Provisioning Reference Guide › Advanced Configuration Options › Domain Configuration › Synchronization Parameters › Use Existing Accounts

Use Existing Accounts

Values: No (default) or Yes

Description: Enable the alternative User Synchronization behavior whereby a global user's set of assigned account templates (through assigned provisioning roles) will only attempt to prescribe one account that is correlated to the global user on any particular managed endpoint. This behavior can be useful if some accounts already correlated to the global user are named differently or are in different containers than what is prescribed by the account templates included in the global user's provisioning roles and only one account is needed or allowed. If the parameter is enabled and multiple account templates for one endpoint prescribe different names and/or different containers for the account only one account will be created.

If a global user already has multiple accounts on a single endpoint, the User Synchronization function (when Use Existing Accounts is set to Yes) attempts to figure out which account is required by which account templateaccount template. This is done through a heuristic that attempts to handle situations where a user's provisioning roles do in fact prescribe multiple accounts on one endpoint.

For example, if global users have two accounts (A1 and A2) on endpoint E and their provisioning roles indicate that they should have one account on endpoint E through account template AT1 and one account on endpoint E through account template AT2, User Synchronization pairs each account template (AT1 and AT2) with one of the existing accounts. The pairing is done with the following heuristic:

• Match account template with an account with exactly the DN specified by the account template.
• Match account template with an account already belonging to the specified account template. If more than one account matches, pick the first one.
• Match account template with an account whose endpoint type-specific account name attribute matches the global user's name. In some endpoint types, for instance Active endpoint, the account name is represented by an attribute of the account whereas the name as seen when you list the account is a display name (a full name). This rule accounts for such endpoint types.
• Account with name value matching the name value specified in the account template. That is, it matches an account with the right name but the wrong container. If there is more than one matching account, pick the first one.
• Pick the first account.

Note: When Use Existing Accounts parameter is set to No, only the first of these rules (exact matching that is based on account DN) is applied.

Continuing with the example, if the previous rules resulted in pairing both account template AT1 and account template AT2 with account A1, then User Synchronization would correct the accounts for this user by doing the following:

Deleting account A2 (assuming the administrator selected the Delete extra accounts or extra account templateaccount template assignments option of User Synchronization); and

Assigning either account template AT1 or AT2 to account A1 that was not already assigned.

These rules ensure that User Synchronization (with Use Existing Accounts enabled) never attempts to create additional accounts on an endpoint where a user already has an account. If your business requires you to create multiple accounts for your users on a single endpoint from provisioning roles, do not enable this configuration parameter. For more information about synchronization, see the Administration Guide.