Sun Java System Identity Manager - unassign vs unlink

Here's an example to demonstrate.

IDM user jdoe is assigned resources Active Directory and LDAP.

Active Directory is linked to "cn=jdoe,cn=Users,dc=Acme,dc=com"

LDAP is linked to "uid=jdoe,ou=People,o=Acme"

Unlinking Active Directory, IDM will remove "cn=jdoe,cn=Users,dc=Acme,dc=com" from the IDM account, but the user still has Active Directory listed as a resource.

Unassigning LDAP will remove the both "uid=jdoe,ou=People,o=Acme" and remove LDAP from the users resources.

If you edit the user, the user will show Active Directory as an assigned resource, but no mention of LDAP. It should find the existing account on Active Directory and you could link it back to the user.

If you go to Assignments and assign the user LDAP, you could then do a Refresh and it would find the account and you could link it back.

The caveat is that the Identity Templates for each resource would have to be able to calculate the same accountId as the values it previously had (e.g. LDAP Identity Template is set to "uid=$accountId$,ou=People,o=Acme").

If you Unassign an account, IDM will ignore that resource as far as that user is concerned (until it is assigned back through some means). If you Unlink an account, IDM will acknowledge that the user should have that type of account and will attempt to create one if it isn't able to link to an existing one.

Jason

jsalleea at 2007-7-10 14:12:41 >