How To
ForgeRock Identity Platform
Does not apply to Identity Cloud

How do I prevent updates to specific attributes in DS when synchronizing data in IDM (All versions)?

Last updated Jan 19, 2022

The purpose of this article is to provide information on preventing updates to specific attributes in DS when performing a synchronization operation (reconciliation, LiveSync or implicit sync) in IDM. For instance, implicit sync is designed to update the entire object in the target system (all attributes) even if the change only affects a single attribute; this article shows how you can exclude specific attributes from this behavior so that they are only written when their value has actually changed.


Overview

You can prevent attributes from being updated on the target by setting the NOT_RETURNED_BY_DEFAULT flag on the attribute in the provisioner configuration file (for example, provisioner.openicf-ldap.json), which is located in the /path/to/idm/conf directory. Once you have set this flag, add a condition to the mapping in the sync.json file (also located in the /path/to/idm/conf directory) so that the property mapping is only applied when the condition is met; this condition should evaluate to true when the old and new values differ.

There are two approaches you can take to set the condition; the second is only available if you are doing an implicit sync:

  • All synchronization types: you can use an onUpdate trigger.
  • Implicit synchronization only: you can use the oldSource variable, which you can access from the condition script. oldSource is not defined during reconciliation or LiveSync operations, which is why you cannot use this approach unless you are doing an implicit sync.

See Script Triggers Defined in Mappings for further information.

Other considerations

You should also consider the following depending on your setup:

  • If the property has a transformation, you also need to include the transformation logic in the condition, because the condition is evaluated before the transformation; the condition must therefore compare the source attributes that the transformation reads. For example: ( (oldSource.sn !== object.sn) && (oldSource.givenName !== object.givenName) )
  • If an attribute also needs to be synced from LDAP to Managed, you need to do one of the following:
    • Configure two separate provisioner configuration files; one with the NOT_RETURNED_BY_DEFAULT flag and one without.
    • Specify a sourceQuery on the LDAP to Managed mapping, which includes the _fields property and explicitly lists all of the attributes. This configuration will cause the attribute with the NOT_RETURNED_BY_DEFAULT flag set to be returned anyway in this scenario.

Preventing updates to an attribute (using onUpdate trigger)

The following example demonstrates configuring the mail attribute so that it only gets updated during a sync operation when it has actually changed:

  1. Add the NOT_RETURNED_BY_DEFAULT flag to the mail attribute in the provisioner configuration file:

       "mail" : {
           "type" : "string",
           "nativeName" : "mail",
           "nativeType" : "string",
           "flags" : [
               "NOT_RETURNED_BY_DEFAULT"
           ]
       },

  2. Set a flag in the onUpdate trigger in the managed.json file (located in the /path/to/idm/conf directory), for example:

       "onUpdate" : {
           "type" : "text/javascript",
           "source" : "newObject.mailUpdate=(newObject.mail!=oldObject.mail);"
       },

  3. Add a condition to the mapping for the mail attribute in the sync.json file that evaluates to true when the old and new mail values differ, based on the flag set by the onUpdate trigger:

       {
           "target" : "mail",
           "source" : "mail",
           "condition" : {
               "type" : "text/javascript",
               "source" : "object.mailUpdate;"
           }
       },

Preventing updates to an attribute (using oldSource)

The following example demonstrates configuring the mail attribute so that it only gets updated during an implicit sync operation when it has actually changed:

  1. Add the NOT_RETURNED_BY_DEFAULT flag to the mail attribute in the provisioner configuration file:

       "mail" : {
           "type" : "string",
           "nativeName" : "mail",
           "nativeType" : "string",
           "flags" : [
               "NOT_RETURNED_BY_DEFAULT"
           ]
       },

  2. Add a condition to the mapping for the mail attribute in the sync.json file that evaluates to true when the old and new mail values differ:

       {
           "target" : "mail",
           "source" : "mail",
           "condition" : {
               "type" : "text/javascript",
               "source" : "(oldSource.mail !== object.mail)"
           }
       },
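A consistency check over the configuration pieces this article combines, added here as an example (it is not ForgeRock code). It assumes a connector named ldap and the constructed provisioner and sync.json fragments embedded in it, and reports an attribute that carries NOT_RETURNED_BY_DEFAULT without a mapping condition, or that is missing from an inbound mapping's sourceQuery _fields (the two situations described under "Other considerations"):

```javascript
// Added example (not ForgeRock code): a consistency check over the configuration
// pieces this article combines. Both fragments below are constructed samples.
const provisioner = {                       // provisioner.openicf-ldap.json (fragment)
  objectTypes: { account: { properties: {
    mail: { type: "string", nativeName: "mail", nativeType: "string",
            flags: ["NOT_RETURNED_BY_DEFAULT"] },
    sn:   { type: "string", nativeName: "sn", nativeType: "string" }
  } } }
};
const syncConfig = { mappings: [            // sync.json (fragment)
  { name: "managedUser_systemLdapAccounts",
    source: "managed/user", target: "system/ldap/account",
    properties: [
      { source: "mail", target: "mail",
        condition: { type: "text/javascript", source: "(oldSource.mail !== object.mail)" } },
      { source: "sn", target: "sn" } ] },
  { name: "systemLdapAccounts_managedUser",
    source: "system/ldap/account", target: "managed/user",
    sourceQuery: { _queryFilter: "true", _fields: "dn,sn" },   // "mail" deliberately missing
    properties: [ { source: "mail", target: "mail" }, { source: "sn", target: "sn" } ] }
] };
// Returns a list of findings; an empty list means the configuration follows the
// pattern in this article. The connector name "ldap" is an assumption.
function checkNotReturnedByDefault(prov, syncCfg, objectType = "account") {
  const props = prov.objectTypes[objectType].properties;
  const flagged = Object.keys(props).filter(p =>
    (props[p].flags || []).includes("NOT_RETURNED_BY_DEFAULT"));
  const system = `system/ldap/${objectType}`;
  const findings = [];
  for (const m of syncCfg.mappings) {
    if (m.target === system) {
      // Managed -> LDAP: the article pairs the flag with a mapping condition, so a
      // flagged attribute whose property mapping has no condition breaks the pattern.
      for (const pm of m.properties) {
        if (flagged.includes(pm.target) && !pm.condition)
          findings.push(`${m.name}: '${pm.target}' has NOT_RETURNED_BY_DEFAULT but no condition`);
      }
    } else if (m.source === system) {
      // LDAP -> Managed: a flagged attribute is only read back when sourceQuery._fields
      // lists it explicitly (see "Other considerations").
      const fields = ((m.sourceQuery || {})._fields || "").split(",").map(s => s.trim());
      for (const pm of m.properties) {
        if (flagged.includes(pm.source) && !fields.includes(pm.source))
          findings.push(`${m.name}: '${pm.source}' has NOT_RETURNED_BY_DEFAULT but is missing from sourceQuery._fields`);
      }
    }
  }
  return findings;
}
```

Run it with node after pointing the two constants at your real provisioner and sync.json content; with the sample fragments it reports only the inbound mapping whose _fields omits mail.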

See Also

FAQ: Scripts in IDM

Types of Synchronization

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2022 ForgeRock, all rights reserved.