How To
ForgeRock Identity Platform
Does not apply to Identity Cloud

How do I prevent updates to specific attributes in DS when performing an Implicit Synchronization operation in IDM (All versions)?

Last updated Apr 8, 2021

The purpose of this article is to provide information on stopping an implicit sync operation in IDM from updating every attribute in DS. Implicit sync is designed to update the entire object in the target system (all attributes) even if the change only affects a single attribute, but this article shows how you can remove this behavior for specific attributes.



Overview

You can prevent attributes from being updated on the target by setting the NOT_RETURNED_BY_DEFAULT flag on the attribute in the provisioner configuration file (for example, provisioner.openicf-ldap.json), which is located in the /path/to/idm/conf directory. Once you have set this flag, add a condition to the mapping in the sync.json file (also located in the /path/to/idm/conf directory) so that the property mapping is applied selectively and the attribute is only updated when the condition you have set is met (the condition should evaluate to true when the old and new values differ).

There are two different approaches you can take to setting the condition:

  • Using oldSource: You can access the oldSource from the condition script, which makes it easier to ensure the property mapping is only applied after a change to the attribute in the managed object.
  • Using onUpdate trigger: If you do not want to use oldSource, you can use an onUpdate trigger instead.

Other considerations

You should also consider the following depending on your setup:

  • If the property has a transformation, you also need to include the transformation logic in the condition since the condition is evaluated before the transformation. For example: ( (oldSource.sn !== object.sn) && (oldSource.givenName !== object.givenName) )
  • If an attribute also needs to be synced from LDAP to Managed, you need to do one of the following:
    1. Configure two separate provisioner configuration files; one with the NOT_RETURNED_BY_DEFAULT flag and one without.
    2. Specify a sourceQuery on the LDAP to Managed mapping, which includes the _fields property and explicitly lists all of the attributes. This configuration will cause the attribute with the NOT_RETURNED_BY_DEFAULT flag set to be returned anyway in this scenario.

Preventing updates to an attribute (using oldSource)

The following example demonstrates configuring the mail attribute so that it only gets updated during an implicit sync operation when it has actually changed:

  1. Add the NOT_RETURNED_BY_DEFAULT flag to the mail attribute in the provisioner configuration file:

         "mail" : {
             "type" : "string",
             "nativeName" : "mail",
             "nativeType" : "string",
             "flags" : [
                 "NOT_RETURNED_BY_DEFAULT"
             ]
         },

  2. Add a condition to the mapping for the mail attribute in the sync.json file that evaluates to true when the old and new mail values differ:

         {
             "target" : "mail",
             "source" : "mail",
             "condition" : {
                 "type" : "text/javascript",
                 "source" : "(oldSource.mail !== object.mail)"
             }
         },

See Scripting Guide › Script Triggers Defined in Mappings for further information.

Preventing updates to an attribute (using onUpdate trigger)

The following example demonstrates configuring the mail attribute so that it only gets updated during an implicit sync operation when it has actually changed:

  1. Add the NOT_RETURNED_BY_DEFAULT flag to the mail attribute in the provisioner configuration file:

         "mail" : {
             "type" : "string",
             "nativeName" : "mail",
             "nativeType" : "string",
             "flags" : [
                 "NOT_RETURNED_BY_DEFAULT"
             ]
         },

  2. Set a flag in the onUpdate trigger in the managed.json file (located in the /path/to/idm/conf directory), for example:

         "onUpdate" : {
             "type" : "text/javascript",
             "source" : "newObject.mailUpdate=(newObject.mail!=oldObject.mail);"
         },

  3. Add a condition to the mapping for the mail attribute in the sync.json file that evaluates to true when the old and new mail values differ, based on the flag set by the onUpdate trigger:

         {
             "target" : "mail",
             "source" : "mail",
             "condition" : {
                 "type" : "text/javascript",
                 "source" : "object.mailUpdate;"
             }
         },
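The following is an added example, not ForgeRock's code, that simulates how a property-mapping condition in sync.json gates the implicit-sync update of a single target attribute for both of the approaches above (the oldSource condition and the onUpdate flag). The sync.json and managed.json excerpts, the managed-user objects, and the way oldSource and object are exposed to the condition script are assumptions constructed for this demo; it runs in a plain Node.js JavaScript engine rather than IDM's script engine.

```javascript
// Added example (not ForgeRock's code): simulate the sync.json "condition"
// gating for both approaches on the page. All config excerpts and objects
// below are constructed assumptions for this demo.

// Constructed sync.json property mappings (managed user -> DS), first approach:
// the "mail" mapping only applies when the old and new source values differ.
const oldSourceMappings = [
  { target: "uid", source: "userName" },
  {
    target: "mail",
    source: "mail",
    condition: { type: "text/javascript", source: "(oldSource.mail !== object.mail)" },
  },
];

// Constructed managed.json onUpdate trigger, second approach: record whether
// mail changed as a flag on the new managed object.
function onUpdate(oldObject, newObject) {
  newObject.mailUpdate = (newObject.mail != oldObject.mail);
  return newObject;
}

// Mapping whose condition reads that flag instead of touching oldSource.
const triggerMappings = [
  { target: "uid", source: "userName" },
  { target: "mail", source: "mail",
    condition: { type: "text/javascript", source: "object.mailUpdate;" } },
];

// Evaluate one condition script with oldSource and object in scope. A mapping
// without a condition always applies. The script text comes from the
// constructed config above; a trailing ";" (as in "object.mailUpdate;") is
// stripped so the expression can be returned from a function body. This uses
// the host JS engine, not IDM's script engine (assumption for the demo).
function evaluateCondition(condition, oldSource, object) {
  if (!condition) return true;
  const expr = condition.source.trim().replace(/;+$/, "");
  const fn = new Function("oldSource", "object", `return (${expr});`);
  return Boolean(fn(oldSource, object));
}

// Return the target attribute names that this update would write to DS.
function targetsToUpdate(mappings, oldSource, object) {
  return mappings
    .filter((m) => evaluateCondition(m.condition, oldSource, object))
    .map((m) => m.target);
}

// Constructed managed user before the change, and two candidate updates.
const before = { userName: "bjensen", mail: "bjensen@example.com", sn: "Jensen" };
const snChanged = { ...before, sn: "Jensen-Smith" };            // mail untouched
const mailChanged = { ...before, mail: "barbara@example.com" }; // mail changed

// Run both approaches against both updates and collect which targets are written.
function demo() {
  return {
    oldSource: {
      snChanged: targetsToUpdate(oldSourceMappings, before, snChanged),
      mailChanged: targetsToUpdate(oldSourceMappings, before, mailChanged),
    },
    trigger: {
      snChanged: targetsToUpdate(triggerMappings, before, onUpdate(before, { ...snChanged })),
      mailChanged: targetsToUpdate(triggerMappings, before, onUpdate(before, { ...mailChanged })),
    },
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

In both approaches a change that leaves mail untouched writes only uid, while a change to mail writes uid and mail; the difference is only where the comparison happens (in the condition script with oldSource, or earlier in the managed object's onUpdate trigger).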

See Also

FAQ: Scripts in IDM

Synchronization Guide › Types of Synchronization

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.