You may be aware that Active Roles (AR) does not allow Exchange (extension) attributes to be updated on a master account that is orphaned (has no equivalent shadow account) when the ERFM policy is deployed on the hosting OU.
This is by design: the ERFM policy is triggered for any operation performed on nested objects. It modifies the Exchange/extension attributes only on the equivalent shadow account, not on the master account, and then syncs these attributes from the shadow account back to the master account.
We call these ‘substituted properties’. The Exchange and extension attributes are non-configurable, hard-coded entries in the ‘Substituted properties’ list.
Please refer to the documentation below for detailed information about the synchronization process and more information about substituted properties:
Active Roles 7.4 - Solutions Guide (Synchronize)
https://support.oneidentity.com/technical-documents/active-roles/7.4/solutions-guide/2#TOPIC-1304729
Active Roles 7.4 - Solutions Guide (Substituted properties)
https://support.oneidentity.com/technical-documents/active-roles/7.4/solutions-guide/2#TOPIC-1304731
An enhancement request (TF00617437) has been created detailing the feature above.
WORKAROUND
To alter an orphan Master account’s Exchange attributes, the ERFM policy needs to be blocked for the specific object or the object needs to be moved to another OU that doesn’t have the ERFM policy applied to it.
STATUS
The product team will evaluate the request, and this feature may become available in a future release of the product.
Please refer to this article for updates or contact support referencing the Enhancement Request ID: TF00617437.
© 2024 One Identity LLC. ALL RIGHTS RESERVED.