Quick Connect connector exclusions are not excluding users from sync agreements. When synchronizing accounts from a connected system to Active Roles, you may wish to exclude certain users from the synchronization.
You may run into the following scenario (Quick Connect provisioning sync from SQL to Active Roles Server):
First, an initial provisioning step was run to sync all users from SQL to Active Roles Server. Once the accounts were created, they were excluded from the Active Roles Server connector so that they would not be synchronized in any way. The Active Roles Server connector does exclude the users, but because they are not excluded in SQL, the excluded accounts are treated as though they have not been created in the Active Roles Server target system (because the Active Roles Server connector does not "see" the accounts due to the exclusion). Therefore, you may receive an error saying the sAMAccountName is identical to one in the domain when attempting to create the user in Active Roles Server.
This is by design.
The logic for this is as follows:
1. The SQL connector performs a query of the table for all objects and attributes to be synced (no filter in place, all accounts are considered).
2. The Active Roles Server connector performs a query of the AD environment for all objects and attributes to be synced (the filter is in place here).
3. SQL finds ALL of the users and then looks at Active Roles Server and asks, "Do these accounts exist in the Active Roles Server domain?"
4. It does not see that the accounts have been created (because they are excluded from the connector) and proceeds to create the users. It fails with a duplicate sAMAccountName error.
WORKAROUND
Create the exclusion on the SQL connector.
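
The four steps above and the workaround can be reproduced with a small model. This is an added example, not One Identity code: the `provision` function, its parameters and the sample account names are assumptions constructed to mirror the logic described, not the Quick Connect API.

```python
# Simplified model of one provisioning pass; not Quick Connect code.
# Function names, parameters and sample accounts are constructed for illustration.

def provision(source_rows, directory,
              source_excluded=frozenset(), target_excluded=frozenset()):
    """Run one provisioning pass and return (created, duplicate_errors).

    source_rows     -- sAMAccountNames present in the SQL table
    directory       -- set of sAMAccountNames that really exist in the domain
    source_excluded -- names filtered out by the SQL connector scope
    target_excluded -- names filtered out by the Active Roles connector scope
    """
    # Step 1: the source connector returns every row its scope allows.
    source_view = [n for n in source_rows if n not in source_excluded]
    # Step 2: the target connector returns only the objects its scope allows.
    target_view = {n for n in directory if n not in target_excluded}

    created, duplicate_errors = [], []
    for name in source_view:
        # Step 3: does this source account exist in the target connector's view?
        if name in target_view:
            continue  # matched, nothing to create
        # Step 4: no match, so a create is attempted against the real domain.
        if name in directory:
            duplicate_errors.append(name)  # domain rejects the duplicate name
        else:
            directory.add(name)
            created.append(name)
    return created, duplicate_errors


SQL_ROWS = ["asmith", "bjones", "cdoe"]  # constructed sample data


def demo():
    # The initial sync already created all three accounts in the domain.
    excluded = {"bjones", "cdoe"}
    target_side = provision(SQL_ROWS, set(SQL_ROWS), target_excluded=excluded)
    source_side = provision(SQL_ROWS, set(SQL_ROWS), source_excluded=excluded)
    return target_side, source_side


if __name__ == "__main__":
    target_side, source_side = demo()
    print("exclusion on Active Roles connector:", target_side)
    print("exclusion on SQL connector:         ", source_side)
```

With the exclusion on the target side, the two excluded accounts are reported as duplicates; with the same exclusion on the source side, the pass completes with no create attempts and no errors.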