

Reverse Synchronization with Endpoint Accounts

Although it is the responsibility of CA Identity Manager to create, delete and modify accounts, it is impossible to prevent a user of the endpoint system from performing these operations directly. This can happen for emergency reasons or for malicious reasons, such as an attacker creating an account. Reverse Synchronization keeps control of the accounts a user has on each endpoint by identifying discrepancies between CA Identity Manager accounts and the accounts that actually exist on the endpoints.

For example, if an account was created in the Active Directory domain using an external tool, CA Identity Manager must be made aware of this potential security issue. In addition, a change that bypasses CA Identity Manager goes through no approval process and appears in no audit reports.

Two types of discrepancies between CA Identity Manager and managed endpoints are as follows:

You can treat both cases by defining policies that handle the change. Running Explore and Correlate to update CA Identity Manager then triggers the execution of those policies.
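The following is an added illustration of the idea, not CA Identity Manager code: it compares a constructed list of accounts the identity manager believes it provisioned with a constructed endpoint export, classifies each discrepancy, and maps it to a policy action. The discrepancy kinds, policy names and sample accounts are this example's own assumptions.

```python
# Added example (not CA Identity Manager code): a minimal reverse-sync check that
# compares what CA Identity Manager provisioned with what the endpoint reports.
# Discrepancy kinds and policy names below are this example's own assumptions.
from dataclasses import dataclass, field

# Constructed sample data: accounts CA Identity Manager believes it provisioned ...
IDM_ACCOUNTS = {
    "alice": {"enabled": True, "groups": {"staff"}},
    "bob": {"enabled": True, "groups": {"staff", "finance"}},
    "svc-backup": {"enabled": True, "groups": {"backup-operators"}},
}
# ... and what an explore of the endpoint (e.g. an AD domain) returned:
# "mallory" was created with an external tool, "bob" gained a group,
# and "svc-backup" was deleted outside CA Identity Manager.
ENDPOINT_ACCOUNTS = {
    "alice": {"enabled": True, "groups": {"staff"}},
    "bob": {"enabled": True, "groups": {"staff", "finance", "domain-admins"}},
    "mallory": {"enabled": True, "groups": {"domain-admins"}},
}

@dataclass
class Discrepancy:
    account: str
    kind: str  # "unknown_account", "attribute_change" or "missing_account"
    details: dict = field(default_factory=dict)

def correlate(idm, endpoint):
    """Return the discrepancies an Explore and Correlate run would surface."""
    found = []
    for name, attrs in endpoint.items():
        if name not in idm:  # created on the endpoint, bypassing CA Identity Manager
            found.append(Discrepancy(name, "unknown_account", attrs))
            continue
        diff = {k: (idm[name].get(k), v) for k, v in attrs.items()
                if idm[name].get(k) != v}  # (expected, actual) per changed attribute
        if diff:
            found.append(Discrepancy(name, "attribute_change", diff))
    for name in sorted(idm.keys() - endpoint.keys()):  # deleted on the endpoint
        found.append(Discrepancy(name, "missing_account"))
    return found

# Assumed policies: the action each discrepancy kind should trigger.
POLICIES = {
    "unknown_account": "flag_for_approval",  # never silently adopt it
    "attribute_change": "revert_to_idm_state",
    "missing_account": "recreate_from_idm",
}
def apply_policies(discrepancies):
    """Map each discrepancy to the action its policy prescribes."""
    return {d.account: POLICIES[d.kind] for d in discrepancies}
```

In a real deployment the policy actions would be the ones you define in CA Identity Manager; here they are plain labels so the classification step can be inspected on its own.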