
Overview

Reverse Synchronization ensures control of the accounts a user has on each endpoint by identifying discrepancies between Identity Manager accounts stored in the Option Pack endpoint attribute and accounts on the endpoints.

Although it is Identity Manager's responsibility to create, delete, and modify accounts, it is impossible to prevent an endpoint system administrator from performing these operations directly on the endpoint. This can happen for emergency reasons or for malicious reasons (a hacker, for instance).

As a result, Identity Manager must provide its administrators, managers, and users with the ability to detect any changes made directly on the endpoint systems. For example, if an account was created in the Active Directory domain using an external tool, Identity Manager must be made aware of this potential security issue. In addition, bypassing Identity Manager means that the change receives no approval process, no segregation of duties (SOD) prevention, and no audit report.

Two types of discrepancies between Identity Manager and managed endpoints are as follows:

You can treat both cases by defining account and attribute policies for these two types of discrepancies.
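The following is an added illustration of the detection step described above and is not CA Identity Manager code. It compares a constructed list of accounts that Identity Manager believes exist on an endpoint (standing in for the Option Pack endpoint attribute) against a constructed listing taken from the endpoint itself, and separates what it finds into account-level discrepancies (an account present on only one side) and attribute-level discrepancies (an account present on both sides with differing values), which is the split the account and attribute policies act on. The sample data, the `Discrepancy` class and the policy callbacks are all assumptions made for the example.

```python
"""Added example: detect account- and attribute-level discrepancies
between Identity Manager's view of an endpoint and the endpoint itself.
Not CA Identity Manager code; all data and names below are constructed."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample: what Identity Manager last wrote to the endpoint,
# keyed by account name.
IDM_ACCOUNTS = {
    "alice": {"enabled": True, "groups": {"staff"}},
    "bob":   {"enabled": True, "groups": {"staff", "finance"}},
    "carol": {"enabled": False, "groups": {"staff"}},
}

# Constructed sample: what the endpoint reports now. Out of band, "bob"
# gained a group, "carol" was re-enabled, "dave" was created, and "alice"
# was deleted, all without going through Identity Manager.
ENDPOINT_ACCOUNTS = {
    "bob":   {"enabled": True, "groups": {"staff", "finance", "domain-admins"}},
    "carol": {"enabled": True, "groups": {"staff"}},
    "dave":  {"enabled": True, "groups": {"staff"}},
}


@dataclass
class Discrepancy:
    kind: str                      # "account" or "attribute"
    account: str
    detail: str
    attribute: Optional[str] = None  # set only for attribute discrepancies
    expected: object = None          # Identity Manager's value
    actual: object = None            # endpoint's value


def find_discrepancies(idm, endpoint):
    """Return all discrepancies, account-level first, then attribute-level."""
    found = []
    # Account-level: the account exists on only one side.
    for name in sorted(set(endpoint) - set(idm)):
        found.append(Discrepancy("account", name,
                                 "exists on endpoint but is unknown to Identity Manager"))
    for name in sorted(set(idm) - set(endpoint)):
        found.append(Discrepancy("account", name,
                                 "known to Identity Manager but missing on endpoint"))
    # Attribute-level: the account exists on both sides but a value differs.
    for name in sorted(set(idm) & set(endpoint)):
        for attr in sorted(set(idm[name]) | set(endpoint[name])):
            expected, actual = idm[name].get(attr), endpoint[name].get(attr)
            if expected != actual:
                found.append(Discrepancy("attribute", name,
                                         f"attribute {attr!r} changed on endpoint",
                                         attr, expected, actual))
    return found


def apply_policies(discrepancies, account_policy, attribute_policy):
    """Route each discrepancy to the matching (hypothetical) policy callback
    and return the list of (account, decision) pairs the callbacks produce."""
    decisions = []
    for d in discrepancies:
        handler = account_policy if d.kind == "account" else attribute_policy
        decisions.append((d.account, handler(d)))
    return decisions


# Hypothetical policies: report rogue or missing accounts for review and
# restore Identity Manager's value for any drifted attribute.
def sample_account_policy(d):
    return "report for review: " + d.detail


def sample_attribute_policy(d):
    return f"restore {d.attribute!r} to {d.expected!r} (endpoint has {d.actual!r})"


def summarize(discrepancies):
    """Count discrepancies by kind, e.g. {'account': 2, 'attribute': 2}."""
    counts = {}
    for d in discrepancies:
        counts[d.kind] = counts.get(d.kind, 0) + 1
    return counts


if __name__ == "__main__":
    found = find_discrepancies(IDM_ACCOUNTS, ENDPOINT_ACCOUNTS)
    for account, decision in apply_policies(found, sample_account_policy,
                                            sample_attribute_policy):
        print(f"{account}: {decision}")
```

Attribute comparison uses the union of attribute names on both sides, so an attribute added on the endpoint that Identity Manager never set is reported as a discrepancy rather than silently ignored.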


Copyright © 2009 CA. All rights reserved.