
How to provision a single constant AD attribute using sync

Hi,

We have a use case where we need to clear certain attributes for an AD account that are not in the usual sync scope.

In this case, I want to clear the userCertificate attribute, but the provisioning step (projection) does not perform the desired change in AD.

What I have done is I have created a single property mapping rule with a virtual property on the IM side, which is a constant (binary) empty value, and mapped it to the userCertificate attribute on the target side. I have set up a separate workflow and step using that mapping, as well as a provisioning process operation type only for this purpose, etc. The synchronization workflow step is set up to process only changed objects and to "Update" the target object. It is not possible to set up processing identical objects by "Update" on the target; only "Delete" is available in that case.
I think the problem is that there is a) no change on the source object, or that there is b) no difference detected. To my understanding, if I map a virtual property, which is empty, to an AD attribute that contains something, this should be detected as a difference between the objects and the target object should be updated as defined in the processing rule. However, this does not seem to be the case.
The provisioning logs state 'success', but that "There are no changed objects logged for this synchronization log".

Any idea what I am doing wrong?
