Feature #2685

Updated by Alena Peterová about 3 years ago

When IdM updates an account on a connected system, we often want to know how the attributes changed. The provisioning archive displays only the new values of the attributes. It would be really useful to also add a new table that contains the original values of the attributes, before IdM updated them, e.g. here: 
 !provisioning_old_values.png! 

 Use cases: 
 * Some AD admin added a user to some AD group. IdM (correctly) removes the group membership when updating the user account. The user asks why something in AD doesn't work. The helpdesk looks into the provisioning archive and can see which group was removed from the user. The helpdesk can request the role in IdM. 
 * Initial cleaning: IdM starts to manage AD. The first update of an account (correctly) sets the attributes, e.g. distinguishedName, displayName, description. For audit reasons, we would like to know their original values. 
 * Bug: Incorrect mapping/scripting in IdM causes some attributes to be broken, users to be moved to wrong OUs, etc. We need to repair the data quickly, so we need to see what the correct (original) value was. 
 * Ability to distinguish changes in the attributes with the "Send always" flag (https://redmine.czechidm.com/issues/774) 

 The additional table could also be present in the active provisioning operations. It doesn't matter that it's empty until "Attributes for provisioning" are computed. Also, if the system is read-only, we could immediately see what IdM wants to change and how, which is good for checking when going into production. 

 ------------------------------------------- 

 This feature was also requested by our partner. 
