I ran across this situation recently in a system that I am looking to better understand. I know IDM 4.5 is out of support but I'm curious if this is an inherent intended behavior of the driver, a bug that was patched in the 4.5 lifecycle, or a bug that was patched with a later version of IDM.
The problem flow is as follows:
I have an SAP-UM driver.
I have an existing user that was previously processed and associated through the SAP-UM driver.
I changed the password on the existing, associated user in my vault.
The password change is processed to SAP through the SAP-UM driver.
[04/25/19 19:27:38.549]:SAPCMP ST:Start transaction.
[04/25/19 19:27:38.551]:SAPCMP ST:Processing events for transaction.
[04/25/19 19:27:38.552]:SAPCMP ST:
<nds dtdversion="4.0" ndsversion="8.x">
<product edition="Advanced" version="126.96.36.199">DirXML</product>
<modify cached-time="20190426002738.533Z" class-name="User"
<modify-attr attr-name="nspmDistributionPassword"><!-- content
At the end of the password sync event in the driver, the SAP-UM driver automatically initiates a merge operation between IDV and SAP.
[04/25/19 19:27:39.528]:SAPCMP ST:Password synchronization command
[04/25/19 19:27:39.528]:SAPCMP ST:Re-reading associations in case they
were changed by previous event processing
[04/25/19 19:27:39.529]:SAPCMP ST:Subscriber processing add for
[04/25/19 19:27:39.529]:SAPCMP ST:Password synchronization command detected.
[04/25/19 19:27:39.529]:SAPCMP ST:Already associated with USdY9JB289.
[04/25/19 19:27:39.529]:SAPCMP ST:Merging eDirectory and application values.
[04/25/19 19:27:39.530]:SAPCMP ST:Reading relevant attributes from
The merge event resets SAP roles in SAP based on data in IDV.
SAP revokes access to various SAP modules and then reinstates access.
Sometimes this revocation process causes the passwords in the SAP modules to be reset to a default value.
Sometimes this revocation process fails in SAP to reprovision access in the SAP modules (shame on SAP but shame on IDV for forcing the merge in the first place...).
I need to keep the ability to perform match/merge operations during true match/merge operations, but I do not want the driver forcing a merge of data every time an object is touched. That seems unnecessarily excessive and potentially problematic (as evidenced in my use case). I thought that was the purpose of the association: to allow the driver to know that an existing account was already discovered in the connected system so IDM would only process the changed data, not the full account data on each transaction. That isn't how the driver is behaving with the association, and I need to understand why and if there is a way to resolve it if this isn't the expected or intended behavior.
Thanks in advance for any help or information.
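
To measure how often the pattern described in the post occurs, a driver trace can be scanned for a merge that follows a password sync on an already-associated object. This is an added example, not part of the original post or any vendor tooling; it assumes a transaction runs from one "Start transaction." line to the next and that the message strings match the excerpts above. The sample trace and the function name `find_forced_merges` are constructed for illustration.

```python
import re
from datetime import datetime

# Line shape copied from the post: [MM/DD/YY HH:MM:SS.mmm]:<driver> ST:<message>
LINE = re.compile(r"^\[(\d\d/\d\d/\d\d \d\d:\d\d:\d\d\.\d{3})\]:(\S+) ST:(.*)$")
FMT = "%m/%d/%y %H:%M:%S.%f"
ASSOC = "Already associated with "

# Constructed sample: message strings are the ones quoted in the post.
SAMPLE_TRACE = """\
[04/25/19 19:27:38.549]:SAPCMP ST:Start transaction.
[04/25/19 19:27:38.551]:SAPCMP ST:Processing events for transaction.
[04/25/19 19:27:39.528]:SAPCMP ST:Re-reading associations in case they
were changed by previous event processing
[04/25/19 19:27:39.529]:SAPCMP ST:Password synchronization command detected.
[04/25/19 19:27:39.529]:SAPCMP ST:Already associated with USdY9JB289.
[04/25/19 19:27:39.529]:SAPCMP ST:Merging eDirectory and application values.
[04/25/19 19:31:02.100]:SAPCMP ST:Start transaction.
[04/25/19 19:31:02.104]:SAPCMP ST:Processing events for transaction.
"""

def find_forced_merges(trace_text):
    """Report merges that follow a password sync on an already-associated object."""
    hits, txn = [], None
    for raw in trace_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # wrapped continuation lines and XML document dumps
        stamp, driver, msg = m.groups()
        if msg.startswith("Start transaction"):
            # Assumption: a transaction runs until the next "Start transaction."
            txn = {"start": stamp, "pwd": False, "assoc": None}
        elif txn is None:
            continue  # trace excerpt began mid-transaction
        elif "Password synchronization command detected" in msg:
            txn["pwd"] = True
        elif msg.startswith(ASSOC):
            txn["assoc"] = msg[len(ASSOC):].rstrip(".")
        elif msg.startswith("Merging eDirectory") and txn["pwd"] and txn["assoc"]:
            delta = datetime.strptime(stamp, FMT) - datetime.strptime(txn["start"], FMT)
            hits.append({"driver": driver, "association": txn["assoc"],
                         "merge_at": stamp,
                         "seconds_into_txn": delta.total_seconds()})
    return hits

if __name__ == "__main__":
    for hit in find_forced_merges(SAMPLE_TRACE):
        print(hit)
```

Correlating the reported `merge_at` timestamps with role revocations or password resets logged on the SAP side shows which merges actually caused an access change.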