Hello,
I would need some help to understand how IM treats objects that are out of scope, especially the group membership.
Our scenario is the following: the synchronization against AD has been performed in a specific OU's subset (let's call them Corp OUs), and the service account we are using has a delegation to perform creation/deletion/modification operations just on these Corp OUs. For now our Sync Project has been configured in read-only mode.
This Corp OU will also be the destination container of every user/group currently present in the domain, since we are using IDM to help with the AD reorganization.
At the present time we have migrated users into the Corp OU and we have synchronized both users and groups; however, some of the synchronized users still have a membership with out-of-scope groups (groups that are outside the Corp OU).
My question is: what will happen to those scoped-out groups and group membership when we switch our Sync Project to read-write mode? Will those out-of-scope groups be removed from the users even if IDM doesn't know anything about those groups? My opinion is that they should be left untouched, but I need to be sure about that.
Can someone provide some enlightenment?
Thanks in advance,
Andrea