AD Group Assignment via Role and Synchronization Errors

We're running One Identity 8.1 and are using role based group assignment. This is generally working very well for us, with one exception.

When an AD account is manually removed from a group One Identity flags it as a synchronization error and the user is not re-added to the group. We would like the behavior to be that One Identity enforces its view on AD when it comes to group assignments that are part of a OneID role.

For example: UserA is a member of groupA and GroupB. GroupB was added via Role1 in One Identity and GroupA was added manually. At some point UserA is removed from GroupB in AD. We would like OneID to add UserA back to GroupB and not remove them from GroupA since there is no assignment for GroupA.

I had a look at https://support.oneidentity.com/identity-manager/kb/229618/troubleshooting-one-identity-manager-provisioning-issues, and so I imagine that I can publish the changes there and that will resolve the issue, but I have over 25,000 sync errors and I'd like to know how to do them on a recurring schedule and how to target only group changes.

I totally realize that the solution to this is to stop people from making manual changes, but to do that, I really need the system to smack them when they are naughty.

Thanks everyone!

  • The reason they are not published back is because they are being marked as outstanding by Identity Manager because the group change was made in the target system. I know that you can select multiple objects using the data synchronization menu to publish these. I am not aware of any other method to not have this result.