ITIM: how to find non-compliant attributes

When doing a reconciliation in ITIM, it is sometimes desirable to get the list of non-compliant attributes on accounts, not just the list of non-compliant accounts.

Unfortunately, this does not seem easy to get: the standard report only lists the non-compliant accounts, without the detail of which attributes are non-compliant.

I discovered this morning that for AD accounts (objectclass=eradaccountitem), the non-compliant attributes are stored in the ITIM LDAP directory as separate entries (objectclass erComplianceIssue) directly under the account object.

For example, if the givenname attribute of the AD account does not match the value expected from the user's Person entry, one finds an entry such as:

dn: erglobalid=5438921730163870300,erglobalid=533996249009324649,ou=0,ou=accounts,erglobalid=00000000000000000000,ou=MYCORP,o=ITIM
ercreatedate: 201404101151Z
erattributeaction: 3
erglobalid: 5438921730163870300
objectclass: top
objectclass: erComplianceIssue
erattributename: givenname
erbigcustomdata: Dmitry
eroverride: false

The AD account entry's own DN is:


Then, to get a list of all non-compliances, it is easy to build an LDAP search with these parameters:

  • Base DN : ou=0,ou=accounts,erglobalid=00000000000000000000,ou=TENANT (ou=MYCORP,o=ITIM in the example above)
  • Scope : subtree (the issue entries sit one level below the account entries, so a one-level search would not return them)
  • Filter : objectclass=erComplianceIssue

The owning account of each returned entry is its parent DN, and erattributename / erbigcustomdata give the attribute concerned and the value recorded for it.
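
The search above returns one LDIF record per issue, which is still not the per-account report one wants. The following script is an added example, not part of the original post or of ITIM itself: it parses ldapsearch-style LDIF (including `::` base64 values and folded lines) and groups the erComplianceIssue entries by the account DN that owns them. The LDIF embedded in it is constructed for the example, modelled on the entry shown above; the second issue (sn / Ivanov), the host name and the bind DN in the comment are assumptions.

```python
"""Group ITIM erComplianceIssue entries by owning account (added example).

Feed it the output of a search such as (host and bind DN are assumptions):
  ldapsearch -x -H ldap://itim-ldap:389 -D cn=root -W \
    -b "ou=0,ou=accounts,erglobalid=00000000000000000000,ou=MYCORP,o=ITIM" \
    -s sub "(objectclass=erComplianceIssue)"
"""
import base64
from collections import defaultdict

# Constructed sample LDIF, modelled on the entry in the post. The second
# record is invented to show two issues on the same account.
SAMPLE_LDIF = """\
dn: erglobalid=5438921730163870300,erglobalid=533996249009324649,ou=0,ou=accounts,erglobalid=00000000000000000000,ou=MYCORP,o=ITIM
ercreatedate: 201404101151Z
erattributeaction: 3
erglobalid: 5438921730163870300
objectclass: top
objectclass: erComplianceIssue
erattributename: givenname
erbigcustomdata: Dmitry
eroverride: false

dn: erglobalid=5438921730163870301,erglobalid=533996249009324649,ou=0,ou=accounts,erglobalid=00000000000000000000,ou=MYCORP,o=ITIM
ercreatedate: 201404101152Z
erattributeaction: 3
erglobalid: 5438921730163870301
objectclass: top
objectclass: erComplianceIssue
erattributename: sn
erbigcustomdata:: SXZhbm92
eroverride: false
"""


def parse_ldif(text):
    """Return a list of records, each a dict attr -> [values].

    Handles folded lines (leading space), '::' base64 values and '#'
    comments; enough for ldapsearch output, not a full RFC 2849 parser.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # continuation of previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    records, entry = [], {}
    for line in lines:
        if not line.strip():                # blank line ends a record
            if entry:
                records.append(entry)
                entry = {}
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):           # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        entry.setdefault(name.strip().lower(), []).append(value)
    if entry:
        records.append(entry)
    return records


def split_rdns(dn):
    """Split a DN on commas, honouring backslash-escaped commas."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if c == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(c)
        i += 1
    parts.append("".join(cur).strip())
    return parts


def compliance_report(ldif_text):
    """Map account DN -> [(attribute, stored value, erattributeaction)].

    The account is the parent of the issue entry. erattributeaction is
    passed through as stored; its numeric meaning is not documented here.
    """
    report = defaultdict(list)
    for rec in parse_ldif(ldif_text):
        if "dn" not in rec:                 # 'search:'/'result:' trailers
            continue
        classes = {v.lower() for v in rec.get("objectclass", [])}
        if "ercomplianceissue" not in classes:
            continue
        account = ",".join(split_rdns(rec["dn"][0])[1:])
        report[account].append((
            rec.get("erattributename", ["?"])[0],
            rec.get("erbigcustomdata", [""])[0],
            rec.get("erattributeaction", [""])[0],
        ))
    return dict(report)


if __name__ == "__main__":
    for account, issues in compliance_report(SAMPLE_LDIF).items():
        print(account)
        for attr, value, action in issues:
            print(f"  {attr:<16} {value!r:<12} action={action}")
```

To run it against a real directory, pipe the ldapsearch output in place of SAMPLE_LDIF; the grouping key is the parent DN, so the report lines up one-to-one with the account entries (objectclass=eradaccountitem) that the standard report already names.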

I also found that this seems to hold only when policy enforcement is set to "Alert".