
Initial ABAP Load WITHOUT resetting passwords in ABAP system

Former Member
0 Kudos

I have checked the forum and documentation and have not been able to find a clear answer to the following question/problem. My scenario is as follows:

I have about 12 separate ABAP clients that I am trying to hook into a new Identity Management 7.2 system. When performing the initial load from the ABAP client, I'd like to prevent the IDM generated password from being provisioned back out to the ABAP systems. The way I understand it is that the IDM will create a password using the custom_InitializePassword script when the Identity is created in the IDM. This I'm OK with, but what I don't want is for every user in every client that I'm managing to have to log in with a new password. I'd be happiest if the IDM password was only distributed to systems that the user did not already exist in (newly created users in the target client). If they already have a password, let them use that existing password at logon time. If they ever need to have their password reset, I'm OK to reset it in the IDM and provision it to all the systems. I just don't want to have them do it now as they already are productive.

The documentation indicates that I can adjust the Update system privilege trigger attributes pass to disable attributes that I don't want to distribute. The issue I have is that I can't understand that pass correctly. There are 2 functions in that pass (sap_core_setPrivilegeModifyTriggerAttributes & sap_core_setPrivlegeModifyTriggerIgnoreAttributes). The first is enabled in the default Provisioning framework and the second is commented out by default. My assumption is that I should be able to just uncomment the second (ModifyTriggerIgnoreAttributes) and add MS_PASSWORD and MX_PASSWORD_DISABLED to the parameter list. However, after running this, it did not do the trick. I am not sure how to work with this pass as it is undocumented.

Anyone have any standard way of achieving this?

Accepted Solutions (0)

Answers (1)

Former Member
0 Kudos

Hello Eric,

Did you ever find a solution to this problem? I have the same experience. I opened a note to SAP but I feel I'm just getting the runaround. No definite answer. Do you mind sharing your workaround?

Thank you

Former Member
0 Kudos

Initially, you can add a '.' to the password attribute on the export.  This will only write it when the object is created.  However, that precludes it ever setting the password on these accounts.  If you want password maintenance through IDM then you'll need to resolve this issue.  Perhaps on 'initial load' set a multivalue attribute for each system and then a script to check that when writing the password...

Peter