Membership of user accounts in groups, for example, can result from direct assignment or through inheritance in One Identity Manager. The membership's origin is stored in the XOrigin . Inherited memberships cannot be deleted as long as the inheritance source still exists. If inherited memberships are deleted in the target system, they are marked as outstanding by , depending on which processing method was selected.
You can differentiate between the following cases of deleting membership through synchronization:
Table 72: Deleting memberships
| Only direct |
The membership is deleted immediately by synchronization. |
The membership is marked as outstanding by synchronization. |
| Only inherited |
The membership is marked as outstanding by synchronization. |
The membership is marked as outstanding by synchronization. |
| Direct and inherited |
The membership is marked as outstanding by synchronization. The reference to direct assignment is removed (value in the XOrigin column is updated). |
The membership is marked as outstanding by synchronization. |
Outstanding memberships must be post-processed separately. You can publish these memberships if the inheritance source still exists or you set the status back and remove the inheritance source.
Example
Pat Identity1 has an Active Directory user account that is a member of the Active Directory group "Backup operators". This membership is loaded into the One Identity Manager database by initial synchronization and saved as direct membership in the ADSAccountInADSGroup table (XOrigin = '1'). Pat Identity1 is member of the business "Project A". This business role is assigned to the Active Directory group "Backup operators". Therefore, Pat Identity1 becomes an indirect member of this Active Directory group (ADSAccountInADSGroup.XOrigin = '3'). The group membership is deleted in the target system. The deleted membership is immediately deleted in the One Identity Manager database the next time synchronization is run (ADSAccountInADSGroup.XOrigin = '2'). The membership is marked as outstanding because it remains in the One Identity Manager database due to inheritance. The outstanding membership must be post-processed in . There are two possible ways to do this:
- Assignments to the business role "Project A" are correct.
The method "Publish" is applied. Membership is re-added to the target system.
- Mapping in the target system is correct.
- The method "Reset status" is applied.
- The assignment of the Active Directory group to the business role "Project A", or Pat Identity1's membership of this business role must be deleted. The group membership must also be deleted from ADSAccountInADSGroup table.
The method "Delete" cannot be applied.
Related topics
After , either none or only a manageable number of objects should be marked as outstanding. These can be checked individually and further processed using target system comparison. If a lot of objects are marked as outstanding during synchronization, editing them individually can be too time-consuming. The One Identity Manager provides methods to handle outstanding objects in an automated way. These methods can be called in scripts or processes.
NOTE: If a lot of objects are marked as outstanding during synchronization, this may be due to incorrect data. Before applying the methods, fix the cause of the incorrect data.
Call syntax: <method> ("<table>", "<condition>")
This method requires two parameters:
-
Table
Table containing the outstanding objects to be processed.
-
Condition
Condition that restricts the objects to be processed.
The condition XMarkedForDeletion & 2 = 2 is used to select all outstanding objects of the specified table. You can extend the condition to further restrict objects for processing.
Method: BulkDeleteOutstanding
Deletes the outstanding objects from the One Identity Manager database.
Example of a method call: BulkDeleteOutstanding ("ADSAccount", "XMarkedForDeletion & 2 = 2")
Deletes all outstanding objects of the ADSAccount table in the database.
Method: BulkDeleteOutstandingState
Resets the status of the outstanding objects.
Example of a method call: BulkDeleteOutstandingState ("ADSAccount", "XMarkedForDeletion & 2 = 2")
Resets the status of all outstanding objects of the ADSAccount table.
Method: BulkPublishOutstanding
Publishes the outstanding objects in the target system.
Example of a method call: BulkPublishOutstanding ("ADSAccount", "XMarkedForDeletion & 2 = 2")
Publishes all outstanding objects of the ADSAccount table.
Example of a method call by process
For example, to reset the status of all Active Directory user accounts marked as outstanding in bulk while synchronizing by process call, define a process and use the CallMethod in the . Pass the following parameters to the process task:
Process task: CallMethod
MethodName: Value = "BulkDeleteOutstandingState"
ObjectType: Value = "DPRNameSpace"
WhereClause: Value = "Ident_DPRNameSpace = 'ADS'"
Param1: Value = "ADSAccount"
Param2: Value = "XMarkedForDeletion & 2 = 2"
For more information about creating processes, see the One Identity Manager Configuration Guide.
Related topics
You can generate a report for analyzing problems that arise during , inadequate performance for example. The report contains information such as:
-
Consistency check results
-
settings
-
applied
-
Analysis of the data store
-
Object access times in the One Identity Manager database and in the target system
To generate a synchronization analysis report
-
Select the Help > Generate synchronization analysis report menu item and click Yes in the security prompt.
The report may take a few minutes to generate. It is displayed in a separate window.
-
Print the report or save it in one of the available output formats.
One Identity Manager provides connectors for with the following target systems:
- Directly supported target systems
Separate modules are provided for mapping and processing target system objects. Each target system has its own connector. This includes target systems such as:
- Active Directory
- SharePoint
- SAP R/3
Connectors for directly supported target systems are described in the administration guides for the relevant modules.
- Cloud applications
Using the SCIM connector, Cloud applications can be connected to the Universal Cloud Interface of the One Identity Manager. Cloud objects are transferred to the Universal Cloud Interface over the Cloud Systems Management Module and can be linked there to employees.
For more information, see the following guides:
- One Identity Manager Administration Guide for Connecting to Cloud Applications
- One Identity Manager Administration Guide for Connecting to the Universal Cloud Interface
- CSV files
The can transfer data between CSV files and the One Identity Manager database. In this context, the CSV files map the target system.
For more information, see the One Identity Manager CSV Connector User Guide.
- One Identity Manager databases
Use the One Identity Manager connector to synchronize One Identity Manager databases with the same product version.
For more information, see the One Identity Manager User Guide for the One Identity Manager Connector.
- Target systems that are not directly supported
You can use the Windows PowerShell connector to connect target systems to One Identity Manager that are not directly supported in One Identity Manager. Windows PowerShell cmdlets are used to run read and write operations in the target system.
For more detailed information, see the One Identity Manager Windows PowerShell Connector User Guide.
- Other database systems
With this , you can synchronize external databases with the One Identity Manager database.
For more information, see the following guides:
- One Identity Manager Generic Database Connector User Guide for Connecting DB2 (LUW) Databases
- One Identity Manager Generic Database Connector User Guide for Connecting MySQL Databases
- One Identity Manager Generic Database Connector User Guide for Connecting Oracle Databases
- One Identity Manager Generic Database Connector User Guide for Connecting SQLite Databases
- One Identity Manager Generic Database Connector User Guide for Connecting SQL Server Databases
- One Identity Manager Generic Database Connector User Guide for the CData ADO.NET Provider
- One Identity Manager Generic Database Connector User Guide for the generic ADO.NET Provider
- One Identity Manager Generic Database Connector User Guide for Connecting SAP HANA Databases
- One Identity Manager Generic Database Connector User Guide for Connecting PostgreSQL Databases
