Identity Manager 9.1 - Target System Synchronization Reference Guide

How does revision filtering work?

When you start synchronization, all synchronization objects are loaded. Some of these objects have not been modified since the last synchronization and, therefore, do not need to be processed. Synchronization is accelerated by only loading those object pairs that have changed since the last synchronization. One Identity Manager uses revision filtering to accelerate synchronization.

Prerequisites

  • The target system supports revision filtering.

    This data is supplied by the system connector.

  • Schema types own a schema property which is labeled as a revision counter.

    This schema property stores the information about the last object modifications.

    Example of an Active Directory group:

    • In the target system schema: UNS Changed
    • In the One Identity Manager schema: Revision Date
  • Revision filtering is permitted for this synchronization workflow.

Revision filtering can be applied to workflows and start up configurations. The workflow setting is valid for all synchronizations with this workflow. To synchronize with the same workflow at different times, with and without revision filtering, create different start up configurations and specify revision filtering for them.

To permit revision filtering on a workflow

  • In the Synchronization Editor, open the synchronization project.

  • Edit the workflow properties. Select the Use revision filter item from the Revision filtering menu.

For more information, see How to edit a workflow.

To permit revision filtering for a start up configuration

  • In the Synchronization Editor, open the synchronization project.

  • Edit the start up configuration properties. Select the Use revision filter item from the Revision filtering menu.

For more information, see How to edit start up configurations.

Normally, each object keeps information about the last changes made. The highest change data value of all synchronized objects of a schema type is taken as the revision in the One Identity Manager database (DPRRevisionStore table, DPRRevisionStore column). This value is used as a comparison for revision filtering when the same workflow is synchronized the next time. This means that when this workflow is next synchronized, the object change data is compared with the revision saved in the One Identity Manager database. This involves finding object pairs where one has newer change data than the last time it was synchronized. Thus, only objects that have changed since the last synchronization are updated.

The reference parameter for revision filtering is also the last schema type synchronization with the same workflow. The table DPRRevisionStore contains one entry per workflow and schema type.

NOTE: One Identity Manager supplies a scheduled process plan, which regularly cleans up the contents of the DPRAttachedDataStore table. Entries for schema types that are no longer used in the synchronization configuration are deleted in the process. The process plan is run during daily maintenance.

How does dependency resolution work?

Dependencies can arise between schema classes that require synchronization steps to be repeated. For example, object references cannot be set until the reference object has been added. Dependencies can also arise between schema properties within a schema class.

Figure 9: Example of a workflow with dependent schema classes and schema properties

One Identity Manager can automatically resolve such dependencies. In this case, the synchronization steps are grouped together such that the referenced objects are synchronized first and then the dependent objects. If dependencies exist within a schema class, additional synchronization steps are inserted to synchronize the dependent schema properties. The final sequence of synchronization steps can be viewed in the report "Processing Plan".

NOTE: If dependencies exist between schema classes, the schema classes must be synchronized by the same workflow so that dependencies can be automatically resolved.

Figure 10: Example of a workflow with automatic dependency resolution

To set up automatic resolution of dependencies

Use automatic dependency resolution by default. Only select manual dependency resolution if individual dependencies cannot be resolved automatically. This might be necessary, for example, if two objects reference each other as mandatory properties.

NOTE: If dependency resolution is set to "Manual", One Identity Manager does not check whether dependencies exist between schema classes and schema properties during synchronization. The synchronization steps are processed sequentially in the order displayed in the workflow view.

Synchronization exits with an error if dependencies exist that cannot be resolved!

To resolve dependencies manually

  1. Find the schema properties between which dependencies exist.
  2. Create a workflow with synchronization steps which take the following criteria into account:
    1. Synchronization steps which synchronize independent and referenced objects.

      Property mapping rules for dependent schema properties must be excluded for this.

    2. Synchronization steps which reference dependent objects.

      Property mapping rules for dependent schema properties must be included for this.

  3. Specify the synchronization step sequence such that all synchronization steps for a) are run first and then the synchronization steps for b).
  4. Edit the workflow properties. Select the following option:
    Dependency resolution: Manual

    For more information, see How to edit a workflow.
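The ordering logic described in this section, as an added example that is not One Identity Manager code: a simplified Python model that orders schema classes so referenced objects come first, inserts an extra step for dependencies inside a schema class, and falls back to the two-pass manual sequence a) and b) when two classes reference each other. The schema class and property names are hypothetical.

```python
from graphlib import TopologicalSorter, CycleError

def plan_steps(schema):
    """schema: {schema_class: {property: referenced_class}} (hypothetical model).
    Returns ordered steps as (schema_class, excluded_properties)."""
    # Dependencies between schema classes: referenced classes are predecessors.
    graph = {cls: {t for t in props.values() if t != cls}
             for cls, props in schema.items()}
    try:
        order = list(TopologicalSorter(graph).static_order())
    except CycleError as err:
        # Mutual references cannot be ordered; this model treats them as
        # the case that needs manual dependency resolution.
        raise ValueError(f"manual resolution required: {err.args[1]}") from None
    plan = []
    for cls in order:
        # Dependencies within a schema class: properties referencing the same class.
        own = sorted(p for p, t in schema.get(cls, {}).items() if t == cls)
        plan.append((cls, own))      # first step: dependent properties excluded
        if own:
            plan.append((cls, []))   # inserted step: dependent properties included
    return plan

def manual_plan(schema, classes):
    """Manual sequence: all steps for a), then all steps for b)."""
    dependent = {c: sorted(p for p, t in schema[c].items() if t in classes)
                 for c in classes}
    pass_a = [(c, dependent[c]) for c in classes]  # a) dependent rules excluded
    pass_b = [(c, []) for c in classes]            # b) dependent rules included
    return pass_a + pass_b

# Constructed sample schemas (names are illustrative only).
RESOLVABLE = {
    "Container": {},
    "User": {"ParentContainer": "Container"},
    "Group": {"AccountManager": "User", "MemberOf": "Group"},
}
MUTUAL = {
    "Department": {"Head": "Manager"},
    "Manager": {"Dept": "Department"},
}

if __name__ == "__main__":
    print(plan_steps(RESOLVABLE))
    print(manual_plan(MUTUAL, ["Department", "Manager"]))
```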


Unresolvable references

If a reference object does not exist in the One Identity Manager database, the object reference cannot be resolved by synchronizing. Unresolvable object references are written in a buffer called the data store (table DPRAttachedDataStore). This ensures that these references remain intact and are not deleted in the target system by provisioning.

Example

An Active Directory group has an account manager, which owns a domain not in the current synchronization run. The account manager is not in the One Identity Manager database either.

Synchronization cannot assign an account manager. In order to retain the assignment, the object reference is saved with the account manager's distinguished name in the data store.

During each synchronization One Identity Manager tries to clean up the data store. If referenced objects in the One Identity Manager database exist, the references can be resolved and the entries are deleted from the data store. The data store is cleaned up depending on the synchronization type (with or without revision filter) and the maintenance mode.

Table 23: Maintenance for unresolved object references

| Maintenance mode | Synchronization without revision filter | Synchronization with revision filter |
|---|---|---|
| The following applies depending on the maintenance mode: | Object references of all synchronization objects are cleaned up if they exist in the One Identity Manager database. | Only object references for modified objects are cleaned up. |
| No maintenance | There is no additional task of clearing up the data store. | There is no additional task of clearing up the data store. |
| Always synchronize affected objects | No effect. | The filter is removed on objects with unresolved references. Therefore, references are also cleaned if the objects have not been changed since the last synchronization. |
| Full maintenance after every synchronization | One Identity Manager tries to resolve object references following synchronization. As a result, unresolved references are processed that arose during this synchronization run. | One Identity Manager tries to resolve object references following synchronization. As a result, unresolved references are processed that arose during this synchronization run. Object references that were not modified are also cleaned up. |

You can enter the number of retries for resolving object references. It may be necessary to try several times to resolve an object if it maps a hierarchy with several levels. One hierarchy level at a time can be resolved with each attempt to resolve an object.
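How revision filtering interacts with the data store, as an added example that is not One Identity Manager code: a simplified Python model with one stored revision per workflow and schema type, showing that an unchanged object with an unresolved reference is skipped under the revision filter unless "Always synchronize affected objects" is active. Object names, revision numbers and the `SyncModel` class are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class SyncModel:
    revision_store: dict = field(default_factory=dict)  # models DPRRevisionStore
    data_store: dict = field(default_factory=dict)      # models DPRAttachedDataStore
    known: set = field(default_factory=set)             # objects present in the database

    def run(self, workflow, schema_type, objects, use_filter=True,
            always_sync_affected=False):
        """objects: (name, revision, referenced name or None). Returns processed names."""
        key = (workflow, schema_type)          # one entry per workflow and schema type
        last = self.revision_store.get(key)
        processed = []
        for name, revision, ref in objects:
            changed = last is None or revision > last
            affected = always_sync_affected and name in self.data_store
            if use_filter and not changed and not affected:
                continue                       # filtered out: unchanged since last run
            processed.append(name)
            self.known.add(name)
            if ref is None or ref in self.known:
                self.data_store.pop(name, None)   # reference resolved, entry deleted
            else:
                self.data_store[name] = ref       # keep the unresolved reference
        if objects:
            # Highest change value of all objects becomes the stored revision.
            self.revision_store[key] = max(rev for _, rev, _ in objects)
        return processed

def demo():
    m = SyncModel()
    first = [("GroupA", 10, "CN=Manager"), ("GroupB", 12, None)]   # constructed data
    later = [("GroupA", 10, "CN=Manager"), ("GroupB", 15, None)]
    out = [m.run("WF1", "Group", first)]
    m.known.add("CN=Manager")                  # manager arrives through another run
    out.append(m.run("WF1", "Group", later))   # GroupA skipped, reference stays parked
    out.append(m.run("WF1", "Group", later, always_sync_affected=True))
    out.append(m.run("WF2", "Group", later))   # other workflow has no stored revision
    return out, m.data_store

if __name__ == "__main__":
    print(demo())
```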

To set up maintenance mode

NOTE: One Identity Manager supplies a scheduled process plan, which regularly cleans up the contents of the table DPRAttachedDataStore. Object entries that no longer exist in the One Identity Manager database are deleted. The process plan is run during daily maintenance.

Direction of synchronization and mapping

To synchronize a target system with One Identity Manager, you must specify which of the connected systems is the primary system. The primary system is defined in the synchronization configuration by the synchronization direction. The direction in which schema properties are mapped may differ from this. Therefore, the permitted mapping direction must be given in the schema properties mapping.

Table 24: Direction of synchronization

| Defined on | Direction of synchronization specifies |
|---|---|
| Start configuration | In which direction a specific synchronization is run |
| Workflow | In which direction synchronizations are run |
| Synchronization step | By which synchronization direction the step is run |

Table 25: Permitted mapping direction

| Defined on | Specifies the mapping direction |
|---|---|
| Mapping | By which synchronization direction property mapping rules are used |
| Property mapping rule | By which synchronization direction this property mapping rule is used |

One Identity Manager synchronizes two connected systems in the direction given in the start up configuration or in the workflow. A synchronization step is only run if the direction of synchronization stored with the step matches the direction of the current synchronization. If the mapping direction stored with the mapping corresponds to the current direction of synchronization, the system objects from this schema class are synchronized. One Identity Manager then checks which property mapping rules can be used in the current synchronization direction. A property mapping rule is ignored if its mapping direction differs from the current direction of synchronization.

Figure 11: Example showing effect of specified synchronization direction and permitted mapping direction
