To mark whether a membership has changed, the base table of the assignment stores information about the last membership change in the Dependencies modification date column (XDateSubItem). During provisioning of modified memberships, One Identity Manager decides which objects must be updated based on this date. In the case of synchronization with revision filtering, the highest value from XDateSubItem and XDateUpdated is used as the revision counter for the database objects.
If a membership is changed in One Identity Manager, the change date for dependencies must be updated so that the modification can be provisioned.
Prerequisites
- The base table has the XDateSubItem column.
- The Update dependencies modification date property is true in the table relation between assignment and base table (QBMRelation.IsForUpdateXDateSubItem = TRUE).
Figure 13: Memberships in the One Identity Manager database
If a membership changes (through insertion, deletion, or resetting of the status "Outstanding"), a task for updating the XDateSubItem column of the base table is queued in the DBQueue (QBM-K-XDateSubItemUpdate). If necessary, more processing tasks, for example, calculating inheritance, are queued in the DBQueue. These tasks are handled first. The QBM-K-XDateSubItemUpdate task is deferred until all the processing tasks for the modified object and the module to which it belongs have been handled. If other memberships in this module are changed in the meantime, these changes are collected by the existing task for updating the XDateSubItem column and subsequently handled together. Once the QBM-K-XDateSubItemUpdate task is run, an update task for the XDateSubItem column is queued in the Job queue. The column value is updated. The task for provisioning changed memberships is then placed in the Job queue.
Figure 14: Processing a membership change in One Identity Manager
Example
An Active Directory user account's membership in an Active Directory group is deleted in One Identity Manager (ADSAccountInADSGroup table). The change date for dependencies is updated on the Active Directory group (ADSGroup.XDateSubItem). The change to the membership for this Active Directory group is provisioned in the target system. The next time synchronization with revision filtering is run, XDateSubItem is taken as the highest change date for the revision counter and is compared to the schema type's revision in the target system schema.
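The flow described above, as a simplified model added here for illustration (not One Identity Manager code): it shows the update task being deferred behind processing tasks, later membership changes being collected by the same task, and the revision counter picking up objects whose XDateUpdated never changed. The class, its methods, the single-module simplification, the group names and the timestamps are all assumptions.

```python
from datetime import datetime

# Constructed timestamps for the illustration
T0 = datetime(2024, 1, 1, 12, 0)
T1 = datetime(2024, 1, 1, 12, 1)
T2 = datetime(2024, 1, 1, 12, 2)

class MembershipModel:
    """Toy model of one module; class and method names are hypothetical."""

    def __init__(self, groups):
        self.base = {g: {"XDateUpdated": T0, "XDateSubItem": T0} for g in groups}
        self.open_tasks = 0     # other processing tasks, e.g. inheritance
        self.collected = set()  # base objects gathered by the pending update task
        self.job_queue = []

    def change_membership(self, group, follow_up_tasks=0):
        # Insert, delete or reset of "Outstanding": queue or extend the one update task.
        self.collected.add(group)
        self.open_tasks += follow_up_tasks

    def run_dbqueue(self, now):
        # Processing tasks are handled first; the update task stays deferred.
        if self.open_tasks:
            self.open_tasks -= 1
            return False
        for g in sorted(self.collected):
            self.job_queue.append(("update XDateSubItem", g))
            self.base[g]["XDateSubItem"] = now
            self.job_queue.append(("provision memberships", g))
        self.collected.clear()
        return True

    def revision(self, group):
        # Revision counter: highest of XDateSubItem and XDateUpdated.
        row = self.base[group]
        return max(row["XDateSubItem"], row["XDateUpdated"])

    def changed_since(self, last_sync):
        return sorted(g for g in self.base if self.revision(g) > last_sync)

def demo():
    m = MembershipModel(["GroupA", "GroupB", "GroupC"])
    m.change_membership("GroupA", follow_up_tasks=1)
    deferred = not m.run_dbqueue(T1)      # processing task handled first
    before = m.changed_since(T0)          # nothing flagged yet
    m.change_membership("GroupB")         # collected by the same pending task
    m.run_dbqueue(T2)
    return deferred, before, m.changed_since(T0), m.job_queue

if __name__ == "__main__":
    print(demo())
```

Until the deferred task runs, a revision-filtered comparison sees no change on the group, which is why a membership removal reaches the target system only after XDateSubItem has been written.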