To display a log
- In the , open the .
- Select the Logs category.
- Click in the navigation view toolbar.
  Logs for all completed synchronization runs are displayed in the navigation view.
- Select a log by double-clicking it.
  An analysis of the synchronization is shown as a report. You can save the report.
To display a provisioning log
- In the Synchronization Editor, open the synchronization project.
- Select the Logs category.
- Click in the navigation view toolbar.
  Logs for all completed provisioning processes are displayed in the navigation view.
- Select a log by double-clicking it.
  An analysis of the provisioning is shown as a report. You can save the report.
The log is marked in color in the navigation view. This mark shows you the status of the synchronization/provisioning.
TIP: The logs are also displayed in the Manager under the <target system> > synchronization log category.
Objects that do not exist in the target system can be marked as outstanding in One Identity Manager by . This prevents objects from being deleted because of an incorrect data situation or an incorrect synchronization configuration.
Outstanding objects:
- Cannot be edited in One Identity Manager.
- Are ignored by subsequent synchronizations.
- Are ignored by inheritance calculations.
This means that all memberships and assignments remain intact until the outstanding objects have been processed.
Start to do this.
To post-process outstanding objects
- Start the .
- Select the <target system type> > synchronization: <target system type> > <table> category.
TIP: To display the properties of an outstanding object
  - Select the object on the target system synchronization form.
  - Open the context menu and click Show object.
  - For memberships, select the object whose properties you want to display.
- Select the objects you want to rework. Multi-select is possible.
- Click on one of the following icons in the form toolbar to run the respective method.
Table 69: Methods for handling outstanding objects
Delete | The object is immediately deleted from the One Identity Manager database. Deferred deletion is not taken into account. Indirect memberships cannot be deleted.
Publish | The object is added to the target system. The Outstanding label is removed from the object. This runs a target system specific process that triggers the provisioning process for the object. Prerequisites: the table containing the object can be published; the target system connector has write access to the target system; a process is set up for provisioning the object.
Reset | The Outstanding label is removed for the object.
TIP: If a method cannot be run due to certain restrictions, the respective icon is disabled.
- Confirm the security prompt with Yes.
NOTE: By default, the selected objects are processed in parallel, which speeds up the selected method. If an error occurs during processing, the action is stopped and all changes are discarded.
Bulk processing of objects must be disabled if errors are to be localized, which means the objects are processed sequentially. Failed objects are named in the error message. All changes that were made up until the error occurred are saved.
To disable bulk processing
For more information about post-processing outstanding objects from connected target systems, see the target system connection guides.
Membership of user accounts in groups, for example, can result from direct assignment or through inheritance in One Identity Manager. The membership's origin is stored in the XOrigin column. Inherited memberships cannot be deleted as long as the inheritance source still exists. If inherited memberships are deleted in the target system, they are marked as outstanding by , depending on which processing method was selected.
You can differentiate between the following cases of deleting membership through synchronization:
Table 70: Deleting memberships
Only direct | The membership is deleted immediately by synchronization. | The membership is marked as outstanding by synchronization.
Only inherited | The membership is marked as outstanding by synchronization. | The membership is marked as outstanding by synchronization.
Direct and inherited | The membership is marked as outstanding by synchronization. The reference to direct assignment is removed (value in the XOrigin column is updated). | The membership is marked as outstanding by synchronization.
Outstanding memberships must be post-processed separately. You can publish these memberships if the inheritance source still exists, or you can reset the status and remove the inheritance source.
Example
Pat Identity1 has an Active Directory user account that is a member of the Active Directory group "Backup operators". This membership is loaded into the One Identity Manager database by initial synchronization and saved as direct membership in the ADSAccountInADSGroup table (XOrigin = '1'). Pat Identity1 is a member of the business role "Project A". This business role is assigned to the Active Directory group "Backup operators". Therefore, Pat Identity1 becomes an indirect member of this Active Directory group (ADSAccountInADSGroup.XOrigin = '3').
The group membership is deleted in the target system. The deleted membership is immediately deleted in the One Identity Manager database the next time synchronization is run (ADSAccountInADSGroup.XOrigin = '2'). The membership is marked as outstanding because it remains in the One Identity Manager database due to inheritance. The outstanding membership must be post-processed in . There are two possible ways to do this:
- Assignments to the business role "Project A" are correct.
  - The method "Publish" is applied. Membership is re-added to the target system.
- Mapping in the target system is correct.
  - The method "Reset status" is applied.
  - The assignment of the Active Directory group to the business role "Project A", or Pat Identity1's membership of this business role, must be deleted. The group membership must also be deleted from the ADSAccountInADSGroup table.
The method "Delete" cannot be applied.
After , either none or only a manageable number of objects should be marked as outstanding. These can be checked individually and further processed using target system comparison. If a lot of objects are marked as outstanding during synchronization, editing them individually can be too time-consuming. One Identity Manager provides methods to handle outstanding objects in an automated way. These methods can be called in scripts or processes.
NOTE: If a lot of objects are marked as outstanding during synchronization, this may be due to incorrect data. Before applying the methods, fix the cause of the incorrect data.
Call syntax: <method> ("<table>", "<condition>")
This method requires two parameters:
- Table: Table containing the outstanding objects to be processed.
- Condition: Condition that restricts the objects to be processed.
The condition XMarkedForDeletion & 2 = 2 is used to select all outstanding objects of the specified table. You can extend the condition to further restrict objects for processing.
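A read-only pre-check that can be run before any of the bulk methods, to see how many rows the documented condition selects and how outstanding memberships split by origin. This is an added example, not part of the product documentation; it assumes direct T-SQL access to the One Identity Manager database, that ADSAccountInADSGroup carries the XMarkedForDeletion column in the same way as ADSAccount, and that the XOrigin bits mean what the example on this page shows (1 = direct, 2 = inherited).

```sql
-- Added example: read-only review before calling a Bulk* method.
-- Assumptions: T-SQL against the One Identity Manager database;
-- ADSAccountInADSGroup has XMarkedForDeletion like ADSAccount;
-- XOrigin bit 1 = direct assignment, bit 2 = inherited (per the page's example).

-- 1. Number of user accounts the documented condition would hand to a bulk method.
--    An unexpectedly large count points to incorrect data or configuration
--    that should be fixed first.
SELECT COUNT(*) AS OutstandingAccounts
FROM ADSAccount
WHERE XMarkedForDeletion & 2 = 2;

-- 2. Outstanding group memberships, grouped by origin.
--    Rows with the inherited bit set cannot be handled with "Delete";
--    they need "Publish" or a status reset plus removal of the inheritance source.
SELECT
    XOrigin,
    CASE
        WHEN XOrigin & 2 = 2 THEN 'inherited: publish, or reset and remove inheritance source'
        WHEN XOrigin & 1 = 1 THEN 'direct only'
        ELSE 'other origin: review individually'
    END AS Handling,
    COUNT(*) AS OutstandingMemberships
FROM ADSAccountInADSGroup
WHERE XMarkedForDeletion & 2 = 2
GROUP BY XOrigin
ORDER BY XOrigin;
```

The WHERE clause is the same string that is passed as the second parameter of the bulk methods, so any extra restriction tested here can be reused unchanged in the method call.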
Method: BulkDeleteOutstanding
Deletes the outstanding objects from the One Identity Manager database.
Example of a method call: BulkDeleteOutstanding ("ADSAccount", "XMarkedForDeletion & 2 = 2")
Deletes all outstanding objects of the ADSAccount table in the database.
Method: BulkDeleteOutstandingState
Resets the status of the outstanding objects.
Example of a method call: BulkDeleteOutstandingState ("ADSAccount", "XMarkedForDeletion & 2 = 2")
Resets the status of all outstanding objects of the ADSAccount table.
Method: BulkPublishOutstanding
Publishes the outstanding objects in the target system.
Example of a method call: BulkPublishOutstanding ("ADSAccount", "XMarkedForDeletion & 2 = 2")
Publishes all outstanding objects of the ADSAccount table.
Example of a method call by process
For example, to reset the status of all Active Directory user accounts marked as outstanding in bulk while synchronizing by process call, define a process and use the CallMethod in the . Pass the following parameters to the process task:
Process task: CallMethod
MethodName: Value = "BulkDeleteOutstandingState"
ObjectType: Value = "DPRNameSpace"
WhereClause: Value = "Ident_DPRNameSpace = 'ADS'"
Param1: Value = "ADSAccount"
Param2: Value = "XMarkedForDeletion & 2 = 2"
For more information about creating processes, see the One Identity Manager Configuration Guide.