Object matching rules assign schema properties through which system objects can be uniquely identified. For example, Active Directory groups can be uniquely identified by the DistinguishedName and ObjectGUID schema properties.
Object matching rules can be added or created from property mapping rules. If system objects can only be identified through several schema properties, different property matching rules can be linked with logical operators to form an object matching rule.
NOTE: Using object matching rules of this type can slow down synchronization. Instead, use a virtual schema property to link the schema properties required for matching and create an object matching rule with it.
If several object matching rules are set up, they are run in the order in which they are listed in the rule view. The rule at the top is the primary rule; all others are marked as alternatives. If a system object can be identified uniquely by the primary rule, the alternative rules are not run. If a system object cannot be identified by the primary rule, One Identity Manager uses the next alternative rule to determine a suitable system object. If none of the rules can identify a suitable system object, the object has no partner and is handled as new or deleted.
Example
The following object matching rules are defined for mapping Active Directory groups:
- Object GUID <-> Object GUID (primary rule)
- Distinguished name <-> Obj-Dist-Name (alternative rule)
- Object SID <-> Object-Sid (alternative rule no. 2)
Properties of an Active Directory group are modified in One Identity Manager. During provisioning, the Active Directory connector tries to identify the group in the target system by using the object GUID. It does not find an object with this object GUID so the alternative object matching rule is applied. The connector identifies an object with the same distinguished name and updates this object in the target system.
NOTE:
- Object matching rules must use schema properties with read access. Write-only schema properties are not suitable for identifying system objects.
- Schema properties used to identify system objects must contain a value. If a schema property is empty, the object matching rule is ignored and the next alternative rule is applied.
- If several system objects that fulfill the matching criteria are found, a message appears in the synchronization log. These objects are ignored as processing continues. If several system objects are found, either there is corrupt data in the connected systems or the matching criteria are not unique. Clean up the data in the connected systems and adjust the object matching rules.
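The following Python model shows the rule evaluation described above (primary rule first, alternatives in listed order, a rule with an empty matching property skipped, a non-unique match reported and ignored) running against the Active Directory group example. It is an added illustration, not One Identity Manager code: the rule and object representations, the `find_partner` function and the sample objects are all constructed here. It also generalizes slightly by letting one rule AND-link several property pairs, which is one of the logical-operator combinations the text mentions. Whether the remaining alternative rules are still tried after a non-unique match is an assumption of this model.

```python
"""Illustrative model of primary/alternative object matching rules (added example)."""
from typing import Dict, List, Optional, Sequence, Tuple

PropertyPair = Tuple[str, str]          # (One Identity Manager property, target-system property)
MatchingRule = Sequence[PropertyPair]   # every pair of a rule must match (AND-linked)
SystemObject = Dict[str, str]

# Constructed rule set modelled on the Active Directory group example.
RULES: List[MatchingRule] = [
    [("ObjectGUID", "objectGUID")],                 # primary rule
    [("DistinguishedName", "distinguishedName")],   # alternative rule
    [("ObjectSID", "objectSid")],                   # alternative rule no. 2
]

# Constructed target-system objects. The last two deliberately share a SID
# to show how a match that is not unique is handled.
TARGET_OBJECTS: List[SystemObject] = [
    {"objectGUID": "guid-1", "distinguishedName": "CN=Sales,OU=Groups,DC=example,DC=com", "objectSid": "S-1-5-21-1"},
    {"objectGUID": "guid-2", "distinguishedName": "CN=HR,OU=Groups,DC=example,DC=com", "objectSid": "S-1-5-21-2"},
    {"objectGUID": "guid-3", "distinguishedName": "CN=Dup1,OU=Groups,DC=example,DC=com", "objectSid": "S-1-5-21-9"},
    {"objectGUID": "guid-4", "distinguishedName": "CN=Dup2,OU=Groups,DC=example,DC=com", "objectSid": "S-1-5-21-9"},
]


def find_partner(obj: SystemObject, rules: Sequence[MatchingRule],
                 targets: Sequence[SystemObject], log: List[str]
                 ) -> Tuple[Optional[SystemObject], Optional[str]]:
    """Return (partner object, name of the rule that identified it), or (None, None).

    Rules are evaluated in listed order; the first rule that identifies exactly
    one target object wins. Messages that would go to the synchronization log
    are appended to `log`.
    """
    for index, rule in enumerate(rules):
        label = "primary" if index == 0 else f"alternative {index}"
        # A rule whose matching property is empty is ignored; try the next rule.
        if any(not obj.get(src) for src, _ in rule):
            log.append(f"{label} rule skipped: matching property is empty")
            continue
        hits = [t for t in targets
                if all(t.get(tgt) == obj[src] for src, tgt in rule)]
        if len(hits) == 1:
            return hits[0], label
        if len(hits) > 1:
            # Several objects fulfil the criteria: report it and ignore them.
            # Assumption: the remaining alternative rules are still tried.
            log.append(f"{label} rule: {len(hits)} objects match; ignored")
    return None, None


def provisioning_action(obj: SystemObject) -> str:
    """Decide what provisioning would do with `obj`: update a partner or treat it as new."""
    partner, _ = find_partner(obj, RULES, TARGET_OBJECTS, [])
    return "update" if partner is not None else "new or deleted"


if __name__ == "__main__":
    # Mirrors the page's example: the GUID is not found, the distinguished name is.
    modified_group = {"ObjectGUID": "guid-unknown",
                      "DistinguishedName": "CN=HR,OU=Groups,DC=example,DC=com",
                      "ObjectSID": ""}
    messages: List[str] = []
    partner, rule = find_partner(modified_group, RULES, TARGET_OBJECTS, messages)
    print(rule, "->", partner and partner["objectGUID"], messages)
```

The `log` list stands in for the synchronization log; when a run ends with `(None, None)` and a "objects match; ignored" message, the cause is either duplicate data in the connected system or a non-unique matching criterion, exactly the situation the last note describes.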