Chat now with support
Chat mit Support

Identity Manager 9.2 - Cloud Access Governance Administration Guide

Updating Schemas

All the schema data (schema types and schema properties) of the target system schema and the One Identity Manager schema are available when you are editing a synchronization project. Only a part of this data is really needed for configuring synchronization. If a synchronization project is finished, the schema is compressed to remove unnecessary data from the synchronization project. This can speed up loading the synchronization project. Deleted schema data can be added to the synchronization configuration again at a later point.

If the target system schema or the One Identity Manager schema has changed, these changes must also be added to the synchronization configuration. Then the changes can be added to the schema property mapping.

To include schema data that have been deleted through compressing and schema modifications in the synchronization project, update each schema in the synchronization project.

This may be necessary if

  • A schema was changed by
    • Changes to a target system schema
    • Customizations to the One Identity Manager schema
    • A One Identity Manager update migration
  • A schema in the synchronization project was shrunk by
    • Enabling the synchronization project
    • Saving the synchronization project for the first time
    • Compressing a schema

To update a system connection schema

  1. Open the synchronization project in the Synchronization Editor.
  2. Select the category Configuration | Target systems.

    - OR -

    Select the category Configuration | One Identity Manager connection.

  3. Select the view General and click Update schema.
  4. Confirm the security prompt with Yes.

    This reloads the schema data.

To edit a mapping

  1. Open the synchronization project in the Synchronization Editor.
  2. Select the category Mappings.
  3. Select a mapping in the navigation view.

    The Mapping Editor is displayed.

For more detailed information about mappings, see the One Identity Manager Target System Synchronization Reference Guide.

NOTE: The synchronization is deactivated if the schema of an activated synchronization project is updated. Reactivate the synchronization project to synchronize.

Post-processing outstanding objects

Objects, which do not exist in the target system, can be marked as outstanding in One Identity Manager by synchronizing. This prevents objects being deleted because of an incorrect data situation or an incorrect synchronization configuration.

Outstanding objects

  • Cannot be edited in One Identity Manager
  • Are ignored by subsequent synchronization
  • Are ignored by inheritance calculations

This means, all memberships and assignments remain intact until the outstanding objects have been processed. Start target system synchronization to do this.

To post-process outstanding objects

  1. In One Identity Manager, select the Azure Cloud Access Governance | Target system synchronization: Azure Cloud Access Governance category.

    All tables assigned to the target system type CIM as synchronization tables are displayed in the navigation view.

    All objects that are marked as outstanding are shown. The Last log entry and Last method run columns display the time at which the last entry was made in the synchronization log and which processing method was run.
    The No log available entry can mean the following

    • The synchronization log has already been deleted.

    - OR -

    • An assignment from a member list has been deleted in the target system.

      The base object of the assignment has been updated during the synchronization. A corresponding entry appears in the synchronization log. The entry in the assignment table is marked as outstanding, but there is no entry in the synchronization log.

      • An object that contains a member list has been deleted in the target system.

        During synchronization, the object and all corresponding entries in assignment tables are marked as outstanding. However, an entry in the synchronization log appears only for the deleted object.

    NOTE:

    To display object properties of an outstanding object

    1. Select the object on the target system synchronization form.
    2. Open the context menu and click Show object.
  2. Select the objects you want to rework. Multi-select is possible.
  3. Click one of the following icons in the form toolbar to run the respective method.

    NOTE: Publish operation is not supported.

  4. Table 11: Methods for handling outstanding objects

    Icon

    Method Description

    Delete The object is immediately deleted in the One Identity Manager database. Deferred deletion is not taken into account. The Outstanding label is removed for the object. Indirect memberships cannot be deleted.

    Publish

    The object is added in the target system. The Outstanding label is removed for the object. The method triggers the HandleOutstanding event. This runs a target system specific process that triggers the provisioning process for the object. Prerequisites

    • The table containing the object can be published.
    • The target system connector has write access to the target system.

    Reset The Outstanding label is removed for the object.

  5. Confirm the security prompt with Yes.

NOTE:

  • By default, the selected objects are processed in parallel, which speeds up execution of the selected method. If an error occurs during processing, the action is stopped and all changes are discarded.
  • Bulk processing of objects must be disabled if errors are to be localized, which means the objects are processed sequentially. Failed objects are named in the error message. All changes that were made up until the error occurred are saved.

To disable bulk processing

  • Deactivate in the form toolbar.

    You must customize synchronization to synchronize custom tables.

Speeding up synchronization with revision filtering

When you start synchronization, all synchronization objects are loaded. Some of these objects have not been modified since the last synchronization and, therefore, must not be processed. Synchronization is accelerated by only loading those object pairs that have changed since the last synchronization. One Identity Manager uses revision filtering to accelerate synchronization.

SCIM supports revision filtering for schemas AzRoles, AzRoleAssignment, AzGroupRoleAssignment, AzUserRoleAssignment and AzSPRoleAssigbment. The Azure Cloud system object's date of last change is used as revision counter. Each synchronization saves its last execution date as a revision in the One Identity Manager database (table DPRRevisionStore, column Value). This value is used as a comparison for revision filtering when the same workflow is synchronized the next time. When this workflow is synchronized the next time, the Azure cloud system object's change date is compared with the One Identity Manager revision saved in the database. Only those objects that have been changed since this date are loaded from the Azure Cloud System.

The revision is found at start of synchronization. Objects changed after this point are included with the next synchronization.

Revision filtering can be applied to workflows and start up configuration.

To permit revision filtering on a workflow

  1. Open the synchronization project in the Synchronization Editor.

  2. Edit the workflow properties. Select the entry Use revision filter from Revision filtering.

To permit revision filtering for a start up configuration

  1. Open the synchronization project in the Synchronization Editor.

  2. Edit the start up configuration properties. Select the entry Use revision filter from Revision filtering.

For more detailed information about revision filtering, see the One Identity Manager Target System Synchronization Reference Guide.

Help for the analysis of synchronization issues

You can generate a report for analysing problems which occur during synchronization, for example, insufficient performance. The report contains information such as:

  • Consistency check results

  • Revision filter settings

  • Scope applied

  • Analysis of the synchronization buffer

  • Object access times in the One Identity Manager database and in the target system

To generate a synchronization analysis report

  1. Open the synchronization project in the Synchronization Editor.

  2. Select the menu Help | Generate synchronization analysis report and answer the security prompt with Yes.

    The report may take a few minutes to generate. It is displayed in a separate window.

  3. Print the report or save it in one of the available output formats.

Deactivating synchronization

Regular synchronization cannot be started until the synchronization project and the schedule are active.

To prevent regular synchronization

  1. Open the synchronization project in the Synchronization Editor.

  2. Select the start-up configuration and deactivate the configured schedule.

    Now you can only start synchronization manually.

An activated synchronization project can only be edited to a limited extend. The schema in the synchronization project must be updated if schema modifications are required. The synchronization project is deactivated in this case and can be edited again.

Furthermore, the synchronization project must be deactivated if synchronization should not be started by any means (not even manually).

To deactivate the synchronization project

  1. Open the synchronization project in the Synchronization Editor.

  2. Select General on the start page.

  3. Click Deactivate project.

Related Topics

Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen