methods can be limited to a set of the objects. To do this, specify the condition under which the processing method is to be run. You can specify different processing methods for different sets of objects. These are run in the given order.
To define processing for different sets
- Select a processing method from the drop-down for an object set.
- Click to specify another processing method for this object set. Select a processing method from the drop-down.
- Create the conditions required for running the processing method. Click next to the method.
  Enter the condition. You can use comparisons, logical operators, and variables. You can write queries with a wizard or enter them directly.
- Use the following expression in the condition to access the schema properties of the system in which you want the processing method to be run: Base.<schema property>
- To access the schema properties of the other system, use the following expression in the condition: Other.<schema property>
- Use and to specify the order in which to run the processing methods.
Example
All user accounts that only exist in Active Directory are processed as follows when synchronizing Active Directory user accounts from One Manager in the direction of One Identity Manager:
| Example | Description | Processing method | Condition |
|---|---|---|---|
| 1 | All user accounts connected to an identity are marked for deletion. | MarkForDeletion | Base.UID_Person <> '' |
| 1 | All user accounts not connected to an identity are deleted. | Delete | Base.UID_Person = '' |
| 2 | All user accounts in container A are deleted. | Delete | Base.UID_ADSContainer = '4b53ff19-6ae4-4a87-86bd-eca3ddf5ebf2' |
| 2 | All user accounts not belonging to container A are marked for deletion. | MarkForDeletion | Base.UID_ADSContainer <> '4b53ff19-6ae4-4a87-86bd-eca3ddf5ebf2' |
Apart from a connector’s default and additional methods, the can also use processing methods. This is done using custom scripts.
To set up and use a custom processing method
- In the , create a script to make the necessary modifications to the loaded objects.
Script structure
References VI.Projector.Database.dll
<Tag("Projector")>
<BaseObjectType("Table")>
Public Sub CCC_ScriptName(unit As IUnitOfWork, entity As IEntity(), args As VI.Projector.Database.ScriptMethodArgs)
    'Steps to execute
    ...
End Sub
- <Tag("Projector")>: Labels the script to use as a processing method. This enables the Synchronization Editor to identify the scripts to use as processing methods.
- <BaseObjectType("Table")>: Defines the type of objects the script will be applied to. Enter the table that contains the objects to be handled.
  If the script can be applied to several object types, define a separate object type for each table.
- CCC_ScriptName: Script name. In the Synchronization Editor, you can select the script as the processing method under this name. Enter a name that uniquely describes the processing method.
For more information about creating scripts with the Script Editor, see the One Identity Manager Configuration Guide.
- Compile the script.
- In the Synchronization Editor, open the .
- Select the Configuration > One Identity Manager connection category and update the One Identity Manager schema.
- In the Workflows category, select the in which you want to use the new processing method.
- Find the synchronization step and click Edit.
  The synchronization step must handle the object type defined in the script.
- On the Processing tab, you can select processing methods under the script name.
Example scripts
The following example script removes the manager from all departments and locations that the script will be applied to as a processing method.
References VI.Projector.Database.dll
<Tag("Projector")>
<BaseObjectType("Department")>
<BaseObjectType("Locality")>
Public Sub CCC_Department_RemoveManager(unit As IUnitOfWork, entities As IEntity(), args As VI.Projector.Database.ScriptMethodArgs)
    For Each currEntity As IEntity In entities
        ' Only touch objects that currently have a manager assigned
        If Not String.IsNullOrEmpty(currEntity.GetValue("UID_PersonHead").ToString()) Then
            currEntity.PutValue("UID_PersonHead","")
            ' Queue the modified object in the unit of work
            unit.Put(currEntity)
        End If
    Next
End Sub
The following sample script creates or updates database objects.
References VI.Projector.Database.dll
<Tag("Projector")>
<BaseObjectType("ADSAccount")>
Public Sub CCC_SpecialCommit(unit As IUnitOfWork, entities As IEntity(), args As VI.Projector.Database.ScriptMethodArgs)
    For Each entity In entities
        ' Copy each key/value pair from args.Changes onto the object
        For Each kvp In args.Changes
            entity.PutValue(kvp.Key, kvp.Value)
        Next
        ' Queue the object in the unit of work
        unit.Put(entity)
    Next
End Sub
Errors in the configuration can cause system objects to be processed incorrectly. Data errors caused by an incorrect configuration can be reduced. Often, it is known how many system objects are generally modified, added, or deleted in a . If this number is exceeded when a processing method is run, a warning appears and synchronization is stopped. The and mapping configurations can be checked and corrected before repeating synchronization.
To specify the maximum set of system objects that can be processed in a synchronization step, define quotas for each processing method. A quota provides the maximum number of objects to process relative to the total number of all objects in the schema class to be synchronized. When a synchronization step is run, One Identity Manager calculates the number of objects to process for each processing method with a quota. If this number exceeds the quota, processing of objects in this schema class stops. Synchronization stops and writes an error message in the synchronization log.
You can define different quotas for synchronizing with the target system and synchronizing with One Identity Manager. Variables can also be used for this.
Table 52: Quotas for a synchronization step
- No quota: Specifies whether quotas are taken into account by synchronization. If this is set, quotas are not included.
- Use following settings: Specifies whether the connected system takes quotas into account. Quotas are defined in the following settings.
- Method: Processing methods that take quotas into account.
- Quota (%): Quota in percent or as a variable defined in the quota.
  When you configure a new synchronization step for objects in One Identity Manager for the Delete , a quota of 10% is automatically set. Adjust the quota as required.
  By default, One Identity Manager specifies quotas for synchronization in the target system in workflows created with the workflow wizard. Adjust the quota as required.
  - Update processing method: 75%
  - Delete processing method: 10% for single objects, 20% for many-to-many schema types.
- Use variable: List of variables that can be used in quotas.
  If different quotas are used for different startup configurations, specify variables for the quotas. Specify the value of the variable as an integer (0%-100%) or as a decimal (0.0-1.0).
Notes
- Quotas can only be defined for processing methods which modify data (for example, Insert, Update, Delete).
- When the number of objects to process is being calculated, One Identity Manager takes the number of objects loaded in the slim list. Conditions defined for processing methods are not taken into account!
  Enter a higher quota for processing methods that use a condition to limit the number of objects to synchronize.
- To check whether the quota will be exceeded, all the objects to be processed are loaded first. Only then will the processing method be run. If there is a large amount of data, this can affect synchronization performance.
- If the quota is exceeded by a single object, that object will still be processed.
  For example, if a quota of 10% is defined for a schema class with only 8 objects and exactly one object has been changed, then this object will be processed even though the quota has already been exceeded.
  In , quotas are ineffective because only single objects are ever processed.
- Quotas affect membership synchronization only when M:N schema types are processed in a separate synchronization step. (Example: Synchronization of assignments of SAP to SAP user accounts. The quota refers to the set of UserInRole objects).
  If memberships are stored as a base (member list), the quota only affects the base object and not the individual members. (Example: Synchronization of Active Directory groups. The quota refers only to the number of groups and not to the number of members).
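The quota rules in these notes can be modelled in a few lines of Python. This is an added example, not One Identity Manager code: the function names, the sample slim list, the container placeholder, and the way integer and decimal quota values are told apart are assumptions.

```python
"""Model of the documented quota rules. Added example, not One Identity Manager code."""
from fractions import Fraction


def parse_quota(value: str) -> Fraction:
    """Quota variable as a fraction of the schema class.

    Assumption: a value without a decimal point is a percentage (0-100),
    a value with one is a fraction (0.0-1.0).
    """
    text = value.strip()
    quota = Fraction(text) if "." in text else Fraction(int(text), 100)
    if not 0 <= quota <= 1:
        raise ValueError(f"quota out of range: {value!r}")
    return quota


def check_quota(total: int, slim_list: list, quota: str) -> dict:
    """Decide whether a processing method may run.

    total     -- all objects in the schema class being synchronized
    slim_list -- objects loaded for this method; the method's condition
                 is NOT applied before counting
    """
    allowed = total * parse_quota(quota)
    counted = len(slim_list)
    # A single object is still processed even if it alone exceeds the quota.
    stop = counted > allowed and counted > 1
    return {"counted": counted, "allowed": float(allowed), "stop": stop}


# Constructed sample: 100 accounts in the schema class, 30 loaded for Delete,
# only 5 of them in the container named by the method's condition.
CONTAINER_A = "container-A"  # placeholder, not a real UID
PENDING = [{"UID_ADSContainer": CONTAINER_A if i < 5 else "container-B"}
           for i in range(30)]


def matches_condition(obj: dict) -> bool:
    """Stand-in for the condition Base.UID_ADSContainer = '<container A>'."""
    return obj["UID_ADSContainer"] == CONTAINER_A


if __name__ == "__main__":
    would_delete = sum(matches_condition(o) for o in PENDING)
    print(would_delete, check_quota(100, PENDING, "10"))   # condition ignored
    print(check_quota(8, PENDING[:1], "10"))               # single object
```

In the constructed sample the Delete method would only act on the five objects matching its condition, yet the step stops because all 30 loaded objects count against the 10% quota, which is why a higher quota is recommended for methods with conditions.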
You can specify which property rules must be applied to each . For example, dependencies between schema class objects can be resolved this way.
NOTE: Unmarked rules are included automatically.