Disabling system synchronization
Regular synchronization can only be started if schedules are enabled.
To prevent regular synchronization
-
In the Designer, disable the Daily database synchronization, Frequent database synchronization, andMost frequent database synchronization schedules.
If you do not want synchronization to be started manually, deactivate the synchronization project as well.
To deactivate the synchronization project
-
In the Synchronization Editor, open the synchronization project.
-
Select the General view on the start page.
-
Click Deactivate project.
Related topics
Setting up synchronization using custom configuration
To manually set up synchronization with a One Identity Manager database, follow the steps described here.
To set up synchronization manually
- Install and configure a synchronization server and declare the server as a Job server in One Identity Manager.
-
Provide One Identity Manager users with the required permissions for setting up synchronization and post-processing synchronization objects.
- Create a synchronization project with the Synchronization Editor.
Detailed information about this topic
Users and permissions for synchronizing
In the synchronization with the database connectors, there are three use cases for mapping synchronization objects in the One Identity Manager data model.
-
Mapping custom target systems
-
Mapping default tables (for example Person or Department)
-
Mapping custom tables
In the case of One Identity Manager tools non role-based login, it is sufficient to add a system user in the DPR_EditRights_Methods and QBM_LaunchPad permissions groups. For more information about system users and permissions groups, see the One Identity Manager Authorization and Authentication Guide.
Table 2: Users and permissions groups for non role-based login
One Identity Manager administrators |
administrator and administrative system users Administrative system users are not added to application roles.
administrators:
-
Create customized permissions groups for application roles for role-based login to administration tools in the Designer as required.
-
Create system users and permissions groups for non role-based login to administration tools in the Designer as required.
-
Enable or disable additional configuration parameters in the Designer as required.
-
Create custom processes in the Designer as required.
-
Create and configure schedules as required. |
System users in the DPR_EditRights_Methods permissions group |
|
System users in the QBM_LaunchPad permissions group |
|
There are different steps required for role-based login, in order to equip One Identity Manager users with the required permissions for setting up synchronization and post-processing of synchronization objects.
Table 3: User and permissions groups for role-based login: Mapped as custom target system
One Identity Manager administrators |
administrator and administrative system users Administrative system users are not added to application roles.
administrators:
-
Create customized permissions groups for application roles for role-based login to administration tools in the Designer as required.
-
Create system users and permissions groups for non role-based login to administration tools in the Designer as required.
-
Enable or disable additional configuration parameters in the Designer as required.
-
Create custom processes in the Designer as required.
-
Create and configure schedules as required. |
Target system administrators |
Target system administrators must be assigned to the Target systems | Administrators application role.
Users with this application role:
-
Administer application roles for individual target system types.
-
Specify the target system manager.
-
Set up other application roles for target system managers if required.
-
Specify which application roles for target system managers are mutually exclusive.
-
Authorize other employees to be target system administrators.
-
Do not assume any administrative tasks within the target system. |
Target system managers |
Users with this application role:
-
Assume administrative tasks for the target system.
-
Create, change, or delete target system objects.
-
Edit password policies for the target system.
-
Can add employees who have another identity than the Primary identity.
-
Configure synchronization in the Synchronization Editor and define the mapping for comparing target systems and One Identity Manager.
-
Edit the synchronization's target system types and outstanding objects.
-
Authorize other employees within their area of responsibility as target system managers and create child application roles if required. |
Table 4: User and permissions groups for role-based login: Default table mapping
One Identity Manager administrators |
administrator and administrative system users Administrative system users are not added to application roles.
administrators:
-
Create customized permissions groups for application roles for role-based login to administration tools in the Designer as required.
-
Create system users and permissions groups for non role-based login to administration tools in the Designer as required.
-
Enable or disable additional configuration parameters in the Designer as required.
-
Create custom processes in the Designer as required.
-
Create and configure schedules as required. |
Custom application role |
Users with this application role:
The application role gets its permissions through a custom permissions group and the vi_4_SYNCPROJECT_ADMIN permissions group. |
Table 5: Users and permissions groups for role-based login: Custom table mapping (only custom configuration)
One Identity Manager administrators |
administrator and administrative system users Administrative system users are not added to application roles.
administrators:
-
Create customized permissions groups for application roles for role-based login to administration tools in the Designer as required.
-
Create system users and permissions groups for non role-based login to administration tools in the Designer as required.
-
Enable or disable additional configuration parameters in the Designer as required.
-
Create custom processes in the Designer as required.
-
Create and configure schedules as required. |
Application roles for custom tasks |
Administrators must be assigned to the Custom | Administrators application role.
Users with this application role:
|
Manager for custom tasks |
Managers must be assigned to the Custom | Managers application role or a child role.
Users with this application role:
-
Add custom task in One Identity Manager.
-
Configure and start synchronization in the Synchronization Editor.
-
Edit the synchronization's target system types as well as outstanding objects in the Manager.
You can use these application roles, for example, to guarantee One Identity Manager user permissions on custom tables or columns. All application roles that you define here must obtain their permissions through custom permissions groups.
The application role gets its permissions through a custom permissions group and the vi_4_SYNCPROJECT_ADMIN permissions group. |
To configure synchronization projects and target system synchronization (in the use cases 2 and 3)
-
Set up a custom permissions group with all permissions for configuring synchronization and editing synchronization objects.
-
Assign a custom application role to this permissions group.
Detailed information about this topic
Setting up custom application roles for custom configuration
For role-based login, create a custom application role to guarantee One Identity Manager users the necessary permissions for configuring synchronization and handling outstanding objects. This application role obtains the required permissions by using a custom permissions group.
To set up an application role for synchronization (use case 2):
-
In the Manager, select the default application role to use to edit the objects you want to synchronization.
If you want to import employee data, for example, select the Identity Management | Employees | Administrators application role. The default permissions group of this application role is vi_4_PERSONADMIN.
-
In the Designer, create a new permissions group .
-
Make the new permissions group dependent on the vi_4_SYNCPROJECT_ADMIN permissions group.
Then the vi_4_SYNCPROJECT_ADMIN permissions groups must be assigned as the parent permissions group. This means that the new permissions group inherits the properties.
-
Make the new permissions group dependent on the default permissions group of the selected default application role.
Then the default permissions groups must be assigned as the parent permissions group. This means that the new permissions group inherits the properties.
- Save the changes.
-
In the Manager, create a new application role.
-
Assign the selected application role to be the parent application role.
-
Assign the newly created permissions group.
-
Assign employees to this application role.
- Save the changes.
To set up an application role for synchronization (use case 3):
-
In the Designer, create a new permissions group for custom tables that are populated by synchronization.
-
Guarantee this permissions group all the required permissions to the custom tables.
-
Create another permissions group for synchronization.
-
Make the permissions group for synchronization dependent on the permissions group for custom tables.
Then the permissions group for custom tables must be assigned as the parent permissions group. This means the permissions groups for synchronization inherits its properties.
-
Make the permissions group for synchronization dependent on the vi_4_SYNCPROJECT_ADMIN permissions group.
Then the vi_4_SYNCPROJECT_ADMIN permissions groups must be assigned as the parent permissions group. This means the permissions groups for synchronization inherits its properties.
- Save the changes.
-
In the Manager, create a new application role.
-
Assign the Custom | Managers application role as the parent application role.
-
Assign the permissions group for the synchronization.
-
Assign employees to this application role.
- Save the changes.
For more information about setting up application roles and permissions groups, see the One Identity Manager Authorization and Authentication Guide.