Tchater maintenant avec le support
Tchattez avec un ingénieur du support

Identity Manager 9.2.1 - Target System Synchronization Reference Guide

Target system synchronization with the Synchronization Editor Working with the Synchronization Editor Basics of target system synchronization Setting up synchronization
Starting the Synchronization Editor Creating a synchronization project Configuring synchronization
Setting up mappings Setting up synchronization workflows Connecting systems Configuring the synchronization log Editing the scope Using variables and variable sets Setting up start up configurations Setting up base objects
Overview of schema classes Customizing the synchronization configuration Checking the consistency of the synchronization configuration Activating the synchronization project Defining start up sequences Copying synchronization projects
Running synchronization Synchronization analysis Setting up synchronization with default connectors Updating existing synchronization projects Script library for synchronization projects Additional information for experts Troubleshooting errors when connecting target systems Configuration parameters for target system synchronization Configuration file examples

What is a scope?

The scope specifies which parts of the connected systemClosed should be synchronized. The scope is set for the target system to be synchronized as well as for the One IdentityClosed Manager schema. If no scope is defined, all objects in the connected system are synchronized.

Example:

Active Directory domains "xyz" and "uvw" are managed through One Identity Manager. The containers "abc", "def", and "ghi" from the Active Directory domain "xyz" should be synchronized. A scope is defined for the target system connection and the One Identity Manager database connection which filters only these objects. The Active Directory domain "uvw" should initially not be synchronized.

Figure 8: Example for scope definition

To specify a scope, define a system filter and object filter.

Hierarchy filter

Some target systems offer an additional option to specify the scope: the hierarchy filterClosed. This filter limits the number of objects to load in the connected system. It is therefore effectively the same as a system filter. The hierarchy filter is built based on the target system's real objects. The objects are displayed in their hierarchical structure. All objects included in the scope are marked in the hierarchy. All objects that are not marked remain outside the scope and are not included in the synchronization. The hierarchy filter can only be applied to objects and not to their schema properties. Create an additional object filter to include schema properties as criteria in the scope definition.

A fully defined hierarchy filter can be transformed into a variable. Thus the filter can be redefined in a specialized variable set and used for other synchronization configurations.

Reference scope

References to objects in different target systems can be mapped in the One Identity Manager database. In order to solve these references, the target system scope must be extended to include the referenced target systems. For this, you can additionally define a reference scope for each system connection. You can enter the reference scope for the database in the same way. This means that references to parts of the One Identity Manager database can be resolved which are not included in the general scope.

If no reference scope is defined, the general scope is also used for the reference resolution.

Example

Active Directory domains "xyz" and "uvw" are trusted domains. User accounts from both domains are members in Active Directory groups in the Active Directory domain "xyz". Define a reference scope to assign referenced user accounts of the domain "uvw" during group membership synchronization. In the reference scope, specify that referenced objects should also be searched for in the Active Directory domain "uvw".

If you have not defined a reference scope, Active Directory SIDs are determined for Active Directory domain "uvw" user accounts during Active Directory domain "uvw" group membership synchronization and entered in the One Identity Manager data store.

Related topics

How does revision filtering work?

When you start synchronizationClosed, all synchronization objects are loaded. Some of these objects have not be modified since the last synchronization and, therefore, must not be processed. Synchronization is accelerated by only loading those object pairs that have changed since the last synchronization. One IdentityClosed Manager uses revision filtering to accelerate synchronization.

Prerequisites

  • The target system supports revision filtering.

    This data is supplied by the system connector.

  • SchemaClosed types own a schema property which is labeled as a revision counterClosed.

    This schema property stores the information about the last object modifications.

    Example of an Active Directory group:

    • In the target system schema: UNS Changed
    • In the One Identity Manager schema: RevisionClosed Date
  • Revision filteringClosed permitted for this synchronization workflowClosed.

Revision filtering can be applied to workflows and start up configuration. The workflow setting is valid for all synchronizations with this workflow. In order to synchronize with the same workflow at different times, with, and without revision filtering, create different start up configurations and specify revision filtering for them.

To permit revision filtering on a workflow

  • In the Synchronization EditorClosed, open the synchronization projectClosed.

  • Edit the workflow properties. Select the Use revision filter item from Revision filtering menu.

For more information, see Editing workflows.

To permit revision filtering for a start up configuration

  • In the Synchronization Editor, open the synchronization project.

  • Edit the start up configuration properties. Select the Use revision filter item from the Revision filtering menu.

For more information, see How to edit start up configurations.

Normally, each object keeps information about the last changes made. The highest change data value of all synchronized objects of a schema type is taken as the revision in the One Identity Manager database (DPRRevisionStore table, DPRRevisionStore column). This value is used as a comparison for revision filtering when the same workflow is synchronized the next time. This means that when this workflow is next synchronized, the object change data is compared with the revision saved in the One Identity Manager database. This involves finding object pairs where one has newer change data than the last time it was synchronized. Thus, only objects that have changed since the last synchronization are updated.

The reference parameter for revision filtering is also the last schema type synchronization with the same workflow. The table DPRRevisionStore contains one entry per workflow and schema type.

Synchronization is even faster if the change information on the schema type also takes deleted objects into account. If a schema type's objects were neither added, changed nor deleted, the synchronization step can be skipped. Objects must not be loaded for comparison. Use of this optimization depends on whether the target system provides the appropriate change information.

To use optimized revision filtering

  • In the DesignerClosed, set the Common | TableRevision configuration parameterClosed.

    Now each time a table changes, the table's revision date updates. This information is stored in the QBMTableRevision table, RevisionDate column. In this way, One Identity Manager identifies whether a table object has been added, changed, or deleted.

NOTE: One Identity Manager supplies a scheduledClosed process planClosed, which regularly cleans up the contents of the DPRAttachedDataStore table. Entries for schema types that are no longer used in the synchronization configuration are deleted in the process. The process plan is run during daily maintenanceClosed.

NOTE: If the Common | TableRevision is not set, all revision data in the QBMTableRevision table is deleted.

Related topics

How does dependency resolution work?

Dependencies can arise between schema classes that require synchronization stepsClosed to be repeated. For example, object references cannot be set until the reference object has been added. Dependencies can also arise between schema properties within a schema class.

Figure 9: Example of a workflow with dependent schema classes and schema properties

One IdentityClosed Manager can automatically resolve such dependencies. In this case, the synchronizationClosed steps are group together such that the referenced objects are synchronized first and them the dependent objects next. If dependencies exist within a schema class, additional synchronization steps are inserted to synchronize the dependent schema properties. The final sequence of synchronization steps can be viewed in the Implementation plan report.

NOTE: If dependencies exist between schema classes, the schema classes must be synchronized by the same workflow so that dependencies can be automatically resolved.

Figure 10: Example of a workflow with automatic dependency resolution

To set up automatic resolution of dependencies

Use automatic dependency resolution by default. Only select manual dependency resolution if individual dependencies cannot be resolved automatically. For example, this may be necessary if two objects reference each other as mandatory properties.

NOTE: If dependency resolution is set to Manual, One Identity Manager does not check whether dependencies exits between schema classes and schema properties during synchronization. The synchronization steps are processed sequentially in the order displayed in the workflow view.

Synchronization exits with an error if dependencies exist that cannot be resolved.

To resolve dependencies manually

  1. Find the schema properties between which dependencies exist.

  2. Create a workflow with synchronization steps which take the following criteria into account:

    1. Synchronization steps for schema classes without object dependencies

    2. Synchronization steps for schema classes with objects referenced in other schema classes

      • Exclude the property mapping rules for dependent schema properties. Use the rule filter to do this.

    3. Synchronization steps for schema classes and schema properties that reference dependent objects

      • Enable the Step only for dealing with dependency conflicts option.

        These synchronization steps are performed only for objects that exist in both of the connected systemsClosed.

      • Include the property mapping rules for dependent schema properties. Use the rule filter to do this. All property mapping rules that have already been run in the previous steps can be excluded.

  3. Specify the synchronization step sequence such that all synchronization steps for a) are run first, then all the synchronization steps for b), and lastly all the synchronization steps for c).

  4. Edit the workflow properties. Select:

    Dependency resolution: Manual

    For more information, see Editing workflows.

Example of a workflow with manual dependency resolution

User accounts (Account) reference a primary system entitlementClosed (UIDClosed_EntitlementPrimary) and one user account must be assigned as a manager (UID_ManagerAccount) on the system entitlement (Entitlement).

A synchronization workflow is defined by the following synchronization steps:

  1. User accounts (Account)

    Excluded rule: Primary system entitlement rule(UID_EntitlementPrimary)

    Step only for dealing with dependency conflicts: disabled

  2. System entitlements (Entitlement)

    Step only for dealing with dependency conflicts: disabled

    The property mapping rule for the system entitlement manager (UID_ManagerAccount) remains included because the referenced user accounts are already synchronized in step 1.

  3. User accounts (Account)

    Step only for dealing with dependency conflicts: enabled

    Included rule: Primary system entitlement rule(UID_EntitlementPrimary)

    All other property mapping rules are excluded.

Related topics

Unresolvable references

If a reference object does not exist in the One IdentityClosed Manager database, the object reference cannot be resolved by synchronizingClosed. Unresolvable object references are written in a buffer called the data store (table DPRAttachedDataStore). This ensures that these references remain intact and are not deleted in the target system by provisioning.

Example

An Active Directory group has an account manager, which owns a domain not in the current synchronization run. The account manager is not in the One Identity Manager database either.

Synchronization cannot assign an account manager. In order to retain the assignment, the object reference is saved with the account manager's distinguished name in the data store.

During each synchronization One Identity Manager tries to clean up the data store. If referenced objects in the One Identity Manager database exist, the references can be resolved and the entries are deleted from the data store. The data store is cleaned up depending on the synchronization type (with or without revision filter) and the maintenanceClosed mode.

Table 21: Maintenance for unresolved object references
Maintenance mode Synchronization without revision filer Synchronization with revision filer
The following applies depending on the maintenance mode: Object references of all synchronization objects are cleaned up if they exist in the One Identity Manager database. Only object references for modified objects are cleaned up.
No maintenance There is no additional task of clearing up the data store.
Always synchronize affected objects No effect. The filter is removed on objects with unresolved references. Therefore, references are also cleaned if the objects have not been changed since the last synchronization.
Full maintenance after every synchronization One Identity Manager tries to resolve object references following synchronization. As a result, unresolved references are processed that arose during this synchronization run. One Identity Manager tries to resolve object references following synchronization. As a result, unresolved references are processed that arose during this synchronization run. Object references that were not modified are also cleaned up.

You can enter the number of retries for resolving object references. It may be necessary to try several times to resolve an object if it maps a hierarchy with several levels. One hierarchy level at a time can be resolved with each attempt to resolve an object.

To set up maintenance mode

NOTE: One Identity Manager supplies a scheduledClosed process planClosed, which regularly cleans up the contents of the table DPRAttachedDataStore. Object entries, which no longer exist in the One Identity Manager database are deleted. The process plan is run during daily maintenance.
Related topics
Documents connexes

The document was helpful.

Sélectionner une évaluation

I easily found the information I needed.

Sélectionner une évaluation