Tchater maintenant avec le support
Tchattez avec un ingénieur du support

Identity Manager 9.2.1 - One Identity Manager Connector User Guide

Setting up synchronization with the One Identity Manager connector Setting up system synchronization Setting up synchronization using custom configuration Troubleshooting

Speeding up synchronization with revision filtering

When you start synchronization, all synchronization objects are loaded. Some of these objects have not be modified since the last synchronization and, therefore, must not be processed. Synchronization is accelerated by only loading those object pairs that have changed since the last synchronization. One Identity Manager uses revision filtering to accelerate synchronization.

One Identity Manager supports revision filtering. The date of the last target system object change (XDateUpdated) is used as revision counter. Each synchronization saves the last date is was run as a revision in the One Identity Manager database (DPRRevisionStore table, Value column). This value is used as a comparison for revision filtering when the same workflow is synchronized the next time. When this workflow is synchronized the next time, the target system objects' change date is compared with the revision saved in the One Identity Manager database. Only those objects that have been changed since this date are loaded from the target system.

Synchronization is even faster if the change information on the schema type also takes deleted objects into account. If a schema type's objects were neither added, changed nor deleted, the synchronization step can be skipped. Objects must not be loaded for comparison. To take advantage of this optimization, the revision data for tables must be saved in both of the connected databases.

To use optimized revision filtering

  1. Start the Designer and connect to the central database.

  2. Set the Common | TableRevision configuration parameter.

  3. Save the changes.
  4. Connect the Designer to the work database.

  5. Set the Common | TableRevision configuration parameter.

  6. Save the changes.

Now each time a table changes, the table's revision date updates. This information is stored in the QBMTableRevision table, RevisionDate column. In this way, One Identity Manager identifies whether objects in a table have been added, changed, or deleted.

Synchronization with revision filtering compares a table's revision date against the revision saved in the One Identity Manager database. If the revision date is older, no objects have been changed in this table since the previous synchronization. Therefore, synchronization does not carry out this step for the affected schema type. If the revision date is newer, synchronization carries out this step and the changed objects are determined as described above.

The revision is found at start of synchronization. Objects modified by synchronization are loaded and checked by the next synchronization. This means that the second synchronization after initial synchronization is not significantly faster.

Revision filtering can be applied to workflows and start up configuration.

To permit revision filtering on a workflow

  • In the Synchronization Editor, open the synchronization project.

  • Edit the workflow properties. Select the Use revision filter item from Revision filtering menu.

To permit revision filtering for a start up configuration

  • In the Synchronization Editor, open the synchronization project.

  • Edit the start up configuration properties. Select the Use revision filter item from the Revision filtering menu.

NOTE: If the Common | TableRevision is not set, all revision data in the QBMTableRevision table is deleted.

For more information about revision filtering, see the One Identity Manager Target System Synchronization Reference Guide.

Configuring the provisioning of memberships

Memberships, such as user accounts in groups, are saved in assignment tables in the One Identity Manager database. During provisioning of modified memberships, changes made in the target system may be overwritten. This behavior can occur under the following conditions:

  • Memberships are saved as an object property in list form in the target system.

  • Memberships can be modified in either of the connected systems.

  • A provisioning workflow and provisioning processes are set up.

If one membership in One Identity Manager changes, by default, the complete list of members is transferred to the target system. Therefore, memberships that were previously added to the target system are removed in the process and previously deleted memberships are added again.

To prevent this, provisioning can be configured such that only the modified membership is provisioned in the target system. The corresponding behavior is configured separately for each assignment table.

To allow separate provisioning of memberships

  1. In the Manager, select the Data Synchronization > Basic configuration data > Target system types category.

  2. In the result list, select the target system type.

  3. Select the Configure tables for publishing task.

  4. Select the assignment tables that you want to set up for single provisioning. Multi-select is possible.

  5. Click Merge mode.

    NOTE:

    • This option can only be enabled for assignment tables that have a base table with a XDateSubItem column.

    • Assignment tables that are grouped together in a virtual schema property in the mapping must be marked identically.

  6. Save the changes.

For each assignment table labeled like this, the changes made in One Identity Manager are saved in a separate table. Therefore, only newly added and deleted assignments are processed. During modification provisioning, the members list in the target system is compared to the entries in this table. This means that only modified memberships are provisioned and not the entire members list.

NOTE: The complete members list is updated by synchronization. During this process, objects with changes but incomplete provisioning are not handled. These objects are logged in the synchronization log.

You can restrict single provisioning of memberships with a condition. Once merge mode has been disabled for a table, the condition is deleted. Tables that have had the condition deleted or edited are marked with the following icon: . You can restore the original condition at any time.

To restore the original condition

  1. Select the auxiliary table for which you want to restore the condition.

  2. Right-click on the selected row and select the Restore original values context menu item.

  3. Save the changes.

NOTE: To create the reference to the added or deleted assignments in the condition, use the i table alias.

Example of a condition on the UNSAccountBInUNSGroupB assignment table:

exists (select top 1 1 from UNSGroupB g
where g.UID_UNSGroupB = i.UID_UNSGroupB
and <limiting condition>)

For more information about provisioning memberships, see the One Identity Manager Target System Synchronization Reference Guide.

Configuring single object synchronization

Changes made to individual objects in the target system can be immediately applied in the One Identity Manager database without having to start a full synchronization of the target system environment. Individual objects can only be synchronized if the object is already present in the One Identity Manager database. The changes are applied to the mapped object properties. If the object is no longer present in the target system, then it is deleted from the One Identity Manager database.

Prerequisites
  • A synchronization step exists that can import the changes to the changed object into One Identity Manager.

  • The path to the base object of the synchronization is defined for the table that contains the changed object.

To define the path to the base object for synchronization for a table

  1. In the Manager, select the Data Synchronization > Basic configuration data > Target system types category.

  2. In the result list, select the target system type.

  3. Select the Assign synchronization tables task.

  4. In the Add assignments pane, assign the table for which you want to use single object synchronization.

  5. Save the changes.
  6. Select the Configure tables for publishing task.

  7. Select the table and enter the Root object path.

    • If a concrete base object is defined for the target system, enter the path to the base object in the ObjectWalker notation of the VI.DB.

      Example: FK(UID_GAPCustomer).XObjectKey

    • If no concrete base object is defined for the target system, enter the XObjectKey of the base table.

      Example: <Key><T>DialogTable</T><P>RMB-T-Org</P></Key>

  8. Save the changes.

Starting synchronization

Synchronization is started using scheduled process plans. A scheduled process plan is added once a start up configuration is assigned to a schedule. Use schedules to define running times for synchronization.

NOTE: Synchronization can only be started if the synchronization project is enabled.

To run synchronization regularly, configure, and activate the a schedule. You can also start synchronization manually if there is no active schedule.

IMPORTANT: As long as a synchronization process is running, you must not start another synchronization process for the same target system. This especially applies, if the same synchronization objects would be processed.

  • If another synchronization process is started with the same start up configuration, the process is stopped and is assigned Frozen status. An error message is written to the One Identity Manager Service log file.

    • Ensure that start up configurations that are used in start up sequences are not started individually at the same time. Assign start up sequences and start up configurations different schedules.

  • Starting another synchronization process with different start up configuration that addresses same target system may lead to synchronization errors or loss of data. Specify One Identity Manager behavior in this case, in the start up configuration.

    • Use the schedule to ensure that the start up configurations are run in sequence.

    • Group start up configurations with the same start up behavior.

If you want to specify the order in which target systems are synchronized, use the start up sequence to run synchronization. In a start up sequence, you can combine start up configurations from different synchronization projects and specify the order in which they are run. For more information about start up sequences, see the One Identity Manager Target System Synchronization Reference Guide.

Documents connexes

The document was helpful.

Sélectionner une évaluation

I easily found the information I needed.

Sélectionner une évaluation