Chatta subito con l'assistenza
Chat con il supporto

Identity Manager 9.3 - One Identity Manager Connector User Guide

Setting up synchronization with the One Identity Manager connector Setting up system synchronization Setting up synchronization using custom configuration Troubleshooting

Preparing work database for setting up system synchronization

To be able to successfully run system synchronization, some properties must be set on the work database. You can run the SQL queries listed here with a suitable program.

TIP: Depending on the purpose of the work database, it may be useful to adjust further settings. For example, check whether to disable templates on the synchronized columns in the work database.

Using the GUID module

The Module GUID permitted table property (DialogTable.IsModuleGUIDAllowed) table property must be set on all the tables you want to synchronize. To enable this option, run the following query on the central database first and then on the work database.

-- transfer customized configuration DialogTable.IsModuleGUIDAllowed from your central database 
-- => manual process required
select UID_DialogTable, 'Update DialogTable set IsModuleGUIDAllowed = 1 
    where IsModuleGUIDAllowed = 0 and UID_DialogTable = '''+UID_DialogTable+''' ' as ChangeStatement 
    from DialogTable where IsModuleGUIDAllowed = 1
--if you got an result, copy the commands and execute them in your work database
Disabling all provisioning processes

Since there are no target systems associated with the work database, the standard provisioning processes should not be run here. Run the queries for this on the work database.

The following query disables all processes for the tables:

  • PersonHasTSBAccountDef

  • PersonHasQERResource

  • TSBAccountDef (TSB_TSBAccountDef_AutoAssignToPerson and TSB_TSBAccountDef_AutoRemoveFromPerson)

-- deactivate all predefined provisioning processes
update JobChain set NoGenerate = 1, XDateUpdated = GETUTCDATE(), XUserUpdated = 'SysSyncInitialConfig' from JobChain JC 
    join JobEventGen JEG on JEG.UID_JobChain = JC.UID_JobChain 
    join QBMEvent JE on JE.UID_QBMEvent = JEG.UID_QBMEvent where 
        (
        JE.EventName in ('Insert', 'Update', 'Delete', 'Assign', 'Remove'
        or JC.UID_DialogTable in ('TSB-T-PersonHasTSBAccountDef', 'QER-T-PersonHasQERResource'
        or UID_JobChain in ('TSB-F9E8F1B2DA86E847A254E70A572A3832','TSB-EB76885961C6404FB7BB73FC1AC83153')
        ) 
        and dbo.QBM_FCVGUIDToModuleOwner(JC.UID_JobChain) <> 'CCC' 
        and NoGenerate = 0

The following query disables the merge mode of single membership provisioning for all assignment tables.

-- deactivate merge for provisioning (DPRMemberShipAction) for all synchronized tables
update DPRNameSpaceHasDialogTable set IsAdHocSingleMemberShip = 0, WhereClause = Null

The following query prevents dependencies' modification dates from updating on assignment base tables.

-- deactivate XDateSubItem behavior for all synchronized tables
update QBMRelation set IsForUpdateXDateSubItem = 0 where UID_QBMRelation in 
    (
    select UID_QBMRelation from QBM_VQBMRelation r 
        join DialogTable t on r.UID_DialogTableChild=t.UID_DialogTable or r.UID_DialogTableParent=t.UID_DialogTable 
            where t.SystemSyncMode > 0 and r.IsForUpdateXDateSubItem = 1
    )
Disabling schedules

The following query disables all schedules except for custom schedules and system schedules. Modify this query for the purposes of the work database. Run the query on the work database.

-- deactivate all not required schedules
-- allow only system and custom schedules as well as such ones belonging to reports and attestation
-- but disable all synchronization schedules except the system synchronization
update DialogSchedule 
    set Enabled = 0, XDateUpdated = GETUTCDATE(), XUserUpdated = 'SysSyncInitialConfig' 
        where Enabled = 1 and 
            (
            dbo.QBM_FCVGUIDToModuleOwner(UID_DialogSchedule) not in ('CCC','QBM','QER','RPS','ATT'
            or (Name like '%execution of Initial Synchronization%' and Name not like 'System Synchronization%')
            )
Disabling DBQueue Processor tasks for SAP objects

Since there are no target systems associated with the work database, DBQueue Processor tasks for processing SAP objects can be disabled. Run the query on the work database.

-- disable SAP/SBW DBQueueTask for generation SAPUserMandant and SAPBWUser
update QBMDBQueueTask 
    set ProcedureName = 'QBM_ZDBQueueVoidTask', CountParameter = 0, MaxInstance = 1, IsBulkEnabled = 0, QueryForRecalculate = Null 
        where UID_Task in ('SAP-K-SAPUserMandant', 'SBW-K-SAPBWUser')
Disabling recalculation of dynamic roles

If dynamic roles are synchronized, the assignments should not be recalculated on the work database as it is possible that not all the required data is available here yet. The memberships and assignments are calculated only on the central database and transferred to the working database by synchronization.

IMPORTANT: You cannot specify a mapping direction for the DynamicGroup.IsRecalculationDeactivated column (No recalculation of assignments) in the synchronization configuration.

To prevent assignments to synchronized dynamic roles being calculated

  1. In the Designer, select the One Identity Manager Schema > Tables > Table category.

  2. Select the DynamicGroup table and click the Show table definition task to start the Schema Editor.

  3. In the Table properties view, select the Table scripts tab.

  4. In the Script (OnSaving) field, enter the following script.

    If CBool(Connection.Variables("Transport")) AndAlso CBool(Connection.Variables("Projector")) Then
         Base.PutValue("IsRecalculationDeactivated", 1)
    End If
  5. Select the Database > Save to database and click Save.

This prevents recalculation of assignments for dynamic roles that are imported into the work database by synchronization. The role memberships in effect are those from the central database that synchronized with the work database.

Related topics

Selecting tables and columns for system synchronization

Before you create a synchronization project for system synchronization, flag all the table and column content to synchronize.

NOTE: Selecting tables and columns

  • For each table selected, specify the mapping direction for all primary key columns and mandatory columns.

  • For each table selected, specify the mapping direction for the XOrigin and XIsInEffect columns.

  • For each table selected with multi-column uniqueness definitions, specify the mapping direction for all columns that make up the unique group and are not populated automatically.

  • If a base table and its derivatives are selected (for example, BaseTree and Department), then set the same synchronization configuration for both tables.

    • Same synchronization mode for the base table and its derivatives

    • Same columns to be mapped

    • Same mapping direction for these columns

IMPORTANT:

  • If an assignment table is selected for synchronization and the Provisioning the central database synchronization mode is selected, the table's Assign by event property must be enabled for this table to generate the provisioning processes.

    If this table property is enabled after a synchronization project has been generated, then the synchronization project must be regenerated.

  • If dynamic roles are synchronized, the assignments should not be recalculated on the work database as it is possible that not all the required data is available here yet. The memberships and assignments are calculated only on the central database and transferred to the working database by synchronization.

    You cannot specify a mapping direction for the DynamicGroup.IsRecalculationDeactivated column (No recalculation of assignments) in the synchronization configuration.

To select a table for system synchronization

  1. In the Designer, select the One Identity Manager schema category.

  2. Select the table and start the Schema Editor with the Show table definition task.

  3. In the Table properties view, select the System synchronization tab.

  4. Edit the following table properties:

    • Synchronization mode: Permitted synchronization directions and processing methods for this table. Set all the bit positions that apply to this table.

      Set:

      • The direction of synchronization

      • Whether to provision changes to the central database,

      • Which processing methods to use for application data

      • Whether to update system data

      • Which schedule to use for synchronizing this table (start frequency)

        If neither the Start synchronization frequently or the Start synchronization very frequently bit positions is set, synchronization is started once a day (default).

    • Columns for alternative rules: Comma delimited list of columns to be used for creating alternative object matching rules.

      If the One Identity Manager connector cannot identify a system object through the primary object matching rule, it applies the alternative rules to determine a matching system object. Enter the technical names of all the columns for which you want to generate alternative rules.

    • Columns for alternative rules: .NET class used to consider special cases when generating a synchronization project between two One Identity Manager databases.

  5. Set the permitted mapping direction for all columns to be mapped.

    1. Select the column in the Schema Editor and edit the column properties.

    2. On the More tab, in the Mapping direction drop-down, select all permitted mapping directions.

  6. Perform steps 2 to 5 for all the tables that are going to be synchronized.

  7. Select the Database > Save to database and click Save.

To set the mapping direction for a column

  1. In the Designer, select the One Identity Manager schema category.

  2. Select the table and start the Schema Editor with the Show table definition task.

  3. Select the column in the Schema Editor and edit the column properties.

  4. On the More tab, in the Mapping direction drop-down, select all permitted mapping directions.

  5. Select the Database > Save to database and click Save.

If you change the tables or columns to be synchronized after the synchronization project has been generated, the synchronization project will be updated automatically.

Related topics

Information required for creating a synchronization project for system synchronization

To set up a synchronization project for system synchronization, have the following information ready.

Table 1: Information required to set up a synchronization project
Data Explanation

Connection credentials for the central database

For direct database connection:

  • Database server

  • Database name

  • SQL login and password

  • Specifies whether integrated Windows authentication is used

    Use of the integrated Windows authentication is not recommended. If you decide to use it anyway, ensure that your environment supports Windows authentication.

For connecting through an application server:

  • Application server URL

  • Synchronization user's password

Connection credentials for the work database

  • Database server

  • Database name

  • SQL login and password

  • Specifies whether integrated Windows authentication is used

    Use of the integrated Windows authentication is not recommended. If you decide to use it anyway, ensure that your environment supports Windows authentication.

Synchronization server

All One Identity Manager Service actions are run against the target system environment on the synchronization server. Data entries required for synchronization and administration with the One Identity Manager database are processed by the synchronization server.

Installed components:

  • One Identity Manager Service (started)

The synchronization server must be declared as a Job server in One Identity Manager. The Job server name is required.

For more information, see Setting up the synchronization server.

Remote connection server

To configure synchronization with a target system, One Identity Manager must load the data from the target system. One Identity Manager communicates directly with the target system to do this. Sometimes direct access from the workstation, on which the Synchronization Editor is installed, is not possible. For example, because of the firewall configuration or the workstation does not fulfill the necessary hardware and software requirements. If direct access is not possible from the workstation, you can set up a remote connection.

Remote connection server configuration:

  • One Identity Manager Service is started

  • RemoteConnectPlugin is installed and an authentication method is set up

The remote connection server must be declared as a Job server in One Identity Manager. The Job server name is required.

TIP: The remote connection server requires the same configuration as the synchronization server (with regard to the installed software and entitlements). Use the synchronization server as remote connection server as well by installing the RemoteConnectPlugin.

For more detailed information about setting up a remote connection, see the One Identity Manager Target System Synchronization Reference Guide.

Detailed information about this topic

Creating a synchronization project for the system synchronization

NOTE: Exactly one synchronization project for system synchronization can be created for a work database.

There is a wizard to assist you with setting up a synchronization project. This wizard takes you through all the steps you need to set up initial synchronization with a target system. Click Next once you have entered all the data for a step.

NOTE: The following sequence describes how to configure a synchronization project if the Synchronization Editor is both:

  • Run in default mode

  • Started from the Launchpad

If you run the project wizard in expert mode or directly from the Synchronization Editor, additional configuration settings can be made. Follow the project wizard instructions through these steps.

To set up a synchronization project

  1. Start the Launchpad and log in on the One Identity Manager database.

    NOTE: If synchronization is run by an application server, connect the database through the application server.

  2. In the Installation overview > Data synchronization section, select the One Identity Manager connector and click Run.

    This starts the Synchronization Editor's project wizard.

  1. On the wizard's start page, click Next.

  2. On the System access page, specify how One Identity Manager can access the target system.

    • If access is possible from the workstation on which you started the Synchronization Editor, do not change any settings.

    • If access is not possible from the workstation on which you started the Synchronization Editor, you can set up a remote connection.

      Select the Connect using remote connection server and enter the remote connection properties.

  • Click Next to start the system connection wizard to create a connection to a One Identity Manager database.

  1. Select the database system to which you want to connect on the Select database system page.

    • Direct database connection: Specifies whether to connect directly to the central database.

    • Application server: Specifies whether the central database should be connected through an application server.

      Set this option if modules other than in the work database are installed in the central database, or if the central database is running with an older version of One Identity Manager.

    • Use application server REST API: Specifies whether to use the application server's REST API for communicating with the central database.

      IMPORTANT: Enable this option if the central database is operated with an older version of One Identity Manager.

      NOTES: The REST API cannot process virtual schema properties with the Translator property type. If schema properties like this are mapped, synchronization stops.

  2. On the Connection parameters page, enter the database credentials for the central database.

    • Enter the following data connecting directly to the database:

      • Server: Database server.

      • Windows authentication: (Optional) Specifies whether the integrated Windows authentication is used. This type of authentication is not recommended. If you decide to use it anyway, ensure that your environment supports Windows authentication.

      • User: User's SQL login name.

      • Password: Password for the SQL user's login.

      • Database: List of possible databases on the database server. Select the database.

      • Encrypt communication: Specifies whether encryption is required for exchanging data between the client and server. Select the minimum encryption level. The encryption level that is actually used depends on the database server configuration. For more information, see the documentation from Microsoft.

        Permitted values are:

        • Optional: Communication is not encrypted.

        • Mandatory: Data exchange is encrypted. The Trust server certificate option, allows you to also specify whether to verify the server certificate.

        • Strict (SQL Server 2022 and Azure SQL): The data exchange is encrypted.  The server certificate is always verified.

      • Trust server certificate: If this option is enabled, the data exchange between the client and server is encrypted. However, the server certificate is not verified.

    • To connect through an application server, enter the URL and Synchronization user password.

    • To enter additional information about the database connection, click Advanced options.

    • Click Test.

  3. Enter the private key for encrypting the database on the Encryption page.

  4. On the Additional settings page, you define additional settings to customize the behavior of the connector.

    • Try to ignore data errors: Specifies whether objects with erroneous data should be synchronized with the central database.

      By default, objects with incorrect data are not synchronized. These objects can be synchronized once the data has been corrected. In certain situations, however, it might be necessary to synchronize objects like these and ignore the data properties that have errors.

      IMPORTANT: If data errors are ignored, performance will be affected. Synchronization can also lead to data loss. Only set this option in the exceptional circumstance of not being able to correct the data before synchronization.

      NOTE:

      • The option cannot be enabled if the REST API of the application server is used.

      • Default columns, such as primary keys, UID columns, or mandatory input columns cannot be ignored.

  5. On the last page of the system connection wizard, you can save the connection data.

    • Set the Save connection locally option to save the connection data. This can be reused when you set up other synchronization projects.
    • Click Finish, to end the system connection wizard and return to the project wizard.
  1. On the One Identity Manager Connection tab, test the data for connecting to the One Identity Manager database. The data is loaded from the connected database. Reenter the password.

    NOTE:

    • If you use an unencrypted One Identity Manager database and have not yet saved any synchronization projects to the database, you need to enter all connection data again.

    • This page is not shown if a synchronization project already exists.

  2. The wizard loads the target system schema. This may take a few minutes depending on the type of target system access and the size of the target system.

  1. On the Select project template page, select a project template to use for setting up the synchronization configuration.

    • Select AutomaticOne Identity Manager synchronization.

  1. To close the project wizard, click Finish.
  2. Save the synchronization project in the database.

Only the connection credentials for the connected systems may be changed manually in a generated synchronization project.

Related topics
Related Documents

The document was helpful.

Seleziona valutazione

I easily found the information I needed.

Seleziona valutazione