
Active Roles 8.0 LTS - Synchronization Service Administration Guide


Scenario 6: Enabling Delta Sync mode between One Identity Manager Custom Target Systems and an Active Directory domain


In Delta processing mode, Synchronization Service synchronizes identities between the source and target systems only for the data that has changed in the source and target connected systems since their last synchronization.

This scenario describes how to enable the delta processing mode between the source (Active Directory domain) and target (One Identity Manager) systems.

To enable the delta processing mode:

  1. Step 1: Create a sync workflow for provisioning data synchronization between the source (Active Directory) and target (One Identity Manager) system.
  2. Step 2: Add a creating step for the workflow to provision users from the source system to the target system.
  3. Click the synchronization step for provisioning users.
  4. In the General Options tab, specify the delta process mode:
    1. Under Source Connected System, select the option Process delta from last run.
    2. Under Target Connected System, select the option Process delta from last run.
  5. Click Save and continue.

    NOTE: Before any data has been processed from the source to the target system, the initial synchronization of data is always performed in the Process all delta mode.

  6. Step 3: Run the configured creating step.

    The data for the users added to or updated in the source since the previous run is displayed under Processed Objects.

 

Example of using the Generic SCIM Connector for data synchronization

Once you have configured a connection with the Generic SCIM Connector as described in Configuring the Generic SCIM Connector for Starling Connect connections, you can configure import-based data synchronization tasks to import data from the SCIM-based SuccessFactors HR and ServiceNow connectors of Starling Connect to another target system supported by Active Roles Synchronization Service.

Creating such a SCIM-based synchronization workflow has two main steps:

  1. Mapping objects by configuring one or more mapping pairs and mapping rules. By mapping objects, you can specify logic checks by which Active Roles Synchronization Service can identify if two data entries stored in two separate databases are the same or not.

    • With mapping pairs, you can establish a relationship between object types in two connected systems.

    • With mapping rules, you can define the conditions on how the objects specified in the mapping pair will be mapped during synchronization.

    Example: Mapping objects by user ID

    You can use object mapping, for example, to identify the same data entries between a SuccessFactors HR database (connected to Active Roles via a Generic SCIM Connector connection) and an SQL server (connected to Active Roles Synchronization Service via a Microsoft SQL Server Connector).

    To do so, you can set up a mapping that compares the User ID value of the data entries in the two systems. If the data entries in the two systems share the same User ID, Active Roles will consider them the same.

    For more information on object mapping, see Mapping objects. For an example mapping procedure using the Generic SCIM Connector, see Creating object mapping between a SCIM connection and an SQL connection.

  2. Setting up a synchronization workflow based on the configured object mapping, so that you can automate creating, removing or deprovisioning specific data entries between the connected systems.

    For more information on synchronization workflows, see Getting started with identity data synchronization. For an example workflow configuration procedure using the Generic SCIM Connector, see Creating a synchronization workflow for synchronizing data from a SCIM-based Starling Connect connector.

The following chapters provide an example of setting up a synchronization workflow that imports data from a SuccessFactors HR database via a Generic SCIM Connector connection, and synchronizes that data to an SQL database.

Creating object mapping between a SCIM connection and an SQL connection

Once you have configured a connection with the Generic SCIM Connector as described in Configuring the Generic SCIM Connector for Starling Connect connections, you can configure import-based data synchronization tasks to import data from the SCIM-based SuccessFactors HR and ServiceNow connectors of Starling Connect to another target system supported by Active Roles Synchronization Service.

The first step of creating this synchronization is mapping objects between the SCIM-based source system and a target system, so that Active Roles Synchronization Service can detect identical data entries between the two systems for proper data synchronization.

By mapping objects, you can specify logic checks by which Active Roles Synchronization Service can identify if two data entries stored in two separate databases are the same or not.

  • With mapping pairs, you can establish a relationship between object types in two connected systems.

  • With mapping rules, you can define the conditions on how the objects specified in the mapping pair will be mapped during synchronization.

The following example procedures show how to create a mapping pair and a mapping rule between:

  • A SuccessFactors HR database connected to Active Roles Synchronization Service with the Generic SCIM Connector. The SuccessFactors HR database will be the source system from which Active Roles Synchronization Service imports the data.

  • An SQL database connected to Active Roles Synchronization Service with the Microsoft SQL Server Connector. The SQL database will act as the target system to which Active Roles Synchronization Service will synchronize the SuccessFactors HR data.

Prerequisites

You can perform the following procedures only if Active Roles Synchronization Service already contains the following working connectors:

To configure a mapping pair between a SuccessFactors HR database and an SQL database

  1. In the Active Roles Synchronization Service Console, navigate to Mapping, then click the SCIM Connection to SuccessFactors HR connection.

    Figure 16: Active Roles Synchronization Service – Selecting a connector for mapping objects

  2. To start configuring a new object mapping with the Add mapping pair dialog, click Add mapping pair.

  3. In the Specify source step, under Connected system object type, select the resource object type you want the object mapping to check. In this example, we are using the Employees data entry of the SuccessFactors HR database, so click Select, then in the Select Object Type step, select Employees.

    TIP: If the data entry is hard to find due to the length of the list, use the Filter by name field to find it quicker.

    To apply your selection, click OK, then Next.

  4. In the Specify target step, under Target connected system, configure the target system where the other resource object type is located. To do so, click Specify, and in the Add Connected System Wizard, select the Select existing connected system option, then the connector of the SQL server (in this example, SQL Connection). To apply your selection, click Finish.

  5. Under Connected system object type, select sql-Object.

  6. To create the mapping pair, click Finish.

  7. (Optional) If needed, you can configure additional mapping pairs as well for your synchronization workflow. To do so, click Add mapping pair again, and repeat the procedure. This example procedure uses only one mapping pair.

Once the mapping pair is created, you can configure its associated mapping rule.

To configure a mapping rule between a SuccessFactors HR database and an SQL database

  1. In the Active Roles Synchronization Service Console, navigate to Mapping, then click the SCIM Connection to SuccessFactors HR connection.

  2. The previously configured mapping pair appears. To open the available mapping pair settings, click the Employees object type in the mapping pair.

    Figure 17: Active Roles Synchronization Service – Mapping pair in a configured SCIM connection

  3. To start configuring a new mapping rule, in the Mapping pair window, click Add mapping rule.

  4. In the Define Mapping Rule window, specify the source and target resource object types that must be equal so that Active Roles Synchronization Service can map the data pairs. In this example, we are using the UserID attribute for this purpose both in the SuccessFactors HR database and in the SQL database as well.

    Therefore, at the Value generated for SCIM Connection to SuccessFactors HR by using field, click Attribute, then in the Select attribute window, select userId. This adds the userId object value to both the source and target fields.

    TIP: If the data entry is hard to find due to the length of the list, use the Filter by name field to find it quicker.

  5. To finish adding the mapping rule, click OK.

    Figure 18: Active Roles Synchronization Service – Mapping rule in a configured SCIM mapping pair

  6. To start the mapping synchronization based on the configured value pair of the mapping rule, click Map now. Active Roles Synchronization Service offers two mapping types:

    • Quick Map, using local cached data to speed up the mapping process.

    • Full Map, retrieving data from the source and target data system for accuracy.

    As this is the first time this mapping is run, perform a Full Map.

Once the mapping rule finishes running successfully, it will indicate the unmapped, changed and mapped objects, along with the objects that do not meet the scope conditions of the configured mapping rule.

Creating a synchronization workflow for synchronizing data from a SCIM-based Starling Connect connector

Once you have configured a connection with the Generic SCIM Connector as described in Configuring the Generic SCIM Connector for Starling Connect connections, you can configure import-based data synchronization tasks to import data from the SCIM-based SuccessFactors HR and ServiceNow connectors of Starling Connect to another target system supported by Active Roles Synchronization Service.

The second step of creating this synchronization task is setting up a synchronization workflow based on the object mapping configured in Creating object mapping between a SCIM connection and an SQL connection. By configuring a workflow, you can automate creating, removing or deprovisioning specific data entries between the connected systems.

The following example procedure shows how to create a workflow that creates and updates data synchronization between:

  • A SuccessFactors HR database connected to Active Roles Synchronization Service with the Generic SCIM Connector. The SuccessFactors HR database will be the source system from which Active Roles Synchronization Service imports the data.

  • An SQL database connected to Active Roles Synchronization Service with the Microsoft SQL Server Connector. The SQL database will act as the target system to which Active Roles Synchronization Service will synchronize the SuccessFactors HR data.

Prerequisites

Before performing the procedure, make sure that the following conditions are met:

To configure a data synchronization workflow between a SuccessFactors HR database and an SQL database

  1. In the Active Roles Synchronization Service Console, click Sync Workflows > Add sync workflow.

    Figure 19: Active Roles Synchronization Service – Adding a new synchronization workflow

  2. In the Sync workflow name step, name the workflow (for example, SuccessFactors HR to SQL Server), then click OK.

    The new workflow then appears in the Sync Workflows tab.

  3. Configure a data synchronization creation step for the workflow. To do so, in Sync Workflows, click the name of the workflow (in this example, SuccessFactors HR to SQL Server), then click Add synchronization step.

    Figure 20: Active Roles Synchronization Service – Adding a new synchronization step

  4. In the Select an action step, select Creation, then click Next.

    The Creation step of the workflow will be used to create the synchronized data entries of the SuccessFactors HR database in the target SQL database. The Creation step performs data synchronization only for data entries that do not exist in the target system. Because of this, you typically run this step only once.

  5. In the Specify source and criteria step, configure the following settings:

    • Source connected system: Specify the SuccessFactors HR database connection here, created with the Generic SCIM Connector. To do so, click Specify > Select existing connected system, then select the SCIM-based connection (in this example, SCIM Connection to SuccessFactors HR).

    • Source object type: Specify the source object type here (in this example, the Employees object type). To do so, click Select, then in the Select Object Type window, select Employees, and click OK.

      TIP: If the data entry is hard to find due to the length of the list, use the Filter by name field to find it quicker.

    • (Optional) Creation Criteria: Specify additional conditions that the specified source object(s) must meet for synchronization in this workflow step. This setting is not used in this example.

  6. In the Specify target step, configure the following settings:

    • Target connected system: Specify the SQL server connection here, created with the Microsoft SQL Server Connector. To do so, click Specify > Select existing connected system, then select the SQL server connection (in this example, SQL Connection).

    • Target object type: Specify the target object type here. By default, when selecting an SQL server connection in Target connected system, Active Roles Synchronization Service sets this setting to sql-Object, the object type used in this example.

  7. In the Specify creation rules step, configure the logic (called forward synchronization rules) that Active Roles Synchronization Service will use to perform first-time synchronization and copy data entries from the SuccessFactors HR database over to the target SQL database.

    To do so, specify one or more unique attributes that Active Roles Synchronization Service can use to link the corresponding data entries in the connected SuccessFactors HR and SQL data systems. In this example, four such SuccessFactors HR attributes are specified: userName, userId, emails.value and name.familyName.

    To specify these creation rules:

    1. Click Forward Sync Rule.

    2. Click Source item > Attribute, and in the Select Object Attribute window, search for the user name attribute in the SuccessFactors HR database (for example, userName), then click OK.

      TIP: If the data entry is hard to find due to the length of the list, use the Filter by name field to find it quicker.

    3. Click Target item > Attribute, and search for the applicable user name attribute pair in the SQL database (for example, userName), then click OK.

      TIP: If the data entry is hard to find due to the length of the list, use the Filter by name field to find it quicker.

      Figure 21: Active Roles Synchronization Service – Mapping attributes for a forward synchronization rule

    4. To apply the forward synchronization rule created for the specified user name attributes, click OK.

    5. To configure synchronization rules for the userId, emails.value and name.familyName SuccessFactors HR data entries too, click Forward Sync Rule again, and repeat the previous sub-steps by selecting the source and target attributes applicable to these data entries.

  8. Once all forward synchronization rules are configured, to finish configuring the Creation step, click Finish.

    Figure 22: Active Roles Synchronization Service – Finalizing all forward synchronization rules

    This creates the Creation step as the first step of the synchronization workflow.

    Figure 23: Active Roles Synchronization Service – Step 1 created for the SuccessFactors HR / SQL server workflow

  9. Now that the Creation step of the workflow is configured, configure the Update step. To do so, click Add synchronization step again.

    The Update step of the workflow will be used to update existing data entries mapped between the SuccessFactors HR database and the target SQL database. The Update step performs data synchronization only for existing data entries: it does not create new ones. Because of this, you typically run this step after running the Creation step, and run only the Update step later once the data entries have been created with the Creation step.

  10. In the Select an action step, select Update, then click Next.

  11. In the Specify source and criteria step, configure the following settings:

    • Source connected system: Specify the SuccessFactors HR database connection here, created with the Generic SCIM Connector. To do so, click Specify > Select existing connected system, then select the SCIM-based connection (in this example, SCIM Connection to SuccessFactors HR).

    • Source object type: Specify the source object type here (in this example, the Employees object type). To do so, click Select, then in the Select Object Type window, select Employees, and click OK.

      TIP: If the data entry is hard to find due to the length of the list, use the Filter by name field to find it quicker.

    • (Optional) Creation Criteria: Specify additional conditions that the specified source object(s) must meet for synchronization in this workflow step. This setting is not used in this example.

  12. In the Specify target step, configure the following settings:

    • Target connected system: Specify the SQL server connection here, created with the Microsoft SQL Server Connector. To do so, click Specify > Select existing connected system, then select the SQL server connection (in this example, SQL Connection).

    • Target object type: Specify the target object type here. By default, when selecting an SQL server connection in Target connected system, Active Roles Synchronization Service sets this setting to sql-Object, the object type used in this example.

  13. In the Specify update rules step, configure the forward synchronization rules that Active Roles Synchronization Service will use to update existing data entries in the target SQL database from the SuccessFactors HR database. In this example, four such attributes are specified: userName, userId, SuccessFactors HR ID (displayed as sfid) and metadata information (displayed as meta).

    To specify these update rules:

    1. Click Forward Sync Rule.

    2. Click Source item > Attribute, and in the Select Object Attribute window, search for the user name attribute in the SuccessFactors HR database (for example, userName), then click OK.

      TIP: If the data entry is hard to find due to the length of the list, use the Filter by name field to find it quicker.

    3. Click Target item > Attribute, and search for the applicable user name attribute pair in the SQL database (for example, userName), then click OK.

      TIP: If the data entry is hard to find due to the length of the list, use the Filter by name field to find it quicker.

    4. To apply the forward synchronization rule created for the specified user name attributes, click OK.

    5. To configure synchronization rules for the user ID, sfid and meta data entries too, click Forward Sync Rule again, and repeat the previous sub-steps by selecting the source and target attributes applicable to these data entries.

  14. Once all forward synchronization rules are configured, to finish configuring the Update step, click Finish. The configured workflow will appear, containing both steps.

  15. Start the workflow by clicking Run workflow. For the first-time run, select only Step 1 (Creation from SCIM Connection to SuccessFactors HR to SQL Connection), then select the running method:

    • Full Run fetches all data entries specified in the workflow steps directly from the source system. As such, One Identity recommends using this method when running the workflow the first time, even if the process takes longer than a Quick Run.

    • Quick Run uses cached data whenever possible, and is normally faster.

    The run may take several minutes to complete.

    Figure 24: Active Roles Synchronization Service – Running a configured synchronization workflow for the first time

  16. Once Active Roles Synchronization Service has found all mapped objects, apply the synchronization changes by clicking Commit.

    Alternatively, to check detailed information about the processed objects, click the Processed objects number. The Objects processed in window then opens, listing all new data objects that Active Roles Synchronization Service will synchronize to the target SQL database.
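
The userId mapping rule and the Creation and Update steps configured above amount to a join on userId followed by a create/update split. The following Python sketch is an added example, not One Identity code: it models that logic offline on constructed records, showing which entries each step would touch and setting aside entries whose userId is empty or duplicated, because a mapping on that attribute cannot link them unambiguously. The SQL column names, the choice of the primary email value, the use of one rule set for both steps and the review bucket are assumptions of this sketch.

```python
"""Dry-run model of a userId mapping rule plus Creation/Update steps.
Added illustration only: not Active Roles code. All records are constructed."""
from collections import Counter

# Forward sync rules: SCIM attribute path -> SQL column (column names assumed).
RULES = {"userName": "userName", "userId": "userId",
         "emails.value": "email", "name.familyName": "familyName"}

def scim_get(resource, path):
    """Resolve a dotted SCIM path such as 'emails.value'. For a multi-valued
    attribute, use the entry flagged primary, otherwise the first entry."""
    node = resource
    for part in path.split("."):
        if isinstance(node, list):
            if not node:
                return None
            node = next((e for e in node if e.get("primary")), node[0])
        if not isinstance(node, dict):
            return None
        node = node.get(part)
    return node

def bad_keys(values):
    """Join-key values that occur more than once; empty values are skipped."""
    counts = Counter(v for v in values if v)
    return {k for k, n in counts.items() if n > 1}

def plan_sync(employees, sql_rows, key="userId"):
    """Split source entries into create / update / unchanged / review."""
    ambiguous = bad_keys(scim_get(e, key) for e in employees)
    ambiguous |= bad_keys(r.get(key) for r in sql_rows)
    target = {r[key]: r for r in sql_rows if r.get(key) not in ambiguous | {None, ""}}
    plan = {"create": [], "update": [], "unchanged": [], "review": []}
    seen = set()
    for emp in employees:
        uid = scim_get(emp, key)
        if not uid or uid in ambiguous:
            # No unique join key: a mapping on userId cannot be trusted here.
            plan["review"].append(emp.get("userName"))
            continue
        seen.add(uid)
        wanted = {col: scim_get(emp, path) for path, col in RULES.items()}
        row = target.get(uid)
        if row is None:
            plan["create"].append(wanted)  # Creation step: absent in target
            continue
        changes = {c: v for c, v in wanted.items() if row.get(c) != v}
        if changes:
            plan["update"].append({key: uid, "changes": changes})  # Update step
        else:
            plan["unchanged"].append(uid)
    plan["target_only"] = sorted(set(target) - seen)  # rows with no source entry
    return plan

EMPLOYEES = [  # constructed SCIM-style resources
    {"userId": "1001", "userName": "adavis", "name": {"familyName": "Davis"},
     "emails": [{"value": "a.davis@example.com", "primary": True}]},
    {"userId": "1002", "userName": "bchen", "name": {"familyName": "Chen"},
     "emails": [{"value": "b.chen@example.com"}]},
    {"userId": "1003", "userName": "cortiz", "name": {"familyName": "Ortiz"},
     "emails": [{"value": "c.ortiz@example.com"}]},
    {"userId": "", "userName": "dtemp", "name": {"familyName": "Temp"}, "emails": []},
    {"userId": "1004", "userName": "eking", "name": {"familyName": "King"}, "emails": []},
    {"userId": "1004", "userName": "eking2", "name": {"familyName": "King"}, "emails": []},
]
SQL_ROWS = [  # constructed target rows
    {"userId": "1001", "userName": "adavis", "email": "a.davis@example.com", "familyName": "Davis"},
    {"userId": "1002", "userName": "bchen", "email": "bchen@old.example.com", "familyName": "Chen"},
    {"userId": "0999", "userName": "zold", "email": None, "familyName": "Old"},
]

if __name__ == "__main__":
    for bucket, items in plan_sync(EMPLOYEES, SQL_ROWS).items():
        print(bucket, items)
```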
