To manually set up synchronization with a One Identity Manager database, follow the steps described here.
To set up synchronization manually
Provide One Identity Manager users with the required permissions for setting up synchronization and post-processing of synchronization objects.
In the synchronization with the database connectors, there are three use cases for mapping synchronization objects in the One Identity Manager data model.
Mapping custom target systems
Mapping default tables (for example Person or Department)
Mapping custom tables
In the case of non role-based login to One Identity Manager tools, it is sufficient to add one system user in the DPR_EditRights_Methods permissions group. For more information about system users and permissions groups, see the One Identity Manager Authorization and Authentication Guide.
| User | Tasks |
|---|---|
|
One Identity Manager administrators |
administrator and administrative system users Administrative system users are not added to application roles. administrators:
|
|
System users in the DPR_EditRights_Methods permissions group |
|
There are different steps required for role-based login, in order to equip One Identity Manager users with the required permissions for setting up synchronization and post-processing of synchronization objects.
| User | Tasks |
|---|---|
|
One Identity Manager administrators |
administrator and administrative system users Administrative system users are not added to application roles. administrators:
|
|
Target system administrators |
Target system administrators must be assigned to the Target systems | Administrators application role. Users with this application role:
|
|
Target system managers |
Users with this application role:
|
| User | Tasks |
|---|---|
|
One Identity Manager administrators |
administrator and administrative system users Administrative system users are not added to application roles. administrators:
|
|
Custom application role |
Users with this application role:
The application role gets its permissions through a custom permissions group and the vi_4_SYNCPROJECT_ADMIN permissions group. |
| User | Tasks |
|---|---|
|
One Identity Manager administrators |
administrator and administrative system users Administrative system users are not added to application roles. administrators:
|
|
Application roles for custom tasks |
Administrators must be assigned to the Custom | Administrators application role. Users with this application role:
|
|
Manager for custom tasks |
Managers must be assigned to the Custom | Managers application role or a child role. Users with this application role:
You can use these application roles, for example, to guarantee One Identity Manager user permissions on custom tables or columns. All application roles that you define here must obtain their permissions through custom permissions groups. The application role gets its permissions through a custom permissions group and the vi_4_SYNCPROJECT_ADMIN permissions group. |
To configure synchronization projects and target system synchronization (in the use cases 2 and 3)
Set up a custom permissions group with all permissions for configuring synchronization and editing synchronization objects.
Assign a custom application role to this permissions group.
For role-based login, create a custom application role to guarantee One Identity Manager users the necessary permissions for configuring synchronization and handling outstanding objects. This application role obtains the required permissions by using a custom permissions group.
To set up an application role for synchronization (use case 2):
In the Manager, select the default application role to use to edit the objects you want to synchronization.
Establish the application role's default permissions group.
If you want to import employee data, for example, select the Identity Management | Employees | Administrators application role. The default permissions group of this application role is vi_4_PERSONADMIN.
In the Designer, create a new permissions group .
Set the Only use for role based authentication option.
Make the new permissions group dependent on the vi_4_SYNCPROJECT_ADMIN permissions group.
Then the vi_4_SYNCPROJECT_ADMIN permissions groups must be assigned as the parent permissions group. This means that the new permissions group inherits the properties.
Make the new permissions group dependent on the default permissions group of the selected default application role.
Then the default permissions groups must be assigned as the parent permissions group. This means that the new permissions group inherits the properties.
In the Manager, create a new application role.
Assign the selected application role to be the parent application role.
Assign the newly created permissions group.
Assign employees to this application role.
To set up an application role for synchronization (use case 3):
In the Designer, create a new permissions group for custom tables that are populated by synchronization.
Set the Only use for role based authentication option.
Guarantee this permissions group all the required permissions to the custom tables.
Create another permissions group for synchronization.
Set the Only use for role based authentication option.
Make the permissions group for synchronization dependent on the permissions group for custom tables.
Then the permissions group for custom tables must be assigned as the parent permissions group. This means the permissions groups for synchronization inherits its properties.
Make the permissions group for synchronization dependent on the vi_4_SYNCPROJECT_ADMIN permissions group.
Then the vi_4_SYNCPROJECT_ADMIN permissions groups must be assigned as the parent permissions group. This means the permissions groups for synchronization inherits its properties.
In the Manager, create a new application role.
Assign the Custom | Managers application role as the parent application role.
Assign the permissions group for the synchronization.
Assign employees to this application role.
For more information about setting up application roles and permissions groups, see the One Identity Manager Authorization and Authentication Guide.
A synchronization project collects all the information required for synchronizing the One Identity Manager database with a target system. Connection data for target systems, schema types and properties, mapping, and synchronization workflows all belong to this.
Make the following information available for setting up a custom synchronization project for synchronizing with the One Identity Manager connector.
| Data | Explanation |
|---|---|
|
Synchronization server |
All One Identity Manager Service actions are run against the target system environment on the synchronization server. Data entries required for synchronization and administration with the One Identity Manager database are processed by the synchronization server. Installed components:
The synchronization server must be declared as a Job server in One Identity Manager. The Job server name is required. For more information, see Setting up the synchronization server. |
|
Remote connection server |
To configure synchronization with a target system, One Identity Manager must load the data from the target system. One Identity Manager communicates directly with the target system to do this. Sometimes direct access from the workstation, on which the Synchronization Editor is installed, is not possible. For example, because of the firewall configuration or the workstation does not fulfill the necessary hardware and software requirements. The remote connection server and the workstation must be in the same Active Directory domain. Remote connection server configuration:
The remote connection server must be declared as a Job server in One Identity Manager. The Job server name is required. TIP: The remote connection server requires the same configuration as the synchronization server (with regard to the installed software and entitlements). Use the synchronization as remote connection server at the same time, by simply installing the RemoteConnectPlugin as well. For more detailed information about setting up a remote connection, see the One Identity Manager Target System Synchronization Reference Guide. |
|
Synchronization workflow |
Set the Data import option in the synchronization step if synchronization data is imported from a secondary system. You cannot select the MarkAsOutstanding processing method for these synchronization steps. This option takes effect in both directions, meaning also for synchronization to the target system. For more detailed information about synchronizing user data with different systems, see the One Identity Manager Target System Synchronization Reference Guide. |
|
Base object |
You cannot normally specify a base object for synchronizing
|
|
Variable set |
If you implement specialized variable sets, ensure that the start up configuration and the base object use the same variable set. |
To configure synchronization with the One Identity Manager connector
Use the Synchronization Editor to create a new synchronization project.
Add mappings. Define property mapping rules and object matching rules.
Create synchronization workflows.
Create a start up configuration.
Define the synchronization scope.
Specify the base object of the synchronization.
Specify the extent of the synchronization log.
Run a consistency check.
Activate the synchronization project.
Save the new synchronization project in the database.
© ALL RIGHTS RESERVED. Feedback 이용 약관 개인정보 보호정책 Cookie Preference Center
