
Identity Manager 8.1.4 - Target System Synchronization Reference Guide


Detecting rogue modifications

To map individual schema properties, it can be necessary to declare one of the connected systems as the data master. The property mapping rules for these schema properties then all have the same direction of mapping. If editing these schema properties is not technically restricted in any of the connected systems, their values can also be changed in a system that is not the data master.

If the direction of synchronization matches the direction of mapping, such changes are overwritten by the next synchronization.

If the direction of synchronization is opposite to the direction of mapping, the property mapping rules are not executed, so the data becomes inconsistent and synchronization cannot correct it. Changes like this are considered "rogue modifications". Here, a modification is any difference between the object properties of the connected systems, irrespective of the system in which the object was actually modified.

Synchronization can identify (rogue detection), log, and correct (rogue correction) rogue modifications. You can configure the respective behavior in the property mapping rules.

Prerequisites
  • The direction of mapping (target system or One Identity Manager) is set in the property mapping rule.
  • The Force mapping against direction of synchronization option is not set in the property mapping rule.

To detect and log rogue modifications

  • Set the Detect rogue modifications option in the property mapping rule.

To correct rogue modifications

  • In addition, set the Correct rogue modifications option in the property mapping rule.
NOTE: Rogue modifications can only be corrected if there is write access to the schema property being corrected.

Synchronization Sequence with Modification Detection

  1. A property mapping rule is detected whose mapping direction is opposite to the actual direction of synchronization.

  2. If Detect rogue modifications is set, One Identity Manager checks the object of the connected system for rogue modifications. Rogue modifications are logged.

    The log can be evaluated after synchronization. For more information, see Synchronization analysis.

  3. If the Correct rogue modifications option is set, One Identity Manager executes the property mapping rule. The object property in the connected system is overwritten with the value from the data master.

NOTE: Rogue modifications are also handled when object modifications are provisioned.

Modification detection is useful when both a synchronization workflow and a provisioning workflow are configured, that is, the direction of synchronization is One Identity Manager while, for certain schema properties, the direction of mapping is the target system. In this case, only changes made to those schema properties in the target system are detected as rogue modifications.

Example

The synchronization direction One Identity Manager is specified for synchronizing Active Directory groups. The groups and their properties are created, edited, and deleted in Active Directory. Only the group’s account manager is going to be assigned and changed in One Identity Manager.

Table 26: Synchronization Configuration

Configuration Setting                             Value
Direction of synchronization:                     To One Identity Manager
Property mapping rule for schema properties:      ADSGroup.ObjectKeyManager - Group.name of manager
Mapping direction:                                To the target system
Detect rogue modifications:                       Set
Correct rogue modifications:                      Set

Synchronization adds new groups in One Identity Manager. An account manager is assigned in One Identity Manager. This modification is provisioned in the target system.

There is no technical restriction on editing the account manager in the target system. If the account manager is changed in Active Directory, there is a discrepancy in the data, that is, a rogue modification. This change is detected, logged, and reverted by the next synchronization: the property mapping rule is executed and the value in the target system is overwritten with the value from the One Identity Manager database.

It may make sense to combine modification detection with the Ignore mapping direction restrictions on adding option. Take the example above: a new group is added in Active Directory, and an account manager is assigned to it there right away.

By synchronizing, the group is added in One Identity Manager but the account manager remains empty because the property mapping rule is not executed.

Before an account manager is assigned in One Identity Manager, Active Directory is synchronized again. This detects a rogue modification (empty value in the database, account manager assigned in the target system). As a result, the value in the target system is corrected, which deletes the account manager.

To avoid such situations, set the Ignore mapping direction restrictions on adding option. This means, the property mapping rule for the account manager is executed when the group is added and the account manager is assigned in the database. The subsequent synchronization does not detect a rogue modification because the account manager is identical in both systems.

To execute a property mapping rule on adding

  • Set the Ignore mapping direction restrictions on adding option in the property mapping rule.
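The synchronization sequence above and the account manager example, as an added Python model that is not part of the original guide and not One Identity Manager's own code. It implements the decision sequence for a property mapping rule whose mapping direction is opposite to the direction of synchronization (rule not executed, rogue detection and correction) and goes slightly beyond the text by handling both synchronization directions, so that provisioning is modelled as a synchronization towards the target system. The class, function and sample names (PropertyMappingRule, run_sync, the scenario functions, the manager names "alice" and "mallory") are assumptions for illustration, not One Identity Manager API names.

```python
"""Model of rogue modification detection and correction in a synchronization step.

Added example, not One Identity Manager code.  It follows the decision sequence
described under "Synchronization Sequence with Modification Detection" and the
Active Directory group example (Table 26).  All class, function and property
names are assumptions for illustration, not One Identity Manager API names.
"""
from dataclasses import dataclass

TARGET = "target system"          # direction: towards the target system
ONEIM = "One Identity Manager"    # direction: towards One Identity Manager


@dataclass
class PropertyMappingRule:
    target_property: str                    # schema property in the target system
    oneim_property: str                     # schema property in One Identity Manager
    mapping_direction: str                  # TARGET means One Identity Manager is the data master
    detect_rogue: bool = False              # "Detect rogue modifications"
    correct_rogue: bool = False             # "Correct rogue modifications"
    force_against_sync: bool = False        # "Force mapping against direction of synchronization"
    ignore_direction_on_add: bool = False   # "Ignore mapping direction restrictions on adding"
    writable: bool = True                   # write access to the property being corrected


def run_sync(sync_direction, rules, target_obj, oneim_obj, log):
    """Synchronize one object pair; return the updated (target_obj, oneim_obj).

    oneim_obj is None when the object exists only in the target system and is
    added by a synchronization towards One Identity Manager.  Detected rogue
    modifications are appended to `log` as (property, value found, master value).
    """
    target_obj = dict(target_obj)
    adding = oneim_obj is None
    if adding and sync_direction != ONEIM:
        raise ValueError("objects are only added when synchronizing towards One Identity Manager")
    oneim_obj = {} if adding else dict(oneim_obj)

    for rule in rules:
        # On adding, the "ignore ... on adding" option lets the rule run in the
        # direction of synchronization regardless of its mapping direction.
        effective = sync_direction if (adding and rule.ignore_direction_on_add) else rule.mapping_direction
        if effective == TARGET:
            src, src_key, dst, dst_key = oneim_obj, rule.oneim_property, target_obj, rule.target_property
        else:
            src, src_key, dst, dst_key = target_obj, rule.target_property, oneim_obj, rule.oneim_property

        if effective == sync_direction or rule.force_against_sync:
            # Directions agree: the rule is executed and any deviation in the
            # non-master system is simply overwritten.
            dst[dst_key] = src.get(src_key)
            continue

        # Directions are opposite: the rule is not executed, so a difference
        # persists unless rogue detection handles it.  A freshly added object
        # has nothing to compare yet; detection starts with the next run.
        if adding or not rule.detect_rogue:
            continue
        master_value, found = src.get(src_key), dst.get(dst_key)
        if master_value != found:
            log.append((dst_key, found, master_value))     # rogue detection: logged
            if rule.correct_rogue and rule.writable:        # rogue correction
                dst[dst_key] = master_value
    return target_obj, oneim_obj


# Rule from Table 26: ADSGroup.ObjectKeyManager - Group.name of manager, mapped
# to the target system, with detection and correction set.
ACCOUNT_MANAGER_RULE = dict(target_property="ObjectKeyManager", oneim_property="name of manager",
                            mapping_direction=TARGET, detect_rogue=True, correct_rogue=True)


def rogue_change_scenario():
    """Manager assigned in the database, provisioned to AD, then changed in AD."""
    rule, log = PropertyMappingRule(**ACCOUNT_MANAGER_RULE), []
    ad = {"ObjectKeyManager": None}                    # constructed sample group in AD
    ad, db = run_sync(ONEIM, [rule], ad, None, log)    # group added in the database
    db["name of manager"] = "alice"                    # assigned in One Identity Manager
    ad, db = run_sync(TARGET, [rule], ad, db, log)     # provisioned to the target system
    ad["ObjectKeyManager"] = "mallory"                 # edited directly in Active Directory
    ad, db = run_sync(ONEIM, [rule], ad, db, log)      # next synchronization reverts it
    return ad["ObjectKeyManager"], list(log)


def new_group_scenario(ignore_on_add):
    """Group created in AD with a manager and synchronized twice before anyone
    assigns a manager in the database; shows the effect of the adding option."""
    rule = PropertyMappingRule(**ACCOUNT_MANAGER_RULE, ignore_direction_on_add=ignore_on_add)
    log = []
    ad = {"ObjectKeyManager": "alice"}                 # constructed sample group in AD
    ad, db = run_sync(ONEIM, [rule], ad, None, log)    # first synchronization adds the group
    ad, db = run_sync(ONEIM, [rule], ad, db, log)      # second synchronization
    return ad["ObjectKeyManager"], db.get("name of manager"), list(log)
```

Running `new_group_scenario(False)` reproduces the failure mode from the text: the second synchronization logs the manager set in Active Directory as a rogue modification and clears it, because the empty database value is the master. With `new_group_scenario(True)` the rule is executed on adding, both systems hold the same manager, and nothing is logged. `rogue_change_scenario()` shows the intended case, where a change made directly in Active Directory is logged and reverted to the database value.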

Synchronizing user data with different systems

The user data and permissions managed by One Identity Manager may come from different systems. For example, SAP R/3 user accounts are managed in One Identity Manager, while the associated employee data is imported into the database through the CSV connector from another system.

The CSV import may modify objects that came from another target system through synchronization. For example, the first and last names of an SAP user account change when the first and last names of an employee change through the CSV import. Such changes to the SAP user account should be provisioned in SAP R/3 immediately. In the following, the systems connected through synchronization are called "primary systems" and the systems whose data is imported with the CSV connector "secondary systems".

Figure 12: Example of synchronizing user data with different systems

In the synchronization steps you can specify whether the data comes from a secondary system. In that case, changes are provisioned in the primary system immediately, that is, during the synchronization itself. Conversely, the provisioning process should not be started while a primary system is being synchronized.

To configure immediate provisioning when synchronizing a secondary system

  1. Open the synchronization project for the secondary system.

    For more information, see How to edit a synchronization project.

  2. Edit the synchronization step properties.

    Set the Import data option on the General tab.

    For more information, see How to edit synchronization steps.

NOTE: To prevent immediate provisioning while a primary system is being synchronized, open the primary system's synchronization project and disable the Import data option in the synchronization step.

The session variable FullSync=FALSE is set if the Import data option is enabled; if the option is disabled, FullSync=TRUE is set. Some processes, scripts, and templates in the One Identity Manager database are only executed when FullSync=FALSE, that is, only while synchronizing with a secondary system. When a primary system is synchronized, these processes, scripts, and templates are skipped.

Deleting objects in One Identity Manager

There are two options for using synchronization to delete objects from One Identity Manager that no longer exist in the target system.

  1. The objects are deleted immediately on synchronization.

    You can view the synchronization log to see which objects have been deleted.

    NOTE: Memberships that exist based on an inheritance cannot be deleted immediately. They are always marked as outstanding.
  2. The objects are marked as outstanding by synchronization.

    Outstanding objects must be post-processed separately in One Identity Manager. During post-processing they can either be deleted or published in the target system. This prevents objects from being deleted because of an incorrect data situation or an incorrect synchronization configuration.

    Outstanding objects:

    • Cannot be edited in One Identity Manager.

    • Are ignored by subsequent synchronizations.

    • Are ignored by inheritance calculations.

    This means, all memberships and assignments remain intact until the outstanding objects have been processed.

To delete objects immediately in One Identity Manager

  1. Edit the synchronization step properties.

    For more information, see How to edit synchronization steps.

  2. Select the Processing tab.
  3. Specify the processing method. Select the following option:

     For synchronization from the target system to One Identity Manager    Processing method (technical name)
     Objects that are only found in One Identity Manager:                  Delete

To mark objects as outstanding in One Identity Manager

  1. Edit the synchronization step properties.

    For more information, see How to edit synchronization steps.

  2. Select the Processing tab.
  3. Specify the processing method. Select the following option:

     For synchronization from the target system to One Identity Manager    Processing method (technical name)
     Objects that are only found in One Identity Manager:                  MarkAsOutstanding

Outstanding objects cannot be edited in One Identity Manager until they have been verified. They are ignored by every subsequent synchronization.

To delete outstanding objects in the One Identity Manager

  1. Start the Manager.
  2. Select the <target system type> | Target system synchronization: <target system type> | <table> category.
  3. Select the objects you want to delete. Multi-select is possible.
  4. Click the delete button.
  5. Confirm the security prompt with Yes.

    The selected objects are immediately deleted from the One Identity Manager database. Deferred deletion is not taken into account. The "outstanding" label is removed from the objects.
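The two processing methods and the handling of outstanding objects described in this section, as an added Python model that is not part of the original guide and not One Identity Manager's own code. It shows the practical difference between Delete and MarkAsOutstanding when a synchronization returns fewer objects than really exist (for example because of a wrong scope), that inherited memberships are only ever marked as outstanding, that outstanding objects are neither editable nor touched by later synchronizations, and how post-processing resolves them. The class, function and sample object names (DbObject, Database, sync_from_target, post_process, the group keys) are assumptions for illustration.

```python
"""Model of the two processing methods for objects found only in One Identity Manager.

Added example, not One Identity Manager code.  It models the behaviour the
page describes for the processing methods Delete and MarkAsOutstanding and
shows why MarkAsOutstanding is the safer choice when a synchronization returns
fewer objects than really exist (for example because of a wrong scope).  Class,
function and sample object names are assumptions for illustration.
"""
from dataclasses import dataclass, field

DELETE, MARK_AS_OUTSTANDING = "Delete", "MarkAsOutstanding"


@dataclass
class DbObject:
    key: str
    outstanding: bool = False
    inherited: bool = False       # membership that exists only through inheritance
    note: str = ""                # an editable attribute for the edit check below


@dataclass
class Database:
    objects: dict = field(default_factory=dict)
    deleted: list = field(default_factory=list)   # what the synchronization log would show


def sync_from_target(db, target_keys, method):
    """One synchronization step towards One Identity Manager.

    target_keys are the keys the connector read from the target system.  Returns
    [(key, action)] for objects handled as "only found in One Identity Manager";
    objects present in both systems need no handling in this model.
    """
    target_keys, handled = set(target_keys), []
    for key, obj in list(db.objects.items()):
        if obj.outstanding or key in target_keys:
            continue   # outstanding objects are ignored by every further synchronization
        if method == DELETE and not obj.inherited:
            del db.objects[key]
            db.deleted.append(key)
            handled.append((key, "deleted"))
        else:
            # MarkAsOutstanding, or an inherited membership, which is never
            # deleted immediately and is always marked as outstanding instead.
            obj.outstanding = True
            handled.append((key, "outstanding"))
    return handled


def edit(db, key, **changes):
    """Edits in One Identity Manager are blocked while an object is outstanding."""
    obj = db.objects[key]
    if obj.outstanding:
        raise PermissionError(f"{key} is outstanding and must be post-processed first")
    for name, value in changes.items():
        setattr(obj, name, value)


def post_process(db, key, action):
    """Manual handling of an outstanding object in the Manager: 'delete' removes
    it at once (deferred deletion is not applied); 'publish' drops the label so
    the object is regular data again and can be provisioned to the target."""
    obj = db.objects[key]
    if not obj.outstanding:
        raise ValueError(f"{key} is not outstanding")
    if action == "delete":
        del db.objects[key]
        db.deleted.append(key)
    elif action == "publish":
        obj.outstanding = False
    else:
        raise ValueError(action)


def bad_scope_scenario(method):
    """Constructed sample: three groups and one inherited membership exist in the
    database, but a misconfigured scope makes the connector return no objects."""
    db = Database({k: DbObject(k) for k in ("g-finance", "g-hr", "g-it")})
    db.objects["m-it-inherited"] = DbObject("m-it-inherited", inherited=True)
    first = sync_from_target(db, [], method)
    # Scope fixed and everything visible again: outstanding objects stay ignored.
    second = sync_from_target(db, ["g-finance", "g-hr", "g-it", "m-it-inherited"], method)
    return sorted(db.objects), sorted(first), second


def recover_outstanding():
    """Post-process outstanding objects: keep one by publishing, drop the other."""
    db = Database({k: DbObject(k) for k in ("g-finance", "g-hr")})
    sync_from_target(db, [], MARK_AS_OUTSTANDING)
    try:
        edit(db, "g-finance", note="renamed")
        blocked = False
    except PermissionError:
        blocked = True
    post_process(db, "g-finance", "publish")   # still needed: will be provisioned again
    post_process(db, "g-hr", "delete")         # really gone from the target: delete it
    edit(db, "g-finance", note="renamed")      # editable again once verified
    return blocked, sorted(db.objects), db.deleted
```

With `bad_scope_scenario(DELETE)` the three groups are gone after the first run and only the inherited membership survives as outstanding; with `bad_scope_scenario(MARK_AS_OUTSTANDING)` every object is still in the database and can be published once the configuration error is fixed. In both cases the second run, even with the scope corrected, does nothing to the outstanding objects, which is why they have to be post-processed in the Manager as `recover_outstanding()` shows.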

How to remove unnecessary project data

All the schema data (schema types and schema properties) of the target system schema and the One Identity Manager schema are available while you are editing a synchronization project. Only a part of this data is actually needed for configuring synchronization. Once a synchronization project is complete, the schema is shrunk to remove unnecessary data from the synchronization project. This can speed up loading of the synchronization project.

  • Activating the Synchronization Project

    Unnecessary schema data is automatically removed from the synchronization project on activation.

  • Shrink schema
    1. Schemas are shrunk when the synchronization project is saved for the first time.
    2. Each time the system is connected, you have the option to shrink the schema.

      All the schema types that are not currently in use are displayed in a dialog. You can remove them from the synchronization project, or select the schema types that should remain available for later use.

To shrink the system connection schema

  1. Select Configuration | Target system.

    - OR -

    Select Configuration | One Identity Manager connection.

  2. Click Shrink schema... in the General view.
  3. Mark all the schema types that should not be removed.

    These schema types remain there and can still be used in the synchronization configuration.

  4. Click OK.

You can add the deleted schema data back into the synchronization project again later. To do this you must update the respective schema.
