To be able to successfully run system synchronization, some properties must be set on the work database. You can run the SQL queries listed here with a suitable program.
TIP: Depending on the purpose of the work database, it may be useful to adjust further settings. For example, check whether to disable templates on the synchronized columns in the work database.
Using the GUID module
The Module GUID permitted table property (DialogTable.IsModuleGUIDAllowed) must be set on all the tables you want to synchronize. To enable this option, run the following query on the central database first; it returns one update statement for each table that has the property set there. Then run the returned statements on the work database.

-- transfer customized configuration DialogTable.IsModuleGUIDAllowed from your central database
-- => manual process required
select UID_DialogTable,
       'Update DialogTable set IsModuleGUIDAllowed = 1 where IsModuleGUIDAllowed = 0 and UID_DialogTable = ''' + UID_DialogTable + ''' ' as ChangeStatement
from DialogTable
where IsModuleGUIDAllowed = 1
-- if you get a result, copy the commands and execute them in your work database
Disabling all provisioning processes
Since there are no target systems associated with the work database, the standard provisioning processes should not be run here. Run the queries for this on the work database.
The following query disables all predefined provisioning processes for the synchronized tables:

-- deactivate all predefined provisioning processes
update JobChain
set NoGenerate = 1, XDateUpdated = GETUTCDATE(), XUserUpdated = 'SysSyncInitialConfig'
from JobChain JC
join JobEventGen JEG on JEG.UID_JobChain = JC.UID_JobChain
join QBMEvent JE on JE.UID_QBMEvent = JEG.UID_QBMEvent
where
(
  JE.EventName in ('Insert', 'Update', 'Delete', 'Assign', 'Remove')
  or JC.UID_DialogTable in ('TSB-T-PersonHasTSBAccountDef', 'QER-T-PersonHasQERResource')
  -- UID_JobChain exists in both JC and JEG, so it is qualified to avoid an ambiguous column name
  or JC.UID_JobChain in ('TSB-F9E8F1B2DA86E847A254E70A572A3832','TSB-EB76885961C6404FB7BB73FC1AC83153')
)
and dbo.QBM_FCVGUIDToModuleOwner(JC.UID_JobChain) <> 'CCC'
and JC.NoGenerate = 0
The following query disables the merge mode of single membership provisioning for all assignment tables.

-- deactivate merge for provisioning (DPRMemberShipAction) for all synchronized tables
update DPRNameSpaceHasDialogTable set IsAdHocSingleMemberShip = 0, WhereClause = Null

The following query prevents the modification dates of dependent objects from being updated on assignment base tables.

-- deactivate XDateSubItem behavior for all synchronized tables
update QBMRelation set IsForUpdateXDateSubItem = 0 where UID_QBMRelation in
(
  select UID_QBMRelation from QBM_VQBMRelation r
  join DialogTable t on r.UID_DialogTableChild = t.UID_DialogTable or r.UID_DialogTableParent = t.UID_DialogTable
  where t.SystemSyncMode > 0 and r.IsForUpdateXDateSubItem = 1
)
Disabling schedules
The following query disables all schedules except custom schedules, system schedules, and schedules belonging to reports and attestation; synchronization schedules other than the system synchronization are disabled as well. Modify this query for the purposes of the work database. Run the query on the work database.

-- deactivate all not required schedules
-- allow only system and custom schedules as well as such ones belonging to reports and attestation
-- but disable all synchronization schedules except the system synchronization
update DialogSchedule
set Enabled = 0, XDateUpdated = GETUTCDATE(), XUserUpdated = 'SysSyncInitialConfig'
where Enabled = 1 and
(
  dbo.QBM_FCVGUIDToModuleOwner(UID_DialogSchedule) not in ('CCC','QBM','QER','RPS','ATT')
  or (Name like '%execution of Initial Synchronization%' and Name not like 'System Synchronization%')
)
Disabling DBQueue Processor tasks for SAP objects
Since there are no target systems associated with the work database, DBQueue Processor tasks for processing SAP objects can be disabled. Run the query on the work database.
-- disable SAP/SBW DBQueueTask for generation SAPUserMandant and SAPBWUser
update QBMDBQueueTask
set ProcedureName = 'QBM_ZDBQueueVoidTask', CountParameter = 0, MaxInstance = 1, IsBulkEnabled = 0, QueryForRecalculate = Null
where UID_Task in ('SAP-K-SAPUserMandant', 'SBW-K-SAPBWUser')
Disabling recalculation of dynamic roles
If dynamic roles are synchronized, the assignments should not be recalculated on the work database as it is possible that not all the required data is available here yet. The memberships and assignments are calculated only on the central database and transferred to the working database by synchronization.
IMPORTANT: You cannot specify a mapping direction for the DynamicGroup.IsRecalculationDeactivated column (No recalculation of assignments) in the synchronization configuration.
To prevent assignments to synchronized dynamic roles being calculated

1. In the Designer, select the One Identity Manager Schema > Tables > Table category.
2. Select the DynamicGroup table and click the Show table definition task to start the Schema Editor.
3. In the Table properties view, select the Table scripts tab.
4. In the Script (OnSaving) field, enter the following script.

   ' Mark the dynamic role as not to be recalculated when it is written by synchronization
   If CBool(Connection.Variables("Transport")) AndAlso CBool(Connection.Variables("Projector")) Then
       Base.PutValue("IsRecalculationDeactivated", 1)
   End If

5. Select Database > Save to database and click Save.

This prevents recalculation of assignments for dynamic roles that are imported into the work database by synchronization. The role memberships in effect are those calculated on the central database and synchronized to the work database.
Before you create a synchronization project for system synchronization, flag all the table and column content to synchronize.
NOTE: Selecting tables and columns
- For each table selected, specify the mapping direction for all primary key columns and mandatory columns.
- For each table selected, specify the mapping direction for the XOrigin and XIsInEffect columns.
- For each table selected with multi-column uniqueness definitions, specify the mapping direction for all columns that make up the unique group and are not populated automatically.
- If a base table and its derivatives are selected (for example, BaseTree and Department), then set the same synchronization configuration for both tables:
  - Same synchronization mode for the base table and its derivatives
  - Same columns to be mapped
  - Same mapping direction for these columns

IMPORTANT:
- If an assignment table is selected for synchronization and the Provisioning the central database synchronization mode is selected, the table's Assign by event property must be enabled for this table to generate the provisioning processes.
  If this table property is enabled after a synchronization project has been generated, then the synchronization project must be regenerated.
- If dynamic roles are synchronized, the assignments should not be recalculated on the work database as it is possible that not all the required data is available here yet. The memberships and assignments are calculated only on the central database and transferred to the working database by synchronization.
  You cannot specify a mapping direction for the DynamicGroup.IsRecalculationDeactivated column (No recalculation of assignments) in the synchronization configuration.
To select a table for system synchronization

1. In the Designer, select the One Identity Manager schema category.
2. Select the table and start the Schema Editor with the Show table definition task.
3. In the Table properties view, select the System synchronization tab.
4. Edit the following table properties:
   - Synchronization mode: Permitted synchronization directions and processing methods for this table. Set all the bit positions that apply to this table.
     Set:
     - The direction of synchronization
     - Whether to provision changes to the central database
     - Which processing methods to use for application data
     - Whether to update system data
     - Which schedule to use for synchronizing this table (start frequency)
     If neither the Start synchronization frequently nor the Start synchronization very frequently bit position is set, synchronization is started once a day (default).
   - Columns for alternative rules: Comma-delimited list of columns to be used for creating alternative object matching rules.
     If the One Identity Manager connector cannot identify a system object through the primary object matching rule, it applies the alternative rules to determine a matching system object. Enter the technical names of all the columns for which you want to generate alternative rules.
   - Columns for alternative rules: .NET class used to consider special cases when generating a synchronization project between two One Identity Manager databases.
5. Set the permitted mapping direction for all columns to be mapped.
   - Select the column in the Schema Editor and edit the column properties.
   - On the More tab, in the Mapping direction drop-down, select all permitted mapping directions.
6. Perform steps 2 to 5 for all the tables that are going to be synchronized.
7. Select Database > Save to database and click Save.
To set the mapping direction for a column

1. In the Designer, select the One Identity Manager schema category.
2. Select the table and start the Schema Editor with the Show table definition task.
3. Select the column in the Schema Editor and edit the column properties.
4. On the More tab, in the Mapping direction drop-down, select all permitted mapping directions.
5. Select Database > Save to database and click Save.
If you change the tables or columns to be synchronized after the synchronization project has been generated, the synchronization project will be updated automatically.
To set up a synchronization project for system synchronization, have the following information ready.
Table 1: Information required to set up a synchronization project

Connection credentials for the central database

For direct database connection:
- Database server
- Database name
- SQL login and password
- Specifies whether integrated Windows authentication is used
  Use of the integrated Windows authentication is not recommended. If you decide to use it anyway, ensure that your environment supports Windows authentication.

For connecting through an application server:

Connection credentials for the work database
- Database server
- Database name
- SQL login and password
- Specifies whether integrated Windows authentication is used
  Use of the integrated Windows authentication is not recommended. If you decide to use it anyway, ensure that your environment supports Windows authentication.

Synchronization server

All One Identity Manager Service actions are run against the target system environment on the synchronization server. Data entries required for synchronization and administration with the One Identity Manager database are processed by the synchronization server.
Installed components:
The synchronization server must be declared as a Job server in One Identity Manager. The Job server name is required.
For more information, see Setting up the synchronization server.

Remote connection server

To configure synchronization with a target system, One Identity Manager must load the data from the target system. One Identity Manager communicates directly with the target system to do this. Sometimes direct access from the workstation on which the Synchronization Editor is installed is not possible, for example, because of the firewall configuration or because the workstation does not meet the necessary hardware and software requirements. If direct access is not possible from the workstation, you can set up a remote connection.
Remote connection server configuration:
The remote connection server must be declared as a Job server in One Identity Manager. The Job server name is required.
TIP: The remote connection server requires the same configuration as the synchronization server (with regard to the installed software and entitlements). Use the synchronization server as remote connection server as well by installing the RemoteConnectPlugin.
For more detailed information about setting up a remote connection, see the One Identity Manager Target System Synchronization Reference Guide.
NOTE: Exactly one synchronization project for system synchronization can be created for a work database.
There is a wizard to assist you with setting up a synchronization project. This wizard takes you through all the steps you need to set up initial synchronization with a target system. Click Next once you have entered all the data for a step.
NOTE: The following sequence describes how to configure a synchronization project if the Synchronization Editor is both:
If you run the project wizard in expert mode or directly from the Synchronization Editor, additional configuration settings can be made. Follow the project wizard instructions through these steps.
To set up a synchronization project

1. Start the Launchpad and log in on the One Identity Manager database.
   NOTE: If synchronization is run by an application server, connect the database through the application server.
2. In the Installation overview > Data synchronization section, select the One Identity Manager connector and click Run.
   This starts the Synchronization Editor's project wizard.
3. On the wizard's start page, click Next.
4. On the System access page, specify how One Identity Manager can access the target system.
   - If access is possible from the workstation on which you started the Synchronization Editor, do not change any settings.
   - If access is not possible from the workstation on which you started the Synchronization Editor, you can set up a remote connection.
     Select the Connect using remote connection server option and enter the remote connection properties.
     - Access parameters
       - Server: Full server name or IP address of the server.
         To select an existing Job server as the remote connection server, click and select the server from the drop-down. This displays all the Job servers that have the One Identity Manager Service installed server function selected.
       - Port: Port that is configured for the RemoteConnectPlugin.
       - Authentication
         If SecretAuthentication is configured for the RemoteConnectPlugin:
         If ADGroupAuthentication is configured for the RemoteConnectPlugin, no data is required.
     - Options
       - Request timeout: Maximum time allowed for a server query in seconds. If the time is exceeded, the request is canceled.
       - Accept self-signed certificates: Specifies whether self-signed certificates can be accepted.
5. On the Select database system page, select the database system to which you want to connect.
   - Direct database connection: Specifies whether to connect directly to the central database.
   - Application server: Specifies whether the central database should be connected through an application server.
     Set this option if modules other than those in the work database are installed in the central database, or if the central database is running with an older version of One Identity Manager.
   - Use application server REST API: Specifies whether to use the application server's REST API for communicating with the central database.
     IMPORTANT: Enable this option if the central database is operated with an older version of One Identity Manager.
     NOTE: The REST API cannot process virtual schema properties with the Translator property type. If schema properties like this are mapped, synchronization stops.
6. On the Connection parameters page, enter the database credentials for the central database.
   - Enter the following data when connecting directly to the database:
     - Server: Database server.
     - Windows authentication: (Optional) Specifies whether the integrated Windows authentication is used. This type of authentication is not recommended. If you decide to use it anyway, ensure that your environment supports Windows authentication.
     - User: User's SQL login name.
     - Password: Password for the SQL user's login.
     - Database: List of possible databases on the database server. Select the database.
     - Encrypt communication: Specifies whether encryption is required for exchanging data between the client and server. Select the minimum encryption level. The encryption level that is actually used depends on the database server configuration. For more information, see the documentation from Microsoft.
       Permitted values are:
       - Optional: Communication is not encrypted.
       - Mandatory: Data exchange is encrypted. The Trust server certificate option additionally lets you specify whether the server certificate is verified.
       - Strict (SQL Server 2022 and Azure SQL): The data exchange is encrypted. The server certificate is always verified.
     - Trust server certificate: If this option is enabled, the data exchange between the client and server is encrypted, but the server certificate is not verified.
   - To connect through an application server, enter the URL and Synchronization user password.
   - To enter additional information about the database connection, click Advanced options.
   - Click Test.
7. On the Encryption page, enter the private key for encrypting the database.
8. On the Additional settings page, you define additional settings to customize the behavior of the connector.
   - Try to ignore data errors: Specifies whether objects with erroneous data should be synchronized with the central database.
     By default, objects with incorrect data are not synchronized. These objects can be synchronized once the data has been corrected. In certain situations, however, it might be necessary to synchronize objects like these and ignore the data properties that have errors.
     IMPORTANT: If data errors are ignored, performance will be affected. Synchronization can also lead to data loss. Only set this option in the exceptional circumstance of not being able to correct the data before synchronization.
     NOTE:
     - The option cannot be enabled if the REST API of the application server is used.
     - Default columns, such as primary keys, UID columns, or mandatory input columns, cannot be ignored.
9. On the last page of the system connection wizard, you can save the connection data.
   - Set the Save connection locally option to save the connection data. This can be reused when you set up other synchronization projects.
   - Click Finish to end the system connection wizard and return to the project wizard.
10. On the One Identity Manager Connection tab, test the data for connecting to the One Identity Manager database. The data is loaded from the connected database. Reenter the password.
    NOTE:
    - If you use an unencrypted One Identity Manager database and have not yet saved any synchronization projects to the database, you need to enter all connection data again.
    - This page is not shown if a synchronization project already exists.
11. The wizard loads the target system schema. This may take a few minutes depending on the type of target system access and the size of the target system.
12. On the Select project template page, select a project template to use for setting up the synchronization configuration.
    - To close the project wizard, click Finish.
    - Save the synchronization project in the database.
Only the connection credentials for the connected systems may be changed manually in a generated synchronization project.