What is a scope?
The scope specifies which parts of the connected system should be synchronized. A scope is set for the target system to be synchronized as well as for the One Identity Manager schema. If no scope is defined, all objects in the connected system are synchronized.
Example:
Active Directory domains "xyz" and "uvw" are managed through One Identity Manager. The containers "abc", "def", and "ghi" from the Active Directory domain "xyz" should be synchronized. A scope is defined for the target system connection and the One Identity Manager database connection which filters only these objects. The Active Directory domain "uvw" should initially not be synchronized.
Figure 8: Example for scope definition
To specify a scope, define a system filter and an object filter.
Hierarchy filter
Some target systems offer an additional option to specify the scope: the hierarchy filter. This filter limits the number of objects loaded from the connected system and is therefore effectively the same as a system filter. The hierarchy filter is built from the target system's real objects, which are displayed in their hierarchical structure. All objects included in the scope are marked in the hierarchy; unmarked objects remain outside the scope and are not included in the synchronization. The hierarchy filter can only be applied to objects, not to their schema properties. Create an additional object filter to use schema properties as criteria in the scope definition.
A fully defined hierarchy filter can be transformed into a variable. Thus the filter can be redefined in a specialized variable set and used for other synchronization configurations.
Reference scope
References to objects in different target systems can be mapped in the One Identity Manager database. To resolve these references, the target system scope must be extended to include the referenced target systems. For this, you can additionally define a reference scope for each system connection. You can enter a reference scope for the database connection in the same way; this allows references to parts of the One Identity Manager database that are not included in the general scope to be resolved.
If no reference scope is defined, the general scope is also used for the reference resolution.
Example
Active Directory domains "xyz" and "uvw" are trusted domains. User accounts from both domains are members in Active Directory groups in the Active Directory domain "xyz". Define a reference scope to assign referenced user accounts of the domain "uvw" during group membership synchronization. In the reference scope, specify that referenced objects should also be searched for in the Active Directory domain "uvw".
If you have not defined a reference scope, the Active Directory SIDs of the domain "uvw" user accounts are determined during group membership synchronization of the Active Directory domain "xyz" and entered in the One Identity Manager data store as unresolved references.
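The scope and reference scope behaviour described above, as a small runnable model. This is an added example and not One Identity Manager code: the DN suffix helper, the Scope and SystemConnection classes, the outcome strings and the sample user accounts (alice, bob, carol, dave, eve) are constructed assumptions. It shows a hierarchy filter (marked containers, subtrees included) combined with an object filter on a property, and how reference resolution falls back to the general scope when no reference scope is defined.

```python
"""Scope, hierarchy filter and reference scope as a small model. Added example,
not One Identity Manager code: the DN helper, the Scope/SystemConnection classes,
the outcome strings and the sample objects are constructed assumptions."""
from dataclasses import dataclass
from typing import Callable, Optional


def is_under(dn: str, container: str) -> bool:
    """True when dn is the container itself or lies in its subtree (case-insensitive)."""
    dn, container = dn.lower(), container.lower()
    return dn == container or dn.endswith("," + container)


@dataclass(frozen=True)
class Scope:
    marked: tuple                                            # hierarchy filter: marked containers, subtrees included
    object_filter: Optional[Callable[[dict], bool]] = None   # object filter on schema properties

    def contains(self, obj: dict) -> bool:
        in_hierarchy = any(is_under(obj["dn"], c) for c in self.marked)
        return in_hierarchy and (self.object_filter is None or self.object_filter(obj))


@dataclass(frozen=True)
class SystemConnection:
    scope: Scope
    reference_scope: Optional[Scope] = None

    def resolves(self, obj: dict) -> bool:
        """Reference resolution uses the reference scope, or the general scope if none is defined."""
        return (self.reference_scope or self.scope).contains(obj)


def load_in_scope(conn: SystemConnection, target_objects: list) -> list:
    """What a synchronization run loads from the connected system: only in-scope objects."""
    return [o["dn"] for o in target_objects if conn.scope.contains(o)]


def resolve_members(conn: SystemConnection, member_dns: list, database: dict) -> dict:
    """Classify each member reference of a group. A reference resolves only if the
    referenced object exists in the database and lies within the reference scope;
    anything else stays unresolved (the page: its SID is parked in the data store)."""
    outcome = {}
    for dn in member_dns:
        obj = database.get(dn.lower())
        if obj is None:
            outcome[dn] = "unresolved: not in database"
        elif conn.scope.contains(obj):
            outcome[dn] = "in scope"
        elif conn.resolves(obj):
            outcome[dn] = "resolved via reference scope"
        else:
            outcome[dn] = "unresolved: outside reference scope"
    return outcome


# Constructed sample data for the page's domains "xyz" and "uvw".
XYZ_CONTAINERS = ("OU=abc,DC=xyz", "OU=def,DC=xyz", "OU=ghi,DC=xyz")
XYZ_SCOPE = Scope(XYZ_CONTAINERS, object_filter=lambda o: not o.get("disabled", False))
XYZ_REFERENCE_SCOPE = Scope(XYZ_CONTAINERS + ("DC=uvw",))   # also search uvw for referenced objects

ALICE = "CN=alice,OU=abc,DC=xyz"
BOB = "CN=bob,OU=people,DC=uvw"
CAROL = "CN=carol,OU=other,DC=xyz"
DAVE = "CN=dave,OU=def,DC=xyz"
EVE = "CN=eve,OU=abc,DC=xyz"

TARGET_OBJECTS_XYZ = [{"dn": ALICE}, {"dn": CAROL}, {"dn": DAVE, "disabled": True}]
DATABASE = {o["dn"].lower(): o for o in TARGET_OBJECTS_XYZ + [{"dn": BOB}]}   # eve was never synchronized
GROUP_MEMBERS = [ALICE, BOB, CAROL, DAVE, EVE]

if __name__ == "__main__":
    conn = SystemConnection(XYZ_SCOPE, XYZ_REFERENCE_SCOPE)
    print("loaded:", load_in_scope(conn, TARGET_OBJECTS_XYZ))
    for dn, result in resolve_members(conn, GROUP_MEMBERS, DATABASE).items():
        print(f"{dn}: {result}")
```

Note that dave is excluded from the general scope by the object filter (disabled account) but is still resolvable as a reference, because the reference scope has no object filter; carol is in the database but outside both scopes and therefore stays unresolved.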
How does revision filtering work?
When you start synchronization, all synchronization objects are loaded. Some of these objects have not been modified since the last synchronization and therefore do not need to be processed. Synchronization is accelerated by loading only those object pairs that have changed since the last synchronization. One Identity Manager uses revision filtering for this.
Prerequisites
- The target system supports revision filtering. This information is supplied by the system connector.
- types own a schema property which is labeled as a .
This schema property stores the information about the last object modifications.
Example of an Active Directory group:
- In the target system schema: uSNChanged
- In the One Identity Manager schema: Date
- permitted for this .
Revision filtering can be applied to workflows and start up configurations. The workflow setting is valid for all synchronizations with this workflow. To synchronize with the same workflow at different times, both with and without revision filtering, create separate start up configurations and set revision filtering on each of them.
To permit revision filtering on a workflow
- In the , open the .
- Edit the workflow properties. From the Revision filtering menu, select Use revision filter.
For more information, see How to edit a workflow.
To permit revision filtering for a start up configuration
For more information, see How to edit start up configurations.
Normally, each object keeps information about its last change. The highest change data value of all synchronized objects of a schema type is stored as the revision in the One Identity Manager database (DPRRevisionStore table, DPRRevisionStore column). This value is the comparison value the next time the same workflow is synchronized: each object's change data is compared with the stored revision, and only object pairs in which the object has newer change data than the stored revision are loaded. Thus, only objects that have changed since the last synchronization are updated.
The reference point for revision filtering is therefore the last synchronization of the schema type with the same workflow. The DPRRevisionStore table contains one entry per workflow and schema type.
NOTE: One Identity Manager supplies a , which regularly cleans up the contents of the DPRRevisionStore table. Entries for schema types that are no longer used in the synchronization configuration are deleted in the process. The process plan is run during daily maintenance.
How does dependency resolution work?
Dependencies can arise between schema classes that require to be repeated. For example, object references cannot be set until the reference object has been added. Dependencies can also arise between schema properties within a schema class.
Figure 9: Example of a workflow with dependent schema classes and schema properties
One Identity Manager can resolve such dependencies automatically. In this case, the synchronization steps are grouped so that the referenced objects are synchronized first and the dependent objects afterwards. If dependencies exist within a schema class, additional synchronization steps are inserted to synchronize the dependent schema properties. The final sequence of synchronization steps can be viewed in the report "".
NOTE: If dependencies exist between schema classes, the schema classes must be synchronized by the same workflow so that dependencies can be automatically resolved.
Figure 10: Example of a workflow with automatic dependency resolution
To set up automatic resolution of dependencies
Use automatic dependency resolution by default. Only select manual dependency resolution if individual dependencies cannot be resolved automatically. This might be necessary, for example, if two objects reference each other as mandatory properties.
NOTE: If dependency resolution is set to "Manual", One Identity Manager does not check during synchronization whether dependencies exist between schema classes and schema properties. The synchronization steps are processed sequentially in the order displayed in the workflow view.
Synchronization exits with an error if dependencies exist that cannot be resolved!
To resolve dependencies manually
- Find the schema properties between which dependencies exist.
- Create a workflow with synchronization steps that take the following criteria into account:
  a) Synchronization steps that synchronize the independent and the referenced objects. Property mapping rules for dependent schema properties must be excluded from these steps.
  b) Synchronization steps that synchronize the dependent objects. Property mapping rules for dependent schema properties must be included in these steps.
- Order the synchronization steps so that all steps for a) run first and then the steps for b).
- Edit the workflow properties and set Dependency resolution to Manual.
For more information, see How to edit a workflow.
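The grouping that automatic dependency resolution performs, and that the manual procedure above reproduces by hand, as a runnable model. This is an added example and not One Identity Manager code: the schema class names, property rule names and the `plan_steps` function are illustrative assumptions, not the product's schema or API. Referenced classes are ordered before referencing classes; self-references, and optional references that would otherwise form a cycle, are moved into an extra step per class that maps only those properties (the b) steps above); a cycle of mandatory references cannot be broken and raises, matching the case the page says needs manual resolution.

```python
"""Automatic dependency resolution for synchronization steps, as a model.
Added example, not One Identity Manager code: class, rule and step names
below are illustrative assumptions, not the product's schema."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


class UnresolvableDependency(Exception):
    """Schema classes reference each other through mandatory properties."""


@dataclass(frozen=True)
class PropertyRule:
    name: str
    references: Optional[str] = None   # schema class the property points to, if any
    mandatory: bool = False            # the object cannot be created without this reference


@dataclass(frozen=True)
class SchemaClass:
    name: str
    rules: tuple


@dataclass(frozen=True)
class SyncStep:
    schema_class: str
    rules: tuple   # property mapping rules applied in this step


def _topological_order(classes, deferred):
    """Kahn's algorithm over 'referenced class before referencing class' edges,
    ignoring self-references and rules already deferred to a later step.
    Returns (ordered class names, class names stuck in a cycle)."""
    names = {c.name for c in classes}
    indegree = {n: 0 for n in names}
    successors = defaultdict(set)
    for c in classes:
        for r in c.rules:
            t = r.references
            if t is None or t == c.name or t not in names or r.name in deferred[c.name]:
                continue
            if c.name not in successors[t]:
                successors[t].add(c.name)
                indegree[c.name] += 1
    ready = sorted(n for n in names if indegree[n] == 0)
    order = []
    while ready:
        n = ready.pop(0)
        order.append(n)
        for s in successors[n]:
            indegree[s] -= 1
            if indegree[s] == 0:
                ready.append(s)
        ready.sort()
    return order, names - set(order)


def plan_steps(classes):
    """Group steps so referenced objects are synchronized before dependent ones,
    with one extra step per class for properties that must wait for the first pass."""
    by_name = {c.name: c for c in classes}
    deferred = defaultdict(list)   # class name -> rule names mapped in the extra step
    for c in classes:
        for r in c.rules:
            if r.references == c.name:      # dependency within a schema class
                deferred[c.name].append(r.name)
    while True:
        order, stuck = _topological_order(classes, deferred)
        if not stuck:
            break
        # Break a cycle between classes by deferring one optional reference.
        candidates = [(c, r.name) for c in sorted(stuck) for r in by_name[c].rules
                      if r.references in stuck and r.references != c
                      and not r.mandatory and r.name not in deferred[c]]
        if not candidates:
            raise UnresolvableDependency(sorted(stuck))
        c, rule = candidates[0]
        deferred[c].append(rule)
    steps = [SyncStep(n, tuple(r.name for r in by_name[n].rules if r.name not in deferred[n]))
             for n in order]
    steps += [SyncStep(n, tuple(deferred[n])) for n in order if deferred[n]]
    return steps


# Constructed sample: an Active Directory-like workflow with self-references.
AD_CLASSES = (
    SchemaClass("Domain", (PropertyRule("DistinguishedName"),)),
    SchemaClass("Container", (PropertyRule("DistinguishedName"),
                              PropertyRule("Domain", references="Domain", mandatory=True),
                              PropertyRule("ParentContainer", references="Container"))),
    SchemaClass("UserAccount", (PropertyRule("SAMAccountName"),
                                PropertyRule("Container", references="Container", mandatory=True),
                                PropertyRule("Manager", references="UserAccount"))),
    SchemaClass("Group", (PropertyRule("SAMAccountName"),
                          PropertyRule("Container", references="Container", mandatory=True),
                          PropertyRule("AccountManager", references="UserAccount"),
                          PropertyRule("Members", references="UserAccount"))),
)
MUTUAL_OPTIONAL = (SchemaClass("A", (PropertyRule("Name"), PropertyRule("b", references="B"))),
                   SchemaClass("B", (PropertyRule("Name"), PropertyRule("a", references="A", mandatory=True))))
MUTUAL_MANDATORY = (SchemaClass("A", (PropertyRule("Name"), PropertyRule("b", references="B", mandatory=True))),
                    SchemaClass("B", (PropertyRule("Name"), PropertyRule("a", references="A", mandatory=True))))

if __name__ == "__main__":
    for step in plan_steps(AD_CLASSES):
        print(step.schema_class, step.rules)
```

For AD_CLASSES the plan is Domain, Container, UserAccount, Group (each without its self-referencing properties), followed by extra steps Container (ParentContainer) and UserAccount (Manager). The mutual-mandatory pair raises UnresolvableDependency, which is where the page tells you to switch to manual resolution.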
Unresolvable references
If a referenced object does not exist in the One Identity Manager database, the object reference cannot be resolved by synchronization. Unresolvable object references are written to a buffer called the data store (DPRAttachedDataStore table). This ensures that these references remain intact and are not deleted in the target system by provisioning.
Example
An Active Directory group has an account manager that belongs to a domain which is not part of the current synchronization run. The account manager does not exist in the One Identity Manager database either.
Synchronization cannot assign the account manager. To retain the assignment, the object reference is saved in the data store together with the account manager's distinguished name.
During each synchronization, One Identity Manager tries to clean up the data store. If the referenced objects now exist in the One Identity Manager database, the references are resolved and the entries are deleted from the data store. How the data store is cleaned up depends on the synchronization type (with or without revision filter) and on the maintenance mode.
Table 22: Maintenance for unresolved object references
Maintenance mode | Synchronization without revision filter | Synchronization with revision filter
The following applies depending on the maintenance mode: | Object references of all synchronization objects are cleaned up if they exist in the One Identity Manager database. | Only object references for modified objects are cleaned up.
No maintenance | There is no additional task of clearing up the data store. | There is no additional task of clearing up the data store.
Always synchronize affected objects | No effect. | The filter is removed on objects with unresolved references. Therefore, references are also cleaned up if the objects have not been changed since the last synchronization.
Full maintenance after every synchronization | One Identity Manager tries to resolve object references following synchronization. As a result, unresolved references that arose during this synchronization run are processed. | One Identity Manager tries to resolve object references following synchronization. As a result, unresolved references that arose during this synchronization run are processed. Object references that were not modified are also cleaned up.
You can enter the number of retries for resolving object references. It may be necessary to try several times to resolve an object if it maps a hierarchy with several levels. One hierarchy level at a time can be resolved with each attempt to resolve an object.
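The interaction between revision filtering (the section "How does revision filtering work?") and the three maintenance modes in Table 22, as one runnable model. This is an added example and not One Identity Manager code: the table names DPRRevisionStore and DPRAttachedDataStore are taken from the page, but the Database and TargetObject structures, the function names, the retry handling and the sample groups and accounts are constructed assumptions. The scenario runs the same workflow twice with revision filtering: the first run loads everything and parks the reference to an account manager from the other domain; before the second run the account manager appears in the database, and what happens to the parked reference depends only on the maintenance mode.

```python
"""Revision filtering and data store maintenance as a runnable model. Added
example, not One Identity Manager code: the table names come from the page,
but the structures, function names and sample objects are assumptions."""
from dataclasses import dataclass, field
from enum import Enum


class Maintenance(Enum):
    NONE = "No maintenance"
    AFFECTED = "Always synchronize affected objects"
    FULL = "Full maintenance after every synchronization"


@dataclass
class TargetObject:
    key: str                                         # identifier in the connected system, e.g. a DN
    revision: int                                    # change counter, e.g. Active Directory uSNChanged
    references: dict = field(default_factory=dict)   # property name -> referenced key


@dataclass
class Database:
    objects: dict = field(default_factory=dict)          # key -> {property: value}
    revision_store: dict = field(default_factory=dict)   # (workflow, schema type) -> revision, like DPRRevisionStore
    data_store: dict = field(default_factory=dict)       # (key, property) -> unresolved referenced key, like DPRAttachedDataStore


def select_objects(db, workflow, schema_type, objects, use_revision_filter, mode):
    """Decide what to load. Without a revision filter, or on the first run,
    everything is loaded; otherwise only objects newer than the stored revision.
    In AFFECTED mode the filter is lifted for objects with unresolved references."""
    last = db.revision_store.get((workflow, schema_type))
    if not use_revision_filter or last is None:
        return list(objects)
    affected = {key for key, _ in db.data_store} if mode is Maintenance.AFFECTED else set()
    return [o for o in objects if o.revision > last or o.key in affected]


def apply_object(db, obj):
    """Write the object; set each reference that can be resolved and park the
    rest in the data store so the reference is not lost on provisioning."""
    record = db.objects.setdefault(obj.key, {})
    record["revision"] = obj.revision
    for prop, ref_key in obj.references.items():
        if ref_key in db.objects:
            record[prop] = ref_key
            db.data_store.pop((obj.key, prop), None)
        else:
            db.data_store[(obj.key, prop)] = ref_key


def resolve_data_store(db, max_retries):
    """Each pass resolves entries whose referenced object now exists; a deep
    hierarchy may need one pass per level, hence the retry count."""
    passes = 0
    while passes < max_retries and db.data_store:
        resolvable = [(k, p) for (k, p), ref in db.data_store.items() if ref in db.objects]
        if not resolvable:
            break
        passes += 1
        for key, prop in resolvable:
            db.objects[key][prop] = db.data_store.pop((key, prop))
    return passes


def synchronize(db, workflow, schema_type, objects, use_revision_filter, mode, max_retries=3):
    """One run for one workflow and schema type; returns the keys that were loaded."""
    loaded = select_objects(db, workflow, schema_type, objects, use_revision_filter, mode)
    for obj in loaded:
        apply_object(db, obj)
    if loaded:   # keep the highest change value seen: the comparison value for the next run
        previous = db.revision_store.get((workflow, schema_type), 0)
        db.revision_store[(workflow, schema_type)] = max(previous, max(o.revision for o in loaded))
    if mode is Maintenance.FULL:
        resolve_data_store(db, max_retries)
    return [o.key for o in loaded]


# Constructed sample: a group whose account manager lives in a domain that is not synchronized here.
ADMINS = "CN=admins,OU=abc,DC=xyz"
STAFF = "CN=staff,OU=abc,DC=xyz"
ALICE = "CN=alice,OU=abc,DC=xyz"
BOB = "CN=bob,OU=people,DC=uvw"


def run_scenario(mode):
    """Two runs with revision filtering: the first loads everything, the second
    finds no changed groups, but bob has meanwhile appeared in the database."""
    db = Database(objects={ALICE: {"revision": 10}})
    groups = [TargetObject(ADMINS, 100, {"AccountManager": BOB, "Member": ALICE}),
              TargetObject(STAFF, 90, {"AccountManager": ALICE})]
    first = synchronize(db, "AD xyz", "Group", groups, True, mode)
    db.objects[BOB] = {"revision": 5}   # e.g. synchronized via the reference scope in the meantime
    second = synchronize(db, "AD xyz", "Group", groups, True, mode)
    return first, second, dict(db.data_store), db.revision_store[("AD xyz", "Group")]


if __name__ == "__main__":
    for mode in Maintenance:
        print(mode.value, "->", run_scenario(mode))
```

With "No maintenance" the parked reference survives the second run because the unchanged group is filtered out; with "Always synchronize affected objects" the filter is lifted for that group, so it is reloaded and the reference resolves during processing; with "Full maintenance after every synchronization" nothing is reloaded, but the maintenance pass after the run resolves the entry.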
To set up maintenance mode
NOTE: One Identity Manager supplies a , which regularly cleans up the contents of the DPRAttachedDataStore table. Entries for objects that no longer exist in the One Identity Manager database are deleted. The process plan is run during daily maintenance.