Chat now with support
Chat with Support

Identity Manager 8.1.5 - Administration Guide for Connecting to a Universal Cloud Interface

Managing Universal Cloud Interface environments Setting up synchronization with a cloud application in Universal Cloud Interface Basic data for managing a Universal Cloud Interface environment Cloud target systems Container structures in a cloud target system Cloud user accounts Cloud groups Cloud permissions controls Provisioning object changes Reports about objects in cloud target systems Configuration parameters for managing cloud target systems Default project template for cloud applications in the Universal Cloud Interface

Updating schemas

All the schema data (schema types and schema properties) of the target system schema and the One Identity Manager schema are available when you are editing a synchronization project. Only a part of this data is really needed for configuring synchronization. If a synchronization project is finished, the schema is compressed to remove unnecessary data from the synchronization project. This can speed up the loading of the synchronization project. Deleted schema data can be added to the synchronization configuration again at a later point.

If the target system schema or the One Identity Manager schema has changed, these changes must also be added to the synchronization configuration. Then the changes can be added to the schema property mapping.

To include schema data that have been deleted through compression and schema modifications in the synchronization project, update each schema in the synchronization project. This may be necessary if:

  • A schema was changed by:

    • Changes to a target system schema

    • Customizations to the One Identity Manager schema

    • A One Identity Manager update migration

  • A schema in the synchronization project was shrunk by:

    • Enabling the synchronization project

    • Saving the synchronization project for the first time

    • Compressing a schema

To update a system connection schema

  1. Open the synchronization project in the Synchronization Editor.

  2. Select the Configuration | Target system category.

    - OR -

    Select the Configuration | One Identity Manager connection category.

  3. Select the General view and click Update schema.

  4. Confirm the security prompt with Yes.

    This reloads the schema data.

To edit a mapping

  1. Open the synchronization project in the Synchronization Editor.

  2. Select the Mappings category.

  3. Select a mapping in the navigation view.

    Opens the Mapping Editor. For more detailed information about mappings, see the One Identity Manager Target System Synchronization Reference Guide.

NOTE: The synchronization is deactivated if the schema of an activated synchronization project is updated. Reactivate the synchronization project to synchronize.

Speeding up synchronization with revision filtering

When you start synchronization, all synchronization objects are loaded. Some of these objects have not be modified since the last synchronization and, therefore, must not be processed. Synchronization is accelerated by only loading those object pairs that have changed since the last synchronization. One Identity Manager uses revision filtering to accelerate synchronization.

One Identity Manager supports revision filtering. The date of the last target system object change (column XDateUpdated) is used as revision counter. Each synchronization saves its last execution date as a revision in the One Identity Manager database (table DPRRevisionStore, column Value). This value is used as a comparison for revision filtering when the same workflow is synchronized the next time. When this workflow is synchronized the next time, the target system objects' change date is compared with the revision saved in the One Identity Manager database. Only those objects that have been changed since this date are loaded from the target system.

The revision is found at start of synchronization. Objects modified by synchronization are loaded and checked by the next synchronization. This means that the second synchronization after initial synchronization is not significantly faster.

Revision filtering can be applied to workflows and start up configuration.

To permit revision filtering on a workflow

  • Open the synchronization project in the Synchronization Editor.

  • Edit the workflow properties. Select the Use revision filter item from Revision filtering menu.

To permit revision filtering for a start up configuration

  • Open the synchronization project in the Synchronization Editor.

  • Edit the start up configuration properties. Select the Use revision filter item from the Revision filtering menu.

For more detailed information about revision filtering, see the One Identity Manager Target System Synchronization Reference Guide.

Post-processing outstanding objects

Objects, which do not exist in the target system, can be marked as outstanding in One Identity Manager by synchronizing. This prevents objects being deleted because of an incorrect data situation or an incorrect synchronization configuration.

Outstanding objects:

  • Cannot be edited in One Identity Manager.

  • Are ignored by subsequent synchronizations.

  • Are ignored by inheritance calculations.

This means, all memberships and assignments remain intact until the outstanding objects have been processed.

Start target system synchronization to do this.

To post-process outstanding objects

  1. In the Manager, select Cloud target systems | Target system synchronization: Universal Cloud Interface.

    All the synchronization tables assigned to the Universal Cloud Interface target system type are displayed in the navigation view.

  2. On the Target system synchronization form, in the Table / object column, open the node of the table for which you want to post-process outstanding objects.

    All objects that are marked as outstanding are shown. The Last log entry and Last method run columns display the time at which the last entry was made in the synchronization log and which processing method was executed. The No log available entry can mean the following:

    • The synchronization log has already been deleted.

      - OR -

    • An assignment from a member list has been deleted from the target system.

      The base object of the assignment was updated during the synchronization. A corresponding entry appears in the synchronization log. The entry in the assignment table is marked as outstanding, but there is no entry in the synchronization log.

    • An object that contains a member list has been deleted from the target system.

      During synchronization, the object and all corresponding entries in the assignment tables are marked as outstanding. However, an entry in the synchronization log appears only for the deleted object.

    TIP:

    To display object properties of an outstanding object

    1. Select the object on the target system synchronization form.
    2. Open the context menu and click Show object.

  1. Select the objects you want to rework. Multi-select is possible.

  2. Click on one of the following icons in the form toolbar to execute the respective method.

    Table 9: Methods for handling outstanding objects

    Icon

    Method

    Description

    Delete

    The object is immediately deleted from the One Identity Manager database. Deferred deletion is not taken into account. The Outstanding label is removed from the object.

    Indirect memberships cannot be deleted.

    Publish

    The object is added to the target system. The Outstanding label is removed from the object.

    The method triggers the HandleOutstanding event. This runs a target system specific process that triggers the provisioning process for the object.

    Prerequisites:

    • The table containing the object can be published.

    • The target system connector has write access to the target system.

    Reset

    The Outstanding label is removed for the object.

  3. Confirm the security prompt with Yes.

NOTE: By default, the selected objects are processed in parallel, which speeds up execution of the selected method. If an error occurs during processing, the action is stopped and all changes are discarded.

Bulk processing of objects must be disabled if errors are to be localized, which means the objects are processed sequentially. Failed objects are named in the error message. All changes that were made up until the error occurred are saved.

To disable bulk processing

  • In the form's toolbar, click to disable bulk processing.

NOTE: The target system connector must have write access to the target system in order to publish outstanding objects that are being post-processed. That means, the Connection is read-only option must not be set for the target system connection.

The target system type determines which tables are going to be synchronized. You cannot synchronize custom tables in the Cloud Systems Management Module. This means you cannot configure target system configuration for custom tables.

To display the target system synchronization configuration

  1. Select the Cloud Target Systems | Basic configuration data | Target system types category.
  2. Select Universal Cloud Interface in the result list.
  3. Select the Assign synchronization tables task.

    All the tables that could be synchronized are enabled.

  4. Select the Configure tables for publishing task.

    The Can be published option is set for all tables with outstanding objects in the target system.

Accelerating provisioning and single object synchronization

To smooth out spikes in data traffic, handling of processes for provisioning and single object synchronization can be distributed over several Job servers. This will also accelerate these processes.

NOTE: You should not implement load balancing for provisioning or single object synchronization on a permanent basis. Parallel processing of objects might result in dependencies not being resolved because referenced objects from another Job server have not been completely processed.

Once load balancing is no longer required, ensure that the synchronization server executes the provisioning processes and single object synchronization.

To configure load balancing

  1. Configure the server and declare it as a Job server in One Identity Manager.

    • Assign the Universal Cloud Interface connector server function to the Job server.

    All Job servers must access the same cloud target system as the synchronization server for the respective base object.

  2. In the Synchronization Editor, assign a custom server function to the base object.

    This server function is used to identify all the Job servers being used for load balancing.

    If there is no custom server function for the base object, create a new one.

    For more information about editing base objects, see the One Identity Manager Target System Synchronization Reference Guide.

  3. In the Manager, assign this server function to all the Job servers that will be processing provisioning and single object synchronization for the base object.

    Only select those Job servers that have the same configuration as the base object's synchronization server.

Once all the processes have been handled, the synchronization server takes over provisioning and single object synchronization again.

To use the synchronization server without load balancing.

  • In the Synchronization Editor, remove the server function from the base object.

For detailed information about load balancing, see the One Identity Manager Target System Synchronization Reference Guide.

Detailed information about this topic
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating