Identity Manager 8.2.1 - Administration Guide for Active Roles Integration

Managing Active Directory user accounts and Active Directory contacts through account definitions

In the default installation, after synchronizing, employees are automatically created for user accounts and contacts. If an account definition for the domain is not known at the time of synchronization, user accounts and contacts are linked to employees. However, account definitions are not assigned. The user accounts and contacts are therefore in a Linked state.

To manage the user accounts and contacts using account definitions, assign an account definition and a manage level to these user accounts and contacts.

To manage user accounts and contacts through account definitions

  1. Create an account definition.

  2. Assign an account definition to the domain.

  3. Assign a user account in the Linked state to the account definition. The account definition's default manage level is applied to the user account.

    1. In the Manager, select the Active Directory > User accounts > Linked but not configured > <Domain> category.

      - OR -

      In the Manager, select the Active Directory > Contacts > Linked but not configured > <Domain> category.

    2. Select the Assign account definition to linked accounts task.

    3. In the Account definition menu, select the account definition.

    4. Select the user accounts that contain the account definition.

    5. Save the changes.

For detailed information about account definitions for Active Directory user accounts and contacts, see the One Identity Manager Administration Guide for Connecting to Active Directory.

Troubleshooting

Synchronization Editor helps you to analyze and eliminate synchronization errors.

  • Simulating synchronization

    The simulation allows you to estimate the result of synchronization. This means you can, for example, recognize potential errors in the synchronization configuration.

  • Analyzing synchronization

    You can generate the synchronization analysis report for analyzing problems which occur during synchronization, for example, insufficient performance.

  • Logging messages

    One Identity Manager offers different options for logging errors. These include the synchronization log, the log file for One Identity Manager Service, the logging of messages with NLOG, and similar.

  • Reset start information

    If synchronization stopped unexpectedly, for example, because a server was not available, the start information must be reset manually. Only then can the synchronization be restarted.

For more information about these topics, see the One Identity Manager Target System Synchronization Reference Guide.


Ignoring data error in synchronization

By default, objects with incorrect data are not synchronized. These objects can be synchronized once the data has been corrected. In certain situations, however, it might be necessary to synchronize objects like these and ignore the data properties that have errors. This synchronization behavior can be configured in One Identity Manager.

To ignore data errors during synchronization in One Identity Manager

  1. In the Synchronization Editor, open the synchronization project.

  2. Select the Configuration > One Identity Manager connection category.

  3. In the General view, click Edit connection.

    This starts the system connection wizard.

  4. On the Additional options page, enable Try to ignore data errors.

    This option is only effective if Continue on error is set in the synchronization workflow.

    Default columns, such as primary keys, UID columns, or mandatory input columns cannot be ignored.

  5. Save the changes.

IMPORTANT: If this option is set, One Identity Manager tries to ignore commit errors that could be related to data errors in a single column. This causes the data changed in the affected column to be discarded and the object is subsequently saved again. This affects performance and leads to loss of data.

Only set this option in the exceptional circumstance of not being able to correct the data before synchronization.

Interaction with Active Roles workflows

In the default configuration of processes and synchronization behavior, the integrated Active Roles connector works without input from Active Roles workflows. Changes are published immediately in Active Directory. An administrative user account that is a member of the Active Roles group is required for the default behavior.

The One Identity Manager connector integrated in Active Roles does, however, allow Active Roles workflows to be controlled. That means every operation in Active Roles that is linked to a workflow starts that workflow.

If the Active Roles connector is supposed to trigger workflows, you may have to customize processes so that they wait for the workflows to run and the changes to be made in Active Directory. This is necessary because the One Identity Manager processes defined in the Active Directory are run synchronously. The Active Roles connector is provided with additional functions to support you when querying the status of workflows.

The domain configuration and One Identity Manager Service user account permissions determine whether workflows are triggered.

NOTE: If the One Identity Manager Service's user account is a member in the Active Roles administrators group, workflows are always bypassed irrespective of the option setting.

For more information about Active Roles workflows, see your One Identity Active Roles documentation.

The following table shows the correlation.

Table 5: Correlation to Active Roles workflow control

| User Account Member of the Active Roles Administrators? | Option "Run Active Roles workflows" set? | Operation Linked with Active Roles Workflows? | Result |
|---|---|---|---|
| Yes | Yes | No | The operation is run immediately. |
| Yes | No | No | The operation is run immediately. |
| Yes | Yes | Yes | The operation is run immediately without input from workflows. |
| Yes | No | Yes | The operation is run immediately without input from workflows. |
| No | Yes | No | The operation is run immediately. |
| No | No | No | The operation is run immediately. |
| No | Yes | Yes | The operation triggers workflows and depends on the final status. |
| No | No | Yes | The operation quits with an error message. |
