
Identity Manager 9.1.1 - Target System Synchronization Reference Guide


How to delete property mapping rules

To delete a property mapping rule

  1. Select the Mappings category.
  2. In the navigation view, select a mapping.
  3. Click in the rule view menu bar for property mapping rules.
  4. Confirm the security prompt with Yes.

Property mapping rule details

Enter the following details for a property mapping rule.

Tip: To create a rule from a template, click .
Table 40: Property mapping rule details

Detail

Description

Rule types

Select the rule type for a new rule.

Value comparison rule

Compares the schema property value of the One Identity Manager schema with the value of a target system schema.

Multiple reference rule

Compares multi-value schema properties. The value lists are compared element by element. Missing values are added; superfluous values are deleted.

Rule name

Name of the rule. The rule name must be unique within a mapping.

Click to change rule names. The rule name is used as key. Changes to the rule name may cause errors.

Display name

Rule display name.

Mapping direction

Specify the permitted mapping direction for mapping selected schema properties.

Both directions

The property mapping rule is applied both for synchronization in the direction of the target system and for synchronization in the direction of One Identity Manager.

To the target system

The property mapping rule is only used for synchronizing in the direction of the target system.

To the One Identity Manager

The property mapping rule is only used for synchronizing in the direction of One Identity Manager.

Do not assign

The property mapping rule is ignored.

You can set this value to disable a property mapping rule.

Taken from mapping

The mapping direction that is fixed in the mapping applies.

Ignore mapping direction restrictions on adding

Specifies whether the given direction of mapping is ignored when new objects are added.

If this option is set, the property mapping rule can also be run if the synchronization mapping is in the opposite direction. Property mapping rules not assigned a mapping direction are also ignored when new objects are added.

If this option is not set, the specified mapping direction is valid when new objects are added.

Example:

A telephone system is managed with One Identity Manager. The telephone system acts as the primary system when the telephone numbers are synchronized. The direction of mapping is set to One Identity Manager. The telephone number is a mandatory value in the target system.

In One Identity Manager, a new employee is added. Each employee is given an initial telephone number. These employees should be added to the target system by synchronizing them. So that the telephone numbers are written to the target system during synchronization, the Ignore mapping direction restrictions on adding option must be set on the property mapping rule.

For more information, see Detecting rogue modifications.

Description

Text field for additional explanation.

Concurrence behavior

Specifies whether the property mapping rule is always applied.

Objects in a connected system (synchronization target) that

  • Have been changed but the changes are not yet provisioned

  • Are in automatic processes that are not yet complete

  • Or are blocked in some other way

are excluded by default to avoid data conflict. If possible, synchronization of these objects is repeated by the next synchronization run.

In rare cases, it may still be necessary to synchronize some properties of these objects immediately, to transfer safety-critical changes to the connected system, for example.

  • Apply rule: Applies the property mapping rule, overwriting any data changes.

    IMPORTANT: Only select this option in exceptional cases. Afterward, check the data modifications that might be overwritten by this.

  • Do not apply rule: The property mapping rule is not run if the object is blocked for changes. If this option is enabled for all property mapping rules in the mapping, the object will be completely omitted and not handled by the synchronization.

    This corresponds to the default behavior.

For more information, see Concurrence behavior of synchronization objects.

Schema property

Select the schema properties to be mapped.

Do not overwrite

The schema property value is only changed by synchronization if the schema property does not contain a value.

Mapping condition

Condition under which the property mapping rule is used.

Click Create condition to create the condition with the wizard. For more information, see Wizard for entering filters.

Example: Left.CanonicalName = 'Managed Service Accounts'

The property mapping rule is applied to all objects assigned to the container "Managed Service Accounts" in One Identity Manager.

Table 41: Additional detail of a value compare rule

Detail

Description

Force mapping against direction of synchronization

If this option is set, the property mapping rule can also be applied if the synchronization mapping is in the opposite direction. For more information, see Mapping against the direction of synchronization.

The option can only be set if:

  • Detecting rogue modifications is disabled.
  • The direction of mapping is Target system or One Identity Manager.

The property mapping rule may not be run in both directions.

Detecting rogue modifications

Specifies whether rogue modifications are identified and logged if the direction of synchronization is opposite to the mapping direction.

The option can only be set if:

  • The direction of mapping is Target system or One Identity Manager.
  • Force mapping against direction of synchronization is disabled.

If this option is set, rogue modifications are detected and logged. The log can be evaluated after synchronization. For more information, see Synchronization analysis.

If the option is not set, the property mapping rule is ignored by synchronization.

For more information, see Detecting rogue modifications.

Correct rogue modifications

Specifies whether rogue modifications are corrected if the direction of synchronization is opposite to the mapping direction.

The option can only be set if:

  • Detecting rogue modifications is enabled.
  • The direction of mapping is Target system or One Identity Manager.
  • Force mapping against direction of synchronization is disabled.

If the option is set, the property mapping rule is run by synchronization. The object property in the connected system is overwritten with the value from the primary system. Thus rogue changes are ignored.

If the option is not set, rogue changes are only logged.

For more information, see Detecting rogue modifications.

Ignore case

Specifies whether changes that only differ through case are ignored by the mapping. This option affects only schema properties with the String data type.

Deal with the first value of the property as a single value

If a multi-value schema property is mapped using a value compare rule, the first value from the value list is taken into account by synchronization.

Disable merge mode support

Specifies whether to disable merge mode for single provisioning of memberships in this property mapping rule. If the option is set, when memberships are provisioned and merge mode is enabled on the assignment table, the entire membership list is also transferred.

For more information, see Single membership provisioning.
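
The following Python model of the Table 41 options is an added example, not One Identity Manager code. It checks the "can only be set if" constraints and shows what happens to a one-way rule when synchronization runs against its mapping direction. The direction labels, field names, action names and telephone numbers are constructed, and treating equal values as "nothing rogue" is an assumption.

```python
from dataclasses import dataclass

ONE_WAY = {"target_system", "one_identity_manager"}  # constructed labels

@dataclass
class Rule:
    direction: str               # side the rule maps to, or "both"
    force_against: bool = False  # Force mapping against direction of synchronization
    detect_rogue: bool = False   # Detecting rogue modifications
    correct_rogue: bool = False  # Correct rogue modifications

def option_errors(rule):
    """Check the 'can only be set if' constraints from Table 41."""
    one_way, errors = rule.direction in ONE_WAY, []
    if rule.force_against and (rule.detect_rogue or not one_way):
        errors.append("force_against: needs one-way direction, detect_rogue off")
    if rule.detect_rogue and (rule.force_against or not one_way):
        errors.append("detect_rogue: needs one-way direction, force_against off")
    if rule.correct_rogue and not (rule.detect_rogue and one_way
                                   and not rule.force_against):
        errors.append("correct_rogue: needs detect_rogue on, force_against off")
    return errors

def evaluate(rule, sync_direction, primary_value, other_value):
    """Return (action, log) for one property in one synchronization run.

    primary_value: value in the system the rule maps from (primary system)
    other_value:   value in the system the rule maps to
    """
    problems = option_errors(rule)
    if problems:
        raise ValueError("; ".join(problems))
    if rule.direction in ("both", sync_direction):
        return "apply", []
    if rule.force_against:
        return "apply_against_direction", []
    if not rule.detect_rogue:
        return "ignore", []            # rule is ignored by synchronization
    if primary_value == other_value:   # assumption: equal values, nothing rogue
        return "in_sync", []
    log = [f"rogue modification: {other_value!r} != primary {primary_value!r}"]
    if rule.correct_rogue:
        log.append(f"overwritten with {primary_value!r}")
        return "correct", log
    return "log_only", log
```
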

Table 42: Additional detail of a multi-reference mapping rule

Member filter

Description

Only include these

Select all members in the value list to be mapped to the schema property of the connected system.

Exclude these

Select all members in the value list not to be mapped to the schema property of the connected system.

Editing object matching rules

Object matching rules assign schema properties through which system objects can be uniquely identified. For example, Active Directory groups can be uniquely identified by the DistinguishedName and ObjectGUID schema properties.

Object matching rules can be added or created from property mapping rules. If system objects can only be identified through several schema properties, different property matching rules can be linked with logical operators to form an object matching rule.

NOTE: Using object matching rules of this type can slow down synchronization. Instead, use a virtual schema property to link the schema properties required for matching and create an object matching rule with it.

If several object matching rules are set up, they are run in the order in which they are listed in the rule view. The rule at the top is the primary rule; all others are marked as alternatives. If a system object can be identified uniquely by the primary rule, the alternative rules are not run. If a system object cannot be identified by the primary rule, One Identity Manager uses the next alternative rule to determine a suitable system object. If none of the rules can identify a suitable system object, the object does not have a partner and is handled as new or deleted.

Example

The following object matching rules are defined for mapping Active Directory groups:

  • Object GUID <-> Object GUID (primary rule)
  • Distinguished name <-> Obj-Dist-Name (alternative rule)
  • Object SID <-> Object-Sid (alternative rule no. 2)

Properties of an Active Directory group are modified in One Identity Manager. During provisioning, the Active Directory connector tries to identify the group in the target system by using the object GUID. It does not find an object with this object GUID so the alternative object matching rule is applied. The connector identifies an object with the same distinguished name and updates this object in the target system.

NOTE:

  • Object matching rules must use schema properties with read-access. Write-only schema properties are not suitable for identification of system objects.

  • Schema properties used to identify system objects must contain a value. If a schema property is empty, the object matching rule is ignored and the next alternative rule is applied.

  • If several system objects that fulfill the matching criteria are found, a message appears in the synchronization log. These objects are ignored as processing continues.

    If several system objects are found, either there is corrupt data in connected systems or the matching criteria are not unique. Clean up the data in the connected systems and adjust the object matching rules.
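
The rule order, the empty-value case and the multiple-match case described above can be modeled as follows. This Python sketch is an added example, not connector code: the function name, status strings and sample objects are constructed, the property names are taken from the Active Directory group example, and ending the search on an ambiguous hit is an assumption.

```python
# Ordered (One Identity Manager property, target system property) pairs from
# the Active Directory group example; the first pair is the primary rule.
RULES = [
    ("Object GUID", "Object GUID"),
    ("Distinguished name", "Obj-Dist-Name"),
    ("Object SID", "Object-Sid"),
]

def find_partner(obj, target_objects, rules=RULES):
    """Return (status, rule_index, partners, log) for one object.

    status: "matched", "ambiguous" or "no_partner" (handled as new or deleted)
    rule_index: 0 = primary rule, 1 and up = alternative rules
    """
    log = []
    for index, (left, right) in enumerate(rules):
        value = obj.get(left)
        if value in (None, ""):
            log.append(f"rule {index} ({left}): empty value, rule ignored")
            continue
        hits = [t for t in target_objects if t.get(right) == value]
        if len(hits) == 1:
            if index > 0:
                log.append(f"matched by alternative rule {index} ({left})")
            return "matched", index, hits, log
        if len(hits) > 1:
            # Assumption: an ambiguous rule ends matching for this object.
            log.append(f"rule {index} ({left}): {len(hits)} objects match, ignored")
            return "ambiguous", index, hits, log
        log.append(f"rule {index} ({left}): no object found")
    return "no_partner", None, [], log

# Constructed sample data: the GUID known to One Identity Manager is not
# present in the target system, but an object with the same DN is.
FINANCE_DN = "CN=Finance,OU=Groups,DC=example,DC=com"
SALES_DN = "CN=Sales,OU=Groups,DC=example,DC=com"
GROUP = {"Object GUID": "guid-1111", "Distinguished name": FINANCE_DN,
         "Object SID": "S-1-5-21-1-2-3-1105"}
TARGET = [
    {"Object GUID": "guid-2222", "Obj-Dist-Name": FINANCE_DN,
     "Object-Sid": "S-1-5-21-1-2-3-2210"},
    {"Object GUID": "guid-3333", "Obj-Dist-Name": SALES_DN,
     "Object-Sid": "S-1-5-21-1-2-3-2211"},
]
```

Recording which rule produced the match makes it possible to review objects that were paired by an alternative rule rather than by the primary identifier.
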

How to create object matching rules

To create an object matching rule from a property mapping rule

  1. Select the Mappings category.
  2. Select a mapping in the navigation view.
  3. Select the property mapping rule in the rule view.
  4. Click in the rule view toolbar.

    A message appears.

  5. To convert the property mapping rule to an object matching rule, click No in the message dialog.

    - OR -

    To convert the property mapping rule into an object matching rule and create a copy of the property mapping rule, click Yes in the message dialog.

To create a new object matching rule

  1. Select the Mappings category.
  2. Select a mapping in the navigation view.
  3. Click in the rule view toolbar for object matching rules.
  4. Select a rule type and enter the rule details.
  5. Click OK.

One Identity Manager helps you to set up new object matching rules based on existing rules. Use the mapping wizard for this.

To create an object matching rule with the mapping wizard

  1. Select the Mappings category.
  2. Select a mapping in the navigation view.
  3. Click in the menu bar for the object matching rule view.
  4. Follow the mapping wizard's instructions.
  5. Test the new rule.