Speeding up synchronization with revision filtering
When you start synchronization, all synchronization objects are loaded. Some of these objects have not been modified since the last synchronization and therefore do not need to be processed. Synchronization is accelerated by loading only those object pairs that have changed since the last synchronization. One Identity Manager uses revision filtering to accelerate synchronization.
SAP R/3 supports revision filtering. The SAP objects' date of last change is used as the revision counter. Each synchronization saves the date it was run as a revision in the One Identity Manager database (DPRRevisionStore table, Value column). This value is used for comparison the next time the same workflow is synchronized: the SAP objects' change date is compared with the revision saved in the One Identity Manager database, and only those objects that have been changed since this date are loaded from the target system.
NOTE: For SAP roles, the date the role was last generated in the target system is used as the revision counter. Synchronization with revision filtering therefore updates only those SAP roles in the database that have been regenerated since the last synchronization. In other words, changes to a role that are not followed by a regeneration are not detected by revision filtering.
The revision is determined at the start of a synchronization run. Objects that the synchronization itself modifies in the target system receive a new change date and are therefore loaded and checked again by the next synchronization. This means that the second synchronization after the initial synchronization is not significantly faster.
Revision filtering can be applied to workflows and start up configurations.
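The following Python model illustrates the revision comparison described above, including the two caveats: objects written back by a run are loaded again by the next run, and roles are compared on their generation date rather than their change date. It is an added example, not One Identity Manager or SAP code; the class and function names, the in-memory stand-in for DPRRevisionStore and the sample objects are assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed model of revision filtering (added illustration, not product code).
# revision_store stands in for the DPRRevisionStore table: one Value per workflow.
revision_store = {}


@dataclass
class SapObject:
    key: str
    kind: str                 # "user" or "role"
    changed_at: datetime      # SAP date of last change
    generated_at: datetime    # date the role was last generated (used for roles)


def revision_of(obj):
    """Revision counter the comparison uses: generation date for roles,
    change date for everything else."""
    return obj.generated_at if obj.kind == "role" else obj.changed_at


def load_changed(objects, workflow):
    """Return only objects whose revision is newer than the saved revision;
    an initial synchronization (no saved revision) loads everything."""
    last = revision_store.get(workflow)
    if last is None:
        return list(objects)
    return [o for o in objects if revision_of(o) > last]


def synchronize(objects, workflow, started_at, writes_back=()):
    """One run: determine the revision at the start, load, and save the run
    date afterwards. Objects the run writes back get a new change date in the
    target system, so the next run will load them again."""
    loaded = load_changed(objects, workflow)
    for o in loaded:
        if o.key in writes_back:
            o.changed_at = started_at + timedelta(seconds=30)
    revision_store[workflow] = started_at
    return sorted(o.key for o in loaded)


def demo():
    """Three consecutive runs over constructed sample objects."""
    revision_store.clear()
    t0 = datetime(2024, 1, 1, 8, 0)
    objs = [
        SapObject("USER_A", "user", t0 - timedelta(days=3), t0 - timedelta(days=3)),
        SapObject("USER_B", "user", t0 - timedelta(days=1), t0 - timedelta(days=1)),
        SapObject("ROLE_Z", "role", t0 - timedelta(days=1), t0 - timedelta(days=10)),
    ]
    wf = "SAP R/3 Initial Synchronization"          # assumed workflow name
    run1 = synchronize(objs, wf, t0, writes_back={"USER_A"})   # initial: all three
    run2 = synchronize(objs, wf, t0 + timedelta(hours=1))      # USER_A again (written by run1)
    objs[2].changed_at = t0 + timedelta(hours=2)               # role edited but NOT regenerated
    run3 = synchronize(objs, wf, t0 + timedelta(hours=3))      # nothing: role compares on generated_at
    return run1, run2, run3
```

The second run still loads USER_A because the first run changed it after the revision it saved; the third run loads nothing, and the edited but not regenerated role stays invisible until it is generated again.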
To permit revision filtering on a workflow
To permit revision filtering for a start up configuration
Detailed information about this topic
- One Identity Manager Target System Synchronization Reference Guide
Restricting synchronization objects using user permissions
One Identity Manager offers the ability to restrict the user accounts and groups that are synchronized by using user permissions. In this case, only those user accounts and groups are synchronized to which the user account used by the SAP R/3 connector to log into the target system has access. All other groups and user accounts are filtered out of the user list and the group list returned by the function module "/VIAENET/U". If only a small part of the user accounts in the SAP R/3 environment should be synchronized with One Identity Manager, synchronization can be accelerated with this method.
Prerequisites
- In the SAP R/3 authorization object S_USER_GRP, field CLASS, the user account used by the SAP R/3 connector to log into the target system is assigned exactly those user groups that should be synchronized.
- In the SAP R/3 environment, there are user accounts that have one of these groups assigned as the user group for authorization checks (in the logon data).
During synchronization, those groups are loaded into the One Identity Manager database to which the connector's logon user account has access through the authorization object S_USER_GRP. All user accounts that are assigned one of these groups as the user group for authorization checks are synchronized as well. All other groups and user accounts are treated during synchronization as if they did not exist in the target system. Because an authorization scope that is too narrow is indistinguishable from objects that were deleted in SAP, check the CLASS values assigned to the connector's logon account before running synchronization.
Post-processing outstanding objects
Objects that do not exist in the target system can be marked as outstanding in One Identity Manager by synchronization. This prevents objects from being deleted because of an incorrect data situation or an incorrect synchronization configuration.
Outstanding objects:
- Cannot be edited in One Identity Manager.
- Are ignored by subsequent synchronizations.
- Are ignored by inheritance calculations.
This means that all memberships and assignments remain intact until the outstanding objects have been processed.
Start target system synchronization to do this.
To post-process outstanding objects
- In the Manager, select the SAP R/3 > Target system synchronization: SAP R/3 category.
  The navigation view lists all the synchronization tables assigned to the SAP R/3 target system type.
- On the Target system synchronization form, in the Table / object column, open the node of the table for which you want to post-process outstanding objects.
  All objects that are marked as outstanding are shown. The Last log entry and Last method run columns display the time at which the last entry was made in the synchronization log and which processing method was run. The No log available entry can mean the following:
  - The synchronization log has already been deleted.
  - OR -
  - An assignment from a member list has been deleted from the target system.
    The base object of the assignment was updated during the synchronization. A corresponding entry appears in the synchronization log. The entry in the assignment table is marked as outstanding, but there is no entry in the synchronization log.
  - An object that contains a member list has been deleted from the target system.
    During synchronization, the object and all corresponding entries in the assignment tables are marked as outstanding. However, an entry in the synchronization log appears only for the deleted object.
  TIP: To display the object properties of an outstanding object
  - Select the object on the target system synchronization form.
  - Open the context menu and click Show object.
- Select the objects you want to rework. Multi-select is possible.
- Click one of the following icons in the form toolbar to run the respective method.
Table 22: Methods for handling outstanding objects

Method  | Description
Delete  | The object is immediately deleted from the One Identity Manager database. Deferred deletion is not taken into account. Indirect memberships cannot be deleted.
Publish | The object is added to the target system. The Outstanding label is removed from the object. This runs a target system specific process that triggers the provisioning process for the object.
        | Prerequisites: the table containing the object is marked as publishable (see the Configure tables for publishing task below), and the target system connection is not read-only.
Reset   | The Outstanding label is removed from the object.
- Confirm the security prompt with Yes.
NOTE: By default, the selected objects are processed in parallel (bulk processing), which speeds up the selected method. If an error occurs during processing, the action is stopped and all changes are discarded.
To localize errors, disable bulk processing so that the objects are processed sequentially. Failed objects are then named in the error message, and all changes made up until the error occurred are saved.
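The following Python model ties together the restriction by user permissions described under Restricting synchronization objects using user permissions and the outstanding-object handling described here: accounts and groups outside the connector's S_USER_GRP scope are simply absent from the target list, synchronization marks them outstanding instead of deleting them, memberships stay in the table but are ignored by inheritance, and the Delete, Publish and Reset methods are applied either all-or-nothing (bulk) or sequentially with partial commit. It is an added example, not One Identity Manager code; the class names, the in-memory database, the publishable-table check and the sample data are assumptions made for the illustration.

```python
import copy
from dataclasses import dataclass, field

# Constructed model (added illustration, not product code) of scope filtering,
# outstanding marking, and post-processing of outstanding objects.


@dataclass
class DbObject:
    key: str
    table: str
    outstanding: bool = False


@dataclass
class Database:
    objects: dict = field(default_factory=dict)       # key -> DbObject
    memberships: set = field(default_factory=set)     # (user_key, group_key)
    publishable_tables: set = field(default_factory=set)


def visible_to_connector(sap_users, sap_groups, authorized_classes):
    """sap_users maps user -> CLASS in its logon data; authorized_classes are the
    CLASS values granted to the connector's logon account in S_USER_GRP. Only these
    groups and the users assigned to them are returned; everything else is unseen."""
    groups = {g for g in sap_groups if g in authorized_classes}
    users = {u for u, cls in sap_users.items() if cls in authorized_classes}
    return users | groups


def synchronize(db, target_keys):
    """Objects not found in the target system are marked outstanding, not deleted;
    objects that are already outstanding are skipped by the run."""
    for obj in db.objects.values():
        if not obj.outstanding and obj.key not in target_keys:
            obj.outstanding = True


def active_memberships(db):
    """Memberships stay in the table, but inheritance ignores outstanding objects."""
    return {(u, g) for u, g in db.memberships
            if not (db.objects[u].outstanding or db.objects[g].outstanding)}


def apply_method(db, obj, method, target, read_only):
    if method == "Delete":                            # immediate; deferred deletion ignored
        del db.objects[obj.key]
    elif method == "Publish":
        if obj.table not in db.publishable_tables:
            raise PermissionError(f"table {obj.table} is not publishable")
        if read_only:
            raise PermissionError("connection is read-only")
        target.add(obj.key)                           # provisioning into the target system
        obj.outstanding = False
    elif method == "Reset":
        obj.outstanding = False
    else:
        raise ValueError(method)


def post_process(db, target, keys, method, read_only=False, bulk=True):
    """Bulk: all-or-nothing, every change discarded on the first error.
    Sequential: stop at the first error, keep earlier changes, name the object.
    Returns (database, target list, message) so the caller sees the outcome."""
    work_db, work_target = copy.deepcopy(db), set(target)
    for key in keys:
        try:
            apply_method(work_db, work_db.objects[key], method, work_target, read_only)
        except Exception as exc:
            if bulk:
                return db, target, f"error, all changes discarded: {exc}"
            return work_db, work_target, f"failed object {key}: {exc}"
    return work_db, work_target, "ok"


def demo():
    """Constructed scenario: the connector account is authorized for CLASS = GRP_IT only."""
    db = Database(publishable_tables={"SAPUser"})
    for key, table in [("U1", "SAPUser"), ("U2", "SAPUser"),
                       ("GRP_HR", "SAPGroup"), ("GRP_IT", "SAPGroup")]:
        db.objects[key] = DbObject(key, table)
    db.memberships = {("U1", "GRP_HR"), ("U2", "GRP_IT")}
    target = visible_to_connector({"U1": "GRP_HR", "U2": "GRP_IT"},
                                  {"GRP_HR", "GRP_IT"}, authorized_classes={"GRP_IT"})
    synchronize(db, target)                           # U1 and GRP_HR become outstanding
    bulk = post_process(db, target, ["U1", "GRP_HR"], "Publish", bulk=True)
    seq = post_process(db, target, ["U1", "GRP_HR"], "Publish", bulk=False)
    return {
        "outstanding": sorted(k for k, o in db.objects.items() if o.outstanding),
        "active_memberships": active_memberships(db),
        "bulk": (bulk[2], sorted(bulk[1]), bulk[0].objects["U1"].outstanding),
        "sequential": (seq[2], sorted(seq[1]), seq[0].objects["U1"].outstanding),
    }
```

In the bulk run the publish of GRP_HR fails (its table is not publishable), so U1 is not published either and stays outstanding; in the sequential run U1 is published and kept, and the message names GRP_HR as the failed object.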
To disable bulk processing
You must customize your target system synchronization to synchronize custom tables.
To add custom tables to target system synchronization
- In the Manager, select the SAP R/3 > Basic configuration data > Target system types category.
- In the result list, select the SAP R/3 target system type.
- Select the Assign synchronization tables task.
- In the Add assignments pane, assign the custom tables whose outstanding objects you want to handle.
- Save the changes.
- Select the Configure tables for publishing task.
- Select the custom tables that contain the outstanding objects that can be published in the target system and set the Publishable option.
- Save the changes.
NOTE: The target system connector must have write access to the target system in order to publish outstanding objects that are being post-processed. That means, the Connection is read-only option must not be set for the target system connection.
Configuring the provisioning of memberships
Memberships, such as user accounts in groups, are saved in assignment tables in the One Identity Manager database. During provisioning of modified memberships, changes made in the target system may be overwritten. This behavior can occur under the following conditions:
- Memberships are saved as an object property in list form in the target system.
  Example: List of role assignments in the AGR_NAME property of an SAP R/3 user (User)
- Memberships can be modified in either of the connected systems.
- A provisioning workflow and provisioning processes are set up.
If one membership changes in One Identity Manager, by default the complete list of members is transferred to the target system. Memberships that were added directly in the target system in the meantime are therefore removed, and memberships that were deleted directly in the target system are added again.
To prevent this, provisioning can be configured such that only the modified membership is provisioned in the target system. The corresponding behavior is configured separately for each assignment table.
To allow separate provisioning of memberships
- In the Manager, select the SAP R/3 > Basic configuration data > Target system types category.
- In the result list, select the SAP R/3 target system type.
- Select the Configure tables for publishing task.
- Select the assignment tables that you want to set up for single provisioning. Multi-select is possible.
- Click Merge mode.
  NOTE:
  - This option can only be enabled for assignment tables that have a base table with an XDateSubItem column.
  - Assignment tables that are grouped together in a virtual schema property in the mapping must be marked identically.
- Save the changes.
For each assignment table marked in this way, the changes made in One Identity Manager are saved in a separate table, so only newly added and deleted assignments are processed. During provisioning of a modification, the members list in the target system is compared with the entries in this table. This means that only modified memberships are provisioned and not the entire members list.
NOTE: The complete members list is updated by synchronization. Objects whose changes have not yet been completely provisioned are not handled during this process; they are logged in the synchronization log.
You can restrict single provisioning of memberships with a condition. Once merge mode has been disabled for a table, the condition is deleted. Tables whose condition has been deleted or edited are marked with an icon on the form. You can restore the original condition at any time.
To restore the original condition
- Select the auxiliary table for which you want to restore the condition.
- Right-click the selected row and select the Restore original values context menu item.
- Save the changes.
NOTE: To create the reference to the added or deleted assignments in the condition, use the i table alias.
Example of a condition on the SAPUserInSAPGrp assignment table:
exists (select top 1 1 from SAPUser u
where u.UID_SAPUser = i.UID_SAPUser
and <limiting condition>)
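The following Python model contrasts the default full-list provisioning with merge mode and shows how a condition such as the one above narrows what is provisioned. It is an added example, not One Identity Manager code; the function names, the list representation of the separate delta table, the predicate standing in for the SQL condition on the i alias, and the sample members are assumptions made for the illustration.

```python
# Constructed model (added illustration, not product code) of full-list versus
# merge-mode provisioning of a members list.


def provision_full_list(db_members, target_members):
    """Default behaviour: the complete members list held in the One Identity Manager
    database replaces the list in the target system. target_members is ignored,
    which is exactly how changes made directly in the target system get lost."""
    return set(db_members)


def provision_merge(target_members, delta_rows, condition=lambda member: True):
    """Merge mode: only the rows recorded in the separate delta table are applied
    to the target system's current list. condition plays the role of the SQL
    condition on the i alias: rows for which it is false are not provisioned."""
    result = set(target_members)
    for action, member in delta_rows:
        if not condition(member):
            continue
        if action == "add":
            result.add(member)
        elif action == "delete":
            result.discard(member)
        else:
            raise ValueError(action)
    return result


def demo():
    """Constructed scenario for one group's members list."""
    db_members = {"USER_A", "USER_B"}           # as loaded by the last synchronization
    target_members = {"USER_A", "USER_C"}       # admin added USER_C and removed USER_B in SAP
    db_members = db_members | {"USER_D"}        # USER_D assigned in One Identity Manager ...
    delta_rows = [("add", "USER_D")]            # ... recorded as one row in the delta table

    full = provision_full_list(db_members, target_members)   # USER_C lost, USER_B re-added
    merged = provision_merge(target_members, delta_rows)     # USER_C kept, USER_B stays removed
    # a condition that restricts single provisioning to accounts with a Z prefix
    restricted = provision_merge(
        target_members,
        [("add", "USER_D"), ("add", "Z_SERVICE"), ("delete", "USER_A")],
        condition=lambda m: m.startswith("Z"),
    )
    return full, merged, restricted
```

Full-list provisioning silently undoes both changes made in SAP; merge mode applies only the recorded delta, and with the condition in place only the Z_SERVICE row is provisioned while the other two delta rows are left alone.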
For more information about provisioning memberships, see the One Identity Manager Target System Synchronization Reference Guide.
NOTE: Changes to user account memberships in single roles are always provisioned individually. Therefore, single provisioning cannot be configured for the SAPUserInSAPRole table.