Post-Processing Outstanding Objects

Post-Processing Outstanding Objects

Objects, which do not exist in the target system, can be marked as outstanding in One Identity Manager by synchronizing. This prevents objects being deleted because of an incorrect data situation or an incorrect synchronization configuration.

Objects marked as outstanding:

• Cannot be edited in One Identity Manager.
• Are ignored by subsequent synchronization.
• Must be post-processed separately in One Identity Manager.

Start target system synchronization to do this.

To post-process outstanding objects

1. Select the category Active Directory | Target system synchronization: Exchange.

   All tables assigned to the target system type Microsoft Exchange as synchronization tables are displayed in the navigation view.

1. Select the table whose outstanding objects you want to edit in the navigation view.

   This opens the target system synchronization form. All objects are shown here that are marked as outstanding.

   TIP: To display object properties of an outstanding object Select the object on the target system synchronization form. Open the context menu and click Show object.

2. Select the objects you want to rework. Multi-select is possible.
3. Click one of the following icons in the form toolbar to execute the respective method.

   Table 10: Methods for handling outstanding objects

   Icon	Method	Description
   	Delete	The object is immediately deleted in the One Identity Manager. Deferred deletion is not taken into account. The "outstanding" label is removed from the object. Indirect memberships cannot be deleted.
   	Publish	The object is added in the target system. The "outstanding" label is removed from the object. The method triggers the event "HandleOutstanding". This runs a target system specific process that triggers the provisioning process for the object. Prerequisites: The table containing the object can be published. The target system connector has write access to the target system.
   	Reset	The "outstanding" label is removed from the object.

4. Confirm the security prompt with Yes.

You must customize synchronization to synchronize custom tables.

To add custom tables to the target system synchronization.

1. Select the category Active Directory | Basic configuration data | Target system types.
2. Select the target system type Microsoft Exchange in the result list.
3. Select Assign synchronization tables in the task view.
4. Assign custom tables whose outstanding objects you want to handle in Add assignments.
5. Save the changes.
6. Select Configure tables for publishing.
7. Select custom tables whose outstanding objects can be published in the target system and set the option Publishable.
8. Save the changes.

Configuring Memberships Provisioning

Configuring Memberships Provisioning

Memberships, for example, user accounts in groups, are saved in assignment tables in the One Identity Manager database. During provisioning of modified memberships, changes made in the target system will probably be overwritten. This behavior can occur under the following conditions:

• Memberships are saved in the target system as an object property in list form (Example: List of mailboxes in the property AcceptMessagesOnlyFrom of a Microsoft Exchange Mailbox).
• Memberships can be modified in either of the connected systems.
• A provisioning workflow and provisioning processes are set up.

If a membership in One Identity Manager changes, the complete list of members is transferred to the target system by default. Memberships, previously added to the target system are removed by this; previously deleted memberships are added again.

To prevent this, provisioning can be configured such that only the modified membership is provisioned in the target system. The corresponding behavior is configured separately for each assignment table.

To allow separate provisioning of memberships

1. Start the Manager.
2. Select the category Active Directory | Basic configuration data | Target system types.
3. Select Configure tables for publishing.
4. Select the assignment tables for which you want to allow separate provisioning. Multi-select is possible.
   • The option can only be set for assignment tables whose base table has a column XDateSubItem.
   • Assignment tables, which are grouped together in a virtual schema property in the mapping, must be labeled identically.
5. Click Enable merging.
6. Save the changes.

For each assignment table labeled like this, the changes made in the One Identity Manager are saved in a separate table. During modification provisioning, the members list in the target system is compared to the entries in this table. This means that only modified memberships are provisioned and the members list does not get entirely overwritten.

For more detailed information about provisioning memberships, see the One Identity Manager Target SystemAn instance of a target system in which the employees managed by One Identity Manager have access to network resources. Example: An Active Directory domain X for target system type "Active Directory", a directory Y for target system type "LDAP", a client Z for target system type "SAP R/3". SynchronizationThe process of comparing data between One Identity Manager and a target system. Objects and their properties are compared by fixed rules. Synchronization results in the identical data situation in the target system and One Identity Manager database. Reference Guide.

Supporting Analysis of Synchronization Issues

Help for Analyzing Synchronization Issues

You can generate a report for analyzing problems which occur during synchronization, for example, insufficient performance. The report contains information such as:

• Consistency check results
• Revision filterFilters all system objects not changed since the last synchronization. The deciding factor being the revision property modification. SynchronizationThe process of comparing data between One Identity Manager and a target system. Objects and their properties are compared by fixed rules. Synchronization results in the identical data situation in the target system and One Identity Manager database. can be speeded up with revision filtering. settings
• ScopeSection of a connected system which should be synchronized. The scope is defined with a filter. applied
• Analysis of the synchronization buffer
• Object access times in the One Identity Manager database and in the target system

To generate a synchronization analysis report

1. Open the synchronization project in the Synchronization EditorOne Identity Manager tool for configuring target system synchronization..

2. Select the menu Help | Generate synchronization analysis report and answer the security prompt with Yes.

   The report may take a few minutes to generate. It is displayed in a separate window.

3. Print the report or save it in one of the available output formats.

Deactivating Synchronization

Deactivating Synchronization

Regular synchronization cannot be started until the synchronization project and the schedule are active.

To prevent regular synchronization

• Select the start up configuration and deactivate the configured schedule.

  Now you can only start synchronization manually.

An activated synchronization project can only be edited to a limited extend. The schema in the synchronization project must be updated if schema modifications are required. The synchronization project is deactivated in this case and can be edited again.

Furthermore, the synchronization project must be deactivated if synchronization should not be started by any means (not even manually).

To deactivate the loaded synchronization project

1. Select General on the start page.
2. Click Deactivate project.

Related Topics

• Creating a Synchronization Project for initial Synchronization of a Microsoft Exchange Environment