Speeding Up Synchronization with Revision Filtering

Speeding Up Synchronization with Revision Filtering

When you start synchronization, all synchronization objects are loaded. Some of these objects have not be modified since the last synchronization and, therefore, must not be processed. SynchronizationThe process of comparing data between One Identity Manager and a target system. Objects and their properties are compared by fixed rules. Synchronization results in the identical data situation in the target system and One Identity Manager database. is accelerated by only loading those object pairs that have changed since the last synchronization. One Identity Manager uses revision filtering to accelerate synchronization.

SAP R/3 supports revision filtering. The SAP objects' date of last change is used as revision counter. Each synchronization save its last execution date as revision in the the One Identity Manager database (table DPRRevisionStore, column Value). This value is used as a comparison for revision filtering when the same workflow is synchronized the next time. When this workflow is synchronized the next time, the SAP objects' change date is compared with the revision saved in the One Identity Manager database. Only those objects that have been changed since this date are loaded from the target system.

The revision is found at start of synchronization. Objects changed after this point are included with the next synchronization.

RevisionHighest value for change data for all system objects to be synchronized when synchronization is run. This value is saved in the table "DPRRevisionStore", column "value". filtering can be applied to workflows and start up configuration.

To permit revision filtering on a workflow

• Open the synchronization project in the Synchronization EditorOne Identity Manager tool for configuring target system synchronization..

• Edit the workflow properties. Select the entry Use revision filter from Revision filtering.

To permit revision filtering for a start up configuration

• Open the synchronization project in the Synchronization Editor.

• Edit the start up configuration properties. Select the entry Use revision filter from Revision filtering.

Detailed information about this topic

• One Identity Manager Target SystemAn instance of a target system in which the employees managed by One Identity Manager have access to network resources. Example: An Active Directory domain X for target system type "Active Directory", a directory Y for target system type "LDAP", a client Z for target system type "SAP R/3". Synchronization Reference Guide

Synchronizing Collective Roles

Synchronizing Collective Roles

Only directly assigned single and collective roles are mapped in the table SAPUserInSAPRole. Assignments of single roles to collective roles are mapped in the SAPCollectionRPG table. You can establish which single roles are indirectly assigned to a user account through both tables.

By default, the following applies to inheritance of single roles by user accounts: If a single role is assigned to a user account and the single role is part of a collective role, which is also assigned to the user account the single role is not inherited by the user account as well. This removes membership of user accounts in single roles when group memberships are provisioned in SAP R/3. This membership is deleted from the One Identity Manager database by the next synchronization or marked as outstanding, depending on the synchronization's configuration.

To prevent memberships being removed from single roles when single roles are part of collective roles

• Set the configuration parameter "TargetSystem\SAP\KeepRedundantProfiles" in the Designer.

Restricting Synchronization Objects using User Permissions

Restricting Synchronization Objects using User Permissions

The One Identity Manager offers the possibility to restrict user account and groups for synchronization by using user permissions. In this case, only the user accounts and groups are synchronized that the user account used by the SAP R/3 connector to log into the target system, is authorized for. All other groups and user accounts are filtered out of the user lists and the groups list of the function module "/VIAENET/U". If only a small part of the user account in the SAP R/3 environment should be synchronized with the One Identity Manager then the synchronization can be accelerated with this method.

Prerequisites

• The user account used by the SAP R/3 connector to log into the target system, is assigned exactly those groups in the SAP R/3 authorization object S_USER_GRP, characteristic CLASS, that should be synchronized.
• There are user accounts that one of these groups is assigned to in the SAP R/3 environment as user group for testing authorization (in the login data).

During synchronization, the groups are loaded into the One Identity Manager database that the user account used by the SAP R/3 connector to log into the target system, has access to in the authorization object SUSER_GRP. All user accounts that are assigned one of these groups as user group for authorization testing, are also synchronized. All other groups and user accounts are handled as non-existent objects in the target system during synchronization.

Post-Processing Outstanding Objects

Post-Processing Outstanding Objects

Objects, which do not exist in the target system, can be marked as outstanding in One Identity Manager by synchronizing. This prevents objects being deleted because of an incorrect data situation or an incorrect synchronization configuration.

Objects marked as outstanding:

• Cannot be edited in One Identity Manager.
• Are ignored by subsequent synchronization.
• Must be post-processed separately in One Identity Manager.

Start target system synchronization to do this.

To post-process outstanding objects

1. Select the category SAP R/3 | Target system synchronization: SAP R/3.

   All tables assigned to the target system type SAP R/3 as synchronization tables are displayed in the navigation view.

1. Select the table whose outstanding objects you want to edit in the navigation view.

   This opens the target system synchronization form. All objects are shown here that are marked as outstanding.

   TIP: To display object properties of an outstanding object Select the object on the target system synchronization form. Open the context menu and click Show object.

2. Select the objects you want to rework. Multi-select is possible.
3. Click one of the following icons in the form toolbar to execute the respective method.

   Table 24: Methods for handling outstanding objects

   Icon	Method	Description
   	Delete	The object is immediately deleted in the One Identity Manager. Deferred deletion is not taken into account. The "outstanding" label is removed from the object. Indirect memberships cannot be deleted.
   	Publish	The object is added in the target system. The "outstanding" label is removed from the object. The method triggers the event "HandleOutstanding". This runs a target system specific process that triggers the provisioning process for the object. Prerequisites: The table containing the object can be published. The target system connector has write access to the target system.
   	Reset	The "outstanding" label is removed from the object.

4. Confirm the security prompt with Yes.

You must customize synchronization to synchronize custom tables.

To add custom tables to the target system synchronization.

1. Select the category SAP R/3 | Basic configuration data | Target system types.
2. Select the target system type SAP R/3 in the result list.
3. Select Assign synchronization tables in the task view.
4. Assign custom tables whose outstanding objects you want to handle in Add assignments.
5. Save the changes.
6. Select Configure tables for publishing.
7. Select custom tables whose outstanding objects can be published in the target system and set the option Publishable.
8. Save the changes.