Chat now with support
Chat with Support

Identity Manager 8.0 - Administration Guide for Connecting Unix-Based Target Systems

Managing Unix-Based Systems Setting Up Synchronization with a Unix-Based Target System Base Data for Unix-Based Target Systems Unix Host Unix user accounts Unix groups Reports about Unix Objects Appendix: Configuration Parameters for Managing Unix Appendix: Default Project Template for Unix-Based Target Systems

Configuring Memberships Provisioning

Configuring Memberships Provisioning

Memberships, for example, user accounts in groups, are saved in assignment tables in the One Identity Manager database. During provisioning of modified memberships, changes made in the target system will probably be overwritten. This behavior can occur under the following conditions:

  • Memberships are saved in the target system as an object property in list form.
  • Memberships can be modified in either of the connected systems.
  • A provisioning workflow and provisioning processes are set up.

If a membership in One Identity Manager changes, the complete list of members is transferred to the target system by default. Memberships, previously added to the target system are removed by this; previously deleted memberships are added again.

To prevent this, provisioning can be configured such that only the modified membership is provisioned in the target system. The corresponding behavior is configured separately for each assignment table.

To allow separate provisioning of memberships

  1. Start the Manager.
  2. Select the category Unix | Basic configuration data | Target system types.
  3. Select Configure tables for publishing.
  4. Select the assignment tables for which you want to allow separate provisioning. Multi-select is possible.
    • The option can only be set for assignment tables whose base table has a column XDateSubItem.
    • Assignment tables, which are grouped together in a virtual schema property in the mapping, must be labeled identically.
  5. Click Enable merging.
  6. Save the changes.

For each assignment table labeled like this, the changes made in the One Identity Manager are saved in a separate table. During modification provisioning, the members list in the target system is compared to the entries in this table. This means that only modified memberships are provisioned and the members list does not get entirely overwritten.

NOTE: The complete members list is updated by synchronization. During this process, objects with changes but incomplete provisioning are not handled. These objects are logged in the synchronization log.

For more detailed information about provisioning memberships, see the One Identity Manager Target System Synchronization Reference Guide.

Supporting Analysis of Synchronization Issues

Help for Analyzing Synchronization Issues

You can generate a report for analyzing problems which occur during synchronization, for example, insufficient performance. The report contains information such as:

  • Consistency check results
  • Revision filter settings
  • Scope applied
  • Analysis of the synchronization buffer
  • Object access times in the One Identity Manager database and in the target system

To generate a synchronization analysis report

  1. Open the synchronization project in the Synchronization Editor.

  2. Select the menu Help | Generate synchronization analysis report and answer the security prompt with Yes.

    The report may take a few minutes to generate. It is displayed in a separate window.

  3. Print the report or save it in one of the available output formats.

Deactivating Synchronization

Deactivating Synchronization

Regular synchronization cannot be started until the synchronization project and the schedule are active.

To prevent regular synchronization

  • Select the start up configuration and deactivate the configured schedule.

    Now you can only start synchronization manually.

An activated synchronization project can only be edited to a limited extend. The schema in the synchronization project must be updated if schema modifications are required. The synchronization project is deactivated in this case and can be edited again.

Furthermore, the synchronization project must be deactivated if synchronization should not be started by any means (not even manually).

To deactivate the loaded synchronization project

  1. Select General on the start page.
  2. Click Deactivate project.
Detailed information about this topic

Base Data for Unix-Based Target Systems

Base Data for Unix-Based Target Systems

The following base data is relevant for managing a Unix-based target system in One Identity Manager.

  • Configuration parameter

    Use configuration parameters to configure the behavior of the system's basic settings. One Identity Manager provides default settings for different configuration parameters. Check the configuration parameters and modify them as necessary to suit your requirements.

    Configuration parameters are defined in the One Identity Manager modules. Each One Identity Manager module can also install configuration parameters. You can find an overview of all configuration parameters in the category Base data | General | Configuration parameters in the Designer.

    For more information, see Appendix: Configuration Parameters for Managing Unix.

  • Account definitions

    One Identity Manager has account definitions for automatically allocating user accounts to employees during working hours. You can create account definitions for every target system. If an employee does not have a user account in the target system, a new user account is created. This is done by assigning account definitions to an employee using the integrated inheritance mechanism followed by process handling.

    For more information, see Setting Up Account Definitions.

  • Password policies

    One Identity Manager provides you with support for creating complex password policies, for example, for system user passwords, the employees' central password as well as passwords for individual target systems. Password polices apply not only when the user enters a password but also when random passwords are generated.

    Predefined password policies are supplied with the default installation that you can user or customize if required. You can also define your own password policies.

    For more information, see Password Policies.

  • Initial Password for New User Accounts

    You have the different options for issuing an initial password for user accounts. The central password of the assigned employee can be aligned with the user account password, a predefined, fixed password can be used or a randomly generated initial password can be issued.

    For more information, see Initial Password for New Unix User Accounts.

  • Email notifications about login data

    When a new user account is created, the login data are send to a specified recipient. In this case, two messages are sent with the user name and the initial password. Mail templates are used to generate the messages.

    For more information, see Email Notifications about Login Data.

  • Target System Types

    Target system types are required for configuring target system comparisons. Tables containing outstanding objects are maintained on target system types.

    For more information, see Post-Processing Outstanding Objects.

  • Target System Managers

    A default application role exists for the target system manager in the One Identity Manager. Assign this application to employees who are authorized to edit the Unix hosts in One Identity Manager.

    Define other application roles, if you want to limit target system managers' access permissions to individual Unix hosts. The application roles must be added under the default application role.

    For more information, see Target System Managers.

  • Server

    Servers must know your server functionality in order to handle Unix specific processes in One Identity Manager. For example, the synchronization server.

    For more information, see Editing a Server.

Related Documents