
Identity Manager 8.0 - Target System Synchronization Reference Guide


Log View Toolbar

The navigation view in the Logs category has its own toolbar.

Table 65: Meaning of Icons in the Navigation View
Icon Meaning
Reload the data.
Display synchronization log.
Display provisioning log.
Only display most recent logs. This displays logs from within the past 24 hours.
Sort by execution time.
Sort by execution status.

How to Display Synchronization Logs


To display a synchronization log

  1. Select the category Logs.
  2. Click in the navigation view toolbar.

    Logs for all completed synchronization runs are displayed in the navigation view.

  3. Select a log by double-clicking on it.

    An analysis of the synchronization is shown as a report. You can save the report.

To display a provisioning log

  1. Select the category Logs.
  2. Click in the navigation view toolbar.

    Logs for all completed provisioning processes are displayed in the navigation view.

  3. Select a log by double-clicking on it.

    An analysis of the provisioning is shown as a report. You can save the report.

The log is marked in color in the navigation view. This mark shows you the execution status of the synchronization/provisioning.

Target System Synchronization


Objects that do not exist in the target system can be marked as outstanding in One Identity Manager by synchronization. This prevents objects from being deleted because of an incorrect data situation or an incorrect synchronization configuration.

Objects marked as outstanding:

  • Cannot be edited in One Identity Manager.
  • Are ignored by subsequent synchronization.
  • Must be post-processed separately in One Identity Manager.

Start target system synchronization to do this.

To post-process outstanding objects

  1. Start the Manager.
  2. Select the category <target system type> | Target system synchronization: <target system type> | <table>.

    TIP:

    To display object properties of an outstanding object

    1. Select the object on the target system synchronization form.
    2. Open the context menu and click Show object.
  3. Select the objects you want to rework. Multi-select is possible.
  4. Click one of the following icons in the form toolbar to execute the respective method.

    Table 66: Methods for handling outstanding objects

    | Method | Description |
    | --- | --- |
    | Delete | The object is immediately deleted in the One Identity Manager. Deferred deletion is not taken into account. The "outstanding" label is removed from the object. Indirect memberships cannot be deleted. |
    | Publish | The object is added in the target system. The "outstanding" label is removed from the object. The method triggers the event "HandleOutstanding". This runs a target system specific process that triggers the provisioning process for the object. Prerequisites: the table containing the object can be published; the target system connector has write access to the target system; a custom process is set up for provisioning the object. |
    | Reset | The "outstanding" label is removed from the object. |

  5. Confirm the security prompt with Yes.

NOTE: By default, the selected objects are processed in parallel, which speeds up execution of the selected method. If an error occurs during processing, the action is stopped and all changes are discarded.

To localize errors, bulk processing of objects must be disabled, so that the objects are processed sequentially. Failed objects are named in the error message. All changes that were made up until the error occurred are saved.

To disable bulk processing

  • Deactivate in the form toolbar.

For more detailed information about post-processing outstanding objects from connected target systems, see the target system connection guides.

Deleting Memberships


Membership of user accounts in groups, for example, can result from direct assignment or through inheritance in One Identity Manager. The membership's origin is stored in the XOrigin column of the assignment table. Inherited memberships cannot be deleted as long as the inheritance source still exists. If inherited memberships are deleted in the target system, they are marked as outstanding by synchronization, depending on which processing method was selected.

You can differentiate between the following cases of deleting membership through synchronization:

Table 67: Deleting Memberships

| Membership Origin | Method Delete | Method MarkAsOutstanding |
| --- | --- | --- |
| Only direct | The membership is deleted immediately by synchronization. | The membership is marked as outstanding by synchronization. |
| Only inherited | The membership is marked as outstanding by synchronization. | The membership is marked as outstanding by synchronization. |
| Direct and inherited | The membership is marked as outstanding by synchronization. The reference to direct assignment is removed (column value XOrigin is updated). | The membership is marked as outstanding by synchronization. |

Outstanding memberships must be post-processed separately. You can publish these memberships if the inheritance source still exists, or you can reset the status and remove the inheritance source.

Example

Ben King has an Active Directory user account that is a member of the Active Directory group "Backup operators". This membership is loaded into the One Identity Manager database by initial synchronization and saved as direct membership in the table ADSAccountInADSGroup (XOrigin = '1').

Ben King is a member of the business role "Project A". This business role is assigned to the Active Directory group "Backup operators". Therefore, Ben King becomes an indirect member of this Active Directory group (ADSAccountInADSGroup.XOrigin = '3').

The group membership is deleted in the target system. The direct membership is immediately deleted in the One Identity Manager database the next time synchronization is run (ADSAccountInADSGroup.XOrigin = '2'). The membership is marked as outstanding because it remains in the One Identity Manager database due to inheritance.

The outstanding membership must be post-processed in target system synchronization. There are two possible ways to do this:

  1. Assignments to the business role "Project A" are correct.

    The method "Publish" is applied. Membership is re-added to the target system.

  2. The deletion of the membership in the target system is correct.
    • The method "Reset status" is applied.
    • The Active Directory group assignment to the business role "Project A" or Ben King's memberships in this business role must be removed. The group membership in the table ADSAccountInADSGroup is then deleted.

The method "Delete" cannot be applied.
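
As an added illustration (not code from One Identity Manager or its documentation), the following Python model applies Table 67 to memberships that were deleted in the target system and reports which post-processing methods from Table 66 remain available. It assumes XOrigin can be read as bit flags (1 = direct, 2 = inherited), inferred from the values '1', '2' and '3' in the example above; the class and function names are hypothetical.

```python
from dataclasses import dataclass

# Assumption: XOrigin is read as bit flags, inferred from the page's values
# '1' (direct), '2' (inherited) and '3' (direct and inherited).
DIRECT, INHERITED = 1, 2

@dataclass
class Membership:
    account: str
    group: str
    xorigin: int
    outstanding: bool = False

def handle_missing(m, method):
    """Table 67: m exists in the database but no longer in the target system.
    Returns the updated row, or None if synchronization deletes it."""
    if method not in ("Delete", "MarkAsOutstanding"):
        raise ValueError(f"unknown processing method: {method}")
    if method == "Delete":
        if not m.xorigin & INHERITED:
            return None              # only direct: deleted immediately
        m.xorigin &= ~DIRECT         # direct reference removed, e.g. 3 -> 2
    m.outstanding = True             # every remaining case is marked as outstanding
    return m

def synchronize(rows, target, method):
    """Apply handle_missing to each row whose (account, group) is absent from target."""
    kept = []
    for m in rows:
        if (m.account, m.group) not in target:
            m = handle_missing(m, method)
        if m is not None:
            kept.append(m)
    return kept

def postprocessing_methods(m):
    """Table 66 methods that can be applied to an outstanding membership."""
    if not m.outstanding:
        return []
    # Indirect (inherited) memberships cannot be deleted.
    if m.xorigin & INHERITED:
        return ["Publish", "Reset"]
    return ["Delete", "Publish", "Reset"]

def ben_king_example():
    # Constructed rows; the first mirrors the Ben King example, the second is invented.
    rows = [Membership("Ben King", "Backup operators", DIRECT | INHERITED),
            Membership("Constructed User", "Backup operators", DIRECT)]
    kept = synchronize(rows, target=set(), method="Delete")
    return [(m.account, m.xorigin, m.outstanding, postprocessing_methods(m)) for m in kept]
```

Running the same rows with the method MarkAsOutstanding keeps both memberships, leaves XOrigin unchanged and marks each as outstanding, which is why a membership in a privileged group such as "Backup operators" then stays in the database until someone post-processes it.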
