How does Dependency Resolution Work
How does Dependency Resolution Work
Dependencies can arise between schema classes that require synchronization steps to be repeated. For example, object references can not be set until the reference object has been added. Dependencies can also arise between schema properties within a schema class.
Figure 9: Example of a Workflow
One Identity Manager can automatically resolve such dependencies. In this case, the synchronization steps are group together such that the referenced objects are synchronized first and them the dependent objects next. If dependencies exist within a schema class, additional synchronization steps are inserted to synchronize the dependent schema properties. The final sequence of synchronization steps can be viewed in the report "Execution Plan".
|
|
Note: If dependencies exist between schema classes, the schema classes must be synchronized by the same workflow so that dependencies can be automatically resolved. |
Figure 10: Example of a Workflow with Automatic Dependency Resolution
To set up automatic resolution of dependencies
- Edit the workflow properties. Select:
Dependency resolution: Automatic
Use automatic dependency resolution by default. Only select manual dependency resolution if individual dependencies cannot be resolved automatically. This might be necessary, for example, if two objects reference each other as mandatory properties.
|
|
Note: If dependency resolution is set to "Manual", One Identity Manager does not check whether dependencies exits between schema classes and schema properties during synchronization. The synchronization steps are processed sequentially in the order displayed in the workflow view. Synchronization |
To resolve dependencies manually
- Find the schema properties between which dependencies exist.
- Create a workflow with synchronization steps which take the following criteria into account:
- Synchronization steps which synchronize independent and references objects.
Property mapping rules for dependent schema properties must be excluded for this.
- Synchronization steps which reference dependent objects.
Property mapping rules for dependent schema properties must be included for this.
- Synchronization steps which synchronize independent and references objects.
- Specify the synchronization step sequence such that all synchronization steps for a) are executed first and them the synchronization steps for b).
- Edit the workflow properties. Select:
Dependency resolution: Manual
Related Topics
Unresolvable References
Unresolvable References
If a reference object does not exist in the One Identity Manager database, the object reference cannot be resolved by synchronizing. Unresolvable object references are written in a synchronization buffer (table DPRAttachedDataStore). This ensures that these references remain intact and are not deleted in the target system by provisioning.
Example:
A Active Directory group has an account manager, which owns a domain not in the current synchronization run. The account manager is not in the One Identity Manager database either.
Synchronization
During each synchronization One Identity Manager tries to clean up the synchronization buffer. If referenced objects in the One Identity Manager database exist, the references can be resolved and the entries are deleted from the synchronization buffer. The synchronization buffer is cleaned up depending on the synchronization type (with or without revision filter) and the maintenance mode.
| Maintenance Mode | Synchronization without revision filer | Synchronization with revision filer |
|---|---|---|
| The following applies depending on the maintenance mode: | Object references of all synchronization objects are cleaned up if they exist in the One Identity Manager database. | Only object references for modified objects are cleaned up. |
| No maintenance | There is no additional task of clearing up the synchronization buffer. | |
| Always synchronize affected objects | No effect. | The filter is removed on objects with unresolved references. Therefore, references are also cleaned if the objects have not been changed since the last synchronization. |
| Full maintenance after every synchronization | The One Identity Manager tries to resolve object references following synchronization. As a result, unresolved references are processed that arose during this synchronization run. | The One Identity Manager tries to resolve object references following synchronization. As a result, unresolved references are processed that arose during this synchronization run. Object references that were not modified are also cleaned up. |
You can enter the number of retries for resolving object references. It may be necessary to try several times to resolve an object if it maps a hierarchy with several levels. One hierarchy level at a time can be resolved with each attempt to resolve an object.
To set up maintenance mode
- Edit the start up configuration properties. Select the Maintenance tab.
For more information, see How to Edit Start up Configurations.
|
|
NOTE: One Identity Manager supplies a scheduled process plan, which regularly cleans up the contents of the table DPRAttachedDataStore. Object entries, which no longer exist in the One Identity Manager database are deleted. The process plan is executed during daily maintenance. |
Related Topics
Direction of Synchronization and Mapping
Direction of Synchronization and Mapping
To synchronize a target system with One Identity Manager, you must specify which of the connected systems is the data master. Specify the master system in the synchronization configuration with the direction of synchronization. The direction in which schema properties are mapped may differ from this. Therefore, the permitted mapping direction must be given in the schema properties mapping.
| Defined on | Direction of SynchronizationThe process of comparing data between One Identity Manager and a target system. Objects and their properties are compared by fixed rules. Synchronization results in the identical data situation in the target system and One Identity Manager database. Specifies |
|---|---|
| Start up configurationSpecifies which synchronization configuration components are used for a specific synchronization. Specifies the synchronization schedule. |
In which direction a specific synchronization is executed |
| WorkflowCollection of all the synchronization steps to be executed. |
In which direction synchronizations are executed |
| Synchronization stepSpecific rule for processing exactly two schema classes. |
By which synchronization direction the step is executed |
| Defined on | Specifies the MappingList of object matching rules and property mapping rules which map the schema properties of two connected systems to one another. Direction |
|---|---|
| Mapping | By which synchronization direction property mapping rules are used |
| Property mapping ruleDescribes how a target system schema property is mapped in the One Identity Manager schema. |
By which synchronization direction this property mapping rule is used |
One Identity Manager synchronizes two connection systems in the direction given in the start up configuration or in the workflow. A synchronization step is only executed in this case, if the direction of synchronization stored with the step matches with the direction of the current synchronization. If the mapping direction stored with the mapping corresponds to the current direction of synchronization, the system object from this schema class are synchronized. Thus, One Identity Manager checks which property mapping rule can be used in the current synchronization direction. This property mapping rule rule is ignored if the mapping direction of the property mapping rule differs from the current direction of synchronization.
Figure 11: Example showing Effect of Specified Synchronization Direction and Permitted Mapping Direction
Related Topics
- Setting up Start up Configurations
- Properties of a Workflow
- General Properties of a Synchronization Step
- Properties of a Mapping
- Editing Property Mapping Rules
Mapping against the Direction of Synchronization
Mapping against the Direction of Synchronization
For certain schema properties, it may be necessary to copy the schema property value from the connected system into the master synchronization system each time synchronization is run. In this case, the schema property must also be mapped in the opposing synchronization direction when synchronization is run. This behavior can be configured in the property mapping rule.
To force mapping a schema property against the direction of synchronization
- Edit the property mapping rule.
Set Force mapping against direction of synchronization.
For more information, see How to Edit Property Mapping Rules.
Property mapping rules with this option set are executed again after the synchronization step is completed. This copies changes from the connected system against the direction of synchronization into the master system.
Synchronization
- All property mapping rules whose mapping direction is the opposite to the direction of synchronization are ignored whilst a synchronization step is being executed. Property mapping rules whose mapping direction corresponds to the direction of synchronization are run.
- All changes to the connection system are saved when the synchronization step is complete.
- All property mapping rules with the option Force mapping against direction of synchronization set are executed again. For those schema properties involved, the changes are copied from the connected system into the master system.
NOTE: The property mapping rules are also rerun after completion of the synchronization step if there are no processing methods given in the synchronization step.
|
|
Note:The option Force mapping against direction of synchronization is also taken into account when changes to objects are provisioned. |
Example
An Active Directory environment should be administrated through One Identity Manager. One Identity Manager is the master system for synchronizing both systems. The user account object GUIDs are, however, not mapped in One Identity Manager but in the Active Directory environment. This means the mapping direction is different for a user account object GUID. To copy the object GUID from Active Directory to One Identity Manager during synchronization, the mapping must be forced in the opposite direction of synchronization for this schema property.
| Configuration Setting | Value |
|---|---|
|
Direction of Synchronization: |
Direction target system |
|
Property mapping rule |
ADSAccount.ObjectGUID - User.ObjectGUID |
|
Mapping direction |
Direction One Identity Manager |
|
Force mapping against direction of synchronization |
Set |
Synchronization Sequence
Scenario: A new Active Directory user account was added in One Identity Manager.
- The user account is added in the target system through synchronization.
- The property mapping rule for the object GUID is ignored because of the opposing the mapping direction.
- Once all property mapping rules of the synchronization step have been processed, the user account is saved in the target system. The Active Directory finds a value for User.ObjectGUID.
- Once the synchronization step is complete the property mapping rule for the object GUID is run again. The object GUID is copied from Active Directory to One Identity Manager.