To synchronize a target system environment with One Identity Manager, you must specify which of the connected systems is the data master. You should only make changes to object properties in the master system.
Changes in the connected system, which is not the master system, can be identified, logged and corrected by One Identity Manager. Every difference between object project properties of the connection system are considered to be a change. These changes are described as "rogue modification" in the following.
MappingList of object matching rules and property mapping rules which map the schema properties of two connected systems to one another. property rules must by configured correspondingly so that One Identity Manager can detect rogue modification during synchronization. Rogue modifications can be found for all property mapping rules with opposite mapping direction.
|Note: Rogue modifications can only be corrected if there is write access for schema property to be corrected.|
To detect and log rogue modifications
To correct rogue modifications
SynchronizationThe process of comparing data between One Identity Manager and a target system. Objects and their properties are compared by fixed rules. Synchronization results in the identical data situation in the target system and One Identity Manager database. Sequence with Modification Detection
|Detecting Rogue Modifications||
Effect if option set:
Rogue modifications in the linked system are identified and logged.
The log can be evaluated after synchronization. For more information, see Synchronization Analysis.
Effect if option is not set:
The property mapping rule is ignored by synchronization.
|Correct rogue modifications||
Effect if option set:
Rogue modifications are corrected in the connected system, which means overwritten with the value from the synchronization master system.
Effect if option is not set:
Rogue modifications are not logged.
|Note: Rogue modifications are also handled when object modifications are provisioned.|
The source for the user data and permissions managed by One Identity Manager may be different systems. For example, SAP R/3 user accounts are managed in One Identity Manager. The associated employee data, however, is imported into the database through the CSV connectorSystem connector which allow data to be imported from CSV files. from another system.
The CSV import may cause the objects coming from another target system through synchronization to be modified. For example, the first and last names of an SAP user account change when the first and last names of an employee change through the CSV import. Changes to the SAP user account should be immediately provisioned in SAP R/3. To illustrate this, the connected systems will be named "primary systems" in the following; the systems whose data is synchronized with the CSV connector as "secondary systems".
Figure 12: Example of Synchronizing User Data with Different Systems
You can specify whether the data comes from a secondary system in the synchronization steps. In this case, changes are provisioned immediately (actually during synchronization) in the primary system. Conversely, the provisioning process may not start if primary systems are being synchronized.
To configure immediate provisioning when synchronizing a secondary system
Set the option Import data on the General tab.
|NOTE: To prevent immediately provisioning of a primary system during synchronization, open the primary system synchronization project and disable the option Import data in the synchronization step.|
The session variable FullSync=FALSE is set if the option Data import is enabled. The session variable is set to FullSync=TRUE if the option is disabled. Different processes, scripts and templates are only executed in the One Identity Manager database if FullSync=FALSE. In this context it means they are only synchronized with a secondary system. Synchronizing with a primary system ignores processes, scripts and templates.
You have two options for deleting objects in the One Identity Manager, which do not exist in the target system, by using synchronization.
You can view the synchronization log to see which objects have been deleted.
||NOTE: Memberships, which exist due to inheritance, cannot be deleted immediately. They are always marked as outstanding.|
Outstanding objects must be post-processed separately in One Identity Manager. They can either be deleted or published in the target system in the process. This prevents objects being deleted because of an incorrect data situation or an incorrect synchronization configuration.
||Note: Objects from a secondary system cannot be marked as outstanding. The controlling factor for this is the option Data import in the synchronization step.|
To delete objects immediately in One Identity Manager
|For synchronizing from target system to One Identity Manager||Processing MethodMethod used to process objects within a synchronization step. Example: Add object (insert), update object (update), delete object (delete). Processing methods and their mandatory parameters are define with the schema type. (technical name)|
|Objects that only exist in One Identity Manager:||Delete|
To mark object as outstanding in One Identity Manager
|For synchronizing from target system to One Identity Manager||Processing Method (technical name)|
|Objects only found in One Identity Manager are:||MarkAsOutstanding|
Outstanding objects cannot be editing in One Identity Manager until they have been verified. They are ignored by every other synchronization.
To delete outstanding objects in the One Identity Manager
The selected objects are immediately deleted in the One Identity Manager database. Deferred deletion is not taken into account. The "outstanding" label is removed from the objects.
All the schema data (schema types and schema properties) of the target system schema and the One Identity Manager schema are available when you are editing a synchronization project. Only a part of this data is really needed for configuring synchronization. If a synchronization project is finished, the schema is compressed to remove unnecessary data from the synchronization project. This can speed up loading the synchronization project.
Unnecessary schema data is automatically removed from the synchronization project on activation.
All the schema types that are not currently in use are displayed in a dialog box. You may remove these from the synchronization project. Here you can select the schema types that should remain available for you to use later.
To shrink the system connection schema
- OR -Select the category
Configuration | One Identity Manager connection.
These schema types remain there and can still be used in the synchronization configuration.
You can add the deleted schema data back into the synchronization project again later. To do this you must update the respective schema.