Identity Manager 8.0 - Target System Synchronization Reference Guide

Detecting Rogue Modifications

To synchronize a target system environment with One Identity Manager, you must specify which of the connected systems is the data master. You should only make changes to object properties in the master system.

Changes in the connected system that is not the master system can be identified, logged and corrected by One Identity Manager. Every difference between the object properties of the connected systems is considered to be a change. These changes are referred to as "rogue modifications" in the following.

Property mapping rules must be configured accordingly so that One Identity Manager can detect rogue modifications during synchronization. Rogue modifications can be found for all property mapping rules with opposite mapping direction.

Note: Rogue modifications can only be corrected if there is write access for the schema property to be corrected.

To detect and log rogue modifications

To correct rogue modifications

  • Also set the option Correct rogue modifications in the property mapping rule.

Synchronization Sequence with Modification Detection

  1. A property mapping rule is detected whose mapping direction is opposite to the actual direction of synchronization.
  2. If Detect rogue modifications is set, One Identity Manager checks the object of the connected system for rogue modifications. Rogue modifications are logged.
  3. If Correct rogue modifications is set, One Identity Manager overwrites the object property with the value from the synchronization master system. This value is saved in the connected system.

Table 27: Effects of this Option

  Option: Detecting Rogue Modifications

    Effect if option set: Rogue modifications in the linked system are identified and logged. The log can be evaluated after synchronization. For more information, see Synchronization Analysis.

    Effect if option is not set: The property mapping rule is ignored by synchronization.

  Option: Correct rogue modifications

    Effect if option set: Rogue modifications are corrected in the connected system, which means overwritten with the value from the synchronization master system.

    Effect if option is not set: Rogue modifications are not logged.

Note: Rogue modifications are also handled when object modifications are provisioned.
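
The three-step sequence and the write-access note above, modelled in Python as an added example (this is not One Identity Manager code). The Rule fields, the direction labels "to_target"/"to_oneim" and all sample values are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    """Property mapping rule; field names are assumptions of this example."""
    prop: str
    direction: str          # direction the rule maps in: "to_target" or "to_oneim"
    detect: bool = False    # option "Detect rogue modifications"
    correct: bool = False   # option "Correct rogue modifications"
    writable: bool = True   # write access to the schema property to be corrected

def check_rogue(rules, sync_direction, master_obj, connected_obj):
    """Return (log, resulting_connected_obj) for one pair of objects.

    master_obj holds the values of the synchronization master system,
    connected_obj the values read from the system that is not the master.
    """
    log, result = [], dict(connected_obj)
    for rule in rules:
        # Step 1: only rules mapping against the synchronization direction qualify.
        if rule.direction == sync_direction:
            continue
        # Without the detect option the rule is ignored by synchronization.
        if not rule.detect:
            continue
        expected, found = master_obj.get(rule.prop), connected_obj.get(rule.prop)
        if expected == found:
            continue
        # Step 2: every difference counts as a rogue modification and is logged.
        entry = {"property": rule.prop, "master": expected,
                 "found": found, "corrected": False}
        # Step 3: overwrite with the master value, but only with write access.
        if rule.correct and rule.writable:
            result[rule.prop] = expected
            entry["corrected"] = True
        log.append(entry)
    return log, result

# Constructed sample: synchronization runs from the target system to One Identity Manager.
RULES = [
    Rule("Department", "to_target", detect=True, correct=True),
    Rule("Title", "to_target", detect=True, correct=True, writable=False),
    Rule("Phone", "to_target"),                  # detect not set: rule is ignored
    Rule("LastLogon", "to_oneim", detect=True),  # same direction as sync: ordinary mapping
]
MASTER = {"Department": "Finance", "Title": "Analyst", "Phone": "100", "LastLogon": "2020-01-01"}
TARGET = {"Department": "IT", "Title": "Director", "Phone": "999", "LastLogon": "2020-02-02"}

if __name__ == "__main__":
    for entry in check_rogue(RULES, "to_oneim", MASTER, TARGET)[0]:
        print(entry)
```

A logged entry with "corrected" set to False on a rule that has the correct option enabled points to missing write access on that schema property.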

Synchronizing User Data with Different Systems

The source for the user data and permissions managed by One Identity Manager may be different systems. For example, SAP R/3 user accounts are managed in One Identity Manager. The associated employee data, however, is imported into the database through the CSV connector from another system.

The CSV import may cause the objects coming from another target system through synchronization to be modified. For example, the first and last names of an SAP user account change when the first and last names of an employee change through the CSV import. Changes to the SAP user account should be immediately provisioned in SAP R/3. To illustrate this, the connected systems are called "primary systems" in the following, and the systems whose data is synchronized with the CSV connector are called "secondary systems".

Figure 12: Example of Synchronizing User Data with Different Systems

You can specify whether the data comes from a secondary system in the synchronization steps. In this case, changes are provisioned immediately (actually during synchronization) in the primary system. Conversely, the provisioning process may not start if primary systems are being synchronized.

To configure immediate provisioning when synchronizing a secondary system

  1. Open the synchronization project for the secondary system.

    For more information, see How to Edit a Synchronization Project.

  2. Edit the synchronization step properties.

    Set the option Import data on the General tab.

    For more information, see How to Edit Synchronization Steps.

NOTE: To prevent immediate provisioning of a primary system during synchronization, open the primary system synchronization project and disable the option Import data in the synchronization step.

The session variable FullSync=FALSE is set if the option Data import is enabled. The session variable is set to FullSync=TRUE if the option is disabled. Various processes, scripts and templates are only executed in the One Identity Manager database if FullSync=FALSE. In this context, that means they are only executed when synchronizing with a secondary system. Synchronizing with a primary system ignores these processes, scripts and templates.


Deleting Objects in One Identity Manager

Synchronization gives you two options for deleting objects in One Identity Manager that do not exist in the target system.

  1. The objects are deleted immediately on synchronization.

    You can view the synchronization log to see which objects have been deleted.

    NOTE: Memberships, which exist due to inheritance, cannot be deleted immediately. They are always marked as outstanding.
  2. The objects are marked as outstanding by synchronization.

    Outstanding objects must be post-processed separately in One Identity Manager. They can either be deleted or published in the target system in the process. This prevents objects being deleted because of an incorrect data situation or an incorrect synchronization configuration.

    Note: Objects from a secondary system cannot be marked as outstanding. The controlling factor for this is the option Data import in the synchronization step.

To delete objects immediately in One Identity Manager

  1. Edit the synchronization step properties.

    For more information, see How to Edit Synchronization Steps.

  2. Select the Processing tab.
  3. Specify the processing method. Select:
    For synchronizing from target system to One Identity Manager Processing Method (technical name)
    Objects that only exist in One Identity Manager: Delete

To mark objects as outstanding in One Identity Manager

  1. Edit the synchronization step properties.

    For more information, see How to Edit Synchronization Steps.

  2. Select the Processing tab.
  3. Specify the processing method. Select:
    For synchronizing from target system to One Identity Manager Processing Method (technical name)
    Objects only found in One Identity Manager are: MarkAsOutstanding

Outstanding objects cannot be edited in One Identity Manager until they have been verified. They are ignored by every other synchronization.

To delete outstanding objects in the One Identity Manager

  1. Start the Manager.
  2. Select the category <target system type> | Target system synchronization: <target system type> | <table>.
  3. Select the objects you want to delete. Multi-select is possible.
  4. Click .
  5. Confirm the security prompt with Yes.

    The selected objects are immediately deleted in the One Identity Manager database. Deferred deletion is not taken into account. The "outstanding" label is removed from the objects.


How to Remove Unnecessary Project Data

All the schema data (schema types and schema properties) of the target system schema and the One Identity Manager schema are available when you are editing a synchronization project. Only a part of this data is really needed for configuring synchronization. If a synchronization project is finished, the schema is compressed to remove unnecessary data from the synchronization project. This can speed up loading the synchronization project.

  • Activating the Synchronization Project

    Unnecessary schema data is automatically removed from the synchronization project on activation.

  • Shrink schema
    1. Schemas are shrunk when the synchronization project is saved for the first time.
    2. The schema for each system connection can be shrunk.

      All the schema types that are not currently in use are displayed in a dialog box. You may remove these from the synchronization project. Here you can select the schema types that should remain available for you to use later.

To shrink the system connection schema

  1. Select the category Configuration | Target system.

    - OR -

    Select the category Configuration | One Identity Manager connection.

  2. Click Shrink schema... in the General view.
  3. Mark all the schema types that should not be removed.

    These schema types remain there and can still be used in the synchronization configuration.

  4. Click OK.

You can add the deleted schema data back into the synchronization project again later. To do this you must update the respective schema.
