Identity Manager 8.1.4 - Target System Synchronization Reference Guide

Deleting memberships

Membership of user accounts in groups, for example, can result from direct assignment or through inheritance in One Identity Manager. The membership's origin is stored in the XOrigin assignment table. Inherited memberships cannot be deleted as long as the inheritance source still exists. If inherited memberships are deleted in the target system, they are marked as outstanding by synchronization, depending on which processing method was selected.

You can differentiate between the following cases of deleting membership through synchronization:

Table 72: Deleting memberships
| Membership origin | Delete method | MarkAsOutstanding method |
|---|---|---|
| Only direct | The membership is deleted immediately by synchronization. | The membership is marked as outstanding by synchronization. |
| Only inherited | The membership is marked as outstanding by synchronization. | The membership is marked as outstanding by synchronization. |
| Direct and inherited | The membership is marked as outstanding by synchronization. The reference to direct assignment is removed (value in the XOrigin column is updated). | The membership is marked as outstanding by synchronization. |

Outstanding memberships must be post-processed separately. You can publish these memberships if the inheritance source still exists, or you can reset the status and remove the inheritance source.

Example

Ben King has an Active Directory user account that is a member of the Active Directory group "Backup operators". This membership is loaded into the One Identity Manager database by initial synchronization and saved as direct membership in the ADSAccountInADSGroup table (XOrigin = '1'). Ben King is a member of the business role "Project A". This business role is assigned to the Active Directory group "Backup operators". Therefore, Ben King becomes an indirect member of this Active Directory group (ADSAccountInADSGroup.XOrigin = '3'). The group membership is deleted in the target system. The deleted membership is immediately deleted in the One Identity Manager database the next time synchronization is run (ADSAccountInADSGroup.XOrigin = '2'). The membership is marked as outstanding because it remains in the One Identity Manager database due to inheritance. The outstanding membership must be post-processed in target system synchronization. There are two possible ways to do this:

  1. Assignments to the business role "Project A" are correct.

    The method "Publish" is applied. Membership is re-added to the target system.

  2. Mapping in the target system is correct.
    • The method "Reset status" is applied.
    • The assignment of the Active Directory group to the business role "Project A", or Ben King’s membership of this business role, must be deleted. The group membership must also be deleted from the ADSAccountInADSGroup table.

The method "Delete" cannot be applied.
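
The table and the Ben King example above, modelled as state transitions in an added Python example (not One Identity code). Treating XOrigin as a bitmask (1 = direct, 2 = inherited) is inferred from the values on the page; the `outstanding` field and all function names are hypothetical.

```python
from dataclasses import dataclass, replace
from typing import Optional

DIRECT, INHERITED = 1, 2  # XOrigin bits, inferred from the values 1, 2, 3 on the page

@dataclass(frozen=True)
class Membership:
    account: str
    group: str
    xorigin: int
    outstanding: bool = False  # hypothetical field modelling "marked as outstanding"

def sync_deleted_in_target(m: Membership, method: str) -> Optional[Membership]:
    """Row state after synchronization finds the membership gone in the target system."""
    if method == "MarkAsOutstanding":
        return replace(m, outstanding=True)
    if method != "Delete":
        raise ValueError(f"unknown processing method: {method}")
    if not m.xorigin & INHERITED:
        return None  # only direct: deleted immediately
    # Inherited (with or without direct): drop the direct bit, keep the row as outstanding.
    return replace(m, xorigin=m.xorigin & ~DIRECT, outstanding=True)

def post_process(m: Membership, method: str) -> Optional[Membership]:
    """Post-processing of an outstanding membership in target system synchronization."""
    if not m.outstanding:
        raise ValueError("membership is not outstanding")
    if method == "Delete":
        if m.xorigin & INHERITED:
            raise PermissionError("inherited membership: remove the inheritance source")
        return None  # assumption: a direct-only outstanding row can be deleted
    if method in ("Publish", "Reset status"):
        # Publish re-adds the membership in the target system; Reset status only clears the mark.
        return replace(m, outstanding=False)
    raise ValueError(f"unsupported method: {method}")

def remove_inheritance_source(m: Membership) -> Optional[Membership]:
    """Clear the inherited bit; the row disappears once no origin is left."""
    rest = m.xorigin & ~INHERITED
    return replace(m, xorigin=rest) if rest else None

def ben_king_walkthrough() -> list:
    """Replay the page's example; returns XOrigin after each step, then the outstanding flag."""
    m = Membership("Ben King", "Backup operators", DIRECT)  # initial synchronization
    trace = [m.xorigin]
    m = replace(m, xorigin=m.xorigin | INHERITED)           # business role "Project A"
    trace.append(m.xorigin)
    m = sync_deleted_in_target(m, "Delete")                 # removed in Active Directory
    return trace + [m.xorigin, m.outstanding]
```

For a privileged group such as "Backup operators", the outstanding state is the signal to review: the target system and the role model disagree until one of the two post-processing paths is taken.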

Help for the analysis of synchronization issues

You can generate a report for analyzing problems that arise during synchronization, such as inadequate performance. The report contains information such as:

  • Consistency check results
  • Revision filter settings
  • Scope applied
  • Analysis of the data store
  • Object access times in the One Identity Manager database and in the target system

To generate a synchronization analysis report

  1. Select the Help | Generate synchronization analysis report menu item and click Yes in the security prompt.

    The report may take a few minutes to generate. It is displayed in a separate window.

  2. Print the report or save it in one of the available output formats.

Setting up synchronization with default connectors

One Identity Manager provides connectors for synchronizing with the following target systems:

  • Natively supported target systems

    Separate modules are provided for mapping and processing target system objects. Each target system has its own connector. This includes, for example, the following target systems:

    • Active Directory
    • SharePoint
    • SAP R/3

    Connectors for natively supported target systems are described in the administration guides for the relevant modules.

  • Cloud applications

    Using the SCIM connector, Cloud applications can be connected to the Universal Cloud Interface Module of the One Identity Manager. Cloud objects are transferred to the Universal Cloud Interface over the Cloud Systems Management Module and can be linked there to employees.

    For detailed information, see the following guides:

    • One Identity Manager Administration Guide for Connecting to Cloud Applications
    • One Identity Manager Administration Guide for Connecting to the Universal Cloud Interface
  • CSV files

    The CSV connector can transfer data between CSV files and the One Identity Manager database. In this context, the CSV files map the target system.

    For more detailed information, see the One Identity Manager CSV Connector User Guide.

  • One Identity Manager databases

    Use the One Identity Manager connector to synchronize One Identity Manager databases with the same product version.

    For more detailed information, see the One Identity Manager User Guide for the One Identity Manager Connector.

  • Target systems that are not natively supported

    You can use the Windows PowerShell connector to connect target systems to One Identity Manager that do not have native support in One Identity Manager. Windows PowerShell cmdlets are used to execute read/write operations in the target system.

    For more detailed information, see the One Identity Manager Windows PowerShell Connector User Guide.

  • Native database systems

    With this native database connector, you can synchronize external databases with the One Identity Manager database.

    For detailed information, see the following guides:

    • One Identity Manager Native Database Connector User Guide for Connecting DB2 (LUW) Databases
    • One Identity Manager Native Database Connector User Guide for Connecting MySQL Databases
    • One Identity Manager Native Database Connector User Guide for Connecting Oracle Databases
    • One Identity Manager Native Database Connector User Guide for Connecting SQLite Databases
    • One Identity Manager Native Database Connector User Guide for Connecting SQL Server Databases
    • One Identity Manager Native Database Connector User Guide for the CData ADO.NET Provider
    • One Identity Manager Native Database Connector User Guide for the generic ADO.NET Provider
    • One Identity Manager Native Database Connector User Guide for Connecting SAP HANA Databases

Updating existing synchronization projects

Any required changes to system connectors or the synchronization engine are made available when you update One Identity Manager. These changes must be applied to existing synchronization projects to prevent target system synchronizations that are already set up from failing. There are two ways to do this:

  • Apply the required patches to the existing synchronization projects.

    Patches for new functions and resolved issues in One Identity Manager are installed by hotfix packages and migration packages. You must apply these patches manually for the changes to take effect in existing synchronization projects. The default configuration of these synchronization projects is updated in the process. Custom modifications are not affected by the patches.

    This method is recommended if the synchronization projects conform to the default configuration and contain no, or only very little, customization.

  • Delete existing synchronization projects and create them again.

    This method is recommended if your synchronization projects contain extensive customizations that might conflict with the modifications in the patches.

Detailed information about this topic

For more detailed information about setting up synchronization projects, see the administration guides for connecting target systems.
