How does dependency resolution work?
Dependencies can arise between schema classes that require synchronization steps to be repeated. For example, object references cannot be set until the referenced object has been added. Dependencies can also arise between schema properties within a schema class.
Figure 9: Example of a workflow with dependent schema classes and schema properties
One Identity Manager can automatically resolve such dependencies. In this case, the steps are grouped together such that the referenced objects are synchronized first and the dependent objects next. If dependencies exist within a schema class, additional synchronization steps are inserted to synchronize the dependent schema properties. The final sequence of synchronization steps can be viewed in the "Execution Plan" report.
NOTE: If dependencies exist between schema classes, the schema classes must be synchronized by the same workflow so that dependencies can be automatically resolved.
Figure 10: Example of a workflow with automatic dependency resolution
To set up automatic resolution of dependencies
Use automatic dependency resolution by default. Select manual dependency resolution only if individual dependencies cannot be resolved automatically. This might be necessary, for example, if two objects reference each other through mandatory properties.
NOTE: If dependency resolution is set to "Manual", One Identity Manager does not check during synchronization whether dependencies exist between schema classes and schema properties. The synchronization steps are processed sequentially in the order displayed in the workflow view.
Synchronization exits with an error if dependencies exist that cannot be resolved!
To resolve dependencies manually
- Find the schema properties between which dependencies exist.
- Create a workflow with synchronization steps that meet the following criteria:
  a) Synchronization steps that synchronize the independent and the referenced objects. Property mapping rules for dependent schema properties must be excluded from these steps.
  b) Synchronization steps that synchronize the dependent objects. Property mapping rules for dependent schema properties must be included in these steps.
- Specify the synchronization step sequence such that all synchronization steps from a) are executed first and then the synchronization steps from b).
- Edit the workflow properties and set dependency resolution to "Manual".
For more information, see How to edit a workflow.
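The ordering rules above (referenced classes first, dependent properties moved into follow-up steps, an error when mandatory references form a cycle) and the manual check a practitioner would want before running a workflow with "Manual" dependency resolution, as an added Python example. This is not One Identity Manager code: the schema classes, properties and references are constructed, and `build_execution_plan`, `validate_manual_order` and the `(class, properties)` step representation are assumptions made for the illustration.

```python
"""Execution-plan builder for synchronization steps with dependencies.

Added example, not One Identity Manager code.  It models the documented
behaviour: referenced schema classes are synchronized first, dependent
schema properties are moved into additional steps, and a cycle that
consists only of mandatory references cannot be resolved.  The schema
classes, properties and their references below are constructed for the
example.
"""
from collections import defaultdict

# Constructed schema: class -> {property: (referenced class, mandatory?)}
SCHEMA = {
    "Domain":  {},
    "OU":      {"Domain": ("Domain", True), "ParentOU": ("OU", False)},
    "Account": {"OU": ("OU", True), "PrimaryGroup": ("Group", True),
                "Manager": ("Account", False)},
    "Group":   {"OU": ("OU", True), "Owner": ("Account", False)},
}


class UnresolvableDependencyError(Exception):
    """Mandatory references form a cycle that no step order can satisfy."""


def build_execution_plan(schema):
    """Return synchronization steps as (schema class, included properties).

    * A class is synchronized only after every class it references.
    * References to the class itself always go to a follow-up step.
    * If no class is ready (cyclic references), classes whose pending
      references are all optional get a base step without those
      properties, plus a follow-up step that sets them afterwards.
    * A cycle made only of mandatory references raises an error; this is
      the case that has to be resolved manually.
    """
    remaining = set(schema)
    done = set()
    base_steps = []               # (class, properties set in the base step)
    deferred = defaultdict(list)  # class -> properties moved to a follow-up step

    for cls, props in schema.items():
        for prop, (ref_cls, _mandatory) in props.items():
            if ref_cls == cls:
                deferred[cls].append(prop)

    def pending_refs(cls):
        """References of cls whose target class is not synchronized yet."""
        return [(prop, ref, mandatory)
                for prop, (ref, mandatory) in schema[cls].items()
                if ref != cls and ref not in done]

    while remaining:
        ready = sorted(c for c in remaining if not pending_refs(c))
        if not ready:
            # Cycle: break it at optional references only.
            ready = sorted(c for c in remaining
                           if all(not mandatory for _, _, mandatory in pending_refs(c)))
            if not ready:
                raise UnresolvableDependencyError(
                    "mandatory references form a cycle: " + ", ".join(sorted(remaining)))
            for cls in ready:
                deferred[cls].extend(prop for prop, _, _ in pending_refs(cls))
        for cls in ready:
            included = [p for p in schema[cls] if p not in deferred[cls]]
            base_steps.append((cls, included))
            remaining.remove(cls)
            done.add(cls)

    follow_up = [(cls, deferred[cls]) for cls, _ in base_steps if deferred[cls]]
    return base_steps + follow_up


def validate_manual_order(schema, steps):
    """Check a manually ordered workflow the way a sequential run would fail.

    Returns (step index, "Class.Property") for every property whose
    referenced class has not been synchronized by an earlier step.  An
    empty list means the order is safe.
    """
    synced = set()
    problems = []
    for index, (cls, props) in enumerate(steps):
        for prop in props:
            ref_cls, _mandatory = schema[cls][prop]
            if ref_cls not in synced:
                problems.append((index, f"{cls}.{prop}"))
        synced.add(cls)
    return problems


if __name__ == "__main__":
    for number, (cls, props) in enumerate(build_execution_plan(SCHEMA), 1):
        print(f"step {number}: {cls} {props}")
```

With the constructed schema the plan comes out as Domain, OU (without ParentOU), Group (without Owner, because Owner and Account.PrimaryGroup would otherwise form a cycle), Account, followed by the three follow-up steps that set ParentOU, Owner and Manager. Swapping both references in the cycle to mandatory makes `build_execution_plan` raise, which is exactly the situation the note on manual resolution describes.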
If a referenced object does not exist in the One Identity Manager database, the object reference cannot be resolved. Unresolvable object references are written to a buffer called the data store (table DPRAttachedDataStore). This ensures that these references remain intact and are not deleted in the target system by provisioning.
An Active Directory group has an account manager that belongs to a domain not covered by the current synchronization run. The account manager does not exist in the One Identity Manager database either.
Synchronization cannot assign the account manager. In order to retain the assignment, the object reference is saved in the data store with the account manager's distinguished name.
During each synchronization, One Identity Manager tries to clean up the data store. If the referenced objects now exist in the One Identity Manager database, the references are resolved and the entries are deleted from the data store. Which entries are cleaned up depends on the synchronization type (with or without revision filter) and on the maintenance mode.
Table 22: Maintenance for unresolved object references

| Maintenance mode | Synchronization without revision filter | Synchronization with revision filter |
|---|---|---|
| No separate clean-up of the data store | Object references of all synchronization objects are cleaned up if the referenced objects exist in the One Identity Manager database. | Only object references of modified objects are cleaned up. |
| Always synchronize affected objects | As above: all synchronization objects are processed anyway. | The revision filter is removed for objects with unresolved references. Their references are therefore also cleaned up if the objects have not changed since the last synchronization. |
| Full maintenance after every synchronization | One Identity Manager tries to resolve object references again after synchronization. Unresolved references that arose during this synchronization run are therefore also processed. | One Identity Manager tries to resolve object references again after synchronization. Unresolved references that arose during this synchronization run are processed, and object references of unmodified objects are also cleaned up. |
You can enter the number of retries for resolving object references. Several attempts may be necessary to resolve an object that is part of a hierarchy with several levels, because each attempt resolves only one hierarchy level.
To set up maintenance mode
NOTE: One Identity Manager supplies a scheduled process plan that regularly cleans up the contents of the DPRAttachedDataStore table. Entries for objects that no longer exist in the One Identity Manager database are deleted. The process plan is executed during daily maintenance.
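The data store behaviour described above (buffering a reference whose target is missing, cleaning up entries on later runs, the effect of a revision filter, and why a multi-level hierarchy needs one retry per level), as an added Python simulation. This is not One Identity Manager code and does not touch DPRAttachedDataStore: the distinguished names, attribute names and the `synchronize` / `clean_up_data_store` functions are constructed for the example, and the rule that a target must itself be fully resolved before a reference to it can be set is a modelling assumption.

```python
"""Buffering unresolvable object references and re-resolving them later.

Added example, not One Identity Manager code.  It models the data store
described above: a reference whose target is missing is buffered instead of
dropped, and later clean-up attempts resolve it once the target exists.
The DNs, attribute names and the rule that a target must itself be fully
resolved before a reference to it can be set (which is what makes a
hierarchy resolve one level per attempt) are modelling assumptions.
"""


def synchronize(db, store, objects):
    """Write objects into db; references to missing targets go to the store.

    db:      dict DN -> {property: referenced DN or None}
    store:   list of (object DN, property, referenced DN), the data store
    objects: list of (DN, {property: referenced DN}) in the order they arrive
    """
    for dn, refs in objects:
        db.setdefault(dn, {})
        for prop, target in refs.items():
            if target in db:
                db[dn][prop] = target
            else:
                db[dn][prop] = None            # stays empty, nothing is deleted
                store.append((dn, prop, target))


def is_resolved(db, dn):
    """A target is usable once it exists and has no open references itself."""
    return dn in db and all(v is not None for v in db[dn].values())


def clean_up_data_store(db, store, max_retries, modified=None):
    """Retry resolving buffered references, one hierarchy level per attempt.

    modified: set of object DNs changed since the last run.  When given, it
    plays the role of the revision filter without maintenance: only entries
    of modified objects are considered.  None means every entry is
    considered (no revision filter, or full maintenance).
    Returns (attempts used, entries still unresolved).
    """
    attempts = 0
    while store and attempts < max_retries:
        attempts += 1
        still_open = []
        for dn, prop, target in store:
            if (modified is not None and dn not in modified) or not is_resolved(db, target):
                still_open.append((dn, prop, target))
            else:
                db[dn][prop] = target          # resolved: entry leaves the store
        if len(still_open) == len(store):
            break                               # no progress, further retries are useless
        store[:] = still_open
    return attempts, list(store)


def example_run(max_retries=5, modified=None):
    """Constructed scenario: an OU chain arrives child-first, plus a group
    whose account manager lives in a domain outside this synchronization."""
    db = {"DC=example,DC=com": {}}            # the domain already exists
    store = []
    synchronize(db, store, [
        ("OU=Team,OU=Dept,OU=Corp,DC=example,DC=com",
         {"ParentOU": "OU=Dept,OU=Corp,DC=example,DC=com"}),
        ("OU=Dept,OU=Corp,DC=example,DC=com",
         {"ParentOU": "OU=Corp,DC=example,DC=com"}),
        ("OU=Corp,DC=example,DC=com", {"ParentOU": "DC=example,DC=com"}),
        ("CN=Admins,OU=Corp,DC=example,DC=com",
         {"AccountManager": "CN=Bob,OU=Users,DC=other,DC=com"}),
    ])
    attempts, unresolved = clean_up_data_store(db, store, max_retries, modified)
    return db, attempts, unresolved


if __name__ == "__main__":
    _, attempts, unresolved = example_run()
    print(f"attempts: {attempts}, still unresolved: {unresolved}")
```

With the default of five retries the first attempt resolves Dept, the second resolves Team (its parent only became usable after the first attempt), and the third makes no progress because the account manager in the other domain never appears; that entry stays in the store, exactly as the example with the foreign-domain account manager describes. With one retry Team remains unresolved, and with a revision filter that marks only Dept as modified, Team is not even considered.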
Direction of synchronization and mapping
To synchronize a target system with One Identity Manager, you must specify which of the connected systems is the data master. The master system is specified in the synchronization configuration by the direction of synchronization. The direction in which individual schema properties are mapped may differ from this. Therefore, the permitted mapping direction must also be given in the schema property mapping.
Table 23: Direction of synchronization

| Specified in | Meaning |
|---|---|
| Start up configuration | In which direction a specific synchronization is executed |
| Workflow | In which direction synchronizations with this workflow are executed |
| Synchronization step | In which synchronization direction the step is executed |

Table 24: Permitted mapping direction

| Specified in | Meaning |
|---|---|
| Mapping | In which synchronization direction the property mapping rules of this mapping are used |
| Property mapping rule | In which synchronization direction this property mapping rule is used |
One Identity Manager synchronizes two connected systems in the direction given in the start up configuration or in the workflow. A synchronization step is executed only if the direction of synchronization stored with the step matches the direction of the current synchronization. The system objects of a schema class are synchronized only if the mapping direction stored with the mapping corresponds to the current direction of synchronization. For each property mapping rule, One Identity Manager then checks whether the rule can be used in the current synchronization direction: a property mapping rule is ignored if its mapping direction differs from the current direction of synchronization.
Figure 11: Example showing effect of specified synchronization direction and permitted mapping direction
Mapping against the direction of synchronization
For certain schema properties, it may be necessary to copy the schema property value from the connected system into the master system immediately, each time synchronization is run. The property mapping rules for these schema properties have a mapping direction opposite to the direction of synchronization. Such rules are not executed by default. To transfer these schema property values during synchronization, you must force execution of these rules. This behavior is configured in the property mapping rules.
To force mapping a schema property against the direction of synchronization
Property mapping rules with this option set are executed again after the synchronization step is completed. This copies changes from the connected system into the master system, against the direction of synchronization. A synchronization step is therefore processed as follows:
- While a synchronization step is being executed, all property mapping rules whose mapping direction is opposite to the direction of synchronization are ignored. Property mapping rules whose mapping direction corresponds to the direction of synchronization are run.
- All changes to the connected system are saved when the synchronization step is complete.
- All property mapping rules with the Force mapping against direction of synchronization option set are executed again. For the schema properties involved, the changes are copied from the connected system into the master system.
NOTE: The property mapping rules are also rerun after completion of the synchronization step if no processing methods are given in the synchronization step.
Use the Force mapping against direction of synchronization option for schema properties that cannot be edited in the master system due to technical limitations.
NOTE: This option is also taken into account when object changes are provisioned.
An Active Directory environment is to be administrated through One Identity Manager. One Identity Manager is the master system for synchronizing the two systems. The object GUIDs of user accounts are, however, not generated in One Identity Manager but in the Active Directory environment. This means that the mapping direction for the user account object GUID differs from the direction of synchronization. To copy the object GUID from the target system into One Identity Manager during synchronization, mapping against the direction of synchronization must be forced for this schema property.
Table 25: Synchronization configuration

| Setting | Value |
|---|---|
| Direction of synchronization | To the target system |
| Mapping direction for the schema properties ADSAccount.ObjectGUID - User.ObjectGUID | To One Identity Manager |
| Force mapping against direction of synchronization | Set |
Scenario: A new Active Directory user account was added in One Identity Manager.
- The user account is added in the target system through synchronization.
- The property mapping rule for the object GUID is ignored because its mapping direction is opposite to the direction of synchronization.
- Once all property mapping rules of the synchronization step have been processed, the user account is saved in the target system. The target system calculates a value for User.ObjectGUID.
- Once the synchronization step is complete, the property mapping rule for the object GUID is run again. The object GUID is copied from Active Directory into One Identity Manager.
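The scenario above, and the general step logic from the earlier section on direction of synchronization (a step runs only when its direction matches, rules against the direction are skipped on the first pass, the connected system is saved, forced rules run afterwards), as an added Python simulation. This is not One Identity Manager code: the `PropertyMappingRule` class, the rule set, the attribute names and the stand-in target system that generates an objectGUID on save are constructed for the example; only the save of the target system is simulated.

```python
"""Direction of synchronization versus permitted mapping direction.

Added example, not One Identity Manager code.  It simulates one
synchronization step: rules whose mapping direction matches the direction
of synchronization run first, the connected system is saved, and rules with
"Force mapping against direction of synchronization" run afterwards in the
opposite direction.  The rule set, the attribute names and the stand-in
target system that assigns an objectGUID on save are constructed for the
example.
"""
from dataclasses import dataclass
import uuid

TO_TARGET = "To the target system"
TO_MASTER = "To One Identity Manager"


@dataclass(frozen=True)
class PropertyMappingRule:
    master_property: str           # schema property on the One Identity Manager side
    target_property: str           # schema property on the target-system side
    direction: str                 # permitted mapping direction
    force_against_direction: bool = False


def apply_rule(rule, master_obj, target_obj):
    """Copy the value in the rule's own mapping direction."""
    if rule.direction == TO_TARGET:
        target_obj[rule.target_property] = master_obj[rule.master_property]
    else:
        master_obj[rule.master_property] = target_obj[rule.target_property]


def save_target_system(target_obj):
    """Stand-in for the connected Active Directory: the GUID is generated
    there on first save and cannot be set from the master system."""
    if target_obj.get("objectGUID") is None:
        # deterministic for the example; a real directory generates a random GUID
        target_obj["objectGUID"] = str(uuid.uuid5(uuid.NAMESPACE_DNS, target_obj["sAMAccountName"]))


def run_synchronization_step(sync_direction, step_direction, rules, master_obj, target_obj):
    """Execute one synchronization step; return the rules applied as
    (master property, pass) in the order they ran.  Empty if the step's
    direction does not match the current direction of synchronization."""
    if step_direction != sync_direction:
        return []                                    # step is skipped
    applied = []
    # Pass 1: rules against the direction of synchronization are ignored.
    for rule in rules:
        if rule.direction == sync_direction:
            apply_rule(rule, master_obj, target_obj)
            applied.append((rule.master_property, "mapped"))
    # The connected system is saved when the step is complete
    # (only the target-system save is simulated here).
    if sync_direction == TO_TARGET:
        save_target_system(target_obj)
    # Pass 2: forced rules run again, copying from the connected system
    # back into the master system against the direction of synchronization.
    for rule in rules:
        if rule.force_against_direction and rule.direction != sync_direction:
            apply_rule(rule, master_obj, target_obj)
            applied.append((rule.master_property, "forced"))
    return applied


# Constructed mapping: two ordinary rules and the forced GUID rule from Table 25.
RULES = (
    PropertyMappingRule("SAMAccountName", "sAMAccountName", TO_TARGET),
    PropertyMappingRule("DisplayName", "displayName", TO_TARGET),
    PropertyMappingRule("ObjectGUID", "objectGUID", TO_MASTER, force_against_direction=True),
)


def provision_new_account(rules=RULES):
    """Scenario from the text: a user account created in One Identity Manager
    is added to Active Directory.  Returns (master object, target object, applied)."""
    master_obj = {"SAMAccountName": "jdoe", "DisplayName": "Jane Doe", "ObjectGUID": None}
    target_obj = {}
    applied = run_synchronization_step(TO_TARGET, TO_TARGET, rules, master_obj, target_obj)
    return master_obj, target_obj, applied


if __name__ == "__main__":
    master, target, applied = provision_new_account()
    print(applied)
    print("master ObjectGUID:", master["ObjectGUID"], "target objectGUID:", target["objectGUID"])
```

Running the scenario with the forced rule copies the GUID generated by the target system back into the master object after the save; with the option cleared, the same rule is ignored on both passes and the master object's ObjectGUID stays empty, which is the gap the option exists to close.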