To include schema data that have been deleted through compression and schema modifications in the , update each schema in the synchronization project. This may be necessary if:
To update a system connection schema
Select the Configuration | category.
- OR -
Select the Configuration | One Identity Manager connection category.
Select the General view and click Update schema.
- Confirm the security prompt with Yes.
This reloads the schema data.
Then you can add the changes to the schema property mapping.
NOTE: The synchronization is deactivated if the schema of an activated synchronization project is updated. Reactivate the synchronization project to synchronize.
Synchronizing and provisioning memberships
Memberships, such as user accounts in groups, are saved in assignment tables in the One Identity Manager database. Membership lists are commonly maintained as an object property in the target system. If a membership is modified in One Identity Manager, the object must be updated.
Changing a membership label
To label whether a membership was changed, a base table assignment is maintained, which maintains information about the last change of membership in the Dependencies modification date column (XDateSubItem). During provisioning of modified memberships, One Identity Manager decided which objects must be updated based on this date. In the case of with revision filtering, the highest value from XDateSubItem and XDateUpdated is used as a revision counter for the database objects.
If a membership is changed in One Identity Manager, the change date for dependencies must updated so that the modification can be provisioned.
The base table has the XDateSubItem column.
NOTE: If this column does not exist in the assignment's base table, you can extend the base table. Create the CCC_XDateSubItem column to do this.
- The Update dependencies modification date property is true in the table relation between assignment and base table (QBMRelation.IsForUpdateXDateSubItem = TRUE).
Figure 13: Memberships in the One Identity Manager database
If a membership changes (through insertion, deletion, or resetting of status "Outstanding") a task for updating the XDateSubItem column of the base table is queued in the DBQueue (QBM-K-XDateSubItemUpdate). If necessary, more processing tasks, for example, calculating inheritance, are queued in the DBQueue. These tasks are handled first. The QBM-K-XDateSubItemUpdate task is deferred until all the processing tasks for the modified object and the module to which it belongs, have been handled. If other memberships in this module are changed in the meantime, these changes are collected by the existing task for updating the XDateSubItem column and subsequently handled together. Once the QBM-K-XDateSubItemUpdate task is run, an update task for the XDateSubItem column is queued in the Job queue. The column value is updated. The task for provisioning changed memberships is then placed in the Job queue.
Figure 14: Processing a membership change in One Identity Manager
Active Directory user account membership in an Active Directory group is deleted in One Identity Manager (ADSAccountInADSGroup table). The change date for dependencies is updated on the Active Directory group (ADSGroup.XDateSubItem). The change to the membership for this Active Directory group is provisioned in the target system. The next time synchronization with revision filtering is run, XDateSubItem is taken as the highest change date for the revision counter and is compared to the schema type's revision.
Single membership provisioning
During the membership provisioning, changes made in the target system will probably be overwritten. This behavior can occur under the following conditions:
Memberships are saved in the target system as an object property in list form (Example: List of user accounts in the Members property of an Active Directory group).
Memberships can be modified in either of the connected systems.
A provisioning workflow and provisioning processes are set up.
If one membership in One Identity Manager changes, by default, the complete list of members is transferred to the target system. Therefore, memberships that were previously added to the target system are removed in the process and previously deleted memberships are added again.
To prevent this, provisioning can be configured such that only the modified membership is provisioned in the target system. To do this, you must set the Merge mode option on the assignment table (DPRNameSpaceHasDialogTable.IsAdHocSingleMemberShip = TRUE). For more detailed information about setting this option, see the administration guides for connecting each target systems.
Additional processing steps are executed for tables with this option enabled.
- A task is set up in the DBQueue Processor to update the DPRMemberShipAction table. This table contains the modified objects and operations to be run.
- The membership list of modified objects is compared to the DPRMemberShipAction table. Therefore, if only one membership changes, not the entire members list in the target system has to be updated. Only each modified membership is transferred to the members list. Changes to memberships of the modified object, which were made in the target system in the meantime, are therefore not overwritten.
- Once the change has been successfully provisioned in the target system, the entry is deleted from the DPRMemberShipAction table. If an error occurs during provisioning, the entry remains in the table.
Table 27: Handling entries in the DPRMemberShipAction table
|A new modification to the object is reprocessed by provisioning and deleted on success.
|Failed and deleted
|Deleted during daily .
All entries without a provisioning task in the Job queue are deleted in the process of these maintenance jobs.
NOTE: The complete members list is updated by . During this process, objects with changes but incomplete provisioning are not handled. These objects are logged in the synchronization log.