Chat now with support
Chat with Support

Identity Manager 8.1.4 - Target System Synchronization Reference Guide

Target system synchronization with the Synchronization Editor Working with the Synchronization Editor Basics of target system synchronization Setting up synchronization
Starting the Synchronization Editor Creating a synchronization project Configuring synchronization
Setting up mappings Setting up synchronization workflows Connecting systems Editing the scope Using variables and variable sets Setting up start up configurations Setting up base objects
Overview of schema classes Customizing the synchronization configuration Checking the consistency of the synchronization configuration Activating the synchronization project Defining start up sequences
Running synchronization Synchronization analysis Setting up synchronization with default connectors Updating existing synchronization projects Script library for synchronization projects Additional information for experts Resolving errors when connecting target systems Configuration parameters for target system synchronization Configuration file examples Glossary

Updating schemas

To include schema data that have been deleted through compression and schema modifications in the synchronization projectClosed, update each schema in the synchronization project. This may be necessary if:

  • A schema was changed by:

    • Changes to a target system schema

    • Customizations to the One Identity Manager schema

    • A One Identity Manager update migration

  • A schema in the synchronization project was shrunk by:

    • Enabling the synchronization project

    • Saving the synchronization project for the first time

    • Compressing a schema

To update a system connection schema

  1. Select the Configuration | Target systemClosed category.

    - OR -

    Select the Configuration | One Identity Manager connection category.

  2. Select the General view and click Update schema.

  3. Confirm the security prompt with Yes.

    This reloads the schema data.

Then you can add the changes to the schema property mapping.

NOTE: The synchronization is deactivated if the schema of an activated synchronization project is updated. Reactivate the synchronization project to synchronize.
Related topics

Synchronizing and provisioning memberships

Memberships, such as user accounts in groups, are saved in assignment tables in the One Identity Manager database. Membership lists are commonly maintained as an object property in the target system. If a membership is modified in One Identity Manager, the object must be updated.

Changing a membership label

To label whether a membership was changed, a base table assignment is maintained, which maintains information about the last change of membership in the Dependencies modification date column (XDateSubItem). During provisioning of modified memberships, One Identity Manager decided which objects must be updated based on this date. In the case of synchronizationClosed with revision filtering, the highest value from XDateSubItem and XDateUpdated is used as a revision counter for the database objects.

If a membership is changed in One Identity Manager, the change date for dependencies must updated so that the modification can be provisioned.

Prerequisites

  • The base table has the XDateSubItem column.

    NOTE: If this column does not exist in the assignment's base table, you can extend the base table. Create the CCC_XDateSubItem column to do this.
  • The Update dependencies modification date property is true in the table relation between assignment and base table (QBMRelation.IsForUpdateXDateSubItem = TRUE).

Figure 13: Memberships in the One Identity Manager database

If a membership changes (through insertion, deletion, or resetting of status "Outstanding") a task for updating the XDateSubItem column of the base table is queued in the DBQueue (QBM-K-XDateSubItemUpdate). If necessary, more processing tasks, for example, calculating inheritance, are queued in the DBQueue. These tasks are handled first. The QBM-K-XDateSubItemUpdate task is deferred until all the processing tasks for the modified object and the module to which it belongs, have been handled. If other memberships in this module are changed in the meantime, these changes are collected by the existing task for updating the XDateSubItem column and subsequently handled together. Once the QBM-K-XDateSubItemUpdate task is run, an update task for the XDateSubItem column is queued in the Job queue. The column value is updated. The task for provisioning changed memberships is then placed in the Job queue.

Figure 14: Processing a membership change in One Identity Manager

Example

Active Directory user account membership in an Active Directory group is deleted in One Identity Manager (ADSAccountInADSGroup table). The change date for dependencies is updated on the Active Directory group (ADSGroup.XDateSubItem). The change to the membership for this Active Directory group is provisioned in the target system. The next time synchronization with revision filtering is run, XDateSubItem is taken as the highest change date for the revision counter and is compared to the schema type's revision.

Related topics

Single membership provisioning

During the membership provisioning, changes made in the target system will probably be overwritten. This behavior can occur under the following conditions:

  • Memberships are saved in the target system as an object property in list form (Example: List of user accounts in the Members property of an Active Directory group).

  • Memberships can be modified in either of the connected systems.

  • A provisioning workflow and provisioning processes are set up.

If one membership in One Identity Manager changes, by default, the complete list of members is transferred to the target system. Therefore, memberships that were previously added to the target system are removed in the process and previously deleted memberships are added again.

To prevent this, provisioning can be configured such that only the modified membership is provisioned in the target system. To do this, you must set the Merge mode option on the assignment table (DPRNameSpaceHasDialogTable.IsAdHocSingleMemberShip = TRUE). For more detailed information about setting this option, see the administration guides for connecting each target systems.

Additional processing steps are executed for tables with this option enabled.

  1. A task is set up in the DBQueue Processor to update the DPRMemberShipAction table. This table contains the modified objects and operations to be run.
  2. The membership list of modified objects is compared to the DPRMemberShipAction table. Therefore, if only one membership changes, not the entire members list in the target system has to be updated. Only each modified membership is transferred to the members list. Changes to memberships of the modified object, which were made in the target system in the meantime, are therefore not overwritten.
  3. Once the change has been successfully provisioned in the target system, the entry is deleted from the DPRMemberShipAction table. If an error occurs during provisioning, the entry remains in the table.
Table 27: Handling entries in the DPRMemberShipAction table
ProvisioningClosed Process Entry in DPRMemberShipAction Comment
Success Deleted  
Fail Remains intact A new modification to the object is reprocessed by provisioning and deleted on success.
Re-enabled Reprocessed  
Failed and deleted Remains intact Deleted during daily maintenanceClosed.

All entries without a provisioning task in the Job queue are deleted in the process of these maintenance jobs.

NOTE: The complete members list is updated by synchronizationClosed. During this process, objects with changes but incomplete provisioning are not handled. These objects are logged in the synchronization log.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating