
Identity Manager 8.2.1 - Target System Synchronization Reference Guide


Editing object matching rules

Object matching rules assign schema properties through which system objects can be uniquely identified. For example, Active Directory groups can be uniquely identified by the DistinguishedName and ObjectGUID schema properties.

Object matching rules can be added or created from property mapping rules. If system objects can only be identified through several schema properties, different property matching rules can be linked with logical operators to form an object matching rule.

NOTE: Using object matching rules of this type can slow down synchronization. Instead, use a virtual schema property to link the schema properties required for matching and create an object matching rule with it.

If several object matching rules are set up, they are run in the order in which they are listed in the rule view. The rule at the top is the primary rule; all others are marked as alternatives. If a system object can be identified uniquely by the primary rule, the alternative rules are not run. If a system object cannot be identified by the primary rule, One Identity Manager uses the next alternative rule to determine a suitable system object. If none of the rules can identify a suitable system object, the object does not have a partner and is handled as new or deleted.

Example

The following object matching rules are defined for mapping Active Directory groups:

  • Object GUID <-> Object GUID (primary rule)
  • Distinguished name <-> Obj-Dist-Name (alternative rule)
  • Object SID <-> Object-Sid (alternative rule no. 2)

Properties of an Active Directory group are modified in One Identity Manager. During provisioning, the Active Directory connector tries to identify the group in the target system by using the object GUID. It does not find an object with this object GUID so the alternative object matching rule is applied. The connector identifies an object with the same distinguished name and updates this object in the target system.

NOTE:

  • Object matching rules must use schema properties with read-access. Write-only schema properties are not suitable for identification of system objects.

  • Schema properties used to identify system objects must contain a value. If a schema property is empty, the object matching rule is ignored and the next alternative rule is applied.

  • If several system objects that fulfill the matching criteria are found, a message appears in the synchronization log. These objects are ignored as processing continues.

    If several system objects are found, either there is corrupt data in connected systems or the matching criteria are not unique. Clean up the data in the connected systems and adjust the object matching rules.
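
The evaluation order and the three notes above, modeled as an added example (not One Identity Manager code or its API). Rule names follow the Active Directory group example, all objects are constructed, and stopping at an ambiguous match instead of trying the next rule is an assumption of this model.

```python
# Simplified model of ordered object matching rules (added example, constructed data).
RULES = [  # (One Identity Manager property, target system property), primary rule first
    ("ObjectGUID", "ObjectGUID"),
    ("DistinguishedName", "Obj-Dist-Name"),
    ("ObjectSID", "Object-Sid"),
]

def find_partner(obj, target_objects, rules=RULES):
    """Return (status, partner, rule_index, log) for one object."""
    log = []
    for index, (left, right) in enumerate(rules):
        value = obj.get(left)
        if not value:
            # Empty schema property: rule is ignored, next alternative is applied.
            log.append(f"rule {index} ({left}) skipped: empty value")
            continue
        hits = [t for t in target_objects if t.get(right) == value]
        if len(hits) == 1:
            return "matched", hits[0], index, log
        if len(hits) > 1:
            # Several candidates: write a log message and ignore the object.
            # Assumption of this model: evaluation stops here.
            log.append(f"rule {index} ({left}) ambiguous: {len(hits)} objects")
            return "ambiguous", None, index, log
        log.append(f"rule {index} ({left}) found no object")
    return "no_partner", None, None, log  # handled as new or deleted

# Constructed target system content; two groups share a distinguished name on purpose.
HR_DN = "CN=HR,OU=Groups,DC=example,DC=com"
SALES_DN = "CN=Sales,OU=Groups,DC=example,DC=com"
TARGET = [
    {"ObjectGUID": "guid-2", "Obj-Dist-Name": SALES_DN, "Object-Sid": "S-1-5-21-0-0-0-1001"},
    {"ObjectGUID": "guid-3", "Obj-Dist-Name": HR_DN, "Object-Sid": "S-1-5-21-0-0-0-1002"},
    {"ObjectGUID": "guid-4", "Obj-Dist-Name": HR_DN, "Object-Sid": "S-1-5-21-0-0-0-1003"},
]

def demo():
    cases = {
        # GUID is unknown in the target, so the distinguished name rule decides.
        "sales": {"ObjectGUID": "guid-1", "DistinguishedName": SALES_DN},
        # Empty GUID skips the primary rule; the distinguished name is not unique.
        "hr": {"ObjectGUID": "", "DistinguishedName": HR_DN},
        # No rule finds anything: no partner.
        "new": {"ObjectGUID": "guid-9", "DistinguishedName": "CN=New,DC=example,DC=com"},
    }
    return {name: find_partner(obj, TARGET)[:3] for name, obj in cases.items()}

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result[0], "rule index:", result[2])
```

A match with a rule index above 0 means the primary identifier did not match, so the updated object was chosen by a weaker property; such matches are the ones to review in the synchronization log.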

How to create object matching rules

To create an object matching rule from a property mapping rule

  1. Select the Mappings category.
  2. Select a mapping in the navigation view.
  3. Select the property mapping rule in the rule view.
  4. Click in the rule view toolbar.

    A message appears.

  5. To convert the property mapping rule to an object matching rule, click No in the message dialog.

    - OR -

    To convert the property mapping rule into an object matching rule and create a copy of the property mapping rule, click Yes in the message dialog.

To create a new object matching rule

  1. Select the Mappings category.
  2. Select a mapping in the navigation view.
  3. Click in the rule view toolbar for object matching rules.
  4. Select a rule type and enter the rule details.
  5. Click OK.

One Identity Manager helps you to set up new object matching rules based on existing rules. Use the mapping wizard for this.

To create an object matching rule with the mapping wizard

  1. Select the Mappings category.
  2. Select a mapping in the navigation view.
  3. Click in the menu bar for the object matching rule view.
  4. Follow the mapping wizard's instructions.
  5. Test the new rule.

How to edit object matching rules

To edit an object matching rule

  1. Select the Mappings category.
  2. Select a mapping in the navigation view.
  3. Double-click on the object matching rule you want to edit.
  4. Edit the rule details.
  5. Click OK.

How to delete object matching rules

To delete an object matching rule

  1. Select the Mappings category.
  2. Select a mapping in the navigation view.
  3. Click in the rule view menu bar for object matching rules.
  4. Confirm the security prompt with Yes.