Identity Manager 9.1.1 - Target System Synchronization Reference Guide

Changing a membership label

To record whether a membership has changed, the base table of the assignment stores the date of the last membership change in the Dependencies modification date column (XDateSubItem). During provisioning of modified memberships, One Identity Manager decides which objects must be updated based on this date. In the case of synchronization with revision filtering, the highest value from XDateSubItem and XDateUpdated is used as the revision counter for the database objects.

If a membership is changed in One Identity Manager, the change date for dependencies must be updated so that the modification can be provisioned.

Prerequisites

  • The base table has the XDateSubItem column.

  • The Update dependencies modification date property is true in the table relation between assignment and base table (QBMRelation.IsForUpdateXDateSubItem = TRUE).

Figure 13: Memberships in the One Identity Manager database

If a membership changes (through insertion, deletion, or resetting of status "Outstanding"), a task for updating the XDateSubItem column of the base table is queued in the DBQueue (QBM-K-XDateSubItemUpdate). If necessary, more processing tasks, for example, calculating inheritance, are queued in the DBQueue. These tasks are handled first. The QBM-K-XDateSubItemUpdate task is deferred until all the processing tasks for the modified object and the module to which it belongs have been handled. If other memberships in this module are changed in the meantime, these changes are collected by the existing task for updating the XDateSubItem column and subsequently handled together. Once the QBM-K-XDateSubItemUpdate task is run, an update task for the XDateSubItem column is queued in the Job queue. The column value is updated. The task for provisioning changed memberships is then placed in the Job queue.

Figure 14: Processing a membership change in One Identity Manager

Example

An Active Directory user account's membership in an Active Directory group is deleted in One Identity Manager (ADSAccountInADSGroup table). The change date for dependencies is updated on the Active Directory group (ADSGroup.XDateSubItem). The change to the membership for this Active Directory group is provisioned in the target system. The next time synchronization with revision filtering is run, XDateSubItem is taken as the highest change date for the revision counter and is compared to the schema type's revision in the target system schema.

Single membership provisioning

During the membership provisioning, changes made in the target system will probably be overwritten. This behavior can occur under the following conditions:

  • Memberships are saved as an object property in list form in the target system.

    Examples: List of user accounts in the Member property of a group - OR - List of profiles in the MemberOf property of a user account

  • Memberships can be modified in either of the connected systems.

  • A provisioning workflow and provisioning processes are set up.

If one membership in One Identity Manager changes, by default, the complete list of members is transferred to the target system. Therefore, memberships that were previously added to the target system are removed in the process and previously deleted memberships are added again.

To prevent this, provisioning can be configured such that only the modified membership is provisioned in the target system. To do this, you must set the Merge mode option on the assignment table (DPRNameSpaceHasDialogTable.IsAdHocSingleMemberShip = TRUE). For more information about setting this option, see the administration guides for connecting to each target system.

Additional processing steps are run for tables with this option enabled.

  1. A task is set up in the DBQueue Processor to update the DPRMemberShipAction table. This table contains the modified objects and operations to be run.
  2. The membership list of modified objects is compared to the DPRMemberShipAction table. As a result, if only one membership changes, the entire members list in the target system does not have to be updated. Only the modified memberships are transferred to the members list. Changes to memberships of the modified object that were made in the target system in the meantime are therefore not overwritten.
  3. Once the change has been successfully provisioned in the target system, the entry is deleted from the DPRMemberShipAction table. If an error occurs during provisioning, the entry remains in the table.

Table 27: Handling entries in the DPRMemberShipAction table

| Provisioning process | Entry in DPRMemberShipAction | Comment |
|----------------------|------------------------------|---------|
| Success              | Deleted                      |         |
| Fail                 | Remains intact               | A new modification to the object is reprocessed by provisioning and deleted on success. |
| Re-enabled           | Reprocessed                  |         |
| Failed and deleted   | Remains intact               | Deleted during daily maintenance. |

During these maintenance jobs, all entries without a provisioning task in the Job queue are deleted.

NOTE: The complete members list is updated by synchronization. During this process, objects with changes but incomplete provisioning are not handled. These objects are logged in the synchronization log.
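
The difference between transferring the complete members list and provisioning in merge mode can be shown with a small model. The following is an added example, not One Identity Manager code: the Action tuple is a constructed stand-in for an entry in the DPRMemberShipAction table, and all function names, member names, and sample data are assumptions made for illustration.

```python
# Added illustration: a simplified model, not One Identity Manager code.
from typing import NamedTuple

class Action(NamedTuple):
    """Constructed stand-in for one DPRMemberShipAction entry."""
    member: str
    operation: str  # "add" or "remove"

def provision_full_list(oneim_members, target_members):
    """Default behaviour: the complete list from One Identity Manager
    replaces whatever the target system currently holds."""
    return set(oneim_members)

def provision_merge_mode(actions, target_members, failing=()):
    """Merge mode: apply only the recorded changes to the target's list.
    Returns (new target list, entries that remain after a failure)."""
    members, remaining = set(target_members), []
    for action in actions:
        if action.member in failing:      # simulated provisioning error
            remaining.append(action)      # entry stays for reprocessing
        elif action.operation == "add":
            members.add(action.member)
        elif action.operation == "remove":
            members.discard(action.member)
        else:
            raise ValueError(f"unknown operation: {action.operation}")
    return members, remaining

def reverted_by_full_list(oneim_members, target_members, actions):
    """Target-side changes a full-list transfer would silently undo."""
    intended = {a.member for a in actions}
    dropped = set(target_members) - set(oneim_members) - intended
    re_added = set(oneim_members) - set(target_members) - intended
    return dropped, re_added

# Constructed sample: carol was removed in One Identity Manager; meanwhile,
# dave was added and bob was deleted directly in the target system.
ONEIM = {"alice", "bob"}
TARGET = {"alice", "carol", "dave"}
ACTIONS = [Action("carol", "remove")]

if __name__ == "__main__":
    print("full list :", sorted(provision_full_list(ONEIM, TARGET)))
    print("merge mode:", sorted(provision_merge_mode(ACTIONS, TARGET)[0]))
    print("reverted  :", reverted_by_full_list(ONEIM, TARGET, ACTIONS))
```

In this model the full-list transfer removes dave and adds bob back, while merge mode removes only carol and leaves both target-side changes in place.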

Performance and memory optimization

During synchronization, data packets are loaded into memory to process synchronization objects in parallel. The size of these data packets can be increased to speed up synchronization, but this requires more memory. By default, the size of the data packet is selected such that the ratio of memory to performance is balanced out. However, memory issues can still occur during synchronization. This often depends on the configuration of the system environment, the amount of data to synchronize, and the exact synchronization configuration. You can control memory usage to avoid such problems. The degree of change is determined with the performance/memory factor.

The performance/memory factor can be set for each synchronization step separately because the amount of data varies from object to object. The first thing to do if a memory problem occurs during synchronization is to find the affected synchronization step. Reduce the performance/memory factor for this synchronization step until you find the optimal balance between memory requirements and performance.

To adjust the performance/memory factor for a synchronization step

  1. Edit the synchronization step properties.

    For more information, see How to edit synchronization steps.

  2. Select the Extended tab.
  3. Use the slider to set the performance/memory factor.
    • Move the slider to the left to reduce memory usage. This reduces performance.

      - OR -

    • To increase performance, move the slider to the right. This requires more memory.
  4. Click OK.

TIP: You can adjust the memory requirements for all the data to be processed in the start-up configuration. You can set the reload threshold, partition size, and bulk level here. These settings are only possible in expert mode. For more information, see Extended properties for start up configuration.

The performance/memory factor specifies the percentage with which the reload threshold, partition size, and bulk level are applied to an object type.

Improving loading performance

To improve performance when loading a synchronization project, you can save the synchronization project’s configuration data as a shadow copy in the One Identity Manager database. After that, the synchronization project is only loaded from the shadow copy. The project loads noticeably faster. The shadow copy is saved in the Configuration data column (DPRShell.ShadowCopy).

If you want to use this option, take note of the following:

  • The shadow copy does not contain any changes that were made directly in the database and not in the Synchronization Editor.

  • If the One Identity Manager database is encrypted or decrypted with the Crypto Configuration program, the shadow copy is deleted.

  • If changes to the synchronization project in another database are exported, the shadow copy is deleted in the other database. This ensures that the shadow copy does not contain outdated configuration data.

    Prerequisite: The transport package was created with the Transport of synchronization projects export criteria.

  • If the Enable shadow copy option is set, the daily maintenance tasks check whether a shadow copy is saved or not. If the shadow copy is missing, it is created.

To enable the shadow copy

  1. Edit the synchronization project’s properties.

  2. On the General tab, set the Enable shadow copy option.
  3. (Optional) If the shadow copy only needs to be created when the synchronization project is active, set the Only if the synchronization project is active option.
  4. Click OK.