
Identity Manager 9.1 - Target System Synchronization Reference Guide

Synchronization Editor communications

A server installed with the One Identity Manager Service and, if necessary, other target system specific software, is required for synchronization. This server (named the synchronization server in the following) requires direct access to the target system. The synchronization server communicates directly with the One Identity Manager database by default. You can also set up a connection over an application server for this.

Figure 4: Communication paths for synchronization

To configure synchronization with a target system, One Identity Manager must load the data from the target system. One Identity Manager communicates directly with the target system to do this. Sometimes direct access from the workstation on which the Synchronization Editor is installed is not possible, for example because of the firewall configuration, or because the workstation does not meet the necessary hardware and software requirements. If direct access is not possible from the workstation, you can set up a remote connection.

Figure 5: Communication paths for synchronization project configuration

How are schemas mapped?

To synchronize a target system with the One Identity Manager database, you must first map the data models of both systems to each other. The data models (schemas) are different for each system. They must be extended in such a way that they can be uniquely mapped.

One Identity Manager distinguishes between four sorts of schema: One Identity Manager schema, target system schema, connector schema, extended schema. Each schema is characterized by schema types and schema properties. You can extend a schema with schema classes and schema properties so that it can be mapped uniquely.

How the schemas are mapped to each other is defined in mappings. Mappings group together the rules used to map the schema properties of two connected systems. Object matching rules assign the schema properties through which system objects can be uniquely identified. Property mapping rules describe how the target system schema properties are mapped in the One Identity Manager schema.

Figure 6: Schema mapping

Table 21: Terms for schema mapping

Schema
    Data model of a connected system. The schema describes all the main data from the connected system.

    One Identity Manager distinguishes between four sorts of schema: One Identity Manager schema, target system schema, connector schema, extended schema.

One Identity Manager schema
    The One Identity Manager data model.

Target system schema
    Data model of a specific target system.

Connector schema
    The system connector extends the target system schema with additional information that is required for mapping in the Synchronization Editor. This includes:
    • Information about which schema properties map memberships
    • Information about which schema properties represent references to other objects
    • Virtual properties that the system connector creates

    If a target system does not deliver its own schema, the system connector generates the connector schema from the imported data structure, for example, when the CSV connector imports CSV files.

Extended schema
    A schema can be customized in the Synchronization Editor, for example, to allow or simplify the mapping of complex schema properties. The following options are available:
    • Add new schema classes
    • Define user-specific virtual schema properties
    • Derive schema properties

    The modified schema is labeled "extended schema".

Schema type
    Defines an object type within a schema. A schema type refers to exactly one table or view of a database-based schema, or to exactly one object type of a non-database-based schema.

Schema class
    Subset of a schema type. The result list of a schema type is filtered by defined criteria, which limits the number of objects found.

    Example: Active Directory contacts (schema class) are Active Directory user accounts (schema type) with object class = 'CONTACT' (filter criterion).

Schema property
    Property of a schema type. A schema property refers to exactly one column of a table or view of a database-based schema, or to exactly one object type property of a non-database-based schema. There are two sorts of schema property:
    • Schema properties of schema types from the target system schema and the One Identity Manager schema
    • Virtual schema properties,
        • added by the system connector to extend the target system schema or the One Identity Manager schema
        • added by the user to extend the connector schema or the One Identity Manager schema

Virtual schema properties
    Schema class properties added by the system connector or the user.

    Virtual schema properties extend the basic schema with additional data required for the mapping. You can use virtual schema properties to represent combinations of schema properties, as well as processing step results, as schema properties.

Object matching rule
    Specifies how a concrete object of a target system schema class is related to a concrete object of a One Identity Manager schema class. An object matching rule names the target system schema property by which target system objects can be uniquely identified.

Property mapping rule
    Describes how a target system schema property is mapped in the One Identity Manager schema.
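The following added example is not One Identity Manager code and does not use its API; it is an illustrative model of the two rule kinds in the table. An object matching rule pairs target system objects with database objects by one uniquely identifying property, and property mapping rules describe how each target system schema property lands in the One Identity Manager schema. The Active Directory-style sample objects are constructed, and the database-side property names (ObjectGUID, SAMAccountName, AccountDisabled, DistinguishedName) are assumed for the illustration.

```python
from dataclasses import dataclass
from typing import Any, Callable


@dataclass
class PropertyMappingRule:
    """How one target system schema property is mapped into the One Identity Manager schema."""
    target_property: str
    oim_property: str
    transform: Callable[[Any], Any] = lambda value: value  # optional conversion of the value


@dataclass
class ObjectMatchingRule:
    """The schema properties whose equal values identify the same object in both systems."""
    target_property: str
    oim_property: str


@dataclass
class Mapping:
    matching: ObjectMatchingRule
    rules: list[PropertyMappingRule]


def match_objects(mapping: Mapping, target_objects: list[dict], oim_objects: list[dict]):
    """Pair target system objects with database objects by the object matching rule.
    Returns (pairs, target_only, database_only)."""
    index = {}
    for obj in oim_objects:
        key = obj[mapping.matching.oim_property]
        if key in index:
            # The matching property has to identify objects uniquely; a duplicate makes the mapping ambiguous.
            raise ValueError(f"object matching rule is ambiguous for key {key!r}")
        index[key] = obj
    pairs, target_only = [], []
    for obj in target_objects:
        partner = index.pop(obj[mapping.matching.target_property], None)
        if partner is None:
            target_only.append(obj)
        else:
            pairs.append((obj, partner))
    return pairs, target_only, list(index.values())


def map_properties(mapping: Mapping, target_object: dict) -> dict:
    """Apply the property mapping rules to one target object and return the mapped values."""
    return {rule.oim_property: rule.transform(target_object[rule.target_property])
            for rule in mapping.rules if rule.target_property in target_object}


# Constructed Active Directory-style sample. The property names on the database side
# (ObjectGUID, SAMAccountName, AccountDisabled, DistinguishedName) are assumed for the illustration.
ACCOUNT_DISABLE = 0x0002  # bit in Active Directory's userAccountControl attribute

AD_MAPPING = Mapping(
    matching=ObjectMatchingRule("objectGUID", "ObjectGUID"),
    rules=[
        PropertyMappingRule("sAMAccountName", "SAMAccountName"),
        PropertyMappingRule("distinguishedName", "DistinguishedName"),
        PropertyMappingRule("userAccountControl", "AccountDisabled",
                            lambda uac: bool(uac & ACCOUNT_DISABLE)),
    ],
)
TARGET = [
    {"objectGUID": "guid-1", "sAMAccountName": "alice", "userAccountControl": 512,
     "distinguishedName": "CN=alice,OU=abc,DC=xyz,DC=local"},
    {"objectGUID": "guid-2", "sAMAccountName": "bob", "userAccountControl": 514,
     "distinguishedName": "CN=bob,OU=def,DC=xyz,DC=local"},
    {"objectGUID": "guid-3", "sAMAccountName": "carol", "userAccountControl": 512,
     "distinguishedName": "CN=carol,OU=ghi,DC=xyz,DC=local"},
]
DATABASE = [
    {"ObjectGUID": "guid-1", "SAMAccountName": "alice"},
    {"ObjectGUID": "guid-2", "SAMAccountName": "bob"},
    {"ObjectGUID": "guid-9", "SAMAccountName": "orphan"},  # known only to the database
]


def synchronization_preview(mapping: Mapping, target_objects: list[dict], oim_objects: list[dict]) -> dict:
    """Classify objects by the matching rule and compute the mapped values for each."""
    pairs, target_only, db_only = match_objects(mapping, target_objects, oim_objects)
    return {
        "update": {db["SAMAccountName"]: map_properties(mapping, t) for t, db in pairs},
        "insert": [map_properties(mapping, t) for t in target_only],
        "database_only": [db["ObjectGUID"] for db in db_only],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(synchronization_preview(AD_MAPPING, TARGET, DATABASE), indent=2))
```

The point of the uniqueness check in match_objects is the one the table makes: a matching property that does not identify objects uniquely leaves the pairing ambiguous, so the model refuses it rather than silently picking one partner.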
What are filters?

You can define different filters in the Synchronization Editor. You can use filters to define the scope of a synchronization project, to define schema classes, or to create virtual schema properties. There are three sorts of filter that differ in their effect and in the way they are defined. The number of objects to be synchronized can also be limited by a revision filter.

Table 22: Sorts of filter

System filter
    This filter limits the number of objects to load from the connected system. It is more effective than the object filter and object matcher because the system connector only loads the objects that are really required. Multiple filter criteria cannot be linked with logical operators.

    The filter is given in system-specific notation, for example, as an LDAP filter for an LDAP system.

    The following connected systems support system filters: Active Directory, LDAP, One Identity Manager databases.

    A special form of the system filter is the hierarchy filter. The hierarchy filter is built from the target system's real objects: all objects to be filtered are selected from the object hierarchy.

    The hierarchy filter can be used in the scope definition of certain target systems.

Object filter
    This filter affects objects that are already loaded. All schema properties of the schema can be used as filter criteria and linked with logical operators.

    The filter is formulated as a query applied to loaded objects. It can be used when the scope is defined and by virtual schema properties.

Object selection
    This filter affects objects that are already loaded. All schema properties of the schema can be used as filter criteria and linked with logical operators. To ensure that the filter returns the desired results when provisioning single objects, you must add additional system filter criteria to the filter condition.

    The filter is formulated as a query applied to loaded objects. It is used in the schema class definition.

Revision filter
    This filter determines all objects that have changed since the last synchronization run; the deciding factor is a change to the revision property.

    The filter can be applied to workflows and start up configurations.

It is recommended that you combine a system filter with an object filter or schema class filter, so that you benefit from the advantages of each sort of filter.

If scope, schema class, and virtual schema property filters are defined in the synchronization configuration and revision filtering is permitted, the number of objects to be synchronized results from the combination of all filters.

Figure 7: Effects of the filter

Variables can be used in the filter conditions. This enables the same synchronization project to be used for synchronizing different target systems or different objects within the same target system.

What is a scope?

The scope specifies which parts of the connected system should be synchronized. The scope is set for the target system to be synchronized as well as for the One Identity Manager schema. If no scope is defined, all objects in the connected system are synchronized.

Example:

Active Directory domains "xyz" and "uvw" are managed through One Identity Manager. The containers "abc", "def", and "ghi" from the Active Directory domain "xyz" should be synchronized. A scope is defined for the target system connection and the One Identity Manager database connection which filters only these objects. The Active Directory domain "uvw" should initially not be synchronized.

Figure 8: Example for scope definition

To specify a scope, define a system filter and object filter.

Hierarchy filter

Some target systems offer an additional option to specify the scope: the hierarchy filter. This filter limits the number of objects to load in the connected system. It is therefore effectively the same as a system filter. The hierarchy filter is built based on the target system's real objects. The objects are displayed in their hierarchical structure. All objects included in the scope are marked in the hierarchy. All objects that are not marked remain outside the scope and are not included in the synchronization. The hierarchy filter can only be applied to objects and not to their schema properties. Create an additional object filter to include schema properties as criteria in the scope definition.

A fully defined hierarchy filter can be transformed into a variable. Thus the filter can be redefined in a specialized variable set and used for other synchronization configurations.
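The following added example is not One Identity Manager code; it models, on constructed data, how the filters described under "What are filters?" and the hierarchy filter above combine into the set of objects to be synchronized. It takes the scope example (containers "abc", "def", and "ghi" of domain "xyz"; domain "uvw" left out) and adds a container "jkl" and a nested container "sub" for illustration. A hierarchy filter marks containers and decides which objects are loaded at all; it cannot look at schema properties, so a schema class filter, an object filter on a property, and a revision filter are then applied to the loaded objects. The distinguished names, the object classes, and the timestamps are all constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Iterable


@dataclass(frozen=True)
class TargetObject:
    dn: str             # distinguished name: encodes the object's place in the hierarchy
    object_class: str   # "user" or "contact"; the schema class definition filters on it
    enabled: bool       # an ordinary schema property, usable in an object filter
    modified: datetime  # revision property consulted by the revision filter


# Constructed sample data.
LAST_RUN = datetime(2024, 3, 1, tzinfo=timezone.utc)
BEFORE = datetime(2024, 2, 1, tzinfo=timezone.utc)
AFTER = datetime(2024, 3, 15, tzinfo=timezone.utc)
SAMPLE = [
    TargetObject("CN=alice,OU=abc,DC=xyz,DC=local", "user", True, AFTER),
    TargetObject("CN=bob,OU=def,DC=xyz,DC=local", "user", False, AFTER),
    TargetObject("CN=carol,OU=ghi,DC=xyz,DC=local", "contact", True, BEFORE),
    TargetObject("CN=dave,OU=jkl,DC=xyz,DC=local", "user", True, AFTER),       # container not marked
    TargetObject("CN=erin,OU=abc,DC=uvw,DC=local", "user", True, AFTER),       # other domain
    TargetObject("CN=frank,OU=sub,OU=abc,DC=xyz,DC=local", "user", True, BEFORE),  # nested below "abc"
]
MARKED_CONTAINERS = ["OU=abc,DC=xyz,DC=local", "OU=def,DC=xyz,DC=local", "OU=ghi,DC=xyz,DC=local"]


def _rdns(dn: str) -> list[str]:
    # Simplified DN handling: the sample DNs contain no escaped commas.
    return [part.strip().lower() for part in dn.split(",")]


def is_under(dn: str, container_dn: str) -> bool:
    """True when dn lies anywhere below container_dn (the container's RDNs are a proper suffix)."""
    obj, container = _rdns(dn), _rdns(container_dn)
    return len(obj) > len(container) and obj[-len(container):] == container


def hierarchy_filter(objects: Iterable[TargetObject], marked: list[str]) -> list[TargetObject]:
    """Hierarchy (system) filter: only objects under a marked container are loaded at all."""
    return [o for o in objects if any(is_under(o.dn, c) for c in marked)]


def schema_class_filter(objects: Iterable[TargetObject], object_class: str) -> list[TargetObject]:
    """Schema class: the schema type's result list narrowed by a fixed criterion."""
    return [o for o in objects if o.object_class == object_class]


def object_filter(objects: Iterable[TargetObject], predicate: Callable[[TargetObject], bool]) -> list[TargetObject]:
    """Object filter: arbitrary criteria over loaded objects, freely combinable with logical operators."""
    return [o for o in objects if predicate(o)]


def revision_filter(objects: Iterable[TargetObject], last_run: datetime) -> list[TargetObject]:
    """Revision filter: keep only objects whose revision property changed after the last run."""
    return [o for o in objects if o.modified > last_run]


def objects_to_synchronize(objects, marked, object_class, predicate, last_run):
    """Apply the system-side filter first, then the filters on loaded objects, and report each stage's count."""
    counts = {}
    remaining = hierarchy_filter(objects, marked)
    counts["scope (hierarchy filter)"] = len(remaining)
    remaining = schema_class_filter(remaining, object_class)
    counts["schema class"] = len(remaining)
    remaining = object_filter(remaining, predicate)
    counts["object filter"] = len(remaining)
    remaining = revision_filter(remaining, last_run)
    counts["revision filter"] = len(remaining)
    return counts, [o.dn for o in remaining]


if __name__ == "__main__":
    counts, dns = objects_to_synchronize(SAMPLE, MARKED_CONTAINERS, "user", lambda o: o.enabled, LAST_RUN)
    for stage, n in counts.items():
        print(f"{stage:28} {n}")
    print("to synchronize:", dns)
```

Running it shows the narrowing the text describes: six objects exist, the hierarchy filter loads four (the nested "sub" container counts because it lies below the marked "abc"), the schema class keeps the three user accounts, the object filter on the enabled property keeps two, and the revision filter leaves the single account changed since the last run.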

Reference scope

References to objects in different target systems can be mapped in the One Identity Manager database. To resolve these references, the target system scope must be extended to include the referenced target systems. For this, you can additionally define a reference scope for each system connection. You can enter the reference scope for the database in the same way. This means that references to parts of the One Identity Manager database that are not included in the general scope can be resolved.

If no reference scope is defined, the general scope is also used for the reference resolution.

Example

Active Directory domains "xyz" and "uvw" are trusted domains. User accounts from both domains are members in Active Directory groups in the Active Directory domain "xyz". Define a reference scope to assign referenced user accounts of the domain "uvw" during group membership synchronization. In the reference scope, specify that referenced objects should also be searched for in the Active Directory domain "uvw".

If you have not defined a reference scope, Active Directory SIDs are determined for Active Directory domain "uvw" user accounts during Active Directory domain "uvw" group membership synchronization and entered in the One Identity Manager data store.
