Identity Manager 9.2.1 - Target System Synchronization Reference Guide

Deleting property mapping rules

To delete a property mapping rule

  1. Select the Mappings category.

  2. In the navigation view, select a mapping.

  3. Click in the rule view menu bar for property mapping rules.

  4. Confirm the security prompt with Yes.

Property mapping rule details

Enter the following details for a property mapping rule.

Tip: To create a rule from a template, click .
Table 39: Property mapping rule details

Detail

Description

Rule types

Select the rule type for a new rule.

Value comparison rule

Compares the schema property value of the One Identity Manager schema with the value of a target system schema.

Multiple reference rule

Compares multi-value schema properties. The value lists are compared element by element. Missing values are added; superfluous values are deleted.

Rule name

Name of the rule. The rule name must be unique within a mapping.

Click to change rule names. The rule name is used as a key. Changes to the rule name may cause errors.

Display name

Rule display name.

Mapping direction

Specify the permitted mapping direction for mapping selected schema properties.

Both directions

The property mapping rule is applied both for synchronization in the direction of the target system and for synchronization in the direction of One Identity Manager.

To the target system

Property mapping rule is only used for synchronizing in the direction of the target system.

To the One Identity Manager

Property mapping rule is only used for synchronizing in the direction of the One Identity Manager.

Do not assign

The property mapping rule is ignored.

You can set this value to disable a property mapping rule.

Taken from mapping

The mapping direction that is fixed in the mapping applies.

Ignore mapping direction restrictions on adding

Specifies whether the given direction of mapping is ignored when new objects are added.

If this option is set, the property mapping rule can also be run if the synchronization mapping is in the opposite direction. Property mapping rules not assigned a mapping direction are also ignored when new objects are added.

If this option is not set, the specified mapping direction applies when new objects are added.

Example:

A telephone system is managed with One Identity Manager. The telephone system acts as the primary system when the telephone numbers are synchronized. The direction of mapping is set to One Identity Manager. The telephone number is a mandatory value in the target system.

In One Identity Manager, a new identity is added. Each identity is given an initial telephone number. These identities should be added to the target system by synchronizing them. So that the telephone numbers are written to the target system during synchronization, the Ignore mapping direction restrictions on adding option must be set on the property mapping rule.

For more information, see Detecting rogue modifications.

Description

Text field for additional explanation.

Concurrence behavior

Specifies whether the property mapping rule is always applied.

Objects in a connected system (synchronization target) that

  • Have been changed but the changes are not yet provisioned

  • Are in automatic processes that are not yet complete

  • Or are blocked in some other way

are excluded by default to avoid data conflicts. If possible, synchronization of these objects is repeated by the next synchronization run.

In rare cases, it may still be necessary to synchronize some properties of these objects immediately, to transfer safety-critical changes to the connected system, for example.

  • Apply rule: Applies the property mapping rule, overwriting any data changes.

    IMPORTANT:

    • Only select this option in exceptional cases. Afterward, check the data modifications that might be overwritten by this.

    • The setting only takes effect if Pre-processing is selected for collision detection in the start up configuration. Only then can collisions be detected before mapping takes place.

  • Do not apply rule: The property mapping rule is not run if the object is blocked for changes. If this option is enabled for all property mapping rules in the mapping, the object will be completely omitted and not handled by the synchronization.

    This corresponds to the default behavior.

For more information, see Concurrency behavior of synchronization objects.

Schema property

Select the schema properties to be mapped.

Do not overwrite

The schema property value is only changed by synchronization if the schema property does not contain a value.

Mapping condition

Condition under which the property mapping rule is used. The condition can be created with the wizard or stored as a script.

Use the Left and Right operators to reference the respective schema.

Left: Schema properties in the One Identity Manager's schema extension.

Right: Schema properties in the target system's schema extension.

  • To create the condition with the wizard, select the Condition and click Create condition. For more information, see Wizard for entering filters.

    Example: Left.CanonicalName = 'Managed Service Accounts'

    The property mapping rule is applied to all objects assigned to the container "Managed Service Accounts" in One Identity Manager.

  • To write the condition as a script, select Script and enter the script code. For more information, see Support for scripting.

    Example: If string.IsNullOrEmpty($Left::CanonicalName$) Then ...

Table 40: Additional detail of a value compare rule

Detail

Description

Force mapping against direction of synchronization

If this option is set, the property mapping rule can also be applied if the synchronization mapping is in the opposite direction. For more information, see Mapping against the direction of synchronization.

The option can only be set if:

  • Detecting rogue modifications is disabled.
  • The direction of mapping is Target system or One Identity Manager.

The property mapping rule may not be run in both directions.

Detecting rogue modifications

Specifies whether rogue modifications are identified and logged if the direction of synchronization is opposite to the mapping direction.

The option can only be set if:

  • The direction of mapping is Target system or One Identity Manager.
  • Force mapping against direction of synchronization is disabled.

If this option is set, rogue modifications are detected and logged. The log can be evaluated after synchronization. For more information, see Synchronization analysis.

If the option is not set, the property mapping rule is ignored by synchronization.

For more information, see Detecting rogue modifications.

Correct rogue modifications

Specifies whether rogue modifications are corrected if the direction of synchronization is opposite to the mapping direction.

The option can only be set if:

  • Detecting rogue modifications is enabled.
  • The direction of mapping is Target system or One Identity Manager.
  • Force mapping against direction of synchronization is disabled.

If the option is set, the property mapping rule is run by synchronization. The object property in the connected system is overwritten with the value from the primary system. Thus rogue changes are ignored.

If the option is not set, rogue changes are only logged.

For more information, see Detecting rogue modifications.

Multi-value sort order

Specifies whether the order in which the values of multi-valued schema properties are sorted must be respected when detecting rogue modifications.

  • Respect sort order: The order in which values are sorted is relevant. Rogue modification detection checks whether all values in both mapped schema properties are in the identical order.

  • Ignore sort order: The order in which the values are sorted is irrelevant. Rogue modification detection checks whether all values in both mapped schema properties exist irrespective of their sort order.

  • Automatic: The connector automatically determines whether the sort order is to be respected. This is determined by the schema property setting DPRSchemaProperty.IsMvpOrderSignificant=1, which can be overridden by the mapping.

This field is only displayed if all the following apply:

  • Both schema properties are multi-value

  • Force mapping against direction of synchronization is disabled

  • Detecting rogue modifications is enabled

  • Handle first property value as single value is disabled

For more information, see Detecting rogue modifications.

Ignore case

Specifies whether changes that only differ through case are ignored by the mapping. This option affects only schema properties with the String data type.

Deal with the first value of the property as a single value

If a multi-value schema property is mapped using a value compare rule, the first value from the value list is taken into account by synchronization.

Disable merge mode support

Specifies whether to disable merge mode for single provisioning of memberships in this property mapping rule. If the option is set, when memberships are provisioned and merge mode is enabled on the assignment table, the entire membership list is also transferred.

For more information, see Single membership provisioning.
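The following added example (not One Identity Manager code) models how a value comparison rule treats a difference found when the synchronization direction is opposite to the mapping direction, combining the Detecting rogue modifications, Correct rogue modifications, Ignore case and Multi-value sort order options described above. Option names and sample values are assumptions made for the illustration.

```python
"""Model of a value comparison rule's handling of a rogue modification.
Added illustration, not One Identity Manager code: a difference between the
primary system and the connected system is either ignored, only logged, or
corrected, depending on the rule options. Sample values are constructed."""
from dataclasses import dataclass
from typing import Any, Optional, Tuple

@dataclass
class RuleOptions:
    detect_rogue: bool = True          # Detecting rogue modifications
    correct_rogue: bool = False        # Correct rogue modifications (needs detect_rogue)
    ignore_case: bool = False          # Ignore case (String properties only)
    respect_sort_order: bool = True    # Multi-value sort order: Respect / Ignore

def _comparable(value: Any, opts: RuleOptions) -> Any:
    """Normalize a value so that == performs the configured comparison."""
    if isinstance(value, str):
        return value.casefold() if opts.ignore_case else value
    if isinstance(value, (list, tuple)):
        items = [_comparable(v, opts) for v in value]
        return items if opts.respect_sort_order else sorted(items)
    return value

def apply_rule(primary: Any, connected: Any, opts: RuleOptions) -> Tuple[Any, Optional[str]]:
    """primary: value from the system the mapping direction designates as source;
    connected: value found in the connected system during a run in the opposite
    direction. Returns the resulting connected value and a log line (or None)."""
    if opts.correct_rogue and not opts.detect_rogue:
        raise ValueError("Correct rogue modifications requires Detecting rogue modifications")
    if not opts.detect_rogue:
        return connected, None      # rule is ignored by synchronization in this direction
    if _comparable(primary, opts) == _comparable(connected, opts):
        return connected, None      # values agree: nothing to detect
    if opts.correct_rogue:
        return primary, f"rogue modification corrected: {connected!r} -> {primary!r}"
    return connected, f"rogue modification logged: connected {connected!r}, primary {primary!r}"

# Constructed sample: membership lists that differ only in their order.
MEMBERS_PRIMARY = ["CN=Alice,DC=example,DC=com", "CN=Bob,DC=example,DC=com"]
MEMBERS_CONNECTED = ["CN=Bob,DC=example,DC=com", "CN=Alice,DC=example,DC=com"]
```

With Respect sort order the two membership lists count as a rogue modification; with Ignore sort order they do not.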

Table 41: Additional detail of a multi-reference mapping rule

Member filter

Description

Only include these

Select all members in the value list to be mapped to the schema property of the connected system.

Exclude these

Select all members in the value list not to be mapped to the schema property of the connected system.

Testing property mapping rules

The functionality of property mapping rules can be tested on an object pair that meets the object matching criteria. Furthermore, the test can be run on a new object pair that does not contain any values. To run the test, change the properties of one of the objects. The test dialog shows what changes have been made in each system. The changed objects can be copied to the clipboard and used for further analysis.

The Test object matching rules... dialog shows all mapped schema properties from the selected mapping. The schema property values that have write access can be edited.

Table 42: Meaning of icons in the test dialog

Icon/Option

Meaning

Filters the list of object pairs that match the object matching rules.

Discards all changes made to the objects.

Copies objects to the clipboard.

Automatic

Specifies whether the mapping is run automatically once a value changes.

If a value in the target system object has changed, mapping is carried out in One Identity Manager and vice versa. This applies all the property mapping rules.

Maps to One Identity Manager. This applies all the property mapping rules.

Maps to the target system. This applies all the property mapping rules.

Close

Closes the test dialog.

To test property mapping rules with a new object pair

  1. In the Synchronization Editor, select the Mappings category.

  2. Select a mapping in the navigation view.

  3. In the property mapping rule view's toolbar, click .

    This opens the Test property mapping rules dialog and displays empty object properties.

  4. Enter values for the target system object.

    • Click or map automatically.

      All changes caused by the property mapping rules are displayed on the database side.

  5. Enter values for the database object.

    • Click or map automatically.

      All changes caused by the property mapping rules are displayed on the target system side.

To test property mapping rules with a fixed object pair

  1. In the Synchronization Editor, select the Mappings category.

  2. Select a mapping in the navigation view.

  3. In the object matching rule view's toolbar, click .

  4. In the Test object matching rules dialog, double-click the object pair you want to test with property mapping rules.

    This opens the Test property mapping rules dialog and displays the object properties of the selected object pair. The Test object pairs section shows all the object pairs that meet the object matching criteria.

  5. (Optional) To run the test with a different object pair, double-click an object pair in the Test object pairs section.

  6. Change the target system object's properties.

    • Click or map automatically.

      All changes caused by the property mapping rules are displayed on the database side.

  7. Change the database object's properties.

    • Click or map automatically.

      All changes caused by the property mapping rules are displayed on the target system side.

Editing object matching rules

Object matching rules assign schema properties through which system objects can be uniquely identified. For example, Active Directory groups can be uniquely identified by the DistinguishedName and ObjectGUID schema properties.

Object matching rules can be added or created from property mapping rules. If system objects can only be identified through several schema properties, different property mapping rules can be linked with logical operators to form an object matching rule.

NOTE: Using object matching rules of this type can slow down synchronization. Instead, use a virtual schema property to link the schema properties required for matching and create an object matching rule with it.

If several object matching rules are set up, they are run in the order in which they are listed in the rule view. The rule at the top is the primary rule; all others are marked as alternatives. If a system object can be identified uniquely by the primary rule, the alternative rules are not run. If a system object cannot be identified by the primary rule, One Identity Manager uses the next alternative rule to determine a suitable system object. If none of the rules can identify a suitable system object, the object has no partner and is handled as new or deleted.

Example

The following object matching rules are defined for mapping Active Directory groups:

  • Object GUID <-> Object GUID (primary rule)
  • Distinguished name <-> Obj-Dist-Name (alternative rule)
  • Object SID <-> Object-Sid (alternative rule no. 2)

Properties of an Active Directory group are modified in One Identity Manager. During provisioning, the Active Directory connector tries to identify the group in the target system by using the object GUID. It does not find an object with this object GUID so the alternative object matching rule is applied. The connector identifies an object with the same distinguished name and updates this object in the target system.

NOTE:

  • Object matching rules must use schema properties with read-access. Write-only schema properties are not suitable for identification of system objects.

  • Schema properties used to identify system objects must contain a value. If a schema property is empty, the object matching rule is ignored and the next alternative rule is applied.

  • If several system objects that fulfill the matching criteria are found, a message appears in the synchronization log. These objects are ignored as processing continues.

    If several system objects are found, either there is corrupt data in the connected systems or the matching criteria are not unique. Clean up the data in the connected systems and adjust the object matching rules.
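As an added example (not One Identity Manager code), the following model runs the three object matching rules from the Active Directory group example above in order, skipping a rule whose schema property is empty, stopping at a unique match, and logging ambiguous matches as the NOTE describes. The property names on both sides and all sample objects are constructed for the illustration; whether an alternative rule is still tried after an ambiguous match is not stated in the guide, and the model assumes it is not.

```python
"""Model of ordered object matching rules (primary rule, then alternatives).
Added illustration, not One Identity Manager code. A rule whose left-hand
property is empty is skipped; a unique hit ends the search; several hits are
logged and leave the object unmatched (assumption: no further alternative is
tried); no hit by any rule means the object is handled as new or deleted."""
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class MatchResult:
    partner: Optional[dict] = None   # uniquely identified connected system object
    rule: Optional[str] = None       # name of the rule that produced the match
    log: List[str] = field(default_factory=list)  # constructed log lines

def match_object(left: dict, targets: List[dict], rules) -> MatchResult:
    """left: One Identity Manager object; targets: connected system objects;
    rules: ordered (rule name, left property, right property) tuples."""
    result = MatchResult()
    for name, lprop, rprop in rules:
        key = left.get(lprop)
        if key in (None, ""):
            result.log.append(f"{name}: {lprop} is empty, rule ignored")
            continue
        hits = [t for t in targets if t.get(rprop) == key]
        if len(hits) == 1:
            result.partner, result.rule = hits[0], name
            return result
        if hits:
            result.log.append(f"{name}: {len(hits)} objects match, objects ignored")
            return result
        result.log.append(f"{name}: no object found, trying next alternative")
    result.log.append("no partner found: object handled as new or deleted")
    return result

# Rules from the guide's Active Directory group example; the property names
# on both sides and all sample values below are constructed for this illustration.
RULES = [
    ("Object GUID <-> Object GUID", "ObjectGUID", "objectGUID"),
    ("Distinguished name <-> Obj-Dist-Name", "DistinguishedName", "distinguishedName"),
    ("Object SID <-> Object-Sid", "ObjectSID", "objectSid"),
]
TARGETS = [
    {"objectGUID": "guid-0001", "distinguishedName": "CN=Admins,OU=Groups,DC=example,DC=com",
     "objectSid": "S-1-5-21-1-1-1-1101"},
    {"objectGUID": "guid-0002", "distinguishedName": "CN=Staff,OU=Groups,DC=example,DC=com",
     "objectSid": "S-1-5-21-1-1-1-1102"},
]
# Group modified in One Identity Manager whose GUID is not yet known in the target.
MODIFIED_GROUP = {"ObjectGUID": "guid-9999",
                  "DistinguishedName": "CN=Admins,OU=Groups,DC=example,DC=com",
                  "ObjectSID": "S-1-5-21-1-1-1-1101"}
```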
