
Identity Manager 9.2 - Administration Guide for Connecting to Custom Target Systems


Post-processing outstanding objects

Objects from custom target systems can be loaded into the One Identity Manager database at regular intervals by custom processes. If objects do not exist in the target system, you can either delete them directly in the One Identity Manager database or mark them as outstanding. For more information, see the One Identity Manager Target System Synchronization Reference Guide.

Objects that do not exist in the target system can be marked as outstanding in One Identity Manager during synchronization. This prevents objects from being deleted because of an incorrect data situation or an incorrect synchronization configuration.

Outstanding objects:

  • Cannot be edited in One Identity Manager.

  • Are ignored by subsequent synchronizations.

  • Are ignored by inheritance calculations.

This means that all memberships and assignments remain intact until the outstanding objects have been processed.

Start target system synchronization to do this.

To allow post-processing of outstanding objects

  • Configure target system synchronization on the target system type of the target system to be synchronized.


Adding custom tables to the target system synchronization

To post-process outstanding objects, assign the target system type of the custom target system to the tables that can contain outstanding objects. Specify the tables for which outstanding objects can be published in the target system during post-processing.

To add tables to target system synchronization

  1. In the Manager, select the Custom Target Systems > Basic configuration data > Target system types category.

  2. In the result list, select the target system type of the custom target system.

  3. Select the Assign synchronization tables task.

  4. In the pane, assign the custom tables whose outstanding objects you want to handle.

  5. Save the changes.

  6. Select the Configure tables for publishing task.

  7. Select the tables that contain the outstanding objects that can be published in the target system and set the Publishable option.

  8. Save the changes.

To publish outstanding objects

  1. Create processes that perform provisioning of objects for:

    • Simple tables

    • Assignment tables that contain additional information, such as a valid-from date

    Use the AdHocProjection process task of the ProjectorComponent process component.

    For more information about defining processes, see the One Identity Manager Configuration Guide.

  2. Create the HandleOutstanding event for these processes.

For memberships mapped to simple assignment tables, the Dependencies modified on value (XDateSubItem column) is changed on the base table of the mapping when publishing. This triggers the default update process that is set up for this base table. For more information about change labeling for memberships, see the One Identity Manager Target System Synchronization Reference Guide.

For more information, see Setting up scripted data provisioning in a custom target system.

NOTE: If you use the CSV connector for provisioning, ensure that the CSV connector has write access to the CSV files. This means that the Connection is read-only option must not be set for the target system connection. For more information, see the One Identity Manager Target System Synchronization Reference Guide.

Post-processing outstanding objects

To post-process outstanding objects

  1. In the Manager, select the Custom Target Systems > Basic configuration data > Target system synchronization: <target system> category.

    All tables assigned to the target system type are displayed in the navigation view.

  2. On the Target system synchronization form, in the Table / object column, open the node of the table for which you want to post-process outstanding objects.

    All objects that are marked as outstanding are shown. The Last log entry and Last method run columns display the time at which the last entry was made in the synchronization log and which processing method was run. The No log available entry can mean the following:

    • The synchronization log has already been deleted.

      - OR -

    • An assignment from a member list has been deleted from the target system.

      The base object of the assignment was updated during the synchronization. A corresponding entry appears in the synchronization log. The entry in the assignment table is marked as outstanding, but there is no entry in the synchronization log.

    • An object that contains a member list has been deleted from the target system.

      During synchronization, the object and all corresponding entries in the assignment tables are marked as outstanding. However, an entry in the synchronization log appears only for the deleted object.

    TIP:

    To display object properties of an outstanding object

    1. Select the object on the target system synchronization form.

    2. Open the context menu and click Show object.

  3. Select the objects you want to rework. Multi-select is possible.

  4. Click on one of the following icons in the form toolbar to run the respective method.

    Table 5: Methods for handling outstanding objects

    • Delete

      The object is immediately deleted from the One Identity Manager database. Deferred deletion is not taken into account.

      Indirect memberships cannot be deleted.

    • Publish

      The object is added to the target system. The Outstanding label is removed from the object.

      This runs a target system specific process that triggers the provisioning process for the object.

      Prerequisites:

      - The table containing the object can be published.

      - The target system connector has write access to the target system.

    • Reset

      The Outstanding label is removed for the object.

    TIP: If a method cannot be run due to certain restrictions, the respective icon is disabled.

    • To display the constraint's details, click the Show button in the Constraints column.

  5. Confirm the security prompt with Yes.

NOTE: By default, the selected objects are processed in parallel, which speeds up the selected method. If an error occurs during processing, the action is stopped and all changes are discarded.

To localize errors, bulk processing of objects must be disabled, which means the objects are processed sequentially. Failed objects are named in the error message. All changes that were made up until the error occurred are saved.

To disable bulk processing

  • Disable the icon in the form's toolbar.


Managing user accounts and identities

The main feature of One Identity Manager is to map identities together with the main data and permissions available to them in different target systems. To achieve this, information about user accounts and permissions can be read from the target system into the One Identity Manager database and linked to identities. This provides an overview of the permissions for each identity in all of the connected target systems. One Identity Manager offers the option of managing user accounts and their permissions. You can provision modifications in the target systems. Identities are supplied with the necessary permissions in the connected target systems according to their function in the company. Regular synchronization keeps data consistent between target systems and the One Identity Manager database.

Because requirements vary between companies, One Identity Manager offers different methods for supplying user accounts to identities. One Identity Manager supports the following methods for linking identities and their user accounts:

  • Identities can automatically obtain their account definitions using user account resources.

    If an identity does not yet have a user account in a target system, a new user account is created. This is done by assigning account definitions to an identity using the integrated inheritance mechanisms and subsequent process handling.

    When you manage account definitions through user accounts, you can specify the way user accounts behave when identities are enabled or deleted.

  • When user accounts are inserted, they can be automatically assigned to an existing identity or a new identity can be created if necessary. In the process, the identity main data is created on the basis of existing user account main data. This mechanism can be implemented if a new user account is created manually or by synchronization. However, this is not the One Identity Manager default method. You must define criteria for finding identities for automatic identity assignment.

  • Identities and user accounts can be entered manually and assigned to each other.

For more information about basic handling and administration of identities and user accounts, see the One Identity Manager Target System Base Module Administration Guide.
