Identity Manager 9.3 - One Identity Manager Connector User Guide

Setting up custom application roles for custom configuration

For role-based login, create a custom application role that grants One Identity Manager users the permissions they need to configure synchronization and to handle outstanding objects. The application role obtains these permissions through a custom permissions group.

To set up an application role for synchronization (use case 2):

  1. In the Manager, select the default application role that is used to edit the objects you want to synchronize.

    • Determine the default permissions group of that application role.

    If you want to import identity main data, for example, select the Identity Management | Identities | Administrators application role. Its default permissions group is vi_4_PERSONADMIN.

  2. In the Designer, create a new permissions group.

    • Set the Only use for role based authentication option.

  3. Make the new permissions group dependent on the vi_4_SYNCPROJECT_ADMIN permissions group.

    To do this, assign vi_4_SYNCPROJECT_ADMIN as the parent permissions group. The new permissions group then inherits its properties.

  4. Make the new permissions group dependent on the default permissions group of the selected default application role.

    To do this, assign that default permissions group as the parent permissions group. The new permissions group then inherits its properties.

  5. Save the changes.
  6. In the Manager, create a new application role.

    1. Assign the selected application role to be the parent application role.

    2. Assign the newly created permissions group.

  7. Assign identities to this application role.

  8. Save the changes.

To set up an application role for synchronization (use case 3):

  1. In the Designer, create a new permissions group for custom tables that are populated by synchronization.

    • Set the Only use for role based authentication option.

  2. Grant this permissions group all the permissions required on the custom tables.

  3. Create another permissions group for synchronization.

    • Set the Only use for role based authentication option.

  4. Make the permissions group for synchronization dependent on the permissions group for custom tables.

    To do this, assign the permissions group for custom tables as the parent permissions group. The permissions group for synchronization then inherits its properties.

  5. Make the permissions group for synchronization dependent on the vi_4_SYNCPROJECT_ADMIN permissions group.

    To do this, assign vi_4_SYNCPROJECT_ADMIN as the parent permissions group. The permissions group for synchronization then inherits its properties.

  6. Save the changes.
  7. In the Manager, create a new application role.

    1. Assign the Custom | Managers application role as the parent application role.

    2. Assign the permissions group for the synchronization.

  8. Assign identities to this application role.

  9. Save the changes.

For more information about setting up application roles and permissions groups, see the One Identity Manager Authorization and Authentication Guide.
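Both procedures above build a permissions group whose rights are the union of what its parent groups carry. The following is an added example, not One Identity Manager code, that models this parent/child resolution so a planned role can be checked before identities are assigned to it. vi_4_SYNCPROJECT_ADMIN and vi_4_PERSONADMIN are the default groups named on this page; the custom group names (CCC_*), the permission labels and all functions are assumptions made for the illustration. The real hierarchy is edited in the Designer and stored in the database.

```python
"""Model of permissions-group inheritance for the custom application roles above.

Added example, not One Identity Manager code. The names
vi_4_SYNCPROJECT_ADMIN and vi_4_PERSONADMIN are the default permissions
groups named on this page; the custom group names (CCC_*), the permission
labels and the functions are assumptions made for this illustration.
"""

# Hypothetical direct permissions of each group (assumption, not the real
# contents of the default groups).
DIRECT_PERMISSIONS = {
    "vi_4_SYNCPROJECT_ADMIN": {"DPRProjection:RW", "DPRSystemVariableSet:RW"},
    "vi_4_PERSONADMIN": {"Person:RW", "PersonInOrg:RW"},
    "CCC_CustomTables": {"CCC_Device:RW", "CCC_DeviceOwner:RW"},
}

# Use case 2: the new group inherits from vi_4_SYNCPROJECT_ADMIN and from the
# default permissions group of the selected application role.
USE_CASE_2_PARENTS = {
    "CCC_PersonSync": {"vi_4_SYNCPROJECT_ADMIN", "vi_4_PERSONADMIN"},
}

# Use case 3: the synchronization group inherits from the custom-tables group
# and from vi_4_SYNCPROJECT_ADMIN.
USE_CASE_3_PARENTS = {
    "CCC_CustomTablesSync": {"CCC_CustomTables", "vi_4_SYNCPROJECT_ADMIN"},
}


def effective_groups(group, parents):
    """All groups `group` inherits from, transitively (parents of parents too).

    Raises ValueError on a cycle, which would make "inherits from" meaningless.
    """
    inherited = set()

    def visit(node, path):
        for parent in sorted(parents.get(node, ())):
            if parent in path:
                raise ValueError("cycle in permissions group hierarchy: "
                                 + " -> ".join(path + (parent,)))
            if parent in inherited:
                continue  # already expanded via another path
            inherited.add(parent)
            visit(parent, path + (parent,))

    visit(group, (group,))
    return inherited


def effective_permissions(group, parents, direct=DIRECT_PERMISSIONS):
    """Union of the group's own permissions and everything it inherits."""
    perms = set(direct.get(group, ()))
    for g in effective_groups(group, parents):
        perms |= direct.get(g, set())
    return perms


def unexpected_parents(group, parents, planned):
    """Inherited groups that were not part of the plan.

    A non-empty result means the role carries more than the parents the
    procedure assigns, for example because a parent group was later rehung.
    """
    return effective_groups(group, parents) - set(planned)


if __name__ == "__main__":
    for name, parents in (("CCC_PersonSync", USE_CASE_2_PARENTS),
                          ("CCC_CustomTablesSync", USE_CASE_3_PARENTS)):
        print(name, "inherits", sorted(effective_groups(name, parents)))
        print("  effective:", sorted(effective_permissions(name, parents)))
```

Run unexpected_parents() with the two parents the procedure assigns as the planned set; anything it returns is a right the synchronization role picks up beyond what the procedure intended and should be reviewed before the role is handed out.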

Information required for creating a synchronization project for custom synchronization

A synchronization project collects all the information required for synchronizing the One Identity Manager database with a target system. Connection data for target systems, schema types and properties, mapping, and synchronization workflows all belong to this.

Make the following information available for setting up a custom synchronization project for synchronizing with the One Identity Manager connector.

Table 6: Information required to set up a synchronization project
Data Explanation

Synchronization server

The synchronization server runs all One Identity Manager Service actions against the target system environment and processes the data required for synchronizing with, and administering, the One Identity Manager database.

Installed components:

  • One Identity Manager Service (started)

The synchronization server must be declared as a Job server in One Identity Manager. The Job server name is required.

For more information, see Setting up the synchronization server.

Remote connection server

To configure synchronization with a target system, One Identity Manager must load the data from the target system, and it communicates directly with the target system to do so. Sometimes direct access from the workstation on which the Synchronization Editor is installed is not possible, for example because of the firewall configuration or because the workstation does not meet the hardware and software requirements. If direct access is not possible from the workstation, you can set up a remote connection.

Remote connection server configuration:

  • One Identity Manager Service is started

  • RemoteConnectPlugin is installed and an authentication method is set up

The remote connection server must be declared as a Job server in One Identity Manager. The Job server name is required.

TIP: The remote connection server requires the same configuration as the synchronization server (with regard to the installed software and entitlements). Use the synchronization server as remote connection server as well by installing the RemoteConnectPlugin.

For more detailed information about setting up a remote connection, see the One Identity Manager Target System Synchronization Reference Guide.

Synchronization workflow

Set the Data import option in the synchronization step if synchronization data is imported from a secondary system. You cannot select the MarkAsOutstanding processing method for these synchronization steps. This option takes effect in both directions, meaning also for synchronization to the target system.

For more information about synchronizing user data with different systems, see the One Identity Manager Target System Synchronization Reference Guide.

Base object

You cannot normally specify a base object for synchronizing with database connectors. In this case, assignment of one base table and the synchronization server is sufficient.

  • Select the table from the Base table drop-down in which to load the objects. The base table can be used to define downstream processes for synchronization. For more information about downstream processes, see the One Identity Manager Target System Synchronization Reference Guide.

  • The Synchronization servers drop-down displays all Job servers with an enabled One Identity Manager connector server function.

Variable set

If you implement specialized variable sets, ensure that the start up configuration and the base object use the same variable set.

Creating custom configurations

There is a wizard to assist you with setting up a synchronization project. This wizard takes you through all the steps you need to set up initial synchronization with a target system. Click Next once you have entered all the data for a step.

NOTE: The following sequence describes how to configure a synchronization project if the Synchronization Editor is both:

  • Run in default mode

  • Started from the Launchpad

If you run the project wizard in expert mode or directly from the Synchronization Editor, additional configuration settings can be made. Follow the project wizard instructions through these steps.

To set up a synchronization project

  1. Start the Launchpad and log in on the One Identity Manager database.

    NOTE: If synchronization is run by an application server, connect to the database through the application server.

  2. In the Installation overview > Data synchronization section, select the One Identity Manager connector and click Run.

    This starts the Synchronization Editor's project wizard.

  3. On the wizard's start page, click Next.

  4. On the System access page, specify how One Identity Manager can access the target system.

    • If access is possible from the workstation on which you started the Synchronization Editor, do not change any settings.

    • If access is not possible from the workstation on which you started the Synchronization Editor, you can set up a remote connection.

      Select Connect using remote connection server and enter the remote connection properties.

  5. Click Next to start the system connection wizard, which creates the connection to the One Identity Manager database.

    1. On the Select database system page, select the database system to which you want to connect.

      • Direct database connection: Specifies whether to connect directly to the central database.

      • Application server: Specifies whether to connect to the central database through an application server.

        Set this option if the set of modules installed in the central database differs from the set installed in the working database, or if the central database runs an older version of One Identity Manager.

      • Use application server REST API: Specifies whether to use the application server's REST API to communicate with the central database.

        IMPORTANT: Enable this option if the central database runs an older version of One Identity Manager.

        NOTE: The REST API cannot process virtual schema properties of the Translator property type. If schema properties like this are mapped, synchronization stops.

    2. On the Connection parameters page, enter the credentials for the central database.

      • When connecting directly to the database, enter the following data:

        • Server: Database server.

        • Windows authentication: (Optional) Specifies whether integrated Windows authentication is used. This type of authentication is not recommended. If you decide to use it anyway, ensure that your environment supports Windows authentication.

        • User: The SQL login name.

        • Password: Password for the SQL login.

        • Database: List of databases on the database server. Select the database.

        • Encrypt communication: Specifies the minimum encryption level the client requires for exchanging data with the server. The encryption level that is actually used depends on the database server configuration. For more information, see the documentation from Microsoft.

          Permitted values are:

          • Optional: The client does not require encryption. Whether the connection is encrypted then depends only on the server configuration.

          • Mandatory: Data exchange is encrypted. With the Trust server certificate option you specify whether the server certificate is verified.

          • Strict (SQL Server 2022 and Azure SQL): Data exchange is encrypted and the server certificate is always verified.

        • Trust server certificate: If this option is enabled, data exchange between the client and server is encrypted, but the server certificate is not verified. Because any certificate is then accepted, the connection does not protect against a server being impersonated on the network. Prefer Strict, or Mandatory with a server certificate the client trusts, and reserve this option for test environments.

      • To connect through an application server, enter the URL and the synchronization user's password.

      • To enter additional information about the database connection, click Advanced options.

      • Click Test.

    3. On the Encryption page, enter the private key for encrypting the database.

    4. On the Additional settings page, define additional settings that customize the behavior of the connector.

      • Try to ignore data errors: Specifies whether objects with erroneous data are synchronized with the central database.

        By default, objects with incorrect data are not synchronized. These objects can be synchronized once the data has been corrected. In certain situations, however, it might be necessary to synchronize objects like these and ignore the data properties that have errors.

        IMPORTANT: If data errors are ignored, performance will be affected. Synchronization can also lead to data loss. Only set this option in the exceptional circumstance of not being able to correct the data before synchronization.

        NOTE:

        • The option cannot be enabled if the REST API of the application server is used.

        • This option is only effective if Continue on error is set in the synchronization workflow.

        • Default columns, such as primary keys, UID columns, or mandatory input columns cannot be ignored.

    5. On the last page of the system connection wizard, you can save the connection data.

      • Set the Save connection locally option to save the connection data. It can be reused when you set up other synchronization projects.

      • Click Finish to close the system connection wizard and return to the project wizard.

  6. On the One Identity Manager Connection tab, test the data for connecting to the One Identity Manager database. The data is loaded from the connected database. Reenter the password.

    NOTE:

    • If you use an unencrypted One Identity Manager database and have not yet saved any synchronization projects to the database, you need to enter all connection data again.

    • This page is not shown if a synchronization project already exists.

  7. The wizard loads the target system schema. This may take a few minutes depending on the type of target system access and the size of the target system.

  8. On the Select project template page, select a project template to use for setting up the synchronization configuration.

    NOTE: The One Identity Manager connector does not provide a default project template for setting up synchronization. If you have created your own project template, you can select it to configure the synchronization project. Otherwise, select Create blank project.

  9. Under General, enter the general settings for the synchronization project.

    Table 7: General properties of the synchronization project

    Property        Description
    Display name    Display name for the synchronization project.
    Description     Text field for additional explanation.

  10. To close the project wizard, click Finish.

  11. Save the synchronization project in the database.
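The Encrypt communication and Trust server certificate options in step 5 map onto the Encrypt and TrustServerCertificate keywords of Microsoft's SQL Server client drivers, and the same choices reappear wherever a connection string to the One Identity Manager database is stored. The following added example (not One Identity Manager or Microsoft code) lints such connection strings and flags the weak combinations described above: no encryption required, or encryption with certificate verification switched off. The function names, the severity levels and the sample strings are assumptions made for this illustration.

```python
"""Check SQL Server connection strings against the encryption options above.

Added example, not One Identity Manager or Microsoft code. Encrypt and
TrustServerCertificate are the keywords Microsoft's SQL Server client drivers
use for these settings; the function names, the severity levels and the
sample strings are assumptions made for this illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    level: str    # "ok", "warning" or "error"
    message: str


def parse_connection_string(cs: str) -> dict[str, str]:
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys."""
    params: dict[str, str] = {}
    for part in cs.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            params[key.strip().lower()] = value.strip().strip("'\"")
    return params


def normalize_encrypt(value):
    """Map the driver's spellings of Encrypt onto the three levels on the page."""
    if value is None:
        return None
    v = value.strip().lower()
    if v == "strict":
        return "strict"
    if v in ("true", "yes", "mandatory"):
        return "mandatory"
    if v in ("false", "no", "optional"):
        return "optional"
    return "unknown"


def assess(cs: str) -> Finding:
    """Rate one connection string: Strict, or Mandatory with a verified
    certificate, is fine; everything else is flagged."""
    p = parse_connection_string(cs)
    enc = normalize_encrypt(p.get("encrypt"))
    trust = p.get("trustservercertificate", "false").strip().lower() in ("true", "yes")

    if enc is None:
        return Finding("warning", "Encrypt is not set, so the driver default decides. "
                                  "Set Encrypt=Strict or Encrypt=Mandatory explicitly.")
    if enc == "unknown":
        return Finding("warning", f"Encrypt={p['encrypt']!r} is not a recognised level.")
    if enc == "optional":
        return Finding("error", "Encrypt=Optional: the client does not require encryption; the "
                                "server configuration alone decides whether credentials and "
                                "data cross the network in clear.")
    if enc == "mandatory" and trust:
        return Finding("error", "Encrypt=Mandatory with TrustServerCertificate=True: traffic is "
                                "encrypted but any certificate is accepted, so an attacker on "
                                "the path can impersonate the database server.")
    if enc == "mandatory":
        return Finding("ok", "Encrypt=Mandatory and the server certificate is verified.")
    return Finding("ok", "Encrypt=Strict: encrypted and the server certificate is always verified.")


# Constructed sample strings (hypothetical host, database and login; no real secret).
SAMPLES = {
    "weak_optional": "Server=sqlhost;Database=OneIM;User ID=sa_sync;Password=<secret>;Encrypt=Optional",
    "weak_trust": "Server=sqlhost;Database=OneIM;User ID=sa_sync;Password=<secret>;Encrypt=Mandatory;TrustServerCertificate=True",
    "hardened_mandatory": "Server=sqlhost;Database=OneIM;User ID=sa_sync;Password=<secret>;Encrypt=Mandatory;TrustServerCertificate=False",
    "hardened_strict": "Server=sqlhost;Database=OneIM;User ID=sa_sync;Password=<secret>;Encrypt=Strict",
}


def lint(samples=SAMPLES) -> dict[str, str]:
    """Return {name: level} so the weak configurations stand out."""
    return {name: assess(cs).level for name, cs in samples.items()}


if __name__ == "__main__":
    for name, cs in SAMPLES.items():
        f = assess(cs)
        print(f"{name:20} {f.level:8} {f.message}")
```

The two "weak" samples are the combinations the wizard lets you choose with Optional, or with Mandatory plus Trust server certificate; the two "hardened" samples are what a production connection to the central database should look like.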
Updating schemas

All the schema data (schema types and schema properties) of the target system schema and the One Identity Manager schema are available when you are editing a synchronization project. Only a part of this data is really needed for configuring synchronization. If a synchronization project is finished, the schema is compressed to remove unnecessary data from the synchronization project. This can speed up the loading of the synchronization project. Deleted schema data can be added to the synchronization configuration again at a later point.

If the target system schema or the One Identity Manager schema has changed, these changes must also be added to the synchronization configuration. Then the changes can be added to the schema property mapping.

To add schema data that was removed by compression, or schema changes, to the synchronization project, update each schema in the synchronization project. This may be necessary if:

  • A schema was changed by:

    • Changes to a target system schema

    • Customizations to the One Identity Manager schema

    • A One Identity Manager update migration

  • A schema in the synchronization project was shrunk by:

    • Enabling the synchronization project

    • Saving the synchronization project for the first time

    • Compressing a schema

To update a system connection schema

  1. In the Synchronization Editor, open the synchronization project.

  2. Select the Configuration > Target system category.

    - OR -

    Select the Configuration > One Identity Manager connection category.

  3. Select the General view and click Update schema.

  4. Confirm the security prompt with Yes.

    This reloads the schema data.

To edit a mapping

  1. In the Synchronization Editor, open the synchronization project.

  2. Select the Mappings category.

  3. Select a mapping in the navigation view.

    Opens the Mapping Editor. For more information about mappings, see the One Identity Manager Target System Synchronization Reference Guide.

NOTE: The synchronization is deactivated if the schema of an activated synchronization project is updated. Reactivate the synchronization project to synchronize.
