To delete a property rule
- Select the Mappings category.
- In the navigation view, select a mapping.
- Click in the rule view menu bar for property mapping rules.
- Confirm the security prompt with Yes.
Enter the following details for a property rule.
Tip: To create a rule from a , click .
Table 39: Property mapping rule details
Rule types: Select the rule type for a new rule.
- Value comparison rule: Compares the schema property value of the One Identity Manager schema with the value of a target system schema.
- Multiple reference rule: Compares multi-value schema properties. The value lists are compared element by element. Missing values are added; superfluous values are deleted.
Rule name: Name of the rule. The rule name must be unique within a mapping.
Click to change rule names. The rule name is used as a key. Changes to the rule name may cause errors.
Display name: Rule display name.
Specify the permitted mapping direction for mapping selected schema properties.
- Both directions: The property mapping rule is applied in both directions, toward the target system and toward One Identity Manager.
- To the target system: The property mapping rule is only used for synchronizing in the direction of the target system.
- To the One Identity Manager: The property mapping rule is only used for synchronizing in the direction of One Identity Manager.
- Do not assign: The property mapping rule is ignored. You can set this value to disable a property mapping rule.
- Taken from mapping: The mapping direction fixed in the mapping applies.
Ignore mapping direction restrictions on adding: Specifies whether the given direction of mapping is ignored when new objects are added.
If this option is set, the property mapping rule can also be run if the synchronization mapping is in the opposite direction. Property mapping rules not assigned a mapping direction are also ignored when new objects are added.
If this option is not set, the specified mapping direction is valid when new objects are added.
Example:
A telephone system is managed with One Identity Manager. The telephone system acts as the primary system when the telephone numbers are synchronized. The direction of mapping is set to One Identity Manager. The telephone number is a mandatory value in the target system.
In One Identity Manager, a new identity is added. Each identity is given an initial telephone number. These identities should be added to the target system by synchronizing them. So that the telephone numbers are written to the target system during synchronization, the Ignore mapping direction restrictions on adding option must be set on the property mapping rule.
For more information, see Detecting rogue modifications.
Description: Text field for additional explanation.
Concurrence behavior: Specifies whether the property mapping rule is always applied.
Objects in a (synchronization target) that
- Have been changed but the changes are not yet provisioned
- Are in automatic processes that are not yet complete
- Or are blocked in some other way
are excluded by default to avoid data conflicts. If possible, synchronization of these objects is repeated by the next synchronization run.
In rare cases, it may still be necessary to synchronize some properties of these objects immediately, for example, to transfer safety-critical changes to the connected system.
- Apply rule: Applies the property mapping rule, overwriting any data changes.
IMPORTANT:
- Only select this option in exceptional cases. Afterward, check the data modifications that might have been overwritten by this.
- The setting only takes effect if Pre-processing is selected for collision detection in the start up configuration. Only then can collisions be detected before mapping takes place.
- Do not apply rule: The property mapping rule is not run if the object is blocked for changes. If this option is enabled for all property mapping rules in the mapping, the object is completely omitted and not handled by the synchronization.
This corresponds to the default behavior.
For more information, see Concurrency behavior of synchronization objects.
Select the schema properties to be mapped.
Do not overwrite: The schema property value is only changed by synchronization if the schema property does not contain a value.
Mapping condition: Condition under which the property mapping rule is used. The condition can be created with the wizard or stored as a script.
Use the Left and Right operators to reference the respective schema.
Left: Schema properties in the One Identity Manager schema extension.
Right: Schema properties in the target system's schema extension.
- To create the condition with the wizard, select Condition and click Create condition. For more information, see Wizard for entering filters.
Example: Left.CanonicalName = 'Managed Service Accounts'
The property mapping rule is applied to all objects assigned to the container "Managed Service Accounts" in One Identity Manager.
- To write the condition as a script, select Script and enter the script code. For more information, see Support for scripting.
Example: If string.IsNullOrEmpty($Left::CanonicalName$) Then ...
Table 40: Additional details of a value compare rule
Force mapping against direction of synchronization: If this option is set, the property mapping rule can also be applied if the synchronization mapping is in the opposite direction. For more information, see Mapping against the direction of synchronization.
The option can only be set if:
- The property mapping rule is not run in both directions.
Detecting rogue modifications: Specifies whether rogue modifications are identified and logged if the direction of synchronization is opposite to the mapping direction.
The option can only be set if:
- The direction of mapping is Target system or One Identity Manager.
- Force mapping against direction of synchronization is disabled.
If this option is set, rogue modifications are detected and logged. The log can be evaluated after synchronization. For more information, see Synchronization analysis.
If the option is not set, the property mapping rule is ignored by synchronization.
For more information, see Detecting rogue modifications.
Correct rogue modifications: Specifies whether rogue modifications are corrected if the direction of synchronization is opposite to the mapping direction.
The option can only be set if:
- Detecting rogue modifications is enabled.
- The direction of mapping is Target system or One Identity Manager.
- Force mapping against direction of synchronization is disabled.
If the option is set, the property mapping rule is run by synchronization. The value in the connected system is overwritten with the value from the primary system. Thus rogue changes are ignored.
If the option is not set, rogue changes are only logged.
For more information, see Detecting rogue modifications.
Multi-value sort order: Specifies whether the order in which the values of multi-valued schema properties are sorted must be respected when detecting rogue modifications.
- Respect sort order: The order in which values are sorted is relevant. Rogue modification detection checks whether all values in both mapped schema properties are in the identical order.
- Ignore sort order: The order in which the values are sorted is irrelevant. Rogue modification detection checks whether all values in both mapped schema properties exist, irrespective of their sort order.
- Automatic: The connector automatically determines whether the sort order is respected. This takes into account whether the schema property is set to DPRSchemaProperty.IsMvpOrderSignificant=1, which can be overridden by the mapping.
This field is only displayed if all the following apply:
- Both schema properties are multi-value
- Force mapping against direction of synchronization is disabled
- Detecting rogue modifications is enabled
- Handle first property value as single value is disabled
For more information, see Detecting rogue modifications.
Ignore case: Specifies whether changes that only differ through case are ignored by the mapping. This option affects only schema properties with the String data type.
Deal with the first value of the property as a single value: If a multi-value schema property is mapped using a value compare rule, the first value from the value list is taken into account by synchronization.
Disable merge mode support: Specifies whether to disable merge mode for single provisioning of memberships in this property mapping rule. If the option is set, when memberships are provisioned and merge mode is enabled on the , the entire membership list is also transferred.
For more information, see Single membership provisioning.
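The interplay of the Detecting rogue modifications, Correct rogue modifications, Multi-value sort order and Ignore case settings in Table 40, modelled as an added Python illustration (this is not One Identity Manager code; the way a mapping overrides the Automatic sort order and the stop-at-log behaviour are assumptions of the model):

```python
from collections import Counter
from enum import Enum

class SortOrder(Enum):
    RESPECT = "Respect sort order"
    IGNORE = "Ignore sort order"
    AUTOMATIC = "Automatic"

def effective_sort_order(mode, is_mvp_order_significant=False, mapping_override=None):
    """Resolve the Automatic mode: the schema property flag
    DPRSchemaProperty.IsMvpOrderSignificant decides unless the mapping overrides it
    (how the override is expressed is an assumption of this model)."""
    if mode is not SortOrder.AUTOMATIC:
        return mode
    if mapping_override is not None:
        return mapping_override
    return SortOrder.RESPECT if is_mvp_order_significant else SortOrder.IGNORE

def is_rogue_modification(primary, connected, mode, ignore_case=False,
                          is_mvp_order_significant=False, mapping_override=None):
    """True when the connected system's value list deviates from the primary
    system's list under the chosen sort-order rule and the Ignore case option."""
    order = effective_sort_order(mode, is_mvp_order_significant, mapping_override)
    left = [v.lower() for v in primary] if ignore_case else list(primary)
    right = [v.lower() for v in connected] if ignore_case else list(connected)
    if order is SortOrder.RESPECT:
        return left != right                   # same values in identical order
    return Counter(left) != Counter(right)     # same values, any order

def apply_rogue_rule(primary, connected, *, detect, correct, **compare):
    """Model of the Detecting / Correct rogue modifications options.
    Returns (outcome, value left in the connected system)."""
    if not detect:
        return "ignored", list(connected)      # rule is ignored by synchronization
    if not is_rogue_modification(primary, connected, **compare):
        return "unchanged", list(connected)
    if correct:
        return "corrected", list(primary)      # connected value is overwritten
    return "logged", list(connected)           # rogue change is only logged

if __name__ == "__main__":
    # Constructed sample values for a multi-value membership property.
    primary = ["CN=Alice,OU=Staff", "CN=Bob,OU=Staff"]
    connected = ["cn=bob,ou=staff", "CN=Alice,OU=Staff"]
    print(apply_rogue_rule(primary, connected, detect=True, correct=False,
                           mode=SortOrder.RESPECT))                   # logged
    print(apply_rogue_rule(primary, connected, detect=True, correct=True,
                           mode=SortOrder.IGNORE, ignore_case=True))  # unchanged
```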
Table 41: Additional details of a multi-reference mapping rule
Only include these: Select all members in the value list to be mapped to the schema property of the connected system.
Exclude these: Select all members in the value list not to be mapped to the schema property of the connected system.
The functionality of property rules can be tested on an object pair that meets the object matching criteria. Furthermore, the test can be run on a new object pair that does not contain any values. To run the test, change the properties of one of the objects. The test dialog shows what changes have been made in each system. The changed objects can be copied to the clipboard and used for further analysis.
The Test object matching rules... dialog shows all mapped schema properties from the selected mapping. The schema property values that have write access can be edited.
Table 42: Meaning of icons in the test dialog
Filters the list of object pairs that match the object matching rules.
Discards all changes made to the objects.
Copies objects to the clipboard.
Automatic: Specifies whether the mapping is run automatically once a value changes.
If a value in the target system object has changed, mapping is carried out in One Identity Manager and vice versa. This applies all the property mapping rules.
Maps to One Identity Manager. This applies all the property mapping rules.
Maps to the target system. This applies all the property mapping rules.
Close: Closes the test dialog.
To test property mapping rules with a new object pair
- In the Synchronization Editor, select the Mappings category.
- Select a mapping in the navigation view.
- In the property mapping rule view's toolbar, click .
This opens the Test property mapping rules dialog and displays empty .
- Enter values for the target system object.
- Enter values for the database object.
To test property mapping rules with a fixed object pair
- In the Synchronization Editor, select the Mappings category.
- Select a mapping in the navigation view.
- In the object matching rule view's toolbar, click .
- In the Test object matching rules dialog, double-click the object pair you want to test with property mapping rules.
This opens the Test property mapping rules dialog and displays the object properties of the selected object pair. The Test object pairs section shows all the object pairs that meet the object matching criteria.
- (Optional) To run the test with a different object pair, double-click an object pair in the Test object pairs section.
- Change the target system object's properties.
- Change the database object's properties.
Object matching rules assign schema properties through which system objects can be uniquely identified. For example, Active Directory groups can be uniquely identified by the DistinguishedName and ObjectGUID schema properties.
Object matching rules can be added or created from property rules. If system objects can only be identified through several schema properties, different property mapping rules can be linked with logical operators to form an object matching rule.
NOTE: Using object matching rules of this type can slow down . Instead, use a virtual schema property to link the schema properties required for matching and create an object matching rule with it.
If several object matching rules are set up, they are run in the order in which they are listed in the rule view. The rule at the top is the primary rule; all others are marked as alternatives. If a system object can be identified uniquely by the primary rule, the alternative rules are not run. If a system object cannot be identified by the primary rule, One Identity Manager uses the next alternative rule to determine a suitable system object. If none of the rules can identify a suitable system object, the object does not have a partner and is handled as new or deleted.
Example
The following object matching rules are defined for mapping Active Directory groups:
- Object GUID <-> Object GUID (primary rule)
- Distinguished name <-> Obj-Dist-Name (alternative rule)
- Object SID <-> Object-Sid (alternative rule no. 2)
Properties of an Active Directory group are modified in One Identity Manager. During provisioning, the Active Directory connector tries to identify the group in the target system by using the object GUID. It does not find an object with this object GUID so the alternative object matching rule is applied. The connector identifies an object with the same distinguished name and updates this object in the target system.
NOTE:
- Object matching rules must use schema properties with read access. Write-only schema properties are not suitable for identifying system objects.
- Schema properties used to identify system objects must contain a value. If a schema property is empty, the object matching rule is ignored and the next alternative rule is applied.
- If several system objects that fulfill the matching criteria are found, a message appears in the synchronization log. These objects are ignored as processing continues.
If several system objects are found, either there is corrupt data in the connected systems or the matching criteria are not unique. Clean up the data in the connected systems and adjust the object matching rules.
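The primary/alternative rule cascade described above, including the skip on empty values and the log entry on ambiguous matches, as an added Python illustration built on the Active Directory group rule set from the example (this is not One Identity Manager code; stopping the search at the first ambiguous rule and the dictionary representation of objects are assumptions):

```python
# Constructed rule set for Active Directory groups, in the order from the example:
# (One Identity Manager property, target system property); the first is the primary rule.
AD_GROUP_RULES = [
    ("ObjectGUID", "ObjectGUID"),              # primary rule
    ("DistinguishedName", "Obj-Dist-Name"),    # alternative rule
    ("ObjectSID", "Object-Sid"),               # alternative rule no. 2
]

def find_partner(source_obj, candidates, rules=AD_GROUP_RULES):
    """Run the object matching rules in order and return (status, partner, log).

    status is "matched" (exactly one partner), "ambiguous" (several system objects
    fulfil the criteria: they are logged and ignored) or "none" (no partner, so the
    object is handled as new or deleted). A rule whose source value is empty is
    skipped and the next alternative is applied."""
    log = []
    for index, (left_prop, right_prop) in enumerate(rules):
        value = source_obj.get(left_prop)
        if value in (None, ""):
            log.append(f"rule {index} ({left_prop} <-> {right_prop}) skipped: empty value")
            continue
        matches = [c for c in candidates if c.get(right_prop) == value]
        if len(matches) == 1:
            log.append(f"rule {index} ({left_prop} <-> {right_prop}) identified the object")
            return "matched", matches[0], log
        if len(matches) > 1:
            log.append(f"rule {index}: {len(matches)} objects share {right_prop}={value!r}; ignored")
            return "ambiguous", None, log      # assumption: do not fall through
        log.append(f"rule {index} ({left_prop} <-> {right_prop}) found no object")
    return "none", None, log

if __name__ == "__main__":
    # Constructed data: the group exists in the target system, but its object GUID
    # is unknown there, so only the distinguished name can identify it.
    group = {"ObjectGUID": "GUID-A", "DistinguishedName": "CN=Admins,DC=example,DC=test",
             "ObjectSID": "S-1-5-21-1-1-1-1001"}
    target = [{"ObjectGUID": "GUID-B", "Obj-Dist-Name": "CN=Users,DC=example,DC=test"},
              {"ObjectGUID": "GUID-X", "Obj-Dist-Name": "CN=Admins,DC=example,DC=test"}]
    status, partner, log = find_partner(group, target)
    print(status, partner)
    print("\n".join(log))
```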
Detailed information about this topic