To single schema properties, it could be necessary to declare one of the connected systems as the data master. Property mapping rules for these schema properties all have the same direction of mapping. If editing these schema properties is not technically restricted in any of the connected systems, you can also change their values in a system that is not the data master.
If the matches the direction of mapping these changes are overwritten by the next synchronization.
If the direction of synchronization is opposite to the direction of mapping, data that cannot be corrected by synchronization becomes inconsistent because the property mapping rules are not executed. Change like this are consider to be “rogue modifications”. In this case, a modification is considered to be any difference between the object properties of the connected systems, irrespective of the system the object was actually modified.
Synchronization can identify (rogue detection), log, and correct (rogue correction) rogue modifications. You can configure the respective behavior in the property mapping rules.
Prerequisites
To detect and log rogue modifications
To correct rogue modifications
- In addition, set the Correct rogue modifications option in the property mapping rule.
NOTE: Rogue modifications can only be corrected if there is write access for schema property to be corrected.
Synchronization Sequence with Modification Detection
-
A property mapping rule is detected whose mapping direct is opposite to the actual direction of synchronization.
-
If Detect rogue modifications is set, One Identity Manager checks the object of the connected system for rogue modifications. are logged.
The log can be evaluated after synchronization. For more information, see Synchronization analysis.
-
If the Correct rogue modifications option is set, One Identity Manager executes the property mapping rule. The object property in the connected system is overwritten with the value from the data master.
NOTE: Rogue modifications are also handled when object modifications are provisioned.
Modification detection can be usefully applied if a synchronization workflow and a provisioning workflow are configured, which means, the direction of synchronization is One Identity Manager and for certain schema properties the direction of mapping is the target system. In this case, only changes made to the schema properties that were made in the target system are detected as rogue modifications.
Example
The synchronization direction One Identity Manager is specified for synchronizing Active Directory groups. The groups and their properties are created, edited, and deleted in Active Directory. Only the group’s account manager is going to be assigned and changed in One Identity Manager.
Table 26: Synchronization Configuration
|
Direction of Synchronization: |
To the One Identity Manager |
|
for schema properties: |
ADSGroup.ObjectKeyManager - Group.name of manager |
|
: |
To the target system |
|
Detecting rogue modifications: |
Set |
|
Correct rogue modifications: |
Set |
Synchronization adds new groups in One Identity Manager. An account manager is assigned in One Identity Manager. This modification is provisioned in the target system.
There is no technical restriction to editing the account manager in the target system. If the account manager is changed in Active Directory, there is a discrepancy in the data, meaning a rogue modification. This change is detected, logged, and reverted by the next synchronization. The property matching rule is executed and the value in the target system is overwritten with the value from the One Identity Manager database.
It may make sense to use modification detection together with the Ignore mapping direction restrictions on adding option. As in the example, a new group is added in Active Directory. This initially assigned an account manager.
By synchronizing, the group is added in One Identity Manager but the account manager remains empty because the property mapping rule is not executed.
Before the account manager is assigned in One Identity Manager, the Active Directory is synchronized again. This detects a rogue modification (empty value in the database - account manager assigned in the target system). As a result, the value in the target system is corrected, deleting the account manager.
To avoid such situations, set the Ignore mapping direction restrictions on adding option. This means, the property mapping rule for the account manager is executed when the group is added and the account manager is assigned in the database. The subsequent synchronization does not detect a rogue modification because the account manager is identical in both systems.
To execute a property mapping rule on adding
Related topics
The source for the user data and permissions managed by One Identity Manager may be different systems. For example, SAP R/3 user accounts are managed in One Identity Manager. The associated employee data, however, is imported into the database through the from another system.
The CSV import may cause the objects coming from another target system through to be modified. For example, the first and last names of an SAP user account change when the first and last names of an employee change through the CSV import. Changes to the SAP user account should be immediately provisioned in SAP R/3. To illustrate this, the connected systems will be named "primary systems" in the following; the systems whose data is synchronized with the CSV connector as "secondary systems".
Figure 12: Example of synchronizing user data with different systems
You can specify whether the data comes from a secondary system in the . In this case, changes are provisioned immediately (actually during synchronization) in the primary system. Conversely, the provisioning process may not start if primary systems are being synchronized.
To configure immediate provisioning when synchronizing a secondary system
- Open the for the secondary system.
For more information, see How to edit a synchronization project.
- Edit the synchronization step properties.
Set the Import data option on the General tab.
For more information, see How to edit synchronization steps.
NOTE: To prevent immediately provisioning of a primary system during synchronization, open the primary system synchronization project and disable the Import data option in the synchronization step.
The session variable FullSync=FALSE is set if the Data import option is enabled. The session variable is set to FullSync=TRUE if the option is disabled. Different processes, scripts, and templates are only executed in the One Identity Manager database if FullSync=FALSE. In this context it means they are only synchronized with a secondary system. Synchronizing with a primary system ignores processes, scripts, and templates.
Related topics
You have two options for deleting objects in the One Identity Manager, which do not exist in the target system, by using .
- The objects are deleted immediately on synchronization.
You can view the synchronization log to see which objects have been deleted.
NOTE: Memberships that exist based on an inheritance cannot be deleted immediately. They are always marked as outstanding.
- The objects are marked as outstanding by synchronization.
Outstanding objects must be post-processed separately in One Identity Manager. They can either be deleted or published in the target system in the process. This prevents objects being deleted because of an incorrect data situation or an incorrect synchronization configuration.
Outstanding objects:
-
Cannot be edited in One Identity Manager.
-
Are ignored by subsequent synchronizations.
-
Are ignored by inheritance calculations.
This means, all memberships and assignments remain intact until the outstanding objects have been processed.
To delete objects immediately in One Identity Manager
- Edit the properties.
For more information, see How to edit synchronization steps.
- Select the Processing tab.
- Specify the processing method. Select the following options as appropriate:
| Objects that are only found in One Identity Manager: |
Delete |
To mark object as outstanding in One Identity Manager
- Edit the synchronization step properties.
For more information, see How to edit synchronization steps.
- Select the Processing tab.
- Specify the processing method. Select the following options as appropriate:
| Objects that are only found in One Identity Manager: |
MarkAsOutstanding |
Outstanding objects cannot be editing in One Identity Manager until they have been verified. They are ignored by every other synchronization.
To delete outstanding objects in the One Identity Manager
- Start the Manager.
- Select the <target system type> | synchronization: <target system type> | <table> category.
- Select the objects you want to delete. Multi-select is possible.
- Click
.
- Confirm the security prompt with Yes.
The selected objects are immediately deleted in the One Identity Manager database. Deferred deletion is not taken into account. The "outstanding" label is removed from the objects.
Related topics
All the schema data (schema types and schema properties) of the target system schema and the One Identity Manager schema are available when you are editing a . Only a part of this data is really needed for configuring synchronization. If a synchronization project is finished, the schema is compressed to remove unnecessary data from the synchronization project. This can speed up the loading of the synchronization project.
To shrink the system connection schema
- Select Configuration | .
- OR -
Select Configuration | One Identity Manager connection.
- Click Shrink schema... in the General view.
- Mark all the schema types that should not be removed.
These schema types remain there and can still be used in the synchronization configuration.
- Click OK.
You can add the deleted schema data back into the synchronization project again later. To do this you must update the respective schema.
Related topics
