立即与支持人员聊天
与支持团队交流

Identity Manager 9.1.1 - One Identity Manager Connector User Guide

Disabling system synchronization

Regular synchronization can only be started if schedules are enabled.

To prevent regular synchronization

  • In the Designer, disable the Daily database synchronization, Frequent database synchronization, andMost frequent database synchronization schedules.

If you do not want synchronization to be started manually, deactivate the synchronization project as well.

To deactivate the synchronization project

  1. In the Synchronization Editor, open the synchronization project.

  2. Select the General view on the start page.

  3. Click Deactivate project.

Related topics

Setting up synchronization using custom configuration

To manually set up synchronization with a One Identity Manager database, follow the steps described here.

To set up synchronization manually

  1. Install and configure a synchronization server and declare the server as a Job server in One Identity Manager.
  2. Provide One Identity Manager users with the required permissions for setting up synchronization and post-processing synchronization objects.

  3. Create a synchronization project with the Synchronization Editor.
Detailed information about this topic

Users and permissions for synchronizing

In the synchronization with the database connectors, there are three use cases for mapping synchronization objects in the One Identity Manager data model.

  1. Mapping custom target systems

  2. Mapping default tables (for example Person or Department)

  3. Mapping custom tables

In the case of One Identity Manager tools non role-based login, it is sufficient to add a system user in the DPR_EditRights_Methods and QBM_LaunchPad permissions groups. For more information about system users and permissions groups, see the One Identity Manager Authorization and Authentication Guide.

Table 2: Users and permissions groups for non role-based login
User Tasks

One Identity Manager administrators

One Identity Manager administrator and administrative system users Administrative system users are not added to application roles.

One Identity Manager administrators:

  • Create customized permissions groups for application roles for role-based login to administration tools in the Designer as required.

  • Create system users and permissions groups for non role-based login to administration tools in the Designer as required.

  • Enable or disable additional configuration parameters in the Designer as required.

  • Create custom processes in the Designer as required.

  • Create and configure schedules as required.

System users in the DPR_EditRights_Methods permissions group

  • Configure and start synchronization in the Synchronization Editor.

  • Edit the synchronization's target system types as well as outstanding objects in the Manager.

System users in the QBM_LaunchPad permissions group

  • Working with the Launchpad.

There are different steps required for role-based login, in order to equip One Identity Manager users with the required permissions for setting up synchronization and post-processing of synchronization objects.

Table 3: User and permissions groups for role-based login: Mapped as custom target system
User Tasks

One Identity Manager administrators

One Identity Manager administrator and administrative system users Administrative system users are not added to application roles.

One Identity Manager administrators:

  • Create customized permissions groups for application roles for role-based login to administration tools in the Designer as required.

  • Create system users and permissions groups for non role-based login to administration tools in the Designer as required.

  • Enable or disable additional configuration parameters in the Designer as required.

  • Create custom processes in the Designer as required.

  • Create and configure schedules as required.

Target system administrators

Target system administrators must be assigned to the Target systems | Administrators application role.

Users with this application role:

  • Administer application roles for individual target system types.

  • Specify the target system manager.

  • Set up other application roles for target system managers if required.

  • Specify which application roles for target system managers are mutually exclusive.

  • Authorize other employees to be target system administrators.

  • Do not assume any administrative tasks within the target system.

Target system managers

Users with this application role:

  • Assume administrative tasks for the target system.

  • Create, change, or delete target system objects.

  • Edit password policies for the target system.

  • Can add employees who have another identity than the Primary identity.

  • Configure synchronization in the Synchronization Editor and define the mapping for comparing target systems and One Identity Manager.

  • Edit the synchronization's target system types and outstanding objects.

  • Authorize other employees within their area of responsibility as target system managers and create child application roles if required.

Table 4: User and permissions groups for role-based login: Default table mapping
User Tasks

One Identity Manager administrators

One Identity Manager administrator and administrative system users Administrative system users are not added to application roles.

One Identity Manager administrators:

  • Create customized permissions groups for application roles for role-based login to administration tools in the Designer as required.

  • Create system users and permissions groups for non role-based login to administration tools in the Designer as required.

  • Enable or disable additional configuration parameters in the Designer as required.

  • Create custom processes in the Designer as required.

  • Create and configure schedules as required.

Custom application role

Users with this application role:

  • Configure and start synchronization in the Synchronization Editor.

  • Edit the synchronization's target system types as well as outstanding objects in the Manager.

The application role gets its permissions through a custom permissions group and the vi_4_SYNCPROJECT_ADMIN permissions group.

Table 5: Users and permissions groups for role-based login: Custom table mapping (only custom configuration)
User Tasks

One Identity Manager administrators

One Identity Manager administrator and administrative system users Administrative system users are not added to application roles.

One Identity Manager administrators:

  • Create customized permissions groups for application roles for role-based login to administration tools in the Designer as required.

  • Create system users and permissions groups for non role-based login to administration tools in the Designer as required.

  • Enable or disable additional configuration parameters in the Designer as required.

  • Create custom processes in the Designer as required.

  • Create and configure schedules as required.

Application roles for custom tasks

Administrators must be assigned to the Custom | Administrators application role.

Users with this application role:

  • Administrate custom application roles.

  • Set up other application roles for managers if required.

Manager for custom tasks

Managers must be assigned to the Custom | Managers application role or a child role.

Users with this application role:

  • Add custom task in One Identity Manager.

  • Configure and start synchronization in the Synchronization Editor.

  • Edit the synchronization's target system types as well as outstanding objects in the Manager.

You can use these application roles, for example, to guarantee One Identity Manager user permissions on custom tables or columns. All application roles that you define here must obtain their permissions through custom permissions groups.

The application role gets its permissions through a custom permissions group and the vi_4_SYNCPROJECT_ADMIN permissions group.

To configure synchronization projects and target system synchronization (in the use cases 2 and 3)

  1. Set up a custom permissions group with all permissions for configuring synchronization and editing synchronization objects.

  2. Assign a custom application role to this permissions group.

Detailed information about this topic

Setting up custom application roles for custom configuration

For role-based login, create a custom application role to guarantee One Identity Manager users the necessary permissions for configuring synchronization and handling outstanding objects. This application role obtains the required permissions by using a custom permissions group.

To set up an application role for synchronization (use case 2):

  1. In the Manager, select the default application role to use to edit the objects you want to synchronization.

    • Establish the application role's default permissions group.

    If you want to import employee data, for example, select the Identity Management | Employees | Administrators application role. The default permissions group of this application role is vi_4_PERSONADMIN.

  2. In the Designer, create a new permissions group .

    • Set the Only use for role based authentication option.

  3. Make the new permissions group dependent on the vi_4_SYNCPROJECT_ADMIN permissions group.

    Then the vi_4_SYNCPROJECT_ADMIN permissions groups must be assigned as the parent permissions group. This means that the new permissions group inherits the properties.

  4. Make the new permissions group dependent on the default permissions group of the selected default application role.

    Then the default permissions groups must be assigned as the parent permissions group. This means that the new permissions group inherits the properties.

  5. Save the changes.
  6. In the Manager, create a new application role.

    1. Assign the selected application role to be the parent application role.

    2. Assign the newly created permissions group.

  7. Assign employees to this application role.

  8. Save the changes.

To set up an application role for synchronization (use case 3):

  1. In the Designer, create a new permissions group for custom tables that are populated by synchronization.

    • Set the Only use for role based authentication option.

  2. Guarantee this permissions group all the required permissions to the custom tables.

  3. Create another permissions group for synchronization.

    • Set the Only use for role based authentication option.

  4. Make the permissions group for synchronization dependent on the permissions group for custom tables.

    Then the permissions group for custom tables must be assigned as the parent permissions group. This means the permissions groups for synchronization inherits its properties.

  5. Make the permissions group for synchronization dependent on the vi_4_SYNCPROJECT_ADMIN permissions group.

    Then the vi_4_SYNCPROJECT_ADMIN permissions groups must be assigned as the parent permissions group. This means the permissions groups for synchronization inherits its properties.

  6. Save the changes.
  7. In the Manager, create a new application role.

    1. Assign the Custom | Managers application role as the parent application role.

    2. Assign the permissions group for the synchronization.

  8. Assign employees to this application role.

  9. Save the changes.

For more information about setting up application roles and permissions groups, see the One Identity Manager Authorization and Authentication Guide.

相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级