Differences

devel:documentation:adm:export_import [2020/03/16 14:13]
svandav
devel:documentation:adm:export_import [2021/09/17 15:21]
apeterova [Systems]
Line 1: Line 1:
 ====== IdM data export/import agenda ====== ====== IdM data export/import agenda ======
 +
 +{{tag>export import zip batch}}
  
 This agenda is used to transfer configuration data from one IdM to another. A typical use scenario is when you already have IdM configured on a test environment and now you need to migrate the tested configuration to a production environment. This agenda is used to transfer configuration data from one IdM to another. A typical use scenario is when you already have IdM configured on a test environment and now you need to migrate the tested configuration to a production environment.
Line 41: Line 43:
  
 ==== Export descriptors ==== ==== Export descriptors ====
-Popisovače exportů primárně definují pořadí v jakém se data exportují (stejné pořadí se použije během importu). Jednotlivé popisovače dále obsahují další metadatakterá definují, jak má import z daným typem objektů zacházetMetadata popisovače dále definují:+Export descriptors primarily define the order in which data is exported (the same order is used during import). In additioneach descriptor contains additional metadata that defines how the import should handle that type of objectThe descriptor metadata also defines:
  
 * **Supports authoritative mode** - Defines whether authoritative mode is enabled for this object type. If so, then the import removes other / redundant entities from the target IdM (for example, if the role contains additional guarantors that do not exist in the batch, they will be deleted).Parent fields are uses for find ID of super parents for this batch (system, role, ..). * **Supports authoritative mode** - Defines whether authoritative mode is enabled for this object type. If so, then the import removes other / redundant entities from the target IdM (for example, if the role contains additional guarantors that do not exist in the batch, they will be deleted).Parent fields are uses for find ID of super parents for this batch (system, role, ..).
Line 48: Line 50:
 * **Advanced paring fields** -  Defines fields in DTO, where we need to use advanced paring strategy. It means that we need to check if UUID exists in target system. If not, we will use DTO from embedded map and try to find DTO by code. * **Advanced paring fields** -  Defines fields in DTO, where we need to use advanced paring strategy. It means that we need to check if UUID exists in target system. If not, we will use DTO from embedded map and try to find DTO by code.
 * **Optional** - If is true and DTO will cannot be persisted, because some relation was not found, then only warning will be logged, but batch can continue. * **Optional** - If is true and DTO will cannot be persisted, because some relation was not found, then only warning will be logged, but batch can continue.
 +* **Excluded fields** -  Defines fields in DTO, which will be excluded during the import. It means this fields will be not changed on target IdM. If entity will not exists, then that fields will set to null. For example, the token in sync definition is excluded.
 +
 +<note important>Since version 10.6.0 is **token** field excluded from a import of system sync.</note>
  
  
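Review bot: the new `+* **Excluded fields**` bullet leaves the behaviour for new entities ambiguous: "If entity will not exists, then that fields will set to null" should state plainly that when the target IdM has no such entity yet, the excluded field is created with a null value, and that when the entity already exists the field keeps its current value in the target. The follow-up note "Since version 10.6.0 is **token** field excluded from a import of system sync." reads better as "Since version 10.6.0, the **token** field is excluded from the import of system synchronization." and would be more useful to an operator if it also said what a null token means for the first synchronization run after the import, since that is the operational consequence of not carrying the test environment's sync state into production. In the unchanged context of this hunk, "Advanced paring fields" should probably read "Advanced pairing fields", and "Parent fields are uses for find ID of super parents" should read "Parent fields are used to find the ID of the super parents".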
Line 53: Line 58:
 Version **10.2.0** implements export of **roles**, **systems**, **application configurations**, and some related objects (such as form definitions or catalogs ...). Version **10.2.0** implements export of **roles**, **systems**, **application configurations**, and some related objects (such as form definitions or catalogs ...).
  
-<note important>Passwords (stored in confidentila storage) are **never exported**. When you first import an object that contained a password (for example, a connector configuration (EAV attributes) or password in remote connector server), the password will not be filled in the target IdM. If it is an update of an existing object, then the password in the target IdM will **not be modified** in any way.</note>+<note important>Passwords (stored in confidential storage) are **never exported**. When you first import an object that contained a password (for example, a connector configuration (EAV attributes) or password in remote connector server), the password will not be filled in the target IdM. If it is an update of an existing object, then the password in the target IdM will **not be modified** in any way.</note>
  
 ==== Roles ==== ==== Roles ====
Line 71: Line 76:
  
 ==== Systems ==== ==== Systems ====
 +
 <note tip>Systems may have a relation to a roles (provisioning breaks or roles that allocate the system), so you must always export and import roles before importing systems.</note> <note tip>Systems may have a relation to a roles (provisioning breaks or roles that allocate the system), so you must always export and import roles before importing systems.</note>
  
 Systems are exports with this related objects: Systems are exports with this related objects:
  
-* **Connector configuration** (authoritative mode = **off**) +  * **Connector configuration**  (authoritative mode = **off**) 
-* **Connector pooling configuration** (authoritative mode = **on**) +  * **Connector pooling configuration**  (authoritative mode = **on**) 
-* **Provisioning brake** (authoritative mode = **on**) - Relations to a receivers are mandatory. It means a identities or roles using as receivers must exists in target IdM. +  * **Provisioning brake**  (authoritative mode = **on**) - Relations to a receivers are mandatory. It means a identities or roles using as receivers must exists in target IdM. 
-* **System scheme** (authoritative mode = **on**) +  * **System scheme**  (authoritative mode = **on**) 
-* **System scheme attributes** (authoritative mode = **on**) +  * **System scheme attributes**  (authoritative mode = **on**) 
-* **Mapping** (authoritative mode = **on**) +  * **Mapping**  (authoritative mode = **on**) 
-* **Attributes mapping** (authoritative mode = **on**) - If a particular attribute maps an EAV attribute to an entity (such as identity), then **the attribute definition is also added to the export**. +  * **Attributes mapping**  (authoritative mode = **on**) - If a particular attribute maps an EAV attribute to an entity (such as identity), then **the attribute definition is also added to the export**. 
-* **Role assigns account in systems** (authoritative mode = **on**, optional = **on**) - Relations between system and roles are exports as optional. It means if some of a role isn't found on target IdM, then is that relation skipped (import will be continue). Within exporting of this relations are role-defined attributes also exported (authoritative mode = **on**, optional = **on**). +  * **Role assigns account in systems**  (authoritative mode = **on**, optional = **on**) - Relations between system and roles are exports as optional. It means if some of a role isn't found on target IdM, then is that relation skipped (import will be continue). Within exporting of this relations are role-defined attributes also exported (authoritative mode = **on**, optional = **on**). 
-* **Sync configuration** (authoritative mode = **on**)+  * **Sync configuration**  (authoritative mode = **on**, optional=**on**) - Sync contract/slice configuration contains relation on a tree-type and tree-node object. If this objects will be not found (by ID or code), then whole configuration of the sync will be skipped (not updated, not created, not deleted). 
 +<note important>Since **10.6.0**: **Sync contract/slice configuration**  contains relation on a organization structure and organization node. If this objects will be not found (by ID or code), then whole **configuration of the sync will be skipped**  (not updated, not created, not deleted)</note> 
 + 
 +<note tip>Virtual systems may be imported with some limitations, see the section **Limitations**.</note> 
  
 ==== Application configuration ==== ==== Application configuration ====
  
 Application configurations without authoritative mode. Application configurations without authoritative mode.
 +
 +===== Authorization policies =====
 +
 +**For execute an export action you will need to have:**
 +
 +  * Permission to autocomplete and read, update and create export batch: **Export/Import (IdmExportImport)** | View in select box (autocomplete), Read, Create, Update | BasePermissionEvaluator.
 +  * Permission to see a progress bar: **Scheduler (IdmLongRunningTask)** | Autocomplete| BasePermissionEvaluator.
 +  * Permission for read exported object. For example: To export a application configurations you need: **Configuration (app) (IdmConfiguration)** | Read | BasePermissionEvaluator.
 +
 +<note important>To successfully export, you must have the **permissions to read all objects that will be exported**. For example, if a role contains business roles and you do not have the permissions to them, then the **export will fail**!</note>
 +
 +**For execute an import action in dry-run mode you will need to have:**
 +
 +  * Permission to autocomplete and read, update and create export batch: **Export/Import (IdmExportImport)** | View in select box (autocomplete), Read, Create, Update | BasePermissionEvaluator.
 +  * Permission to see a progress bar: **Scheduler (IdmLongRunningTask)** | Read | BasePermissionEvaluator.
 +  * Permission to read import log: **Export/Import (IdmImportLog)** | Read | BasePermissionEvaluator.
 +
 +**For execute an import action you will need to have:**
 +
 +  * Permission to admin export batch: **Export/Import (IdmExportImport)** | Administration (all) | BasePermissionEvaluator.
 +
 +<note important>Only **import / export administrator** can run import batches!</note>
 +
 +
  
 ===== Performance tests ===== ===== Performance tests =====
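Review bot: the new `+  * **Sync configuration**` bullet and the `<note important>` directly after it describe the same rule twice with different terms ("tree-type and tree-node object" versus "organization structure and organization node"); keep one wording, say which version introduced the optional behaviour, and state whether a skipped sync configuration is reported in the import log so the operator notices that it was neither created nor updated. "Provisioning brake" in the list should be "Provisioning break", matching "provisioning breaks" in the tip above it. In the new Authorization policies section, "For execute an export action you will need to have:" should read "To execute an export action you need:", "a application configurations" should be "application configurations", and the first bullet of the export list and of the dry-run list is identical, so consider stating that shared requirement once. The export list requires **Scheduler (IdmLongRunningTask)** | Autocomplete while the dry-run list requires Read for the same purpose ("to see a progress bar"); if that difference is intended, say why, otherwise align them. The note "Only **import / export administrator** can run import batches!" is the key security statement of this section: because authoritative mode removes entities that are missing from the batch, it would help to spell out that a real import requires Administration (all) precisely because it can delete data in the target IdM, whereas a dry-run only needs Read.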
Line 122: Line 156:
 ==== No skip implemented  ==== ==== No skip implemented  ====
 <note important>Omitting for recalculation of business roles, incompatible roles or provisioning is not implemented in version 10.2.0!</note> <note important>Omitting for recalculation of business roles, incompatible roles or provisioning is not implemented in version 10.2.0!</note>
 +
 +==== Virtual systems  ====
 +
 +<note tip > Full support of the virtual system export and import has been available since version 11.1. Following workaround should not be necessary anymore. </note>
 +
 +When importing a virtual system, you must make some further adjustments so the imported system behaves in the same way as the exported system. Especially if you use the "rights" attribute or if you changed or [[tutorial:adm:virtual_system_-_adding_or_deleting_managed_extended_attributes#deleting_attributes_on_virtual_systems|removed some of the default attributes]]. After you import the system:
 +  * Go to **Settings -> Form definitions**, search for the definition of type *VsAccount* and name containing the name of your system.
 +  * Go to **Form attributes**, remove the attributes that are superfluous. For the attribute "rights", switch the checkbox "multivalued".
 +
 +More info [[https://redmine.czechidm.com/issues/2550|here]].
 +
 +
  
  
  
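Review bot: `<note tip >` has a stray space before `>`; write `<note tip>` like the other notes on the page so the plugin syntax stays consistent. In the first bullet, `*VsAccount*` uses single asterisks, which is not DokuWiki emphasis (italic is `//VsAccount//`), so the type name currently renders with literal asterisks. Since the tip states that full support exists from version 11.1, the paragraph "When importing a virtual system, you must make some further adjustments..." should be scoped explicitly, for example "In versions before 11.1, when importing a virtual system...", so readers on a current version do not apply the workaround unnecessarily. The instruction `For the attribute "rights", switch the checkbox "multivalued"` should name the target state (check it) rather than "switch", which can be read as toggling in either direction.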
  • by apeterova