Differences
This shows you the differences between two versions of the page.
devel:documentation:adm:systems [2019/02/26 07:26] kotisovam created a whole chapter moved - and edited - from devel to admin guide section
devel:documentation:adm:systems [2019/02/26 08:29] kotisovam [Password for confidential storage] parts moved (edited) from "Connector configuration and attribute mapping"
Line 30: | Line 30: | ||
- | ==== Password for confidential storage ==== | + | |
+ | ===== End systems connected to CzechIdM ===== | ||
+ | |||
+ | Systems get connected to IdM through synchronization and provisioning operations. | ||
+ | |||
+ | ==== Steps to connect a new system: ==== | ||
+ | - a new system named **Name-of-your-choice** must be created | ||
+ | - you choose a suitable database connector for it | ||
+ | - you need to set the connector up | ||
+ | - create a system scheme: either manually, or it is returned by the connector. In doing so, you get all the attributes available in the system | ||
+ | - then, map all these attributes. This serves two basic purposes: | ||
+ | - makes the scheme attributes accessible to the IdM system-users | ||
+ | - defines which value the attribute is to be mapped into in the IdM system (identity, group, extended attribute, hidden attribute). | ||
+ | - for optimalization purposes, an attribute can be cached. New attribute mapping is marked as ' | ||
+ | - in order to create an account for this user in the end system, | ||
+ | * you must link a new role to the system | ||
+ | * and assign this role to a user | ||
+ | |||
+ | |||
+ | ====== Synchronization/ | ||
+ | |||
+ | An attribute mapping strategy defines how attributes, and particularly their values, will be handled during provisioning and synchronization. | ||
+ | |||
+ | Here’s a list of strategies to consider: | ||
+ | |||
+ | * **SET (set as IdM calculates)**: | ||
+ | |||
+ | * **WRITE-IF-NULL (Set only if the value on the system is null)** - Before the final comparison whether a value is non-existent, | ||
+ | |||
+ | * This strategy is applied both to account **editing** and its **creation**. | ||
+ | |||
+ | * **CREATE (Set only when creating)** | ||
+ | |||
+ | * **MERGE:** alters the logic of calculating attributes and their values. If there are more attributes overloading the same default attribute, all the values are merged into one. This resulting value (list) is sent to the IdM system as a " | ||
+ | |||
+ | * **AUTHORITATIVE_MERGE (Authoritative merge)**: alters the logic of calculating attributes and their values. The original values of the attribute on the end system are not taken into account (i.e. if some other system or administrator had put a different value to the attribute, it would be ignored by IdM). | ||
+ | |||
+ | <note tip>The **WRITE-IF-NULL** strategy has a lower priority than **SET**, **MERGE** and **AUTHORITATIVE_MERGE**. Therefore, if we define one attribute with the **SET** strategy and another one with the **WRITE-IF-NULL** strategy in the default mapping on the system, then the value of the **WRITE-IF-NULL** attribute is never used. In this case, it is advisable to define the attribute with only the **WRITE-IF-NULL** strategy in the default mapping. The other attribute with the **SET** strategy will have to be defined in the role as an overload of the default attribute.</ | ||
+ | |||
+ | The **CREATE** strategy has a lower priority than **WRITE-IF-NULL**, | ||
+ | |||
+ | <note important> | ||
+ | |||
+ | <note important> | ||
+ | |||
+ | |||
+ | ===== Additional characteristics of strategies ===== | ||
+ | |||
+ | Aside from a strategy, every attribute can also have the indications **Always send** and **Send only if IdM value exists**. These indications can be combined with all the above strategies. | ||
+ | |||
+ | * **Always send** - ensures that the attribute will be sent to the end system even when it has been assessed that its value hasn't changed. | ||
+ | * **Send only if IdM value exists** - ensures that the attribute will be sent only when the calculated IdM value has some value (if it is a String type value, it cannot be blank). This setting ensures that the IdM system doesn' | ||
+ | |||
+ | ===== Password for confidential storage | ||
In previous IdM versions (> | In previous IdM versions (> |
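Review bot: the MERGE and AUTHORITATIVE_MERGE entries leave out the one fact a reader needs for security-sensitive attributes. The AUTHORITATIVE_MERGE bullet says the original values on the end system "are not taken into account (i.e. if some other system or administrator had put a different value to the attribute, it would be ignored by IdM)", which implies that plain MERGE does keep such values, but the MERGE bullet only describes merging several role overloads and never says what happens to values already present on the target. Spell that contrast out and say which strategy is expected for multi-valued attributes such as group membership, because if MERGE preserves them, a membership added directly on the target by another system, an administrator or an intruder survives every subsequent provisioning run, whereas AUTHORITATIVE_MERGE removes it. Three smaller points in the same region: the MERGE bullet says the resulting list "is sent to the IdM system", but a provisioned value goes to the end system, so this reads like a slip; the heading "====== Synchronization/" sits one level above the "===== End systems connected to CzechIdM =====" section it belongs to, so it will render as a new top-level chapter rather than a subsection; and "optimalization" in the caching step should be "optimization", with the trailing colon dropped from the "Steps to connect a new system:" heading.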