Differences

This shows you the differences between two versions of the page.

devel:documentation:synchronization:dev:synchronization [2019/07/25 07:21]
svandav
devel:documentation:synchronization:dev:synchronization [2020/10/09 09:04]
husniko [Entities that supports sync]
Line 1: Line 1:
-====== Synchronization ======+====== Synchronization (of identities) ======
 {{tag> sync identity}} {{tag> sync identity}}
  
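Review bot: The new heading "Synchronization (of identities)" narrows the page title to identities, yet the table in the next hunk still lists Tree, Role and Role catalogue as entities with their own sync pages. Either keep the general title, or add a sentence under the heading saying that this page covers identity sync and that the table points to the pages for the other entity types.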
Line 12: Line 12:
 | Tree                  | IdmTreeNodeDto            |[[..:..:synchronization:dev:tree-sync|]]                         | | Tree                  | IdmTreeNodeDto            |[[..:..:synchronization:dev:tree-sync|]]                         |
 | Role                  | IdmRoleDto            |[[..:..:synchronization:dev:role-sync|]]                          | | Role                  | IdmRoleDto            |[[..:..:synchronization:dev:role-sync|]]                          |
-| Role catalogue                  | IdmRoleCatalogueDto            |                          |+| Role catalogue                  | IdmRoleCatalogueDto            |[[..:..:synchronization:dev:role-catalogue-sync|]]                          |
 | | | |
    
Line 221: Line 221:
  
 ===== Specific synchronization options ===== ===== Specific synchronization options =====
 +{{tag>specific sync identity options settings}}
  
-{{ :tutorial:adm:synchronization_details_identities.png?nolink |}}+{{ :devel:documentation:synchronization:dev:sync-specific-settings.png? |}}
  
 You can configure additional synchronization options for specific uses: You can configure additional synchronization options for specific uses:
   * **Default role** - The value can be any role in CzechIdM. This value is used in the case that the synchronization links an existing system account to an existing or a new identity in CzechIdM. If the default role is specified, this role will be assigned to the identity for its main valid contractual relationship. Then the link to the account will be created with the property **Assigned by role** set to the default role. If the default role is empty, the link to the account will be created as well, only without the property "Assigned by role".   * **Default role** - The value can be any role in CzechIdM. This value is used in the case that the synchronization links an existing system account to an existing or a new identity in CzechIdM. If the default role is specified, this role will be assigned to the identity for its main valid contractual relationship. Then the link to the account will be created with the property **Assigned by role** set to the default role. If the default role is empty, the link to the account will be created as well, only without the property "Assigned by role".
 +  * **Assign default role to all valid contracts** - If the default role is selected and this option is checked, then the default role will not be assigned to the main contract, but to all valid or in future valid contracts of the identity. As in previous step, the assigning is realized via role-request and this request is executed immediately without approving.
     * The main use-case for this option is **initial linking of accounts during the reconciliation** of a system, where the accounts will be further managed by CzechIdM - e.g. LDAP, AD. The default role will be usually configured for provisioning on this system, see [[tutorial:adm:provisioning]].     * The main use-case for this option is **initial linking of accounts during the reconciliation** of a system, where the accounts will be further managed by CzechIdM - e.g. LDAP, AD. The default role will be usually configured for provisioning on this system, see [[tutorial:adm:provisioning]].
     * This option is supported in the following actions of the synchronization: Missing Entity -> Create entity, Not Linked -> Create link, Create link and update entity, Create link and update account.     * This option is supported in the following actions of the synchronization: Missing Entity -> Create entity, Not Linked -> Create link, Create link and update entity, Create link and update account.
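Review bot: The added bullet "Assign default role to all valid contracts" is inserted between "Default role" and its two indented sub-bullets, so "The main use-case for this option ..." and "This option is supported in the following actions ..." now nest under the new bullet and "this option" changes meaning. Move the added line below those sub-bullets. The sentence "As in previous step, the assigning is realized via role-request and this request is executed immediately without approving" refers back to something the Default role bullet never states; say in the Default role bullet itself that the role is assigned through a role request executed without approval, since that matters when choosing which role to configure there. The new image reference also ends in a bare "?" with no size parameter.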
Line 237: Line 239:
   * **After end, start the automatic role recalculation** - After synchronization correctly ended recalculation of automatic role will be started.    * **After end, start the automatic role recalculation** - After synchronization correctly ended recalculation of automatic role will be started. 
   * **Create default contracts for new identities** - If a new identity is created during synchronization, a default contract will be created for the identity. To use this feature, you must also enable creating default contracts in the [[devel:documentation:application_configuration:dev:backend#identity|application configuration]] (''idm.pub.core.identity.create.defaultContract.enabled=true'').   * **Create default contracts for new identities** - If a new identity is created during synchronization, a default contract will be created for the identity. To use this feature, you must also enable creating default contracts in the [[devel:documentation:application_configuration:dev:backend#identity|application configuration]] (''idm.pub.core.identity.create.defaultContract.enabled=true'').
 +
 +===== Differential sync (process only differences) =====
 +
 +The goal of **differential synchronization** is to update the synchronized entity only if at least one mapped attribute value has changed. This **prevents unnecessary event creation** in the system.
 +
 +**Differential synchronization only checks the values of the mapped attributes**. Ie. if the attribute that we do not map in IdM changes in the source account, the differential synchronization will not detect the change and the entity will not be saved.
 +
 +<note tip>You can turn on differential sync in both **reconciliation** and standard **sync** modes.</note>
 +
 +
 +If differential synchronization evaluates that the account has not changed against to the entity in IdM, the account is marked as **IGNORE** (blue color) in the sync log.
 +
 +**In the picture below**, only **one** change was detected.
 +
 +Therefore, **18 elements** are marked as **IGNORE** and **one** is marked as **SUCCESS** (green color):
 +
 +{{ :devel:documentation:synchronization:dev:diff_sync_use_.png?1000 |}}
 +
 +
 +{{ :devel:documentation:synchronization:dev:diff_sync_use_log.png?600 |}}
 +
 +==== How differential sync can be enabled? ====
 +
 +Differential sync can be enabled on the detail of sync, where **Process only differences** have to be checked.
 +
 +{{ :devel:documentation:synchronization:dev:diff_sync.png?1000 |}}
 +
 +==== When differential sync shoud be disabled ====
 +Differential synchronization can (especially in reconciliation mode) significantly **increase system speed**. **Normally there is no reason for it not to be activated**.
 +
 +The only situation where differential synchronization cannot be used is when we require all synchronized entities to be saved because of **project-specific processors** that are linked to the save event.
 +
 +
  
 ===== Events ===== ===== Events =====
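Review bot: The section "When differential sync shoud be disabled" says the only case for leaving the option off is project-specific processors linked to the save event, but the earlier paragraph states that a change in an unmapped attribute is not detected and the entity is not saved. Say explicitly whether that is a second case the reader has to weigh or is intended behaviour. The section also does not state whether "Process only differences" is on or off by default. Wording fixes: "shoud" should be "should" in the heading, "Ie." should be "I.e.", "have to be checked" should be "has to be checked", and "against to the entity" should be "against the entity".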
Line 274: Line 309:
   * **Linked** - only if the action **Update entity** or **Update account** is configured and the property ''idm.sec.acc.provisioning.allowedAutoMappingOnExistingAccount'' is ''true''.   * **Linked** - only if the action **Update entity** or **Update account** is configured and the property ''idm.sec.acc.provisioning.allowedAutoMappingOnExistingAccount'' is ''true''.
     * Reason: The system entity is linked to an IdM entity. By removing "wish", we would effectively do auto mapping, because following provisioning attempts would be Update and not Create. So we can remove "wish" only if auto mapping is allowed.     * Reason: The system entity is linked to an IdM entity. By removing "wish", we would effectively do auto mapping, because following provisioning attempts would be Update and not Create. So we can remove "wish" only if auto mapping is allowed.
 +
 +===== User type (projection) =====
 +{{tag>projection user type}}
 +Since version **10.3.0**, identity synchronization supports sync of a user type:
 +
 +  * On the attribute detail, select the entity filed **User type (IdmFormProjectionDto)**.
 +  * The output of the **transformation from the system** can be a user-type **identifier** or its **code** (the **IdmFormProjectionDto** object).
 +
 +User type **provisioning** is also supported from this version:
 +
 +  * On the attribute detail, select the entity filed **User type (IdmFormProjectionDto)**.
 +  * Input value in **transformation to the system** is user type object (**IdmFormProjectionDto**).
 +
 +For provisioning a code of user type, you can use **this example:**
 +<code>
 +if (attributeValue != null) {
 +    return attributeValue.getCode();
 +}
 +</code>
 +
 +
 +
 +
  
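Review bot: In the first list, "a user-type identifier or its code (the IdmFormProjectionDto object)" is ambiguous: the parenthesis reads as if the transformation from the system should return the DTO, while the sentence itself says identifier or code. Reword it to say which return values are accepted. "entity filed" should be "entity field" in both lists. In the example script the null case falls through without a return statement; add an explicit "return null;" after the if block so it is clear what gets provisioned for an identity that has no user type.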
  • by cem