Differences
This shows you the differences between two versions of the page.
devel:documentation:synchronization:dev:synchronization [2019/07/25 07:21] svandav |
devel:documentation:synchronization:dev:synchronization [2020/10/09 09:04] husniko [Entities that supports sync] |
||
---|---|---|---|
Line 1: | Line 1: | ||
- | ====== Synchronization ====== | + | ====== Synchronization |
{{tag> sync identity}} | {{tag> sync identity}} | ||
Line 12: | Line 12: | ||
| Tree | IdmTreeNodeDto | | Tree | IdmTreeNodeDto | ||
| Role | IdmRoleDto | | Role | IdmRoleDto | ||
- | | Role catalogue | + | | Role catalogue |
| | | | | | ||
Line 221: | Line 221: | ||
===== Specific synchronization options ===== | ===== Specific synchronization options ===== | ||
+ | {{tag> | ||
- | {{ :tutorial:adm:synchronization_details_identities.png?nolink | + | {{ :devel:documentation:synchronization: |
You can configure additional synchronization options for specific uses: | You can configure additional synchronization options for specific uses: | ||
* **Default role** - The value can be any role in CzechIdM. This value is used in the case that the synchronization links an existing system account to an existing or a new identity in CzechIdM. If the default role is specified, this role will be assigned to the identity for its main valid contractual relationship. Then the link to the account will be created with the property **Assigned by role** set to the default role. If the default role is empty, the link to the account will be created as well, only without the property " | * **Default role** - The value can be any role in CzechIdM. This value is used in the case that the synchronization links an existing system account to an existing or a new identity in CzechIdM. If the default role is specified, this role will be assigned to the identity for its main valid contractual relationship. Then the link to the account will be created with the property **Assigned by role** set to the default role. If the default role is empty, the link to the account will be created as well, only without the property " | ||
+ | * **Assign default role to all valid contracts** - If the default role is selected and this option is checked, then the default role will not be assigned to the main contract, but to all valid or in future valid contracts of the identity. As in previous step, the assigning is realized via role-request and this request is executed immediately without approving. | ||
* The main use-case for this option is **initial linking of accounts during the reconciliation** of a system, where the accounts will be further managed by CzechIdM - e.g. LDAP, AD. The default role will be usually configured for provisioning on this system, see [[tutorial: | * The main use-case for this option is **initial linking of accounts during the reconciliation** of a system, where the accounts will be further managed by CzechIdM - e.g. LDAP, AD. The default role will be usually configured for provisioning on this system, see [[tutorial: | ||
* This option is supported in the following actions of the synchronization: | * This option is supported in the following actions of the synchronization: | ||
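Review bot: The added **Assign default role to all valid contracts** bullet says the role request "is executed immediately without approving", but it leaves the access-control consequence implicit. With this option checked, a synchronization run assigns the default role on every valid and future-valid contract of the identity with no approval step. Suggest stating that directly, so whoever selects the default role knows the assignment bypasses approval. Two wording points in the same bullet: "As in previous step" refers to a bullet, not a step, and "in future valid contracts" would read better as "contracts that become valid in the future".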
Line 237: | Line 239: | ||
* **After end, start the automatic role recalculation** - After synchronization correctly ended recalculation of automatic role will be started. | * **After end, start the automatic role recalculation** - After synchronization correctly ended recalculation of automatic role will be started. | ||
* **Create default contracts for new identities** - If a new identity is created during synchronization, | * **Create default contracts for new identities** - If a new identity is created during synchronization, | ||
+ | |||
+ | ===== Differential sync (process only differences) ===== | ||
+ | |||
+ | The goal of **differential synchronization** is to update the synchronized entity only if at least one mapped attribute value has changed. This **prevents unnecessary event creation** in the system. | ||
+ | |||
+ | **Differential synchronization only checks the values of the mapped attributes**. Ie. if the attribute that we do not map in IdM changes in the source account, the differential synchronization will not detect the change and the entity will not be saved. | ||
+ | |||
+ | <note tip>You can turn on differential sync in both **reconciliation** and standard **sync** modes.</ | ||
+ | |||
+ | |||
+ | If differential synchronization evaluates that the account has not changed against to the entity in IdM, the account is marked as **IGNORE** (blue color) in the sync log. | ||
+ | |||
+ | **In the picture below**, only **one** change was detected. | ||
+ | |||
+ | Therefore, **18 elements** are marked as **IGNORE** and **one** is marked as **SUCCESS** (green color): | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | |||
+ | {{ : | ||
+ | |||
+ | ==== How differential sync can be enabled? ==== | ||
+ | |||
+ | Differential sync can be enabled on the detail of sync, where **Process only differences** have to be checked. | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | ==== When differential sync shoud be disabled ==== | ||
+ | Differential synchronization can (especially in reconciliation mode) significantly **increase system speed**. **Normally there is no reason for it not to be activated**. | ||
+ | |||
+ | The only situation where differential synchronization cannot be used is when we require all synchronized entities to be saved because of **project-specific processors** that are linked to the save event. | ||
+ | |||
+ | |||
===== Events ===== | ===== Events ===== | ||
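Review bot: The last subsection should connect the two facts this section already states. Accounts marked **IGNORE** are not saved, so no save event is raised for them, and that is why project-specific processors linked to the save event do not run. As written, the reader has to infer this from "prevents unnecessary event creation" several paragraphs earlier. Suggest saying it in the "only situation" paragraph and linking back to the mapped-attributes limitation. Typos to fix in the added lines: "shoud" in the heading "When differential sync shoud be disabled", "Ie." should be "I.e.", "has not changed against to the entity" should be "compared to the entity", and "**Process only differences** have to be checked" should be "has to be checked". "Increase system speed" would be more precise as "reduce synchronization run time".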
Line 274: | Line 309: | ||
* **Linked** - only if the action **Update entity** or **Update account** is configured and the property '' | * **Linked** - only if the action **Update entity** or **Update account** is configured and the property '' | ||
* Reason: The system entity is linked to an IdM entity. By removing " | * Reason: The system entity is linked to an IdM entity. By removing " | ||
+ | |||
+ | ===== User type (projection) ===== | ||
+ | {{tag> | ||
+ | Since version **10.3.0**, identity synchronization supports sync of a user type: | ||
+ | |||
+ | * On the attribute detail, select the entity filed **User type (IdmFormProjectionDto)**. | ||
+ | * The output of the **transformation from the system** can be a user-type **identifier** or its **code** (the **IdmFormProjectionDto** object). | ||
+ | |||
+ | User type **provisioning** is also supported from this version: | ||
+ | |||
+ | * On the attribute detail, select the entity filed **User type (IdmFormProjectionDto)**. | ||
+ | * Input value in **transformation to the system** is user type object (**IdmFormProjectionDto**). | ||
+ | |||
+ | For provisioning a code of user type, you can use **this example:** | ||
+ | < | ||
+ | if (attributeValue != null) { | ||
+ | return attributeValue.getCode(); | ||
+ | } | ||
+ | </ | ||
+ | |||
+ | |||
+ | |||
+ | |||
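Review bot: The example script returns a value only inside `if (attributeValue != null)`, so when the identity has no user type the script falls through without an explicit return. Suggest adding an explicit `return null;` after the `if` block, or a sentence saying what is sent to the system in that case, so the behaviour for identities without a user type is documented rather than implied. In both bullet lists "entity filed" should be "entity field". In the sync list, the parenthetical "(the **IdmFormProjectionDto** object)" is ambiguous: it is unclear whether the object is a third accepted output of the transformation or a description of what the identifier or code refers to.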