Differences
This shows you the differences between two versions of the page.
Both sides previous revision Previous revision Next revision | Previous revision Next revision Both sides next revision | ||
devel:documentation:synchronization:dev:tree-sync [2018/05/23 14:38] svandav |
devel:documentation:synchronization:dev:tree-sync [2020/06/11 06:50] tomiskar |
||
---|---|---|---|
Line 1: | Line 1: | ||
+ | ===== Synchronization - tree nodes ===== | ||
+ | {{tag> sync tree}} | ||
+ | |||
+ | An example of organizational structure synchronization can be found in the admin guide. | ||
+ | |||
+ | |||
+ | === Basic algorithm === | ||
+ | * Root search | ||
+ | * For each root, are recursively searched a children (based on equality value the identity | ||
+ | |||
+ | <note note> Situation ** The account does not exist **, it is solely based on a comparison of the existence of accounts on the target system against the existence of IDM accounts. </ | ||
+ | ==== Finding tree roots ==== | ||
+ | The roots of the tree are searched over the set of all accounts obtained from the target system. The reason why roots are not found using the ** search ** method on the end system is that their definition is in some cases too complex (the search criteria in the IC module are inadequate). | ||
+ | Such a case is, for example, a situation where roots are all the elements (accounts) whose ** parent ** attribute are shown to themselves. | ||
+ | |||
+ | Root search is performed using the Groovy script in the synchronization configuration ** tree root / tree definition **. This script runs over all system elements. If ** Boolean.TRUE ** returns, then the element is root. If it returns ** Boolean.FALSE **, it is not the root. The entry of this script is ** account ** (IcObject), an object of the element received from the IC module. | ||
+ | |||
+ | <note tip> If the root trace script is not filled, then every element whose ** parent ** attribute is ** null ** is considered to be root. </ | ||
+ | |||
+ | ** Example of a script addressing the situation described above **: | ||
+ | |||
+ | <code groovy> | ||
+ | |||
+ | if(account){ | ||
+ | // Get value from parent attribute | ||
+ | def parentValue = account.getAttributeByName(" | ||
+ | // Get value from ID attribute | ||
+ | def uidValue = account.getAttributeByName(" | ||
+ | |||
+ | // Root is account, where is parent value equals with ID (externalId) value. | ||
+ | | ||
+ | // We need clear value of parent attribute. In IDM has roots always parent = null. | ||
+ | | ||
+ | | ||
+ | } | ||
+ | } | ||
+ | |||
+ | return Boolean.FALSE; | ||
+ | </ | ||
+ | |||
+ | ==== How to synchronize all nodes under one already existing? ==== | ||
+ | Sometime we need synchronize all nodes from the source system under one node wich exists in the IdM. | ||
+ | |||
+ | For definition of that ' | ||
+ | |||
+ | * The transfromation from the system (on ' | ||
+ | * Selectbox on UI (configuration of the sync), because we sometime want to use more 'Super parent' | ||
+ | |||
+ | **Super parent node can be defined in the transformation searching roots**. This script is defined on the sync configuration and we can set **ID of super parent node** to **parent** attribute. | ||
+ | < | ||
+ | |||
+ | |||
+ | <code groovy> | ||
+ | |||
+ | if(account){ | ||
+ | // Get value from parent attribute | ||
+ | def parentValue = account.getAttributeByName(" | ||
+ | |||
+ | // Root is account, where is parent value is null | ||
+ | | ||
+ | // Set default node | ||
+ | | ||
+ | | ||
+ | } | ||
+ | } | ||
+ | |||
+ | return Boolean.FALSE; | ||
+ | </ | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | <note warning> | ||
+ | |||
+ | <note warning> | ||
+ | |||
+ | ===== Actions after end of sync ===== | ||
+ | |||
+ | <note important> | ||
+ | |||
+ | ==== Automatic roles ==== | ||
+ | |||
+ | Recalculation of automatic roles is skipped during sync. Recalculation of automatic roles can be (**should be**) correctly started after the end of the sync. This can be ensured by the property ' | ||
+ | |||