Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
devel:documentation:synchronization:dev:tree-sync [2020/06/17 13:08]
tomiskar [Automatic roles] 		devel:documentation:synchronization:dev:tree-sync [2021/04/07 19:11] (current)
apeterova info about parent attributes
Line 2: Line 2:
 {{tag> sync tree}} {{tag> sync tree}}
  
-An example of organizational structure synchronization can be found in the admin guide.+An example of organizational structure synchronization can be found in the [[tutorial:adm:systems_db_treenodes|admin guide]].
  
  
 === Basic algorithm === === Basic algorithm ===
   * Root search    * Root search 
-  * For each rootare recursively searched a children (based on equality value the identity  ** UID ** (identifier) parent attribute ** parent **  and childe attribute). * Synchronization is started for each tree element. +  * For each root are recursively searched all its child nodes (based on the equality where the ** UID ** (identifier) of the parent node equals  ** parent ** attribute of the child node). 
 +  * Synchronization is started for each tree element. 
  
 <note note> Situation ** The account does not exist **, it is solely based on a comparison of the existence of accounts on the target system against the existence of IDM accounts. </note> <note note> Situation ** The account does not exist **, it is solely based on a comparison of the existence of accounts on the target system against the existence of IDM accounts. </note>
 ==== Finding tree roots ==== ==== Finding tree roots ====
-The roots of the tree are searched over the set of all accounts obtained from the target system. The reason why roots are not found using the ** search ** method on the end system is that their definition is in some cases too complex (the search criteria in the IC module are inadequate).+The roots of the tree are searched over the set of all accounts obtained from the source system. The reason why roots are not found using the ** search ** method on the end system is that their definition is in some cases too complex (the search criteria in the IC module are inadequate).
 Such a case is, for example, a situation where roots are all the elements (accounts) whose ** parent ** attribute are shown to themselves. Such a case is, for example, a situation where roots are all the elements (accounts) whose ** parent ** attribute are shown to themselves.
  
-Root search is performed using the Groovy script in the synchronization configuration ** tree root / tree definition **. This script runs over all system elements. If ** Boolean.TRUE ** returns, then the element is root. If it returns ** Boolean.FALSE **, it is not the root. The entry of this script is ** account ** (IcObject), an object of the element received from the IC module.+Root search is performed using the Groovy script in the synchronization configuration ** Definition of tree roots **. This script runs over all system elements. If it returns ** Boolean.TRUE **, then the element is root. If it returns ** Boolean.FALSE **, it is not the root. The entry of this script is ** account ** (IcObject), an object of the element received from the IC module, so the names of the attributes are the names of the scheme attributes.
  
-<note tip> If the root trace script is not filled, then every element whose ** parent ** attribute is ** null ** is considered to be root. </note>+<note tip> If the root definition script is not filled, then every element whose ** parent ** attribute is ** null ** is considered to be root. </note>
  
 ** Example of a script addressing the situation described above **: ** Example of a script addressing the situation described above **:
  
 <code groovy> <code groovy>
 +// Name of the attribute in the scheme attributes, which contains the relation to the parent tree node 
 +String PARENT_ATTR_NAME = "parent";
 if(account){ if(account){
  // Get value from parent attribute  // Get value from parent attribute
- def parentValue = account.getAttributeByName("parent").getValue();+ def parentValue = account.getAttributeByName(PARENT_ATTR_NAME).getValue();
  // Get value from ID attribute  // Get value from ID attribute
  def uidValue = account.getAttributeByName("id").getValue();  def uidValue = account.getAttributeByName("id").getValue();
Line 31: Line 33:
  if(parentValue != null && parentValue.equals(uidValue)){  if(parentValue != null && parentValue.equals(uidValue)){
      // We need clear value of parent attribute. In IDM has roots always parent = null.      // We need clear value of parent attribute. In IDM has roots always parent = null.
-     account.getAttributeByName("id_nadraz_prac_mista").setValues(null);+     account.getAttributeByName(PARENT_ATTR_NAME).setValues(null);
      return Boolean.TRUE;      return Boolean.TRUE;
  }  }
Line 40: Line 42:
  
 ==== How to synchronize all nodes under one already existing? ==== ==== How to synchronize all nodes under one already existing? ====
-Sometime we need synchronize all nodes from the source system under one node wich exists in the IdM.+Sometimes we need to synchronize all nodes from the source system under one node which already exists in the IdM.
  
-For definition of that '**Super parent**' node we cannot using:+For definition of that '**Super parent**' node we cannot use:
    
-  * The transfromation from the system (on 'parent' attribute), because we offten using null value in the parent attribute as definition the root node. +  * The transformation from the system (on 'parent' attribute), because we often use null value in the parent attribute as definition the root node. 
-  * Selectbox on UI (configuration of the sync), because we sometime want to use more 'Super parent' nodes (in case we have more roots and every one shuld be under different 'Super parent').+  * Selectbox on UI (configuration of the sync), because we sometimes want to use more 'Super parent' nodes (in case we have more roots and some of them should be under different 'Super parent').
  
-**Super parent node can be defined in the transformation searching roots**. This script is defined on the sync configuration and we can set **ID of super parent node** to **parent** attribute. +**Super parent node can be defined in the script for "Definition of tree roots"**. This script is defined on the sync configuration and we can set **ID of super parent node** to **parent** attribute. 
-<note>Using an ID instead of a node's code is an intent for optimization reasons. When searching for a super parent, first verify that it is a UUID value, which is much faster than searching the node by code.</note>+<note>Using an ID instead of a node's code is an intent for optimization reasons. When searching for a super parent, IdM first checks if it is a UUID value, which is then much faster than searching the node by code.</note>
  
  
 <code groovy> <code groovy>
 +// Name of the attribute in the scheme attributes, which contains the relation to the parent tree node 
 +String PARENT_ATTR_NAME = "parent";
 if(account){ if(account){
  // Get value from parent attribute  // Get value from parent attribute
- def parentValue = account.getAttributeByName("parent").getValue();+ def parentValue = account.getAttributeByName(PARENT_ATTR_NAME).getValue();
    
  // Root is account, where is parent value is null  // Root is account, where is parent value is null
  if(parentValue == null){  if(parentValue == null){
      // Set default node      // Set default node
-     account.getAttributeByName("parent").setValues(["00a8aa04-667a-412e-bf3c-d892f2d9ca18"]);+     account.getAttributeByName(PARENT_ATTR_NAME).setValues(["00a8aa04-667a-412e-bf3c-d892f2d9ca18"]);
      return Boolean.TRUE;      return Boolean.TRUE;
  }  }
Line 70: Line 73:
 {{ :devel:documentation:synchronization:dev:tree_sync.png |}} {{ :devel:documentation:synchronization:dev:tree_sync.png |}}
  
-<note warning>All roots in IDMmust have **parent attribute = null**. In case when is roots define different (for example parent points on itself), then is important do transformation for each root (how looks script above).</note>+<note warning>All roots in IDM must have **parent attribute = null**. If the root is defined in a different way by the source system (for example parent points on itself), then it is important to do the transformation for each root (see the example script above).</note>
  
 <note warning>Leaving **uid** attribute and **parent** reference equal makes the synchronization loop infinitely - take care while setting the root computation script.</note> <note warning>Leaving **uid** attribute and **parent** reference equal makes the synchronization loop infinitely - take care while setting the root computation script.</note>
  • by tomiskar