Differences

This shows you the differences between two versions of the page.

--- devel:documentation:systems:dev:system-mapping [2019/07/02 09:13]
svandav [Skip merged value if contract is excluded]
+++ devel:documentation:systems:dev:system-mapping [2021/03/26 10:32] (current)
svandav [Send additional attributes with password]
@@ Line 1: / Line 1: @@
 ====== Connector configuration and attribute mapping ======
-{{tag>connector mapping system configuration }}
+{{tag>connector mapping system configuration merge authoritative skip excluded }}
 ===== Connector configuration =====
+{{tag>connector configuration}}
 Creation of a newly connected system will be demonstrated on a database connector (ConnIdDBBundle).
 Firstly, we will create a new system named **Table** and choose the database connector.
@@ Line 12: / Line 13: @@
 ==== Connector pool configuration ====
+{{tag>connector pool}}
 **The connector pool** is a very useful feature that avoids unnecessarily creating a new connector instance each time a connector is called. Typically, each connector instance also creates a connection to that target system. It is effective to maintain these connections for **longer periods and for multiple calls**.
@@ Line 35: / Line 37: @@
+==== Additional connector configuration ====
+{{tag>operation options}}
+The additional connector configuration tab lets you configure so called operation options for each type of connector. These options are then passed to each invocation of given connector. This enables us to further tweak connection paramters for each system, such as list of attributes, which should be returned from target system.
+Each system has its own set of operation options. By default, only PAGE_SIZE and ATTRS_TO_GET is available for each connector, but you can easily add other options using corresponding form definition.
+=== Example operation options: ===
+  * **PAGE\_SIZE** - Number of records returned in paged search operation. This option is used for example in LDAP/AD connector
+  * **ATTRS\_TO\_GET** - List of attributes, which should be returned from system
+<note tip>Operation options are persisted in EAV attributes and use form definition with code "operation-options-connector-configuration-CONNECTOR_FULL_NAME_AND_VERSION".</note>
+{{ :devel:documentation:systems:dev:operation_options.png |}}
 ===== System scheme =====
+{{tag>system scheme}}
 When the connector is configured correctly, we can move on to the **System scheme** tab. There, we will create the scheme either manually or we will use the scheme which will be returned by the connector itself (according to the filled-in configuration).
@@ Line 52: / Line 70: @@
 ===== Attribute mapping =====
+{{tag>attribute mapping}}
 When the system scheme is created, we can move on to attribute mapping in the **Attribute mapping** tab. Mapping serves two basic purposes:
@@ Line 90: / Line 109: @@
 <note tip>Configuration is effective for all target systems. All target system will be using one configured way (configuration per-system is not implemented, coming soon).</note>
+=== Send attribute only on password change ===
+Since version **11.0.0** a new flag **Send only on password change** was added to the attribute detail.
+If is this flag checked, then the attribute will be send to the system only during change of password operation. It means that this attribute will be ignored in standard provisioning operations (create/update).
+<note important>This checkbox can be use only if attribute has checked flag **Send additional attributes with password**.</note>
@@ Line 121: / Line 146: @@
 ====== Mapped attribute strategy ======
+{{tag>attribute strategy}}
 The attribute strategy defines how will the attribute and primarily its value be dealt with during provisioning and synchronization.
@@ Line 152: / Line 178: @@
 ==== AUTHORITATIVE_MERGE (Authoritative merge) ====
+{{tag>authoritative merge}}
 This strategy (identically to MERGE) alters the logic of calculating attributes and their values. With the other strategies applies the following: if there are more occurrences of the same strategy for the same attribute (more overloaded attributes in more roles), the one with the highest priority is found (according to role priorities or their names). The resulting value going into provisioning is calculated on the basis of this one attribute only.
@@ Line 166: / Line 193: @@
 ==== MERGE (Merge) ====
+{{tag>merge controlled}}
 <note warning>Since version **9.3.0** was provisioning merge completely reimplemented!</note>
@@ Line 192: / Line 220: @@
 That persisted 'cache' is evicted when definiton for that attribut is changed on the role (SysRoleSystemAttribute).
-The evicted cache is **recalculated** by using the **AttributeControlledValuesRecalculationTaskExecutor** task, which is run after each save of attribute mapping on a role. In this case, this task recalculates the cache for all evicted attributes of the provisioning mapping.
+The evicted cache is **recalculated** by using the **AttributeControlledValuesRecalculationTaskExecutor** task. This task recalculates the cache for all evicted attributes of the provisioning mapping.
+<note important>Since version **9.7.5** is recalculation of evicted attribute **not starts on save a attribute** (SysRoleSystemAttribute)! Attribute on the system is **marked as evicted only**. Recalculation will be processed during first using of controlled values. This is typically on first **update provisioning**. **Beware** if new account is created and create provisioning is executed, then recalculation is not executed, because in this situation are controlled values not needed!</note>
+<note important>The merge attribute value must be a **constant**. For performance reasons, all system merge values are cached and this cache is recalculated only if the corresponding **role attribute changes**! **If the value is dynamic, the cache will not contain the correct data!**</note>
 {{ :devel:documentation:systems:dev:controlledvaluestask.png |}}