Differences
tutorial:adm:synchronization [2018/11/15 11:22] svandav [Specific synchronization options]
tutorial:adm:synchronization [2018/11/15 11:24] svandav [Specific synchronization options]
Line 1: | Line 1: | ||
+ | ====== Synchronization - generic system synchronization configuration ====== | ||
+ | Synchronization can be configured in **Systems -> System detail (magnifying glass sign) -> Synchronization**. If it is desired to add a new synchronization for the system, use the green Add button. It the configuration of already set synchronization is to be done, the magnifying glass sign should be clicked on. | ||
+ | {{ : | ||
+ | |||
+ | ===== Creating a new synchronization ===== | ||
+ | |||
+ | ==== Basic synchronization options ==== | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | There are following options in the basic settings: | ||
+ | * **Allowed** - only allowed synchronizations can be started, either manually or as [[devel: | ||
+ | * **Reconciliation** - if the synchronization should run in the " | ||
+ | * **Name** - name of your choice | ||
+ | * **Set of mapped attributes** - those are attributes from [[.: | ||
+ | * **Correlation attribute** - the attribute used for matching accounts and identities (i.e. finding the entities to be linked). The correlation attribute can be any attribute from the attribute mapping of the synchronization. The correlation attribute is always required in current version of CzechIdM, since the object vs entities states are computed before operations take place. | ||
+ | * **Token** - the value is the token of the last synchronization run. If the token is e.g. timestamp, the value can be time of last synchronization run. It is recommended to leave the option its current value. | ||
+ | * **Description** - optional description of the synchronization definition | ||
+ | |||
+ | |||
+ | ==== Synchronization states and actions ==== | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | During the process of synchronization, | ||
+ | * **Linked** - Object and Entity has been previously (by synchronization or manually) linked. The following actions can be performed on object and entity in this situation: | ||
+ | * **Update entity**: This updates the CzechIdM entity linked to the connected system object. The update is done on the basis of synchronization attribute mapping. After saving the entity, the standard provisioning is called. | ||
+ | * **Update account**: This calls the standard provisioning. Synchronization only calls the event, it does not perform provisioning itself. So if the provisioning is asynchronous, | ||
+ | * **Remove link**: This deletes the link between the CzechIdM entity and connected system object. It does not perform editing of the CzechIdM entity itself, it does not call provisioning. | ||
+ | * **Remove link and appropriate roles**: This removes the links, as in the previous case. In case of CzechIdM identity it also removes roles that are linked with this account. | ||
+ | * **Ignore**: This action does not perform any active operation. | ||
+ | * **Not Linked** - This is a situation when there is no link between the entity in CzechIdM and object in connected system. Since the link does not exist yet, the identity has been found using a **correlation attribute**. The following actions can be performed in Not Linked situation: | ||
+ | * **Create link**: This creates a link between CzechIdM entity and object. Editing of the identity itself is not done, provisioning is not called. | ||
+ | * **Create link and update entity** (since 8.0): A link is created in the same way as in the previous case. In addition, the linked entity is updated on the basis of synchronization attribute mapping. After saving the entity, the standard provisioning is called. | ||
+ | * **Create link and update account**: A link is created in the same way as in the previous case. In addition, the account on the end system is updated - an event for running provisioning is called. | ||
+ | * **Ignore**: This action does not perform any active operation. | ||
+ | * **Missing Entity** - This is a situation when there is no entity in CzechIdM matching object in the connected system. The following actions can be performed in this situation: | ||
+ | * **Create entity**: creates an entity in CzechIdM and a link it to object in connected system. The creation is done based on the attribute mapping chosen in synchronization configuration. The creation of entity calls provisioning. | ||
+ | * **Ignore**: This action does not perform any active operation. | ||
+ | * **Missing Account** - This is a situation when there is no object on the end system matching the entity in CzechIdM. The following actions can be performed in this situation: | ||
+ | * **Create account**: Synchronization calls entity provisioning, | ||
+ | * **Remove entity**: This deletes the entity in CzechIdM and the link to object in connected system. | ||
+ | * **Remove link**: This deletes the link between the entity in CzechIdM and object in connected system. Editing of the entity itself is not done, provisioning is not called. | ||
+ | * **Remove link and appropriate roles**: This removes the links, as in the previous case, however, it also removes the linked identity roles. In other words, it removes the roles which were assigned to the identity by the account. | ||
+ | * **Ignore**: This action does not perform any active operation. | ||
+ | |||
+ | ==== Specific synchronization options ==== | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | You can configure additional synchronization options for specific uses: | ||
+ | * **Default role** - The value can be any role in CzechIdM. This value is used in the case that the synchronization links an existing system account to an existing or a new identity in CzechIdM. If the default role is specified, this role will be assigned to the identity for its main valid contractual relationship. Then the link to the account will be created with the property **Assigned by role** set to the default role. If the default role is empty, the link to the account will be created as well, only without the property " | ||
+ | * The main use-case for this option is **initial linking of accounts during the reconciliation** of a system, where the accounts will be further managed by CzechIdM - e.g. LDAP, AD. The default role will be usually configured for provisioning on this system, see [[tutorial: | ||
+ | * This option is supported in the following actions of the synchronization: | ||
+ | * The role assignment skips an approval process - the corresponding role request will be processed **Without approval**. | ||
+ | * If the identity doesn' | ||
+ | * Note that the role will be assigned to the identity regardless of other role assignments of the identity. So even if the identity already had the same role assigned, the role would be assigned again and the created account' | ||
+ | * **Behavior of the default role for inactive identities** (since 9.3.0): This option is required in the case that a **Default role** (see above) is specified for the synchronization. If the synchronized identity doesn' | ||
+ | * **DO\_NOT\_LINK**: | ||
+ | * **LINK\_PROTECTED**: | ||
+ | * **LINK**: The account will be just linked to the identity without the property " | ||
+ | * **After end, start the automatic role recalculation** - After synchronization correctly ended recalculation of automatic role will be started. | ||
+ | * **Create default contracts for new identities** (since 8.2.0) - If a new identity is created during synchronization, |
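Review bot: a few wording slips in this hunk make the procedure harder to follow and should be fixed before the revision is kept. In the opening paragraph "It the configuration of already set synchronization is to be done" should read "If the configuration of an already set synchronization is to be done"; under the Linked state "Object and Entity has been previously (by synchronization or manually) linked" should read "have been"; and under Missing Entity "creates an entity in CzechIdM and a link it to object in connected system" should read "creates an entity in CzechIdM and links it to the object in the connected system". The "After end, start the automatic role recalculation" bullet would also read more clearly as "After the synchronization ends successfully, the automatic role recalculation is started", and "There are following options in the basic settings" as "The basic settings offer the following options".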