Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
tutorial:adm:synchronization [2018/11/15 11:22]
svandav [Specific synchronization options]
tutorial:adm:synchronization [2018/11/15 11:24] (current)
svandav [Specific synchronization options]
Line 60: Line 60:
     * **DO\_NOT\_LINK**:​ The account won't be linked and the identity won't be updated or created at all. The result of processing this item is **Ignore**. Typically, you will use this option when you connect a system to IdM in which you expect some old unwanted accounts, and you don't want to manage them anymore.     * **DO\_NOT\_LINK**:​ The account won't be linked and the identity won't be updated or created at all. The result of processing this item is **Ignore**. Typically, you will use this option when you connect a system to IdM in which you expect some old unwanted accounts, and you don't want to manage them anymore.
     * **LINK\_PROTECTED**:​ The account will be linked to the identity without the property "​Assigned by role", but it will be put into the [[devel:​documentation:​accounts#​protected_state_of_accounts|protected state]]. The length of the protection is based on the last expired contract of the identity and the **Length of protection interval** configured in the provisioning mapping for this system. Note that this can be in the past if you have a short protection interval, so the account can be deleted as soon as the task for deleting expired accounts ([[devel:​documentation:​application_configuration:​dev:​scheduled_tasks:​task-scheduler#​accountprotectionexpirationtaskexecutor|AccountProtectionExpirationTaskExecutor]]) starts. If the identity doesn'​t have any expired contract (it has no contracts, or only future contracts), the current date is used as the start of the protection. Typically, you will use this option if you connect a system to IdM in which you intentionally keep old accounts, and you want to have some control over these accounts by IdM (e.g. if the original owner got a new valid contract, the original account should be reused). This option requires an existing [[tutorial:​adm:​systems#​attributes_mapping|provisioning mapping]] with **Account protection** enabled, otherwise the synchronization wouldn'​t start.     * **LINK\_PROTECTED**:​ The account will be linked to the identity without the property "​Assigned by role", but it will be put into the [[devel:​documentation:​accounts#​protected_state_of_accounts|protected state]]. The length of the protection is based on the last expired contract of the identity and the **Length of protection interval** configured in the provisioning mapping for this system. Note that this can be in the past if you have a short protection interval, so the account can be deleted as soon as the task for deleting expired accounts ([[devel:​documentation:​application_configuration:​dev:​scheduled_tasks:​task-scheduler#​accountprotectionexpirationtaskexecutor|AccountProtectionExpirationTaskExecutor]]) starts. If the identity doesn'​t have any expired contract (it has no contracts, or only future contracts), the current date is used as the start of the protection. Typically, you will use this option if you connect a system to IdM in which you intentionally keep old accounts, and you want to have some control over these accounts by IdM (e.g. if the original owner got a new valid contract, the original account should be reused). This option requires an existing [[tutorial:​adm:​systems#​attributes_mapping|provisioning mapping]] with **Account protection** enabled, otherwise the synchronization wouldn'​t start.
-    * **LINK**: The account will be just linked to the identity without the property "​Assigned by role". The result of processing this item is **Warning**,​ because such account is not managed by role assignment - it will exist as long as the corresponding identity exists regardless of its (in)activity. This option is for backward compatibility mainly, because such was the behavior in the versions < 9.2.3.+    * **LINK**: The account will be just linked to the identity without the property "​Assigned by role". The result of processing this item is **Warning**,​ because such account is not managed by role assignment - it will exist as long as the corresponding identity exists regardless of its (in)activity. This option is for backward compatibility mainly, because such was the behavior in the versions < 9.3.0.
   * **After end, start the automatic role recalculation** - After synchronization correctly ended recalculation of automatic role will be started. ​   * **After end, start the automatic role recalculation** - After synchronization correctly ended recalculation of automatic role will be started. ​
   * **Create default contracts for new identities** (since 8.2.0) - If a new identity is created during synchronization,​ a default contract will be created for the identity. To use this feature, you must also enable creating default contracts in the [[devel:​documentation:​application_configuration:​dev:​backend#​identity|application configuration]] (''​idm.pub.core.identity.create.defaultContract.enabled=true''​). Note that default contracts weren'​t created in the versions 7.6 - 8.1.x.   * **Create default contracts for new identities** (since 8.2.0) - If a new identity is created during synchronization,​ a default contract will be created for the identity. To use this feature, you must also enable creating default contracts in the [[devel:​documentation:​application_configuration:​dev:​backend#​identity|application configuration]] (''​idm.pub.core.identity.create.defaultContract.enabled=true''​). Note that default contracts weren'​t created in the versions 7.6 - 8.1.x.