Differences

This shows you the differences between two versions of the page.

tutorial:adm:systems [2019/05/16 11:09] tomiskar | tutorial:adm:systems [2024/08/12 10:06] (current) cem
Line 3: Line 3:
 System connection configuration is initiated in the menu tab **Systems**. Above the list of current systems there is a button **Add**. System connection configuration is initiated in the menu tab **Systems**. Above the list of current systems there is a button **Add**.
  
-{{ :devel:adm:system_list.png?600 | System list}}+ 
 +{{ :tutorial:adm:system_table.png?700 | System list}} 
  
 ===== Basic information ===== ===== Basic information =====
  
 Click on it to connect new system. On the new system page one must provide some basic information: Click on it to connect new system. On the new system page one must provide some basic information:
- +{{ :tutorial:adm:system_detail.png?700 | Connecting a new system}}
-{{ :tutorial:adm:new-system.png?600 | Connecting a new system}}+
  
   * **System name** - naming of your choice   * **System name** - naming of your choice
   * **Use remote connector server** - Connectors are means of interface between CzechIdM and other systems. Connectors run in a connector server. A local server provided by CzechIdM directly is usually used. So this checkbox will be usually unticked. There are some exceptions for specific connectors that must run remotely. For example connectors which call commands locally on the connected system server and therefore must be placed there. Exchange connector, for instance, uses calling of PowerShell commands directly on a domain controller server in an AD domain.   * **Use remote connector server** - Connectors are means of interface between CzechIdM and other systems. Connectors run in a connector server. A local server provided by CzechIdM directly is usually used. So this checkbox will be usually unticked. There are some exceptions for specific connectors that must run remotely. For example connectors which call commands locally on the connected system server and therefore must be placed there. Exchange connector, for instance, uses calling of PowerShell commands directly on a domain controller server in an AD domain.
   * **Password policy** for validation and generation - [[.:password_policy|see the chapter]] about password policies.   * **Password policy** for validation and generation - [[.:password_policy|see the chapter]] about password policies.
 +  * **Lower criticality of password policy for validation by role** - If this checkbox is selected, the password validation will use the criticality level defined for the role instead of the system policy.
 +  * **Lower criticality of password policy for generating by role** - If this checkbox is selected, the password generation will use the criticality level defined for the role instead of the system policy.
   * **Description** – an optional description of the system. It is customary to describe the purpose of the connected system, for example: “HR system – loading of job positions and departments”.   * **Description** – an optional description of the system. It is customary to describe the purpose of the connected system, for example: “HR system – loading of job positions and departments”.
-  * **Virtual** - some systems can be managed via user tasks instead of direct communication. See the chapter about [[.:modules:virtual_systems|virtual systems]]. 
-  * **Asynchronous provisioning** - if the provisioning is asynchronous for the system, all the data is stored in the queue and managed by appropriate scheduled task. [[devel:adm:scheduled_tasks|Long running task]] ProvisioningQueueTaskExecutor operates above the queue periodically and starts CREATED provisioning operation processing. Make sure you have **ProvisioningQueueTaskExecutor** configured, if you have some target system switched to use asynchronous provisioning. This is recommended option, since it significantly improves responsiveness of the application. 
   * **State** –  system states other than active:   * **State** –  system states other than active:
     * **Readonly** - **with** provisioning queue – Systems marked in this way allow data reading only and are either source systems in CzechIdM or systems which are controlled but provisioning of data to them is intentionally prohibited for some time. In the latter case, all provisioned data is sent to the provisioning queue. The provisioning queue and history is displayed by: Systems -> system detail (magnifying glass) -> Provisioning. See the chapter [[.:audit|Audit]].     * **Readonly** - **with** provisioning queue – Systems marked in this way allow data reading only and are either source systems in CzechIdM or systems which are controlled but provisioning of data to them is intentionally prohibited for some time. In the latter case, all provisioned data is sent to the provisioning queue. The provisioning queue and history is displayed by: Systems -> system detail (magnifying glass) -> Provisioning. See the chapter [[.:audit|Audit]].
Line 22: Line 23:
     * **Inactive** - **with** provisioning queue - Inactive systems do not allow even reading operations. If provisioning to such a system is to take place, then the operations end up in a queue as in the case of Readonly systems.     * **Inactive** - **with** provisioning queue - Inactive systems do not allow even reading operations. If provisioning to such a system is to take place, then the operations end up in a queue as in the case of Readonly systems.
     * **Inactive** - **without** provisioning queue - Inactive systems do not allow even reading operations. Provisioning operations are not saved into queue, cannot be executed again. IdM account is created only (uid attribute only).     * **Inactive** - **without** provisioning queue - Inactive systems do not allow even reading operations. Provisioning operations are not saved into queue, cannot be executed again. IdM account is created only (uid attribute only).
 +  * **Asynchronous provisioning** - if the provisioning is asynchronous for the system, all the data is stored in the queue and managed by appropriate scheduled task. [[devel:adm:scheduled_tasks|Long running task]] ProvisioningQueueTaskExecutor operates above the queue periodically and starts CREATED provisioning operation processing. Make sure you have **ProvisioningQueueTaskExecutor** configured, if you have some target system switched to use asynchronous provisioning. This is recommended option, since it significantly improves responsiveness of the application.
 +  * **Block operations** - Block (create, edit or delete) operation will block checked operation.
 <note important> Attribute values of Inactive systems with provisioning queue is available **are** calculated in the provisioning log.</note> <note important> Attribute values of Inactive systems with provisioning queue is available **are** calculated in the provisioning log.</note>
 ===== Configuration ===== ===== Configuration =====
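Review bot: The **Virtual** bullet (with its link to [[.:modules:virtual_systems|virtual systems]]) is dropped from the basic-information list and does not reappear anywhere in this revision, unlike **Asynchronous provisioning**, which is only moved below the state list; if virtual systems are still configured on the system form, keep the bullet, otherwise say where the option went. Two of the new bullets also need tightening: "**Block operations** - Block (create, edit or delete) operation will block checked operation." is circular, something like "ticking create, edit or delete blocks that provisioning operation for this system" says what the checkbox does, and the two **Lower criticality of password policy ... by role** bullets should say where the role's criticality level is defined and link to [[.:password_policy|the password policy chapter]], because switching validation or generation from the system policy to a role-defined level changes which password rules are actually enforced for that system. The unchanged note "Attribute values of Inactive systems with provisioning queue is available **are** calculated in the provisioning log" is still ungrammatical and would be worth fixing while this page is being edited.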
Line 64: Line 67:
   * java.lang.String   * java.lang.String
   * java.lang.Integer   * java.lang.Integer
 +
 +All allowed types based on connid FrameworkUtil
 +  * String.class
 +  * Long.class
 +  * Character.class
 +  * Double.class
 +  * Float.class
 +  * Integer.class
 +  * Boolean.class
 +  * Byte.class
 +  * byte[].class
 +  * BigDecimal.class
 +  * BigInteger.class
 +  * Map.class
 +
  
 {{ :devel:adm:attribute_detail.png?600 | Attribute detail}} {{ :devel:adm:attribute_detail.png?600 | Attribute detail}}
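Review bot: The new "All allowed types based on connid FrameworkUtil" list uses a second notation (`String.class`, `byte[].class`) next to the fully qualified `java.lang.String` / `java.lang.Integer` entries just above it and does not say how the two lists relate; merge them into one list in one notation, write the project name as ConnId, and end the lead-in sentence with a colon. The list also omits GuardedString, although the **Attribute with password** option added later in this same revision says transformations receive and must return a GuardedString; check the list against FrameworkUtil and add the guarded types if they are accepted for schema attributes, since the password attribute depends on one of them.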
Line 99: Line 117:
 Click on the Add button to create a new attribute in current mapping.  Click on the Add button to create a new attribute in current mapping. 
  
-{{ :devel:adm:attribute_mapping_detail_part2.png?600 | Detail of attribute in the attributes mapping }}+{{ :tutorial:adm:screenshot_2024-08-12_at_11.33.23.png?900 | Detail of attribute in the attributes mapping }}
  
 These options can be filled: These options can be filled:
   * **Disabled** - If the attribute is disabled in mapping, it is not provisioned or synchronized.   * **Disabled** - If the attribute is disabled in mapping, it is not provisioned or synchronized.
-  * **Attribute in scheme** - attributes from the connected system available in the current scheme.+  * **Attribute in schema** - attributes from the connected system available in the current scheme
 +  * **Identifier** - Attribute is unique identifier of this object. 
 +  * **Entity attribute** - Attribute is part of entity. 
 +  * **Extended attribute** - Attribute isn't part of entity and his value and name is stored in EAV attributes.
   * **Name** - Unique system identifier, this value is used in select boxes and in entities info   * **Name** - Unique system identifier, this value is used in select boxes and in entities info
   * **Strategy** - defines the strategy for the provisioning or synchronization. Available values:   * **Strategy** - defines the strategy for the provisioning or synchronization. Available values:
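Review bot: The relabelled **Attribute in schema** bullet still describes "the current scheme" and lost its trailing period, so the rename is only half done; use "schema" in both places. The three bullets moved up from the other-options list keep their original grammar problems: "Attribute isn't part of entity and his value and name is stored in EAV attributes." should read "The attribute is not part of the entity; its value and name are stored in EAV attributes.", and "Attribute is unique identifier of this object." / "Attribute is part of entity." want articles ("The attribute is the unique identifier of this object.", "The attribute is part of the entity.").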
Line 117: Line 138:
  
 Other options of the mapped attribute are: Other options of the mapped attribute are:
-  * **Always sent** -  Send this attribute to system always even if value isn't change (transformation rules is applied).+  * **Send always** -  Send this attribute to system always even if value isn't change (transformation rules is applied).
   * **Send IdM value only if its not null** - Send this attribute only if value after transformation will not be null.   * **Send IdM value only if its not null** - Send this attribute only if value after transformation will not be null.
-  * **Identifier** - Attribute is unique identifier of this object. 
-  * **Entity attribute** - Attribute is part of entity. 
-  * **Extended attribute** - Attribute isn't part of entity and his value and name is stored in EAV attributes. 
   * **Confidential attribute** - Attribute value will be stored in confidential storage.   * **Confidential attribute** - Attribute value will be stored in confidential storage.
   * **Authentication attribute** - With this attribute will be do authentication to end system (for example: username)   * **Authentication attribute** - With this attribute will be do authentication to end system (for example: username)
   * **Include on password change** - Include this attribute when is provisioning password (reset, cahnge, create new)   * **Include on password change** - Include this attribute when is provisioning password (reset, cahnge, create new)
 +  * **Include only when criticality is changed to stronger** - The value of the attribute will only be sent to the target system when the aggregated password policy criticality is changed to stronger one. It will not be used in standard provisioning. 
 +  * **Include only when criticality is changed to weaker** - The value of the attribute will only be sent to the target system when the aggregated password policy criticality is changed to weaker one. It will not be used in standard provisioning. 
 +  * **Attribute with password** - Attribute will contain value of password. The attribute can't be override by role mapping. Into transformation will be add password in object GuardedString. Script must return null, or GuardedString.
  
 {{ :devel:adm:attribute_mapping_detail_part1.png?600 | Detail of attribute in the attributes mapping - transformations }} {{ :devel:adm:attribute_mapping_detail_part1.png?600 | Detail of attribute in the attributes mapping - transformations }}
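Review bot: The new **Attribute with password** bullet needs rewording and one explicit statement: "The attribute can't be override by role mapping. Into transformation will be add password in object GuardedString. Script must return null, or GuardedString." should read "The attribute cannot be overridden by role mapping. The password is passed to the transformation as a GuardedString, and the script must return either null or a GuardedString." Because the transformation script handles the password value, say plainly that returning it as a plain String is not accepted, so script authors do not unwrap the GuardedString in the transformation. The two **Include only when criticality is changed to stronger/weaker** bullets introduce "aggregated password policy criticality" without defining it; link to [[.:password_policy|the password policy chapter]] or state where the aggregated level comes from. While here, the unchanged **Include on password change** line still carries the typo "cahnge".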
  • by tomiskar