Differences
This shows you the differences between two versions of the page.
Both sides previous revision Previous revision Next revision | Previous revision Next revision Both sides next revision | ||
tutorial:dev:ad_groups_sync_workflow [2019/03/04 14:16] hanakp [Set aplication properties] |
tutorial:dev:ad_groups_sync_workflow [2020/03/25 06:57] kucerar New sync options for using in multiple systems |
||
---|---|---|---|
Line 1: | Line 1: | ||
====== Systems - Groups synchronization workflow ====== | ====== Systems - Groups synchronization workflow ====== | ||
+ | {{tag> | ||
+ | |||
+ | <note important> | ||
This tutorial is intended as a guide to modify workflow for synchronization groups from Active Directory. | This tutorial is intended as a guide to modify workflow for synchronization groups from Active Directory. | ||
Line 10: | Line 13: | ||
* provisioning of membership of identities to another system | * provisioning of membership of identities to another system | ||
* resolve membership - users already have assigned groups in another system | * resolve membership - users already have assigned groups in another system | ||
+ | |||
+ | <note tip>For management of membership there is currently a few special chars, which are unsupported. In name of roles, there cannot be: " ' \</ | ||
Line 48: | Line 53: | ||
With button **Add** you can add any property described bellow and configure workflow. | With button **Add** you can add any property described bellow and configure workflow. | ||
- | * **idm.pub.acc.syncRole.role.canBeRequested** - (true/ | + | * **idm.pub.acc.syncRole.role.canBeRequested** - (true/false, default: |
- | * **idm.pub.acc.syncRole.system.mapping.objectClassName** - this is important to provisioning member attribute of identity. It is an object class name of identity schema. It supposedly can stay as " | + | * **idm.pub.acc.syncRole.role.update.manageCanBeRequested** - (true/ |
- | * **idm.pub.acc.syncRole.system.mapping.attributeMemberOf** - it is the name of an attribute in a mapping of identity provisioning. It is usually memberOf or ldapGroup. This attribute will be added to role's mapping with tramsformation script (which will be set later). - | + | * **idm.pub.acc.syncRole.system.mapping.objectClassName** - (default: \_\_ACCOUNT\_\_) |
- | * **idm.pub.acc.syncRole.system.mapping.attributeRoleIdentificator** - the name of an attribute in the connector, which holds the distinguished name of a role. | + | * **idm.pub.acc.syncRole.system.mapping.attributeMemberOf** |
- | * **idm.pub.acc.syncRole.provisioningOfIdentities.system.code** - it is code (name) of the system, where identities have provisioning. | + | * **idm.pub.acc.syncRole.system.mapping.attributeRoleIdentificator** |
- | * **idm.pub.acc.syncRole.identity.eav.externalIdentifier.code** - code of eav of a distinguished name of identities. it is used in creating entity in the situation of a Missing entity. It is important when groups in AD already have members and some of the identities DNs cannot be calculated again. | + | * **idm.pub.acc.syncRole.provisioningOfIdentities.system.code** |
- | * **idm.pub.acc.syncRole.roleCatalog.ResolveCatalog** - (true/ | + | * **idm.pub.acc.syncRole.identity.eav.externalIdentifier.code** |
- | * **idm.pub.acc.syncRole.update.resolveMembership** - (true/ | + | * **idm.pub.acc.syncRole.roleCatalog.ResolveCatalog** - (true/false, default: true) - This property will disable creating of catalogue. |
- | * **idm.pub.acc.syncRole.roles.allToOneCatalog** - Add name of catalog. all roles will be added to this ' | + | * **idm.pub.acc.syncRole.update.resolveMembership** - (true/false, default: |
- | * **idm.pub.acc.syncRole.roles.attributeNameOfMembership** - Default value 'member', | + | * **idm.pub.acc.syncRole.roles.allToOneCatalog** |
- | + | * **idm.pub.acc.syncRole.roles.attributeNameOfMembership** - (default: | |
+ | * **idm.pub.acc.syncRole.roleCatalog.catalogueTreeInOneCatalog** - (default: null) - if creating of catalog like DN is enabled, this property will create tree of catalogues under root catalog. Name of this root catalog set in this property. Catalogue folder have to and will be created in workflow process. If this property will be changed, new catalog folder will be created. Name of catalogues can be changed in IdM. | ||
+ | * **idm.pub.acc.syncRole.roleSystem.forwardManagement.value** - (default: false) - When role is created with connected system and it manages membership. In this case there is option ' | ||
+ | * **idm.pub.acc.syncRole.roleSystem.update.manageforwardManagement** - (default: false) - This property will manage ' | ||
+ | * **idm.pub.acc.syncRole.roles.nameOfRoles.doNotSentValueOnExclusion** - (default: null) - On role create with connected system and system attribute, there is option, this attribute will be skipped on excluded contract. Add to this property names of roles separeted with comma. (does not work with roles, which has comma in name) | ||
+ | * **idm.pub.acc.syncRole.roles.update.nameOfRoles.manageSentValueOnExclusion** - (default: false) - This property will manage skip of attribute option even on update roles. | ||
+ | * **idm.pub.acc.syncRole.roles.create.priorityOfRoles** - (default: null, values: 1,2,3,4) - This property will set priority of roles, on this autorization workflow will be changed. **Only on create.** | ||
+ | * **idm.pub.acc.syncRole.roles.create.garanteeOfRoles** - (default: null) - Fiil in name of role, which will become garantee of all Ldap/AD roles. **Only on create.** | ||
+ | Since Extras version 1.8.0 you can use two new options which will help with following use case: I have more then 1 AD system connected as group source. Now the workflow has " | ||
+ | This changes are backward compatible because if you don't set these new properties the WF behavior is same as in previous version. | ||
+ | If you set this property then the new behavior will be turned on. | ||
+ | * **idm.pub.acc.syncRole.roles.catalogByCodeList** - UUID of code list for catalogs for each system. Item in code list has UUID of source system and as value they have code of role catalog | ||
+ | * **idm.pub.acc.syncRole.provisioningOfIdentities.codeList** - UUID of code list for mapped sysmtes for each system. Item in code list has UUID value of AD group system which is used for synchronization and as value UUID of AD system which is used for user provisioning | ||
===== Set attributes activity ===== | ===== Set attributes activity ===== | ||
This activity is to get some attributes from icAttributes as name and distinguished name. You can get another if they will be needed in the following activities. | This activity is to get some attributes from icAttributes as name and distinguished name. You can get another if they will be needed in the following activities. |