Differences
This shows you the differences between two versions of the page.
tutorial:dev:ad_groups_sync_workflow [2019/12/10 12:24] stloukalp [Set aplication properties] |
tutorial:dev:ad_groups_sync_workflow [2021/03/11 20:50] apeterova reorganization and specification of the properties |
Line 48: | Line 48: | ||
===== Set aplication properties ===== | ===== Set aplication properties ===== | ||
- | Workflow was updated and now you can just add properties to aplication | + | Workflow was updated and now you can just add properties to application |
{{ : | {{ : | ||
- | With button **Add** you can add any property described | + | With button **Add** you can add any property described |
+ | |||
+ | Following properties are used, when the workflow is used for creating roles that manage group membership of accounts in a connected system: | ||
+ | * **idm.pub.acc.syncRole.provisioningOfIdentities.system.code** - (default: null, _**mandatory**_) - it is code (name) of the system, which is used for provisioning the identities to the system. E.g. "AD users" | ||
+ | * **idm.pub.acc.syncRole.system.mapping.objectClassName** - (default: \_\_ACCOUNT\_\_) this is important to provisioning member attribute of identity. It is an object class name of identity schema. It should stay " | ||
+ | * **idm.pub.acc.syncRole.system.mapping.attributeMemberOf** - (default: ldapGroups) - it is the name of an attribute in a mapping of identity provisioning. It is usually ldapGroups (recommended) or memberOf. This attribute will be added to role's mapping with transformation script (which will be set later). | ||
+ | * **idm.pub.acc.syncRole.system.mapping.attributeRoleIdentificator** - (default: distinguishedName) - the name of an attribute in the connector, which holds the distinguished name of a role object. | ||
+ | |||
+ | Managing group membership of account - more special options for the roles: | ||
+ | * **idm.pub.acc.syncRole.roleSystem.forwardManagement.value** - (default: false) - every role, which manages group membership on the connected system, has the option [[devel: | ||
+ | * **idm.pub.acc.syncRole.roleSystem.update.manageforwardManagement** - (default: false) - This property will manage [[devel: | ||
+ | * **idm.pub.acc.syncRole.roles.nameOfRoles.doNotSentValueOnExclusion** - (default: null) - every role, which manages group membership on the connected system, has the option to [[devel: | ||
+ | * **idm.pub.acc.syncRole.roles.update.nameOfRoles.manageSentValueOnExclusion** - (default: false) - This property will set the property [[devel: | ||
+ | |||
+ | The workflow enables loading group membership from the system. That means, if the group in AD have some members and you want to assign roles to identities IdM based on that, you can use this workflow to do it. Typically, you would do it only as an **initial** loading. Necessary properties: | ||
+ | * **idm.pub.acc.syncRole.identity.eav.externalIdentifier.code** - (default: null, _**mandatory for resolving group membership**_) - code of EAV with a distinguished name of identities. It is used when creating a new role for a new group, or when loading group membership for existing roles. All identities managed by IdM in AD have to have the EAV containing their current **distinguishedName**, | ||
+ | * **idm.pub.acc.syncRole.update.resolveMembership** - (true/ | ||
+ | * **idm.pub.acc.syncRole.roles.attributeNameOfMembership** - (default: member) - it is name of attribute of role in source system, which holds identificators of identities | ||
+ | |||
+ | Settings of the created role - properties connected to the requesting of roles and role approval: | ||
* **idm.pub.acc.syncRole.role.canBeRequested** - (true/ | * **idm.pub.acc.syncRole.role.canBeRequested** - (true/ | ||
* **idm.pub.acc.syncRole.role.update.manageCanBeRequested** - (true/ | * **idm.pub.acc.syncRole.role.update.manageCanBeRequested** - (true/ | ||
- | * **idm.pub.acc.syncRole.system.mapping.objectClassName** - (default: | + | * **idm.pub.acc.syncRole.roles.create.priorityOfRoles** - (default: |
- | * **idm.pub.acc.syncRole.system.mapping.attributeMemberOf** - (default: ldapGroups) - it is the name of an attribute in a mapping of identity provisioning. It is usually memberOf or ldapGroup. | + | * **idm.pub.acc.syncRole.roles.create.garanteeOfRoles** - (default: null) - Fill in name of role, which will become the Role authorizer of all Ldap/AD roles. **Only on create.** |
- | | + | |
- | * **idm.pub.acc.syncRole.provisioningOfIdentities.system.code** - (default: null, _**mandatory**_) - it is code (name) of the system, where identities have provisioning.It is now mandatory attribute, otherwise workflow | + | The workflow can create the folders |
- | | + | * **idm.pub.acc.syncRole.roleCatalog.ResolveCatalog** - (true/ |
- | * **idm.pub.acc.syncRole.roleCatalog.ResolveCatalog** - (true/ | + | * **idm.pub.acc.syncRole.roles.allToOneCatalog** - (default: null) - Use this property, if you want to add all roles in one folder. Set the name of the folder to this property. If a folder with the same code already exists, the workflow |
- | * **idm.pub.acc.syncRole.update.resolveMembership** - (true/false, default: false) - With this property | + | * **idm.pub.acc.syncRole.roleCatalog.catalogueTreeInOneCatalog** - (default: null) - Use this property, |
- | * **idm.pub.acc.syncRole.roles.allToOneCatalog** - (default: null) - Add name of catalog. all roles will be added to this ' | + | |
- | * **idm.pub.acc.syncRole.roles.attributeNameOfMembership** - (default: member) - it is name of attribute of role in source system, which holds identificators of identities | + | |
- | * **idm.pub.acc.syncRole.roleCatalog.catalogueTreeInOneCatalog** - (default: null) - if creating | + | |
- | * **idm.pub.acc.syncRole.roleSystem.forwardManagement.value** - (default: false) - When role is created with connected system and it manages membership. In this case there is option ' | + | |
- | * **idm.pub.acc.syncRole.roleSystem.update.manageforwardManagement** - (default: false) - This property will manage ' | + | |
- | * **idm.pub.acc.syncRole.roles.nameOfRoles.doNotSentValueOnExclusion** - (default: null) - On role create with connected system and system attribute, there is option, this attribute will be skipped on excluded contract. Add to this property names of roles separeted with comma. (does not work with roles, which has comma in name) | + | |
- | * **idm.pub.acc.syncRole.roles.update.nameOfRoles.manageSentValueOnExclusion** - (default: false) - This property will manage skip of attribute option even on update roles. | + | |
- | * **idm.pub.acc.syncRole.roles.create.priorityOfRoles** - (default: null) - This property will set priority of roles, on this autorization workflow will be changed. **Only on create.** | + | |
- | * **idm.pub.acc.syncRole.roles.create.garanteeOfRoles** - (default: null) - This option will set role garantee of all Ldap roles. **Only on create.** | + | |
+ | Since Extras version 1.8.0 you can use two new options which will help with following use case: I have more then 1 AD system connected as group source. Now the workflow has " | ||
+ | This changes are backward compatible because if you don't set these new properties the WF behavior is same as in previous version. | ||
+ | If you set this property then the new behavior will be turned on. | ||
+ | * **idm.pub.acc.syncRole.roles.catalogByCodeList** - UUID of code list for catalogs for each system. Item in code list has UUID of source system and as value they have code of role catalog | ||
+ | * **idm.pub.acc.syncRole.provisioningOfIdentities.codeList** - UUID of code list for mapped sysmtes for each system. Item in code list has UUID value of AD group system which is used for synchronization and as value UUID of AD system which is used for user provisioning | ||
===== Set attributes activity ===== | ===== Set attributes activity ===== | ||
This activity is to get some attributes from icAttributes as name and distinguished name. You can get another if they will be needed in the following activities. | This activity is to get some attributes from icAttributes as name and distinguished name. You can get another if they will be needed in the following activities. |
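Review bot: the property `idm.pub.acc.syncRole.identity.eav.externalIdentifier.code` is now marked "mandatory for resolving group membership" with default null, while `idm.pub.acc.syncRole.update.resolveMembership` keeps its default of false; the new "Necessary properties" block should state what the workflow does when resolveMembership is enabled but the EAV code is left unset (abort the run, or skip membership resolution), since an administrator enabling the initial load will hit exactly that combination. The old description of `idm.pub.acc.syncRole.roles.nameOfRoles.doNotSentValueOnExclusion` carried the caveat "does not work with roles, which has comma in name"; the reorganised description is truncated here, so confirm that the comma caveat survived the move. Wording: the heading "Set aplication properties" keeps its typo on both sides even though the body line was fixed to "application"; in the "Since Extras version 1.8.0" paragraph, "more then 1 AD system" should read "more than 1 AD system", "This changes are" should read "These changes are", and "mapped sysmtes" in the `provisioningOfIdentities.codeList` item should read "mapped systems".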