Differences
This shows you the differences between two versions of the page.
Both sides previous revision Previous revision Next revision | Previous revision | ||
tutorial:dev:ad_groups_sync_workflow [2018/12/20 15:30] stloukalp |
tutorial:dev:ad_groups_sync_workflow [2021/03/11 21:05] (current) apeterova more info and typos |
||
---|---|---|---|
Line 1: | Line 1: | ||
+ | ====== Systems - Groups synchronization workflow ====== | ||
+ | {{tag> | ||
+ | <note important> | ||
+ | |||
+ | This tutorial is intended as a guide to modify workflow for synchronization groups from Active Directory. | ||
+ | After modifying this workflow, synchronization of groups can: | ||
+ | * create automatic roles by: | ||
+ | * organization structure | ||
+ | * attributes | ||
+ | * create role catalog | ||
+ | * roles assigned to catalog | ||
+ | * provisioning of membership of identities to another system | ||
+ | * resolve membership - users already have assigned groups in another system | ||
+ | |||
+ | <note tip>For management of membership there is currently a few special chars, which are unsupported. In name of roles, there cannot be: " ' \</ | ||
+ | |||
+ | |||
+ | ===== Before you start ===== | ||
+ | In this tutorial we will be using Eclipse and Activiti framework. | ||
+ | |||
+ | ===== Workflow ===== | ||
+ | For synchronization groups from AD, we have prepared workflow [[https:// | ||
+ | |||
+ | The workflow has modified these actions: | ||
+ | * Linked/ | ||
+ | * Missing entity/ | ||
+ | * Unlinked/ | ||
+ | |||
+ | Workflow is divided into 9 activities, but only the first four activities are mainly to be modified. | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | ===== Data Objects ===== | ||
+ | First of all is crucial to set data objects in **Data Objects** tab. | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | * STRUCTURE\_FORM\_ATTRIBUTE - code of eav of organization tree node. It is used to add an automatic role by organization structure. And every organization structure should have an eav with some value to determine, which role will have an automatic role on which tree node. | ||
+ | * CODE\_OF\_TYPE\_STRUCTURE - code of structure, this define which organization tree will be used for searching/ | ||
+ | |||
+ | * AUTO\_ROLE\_ORG\_STRUCTURE\_ENABLED - if false, automatic roles by attribute methods are skipped. | ||
+ | * AUTO\_ROLE\_ATTRIBUTES\_ENABLED - if false, automatic roles by organization structure methods are skipped. | ||
+ | |||
+ | ===== Set aplication properties ===== | ||
+ | Workflow was updated and now you can just add properties to application and you do not have to anyhow change workflow file. Application property are specified in **Settings** agenda in **Configuration** tab (like you can see on picture bellow). | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | With button **Add** you can add any property described below and configure workflow. | ||
+ | |||
+ | Following properties are used, when the workflow is used for creating roles that manage group membership of accounts in a connected system: | ||
+ | * **idm.pub.acc.syncRole.provisioningOfIdentities.system.code** - (default: null, _**mandatory**_) - it is code (name) of the system, which is used for provisioning the identities to the system. E.g. "AD users" | ||
+ | * **idm.pub.acc.syncRole.system.mapping.objectClassName** - (default: \_\_ACCOUNT\_\_) - this is important to provisioning member attribute of identity. It is an object class name of identity schema. It should stay " | ||
+ | * **idm.pub.acc.syncRole.system.mapping.attributeMemberOf** - (default: ldapGroups) - it is the name of an attribute in a mapping of identity provisioning. It is usually ldapGroups (recommended) or memberOf. This attribute will be added to role's mapping with transformation script (which will be set later). | ||
+ | * **idm.pub.acc.syncRole.system.mapping.attributeRoleIdentificator** - (default: distinguishedName) - the name of an attribute in the connector, which holds the distinguished name of a role object. | ||
+ | |||
+ | Managing group membership of account - more special options for the roles: | ||
+ | * **idm.pub.acc.syncRole.roleSystem.forwardManagement.value** - (default: false) - every role, which manages group membership on the connected system, has the option [[devel: | ||
+ | * **idm.pub.acc.syncRole.roleSystem.update.manageforwardManagement** - (default: false) - this property will manage [[devel: | ||
+ | * **idm.pub.acc.syncRole.roles.nameOfRoles.doNotSentValueOnExclusion** - (default: null) - every role, which manages group membership on the connected system, has the option to [[devel: | ||
+ | * **idm.pub.acc.syncRole.roles.update.nameOfRoles.manageSentValueOnExclusion** - (default: false) - this property will set the option [[devel: | ||
+ | |||
+ | The workflow enables loading group membership from the system. That means, if the group in AD have some members and you want to assign roles to identities IdM based on that, you can use this workflow to do it. Typically, you would do it only as an **initial** loading. Necessary properties: | ||
+ | * **idm.pub.acc.syncRole.identity.eav.externalIdentifier.code** - (default: null, _**mandatory for resolving group membership**_) - code of EAV with a distinguished name of identities. It is used when creating a new role for a new group, or when loading group membership for existing roles. All identities managed by IdM in AD have to have the EAV containing their current **distinguishedName**, | ||
+ | * **idm.pub.acc.syncRole.update.resolveMembership** - (true/ | ||
+ | * **idm.pub.acc.syncRole.roles.attributeNameOfMembership** - (default: member) - it is name of attribute of role in source system, which holds identificators of identities. The default value is typical for AD. | ||
+ | |||
+ | Settings of the created role - properties connected to the requesting of roles and the role approval: | ||
+ | * **idm.pub.acc.syncRole.role.canBeRequested** - (true/ | ||
+ | * **idm.pub.acc.syncRole.role.update.manageCanBeRequested** - (true/ | ||
+ | * **idm.pub.acc.syncRole.roles.create.priorityOfRoles** - (default: null, values: 1,2,3,4) - this property will set criticality (priority) of roles, which affects the [[tutorial: | ||
+ | * **idm.pub.acc.syncRole.roles.create.garanteeOfRoles** - (default: null) - fill in name of role, which will become the Role authorizer of all created roles. **Only on create.** | ||
+ | |||
+ | The workflow can create the folders in the role catalogue. It can be either one folder, or the tree structure of folders based on the DNs of the roles: | ||
+ | * **idm.pub.acc.syncRole.roleCatalog.ResolveCatalog** - (true/ | ||
+ | * **idm.pub.acc.syncRole.roles.allToOneCatalog** - (default: null) - use this property, if you want to add all roles in one folder. Set the name of the folder to this property. If a folder with the same code already exists, the workflow will create a new one (it won't reuse already existing folder). | ||
+ | * **idm.pub.acc.syncRole.roleCatalog.catalogueTreeInOneCatalog** - (default: null) - use this property, if you want to create and add roles in a tree structure of folders. Set the name of the root folder to this property. The workflow will create a tree of folders under this root folder. If this property will be changed, new catalog folder will be created. Name of folders in the role catalogue can be changed in IdM. | ||
+ | |||
+ | |||
+ | Since Extras version 1.8.0 you can use two new options which will help with following use case: I have more then 1 AD system connected as group source. Now the workflow has " | ||
+ | This changes are backward compatible because if you don't set these new properties the WF behavior is same as in previous version. | ||
+ | If you set this property then the new behavior will be turned on. | ||
+ | * **idm.pub.acc.syncRole.roles.catalogByCodeList** - UUID of code list for catalogs for each system. Item in code list has UUID of source system and as value they have code of role catalog | ||
+ | * **idm.pub.acc.syncRole.provisioningOfIdentities.codeList** - UUID of code list for mapped sysmtes for each system. Item in code list has UUID value of AD group system which is used for synchronization and as value UUID of AD system which is used for user provisioning | ||
+ | ===== Set attributes activity ===== | ||
+ | This activity is to get some attributes from icAttributes as name and distinguished name. You can get another if they will be needed in the following activities. | ||
+ | And also there is setted attribute: | ||
+ | |||
+ | < | ||
+ | |||
+ | value of this attribute will be used as transformation script. (It will be used for provisioning of member attribute of identities). | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | ===== Set automatic role by org structure ===== | ||
+ | In this script, it is crucial to determine for a role to find tree node (organization) to create an automatic role by organization structure and set it to a variable like: | ||
+ | |||
+ | < | ||
+ | |||
+ | This script can be just slightly changed to work perfectly fine. In the default state, it is searching for a tree node, which has a name of the role in eav. In a previous activity, we can get even another attribute and with substring, it should be enough. | ||
+ | |||
+ | ===== Set automatic role by attributes ===== | ||
+ | This part is to create attributes for an automatic role. There can be more attributes, but only for identity/ | ||
+ | You should create attributes (by default algorithm) put them into the field and lastly into " | ||
+ | |||
+ | ===== Resolve catalogue ===== | ||
+ | This part is about Roles catalog. There are two methods. The first method creates catalog based on the Distinguished name of the role. The rightmost value of OU is a root of the catalog and then other OUs from the right are represented as folders and roles are assigned in the leftmost OU/catalog. | ||
+ | |||
+ | The other method is for removing folders of a catalog, if a role is transferred to another catalog, find the old one and set it in " | ||
+ | |||
+ | <note tip> | ||
+ | This should be all, but if you made bigger changes in methods you should probably test your new workflow. | ||
+ | After modifying the workflow, don't forget to update this workflow in IdM.</ |