Differences
This shows you the differences between two versions of the page.
tutorial:dev:ad_groups_sync_workflow [2019/03/04 14:16] hanakp [Set aplication properties] |
tutorial:dev:ad_groups_sync_workflow [2021/03/11 21:05] (current) apeterova more info and typos |
Line 1: | Line 1: | ||
====== Systems - Groups synchronization workflow ====== | ====== Systems - Groups synchronization workflow ====== | ||
+ | {{tag> | ||
+ | |||
+ | <note important> | ||
This tutorial is intended as a guide to modify workflow for synchronization groups from Active Directory. | This tutorial is intended as a guide to modify workflow for synchronization groups from Active Directory. | ||
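Review bot: the intro sentence kept unchanged in both columns, "This tutorial is intended as a guide to modify workflow for synchronization groups from Active Directory.", is awkward; suggest "This tutorial is a guide to modifying the workflow that synchronizes groups from Active Directory." The new `<note important>` block in the right column carries no visible text in this hunk, so make sure it states what the reader must know before editing the workflow (for example, which IdM and Extras versions the property names below apply to).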
Line 10: | Line 13: | ||
* provisioning of membership of identities to another system | * provisioning of membership of identities to another system | ||
* resolve membership - users already have assigned groups in another system | * resolve membership - users already have assigned groups in another system | ||
+ | |||
+ | <note tip>For management of membership there is currently a few special chars, which are unsupported. In name of roles, there cannot be: " ' \</ | ||
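Review bot: the new tip lists the unsupported characters (" ' \) but not what happens when an AD group name contains one of them: whether the role is skipped, created under a mangled name, or the whole synchronization step fails, and whether the restriction is on the AD group name or only on the role name derived from it. These are quote and escape characters, so a reader who builds role names from group names or DNs needs that information to decide whether to rename the group in AD or pre-process the name inside the workflow before the role is created. Grammar: "there are currently a few special characters which are unsupported; a role name cannot contain: " ' \".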
Line 43: | Line 48: | ||
===== Set aplication properties ===== | ===== Set aplication properties ===== | ||
- | Workflow was updated and now you can just add properties to aplication | + | Workflow was updated and now you can just add properties to application |
{{ : | {{ : | ||
- | With button **Add** you can add any property described | + | With button **Add** you can add any property described |
- | * **idm.pub.acc.syncRole.role.canBeRequested** - (true/false) - sets to all roles, if the role can be requested by identity | + | |
- | * **idm.pub.acc.syncRole.system.mapping.objectClassName** - this is important to provisioning member attribute of identity. It is an object class name of identity schema. It supposedly can stay as " | + | Following properties are used, when the workflow is used for creating roles that manage group membership of accounts in a connected system: |
- | * **idm.pub.acc.syncRole.system.mapping.attributeMemberOf** - it is the name of an attribute in a mapping of identity provisioning. It is usually | + | * **idm.pub.acc.syncRole.provisioningOfIdentities.system.code** - (default: null, _**mandatory**_) - it is code (name) of the system, which is used for provisioning |
- | * **idm.pub.acc.syncRole.system.mapping.attributeRoleIdentificator** - the name of an attribute in the connector, which holds the distinguished name of a role. | + | * **idm.pub.acc.syncRole.system.mapping.objectClassName** |
- | * **idm.pub.acc.syncRole.provisioningOfIdentities.system.code** - it is code (name) | + | * **idm.pub.acc.syncRole.system.mapping.attributeMemberOf** |
- | * **idm.pub.acc.syncRole.identity.eav.externalIdentifier.code** - code of eav of a distinguished name of identities. | + | * **idm.pub.acc.syncRole.system.mapping.attributeRoleIdentificator** |
- | * **idm.pub.acc.syncRole.roleCatalog.ResolveCatalog** - (true/ | + | |
- | * **idm.pub.acc.syncRole.update.resolveMembership** - (true/ | + | Managing group membership of account - more special options for the roles: |
- | * **idm.pub.acc.syncRole.roles.allToOneCatalog** - Add name of catalog. | + | * **idm.pub.acc.syncRole.roleSystem.forwardManagement.value** - (default: false) - every role, which manages group membership on the connected |
- | * **idm.pub.acc.syncRole.roles.attributeNameOfMembership** - Default value ' | + | * **idm.pub.acc.syncRole.roleSystem.update.manageforwardManagement** - (default: false) - this property will manage [[devel: |
+ | * **idm.pub.acc.syncRole.roles.nameOfRoles.doNotSentValueOnExclusion** - (default: null) - every role, which manages group membership on the connected system, has the option to [[devel: | ||
+ | * **idm.pub.acc.syncRole.roles.update.nameOfRoles.manageSentValueOnExclusion** - (default: false) - this property will set the option [[devel: | ||
+ | |||
+ | The workflow enables loading group membership from the system. That means, if the group in AD have some members and you want to assign roles to identities IdM based on that, you can use this workflow to do it. Typically, you would do it only as an **initial** loading. Necessary properties: | ||
+ | * **idm.pub.acc.syncRole.identity.eav.externalIdentifier.code** | ||
+ | * **idm.pub.acc.syncRole.update.resolveMembership** - (true/false, default: | ||
+ | * **idm.pub.acc.syncRole.roles.attributeNameOfMembership** - (default: member) - it is name of attribute of role in source system, which holds identificators of identities. The default value is typical for AD. | ||
+ | |||
+ | Settings of the created role - properties connected to the requesting of roles and the role approval: | ||
+ | * **idm.pub.acc.syncRole.role.canBeRequested** - (true/ | ||
+ | * **idm.pub.acc.syncRole.role.update.manageCanBeRequested** - (true/false, default: | ||
+ | * **idm.pub.acc.syncRole.roles.create.priorityOfRoles** - (default: null, values: 1,2,3,4) - this property | ||
+ | * **idm.pub.acc.syncRole.roles.create.garanteeOfRoles** - (default: null) - fill in name of role, which will become the Role authorizer of all created | ||
+ | |||
+ | The workflow can create the folders | ||
+ | * **idm.pub.acc.syncRole.roleCatalog.ResolveCatalog** - (true/false, default: true) - this property enables creating of new folders in the role catalogue. Set it to false if you don't want to create and add roles to the role catalogue at all. | ||
+ | * **idm.pub.acc.syncRole.roles.allToOneCatalog** - (default: null) - use this property, if you want to add all roles in one folder. Set the name of the folder | ||
+ | * **idm.pub.acc.syncRole.roleCatalog.catalogueTreeInOneCatalog** - (default: null) - use this property, if you want to create and add roles in a tree structure of folders. Set the name of the root folder to this property. The workflow will create a tree of folders under this root folder. If this property will be changed, new catalog folder will be created. Name of folders in the role catalogue can be changed in IdM. | ||
+ | Since Extras version 1.8.0 you can use two new options which will help with following use case: I have more then 1 AD system connected as group source. Now the workflow has " | ||
+ | This changes are backward compatible because if you don't set these new properties the WF behavior is same as in previous version. | ||
+ | If you set this property then the new behavior will be turned on. | ||
+ | * **idm.pub.acc.syncRole.roles.catalogByCodeList** - UUID of code list for catalogs for each system. Item in code list has UUID of source system and as value they have code of role catalog | ||
+ | * **idm.pub.acc.syncRole.provisioningOfIdentities.codeList** - UUID of code list for mapped sysmtes for each system. Item in code list has UUID value of AD group system which is used for synchronization and as value UUID of AD system which is used for user provisioning | ||
===== Set attributes activity ===== | ===== Set attributes activity ===== | ||
This activity is to get some attributes from icAttributes as name and distinguished name. You can get another if they will be needed in the following activities. | This activity is to get some attributes from icAttributes as name and distinguished name. You can get another if they will be needed in the following activities. |
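Review bot: the regrouped property list in the right column is a clear improvement, but a few points that a practitioner needs are missing from it. `idm.pub.acc.syncRole.role.canBeRequested` in the "Settings of the created role" group is applied to every synced role, so say what its default is and make explicit that, with `idm.pub.acc.syncRole.role.update.manageCanBeRequested` left at its default, a later sync run will not overwrite a value an administrator changed by hand in IdM; otherwise every AD group silently becomes a self-service requestable role. `idm.pub.acc.syncRole.roles.create.garanteeOfRoles` makes one role the Role authorizer of all created roles, so the text should warn that whoever holds that role approves membership in every synced AD group. For the two Extras 1.8.0 code-list properties (`idm.pub.acc.syncRole.roles.catalogByCodeList`, `idm.pub.acc.syncRole.provisioningOfIdentities.codeList`) state which of them must be set for the new behaviour and what happens to a group source system that has no item in the code list, since "if you don't set these new properties the WF behavior is same as in previous version" only covers the case where neither property is set. Typos left in both columns or introduced here: the heading "Set aplication properties", "more then 1 AD system", "This changes are backward compatible", "mapped sysmtes"; and because "garanteeOfRoles" looks like a misspelling of "guarantee", either confirm it is the real property key and say so, or correct it, so nobody "fixes" it in their configuration and ends up with no authorizer set.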