Differences

This shows you the differences between two versions of the page.

tutorial:dev:ad_groups_sync_workflow [2020/03/25 06:57]
kucerar New sync options for using in multiple systems
tutorial:dev:ad_groups_sync_workflow [2021/03/11 21:05] (current)
apeterova more info and typos
Line 48: Line 48:
  
 ===== Set aplication properties ===== ===== Set aplication properties =====
-Workflow was updated and now you can just add properties to aplication and you do not have to anyhow change workflow file. Aplication property are specified in **Settings** agenda in **Configuration** tab (like you can see on picture bellow).+Workflow was updated and now you can just add properties to application and you do not have to anyhow change workflow file. Application property are specified in **Settings** agenda in **Configuration** tab (like you can see on picture bellow).
  
 {{ :tutorial:dev:syncroleproperties.png |}} {{ :tutorial:dev:syncroleproperties.png |}}
  
-With button **Add** you can add any property described bellow and configure workflow. +With button **Add** you can add any property described below and configure workflow. 
-  * **idm.pub.acc.syncRole.role.canBeRequested** - (true/false, default: false) - sets to all roles, if the role can be requested by identity+ 
 +Following properties are used, when the workflow is used for creating roles that manage group membership of accounts in a connected system: 
 +  * **idm.pub.acc.syncRole.provisioningOfIdentities.system.code** - (default: null, _**mandatory**_) - it is code (name) of the system, which is used for provisioning the identities to the system. E.g. "AD users". It is mandatory attribute, otherwise workflow will not be working.  
 +  * **idm.pub.acc.syncRole.system.mapping.objectClassName** - (default: \_\_ACCOUNT\_\_) - this is important to provisioning member attribute of identity. It is an object class name of identity schema. It should stay "\_\_ACCOUNT\_\_" 
 +  * **idm.pub.acc.syncRole.system.mapping.attributeMemberOf** - (default: ldapGroups) - it is the name of an attribute in a mapping of identity provisioning. It is usually ldapGroups (recommended) or memberOf. This attribute will be added to role's mapping with transformation script (which will be set later). 
 +  * **idm.pub.acc.syncRole.system.mapping.attributeRoleIdentificator** - (default: distinguishedName) - the name of an attribute in the connector, which holds the distinguished name of a role object. 
 + 
 +Managing group membership of account - more special options for the roles: 
 +  * **idm.pub.acc.syncRole.roleSystem.forwardManagement.value** - (default: false) - every role, which manages group membership on the connected system, has the option [[devel:documentation:accounts:adm:accounts#forward_identity_account_management|forward account management]]. This property can set this option. 
 +  * **idm.pub.acc.syncRole.roleSystem.update.manageforwardManagement** - (default: false) - this property will manage [[devel:documentation:accounts:adm:accounts#forward_identity_account_management|forward account management]] option even when updating existing roles by the synchronization. 
 +  * **idm.pub.acc.syncRole.roles.nameOfRoles.doNotSentValueOnExclusion** - (default: null) - every role, which manages group membership on the connected system, has the option to [[devel:documentation:systems:dev:system-mapping#skip_merged_value_if_contract_is_excluded|skip the value if it's assigned on an excluded contract]] (see the [[tutorial:adm:systems_-_ad_remove_group_membership_when_the_contract_is_excluded|tutorial about this]]). Add to this property names of new roles separated with comma, which should have this option set (i.e., they should be skipped when the contract is excluded). (Does not work with roles, which have comma in name.) 
 +  * **idm.pub.acc.syncRole.roles.update.nameOfRoles.manageSentValueOnExclusion** - (default: false) - this property will set the option [[devel:documentation:systems:dev:system-mapping#skip_merged_value_if_contract_is_excluded|skip the value if it's assigned on an excluded contract]] even when updating existing roles by the synchronization. The option will be set to all roles in the property ''idm.pub.acc.syncRole.roles.nameOfRoles.doNotSentValueOnExclusion'' and unset to all other AD roles. 
 + 
 +The workflow enables loading group membership from the system. That means, if the group in AD have some members and you want to assign roles to identities IdM based on that, you can use this workflow to do it. Typically, you would do it only as an **initial** loading. Necessary properties: 
 +  * **idm.pub.acc.syncRole.identity.eav.externalIdentifier.code** - (default: null, _**mandatory for resolving group membership**_) - code of EAV with a distinguished name of identities. It is used when creating a new role for a new group, or when loading group membership for existing roles. All identities managed by IdM in AD have to have the EAV containing their current **distinguishedName**, otherwise resolving membership will not work. Load the value to the EAV (recommended name: **distinguishedName**) when you run reconciliation of identities. FIXME create a tutorial. Then set the value "distinguishedName" to this property. **Once you load the group membership, remove this property, so the membership won't be loaded from AD for new roles** (IdM should be the authority for group membership in the standard production use). 
 +  * **idm.pub.acc.syncRole.update.resolveMembership** - (true/false, default: false) - with this property you can turn on resolving memberships of roles even in other situations than creating role. Recommended way: Turn it on for initial loading of group membership, turn it off afterwards. Note that resolving membership of newly created roles is done independently of this property, see the note in the property ''idm.pub.acc.syncRole.identity.eav.externalIdentifier.code'' above. 
 +  * **idm.pub.acc.syncRole.roles.attributeNameOfMembership** - (default: member) - it is name of attribute of role in source system, which holds identificators of identities. The default value is typical for AD. 
 + 
 +Settings of the created role - properties connected to the requesting of roles and the role approval: 
 +  * **idm.pub.acc.syncRole.role.canBeRequested** - (true/false, default: false) - sets to all roles, if the role can be requested by common users (not superadmin)
   * **idm.pub.acc.syncRole.role.update.manageCanBeRequested** - (true/false, default: false) - enable/disable setting can-be-requested role attribute   * **idm.pub.acc.syncRole.role.update.manageCanBeRequested** - (true/false, default: false) - enable/disable setting can-be-requested role attribute
-  * **idm.pub.acc.syncRole.system.mapping.objectClassName** - (default: \_\_ACCOUNT\_\_) this is important to provisioning member attribute of identity. It is an object class name of identity schema. It supposedly can stay as "\_\_ACCOUNT\_\_" +  * **idm.pub.acc.syncRole.roles.create.priorityOfRoles** - (default: null, values: 1,2,3,4this property will set criticality (priority) of roles, which affects the [[tutorial:adm:role_change_configuration#role_criticalitypriority|approval process]]. **Only on create.** 
-  * **idm.pub.acc.syncRole.system.mapping.attributeMemberOf** - (default: ldapGroups- it is the name of an attribute in a mapping of identity provisioning. It is usually memberOf or ldapGroup. This attribute will be added to role's mapping with tramsformation script (which will be set later)-  +  * **idm.pub.acc.syncRole.roles.create.garanteeOfRoles** - (default: null) - fill in name of rolewhich will become the Role authorizer of all created roles. **Only on create.** 
-  * **idm.pub.acc.syncRole.system.mapping.attributeRoleIdentificator** - (default: distinguishedName) - the name of an attribute in the connector, which holds the distinguished name of a role. + 
-  * **idm.pub.acc.syncRole.provisioningOfIdentities.system.code** - (default: null, _**mandatory**_) - it is code (nameof the systemwhere identities have provisioning.It is now mandatory attribute, otherwise workflow will not be working +The workflow can create the folders in the role catalogue. It can be either one folder, or the tree structure of folders based on the DNs of the roles: 
-  * **idm.pub.acc.syncRole.identity.eav.externalIdentifier.code** - (default: null) - code of eav of a distinguished name of identities. it is used in creating entity in the situation of a Missing entity. It is important when groups in AD already have members and some of the identities DNs cannot be calculated again. +  * **idm.pub.acc.syncRole.roleCatalog.ResolveCatalog** - (true/false, default: true) - this property enables creating of new folders in the role catalogue. Set it to false if you don't want to create and add roles to the role catalogue at all
-  * **idm.pub.acc.syncRole.roleCatalog.ResolveCatalog** - (true/false, default: true) - This property will disable creating of catalogue. +  * **idm.pub.acc.syncRole.roles.allToOneCatalog** - (default: null) - use this property, if you want to add all roles in one folder. Set the name of the folder to this propertyIf a folder with the same code already exists, the workflow will create a new one (it won't reuse already existing folder)
-  * **idm.pub.acc.syncRole.update.resolveMembership** - (true/false, default: false) - With this property you can turn on resolving memberships of roles even in other situation than creating role. This is usually used, when connecting system for synchronization of roles, when you forgot configure 'externalIdentifier'+  * **idm.pub.acc.syncRole.roleCatalog.catalogueTreeInOneCatalog** - (default: null) - use this property, if you want to create and add roles in a tree structure of folders. Set the name of the root folder to this property. The workflow will create tree of folders under this root folder. If this property will be changed, new catalog folder will be created. Name of folders in the role catalogue can be changed in IdM. 
-  * **idm.pub.acc.syncRole.roles.allToOneCatalog** - (default: null) - Add name of catalogall roles will be added to this 'folder+ 
-  * **idm.pub.acc.syncRole.roles.attributeNameOfMembership** - (default: member) - it is name of attribute of role in source system, which holds identificators of identities +
-  * **idm.pub.acc.syncRole.roleCatalog.catalogueTreeInOneCatalog** - (default: null) - if creating of catalog like DN is enabled, this property will create tree of catalogues under root catalog. Name of this root catalog set in this property. Catalogue folder have to and will be created in workflow process. If this property will be changed, new catalog folder will be created. Name of catalogues can be changed in IdM. +
-  * **idm.pub.acc.syncRole.roleSystem.forwardManagement.value** - (default: false) - When role is created with connected system and it manages membership. In this case there is option 'forward management'. This property will set this option. +
-  * **idm.pub.acc.syncRole.roleSystem.update.manageforwardManagement** - (default: false) - This property will manage 'forward management' option even on update roles. +
-  * **idm.pub.acc.syncRole.roles.nameOfRoles.doNotSentValueOnExclusion** - (default: null) - On role create with connected system and system attribute, there is option, this attribute will be skipped on excluded contract. Add to this property names of roles separeted with comma. (does not work with roles, which has comma in name) +
-  * **idm.pub.acc.syncRole.roles.update.nameOfRoles.manageSentValueOnExclusion** - (default: false) - This property will manage skip of attribute option even on update roles. +
-  * **idm.pub.acc.syncRole.roles.create.priorityOfRoles** - (default: null, values: 1,2,3,4) - This property will set priority of roles, on this autorization workflow will be changed. **Only on create.** +
-  * **idm.pub.acc.syncRole.roles.create.garanteeOfRoles** - (default: null) - Fiil in name of role, which will become garantee of all Ldap/AD roles. **Only on create.**+
 Since Extras version 1.8.0 you can use two new options which will help with following use case: I have more then 1 AD system connected as group source. Now the workflow has "global" configuration via application properties so I am not able to run scheduled synchronization and put group from one AD to catalog "one" and from second AD to catalog "two" and similar issue is with mapped systems.   Since Extras version 1.8.0 you can use two new options which will help with following use case: I have more then 1 AD system connected as group source. Now the workflow has "global" configuration via application properties so I am not able to run scheduled synchronization and put group from one AD to catalog "one" and from second AD to catalog "two" and similar issue is with mapped systems.  
 This changes are backward compatible because if you don't set these new properties the WF behavior is same as in previous version. This changes are backward compatible because if you don't set these new properties the WF behavior is same as in previous version.
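Review bot: the new side still leaves the FIXME in the idm.pub.acc.syncRole.identity.eav.externalIdentifier.code entry ("Load the value to the EAV ... FIXME create a tutorial"), so the step the entry calls mandatory for resolving group membership (filling every managed identity's distinguishedName EAV during reconciliation) has no documented procedure; link the reconciliation tutorial or describe the step inline, ideally right before the sentence telling the reader to remove the property again so IdM stays the authority for membership. Two smaller points: the heading "===== Set aplication properties =====" keeps the typo on both sides while the body text was corrected to "application", and the idm.pub.acc.syncRole.roles.allToOneCatalog entry states that a folder with the same code is not reused, which deserves one sentence on whether a second synchronization run produces a duplicate folder.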
  • by kucerar