Differences
tutorial:dev:ad_groups_sync_workflow [2021/03/11 20:50] apeterova reorganization and specification of the properties |
tutorial:dev:ad_groups_sync_workflow [2021/03/11 21:05] (current) apeterova more info and typos |
Line 56: | Line 56: | ||
Following properties are used, when the workflow is used for creating roles that manage group membership of accounts in a connected system: | Following properties are used, when the workflow is used for creating roles that manage group membership of accounts in a connected system: | ||
* **idm.pub.acc.syncRole.provisioningOfIdentities.system.code** - (default: null, _**mandatory**_) - it is code (name) of the system, which is used for provisioning the identities to the system. E.g. "AD users" | * **idm.pub.acc.syncRole.provisioningOfIdentities.system.code** - (default: null, _**mandatory**_) - it is code (name) of the system, which is used for provisioning the identities to the system. E.g. "AD users" | ||
- | * **idm.pub.acc.syncRole.system.mapping.objectClassName** - (default: \_\_ACCOUNT\_\_) this is important to provisioning member attribute of identity. It is an object class name of identity schema. It should stay " | + | * **idm.pub.acc.syncRole.system.mapping.objectClassName** - (default: \_\_ACCOUNT\_\_) |
* **idm.pub.acc.syncRole.system.mapping.attributeMemberOf** - (default: ldapGroups) - it is the name of an attribute in a mapping of identity provisioning. It is usually ldapGroups (recommended) or memberOf. This attribute will be added to role's mapping with transformation script (which will be set later). | * **idm.pub.acc.syncRole.system.mapping.attributeMemberOf** - (default: ldapGroups) - it is the name of an attribute in a mapping of identity provisioning. It is usually ldapGroups (recommended) or memberOf. This attribute will be added to role's mapping with transformation script (which will be set later). | ||
* **idm.pub.acc.syncRole.system.mapping.attributeRoleIdentificator** - (default: distinguishedName) - the name of an attribute in the connector, which holds the distinguished name of a role object. | * **idm.pub.acc.syncRole.system.mapping.attributeRoleIdentificator** - (default: distinguishedName) - the name of an attribute in the connector, which holds the distinguished name of a role object. | ||
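Review bot: the new revision of the `idm.pub.acc.syncRole.system.mapping.objectClassName` entry drops the explanation that this is the object class name of the identity schema and that it matters for provisioning the member attribute of the identity; keep that sentence after `(default: \_\_ACCOUNT\_\_)`, because the default value alone does not tell an administrator when the property has to be changed.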
Line 62: | Line 62: | ||
Managing group membership of account - more special options for the roles: | Managing group membership of account - more special options for the roles: | ||
* **idm.pub.acc.syncRole.roleSystem.forwardManagement.value** - (default: false) - every role, which manages group membership on the connected system, has the option [[devel: | * **idm.pub.acc.syncRole.roleSystem.forwardManagement.value** - (default: false) - every role, which manages group membership on the connected system, has the option [[devel: | ||
- | * **idm.pub.acc.syncRole.roleSystem.update.manageforwardManagement** - (default: false) - This property will manage [[devel: | + | * **idm.pub.acc.syncRole.roleSystem.update.manageforwardManagement** - (default: false) - this property will manage [[devel: |
- | * **idm.pub.acc.syncRole.roles.nameOfRoles.doNotSentValueOnExclusion** - (default: null) - every role, which manages group membership on the connected system, has the option to [[devel: | + | * **idm.pub.acc.syncRole.roles.nameOfRoles.doNotSentValueOnExclusion** - (default: null) - every role, which manages group membership on the connected system, has the option to [[devel: |
- | * **idm.pub.acc.syncRole.roles.update.nameOfRoles.manageSentValueOnExclusion** - (default: false) - This property will set the property | + | * **idm.pub.acc.syncRole.roles.update.nameOfRoles.manageSentValueOnExclusion** - (default: false) - this property will set the option |
The workflow enables loading group membership from the system. That means, if the group in AD have some members and you want to assign roles to identities IdM based on that, you can use this workflow to do it. Typically, you would do it only as an **initial** loading. Necessary properties: | The workflow enables loading group membership from the system. That means, if the group in AD have some members and you want to assign roles to identities IdM based on that, you can use this workflow to do it. Typically, you would do it only as an **initial** loading. Necessary properties: | ||
* **idm.pub.acc.syncRole.identity.eav.externalIdentifier.code** - (default: null, _**mandatory for resolving group membership**_) - code of EAV with a distinguished name of identities. It is used when creating a new role for a new group, or when loading group membership for existing roles. All identities managed by IdM in AD have to have the EAV containing their current **distinguishedName**, | * **idm.pub.acc.syncRole.identity.eav.externalIdentifier.code** - (default: null, _**mandatory for resolving group membership**_) - code of EAV with a distinguished name of identities. It is used when creating a new role for a new group, or when loading group membership for existing roles. All identities managed by IdM in AD have to have the EAV containing their current **distinguishedName**, | ||
- | * **idm.pub.acc.syncRole.update.resolveMembership** - (true/ | + | * **idm.pub.acc.syncRole.update.resolveMembership** - (true/ |
- | * **idm.pub.acc.syncRole.roles.attributeNameOfMembership** - (default: member) - it is name of attribute of role in source system, which holds identificators of identities | + | * **idm.pub.acc.syncRole.roles.attributeNameOfMembership** - (default: member) - it is name of attribute of role in source system, which holds identificators of identities. The default value is typical for AD. |
- | Settings of the created role - properties connected to the requesting of roles and role approval: | + | Settings of the created role - properties connected to the requesting of roles and the role approval: |
- | * **idm.pub.acc.syncRole.role.canBeRequested** - (true/ | + | * **idm.pub.acc.syncRole.role.canBeRequested** - (true/ |
* **idm.pub.acc.syncRole.role.update.manageCanBeRequested** - (true/ | * **idm.pub.acc.syncRole.role.update.manageCanBeRequested** - (true/ | ||
- | * **idm.pub.acc.syncRole.roles.create.priorityOfRoles** - (default: null, values: 1,2,3,4) - This property will set priority of roles, | + | * **idm.pub.acc.syncRole.roles.create.priorityOfRoles** - (default: null, values: 1,2,3,4) - this property will set criticality (priority) of roles, |
- | * **idm.pub.acc.syncRole.roles.create.garanteeOfRoles** - (default: null) - Fill in name of role, which will become the Role authorizer of all Ldap/ | + | * **idm.pub.acc.syncRole.roles.create.garanteeOfRoles** - (default: null) - fill in name of role, which will become the Role authorizer of all created |
The workflow can create the folders in the role catalogue. It can be either one folder, or the tree structure of folders based on the DNs of the roles: | The workflow can create the folders in the role catalogue. It can be either one folder, or the tree structure of folders based on the DNs of the roles: | ||
- | * **idm.pub.acc.syncRole.roleCatalog.ResolveCatalog** - (true/ | + | * **idm.pub.acc.syncRole.roleCatalog.ResolveCatalog** - (true/ |
- | * **idm.pub.acc.syncRole.roles.allToOneCatalog** - (default: null) - Use this property, if you want to add all roles in one folder. Set the name of the folder to this property. If a folder with the same code already exists, the workflow will create a new one (it won't reuse already existing folder). | + | * **idm.pub.acc.syncRole.roles.allToOneCatalog** - (default: null) - use this property, if you want to add all roles in one folder. Set the name of the folder to this property. If a folder with the same code already exists, the workflow will create a new one (it won't reuse already existing folder). |
- | * **idm.pub.acc.syncRole.roleCatalog.catalogueTreeInOneCatalog** - (default: null) - Use this property, if you want to create and add roles in a tree structure of folders. Set the name of the root folder to this property. The workflow will create a tree of folders under this root folder. If this property will be changed, new catalog folder will be created. Name of folders in the role catalogu | + | * **idm.pub.acc.syncRole.roleCatalog.catalogueTreeInOneCatalog** - (default: null) - use this property, if you want to create and add roles in a tree structure of folders. Set the name of the root folder to this property. The workflow will create a tree of folders under this root folder. If this property will be changed, new catalog folder will be created. Name of folders in the role catalogue |
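Review bot: in the `idm.pub.acc.syncRole.roles.attributeNameOfMembership` entry, "identificators of identities" should read "identifiers of identities", and the sentence still lacks articles ("it is the name of the attribute of the role in the source system"); the added "The default value is typical for AD." is useful and should stay. The `garanteeOfRoles` rewording to "all created" roles is an improvement over "all Ldap/" because it states exactly which roles receive the authorizer, and the lower-case "this property" at the start of the `manageforwardManagement`, `manageSentValueOnExclusion` and `priorityOfRoles` descriptions is now consistent with the other entries.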