Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
tutorial:dev:ad_groups_sync_workflow [2021/03/11 20:50]
apeterova reorganization and specification of the properties 		tutorial:dev:ad_groups_sync_workflow [2021/03/11 21:05] (current)
apeterova more info and typos
Line 56: Line 56:
 Following properties are used, when the workflow is used for creating roles that manage group membership of accounts in a connected system: Following properties are used, when the workflow is used for creating roles that manage group membership of accounts in a connected system:
   * **idm.pub.acc.syncRole.provisioningOfIdentities.system.code** - (default: null, _**mandatory**_) - it is code (name) of the system, which is used for provisioning the identities to the system. E.g. "AD users". It is mandatory attribute, otherwise workflow will not be working.    * **idm.pub.acc.syncRole.provisioningOfIdentities.system.code** - (default: null, _**mandatory**_) - it is code (name) of the system, which is used for provisioning the identities to the system. E.g. "AD users". It is mandatory attribute, otherwise workflow will not be working. 
-  * **idm.pub.acc.syncRole.system.mapping.objectClassName** - (default: \_\_ACCOUNT\_\_) this is important to provisioning member attribute of identity. It is an object class name of identity schema. It should stay "\_\_ACCOUNT\_\_"+  * **idm.pub.acc.syncRole.system.mapping.objectClassName** - (default: \_\_ACCOUNT\_\_) this is important to provisioning member attribute of identity. It is an object class name of identity schema. It should stay "\_\_ACCOUNT\_\_"
   * **idm.pub.acc.syncRole.system.mapping.attributeMemberOf** - (default: ldapGroups) - it is the name of an attribute in a mapping of identity provisioning. It is usually ldapGroups (recommended) or memberOf. This attribute will be added to role's mapping with transformation script (which will be set later).   * **idm.pub.acc.syncRole.system.mapping.attributeMemberOf** - (default: ldapGroups) - it is the name of an attribute in a mapping of identity provisioning. It is usually ldapGroups (recommended) or memberOf. This attribute will be added to role's mapping with transformation script (which will be set later).
   * **idm.pub.acc.syncRole.system.mapping.attributeRoleIdentificator** - (default: distinguishedName) - the name of an attribute in the connector, which holds the distinguished name of a role object.   * **idm.pub.acc.syncRole.system.mapping.attributeRoleIdentificator** - (default: distinguishedName) - the name of an attribute in the connector, which holds the distinguished name of a role object.
Line 62: Line 62:
 Managing group membership of account - more special options for the roles: Managing group membership of account - more special options for the roles:
   * **idm.pub.acc.syncRole.roleSystem.forwardManagement.value** - (default: false) - every role, which manages group membership on the connected system, has the option [[devel:documentation:accounts:adm:accounts#forward_identity_account_management|forward account management]]. This property can set this option.   * **idm.pub.acc.syncRole.roleSystem.forwardManagement.value** - (default: false) - every role, which manages group membership on the connected system, has the option [[devel:documentation:accounts:adm:accounts#forward_identity_account_management|forward account management]]. This property can set this option.
-  * **idm.pub.acc.syncRole.roleSystem.update.manageforwardManagement** - (default: false) - This property will manage [[devel:documentation:accounts:adm:accounts#forward_identity_account_management|forward account management]] option even when updating existing roles by the synchronization. +  * **idm.pub.acc.syncRole.roleSystem.update.manageforwardManagement** - (default: false) - this property will manage [[devel:documentation:accounts:adm:accounts#forward_identity_account_management|forward account management]] option even when updating existing roles by the synchronization. 
-  * **idm.pub.acc.syncRole.roles.nameOfRoles.doNotSentValueOnExclusion** - (default: null) - every role, which manages group membership on the connected system, has the option to [[devel:documentation:systems:dev:system-mapping#skip_merged_value_if_contract_is_excluded|skip the value if it's assigned on an excluded contract]] (see the [[tutorial:adm:systems_-_ad_remove_group_membership_when_the_contract_is_excluded|tutorial about this]]. Add to this property names of new roles separated with comma, which should have this options set (i.e., they should be skipped when the contract is excluded). (Does not work with roles, which have comma in name.) +  * **idm.pub.acc.syncRole.roles.nameOfRoles.doNotSentValueOnExclusion** - (default: null) - every role, which manages group membership on the connected system, has the option to [[devel:documentation:systems:dev:system-mapping#skip_merged_value_if_contract_is_excluded|skip the value if it's assigned on an excluded contract]] (see the [[tutorial:adm:systems_-_ad_remove_group_membership_when_the_contract_is_excluded|tutorial about this]]). Add to this property names of new roles separated with comma, which should have this option set (i.e., they should be skipped when the contract is excluded). (Does not work with roles, which have comma in name.) 
-  * **idm.pub.acc.syncRole.roles.update.nameOfRoles.manageSentValueOnExclusion** - (default: false) - This property will set the property [[devel:documentation:systems:dev:system-mapping#skip_merged_value_if_contract_is_excluded|skip the value if it's assigned on an excluded contract]] even when updating existing roles by the synchronization.+  * **idm.pub.acc.syncRole.roles.update.nameOfRoles.manageSentValueOnExclusion** - (default: false) - this property will set the option [[devel:documentation:systems:dev:system-mapping#skip_merged_value_if_contract_is_excluded|skip the value if it's assigned on an excluded contract]] even when updating existing roles by the synchronization. The option will be set to all roles in the property ''idm.pub.acc.syncRole.roles.nameOfRoles.doNotSentValueOnExclusion'' and unset to all other AD roles.
  
 The workflow enables loading group membership from the system. That means, if the group in AD have some members and you want to assign roles to identities IdM based on that, you can use this workflow to do it. Typically, you would do it only as an **initial** loading. Necessary properties: The workflow enables loading group membership from the system. That means, if the group in AD have some members and you want to assign roles to identities IdM based on that, you can use this workflow to do it. Typically, you would do it only as an **initial** loading. Necessary properties:
   * **idm.pub.acc.syncRole.identity.eav.externalIdentifier.code** - (default: null, _**mandatory for resolving group membership**_) - code of EAV with a distinguished name of identities. It is used when creating a new role for a new group, or when loading group membership for existing roles. All identities managed by IdM in AD have to have the EAV containing their current **distinguishedName**, otherwise resolving membership will not work. Load the value to the EAV (recommended name: **distinguishedName**) when you run reconciliation of identities. FIXME create a tutorial. Then set the value "distinguishedName" to this property. **Once you load the group membership, remove this property, so the membership won't be loaded from AD for new roles** (IdM should be the authority for group membership in the standard production use).   * **idm.pub.acc.syncRole.identity.eav.externalIdentifier.code** - (default: null, _**mandatory for resolving group membership**_) - code of EAV with a distinguished name of identities. It is used when creating a new role for a new group, or when loading group membership for existing roles. All identities managed by IdM in AD have to have the EAV containing their current **distinguishedName**, otherwise resolving membership will not work. Load the value to the EAV (recommended name: **distinguishedName**) when you run reconciliation of identities. FIXME create a tutorial. Then set the value "distinguishedName" to this property. **Once you load the group membership, remove this property, so the membership won't be loaded from AD for new roles** (IdM should be the authority for group membership in the standard production use).
-  * **idm.pub.acc.syncRole.update.resolveMembership** - (true/false, default: false) - With this property you can turn on resolving memberships of roles even in other situation than creating role. Recommended way: Turn it on for initial loading of group membership, turn it off afterwards. Note that resolving membership of newly created roles is done independently of this property, see the note in the property idm.pub.acc.syncRole.identity.eav.externalIdentifier.code above. +  * **idm.pub.acc.syncRole.update.resolveMembership** - (true/false, default: false) - with this property you can turn on resolving memberships of roles even in other situations than creating role. Recommended way: Turn it on for initial loading of group membership, turn it off afterwards. Note that resolving membership of newly created roles is done independently of this property, see the note in the property ''idm.pub.acc.syncRole.identity.eav.externalIdentifier.code'' above. 
-  * **idm.pub.acc.syncRole.roles.attributeNameOfMembership** - (default: member) - it is name of attribute of role in source system, which holds identificators of identities+  * **idm.pub.acc.syncRole.roles.attributeNameOfMembership** - (default: member) - it is name of attribute of role in source system, which holds identificators of identities. The default value is typical for AD.
  
-Settings of the created role - properties connected to the requesting of roles and role approval: +Settings of the created role - properties connected to the requesting of roles and the role approval: 
-  * **idm.pub.acc.syncRole.role.canBeRequested** - (true/false, default: false) - sets to all roles, if the role can be requested by identity+  * **idm.pub.acc.syncRole.role.canBeRequested** - (true/false, default: false) - sets to all roles, if the role can be requested by common users (not superadmin)
   * **idm.pub.acc.syncRole.role.update.manageCanBeRequested** - (true/false, default: false) - enable/disable setting can-be-requested role attribute   * **idm.pub.acc.syncRole.role.update.manageCanBeRequested** - (true/false, default: false) - enable/disable setting can-be-requested role attribute
-  * **idm.pub.acc.syncRole.roles.create.priorityOfRoles** - (default: null, values: 1,2,3,4) - This property will set priority of roles, on this authorization workflow will be changed. **Only on create.** +  * **idm.pub.acc.syncRole.roles.create.priorityOfRoles** - (default: null, values: 1,2,3,4) - this property will set criticality (priorityof roles, which affects the [[tutorial:adm:role_change_configuration#role_criticalitypriority|approval process]]. **Only on create.** 
-  * **idm.pub.acc.syncRole.roles.create.garanteeOfRoles** - (default: null) - Fill in name of role, which will become the Role authorizer of all Ldap/AD roles. **Only on create.**+  * **idm.pub.acc.syncRole.roles.create.garanteeOfRoles** - (default: null) - fill in name of role, which will become the Role authorizer of all created roles. **Only on create.**
  
 The workflow can create the folders in the role catalogue. It can be either one folder, or the tree structure of folders based on the DNs of the roles: The workflow can create the folders in the role catalogue. It can be either one folder, or the tree structure of folders based on the DNs of the roles:
-  * **idm.pub.acc.syncRole.roleCatalog.ResolveCatalog** - (true/false, default: true) - This property enables creating of new folders in the role catalogue. Set to false if you don't want to create and add roles to the role catalogue at all. +  * **idm.pub.acc.syncRole.roleCatalog.ResolveCatalog** - (true/false, default: true) - this property enables creating of new folders in the role catalogue. Set it to false if you don't want to create and add roles to the role catalogue at all. 
-  * **idm.pub.acc.syncRole.roles.allToOneCatalog** - (default: null) - Use this property, if you want to add all roles in one folder. Set the name of the folder to this property. If a folder with the same code already exists, the workflow will create a new one (it won't reuse already existing folder). +  * **idm.pub.acc.syncRole.roles.allToOneCatalog** - (default: null) - use this property, if you want to add all roles in one folder. Set the name of the folder to this property. If a folder with the same code already exists, the workflow will create a new one (it won't reuse already existing folder). 
-  * **idm.pub.acc.syncRole.roleCatalog.catalogueTreeInOneCatalog** - (default: null) - Use this property, if you want to create and add roles in a tree structure of folders. Set the name of the root folder to this property. The workflow will create a tree of folders under this root folder. If this property will be changed, new catalog folder will be created. Name of folders in the role catalogu can be changed in IdM.+  * **idm.pub.acc.syncRole.roleCatalog.catalogueTreeInOneCatalog** - (default: null) - use this property, if you want to create and add roles in a tree structure of folders. Set the name of the root folder to this property. The workflow will create a tree of folders under this root folder. If this property will be changed, new catalog folder will be created. Name of folders in the role catalogue can be changed in IdM.
  
  
  • by apeterova