9.7:documentation:adm:synchronization

Synchronization: account situations

Apart from accounts, it is also possible to synchronize other types of entities (roles, trees, …). This chapter describes only the synchronization between an account and an identity.

During synchronization, every account read from the end system is compared with the state in IdM to determine the situation it is in. The basic synchronization configuration consists of choosing, for each situation, the action that should be taken.

There is a finite number of situations that synchronization can detect. They are determined by whether the following exist or are missing:

  • a link (the account in IdM, AccAccount, together with its link to an identity, AccIdentityAccount)
  • an entity (the identity)
  • an account on the end system

The four resulting situations and the actions available in each of them are described below.

The situation in which an account in IdM (AccAccount) linked to an identity already exists for a given account on the end system.

In these circumstances, it is possible to proceed with the following actions:

  • Update an entity - updates the identity linked to the account. The update is driven by the mapping assigned to the synchronization. At present, the mapping can update the attributes of the identity itself, its extended (EAV) attributes, and values kept in the confidential storage. After the entity is saved, standard provisioning is always initiated.
  • Update an account - initiates standard provisioning. Synchronization only emits an event; it does not perform the provisioning itself.
  • Remove a link - removes the link in IdM, i.e. the account (AccAccount) and the link between the identity and the account (AccIdentityAccount). It does not modify the identity itself, nor does it initiate provisioning.
  • Remove a link and related roles - removes the link as in the previous case and also removes the identity roles recorded on the corresponding link (AccIdentityAccount), i.e. the roles through which the account was assigned to the identity.
  • Ignore - This action does not perform any active operation.

The situation in which there is no link in IdM (no AccAccount) for a given account on the end system, but a matching identity exists.

Because no link exists, the identity must be found through the correlation attribute. The correlation attribute is one of the attributes of the synchronization mapping that is marked as such; it is mandatory.

At present, the correlation attribute can search by the attributes of the identity (username, firstName, lastName, email, personal number) and by extended (EAV) attributes.

For example, to identify identities in IdM by matching the identity's username with the account attribute login, you can use the following correlation attribute:


Such being the case, it is possible to proceed with the following actions:

  • Create a link - creates the link in IdM, i.e. the account (AccAccount) and the link between the identity and the account (AccIdentityAccount). It does not modify the identity itself, nor does it initiate provisioning.
  • Create a link and update an entity (since 8.0) - the link is created as in the previous case and, in addition, the entity is updated according to the mapping assigned to the synchronization. After the entity is saved, standard provisioning is always initiated.
  • Create a link and update an account - the link is created as in the previous case and, in addition, an event is emitted that runs provisioning, which updates the account on the end system.
  • Ignore - This action does not perform any active operation.

The situation in which no identity exists in IdM for a given account on the end system (none is linked and none is found through the correlation attribute).

Under the circumstances, it is possible to proceed with the following actions:

  • Create an entity - creates an identity and a link in IdM according to the mapping set up in the synchronization. Creating the entity initiates provisioning (the account is updated).
  • Ignore - This action does not perform any active operation.

In versions 7.6 to 8.1.x, identity synchronization did not create a default contractual relationship when creating a new identity. Since 8.2, this is controlled by a dedicated setting of the synchronization.

The situation in which an account exists in IdM (AccAccount) but the corresponding account no longer exists on the end system.

This situation can be detected only when the connector supports the DELETE operation, i.e. it is able to report which accounts have been deleted on the end system since the last synchronization. It is also typically used in reconciliation, when all accounts in IdM are iterated (for example overnight) and checked for existence on the end system; for every account that no longer exists there, the configured action is applied.

Although handling of the DELETE state is implemented in synchronization, most connectors do not support this operation! This situation also cannot be detected when a custom filter is used.

In this case, it is possible to proceed with the following actions:

  • Create an account - synchronization only emits an IdentityEventType.UPDATE event for the linked identity; the provisioning triggered by that event creates the account on the end system.
  • Delete an entity - deletes the identity together with its account in IdM (AccAccount) and the link between the account and the identity (AccIdentityAccount).
  • Remove a link - removes the link in IdM, i.e. the account (AccAccount) and the link between the identity and the account (AccIdentityAccount). It does not modify the identity itself, nor does it initiate provisioning.
  • Remove a link and related roles - removes the link as in the previous case and also removes the identity roles recorded on the corresponding link (AccIdentityAccount), i.e. the roles through which the account had been assigned to the identity.
  • Ignore - This action does not perform any active operation.
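
The four situations and their actions, as an added example that is not CzechIdM's own code: a small Python model that classifies each account read from the end system (link present; no link but an identity found through the correlation attribute; neither), reconciles IdM accounts that no longer exist on the end system, and applies the configured action while recording its side effects (link created or removed, entity created, updated or deleted, roles removed, provisioning event emitted). All names (IdmState, Link, classify, apply_action, run_sync, the action strings) and the sample data are assumptions made for this illustration.

```python
"""Added example, not CzechIdM code: a model of the four synchronization situations and of
the side effects of each action (links, entity changes, provisioning events, role removal)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional

class Situation(Enum):
    LINKED = "linked"                    # AccAccount and AccIdentityAccount exist
    UNLINKED = "unlinked"                # no link; identity found by the correlation attribute
    MISSING_ENTITY = "missing_entity"    # no link and no identity found
    MISSING_ACCOUNT = "missing_account"  # AccAccount in IdM, account gone from the end system

@dataclass
class Link:                      # stands in for AccIdentityAccount
    identity: str                # identity username
    uid: str                     # uid of the AccAccount (the end-system login)
    role: Optional[str] = None   # identity role that assigned this account, if any

@dataclass
class IdmState:
    identities: Dict[str, Dict[str, str]]                              # username -> attributes
    roles: Dict[str, List[str]] = field(default_factory=dict)          # username -> identity roles
    accounts: Dict[str, Dict[str, str]] = field(default_factory=dict)  # AccAccount uid -> attributes
    links: List[Link] = field(default_factory=list)

def correlate(idm, account, correlation):
    """correlation = (identity attribute, account attribute), e.g. ("username", "login")."""
    id_attr, acc_attr = correlation
    value = account.get(acc_attr)
    found = [u for u, attrs in idm.identities.items()
             if (u if id_attr == "username" else attrs.get(id_attr)) == value]
    if len(found) > 1:  # an ambiguous correlation attribute must not silently pick one identity
        raise ValueError(f"{id_attr}={value!r} matches {len(found)} identities")
    return found[0] if found else None

def classify(idm, uid, account, correlation):
    """Evaluate the situation of one end-system account; also return its (would-be) owner."""
    for lnk in idm.links:
        if lnk.uid == uid:
            return Situation.LINKED, lnk.identity
    owner = correlate(idm, account, correlation)
    return (Situation.UNLINKED, owner) if owner else (Situation.MISSING_ENTITY, None)

def apply_action(idm, uid, account, owner, action, mapping):
    """Apply one configured action (names follow the bullets above) and return its effects."""
    effects = []
    mapped = {k: account[v] for k, v in mapping.items() if k != "username" and v in account}
    if action == "create_entity":                       # the identity is built from the mapping
        owner = account[mapping["username"]]
        idm.identities[owner] = mapped
        effects.append(f"entity_created:{owner}")
    if action.startswith("create_link") or action == "create_entity":
        idm.accounts[uid] = dict(account)
        idm.links.append(Link(owner, uid))
        effects.append(f"link_created:{owner}->{uid}")
    if action.endswith("update_entity"):                # update_entity, create_link_and_update_entity
        idm.identities[owner].update(mapped)
        effects.append(f"entity_updated:{owner}")
    if action.startswith("remove_link") or action == "delete_entity":
        removed = [lnk for lnk in idm.links if lnk.uid == uid]
        idm.links = [lnk for lnk in idm.links if lnk.uid != uid]
        idm.accounts.pop(uid, None)
        effects.append(f"link_removed:{uid}")
        for lnk in removed:                             # roles go only with the *_and_roles variant
            if action.endswith("_and_roles") and lnk.role in idm.roles.get(lnk.identity, []):
                idm.roles[lnk.identity].remove(lnk.role)
                effects.append(f"role_removed:{lnk.identity}:{lnk.role}")
    if action == "delete_entity":
        idm.identities.pop(owner, None)
        idm.roles.pop(owner, None)
        effects.append(f"entity_deleted:{owner}")
    if action.endswith(("update_entity", "update_account", "create_entity", "create_account")):
        effects.append(f"provisioning:{owner}")         # sync only emits the event; provisioning does the rest
    if not effects and action != "ignore":              # every known action except ignore has an effect
        raise ValueError(f"unknown action {action!r}")
    return effects

def run_sync(idm, system_accounts, correlation, mapping, actions):
    """Process every end-system account (login -> attributes), then reconcile IdM accounts that have
    disappeared. mapping = {identity attr: account attr}; actions = {Situation: action name}."""
    result = {}
    for uid, account in system_accounts.items():
        situation, owner = classify(idm, uid, account, correlation)
        result[uid] = (situation, apply_action(idm, uid, account, owner, actions[situation], mapping))
    for uid in [u for u in idm.accounts if u not in system_accounts]:  # missing-account situation
        owner = next((lnk.identity for lnk in idm.links if lnk.uid == uid), None)
        result[uid] = (Situation.MISSING_ACCOUNT,
                       apply_action(idm, uid, idm.accounts[uid], owner, actions[Situation.MISSING_ACCOUNT], mapping))
    return result

def demo():
    """Constructed sample: three accounts read from the end system, one IdM account gone since the last run."""
    system_accounts = {"jnovak": {"login": "jnovak", "mail": "jan@new.example"},
                       "apetr": {"login": "apetr", "mail": "adam@example"},
                       "newbie": {"login": "newbie", "mail": "new@example"}}
    idm = IdmState(
        identities={"jnovak": {"email": "jan@old.example"}, "apetr": {"email": "adam@example"}, "oleft": {}},
        roles={"jnovak": ["ldap-user"], "oleft": ["ldap-user"]},
        accounts={"jnovak": {"login": "jnovak"}, "oleft": {"login": "oleft"}},
        links=[Link("jnovak", "jnovak", role="ldap-user"), Link("oleft", "oleft", role="ldap-user")])
    actions = {Situation.LINKED: "update_entity", Situation.UNLINKED: "create_link",
               Situation.MISSING_ENTITY: "create_entity", Situation.MISSING_ACCOUNT: "remove_link_and_roles"}
    return idm, run_sync(idm, system_accounts, ("username", "login"), {"username": "login", "email": "mail"}, actions)
```

In the sample run, jnovak is linked and gets its email updated plus a provisioning event, apetr is found through the username/login correlation and only gets a link, newbie gets a new identity, a link and provisioning, and oleft, which is gone from the end system, loses its link and the ldap-user role that assigned the account. The effects list returned for each account is what you would want to review before enabling the destructive missing-account actions (role removal, entity deletion) in a nightly reconciliation.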