An example of organizational structure synchronization can be found in the admin guide.
The roots of the tree are searched over the set of all accounts obtained from the target system. The reason why roots are not found using the search method on the end system is that their definition is in some cases too complex (the search criteria in the IC module are inadequate). Such a case is, for example, a situation where roots are all the elements (accounts) whose parent attribute are shown to themselves.
Root search is performed using the Groovy script in the synchronization configuration tree root / tree definition . This script runs over all system elements. If Boolean.TRUE returns, then the element is root. If it returns Boolean.FALSE , it is not the root. The entry of this script is account (IcObject), an object of the element received from the IC module.
Example of a script addressing the situation described above :
if(account){ // Get value from parent attribute def parentValue = account.getAttributeByName("parent").getValue(); // Get value from ID attribute def uidValue = account.getAttributeByName("id").getValue(); // Root is account, where is parent value equals with ID (externalId) value. if(parentValue != null && parentValue.equals(uidValue)){ // We need clear value of parent attribute. In IDM has roots always parent = null. account.getAttributeByName("id_nadraz_prac_mista").setValues(null); return Boolean.TRUE; } } return Boolean.FALSE;
Sometime we need synchronize all nodes from the source system under one node wich exists in the IdM.
For definition of that 'Super parent' node we cannot using:
Super parent node can be defined in the transformation searching roots. This script is defined on the sync configuration and we can set ID of super parent node to parent attribute.
if(account){ // Get value from parent attribute def parentValue = account.getAttributeByName("parent").getValue(); // Root is account, where is parent value is null if(parentValue == null){ // Set default node account.getAttributeByName("parent").setValues(["00a8aa04-667a-412e-bf3c-d892f2d9ca18"]); return Boolean.TRUE; } } return Boolean.FALSE;
Recalculation of automatic roles is skipped during sync. Recalculation of automatic roles can be (should be) correctly started after the end of the sync. This can be ensured by the property 'After end, start the automatic role recalculation' on the detail of sync configuration. Automatic roles are recalculated for synchronized tree nodes, where tree structure (parent node) was changed.
ProcessSkippedAutomaticRoleByTreeTaskExecutor
can be scheduled as dependent task to contract (or slices) synchronization (with automatic roles are recalculated properly). Recalculation of automatic roles for contracts should be recalculated first (new tree structure and automatic roles will be used), then automatic roles for changed tree nodes can be recalculated with ProcessSkippedAutomaticRoleByTreeTaskExecutor
usage.