Role synchronization works according to the same rules as identity synchronization. In this page we will described only extra behavior specific for this synchronization.
A role in IdM is a basic entity that is used to define permissions in IdM. Therefore, if such a role is assigned to an identity, the identities obtain the permissions that are defined on the role. In addition to permissions in IdM, a role can define connections to a specific external system. This means that the identity to which the role will be assigned will in this case obtain an account on the external system.
As part of the synchronization of roles, we will primarily deal with the second case, ie the connection of external systems.
As part of role synchronization, we often talk about group synchronization. A group is a term from external systems, typically MS AD, where it is equivalent to a role in IdM. Ie. defines the membership of users in a given group, just as a role defines the membership of identities in a given role in IdM.
The goal of membership management is to ensure that by assigning a role (created based on this synchronization) to a user, that role/group is provisioned to the end system with members.
For using this feature, we must:
By activating the membership management feature, each synchronized role in IdM will be linked to a system with members. In addition, an attribute is mapped to the role that determines what roles the user has on the membership system. As the output of the transformation to the system for this attribute, the value from the attribute identifying the role will be used. Typically this is the DN of the role.
This feature will ensure that we assign synchronized roles to existing users in IdM. In other words, the external system becomes the authority for IdM.
Be careful, the roles are assigned only to the primary contracts of the users for now.
Compared to the previous solution, this operation does not require any additional attribute on identities containing an identifier (typically a DN). In order for this attribute not to be needed, the synchronization must perform a conversion between the identifier in the membership and the identifier of each user. That is, if one of the roles from the end system contains an attribute with members and those members are identified by, for example, a DN, then the corresponding identities must be found in IdM.
The problem with this task is that the identities may not contain this identifier. The solution is to call the external system with members by an identifier obtained from the role (DN). The system will return the member, including the primary identifier that is used in IdM to identify the account (typically sAMAccountName). This identifier is then used to find the account and identity in the IdM.
From the above, it follows that the end system call with members, thus takes N times, where N is the number of members. To avoid redundant calls to the system with members, the results are stored in cache for this case. This cache is cleared after the synchronization is complete.
If it is identified that a given role is to be assigned to an identity in IdM, then a request is created for that identity. For optimization reasons, such a request is not execute immediately, but only after the entire synchronization is complete. Thus, the goal is to create only one request for one identity, where this request will contain all the required role changes resulting from the synchronization.
For using this feature, we must:
Role catalog management ensures that synchronized roles are included in the IdM role catalog. How roles are cataloged depends on the transformation we choose in the attribute that builds the catalog.
For using this feature, we must:
The product contains two scripts addressing different role cataloging strategies:
You can activate other specific features, such as: