Tree provisioning behaves differently from the provisioning of identities. The main difference is the absence of a separate account management mechanism. In the case of identities, account management creates the IDM account depending on the assigned roles.
In the case of trees, account management is directly linked to the creation / modification / deletion event of the tree node.
If we create a new tree node, the event is published and caught by the processor TreeNodeSaveProcessor (in the ACC module). This processor first creates an IDM account by calling ProvisioningService.createAccountsForAllSystems, which creates an IDM account (and the associated bindings) for all systems that have a provisioning mapping for that tree type. Subsequently, the provisioning itself is triggered.
If we modify a tree node, the event is published and caught by the same processor, which performs the same operations as in the previous case.
If we delete a tree node, the delete event is published and caught by TreeNodeDeleteProcessor. This processor deletes all AccTreeAccount relations and the linked AccAccount records (the account on the end system is deleted too).
By default, tree provisioning is provided by TreeProvisioningExecutor, which primarily resolves the conversion between the parent IdmTreeNode and the value of the parent attribute on the system.