
UNS fullsync - object matching rule ignoring objects

Hi

I'm having some difficulty with the full sync between UNS and a target system built from a SQL database which uses an autonumber column for its ID column.

If records are created in the target system first, I build the DistinguishedName to include the ID, like this: UID=92,CN=xxx.yyy,system=SampleOrderSystem. By default, Identity Manager uses a distinguishedname convention CN=xxx yyy,system=systemname, but after a fullsync we can update the distinguishedname to contain the ID. In addition to this, I've started storing the UID number in a custom attribute called CCC_UNSAccountB_UID.

But if an object is created in Identity Manager first, we have to wait for a callback from the target system to know what its UID in the target system has been assigned to - it won't be in the distinguishedname or CCC_UNSAccountB_UID until then.

I have a script property called DistinguishedNameContainsUID which consistently gives us the UID from the distinguishedname in UNS if one already exists, else it returns an empty string:

' Script property DistinguishedNameContainsUID: returns the value of a leading
' "UID=" RDN in the UNS DistinguishedName, or "" when the DN has no UID RDN.
Dim Result As String = ""
Dim dn As String = $DistinguishedName$
' Lazily match up to the first comma that is not escaped with a backslash.
Dim UIDPattern As String = "^UID=(?<uid>.+?)(?<!\\),"
Dim re As Regex = New Regex(UIDPattern)
Dim m As Match = re.Match(dn)

If m.Success Then
    ' Item with index 1 returns the first group match (the "uid" group).
    Result = m.Groups(1).Value
End If

Return Result

Another script property, CNWithoutSpacesIfNoUID, gives us the ConcatNames from UNS if DistinguishedNameContainsUID is empty:

' Script property CNWithoutSpacesIfNoUID: only yields a name-based key while
' neither the custom attribute nor the DN carries a UID yet.
Dim CNWithoutSpaces As String = ""
If $CCC_UNSAccountB_UID$ = "" And $DistinguishedNameContainsUID$ = "" Then
    CNWithoutSpaces = $LastName$ & $FirstName$
End If

Return CNWithoutSpaces

The object mapping rules are such that if the UID is the same on both sides then we have a one-to-one match between UNS and the target system, but if there is no ID on the UNS account then we have to match using lastname and firstname. Although this could be problematic if we simply used the name fields, you would never see more than one UNSAccountB row with the same CNWithoutSpaces response at the same time for the simple reason that the value is only valid during the interval between two steps within a single synchronization workflow.

So this workflow runs perfectly as long as an account is created in the target system first, but I keep having problems if someone creates an account in Manager first.

For example, on the last unit test I created a UNS account for a test user, ran the sync, and the result was one UNSAccountB row created without the UIDs (as I'd expect), which triggered the account creation in the target system, swiftly followed by another one when the target system returned the UID... 

If I then simulate another sync, I can see this in the simulation report:

 Processed objects
 Schema type               Method                   Count
 UNSAccountB               Delete                   1
 UNSAccountB               Update                   1
 Executed methods on system objects
 Schema type   System object                                      Method
 UNSAccountB   SampleOrderSystem/Test 001 (SampleOrderSystem)     Delete
 UNSAccountB   SampleOrderSystem/001.Test/98 (SampleOrderSystem)  Update

So this actually means the provisioning workflow is going to delete the record that we explicitly requested from Manager and which already matches a legitimate person object in use, in order to maintain the record that matches a totally different Person object unrelated to the employee we were managing.

Can anyone think of a way to configure this sync so that the target system --> UNS sync workflow updates the existing record instead of ignoring it completely? After all, that UNS account already has everything in it EXCEPT the UID...

Cheers

Tim

  • You have to come up with an object matching rule that will work in the case of the initial object creation in 1IM.

    Using the "auto-generated" id alone - in any form - will not work, as far as I can see.

    For the same reason, the AD sync uses 2 object matching rules for the OUs, one primary and one alternate rule. The primary rule is using the ObjectGUID to match the objects on both sides and if that fails (and only then) it tries the second rule which is match by DN.

    For your use-case this means you have to create a unique criterion (whether it is in the DN or any other property) that is not dependent on the auto-created ID. And you should read the auto-generated id into 1IM directly after the object has been created in the external database. To do that, check the option "Force mapping against direction of synchronization" for the mapping rule of the id.

    You could then create the two matching rules, so that the primary rule would be a match by the ID and the alternate rule would be matching by your other criteria, which does not contain the ID.

    HtH

    Markus

  • Thanks Markus.

    You were right; the sync from UNSAccountB to the target system simply needed the DistinguishedName and UID property mapping rules to be configured against the direction of sync, after configuring the object mapping rules as follows:

    1. CCC_UNSAccountB_UID to target system Id (converted to string)
    2. DistinguishedNameContainsUID to target system Id (converted to string)
    3. CNWithoutSpacesIfNoID to CNWithoutSpaces
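To make the primary/alternate matching that Markus describes and the three rules Tim ended up with concrete, here is an added simulation in Python (it is not code from the thread or from Identity Manager). It ports the DistinguishedNameContainsUID regex, evaluates the three object matching rules in order for each target row, and produces the kind of Processed-objects plan the simulation report shows. The UNS and target records are constructed sample data; the assumption that an ambiguous rule (more than one hit) is an error, and the use_alternate_rule switch that reproduces the Delete/Insert outcome from Tim's first test, are mine.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Same pattern as the DistinguishedNameContainsUID script property: the UID is
# the value of a leading "UID=" RDN, up to the first comma not escaped with "\".
UID_PATTERN = re.compile(r"^UID=(?P<uid>.+?)(?<!\\),")


def dn_uid(dn: str) -> str:
    """Return the UID from a DN like 'UID=92,CN=xxx.yyy,system=...', else ''."""
    m = UID_PATTERN.match(dn)
    return m.group("uid") if m else ""


@dataclass
class UnsAccount:                      # constructed stand-in for a UNSAccountB row
    dn: str
    first_name: str
    last_name: str
    custom_uid: str = ""               # CCC_UNSAccountB_UID

    def cn_without_spaces_if_no_uid(self) -> str:
        # Mirrors CNWithoutSpacesIfNoUID: only valid while no UID is known yet.
        if self.custom_uid == "" and dn_uid(self.dn) == "":
            return self.last_name + self.first_name
        return ""


@dataclass
class TargetRow:                       # constructed stand-in for the SQL table
    id: int                            # autonumber column
    first_name: str
    last_name: str

    def cn_without_spaces(self) -> str:
        return self.last_name + self.first_name


def match_row(row: TargetRow, accounts: List[UnsAccount],
              use_alternate_rule: bool = True) -> Tuple[Optional[UnsAccount], str]:
    """Try the matching rules in order; a later rule runs only if the earlier ones fail."""
    id_str = str(row.id)               # "converted to string", as in the mapping
    rules = [
        ("CCC_UNSAccountB_UID", lambda a: a.custom_uid == id_str),
        ("DistinguishedNameContainsUID", lambda a: dn_uid(a.dn) == id_str),
    ]
    if use_alternate_rule:
        rules.append(("CNWithoutSpacesIfNoUID",
                      lambda a: a.cn_without_spaces_if_no_uid() == row.cn_without_spaces()))
    for name, pred in rules:
        hits = [a for a in accounts if pred(a)]
        if len(hits) == 1:
            return hits[0], name
        if len(hits) > 1:              # assumption: ambiguity must not silently pick one
            raise ValueError(f"rule {name} matched {len(hits)} accounts for id {row.id}")
    return None, ""


def plan_sync(rows: List[TargetRow], accounts: List[UnsAccount],
              use_alternate_rule: bool = True) -> List[Tuple[str, str, str]]:
    """Simulate one target-system --> UNS pass as (method, object, reason) triples."""
    plan, claimed = [], set()
    for row in rows:
        acct, rule = match_row(row, accounts, use_alternate_rule)
        if acct is None:
            new_dn = f"UID={row.id},CN={row.last_name}.{row.first_name},system=SampleOrderSystem"
            plan.append(("Insert", new_dn, "no rule matched"))
        else:
            claimed.add(id(acct))
            plan.append(("Update", acct.dn, rule))
    for a in accounts:
        if id(a) not in claimed:       # nothing on the target side claimed this account
            plan.append(("Delete", a.dn, "unmatched UNS account"))
    return plan


# Constructed scenario: "Test 001" was created in Manager first (no UID yet),
# "xxx.yyy" came from the target system and already carries UID 92 in its DN.
ACCOUNTS = [
    UnsAccount("CN=Test 001,system=SampleOrderSystem", "001", "Test"),
    UnsAccount("UID=92,CN=xxx.yyy,system=SampleOrderSystem", "yyy", "xxx"),
]
ROWS = [TargetRow(98, "001", "Test"), TargetRow(92, "yyy", "xxx")]

if __name__ == "__main__":
    for label, alt in (("with alternate rule", True), ("ID rules only", False)):
        print(f"--- {label} ---")
        for method, obj, reason in plan_sync(ROWS, ACCOUNTS, alt):
            print(f"{method:<8}{obj:<50}{reason}")
```

Running it with the alternate rule gives two Update rows, the Manager-created account being matched by CNWithoutSpacesIfNoUID; with only the ID rules the same account is deleted and a second one inserted, which is exactly the Delete plus Update pair from the simulation report. Writing the id back with "Force mapping against direction of synchronization" is what keeps the name-based rule from ever being needed for that account again.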