• State Verified Answer
  • Replies 6 replies
  • Subscribers 96 subscribers
  • Views 5529 views
  • Users 0 members are here
Options
Related

Setting target system as real readonly

prueegg
over 6 years ago

I'm working now on 7.1.1

 

I've seen, that the Sync Project defines now two readonly flags. One for the connection to OIM and one to the target system.

To have the Targetsystem as readonly I have to set the readonly flag for the target system.

 

This works fine for the synch (Target --> OIM).

But provisioning (OIM --> Target) jobs are still created since the NamespaceManagedBy is set to 'VISYNC'.

The provisioning jobs will end in a FROZEN afterwards since the target system connection is set to readonly.
But I want to have the possibility to switch a specific target to readonly without cleaning up a lot of frozens.

 

Therefore I think setting the NamespaceManagedBy from 'VISYNC' to 'READONLY' would be the correct approach, but the Manager doesn't allow me to do that change. (The change in the other direction was ok)

 

Finally my question:

Is it a good idea to switch readonly on/off via SQL on the NamespaceManagedBy field?

 

PS:

The other option would be to deal with the entries in DPRObjectOperation, but that wouldn't be real fun.

Parents
  • +1 over 6 years ago

    The provisioning jobs have been created because you do have the Ad-Hoc workflows in your sync project. In that case, the read-only can be used as a quick switch to disable all write operations to the target system, but being able to re-activate the process steps later on, when you set the target system connection to writeable again.

    If you want to disable the generation of your provisioning processes for some or all of the objects in your synchronization project, just remove or disable the workflow steps that write the objects to the target system (see screenshot).

  • 0 over 4 years ago in reply to Markus Weiss-Ehlers

    Hi Markus 

    Thanks for your reply here. I am facing one problem in of our lower environment as provisioning is not working for online exchange. After investigating further I found NamespaceManagedBy set to 'READONLY'. I have updated to 'VISYNC' using SQL command as manager does not allow me to edit. Still update event is not firing. 

    How i can properly change 'READONLY' to 'VISYNC'?

    Thanks in advance

  • 0 over 4 years ago in reply to sshaik3

    NamespaceManagedBy has serious side effects. Therefor changes are not allowed. Don't change NamespaceManagedBy via SQL!
    "READONLY" is an unfortunate naming. It basically disables most of the functionality that enforce data consistency for the respective target system. (Customizer, mandatory field checks, templates, ...)
    An example use case: There is no access to a specific Active Directory domain. Only a bunch of csv files with partial data that require attestation and/or reporting. Using NamespaceManagedBy ="READONLY" you can import AD groups and AD accounts without importing containers, organisational units, objectClass information, group flags and so on.

    Going from READONLY to VISYNC would require to perform a data consistency check on all objects of the respective target system instance. Checking mandatory fields, Customizer checks, and so on. Depending on size and target system constraints this is only possible in theory.
    Going from VISYNC to READONLY is not permitted, because it is be a one way ticket.

  • 0 over 4 years ago in reply to Andreas Finsterbusch

    Thanks for your reply Andreas. I can check the data inconsistency using designer tool however how do I change NamespaceManagedBy  from readonly to visync?  I have tried to change the value using manger and object browser it seems they are not permitted.

    any light in this regard would be very helpful to solve my problem. Thanks

Reply
  • 0 over 4 years ago in reply to Andreas Finsterbusch

    Thanks for your reply Andreas. I can check the data inconsistency using designer tool however how do I change NamespaceManagedBy  from readonly to visync?  I have tried to change the value using manger and object browser it seems they are not permitted.

    any light in this regard would be very helpful to solve my problem. Thanks

Children
  • 0 over 4 years ago in reply to sshaik3

    The data consistency checks in designer check for referential integrity and OneIM specific constraints. This checks won't check all required target system specific constraints.
    To my knowledge there is no check in the Designer fixing bad DistinguishedNames.

    "how do I change NamespaceManagedBy from readonly to visync" In general: you don't. It is not permitted due to the huge side effects and the extensive required checks.

    In the rare case that you started with a NamespaceManagedBy=visync target system and you changed to "readonly" using SQL and didn't do any changes to the target system data in the database, changing back to NamespaceManagedBy=visync using SQL should be okay.

    If you started with a NamespaceManagedBy=visync target system and you changed to "readonly" using SQL and also did changes to the target system data in the database your best option is a restore of the database. If no suitable backup is available no pretty options are left. To clean up the data inconsistency changing back to NamespaceManagedBy=visync using SQL.
    1) Reset all revision information of the synchronization project and run the synchronization.
    2) Review the synchronization logs, clean up the errors, clean up the outstandings.
    3) Check the jobqueue for frozen jobs and fix there issues
    4) Restart at step 1) till nothing turns up to fix or clean up in step 2) and 3)