Defect #1549

closed

Multiple accounts on system after synchronization

Added by Roman Kučera almost 6 years ago. Updated over 5 years ago.

Status: Closed
Priority: Normal
Assignee: Vít Švanda
Category: Synchronization
Target version:
Start date: 03/12/2019
Due date:
% Done: 100%
Estimated time:
Affected versions:
Owner:

Description

Use case:
I have an AD system with a provisioning mapping (identifier is username) and a synchronization mapping (identifier is username).
Then I configure a synchronization with the personal number as the correlation attribute, and I want to load the username from AD into IdM. I have a default role for this synchronization which assigns the AD system.
When I run this synchronization, the result is that if a user had a different username in IdM and in AD, he now has two accounts for AD: one with the old username (which is not created when the system is read-only, and I don't want to create this account anyway) and one with the new username (the real working account).

This is probably caused when the default role is assigned during synchronization, then provisioning is called, but with the old username.

Possible workarounds: don't configure the provisioning mapping before you run this first synchronization, or don't assign the system to the default role.


Related issues

Related to IdStory Identity Manager - Defect #1852: Synchronization with Do_not_link linked an account to an inactive identity, LINK_PROTECTED linked it without protection (Closed, Vít Švanda, 09/13/2019)

Actions #1

Updated by Vít Švanda over 5 years ago

  • Target version set to Rhyolite (9.7.3)

After consultation with Roman, the problem could occur when the value of the UID from the system and the UID from the entity are different. In this case the AccAccount with the UID is created first, before this value is updated from the system. This is the reason why two accounts can be created.

This is only theory ... not verified yet.

Actions #2

Updated by Vít Švanda over 5 years ago

  • Status changed from New to In Progress
Actions #3

Updated by Vít Švanda over 5 years ago

  • % Done changed from 0 to 70
Actions #4

Updated by Vít Švanda over 5 years ago

  • Status changed from In Progress to Needs feedback
  • Assignee changed from Vít Švanda to Radek Tomiška
  • % Done changed from 70 to 90

This problem occurs during synchronization where:

  1. UIDs from the identity in IdM and on the system are different.
  2. Sync uses a correlation attribute different from the UID attribute.
  3. Sync has a default role set.

Under these conditions, two accounts were created: one for the old UID and one for the new one. The problem was in the phase where the entity in IdM was updated. The link to the entity was created before this update, and that was the reason why the relation with the "old" UID was created.
So the solution for this problem is to change the phase so that the update of the entity is executed before the link is created. There were many problems, because some places counted on the update of the entity happening after the creation of the link (for example, "InactiveOwnerBehavior.NOT-LINK" does not want to update the entity, but the check was in the link-creation method). Further problems were with provisioning, where the update of the entity executed the provisioning.

In the end I solved all the problems (I hope), so the update of the entity is now executed before the link is created.

Commit: https://github.com/bcvsolutions/CzechIdMng/commit/c17bedff935f0a105e345389c3396c79ed6764d7

Commit with the test: https://github.com/bcvsolutions/CzechIdMng/commit/d5cbddcfe47a7a52d2c42eca1fc4c3b3129fd20f
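The ordering problem described in the comment above, as an added example that is not part of the original ticket and not CzechIdM code. It is a simplified Python model with hypothetical names (`Identity`, `sync_record`, `stale_accounts`) and constructed sample data; it assumes provisioning derives the account UID from the entity's current username.

```python
from dataclasses import dataclass, field

@dataclass
class Identity:
    personal_number: str                 # correlation attribute
    username: str                        # UID used by the provisioning mapping
    account_uids: set = field(default_factory=set)  # account relations on the system

def sync_record(identity, system_record, update_before_link):
    """Process one system record for an identity already matched by correlation."""
    def update_entity():
        identity.username = system_record["username"]

    def create_link():
        # Assumption: assigning the default role triggers provisioning, which
        # derives the account UID from the entity's *current* username.
        identity.account_uids.add(identity.username)
        # The synchronization itself links the account found on the system.
        identity.account_uids.add(system_record["username"])

    steps = [update_entity, create_link] if update_before_link else [create_link, update_entity]
    for step in steps:
        step()

def synchronize(identities, system_records, update_before_link):
    by_number = {i.personal_number: i for i in identities}
    for record in system_records:
        identity = by_number.get(record["personal_number"])
        if identity is not None:  # unmatched records are out of scope here
            sync_record(identity, record, update_before_link)

def stale_accounts(identities):
    """Audit: account relations whose UID no longer matches the identity's username."""
    return {i.personal_number: sorted(i.account_uids - {i.username})
            for i in identities if i.account_uids - {i.username}}

def run(update_before_link):
    # Constructed sample data: identity 1001 has a different username in IdM and AD.
    identities = [Identity("1001", "novak.old"), Identity("1002", "svoboda")]
    ad_records = [{"personal_number": "1001", "username": "jnovak"},
                  {"personal_number": "1002", "username": "svoboda"}]
    synchronize(identities, ad_records, update_before_link)
    return stale_accounts(identities)

if __name__ == "__main__":
    print("link before update:", run(update_before_link=False))
    print("update before link:", run(update_before_link=True))
```

The same `stale_accounts` comparison can serve as an audit after a first synchronization: any account relation whose UID differs from the identity's current username is a candidate leftover from the old ordering.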

Actions #5

Updated by Radek Tomiška over 5 years ago

  • Assignee changed from Radek Tomiška to Vít Švanda
  • % Done changed from 90 to 100

I did a test and code review, it works, thx! I configured the system mapping and correlation as mentioned above and I have only one identity account relation.

Actions #6

Updated by Vít Švanda over 5 years ago

  • Status changed from Needs feedback to Resolved
Actions #7

Updated by Vít Švanda over 5 years ago

  • Status changed from Resolved to Closed
Actions #8

Updated by Radek Tomiška over 5 years ago

  • Related to Defect #1852: Synchronization with Do_not_link linked an account to an inactive identity, LINK_PROTECTED linked it without protection added