Task #429
open
Synchronization logs feedback
0%
Description
Feedback for logs of synchronization based on brainstorming of me and Alena P.
List of synchronization logs mixes different types of information in Result field.
Result contains three information insted of one:
1) Situation - because in case of fail is not visible which situation was used.
2) Action - because in case of success is not visible which action was used.
3) Results
Suggestion of solution:
| Summary |
| Missing entity - Create entity - 5 OK / 3 NOK |
| Missing account - Ignore - 10 OK |
-----------------------------------------------
After selection of specific synchronization, next log missing type of Situation, which is important.
Suggestion of solution:
| Situation | Action | Result | Number of operations |
| Missing account | Create Account | Success | 5 |
| Missing account | Create Account | Failed | 3 |
Related issues
Updated by Alena Peterová almost 7 years ago
- Tracker changed from Task to Defect
Changing the type to Defect.
Currect logs are hard to understand for production use. Regular monitoring, solving typical support incidents, or connecting new systems would be complicated and time-consuming.
I will try to explain two most common use cases:
Synchronization of source system (HR system)¶
This is usually run very often, at least every day. At the first sight, I need to distinguish these situations:
A) how many accounts of existing identities were handled and the update was successfull. If there are no accounts, or if there are too many accounts, something is probably wrong with timestamps from HR, that should be checked.
B) how many accounts of existing identities were handled and there was some error - Usually error in HR data or unsupported processes
C) how many accounts didn't have identity and IdM successfully created it. Again, if there are no or too many accounts, there could be something wrong - e.g. creating identities for long-left employees, getting no data from HR for new employees,...
D) how many accounts didn't have identity and IdM couldn't create it - Usually error in HR data, I need to solve it immediatelly, because people will come to work on the first day and nothing is prepared for them.
E) how many "missing accounts" are there. It means usually some error in HR system. Those identities are not correctly updated from HR and can be wrongly handled by personal processes.
On the other hand, typical incident: "What happend with user xy, why wasn't (was) he or she updated and what did IdM do". First thing the administrator needs to do is to check, whether the user was handled by synchronization, what type of situation and what action was used, what was the result. Or whether the user wasn't handled at all, because HR forgot to update him.
Reconciliation of a newly connected end system¶
It is usually run several times.
First, I only want to get information about the Situation - which accounts could be linked to identities and which couldn't - without the actual action. This way I will find out if the correlation is correctly configured. I can also send the information about "missing identity" to the system administrator, who should clean obsolete accounts from the system (there is always some old garbage).
After that, I will run the reconciliation for real. I need to know:
A) how many accounts were already linked before the reconcilation - this number is good for checking that no account is missing
B) how many were newly linked to identities - which ID's to which identities. I will check this report with the administrator, who should approve that linking is correct. (Usual problems: people with the same name have mixed logins, mails or employee numbers and their account are linked incorrectly)
C) how many should be newly linked, IdM tried it, but failed - I will need to find the reason why, correct the errors and run reconciliation again
D) how many accounts are still in "missing identity" state - I will send this report to the administrator, who should approve that those accounts shouldn't be handled by IdM. Or he will find out that there is something wrong in the accounts (missing employeeNumber, typo in login or e-mail which are used for correlation, ....) and must correct them.
This cycle is usually run several times, depending on how much garbage there is on the system.
Updated by Zdeněk Burda almost 7 years ago
- Related to Task #387: Feedback on GUI (when doing admin guide) added
Updated by Alena Peterová over 6 years ago
- Category set to Synchronization
- Add the column Situation in the overview.
There are 2 columns - Action, Result - that mix together 3 pieces of information - Situation, Action, Result. It's sometimes confusing if you don't remember all options, e.g.: green "Create links" means "Not linked -> Create link", but blue "Linked" means "Linked -> Ignore". - Add the list of all processed accounts (updated during running of the synchronization)
I needed to know if some account was already processed and what type of situation. I had to click on detail of every sync result to find it out. - Add shortcut to the log of currently running synchronization - ideally to the list of systems. Now it needs 5 clicks.
Updated by Alena Peterová about 6 years ago
The MISSING_ACCOUNT situation should display the login of the identity, who was the owner of the account. In other situations, the login is displayed correctly. But in MISSING_ACCOUNT there is no way to find out which identity had the missing account. It is also not visible even in Systems > Accounts / Entities. Since the account is really missing, I'm not able to find this information on the end system :)
Updated by Vít Švanda about 6 years ago
I can add this information to item log (id of entity). But I have to find relation between account - entity and load entity. At least for "ignore" action (Missing account situation) this may slow the sync. Is it OK?
Updated by Alena Peterová about 6 years ago
Vít Švanda wrote:
I can add this information to item log (id of entity). But I have to find relation between account - entity and load entity. At least for "ignore" action (Missing account situation) this may slow the sync. Is it OK?
I think it's OK, because:
1) There shouldn't be many MISSING_ACCOUNTS usually.
2) We need this information especially for "ignore" action. I have to know, which identity it is, and only then I can decide which real action is correct (if removing entity, or creating account).