
Task #835

closed

Default role for identity sync

Added by Vít Švanda over 6 years ago. Updated over 6 years ago.

Status: Closed
Priority: Normal
Assignee: Vít Švanda
Category: Synchronization
Target version:
Start date: 11/13/2017
Due date:
% Done: 100%
Estimated time:
Owner:


#5

Updated by Marcel Poul over 6 years ago

After a discussion with Vitek, there is a situation that should be solved:

The user has a main contract that has already ended. The user has an account in LDAP, e.g. in an archive OU. We want to start the first LDAP user synchronization. The user should fall into the protected state if this option is ON for LDAP. The user must not be removed from the archive in LDAP and, e.g., moved back to the active users OU.

#6

Updated by Vít Švanda over 6 years ago

  • % Done changed from 0 to 60

Basic implementation is done:

  • Identity sync now has a specific configuration, SysSyncIdentityConfig (table, entity and DTO added for it), where the "default role" can be selected (tab "Specific settings" on the sync configuration).
  • The default role is assigned to the prime contract. The prime contract is returned from IdmIdentityContract.getPrimeValidContract. This contract cannot be invalid. If no valid contract is found, the sync item will be marked as a warning (the role will not be assigned).
  • A role request and concept are created for every sync item (where the default role is assigned).
  • The default role is assigned for every link (identity-account) created during sync. Supported actions: Create entity, Link, Link and update account.
  • Created a change script for creating data in SysSyncIdentityConfig.
  • The discussion shows that we need sync of the protection mode, but this is not the goal of this task. I created task #844 for it.

Remains:
  • Tests
  • Documentation

#7

Updated by Vít Švanda over 6 years ago

  • Status changed from New to In Progress

#8

Updated by Vít Švanda over 6 years ago

  • Assignee changed from Vít Švanda to Alena Peterová
  • % Done changed from 60 to 80
  • Tests were created (IdentitySyncTest).
  • Everything is in develop.
  • Documentation remains. Alca, could you please make it?

#9

Updated by Alena Peterová over 6 years ago

I found some issues during testing on the current develop (4.12.2017). Please look at them (some may not be directly connected to this feature):
  • "Default role" shouldn't be a required field of the synchronization. (Sometimes I don't want to assign any role during synchronization. It wouldn't even be possible for systems without provisioning, e.g. HR systems.)
  • Two "Links to accounts" were created for the user who got the role. Both links are assigned by the role "LDAP". For more info please see the screenshots and the log below.
  • Even if the option is set to "Create link" for the "Not linked" state, the provisioning was called during the synchronization (according to the docs, it shouldn't - https://wiki.czechidm.com/tutorial/adm/synchronization)
  • "Do you really want to start synchronization/reconciliation '' manually?" - the name of the resource is missing in this message and also in the next message about starting the synchronization
I suggest a few language improvements:
  • Collation Attribute -> Correlation Attribute
  • "When sync creating a relation between identity and account, this role will be assigned to the identity. This role will be linked to the main contractual relationship of identity."
    -> "If the synchronization creates a link between an identity and an account, this role will be assigned to the identity. This assignment will be linked to the main contractual relationship of the identity."

-------------------------------------------------------------
More info about duplicated links:
Settings: the system is read-only, the Identifier is "__NAME__" for both Provisioning and Synchronization mapping, Reconciliation is checked, only the state Not linked -> Create link is configured, Default role is "LDAP" (no attributes are mapped within it)

Sync logs show info only about the first link:
2017-12-04T19:33:12.708+01:00: System entity was not found. We will find account for uid (j.doe) directly
-------------------------
2017-12-04T19:33:12.712+01:00: SystemEntity for this uid doesn't exist. We will create it.
-------------------------
2017-12-04T19:33:12.722+01:00: Account doesn't exist in IDM
-------------------------
2017-12-04T19:33:12.728+01:00: Account doesn't exist, but an entity was found by correlation (entity unlinked).
-------------------------
2017-12-04T19:33:12.728+01:00: Unlinked action is LINK
-------------------------
2017-12-04T19:33:12.798+01:00: Account with uid j.doe and id a7fbe217-9289-4568-bf77-500736ac74c8 was created
-------------------------
Default role [LDAP] is defines and will be assigned to the identity [j.doe].
-------------------------
2017-12-04T19:33:13.350+01:00: Entity account relation with id (86cebc46-b3be-4be2-9a2c-8cf3a15552e8), between account (j.doe) and entity (j.doe) was created
-------------------------
2017-12-04T19:33:13.351+01:00: Operation count for [LINK] is [1]

The same duplication of the links happens for the state Missing entity -> Create entity.

#10

Updated by Alena Peterová over 6 years ago

  • Assignee changed from Alena Peterová to Vít Švanda

Please see the comment above.

#11

Updated by Vít Švanda over 6 years ago

  • Status changed from In Progress to Needs feedback
  • Assignee changed from Vít Švanda to Alena Peterová
  • "Default role" shouldn't be a required field of the synchronization. (Sometimes I don't want to assign any role during synchronization. It wouldn't even be possible for systems without provisioning, e.g. HR systems.)
    • I agree, the default role shouldn't be mandatory. I only forgot to remove the validation on the FE. Fixed.
  • Two "Links to accounts" were created for the user who got the role. Both links are assigned by the role "LDAP". For more info please see the screenshots and the log below.
    • The duplication is created by the default role that assigns the same system. The first link is created by assigning the role and the second by the sync.
      I've modified the sync to search for duplicate links in this case. If such a link is found, it is used and a new one is not created. This is logged in the sync log.
  • Even if the option is set to "Create link" for the "Not linked" state, the provisioning was called during the synchronization (according to the docs, it shouldn't - https://wiki.czechidm.com/tutorial/adm/synchronization)
    • The sync generally works as described in the documentation. Provisioning is called here because of the assigned role, which calls provisioning itself. I cannot solve this another way now.
  • "Do you really want to start synchronization/reconciliation '' manually?" - the name of the resource is missing in this message and also in the next message about starting the synchronization
    • Fixed.
  • Translation suggestions were accepted and implemented :-).

Modifications are in develop.
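
The two rules discussed in comment #6 (the default role goes only onto a valid prime contract, otherwise the sync item becomes a warning) and comment #11 (the sync reuses the identity-account link that role provisioning already created instead of adding a duplicate), as an added Python model. This is a constructed illustration, not CzechIdM's own code; Contract, Identity, prime_valid_contract and process_sync_item are assumed names, and the dates and usernames are made up.

```python
# Constructed model of the sync rules in comments #6 and #11; not CzechIdM code.
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

@dataclass
class Contract:
    id: str
    valid_from: Optional[date]
    valid_till: Optional[date]
    main: bool = False
    def is_valid(self, today: date) -> bool:
        started = self.valid_from is None or self.valid_from <= today
        return started and (self.valid_till is None or today <= self.valid_till)

@dataclass
class Identity:
    username: str
    contracts: list
    links: set = field(default_factory=set)  # (system, account_uid) identity-account links

def prime_valid_contract(identity, today):
    """Only a currently valid contract qualifies; a valid main contract is preferred."""
    valid = [c for c in identity.contracts if c.is_valid(today)]
    return ([c for c in valid if c.main] or valid or [None])[0]

def process_sync_item(identity, system, account_uid, default_role, today):
    """Assign default role, then link the account; returns (status, log). Role assignment
    calls provisioning, which itself creates the link, so that link is reused, not duplicated."""
    status, log = "SUCCESS", []
    if default_role is not None:
        contract = prime_valid_contract(identity, today)
        if contract is None:  # e.g. an archived user whose main contract has ended
            status = "WARNING"
            log.append(f"no valid contract; role {default_role} not assigned")
        else:
            log.append(f"role {default_role} requested on contract {contract.id}")
            identity.links.add((system, account_uid))  # created by role provisioning
    if (system, account_uid) in identity.links:
        log.append(f"existing link to {account_uid} reused, duplicate not created")
    else:
        identity.links.add((system, account_uid))
        log.append(f"link to {account_uid} created")
    return status, log

def demo(today=date(2017, 12, 4)):  # constructed date, taken from the log in comment #9
    archived = Identity("j.archived", [Contract("c1", date(2010, 1, 1), date(2016, 6, 30), True)])
    active = Identity("j.doe", [Contract("c2", date(2015, 3, 1), None, True)])
    return (process_sync_item(archived, "LDAP", "j.archived", "LDAP", today),
            process_sync_item(active, "LDAP", "j.doe", "LDAP", today))
```

The archived user ends up linked but without the role, which is the behaviour comment #5 asks for; the active user gets exactly one link even though both role provisioning and the sync want to create it.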

#12

Updated by Alena Peterová over 6 years ago

  • Assignee changed from Alena Peterová to Vít Švanda

Thanks for implementing my comments. I tested it again and everything worked well.

I wrote the admin documentation at https://wiki.czechidm.com/tutorial/adm/synchronization#specific_synchronization_options. I would like to write a complete tutorial for initial reconciliation of a system with a default role sometime during this week, but there is no reason to wait for it in this ticket :-)
I didn't write anything to the devel guide of synchronization (https://wiki.czechidm.com/devel/dev/synchronization), please consider if there is anything that should be added there.

#13

Updated by Vít Švanda over 6 years ago

  • Status changed from Needs feedback to Closed
  • % Done changed from 80 to 100

Nice documentation, thanks for that. I copied this article to the develop documentation. I know it is redundant, but I think it is correct in the documentation.
