Project

General

Profile

Actions
Copy link

Task #976

closed

Remove comparison by account and entity ids during synchronization

Added by Marcel Poul about 6 years ago. Updated about 6 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Vít Švanda
Category:
Synchronization
Target version:
Hematite (8.0.0)
Start date:
02/20/2018
Due date:
% Done:

100%

Estimated time:
Owner:

Description

Today I came across a situation that the first synchronization of contracts (identities would work too) ended with 500 objects in the state LINKED. Which is of course weird, since it is the first run of synchronization.
The source of the problem is not easy to find.

how to reproduce:

identificator of the synchronization is different from the identificator of the connector - e.g. PersonalNumber (sync) and UID (connector). Even though each attribute values are unique in their scope, they are not unique globally (some UID == PersonalNumber).

Behaviour:

During synchronization, IdM tries to look for Account object in IdM with id of Entity object. If it does not exists and also Contract is not found by Correlation attribute it ends with MISSING ENTITY state. ok then you usually make Create entity operation and thus create those objects:

IdM entity (login=pers. number) | Account (pers. number) | Entity (uid)
1000 | 1000 | 100

Then the synchronization comes to the point when it get object with uid 1000 and found no Entity, so create one. Then the crucial and a little bit tricky part of synchronization takes part: IdM tries to find some Account with id of the same value of current object which is 1000. (Without correlation attribute! just based on chosen id attributes). And voila there is one already created before. Then IdM end this turn with LINKED state.

Thus you can get many LINKED states for the first run of your synchronization. And thus effectively remove from you the option of choosing the id of the synchronization different from connector id (which can be sometimes hardcoded and not much user friendly)

This is from my point of view very confusing behaviour. I discussed this with Vítek and get the point why it was implemented. But thinking of it again and again, it is more confusing that of some benefit. Taking into account that also Provisioning can have its own id, this is very user/admin unfriendly. I would rather remove this comparison from synchronization (as well as we did before with "UPDATE operation instead of CREATE if ids are the same for account and entity").

Related issues

Related to IdStory Identity Manager - Task #977: Account management in GUINewVít Švanda02/20/2018

Actions
Actions
Copy link

Also available in: Atom PDF