Active Directory sync - OneIM as master on specific groups

Hi,

Is it possible to configure One Identity as master on a subset of all AD-groups? We want to be able to take full control over specific groups (preferably via a flag on the groups) while still remaining in partial control over all other groups.

Full control:
- If a user is added directly in AD and not in OneIM, this membership is removed in the next sync

Partial control:
- If a user is added directly in AD and not in OneIM, this membership is synced into OneIM

I'm thinking that I can create a new mapping/workflow in the sync-project for the full control groups, but I'm not sure how to solve this.

  • Hi,
    I hope that you have already managed to find a solution; if this is not the case, here are a couple of tips. The goal is to have different synchronization for the same type of objects. So that these two don't interfere with each other, it is necessary to create new schema classes on the One Identity side and on the target system side. These schema classes need a scope based on the flag. On the One Identity side the scope needs to be based on the column that the flag is mapped against. Then create two mappings, one for partial control and one for full control. Then create the workflows for the mappings. For full control the correct way is to have a sync that has the direction to the target system.

  • Hi Tomi,

    Thank you for the reply. I created new schema classes on both sides with a defined scope. I duplicated the original group-mapping and changed the schemas to be used and created a new workflow in the direction of the target system connected to a new start up configuration.

    When I simulate the start up configuration, everything seems right. One group will be updated (my test group with modified properties from AD). When I run the actual synchronization, it fails with the message: The synchronization step (group (master) - Phase #2) cannot be executed because not all of the mandatory parameters (distinguishedName, objectClass) of method (Insert object) are mapped through the active rules.

    In the Execution plan, Phase #2 is trying to synchronize several columns (vrtSecretary, UID_ADSGroup, DistinguishedName, XObjectKey) from OneIM to one column (secretary) in AD.

  • The simulation doesn't execute Phase #2. This is the reason why there are different outcomes.
    It is difficult to say why the synchronization is failing without seeing the system. It is trying to create an object, but doesn't have the mandatory properties. Try to find out which object it is trying to create.

  • I think I got it to work. Here is what I have done:

    1. Extended the ADSGroup table with a new Boolean column, "CCC_FullControl"
    2. Created two new schema classes for OneIM, one named "ADSGroup(OneIM as Master)" with select objects condition CCC_FullControl='True' and one named "ADSGroup(AD as Master)" with CCC_FullControl='False'
    3. Created two new schema classes for AD, one named "group(OneIM as Master)" with select objects condition extensionAttribute1='True' and one named "group(AD as Master)" with extensionAttribute1<>'True'
    4. Edited the default group-mapping to map between "ADSGroup(AD as Master)" and "group(AD as Master)" and added mapping between CCC_FullControl and extensionAttribute1
    5. Added a new mapping to map between "ADSGroup(OneIM as Master)" and "group(OneIM as Master)" based on the previous mapping, with mapping direction: Target system. Some of the mapping rules (such as Members_OUT) are set to correct rogue modifications. The Members_IN mapping is removed.
    6. Added a new workflow called "Group Sync (OneIM as Master)" with sync-direction One Identity Manager. This is responsible for overwriting changes done directly in AD. Contains only one step, group (OneIM as Master), that updates modified objects when synchronizing from target system to One Identity Manager
    7. Edited the default Provisioning workflow to add a step for "group (OneIM as Master)"
    8. Added a Start up configuration for Group Sync (OneIM as master)

    Thank you for pointing me in the right direction, Tomi
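
The eight steps above define a rule for each group: if the flag is set, OneIM is master and a membership that exists only in AD is rogue; if it is not set, AD is master and such a membership is pulled into OneIM. The following script is an added example, not code from this thread and not part of One Identity Manager; it models that rule offline on constructed data so the expected outcome of a sync can be checked before running it. The group names, member names and the `sample_data()` fixture are made up for illustration. It also flags the case where the two scope conditions disagree (CCC_FullControl set on the OneIM side, extensionAttribute1 not equal to 'True' on the AD side, for example before the flag has been provisioned): such a group falls into the OneIM-master class on one side and the AD-master class on the other, so neither mapping pairs it with its counterpart.

```python
"""Model of the split-mastering rule from the thread (added example, not OneIM code).

Actions produced per group:
  ad.remove      OneIM is master; member exists only in AD (rogue) -> remove in AD
  ad.add         member exists only in OneIM -> provision to AD
  oneim.import   AD is master; member exists only in AD -> import into OneIM
  flag.mismatch  CCC_FullControl and extensionAttribute1 disagree; group is in
                 different schema classes on the two sides, nothing is paired
  object.missing group exists on one side only
"""
from dataclasses import dataclass, field


@dataclass
class GroupState:
    """One group as seen by one side (OneIM or AD)."""
    name: str
    oneim_master: bool              # CCC_FullControl (OneIM) / extensionAttribute1='True' (AD)
    members: set = field(default_factory=set)


def ad_flag_is_true(value):
    """AD-side scope test from step 3: extensionAttribute1='True' vs <>'True'.
    An absent or different value (None, '', 'yes') lands in the AD-master class."""
    return value == "True"


def reconcile(oneim, ad):
    """Compare both sides and return a sorted list of (group, action, member)."""
    actions = []
    for name in sorted(set(oneim) | set(ad)):
        o, a = oneim.get(name), ad.get(name)
        if o is None or a is None:
            actions.append((name, "object.missing", "oneim" if o is None else "ad"))
            continue
        if o.oneim_master != a.oneim_master:
            # Scope conditions disagree: "ADSGroup(OneIM as Master)" on one side,
            # "group(AD as Master)" on the other. Neither mapping sees a pair.
            actions.append((name, "flag.mismatch", ""))
            continue
        ad_only = a.members - o.members
        oneim_only = o.members - a.members
        if o.oneim_master:
            # Full control: Members_OUT corrects rogue memberships in AD (step 5)
            actions += [(name, "ad.remove", m) for m in sorted(ad_only)]
        else:
            # Partial control: default mapping imports the membership (step 4)
            actions += [(name, "oneim.import", m) for m in sorted(ad_only)]
        # Assumption: the default provisioning workflow (step 7) still pushes
        # OneIM memberships to AD in both modes.
        actions += [(name, "ad.add", m) for m in sorted(oneim_only)]
    return actions


def sample_data():
    """Constructed fixture: OneIM side keyed by CCC_FullControl, AD side by raw
    extensionAttribute1 values as they would be read from the directory."""
    oneim = {
        "G-FullControl": GroupState("G-FullControl", True, {"alice", "bob"}),
        "G-Partial": GroupState("G-Partial", False, {"carol"}),
        "G-Mismatch": GroupState("G-Mismatch", True, {"dave"}),
    }
    ad_raw = {
        "G-FullControl": ("True", {"alice", "eve"}),   # eve added directly in AD, bob not yet there
        "G-Partial": (None, {"carol", "frank"}),        # frank added directly in AD
        "G-Mismatch": (None, {"dave"}),                 # flag set in OneIM, not yet in AD
    }
    ad = {n: GroupState(n, ad_flag_is_true(flag), members) for n, (flag, members) in ad_raw.items()}
    return oneim, ad


if __name__ == "__main__":
    for group, action, member in reconcile(*sample_data()):
        print(f"{group:15} {action:14} {member}")
```

Running it lists one `ad.remove` for the rogue member of the full-control group, one `oneim.import` for the member added directly to the partial-control group, an `ad.add` for the OneIM-only member, and a `flag.mismatch` for the group whose flag has not reached AD; the last one is the condition worth checking when a sync step reports an unexpected Insert.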