Active Directory sync - OneIM as master on specific groups

Hi,

Is it possible to configure One Identity as master on a subset of all AD-groups? We want to be able to take full control over specific groups (preferably via a flag on the groups) while still remaining in partial control over all other groups.

Full control:
- If a user is added directly in AD and not in OneIM, this membership is removed in the next sync

Partial control:
- If a user is added directly in AD and not in OneIM, this membership is synced into OneIM

I'm thinking that I can create a new mapping/workflow in the sync-project for the full control groups, but I'm not sure how to solve this.

  • Hi,
    I hope that you have already managed to find a solution; if this is not the case, here are a couple of tips. The goal is to have different synchronization for the same type of objects. So that these two don't interfere with each other, it is necessary to create new schema classes on the One Identity side and on the target system side. These schema classes need a scope based on the flag. On the One Identity side the scope needs to be based on the column that the flag is mapped against. Then create two mappings, one for the partial control and one for the full control. Then create the workflows for the mappings. For the full control the correct way is to have a sync whose direction is to the target system.

  • Hi Tomi,

    Thank you for the reply. I created new schema classes on both sides with a defined scope. I duplicated the original group-mapping and changed the schemas to be used and created a new workflow in the direction of the target system connected to a new start up configuration.

    When I simulate the start up configuration, everything seems right. One group will be updated (my test group with modified properties from AD). When I run the actual synchronization, it fails with the message: The synchronization step (group (master) - Phase #2) cannot be executed because not all of the mandatory parameters (distinguishedName, objectClass) of method (Insert object) are mapped through the active rules.

    In the execution plan, Phase #2 is trying to synchronize several columns (vrtSecretary, UID_ADSGroup, DistinguishedName, XObjectKey) from OneIM to one column (secretary) in AD.

  • The simulation doesn't execute Phase #2. This is the reason why there are different outcomes.
    It is difficult to say why the synchronization is failing without seeing the system. It is trying to create an object, but doesn't have the mandatory properties. Try to find out which object it is trying to create.
