Re: Synchronize task does not remove users from syncope?

Thu, 10 Mar 2016 08:56:29 -0800 

On 10/03/2016 17:23, Kettunen, Juhani wrote:


Hello,


I have two external resources working fine (AD and PostgreSQL 
database) as well as a synchronize task from the AD.



The sync task does create and update all users in syncope and in the 
database, but it does not remove any users (deprovision). For example 
if I delete a user in AD it doesn’t get deleted from Syncope’s 
internal users and therefore not from the external resource either.



This same applies when I edit a previously synchronized user in Active 
Directory so that it doesn’t meet connectors membership or 
accountSearchFilter rules anymore – it does not get removed from 
Syncope and other resources.


What am I missing?


The Synchronization Task has only Matching (update) and Unmatching 
(provision). Should it have at least a third matching rule: Source 
Missing Rule – which would most likely always be used for deprovisioning?




Hi,

synchronization from Syncope either relies on ConnId's SEARCH [1] or 
SYNC [2], depending on whether you've set the the "Full reconciliation" 
flag on the related SyncTask.



With that option flagged, Syncope will barely ask the external resource 
for all users available at the moment; without such flag, Syncope will 
ask for all the changes occurred since previous synchronization.
Only the latter is the capable of instructing Syncope about to delete 
users (or roles).

More information on this topic is available at [3].


Please consider that not all ConnId connectors implement SYNC - but 
either Active Directory [4], Database table [5] and Scripted SQL [6] do.
In any case, SYNC might required additional configuration options on the 
related connector instance.


Hope this helps.
Regards.


[1] 
http://connid.tirasa.net/apidocs/1.4/org/identityconnectors/framework/api/operations/SearchApiOp.html
[2] 
http://connid.tirasa.net/apidocs/1.4/org/identityconnectors/framework/api/operations/SyncApiOp.html

[3] https://cwiki.apache.org/confluence/display/SYNCOPE/Synchronization
[4] https://connid.atlassian.net/wiki/pages/viewpage.action?pageId=360482
[5] https://connid.atlassian.net/wiki/display/BASE/Database+Table
[6] https://connid.atlassian.net/wiki/display/BASE/Scripted+SQL

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Involved at The Apache Software Foundation:
member, Syncope PMC chair, Cocoon PMC, Olingo PMC, CXF committer
http://home.apache.org/~ilgrosso/























					Reply via email to