Introduction

The main responsibility of the UpdateIdentityTask is to keep identities in sync with the related entities and the configuration. It resolves the attribute mappings, checks whether the identity should be active, and performs anonymization.

Value

  • GUID: 9c2349cf25db4366b28541efbe374492
  • Scheduled by default: Yes
  • Interval in seconds: 600
  • Concurrent: Yes

Parameters

uint[] with CoreIdentity Ids


Action Performed

The task loops through Identities and performs three main actions:

Task Details

Base Update / Anonymization WorkItems

All three sub-actions are based on a base configuration:

Base Update/Anonymization

Condition

  • Identity Type Feature: UpdateIdentity (5) has to be active
  • System Type Feature: UpdateIdentity (9c2349cf25db4366b28541efbe374492) has to be active
  • (optional) CoreIdentity Ids uint[] from task parameter: Identity has to belong to one of the Core Identities

And at least one of the following condition sets:

Active identities:

  • Core Identity: State = Active (1) OR AnonymizationStatus = PendingAnonymization (2)
  • Identity: CreationState = Ready (2)

To anonymize:

  • Core Identity: State = Deleted (2) AND AnonymizationStatus = PendingAnonymization (2)

Inactive but with update enabled:

  • Identity Type Feature: UpdateIdentityWhenCoreIdentityIsDisabled (13) has to be active
  • Core Identity: State = Deleted (2)

Deactivate because CoreIdentity is suspended:

  • Core Identity: State = Suspended (3)
  • Identity: Active

Reactivate because CoreIdentity no longer suspended:

  • Core Identity: State = Active (1)
  • Identity: NOT Active AND DeactivatedBy IS EMPTY

And does not match the condition set below (ignored because they are suspended):

  • Core Identity: State = Suspended (3)
  • Identity: NOT Active
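The base conditions above written out as a predicate, useful for checking which identities a run would pick up and why. This is an added example, not the product's code. The `Candidate` record, its field names, the rule labels, the status value 0 in the samples and the reading that the rows inside one condition set combine with AND are assumptions.

```python
from dataclasses import dataclass

# Enum values as printed on the page.
CORE_ACTIVE, CORE_DELETED, CORE_SUSPENDED = 1, 2, 3
PENDING_ANONYMIZATION = 2
CREATION_READY = 2

@dataclass
class Candidate:  # hypothetical flattened view of an identity and its core identity
    core_identity_id: int
    core_state: int
    anonymization_status: int
    creation_state: int
    active: bool
    deactivated_by: str = ""
    type_feature_update: bool = True         # Identity Type Feature UpdateIdentity (5)
    system_feature_update: bool = True       # System Type Feature UpdateIdentity
    update_when_core_disabled: bool = False  # Identity Type Feature (13)

def matched_sets(c, core_ids=None):
    """Return the condition sets a candidate matches; an empty list means no work item."""
    if not (c.type_feature_update and c.system_feature_update):
        return []
    if core_ids is not None and c.core_identity_id not in core_ids:
        return []
    # Exclusion set: core identity suspended and identity already inactive.
    if c.core_state == CORE_SUSPENDED and not c.active:
        return []
    pending = c.anonymization_status == PENDING_ANONYMIZATION
    rules = {
        "active": (c.core_state == CORE_ACTIVE or pending)
                  and c.creation_state == CREATION_READY,
        "to_anonymize": c.core_state == CORE_DELETED and pending,
        "inactive_update_enabled": c.update_when_core_disabled
                                   and c.core_state == CORE_DELETED,
        "deactivate_suspended": c.core_state == CORE_SUSPENDED and c.active,
        "reactivate": c.core_state == CORE_ACTIVE and not c.active
                      and not c.deactivated_by,
    }
    return [name for name, hit in rules.items() if hit]

# Constructed sample records (status 0 stands for "no anonymization pending").
SAMPLES = {
    "suspended_still_active": Candidate(3, CORE_SUSPENDED, 0, CREATION_READY, True),
    "deleted_still_active": Candidate(4, CORE_DELETED, 0, CREATION_READY, True),
}
```

The `deleted_still_active` sample matches no base set unless feature 13 is on; such identities are covered by the separate Deactivate identities filter.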

Update Identity

Update Identity - Filter

Actions performed

write about subfilters

Anonymization

For identities found in Update/Anonymization

Changes

Condition

Identity has to be in state PendingAnonymization (2)

Update Identity Workitems

Condition

(update subfilter)

(anonymization subfilter)


All conditions from Base Update/Anonymization have to be met

  • IdentityType → Target System Feature: UpdateIdentity (9c2349cf25db4366b28541efbe374492) has to be active

Update Identity - Action

Works on identities found in Update Identity - Filter.

Calculates the new attribute value based on the identity provisioning mapping.

Applies only to attribute values whose attribute exists in the identity provisioning mapping and does NOT have BindingMode OneWayToSource (1).

The attribute has to be updatable (on the identity provisioning mapping).

Column / Changes

  • Identity Attribute Value, SerializedValue: Value calculated based on identity provisioning mapping
  • Identity Attribute Value, HasChanged: Set to true if attribute values
  • Identity Attribute Value, ToDelete: Set to true if attribute values should be deleted on target system
  • Identity Attribute Value, OldSerializedValue: Previous value that was calculated and provisioned in the target system (no provisioning is done in this task, but looking at the HasChanged flag we can assume what happened)

The task also calculates whether the identity should still be active.

The identity is calculated as should-be inactive when any of the following conditions is fulfilled:

  • Identity is not active and was deactivated manually (there is no DeactivatedBy)

  • Core Identity is in State Suspended (3)

  • Identity Type Feature SetInactiveIfNoActiveAssignment (7) is not active

    • AND Core Identity is not in State Active (1)

  • Identity Type Feature SetInactiveIfNoActiveAssignment (7) is active

    • AND there is no valid Resource Assignment for Identity (valid by ValidFrom/ValidTo dates)

      • OR CoreIdentity is not in State Active (1)
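The rule list above as a function that returns which rules fire, plus a drift check for identities still flagged active. This is an added example, not the product's code. The record shapes and field names are hypothetical, open-ended ValidFrom/ValidTo dates are assumed to count as valid, and manual deactivation is modelled as a plain flag rather than derived from DeactivatedBy.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

ACTIVE, DELETED, SUSPENDED = 1, 2, 3  # Core Identity State values from the page

@dataclass
class Assignment:  # hypothetical shape of a Resource Assignment
    valid_from: Optional[datetime] = None  # None = open-ended (assumption)
    valid_to: Optional[datetime] = None

@dataclass
class Identity:  # hypothetical record, not the product's schema
    name: str
    active: bool
    core_state: int
    deactivated_manually: bool = False  # derivation from DeactivatedBy not modelled
    feature_7: bool = False  # SetInactiveIfNoActiveAssignment (7) is active
    assignments: list = field(default_factory=list)

def has_valid_assignment(identity, now):
    # Valid when `now` falls inside the ValidFrom/ValidTo window.
    return any((a.valid_from is None or a.valid_from <= now)
               and (a.valid_to is None or now <= a.valid_to)
               for a in identity.assignments)

def inactive_reasons(identity, now):
    """Return every rule from the list that makes the identity should-be inactive."""
    core_not_active = identity.core_state != ACTIVE
    reasons = []
    if identity.deactivated_manually:
        reasons.append("deactivated manually")
    if identity.core_state == SUSPENDED:
        reasons.append("core identity suspended")
    if not identity.feature_7 and core_not_active:
        reasons.append("feature 7 off and core identity not active")
    if identity.feature_7 and (core_not_active
                               or not has_valid_assignment(identity, now)):
        reasons.append("feature 7 on and no valid assignment or core identity not active")
    return reasons

def activity_drift(identities, now):
    """Map name -> reasons for identities still flagged active that should not be."""
    checked = ((i, inactive_reasons(i, now)) for i in identities)
    return {i.name: r for i, r in checked if i.active and r}

# Constructed sample data.
NOW = datetime(2024, 6, 1)
EXPIRED = [Assignment(valid_to=datetime(2024, 1, 1))]
SAMPLE = [Identity("bob", True, SUSPENDED),
          Identity("carol", True, ACTIVE, feature_7=True, assignments=EXPIRED)]
```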

If the Identity activity flag is changed, an event is raised. It may be a UserAccountActivated or a UserAccountDeactivationRequested event.

If any attribute value was changed, the ProvisionIdentityChangesTask will be fast-tracked for this Identity. It will be run only when the OnCreateFastTrackEnabled (42) global setting is enabled.

Anonymization

Anonymization - Filter

Anonymization Workitems

Condition

All conditions from Base Update/Anonymization have to be met

  • Identity: State = PendingAnonymization (2)

Anonymization - Action

Works on identities found in Anonymization - Filter.

Changes / Condition

  • Identity: AnonymizationStatus set to AnonymizationStarted (3). Condition: There were changes of attribute values
  • Identity: AnonymizationStatus set to HistoryAnonymizationNeeded (4). Condition: There were NO changes of attribute values

Deactivate identities with inactive core identity


Deactivate identities - Filter

Deactivate identities with inactive core identity

Condition

  • Identity Type Feature: UpdateIdentity (5) has to be active
  • System Type Feature: UpdateIdentity (9c2349cf25db4366b28541efbe374492) has to be active
  • Core Identity: State = Deleted (2)
  • Identity: Active

Deactivate identities - Action

Works on identities found in Deactivate identities - Filter.

Changes

  • Identity: Active set to false
  • Identity: HasActiveChanged set to true

Involved in processes

provisioning changes

anonymization

deactivation


Large processes

This task is involved in larger multi-task processes that are documented below:

  • provisioning/propagating changes (separate page with a simple diagram showing how a change flows from task to task)

  • anonymization AnonymizationTask

  • identity lifecycle (deactivation)