Introduction
The UpdateIdentityTask task's main responsibility is to keep identities in sync with the related entities and the configuration. It resolves the attribute mappings, checks whether the identity should be active, and performs anonymization.
Property | Value |
---|---|
GUID | |
Scheduled by default | |
Interval in seconds | 600 |
Concurrent | |
Parameters | |
...
Action Performed
The task loops through Identities and performs three main actions.
Task Details
Base Update / Anonymization WorkItems
All three sub-actions are based on a base configuration:
Base Update/Anonymization | Condition |
---|---|
Identity Type Feature | UpdateIdentity (5) has to be active |
System Type Feature | UpdateIdentity (9c2349cf25db4366b28541efbe374492) has to be active |
(optional) CoreIdentity Ids | Identity has to belong to one of the Core Identities |
And at least one of the following condition sets: | |
Active identities: | |
Core Identity | State = Active (1) OR AnonymizationStatus = PendingAnonymization (2) |
Identity | CreationState = Ready (2) |
To anonymize: | |
Core Identity | State = Deleted (2) AND AnonymizationStatus = PendingAnonymization (2) |
Inactive but with update enabled: | |
Identity Type Feature | UpdateIdentityWhenCoreIdentityIsDisabled (13) has to be active |
Core Identity | State = Deleted (2) |
Deactivate because CoreIdentity is suspended: | |
Core Identity | State = Suspended (3) |
Identity | Active |
Reactivate because CoreIdentity no longer suspended: | |
Core Identity | State = Active (1) |
Identity | NOT Active AND DeactivatedBy IS EMPTY |
And does not match the condition set below (ignored because they are suspended): | |
Core Identity | State = Suspended (3) |
Identity | NOT Active |
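The condition table above can be read as a single predicate. The following is an added example, not the product's own code: the `Candidate` record and its field names are hypothetical, rows inside one condition set are assumed to be combined with AND, and `None` is a constructed stand-in for "no anonymization status".

```python
from dataclasses import dataclass, field
from typing import Optional, Set

# Numeric values as given in the condition table above.
CI_ACTIVE, CI_DELETED, CI_SUSPENDED = 1, 2, 3
PENDING_ANONYMIZATION = 2
CREATION_READY = 2
FEAT_UPDATE_IDENTITY, FEAT_UPDATE_WHEN_CI_DISABLED = 5, 13

@dataclass
class Candidate:
    """Hypothetical flattened row: identity, its core identity and feature flags."""
    ci_state: int
    active: bool
    creation_state: int = CREATION_READY
    ci_anonymization_status: Optional[int] = None  # None = constructed "not set"
    deactivated_by: Optional[str] = None
    core_identity_id: int = 1
    type_features: Set[int] = field(default_factory=lambda: {FEAT_UPDATE_IDENTITY})
    system_update_identity: bool = True  # System Type Feature UpdateIdentity

def is_base_work_item(c: Candidate, core_identity_ids: Optional[Set[int]] = None) -> bool:
    # Mandatory base conditions.
    if FEAT_UPDATE_IDENTITY not in c.type_features or not c.system_update_identity:
        return False
    if core_identity_ids is not None and c.core_identity_id not in core_identity_ids:
        return False
    # Exclusion set: suspended core identity whose identity is already inactive.
    if c.ci_state == CI_SUSPENDED and not c.active:
        return False
    pending = c.ci_anonymization_status == PENDING_ANONYMIZATION
    return any((
        (c.ci_state == CI_ACTIVE or pending) and c.creation_state == CREATION_READY,
        c.ci_state == CI_DELETED and pending,                    # to anonymize
        FEAT_UPDATE_WHEN_CI_DISABLED in c.type_features and c.ci_state == CI_DELETED,
        c.ci_state == CI_SUSPENDED and c.active,                 # deactivate
        c.ci_state == CI_ACTIVE and not c.active and not c.deactivated_by,  # reactivate
    ))

# Constructed sample rows (not real data).
SUSPENDED_ACTIVE = Candidate(ci_state=CI_SUSPENDED, active=True)
SUSPENDED_INACTIVE = Candidate(ci_state=CI_SUSPENDED, active=False,
                               ci_anonymization_status=PENDING_ANONYMIZATION)
DELETED_PLAIN = Candidate(ci_state=CI_DELETED, active=True)

if __name__ == "__main__":
    for row in (SUSPENDED_ACTIVE, SUSPENDED_INACTIVE, DELETED_PLAIN):
        print(row.ci_state, row.active, is_base_work_item(row))
```

`SUSPENDED_INACTIVE` would match the "active identities" set through its PendingAnonymization status, so it is the exclusion set alone that keeps it out of the work items.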
Update Identity
Update Identity - Filter
Update Identity Workitems | Condition |
---|---|
All conditions from Base Update/Anonymization have to be met | |
IdentityType → Target System Feature | UpdateIdentity (9c2349cf25db4366b28541efbe374492) has to be active |
Update Identity - Action
Works on identities found in Update Identity - Filter.
Calculates the new attribute value based on the identity provisioning mapping.
Only for attribute values where the attribute exists in the identity provisioning mapping and that does NOT have BindingMode OneWayToSource (1).
The attribute has to be updatable (on the identity provisioning mapping).
Column | Changes | |
---|---|---|
Identity Attribute Value | SerializedValue | Value calculated based on |
Identity Attribute Value | HasChanged | Set to true if attribute values |
Identity Attribute Value | ToDelete | Set to true if attribute values should be deleted on target system |
Identity Attribute Value | OldSerializedValue | Previous value that was calculated and provisioned in the target system (no provisioning is done in this task, but from the HasChanged flag we can infer what happened) |
There is logic that calculates if identity should still be active or not.
The identity is calculated as should-be inactive when any of the following conditions is fulfilled:
Identity is not active and was deactivated manually (there is no DeactivatedBy),
Core Identity is in State Suspended (3)
Identity Type Feature SetInactiveIfNoActiveAssignment (7) is not active
AND Core Identity is not in State Active (1)
Identity Type Feature SetInactiveIfNoActiveAssignment (7) is active
AND there is no valid Resource Assignment for Identity (valid by ValidFrom/ValidTo dates)
OR CoreIdentity is not in State Active (1)
If the Identity activity flag changes, an event is raised: either UserAccountActivated or UserAccountDeactivationRequested.
If any attribute value was changed, the ProvisionIdentityChangesTask is fast-tracked for this Identity. This happens only when the OnCreateFastTrackEnabled (42) global setting is enabled.
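An added sketch of the activity calculation described above (not the product's code). The AND/OR in the last condition can be grouped two ways, so the function accepts both readings and `groupings_agree` checks that, combined with the other conditions, they give the same result. Function and parameter names are hypothetical, ValidFrom/ValidTo bounds are assumed inclusive, and the direction of each event is assumed from its name.

```python
from datetime import date
from itertools import product

CI_ACTIVE, CI_SUSPENDED = 1, 3  # Core Identity states as numbered above

def has_valid_assignment(assignments, today):
    """assignments: (valid_from, valid_to) pairs; None is an open-ended bound."""
    return any((f is None or f <= today) and (t is None or today <= t)
               for f, t in assignments)

def should_be_inactive(manual, ci_state, feature7, valid, or_binds_loosest=True):
    """Literal transcription of the four conditions.
    manual   = identity is not active and was deactivated manually
    feature7 = SetInactiveIfNoActiveAssignment (7) is active
    valid    = a valid Resource Assignment exists
    or_binds_loosest selects how the last condition's AND/OR is grouped."""
    ci_not_active = ci_state != CI_ACTIVE
    if or_binds_loosest:
        last = (feature7 and not valid) or ci_not_active
    else:
        last = feature7 and (not valid or ci_not_active)
    return (manual or ci_state == CI_SUSPENDED
            or (not feature7 and ci_not_active) or last)

def simplified(manual, ci_state, feature7, valid):
    """What the four conditions reduce to under either grouping."""
    return manual or ci_state != CI_ACTIVE or (feature7 and not valid)

def activity_event(was_active, manual, ci_state, feature7, valid):
    """Event name when the activity flag flips, else None (direction assumed)."""
    now_active = not should_be_inactive(manual, ci_state, feature7, valid)
    if now_active == was_active:
        return None
    return "UserAccountActivated" if now_active else "UserAccountDeactivationRequested"

def groupings_agree():
    """Exhaustively compare both groupings with the simplified rule."""
    return all(
        should_be_inactive(m, s, f, v, True) == should_be_inactive(m, s, f, v, False)
        == simplified(m, s, f, v)
        for m, s, f, v in product((False, True), (1, 2, 3), (False, True), (False, True)))

if __name__ == "__main__":
    print(groupings_agree())
```

In effect, any core identity state other than Active makes the identity should-be inactive regardless of the feature flag; the flag only adds the "no valid assignment" trigger.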
Anonymization
Anonymization - Filter
Anonymization Workitems | Condition |
---|---|
All conditions from Base Update/Anonymization have to be met | |
Identity | State = PendingAnonymization (2) |
Anonymization - Action
Works on identities found in Anonymization - Filter.
Changes | Condition | |
---|---|---|
Identity | AnonymizationStatus set to AnonymizationStarted (3) | There were changes of attribute values |
Identity | AnonymizationStatus set to HistoryAnonymizationNeeded (4) | There were NO changes of attribute values |
Deactivate identities with inactive core identity
...
Deactivate identities - Filter
Deactivate identities with inactive core identity | Condition |
---|---|
Identity Type Feature | UpdateIdentity (5) has to be active |
System Type Feature | UpdateIdentity (9c2349cf25db4366b28541efbe374492) has to be active |
Core Identity | State = Deleted (2) |
Identity | Active |
Deactivate identities - Action
Works on identities found in Deactivate identities - Filter.
Changes | |
---|---|
Identity | Active set to false |
Identity | HasActiveChanged set to true |
Involved in processes
provisioning changes
anonymization
deactivation
...
Large processes
This task is involved in larger multi-task processes that are documented below:
provisioning/propagating changes (separate page with a simple diagram of how a change flows from task to task)
anonymization AnonymizationTask
identity lifecycle (deactivation)