Identity Broker Forum
Welcome to the community forum for Identity Broker.
Browse the knowledge base, ask questions directly to the product group, or leverage the community to get answers. Leave ideas for new features and vote for the features or bug fixes you want most.
 
How to achieve continuous compliance (target system value reversion) at the same time as responding quickly to urgent data updates (e.g. user suspension)

I have a solution with ~7000 managed AD user accounts. To ensure any unauthorised changes to those accounts are reverted (continuous compliance) I run regular Baseline Sync operations on the outgoing link.
These Baseline Syncs take approximately 25 minutes to run, and during that time no other link synchronisations run. This means urgent updates (such as SPOL user suspension functionality) are delayed.
What can I do to ensure fast response for urgent operations, while also having continuous compliance with a reasonable turn-around time (i.e. checked every hour or so - keeping in mind that an import all for my AD users only takes around 50 seconds to run)?
 
This has been implemented and is available in the release of UNIFYConnect V6, which will be made available shortly.
Performance is significantly improved, with baseline syncs on pages of 5000 entities taking ~30 seconds.
 
UNIFYConnect UI shows DataTables error for Remove Joins

The Remove Joins screen shows an error when invoked, in all dev/test UNIFYConnect environments.

 
Locker change not synchronising to outgoing adapter entity

An update to a locker field value is not resulting in a pending outgoing change on to an adapter entity.
The adapter entity should be joined, but the Remove Joins screen shows a DataTables Error so I can't confirm that.
Locker Entity Id = c7e8a490-6cfb-4ec1-9067-42906411aed0
Adapter Entity Id = 0645e285-577e-4218-afb6-745f1ee08600
The issue is urgent since the customer's UAT is failing due to this error.
 
Closing as root cause has been found.
The locker uses information from the incoming and outgoing mappings and their sources to determine the entities that need syncing during a Changes Sync.
In this case, the Synchronisation PowerShell task was being used to read a value from the adapter and insert it into a locker schema field without being mapped in the link schema mappings. In this case, the locker doesn't know that the value has been changed. It was also then being mapped back out to another adapter in the same manner.
If there's an implementation need to map the items in PowerShell rather than using the normal mappings (while we would encourage considering why this is necessary), a possible workaround is to map the field through a normal mapping to the locker and back out the other side of the link. That allows the link processing to determine when the value has changed, and correctly queue an outgoing change for this item.
We've added an item to our backlog to see if there's anything we can add to the product to improve this process - such as being able to better calculate changes that may not have come in through a link mapping, or to allow sync tasks access to pre and post joined value sets so operations can be run on value changes without the script needing to also map the value.
 
Configuration guidance required

In a UNIFYConnect ABAC solution we use appointment information (i.e. a user's Employee ID, Position, Department, Team, Location and Start Date) along with customer-managed rules in order to determine which access packages the user should be automatically assigned to.
My customer has two sources of appointment information: one is directly on the employee, and the other is via a separate feed of secondary appointments. Each employee has one primary appointment and zero or more secondary appointments.
In order to combine the appointments into one data source, I use the following paths into the Appointment locker:
Employee connector/adapter -> link -> Appointment locker
Secondary appointment connector/adapter -> link -> Appointment locker
The employee connector is keyed solely on Employee ID, but the Secondary appointment connector is keyed on Employee ID, Position, Department, Team, Location and Start Date, to guarantee uniqueness.
On the outgoing side the following path writes the combined Appointments to a CSV file for processing outside of UNIFYBroker:
Appointment locker -> link -> Appointments CSV connector/adapter
The Appointments CSV connector is keyed on Employee ID, Position, Department, Team, Location and Start Date, to guarantee uniqueness.
All links use connection-oriented join resolution.
When an existing Employee connector entity changes Department, Team (etc) the existing Appointment locker record is updated with new values for those fields. For the export to the Appointments CSV connector, this causes a problem because that update is processed as an anchor modification, which is not supported for CSV connector types.
This problem doesn't occur on the Secondary appointments connector, because the multi-part key ensures that changes to any key field result in a delete/add operation instead of an update.
How can I configure UNIFYBroker to make this scenario work correctly?
 
Hi Adrian
Creating a derived key generated from adapter transformations might help.
For the secondary appointment entities, use a PowerShell transformation to generate a unique value based on the Position, Department, Team, Location and Start Date fields that persists their uniqueness quality, but reduces them to a single field. A hash of some kind of their combined values should be sufficient. I'd also add a static prefix for a further uniqueness guarantee. The resulting value may look something like sec_c9uQNFGLgC.
On the primary adapter, use a constant value transformation to add a derived key field to differentiate primary appointments from secondary ones. The value set can be anything, but shouldn't be anything that could be generated by the transformation on the secondary appointment adapter, i.e. primary_appointment.
Use the derived key in conjunction with the EmployeeId field for link joins and as key fields on the Appointments CSV connector. This should provide a stable, two-field anchor based on the immutable secondary appointment properties, but not the mutable properties of the primary appointment.
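
The derived key suggested in the reply above, sketched as a stand-alone PowerShell function. This is an added example, not part of the original post and not UNIFY's code; the function name, parameter names and sample values are hypothetical, and the choice of SHA-256, whitespace trimming and an 8-byte truncation are assumptions. Wiring it into an adapter transformation is left to the product's own configuration.

```powershell
# Added illustration: the function name, parameter names and sample values are
# hypothetical and are not UNIFYBroker APIs.
function Get-AppointmentDerivedKey {
    param(
        [string]   $Position,
        [string]   $Department,
        [string]   $Team,
        [string]   $Location,
        [Parameter(Mandatory)][datetime] $StartDate,
        [string]   $Prefix = 'sec_'
    )

    # Fixed-format date so the key does not depend on the server's culture settings.
    $date = $StartDate.ToString('yyyy-MM-dd', [cultureinfo]::InvariantCulture)

    # Length-prefix every field before joining: plain concatenation would give
    # ('AB','C') and ('A','BC') the same input string, and so the same key.
    $canonical = (@($Position, $Department, $Team, $Location, $date) | ForEach-Object {
        $value = $_.Trim()
        '{0}:{1}' -f $value.Length, $value
    }) -join '|'

    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    try {
        $digest = $sha256.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($canonical))
    }
    finally {
        $sha256.Dispose()
    }

    # 8 bytes (16 hex characters) keeps the key short; it only has to be unique
    # among one employee's appointments because EmployeeId is the other key field.
    $hex = -join ($digest[0..7] | ForEach-Object { $_.ToString('x2') })
    return "$Prefix$hex"
}

# Constructed sample rows: same field text, different field boundaries.
$a = Get-AppointmentDerivedKey -Position 'Analyst' -Department 'Finance' -Team 'AP' -Location 'Perth' -StartDate '2023-01-09'
$b = Get-AppointmentDerivedKey -Position 'Analyst' -Department 'FinanceA' -Team 'P' -Location 'Perth' -StartDate '2023-01-09'
"{0}`n{1}`ndistinct: {2}" -f $a, $b, ($a -ne $b)
```

Because the key is a pure function of the five fields, the same appointment yields the same key on every import, while a change to any field yields a new key and therefore a delete/add on the CSV side.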
  
 
Adapter data not mapping to locker during baseline sync

Some adapter field data isn't being updated in their locker entity when a baseline sync is run.
Screen snaps will be in a follow-up comment.
 
This has been implemented and is available in the release of UNIFYConnect V6, which will be made available shortly.
 
Exclusion group not stopping connector import/export operations from running in parallel

I have three connectors in an exclusion group, and yet imports on one connector in the group can run at the same time as exports on another connector in the group. Exclusion groups should stop this from happening, to avoid two operations (Aurion API calls in this case) from both taking place at the same time.
 
Hi Adrian,
Exclusion groups are only capable of blocking for import operations (see Connector Overview / UNIFYBroker knowledge / UNIFY Solutions for more details).
Connectors don't control the invocation of the export capability, as this is triggered by external processes (generally an identity management system through a Gateway, or more recently through UNIFYBroker/Plus Link operations).
Export operations are designed to provide immediate communication with the external system, due to the way Gateways are required to communicate the operation status rather than queuing it for a later execution.
If you'd like, we can have some discussions about the role an export exclusion capability would play in the UNIFYBroker/Plus ecosystem? It would require careful consideration to ensure we don't impact the correct function of gateways. In an ideal scenario you would line your import and link schedules up so they don't overlap, but I understand this can be difficult in complex configuration scenarios.
 
Change Polling sometimes doesn't run when there are pending changes

Occasionally Change Polling won't start, even though there are pending sync changes showing. Running a Baseline Sync clears the issue and subsequent changes make Change Polling work normally, so the workaround is to always have periodic Baseline Syncs scheduled in the solution.
Sadly, I have no idea what causes this or how to replicate it so it is likely to be quite difficult to track down.
 
Unable to reproduce, please re-open if this still persists
 
Entities keep reprovisioning for Simple Join Resolution links

Using a link with Simple Join Resolution I see the same target entity being re-provisioned every time the Baseline Sync runs.


The problem continues until the duplicate detection algorithm fails to generate unique values for key fields like CN.
I'll put environment details and logs in the next comment.
 
UNIFYBroker/Plus attempting to join source to incorrect target

Log says:
20221129,21:30:25,UNIFYBroker,Link,Error,"Request to sync changes on link failed. Request to sync changes on link Employee > AD User (ad53013b-b271-4ed6-a959-dc11aeaa5eca) in direction outgoing failed with message Source entity '0b5d5a72-fd60-4777-b1ef-f1d4a035c87d' cannot be joined to ambiguous join targets: [391e6395-a3c2-424c-9799-30a98508ac1f, 5a6e4486-75f8-4487-ab8f-4eeccf06a524]. Cannot proceed with join. [Count:4321]. Duration: 00:00:04.5645340
Link join criteria is:

Source entity is:

Target entities are:


Why would an attempt to join to 5a6e4486-75f8-4487-ab8f-4eeccf06a524 be happening, given it doesn't match the join criteria?
 
The root cause of this was staff from the customer's outsourced IT department updating employeeID values wrongly, in contravention of documented processes.
Please close this ticket and mark 'not a bug'.
 
Join calculation for source entity cannot be completed due to an invalid connection state. Reason: Source entity has multiple connections.

After the customer remediated duplicate employee IDs in AD, UNIFYBroker is still unable to correctly join and process links. The error message has changed to:
Synchronization job failed syncing 4322 changes on the 'Employee > AD User' link from the adapter to locker with the reason Join calculation for source entity 'e892faf3-5c17-4e9c-9be9-f9ee33cc68fe' cannot be completed due to an invalid connection state. Reason: Source entity has multiple connections.. Job ID: bf3c52ec-49a2-4655-8f00-360a6ffce78c Duration: 00:00:04.2503352
I'll attach the email thread with the customer that provides background to the next message.
 
This has been implemented and is available in the release of UNIFYConnect V6, which will be made available shortly.
 
	
