User synchronizer (
UserSynchronizer) is a heart of the IDM Model Subsystem. It takes care of synchronizing users and accounts in any situation. Therefore it is responsible for ordinary provisioning, live sync, reconciliation and even import. User synchronizer takes care of executing user template, computing assignments and RBAC, outbound expressions, credentials, etc. It is a place through which any modification of user object must pass.
The goal of user synchronizer is to correctly propagate changes of accounts to the user (inbound), apply policies (user template, assignments, RBAC) and propagate user changes to accounts (outbound). User synchronizer is doing that in several steps that are described below.
User synchronizer is not applying the changes by invoking provisioning or repository services. It is only computing the changes. This has several advantages. Firstly, if there is any critical error while the changes are being computed the whole operation can be safely aborted as no changes were done yet. Secondly, user synchronizer can be used to create a "preview" of changes before really applying them.
User synchronizer is storing all the changes in a data structure called synchronization context (
SyncContext). Synchronization context describes user and all accounts that are linked to it (or accounts that are going to be linked). User always contain exactly one user and may contain any number of accounts. Each account is identified by resource account type (RAT) which is a combination of resource OID and account type (e.g.
The context maintains several structures for the user and accounts:
- Old object (
accountOld): State of the object before the change. May be null if there was no such object before the change. Also note that in case of accounts it may not contain full account, but just a repository account shadow (depends whether reconciliation was requested or not).
- New object (
accountNew): State of the object after the change. This is in fact "old object" with all the relevant deltas applied to it. It may be null if there is no object after the change (e.g. user or account is deleted).
- Primary delta: Change of user or account that was explicitly requested. E.g. a change that the IDM admin initiated from the GUI. This is considered to be immutable by the user synchronizer. Synchronizer will never change it.
- Secondary delta: Changes that are caused by setting of expressions and policies. This is usually computed from the primary delta and various expressions (inbound, outbound, assignments, etc). Secondary delta is empty when user synchronizer is started and it may be updated in every step of synchronizer execution.
- Synchronization delta: Changes that already happened before the synchronizer was invoked. This is the set of changes that the synchronizer may react to but it cannot change it in any way because it has already happened.
Synchronizer executes in several sequential steps. Each step has a clear responsibility which part of synchronization policy it incorporates into the context. Each step usually transforms changes of user object to account objects or vice versa.
The sequence of the steps can be observed by looking at system logs:
MODEL subsystem or
com.evolveum.midpoint.model.synchronizer package to the
DEBUG level will produce short description of changes after every step:
MODEL subsystem or
com.evolveum.midpoint.model.synchronizer package to the
TRACE level will produce following dumps after every step:
The dump shows the state of the synchronization context after a load step. See Diagnostics Abbreviations for explanation of the acronyms.
There is an explicit recompute after each step. It means that if (secondary) deltas were changed during the step such change in deltas will be reflected to the
accountNew objects after the step.
Load step loads the missing parts of the context from the respository or provisioning. This is currently limited to the accounts. The load step will scan for any
linkRef references in the user or user deltas, locate appropriate accounts and load the shadows from repository (usual case) or full accounts from provisioning (reconciliation case).
Inbound step is processing the changes on accounts and reflects that to the user as specified by inbound expressions. Both primary and synchronization changes are processed in this step.
User Policy Step
User policy step currently applies user template to the user. It only works on user, not accounts. The goal is to maintain internal integrity of the user object as defined by the user template. This step is processing all user changes (both primary and secondary), recomputes them using user template and adds any extra changes to user secondary delta.
Assignments step is processing all user assignments. It considers both existing user assignments and deltas of user assignments (added or removed assignments). It is also indirectly triggering the processing of RBAC roles. RBAC roles and direct assignments are all reduced to account construction structures (
AccountConstruction) that describe how a particular account type (RAT) should be constructed. Account constructions usually contain value constructions (
ValueConstruction) that describe how a particular account attribute should be constructed.
Assignment step is not reflecting the changes to the deltas. It does not have enough information to do it yet. In particular the information about processing of outbound expression is missing at the very least. Assignments step is therefore storing the intermediate results in the
accountConstructionDeltaSetTriple property of account context. This is used later in the values step.
Outbound step is projecting user changes to accounts. It is following the outboud expressions defined in schema handling. It is also representing the results in a form of account construction. Similarly to the previous step the outbound step is not changing the deltas yet. Resluts of outbound step are stored in the
outboundAccountConstruction property of account context.
Values consolidation step is merging together the results of assignments and outbound steps and it is also validating the result. Values step determines the correct attribute values from (pre-computed) assignments, roles and outbound expressions stored in account context. It is processing the
authoritative flags, enforces access limitations (e.g. read only attributes), etc.
The values step also checks for account uniqueness. In case that the uniqueness check fails, the values steps updates the iteration counter (and token), clears temporary computation results and restarts all the steps that deal with account attribute values (assignment and outbound). The iteration count and token are recorded in the account context. They are also displayed in the dumps but only during second and subsequent iterations.
Credentials step replicates user credentials to the account. It deals with initial account credentials as well as credentials change.
Activation steps deals with account activation. It replicates user activation status to the account.
Reconciliation step is an optional step that compares real account values with the computed values. This step creates "correction" deltas for values that do not match, adding missing values and removing surplus values. Reconciliation step expects that a full account was loaded into an account context in the load step.
Reconciliation step is only executed if account reconciliation was requested (by a flag in account context).