...

There are many different types of synchronization in midPoint. Live synchronization is supposed to provide a quick response to changes and a good chance that the data in IDM is up-to-date. The synchronization works with descriptions of relative changes to the data. However, the synchronization cannot be made 100% reliable. Some changes may be missed, changes may arrive out of order, delayed changes may therefore become inapplicable, and so on. This may be caused by a resource or IDM being down, or it may be an inherent property of the communication protocol that we use to connect to the resource. Therefore a functionality similar to synchronization is needed that will provide better reliability: reconciliation. The reconciliation compares absolute states of a resource and IDM, resolving the discovered inconsistencies. However, reconciliation is quite a demanding and long task, therefore it cannot be executed frequently. A change can also be detected by executing an unrelated operation, e.g. it may be discovered during account creation that an account already exists. The reaction to this situation is called discovery.

...

The most common place where the data is synchronized is the common provisioning operation. When the user data is changed, the outbound expressions are executed and the change is reflected to accounts. Roles and assignments are also recomputed, which may result in creation, deletion or modification of an account.

...

Live synchronization is an almost-realtime reaction to changes of the resource accounts. MidPoint polls for changes in the systems that can provide information about recent changes (changelogs). The polling is usually executed in rapid cycles every few seconds. Any detected changes are processed by the synchronization routines. The inbound expressions are executed, reflecting the account changes to the user. Then the changes from the user are reflected to other accounts (outbound). The change from the resource is therefore propagated to midPoint and other systems shortly after it was detected.

...

Reconciliation compares the real attributes of the accounts (what is) with the user properties and assignments in midPoint (what should be). Reconciliation iterates over all the accounts to find accounts that should not be on the resource, accounts that are not yet in midPoint and should be linked to their owners, etc. It is a kind of "safety net" mechanism as it can reliably detect all the changes. However, it is also the least efficient of all the synchronization mechanisms. Reconciliation is usually executed as a scheduled task.
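The comparison described above, as an added example that is not midPoint code: a simplified Python model of a reconciliation pass over the absolute state of both sides. The data layout, the correlation on `mail`, and the finding labels (`orphan`, `unlinked`, `drift`, `missing`) are assumptions made for illustration, and all sample data is constructed.

```python
# Simplified reconciliation model (added example, not midPoint's implementation).
# Field names, finding labels and sample data are constructed for illustration.

def reconcile(users, accounts, correlate_on="mail"):
    """Compare resource accounts ("what is") with IDM users ("what should be")."""
    findings = []
    linked = {u["link"]: u for u in users if u.get("link")}
    by_key = {u[correlate_on]: u for u in users}
    for acc in accounts:
        owner = linked.get(acc["id"])
        if owner is None:
            # No link in IDM: try to correlate the account to an owner.
            candidate = by_key.get(acc["attrs"].get(correlate_on))
            if candidate is None:
                findings.append(("orphan", acc["id"]))       # should not exist
            elif candidate.get("link"):
                findings.append(("conflict", acc["id"]))     # owner already linked
            else:
                findings.append(("unlinked", acc["id"], candidate["name"]))
            continue
        # Linked account: compare real attributes with the expected ones.
        for attr, want in owner["expected"].items():
            have = acc["attrs"].get(attr)
            if have != want:
                findings.append(("drift", acc["id"], attr, have, want))
    # Accounts IDM believes exist but the resource no longer has.
    present = {a["id"] for a in accounts}
    for u in users:
        if u.get("link") and u["link"] not in present:
            findings.append(("missing", u["link"], u["name"]))
    return findings

USERS = [  # constructed IDM state
    {"name": "alice", "mail": "alice@example.com", "link": "acc-1",
     "expected": {"groups": ["staff"]}},
    {"name": "bob", "mail": "bob@example.com", "link": None,
     "expected": {"groups": ["staff"]}},
    {"name": "carol", "mail": "carol@example.com", "link": "acc-3",
     "expected": {"groups": ["staff"]}},
]
ACCOUNTS = [  # constructed resource state
    {"id": "acc-1", "attrs": {"mail": "alice@example.com",
                              "groups": ["staff", "admins"]}},
    {"id": "acc-2", "attrs": {"mail": "bob@example.com", "groups": ["staff"]}},
    {"id": "acc-9", "attrs": {"mail": "svc@example.com", "groups": ["admins"]}},
]

if __name__ == "__main__":
    for finding in reconcile(USERS, ACCOUNTS):
        print(finding)
```

Because the pass works on absolute state, it reports the extra `admins` membership on `acc-1` and the ownerless `acc-9` even if the relative change that created them was never delivered to live synchronization.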

...

The synchronization may also be used by other parts of the system. For example, the import from resource also uses synchronization routines. The import pretends that all accounts on the resource were just created and executes synchronization routines. This ensures that new users are created for each new account and existing user records are properly matched (given appropriate setup of synchronization policies). More mechanisms may be added in the future (such as password synchronization).

...