Version: Cloud

System onboarding

Import settings

Here are changes introduced in the configuration of data import with the Horizons solution.

Legacy solution

The legacy solution provides the following settings:

The Horizons solution implements the above settings in the following way:

  • Store data for reporting is moved to an event-driven process running in the background. It is responsible for storing data in ODW, and this action is no longer part of the data import from a source system.

  • Prepare data for processing is responsible for storing data in Enterprise Server. This setting has been renamed to Publish ingested data.

    caution

    Once a system with the Publish ingested data setting enabled is onboarded, you need to ensure that the setting remains enabled. Disabling the Publish ingested data setting for an already onboarded system may result in loss of data.

  • Automatically populate security resource business key provides the resource business key automatically.

  • Import errors per object is not required for the Horizons solution. This setting allows configuring a threshold for the number of import errors. Exceeding this threshold results in a data import error. When the threshold is not exceeded, the import continues with a warning for each of the relevant objects. With the Horizons solution, this setting is no longer required since all imports are continued in case of data issues and the failed objects are logged for further investigation.

During the staging phase, the number of entities that were fetched from the source system and sent for processing is shown in the progress window.

When inconsistencies are found, the query is marked with the completed with a warning status, and the number of rejected datagrams is shown. You can find more details on the rejected datagrams in import logs.


Enabling the Publish data to Portal and RoPE setting initiates the Staging and Processing stages while excluding the Adaptation stage.

Thresholds

Settings path

Data Import>Configure thresholds

Depending on the system content type (Identity Data or Access right) the supported Data Object types used by thresholds will be different.

Example: For the system in this example the Access rights content type applies.

If the value of the configured threshold is not greater than zero, the threshold is considered disabled. The value in the Interval field has the HH:MM:SS format.

Legacy solution

In the legacy solution, the thresholds logic is calculated as a percentage of changes compared to the previous import. Exceeding this percentage results in a rollback. During the next import, you need to decide whether to import these changes. The legacy thresholds configuration allows you to specify only one value for all object types, instead of different values for each individual object type.

Thresholds migration

If the system uses Legacy thresholds, it will enter the migration mode after enabling Horizons. Imports from this system won't be possible until thresholds are migrated to the new format. It is indicated by the warning displayed on the system onboarding page:

Click Configure thresholds to enter the legacy thresholds view where you can add new thresholds:

Account rules

Changes to the Account rule are automatically applied during the next import from the system.

note

Account ownership and classification that were already assigned based on the previous configuration of the account rule are updated.

Legacy solution

With the Horizons solution enabled, the below settings are no longer available from the Account rules context menu.

With the primary and non-primary identities replaced by the Identity merge functionality, the account ownership is evaluated against the merged identities.

tip

When migrating to Horizons ensure that the account ownership, set by a matching attribute on a non-primary identity, is copied into the merged identity.

Desired state account rule

By default, a Desired state account rule is added to each new system onboarded in a new system category. With the Desired state account rule enabled, you can directly reference the desired ownership, with a defined owner and account type, when requesting access or configuring assignment policies. This simplifies obtaining the desired ownership and avoids the need to configure multiple rules to achieve the same result.

Migration action

The Desired state rule replaces the DesiredStateAccountRule. When migrating to the Horizons solution, if the DesiredStateAccountRule was enabled, all system categories will have the Desired state rule added.

Data import

Initializing Start data import differs depending on whether the import is performed for an Omada Identity system or another system.

Legacy solution

Start Import settings

Settings in this section are no longer available with the Horizons solution enabled. The SSIS is no longer supported in the Horizons data ingestion architecture.

Omada Identity system import

Legacy solution

Other systems import

When importing data from a system other than Omada Identity, you have the option to import the data from Enterprise Server (Omada Identity system). This is relevant if you've enriched data in the ES and want to use it, for example for Account Join.

Import profiles

You can schedule your import by combining the Event definition and appropriate Timers.

Event definition

In the Event definition you can set it to be triggered when the timer is executed.

Cleanup import profile

You can access the Clean-up import profile in the Import Profiles to conduct a cleanup procedure.

By default, the cleanup procedure is configured to start automatically during the night. It is specified in the Run ODW cleanup that you can find in the Event definitions. Additionally, you can initiate the cleanup procedure manually.

To avoid suspension of the cleanup process, configure the Stale import setting in the Clean-up import profile. By default, the setting value is set to 02:00:00, which equals two minutes.

tip

Adjust the Stale import setting value to match the volume of data. Increase the Stale import value for larger amounts of data to avoid aborting the cleanup process unnecessarily.

To access logs, click on the Clean-up import profile.

For more information, go to the ODW data clean-up import profile section.

Original Code Method

The Original Code Method (ImportProfile) includes:

PerformImportCheck

The PerformImportCheck code method sends an import check request to the Import Service to check for queued imports.

New Code Method

The new code method (ImportProfileV15) consists of three methods:

StartImportProfile
StartFullImportProfile
CheckForPotentiallyStaleImports

Import queue

You can access and manage the queued imports in the Import queue pop-up.

You can access the Import queue from the following places:

  • Import status in Operations Dashboard

You can access the Import queue by expanding the import status options and selecting the Show import queue option.

  • Import profiles

You can access the Import queue by expanding the import profiles actions and selecting the Show import queue option.

The import queue lists all items from the isp.ImportQueueuItem, in OIS DB, sorted in the ascending priority order.

You can change the order of the list by ticking an item on the list and using the up or down button, or you can delete the item. Selecting the OK button saves all of the changes in the isp database.

warning

Before the changes are saved, the import queue state check is conducted. If any changes to the state of the queue are detected, a warning is issued and the latest state of the queue is loaded.

Import history

With the Horizons solution, the location of import logs is changed to Azure Log Analytics. There are three ways you can access import logs:

  1. System Onboarding > Start data import > Last xxx import > log
  2. Import Profile > Import history > log
  3. Setup > System operation > Logs > Operations dashboard > Import Status > <status> > log

The Horizons solution provides more detailed and relevant information in the import log, improving the search capabilities.

SAMPLE OF IMPORT LOG

note

During import, if there are adaptation errors or issues with any of the export mappings, click the Cancel adaptation button to stop the adaptation or resynchronization phase of the import process. The remaining entities that are either received/retried are no longer processed in the import attempt. Selecting the Cancel adaptation option does not affect the staging and processing phases of the import process and they are performed regardless.

Indirect assignments calculation

An indirect assignment is a type of assignment that is not explicitly defined but is derived from data cross-relationships, such as group hierarchies. Indirect assignments calculation is a part of the post-import process, initiated after the imported data is prepared for further processing on the Enterprise Server (ES).

To perform indirect assignment calculation, the SkipActualIndirectAssignments customer setting must be disabled.

[Disclaimer]

Actual indirect assignments are not calculated for unresolved identities, regardless of the value of the SkipOrphanPermissions customer setting.

Calculation of actual indirect assignments is relevant for:

  • Resources that inherit security configuration from another resource - accounts with access to a resource defining security for other resources.
  • Nested groups - accounts with access to the parent group resulting from a membership of a nested group.
  • Child roles - accounts with access to a child role resulting from a membership of a parent role.
  • Group assignments - accounts with access to a resource resulting from a membership of a group or nested group with access to the resource.

note

For systems with the PerformUnfolding customer setting enabled, the indirect assignments calculation helps to generate indirect parent-child relationships between resources and store them. During the unfolding process the resource hierarchic organization, based on direct connections and indirect dependencies and relationships, is ensured.
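The four cases listed above can all be read as "holding X also gives Y" relationships. The following added example is not Omada code: it is a simplified model with constructed, hypothetical account, group, role and resource names, and it derives each account's indirect assignments together with the chain that produces them, including a circular group nesting that must not loop forever.

```python
from collections import deque

# Constructed sample data; all names are hypothetical.
# Direct assignments: what each account is explicitly given.
DIRECT = {
    "acct-anna": {"grp-helpdesk"},
    "acct-bob": {"role-finance", "res-ledger"},
}
# "Holder of the key also gets each value" relationships.
GRANTS = {
    "grp-helpdesk": {"grp-it-staff"},          # nested group -> parent group
    "grp-it-staff": {"res-ticketing",          # group assignment to a resource
                     "grp-helpdesk"},          # circular nesting (bad data)
    "role-finance": {"role-ap-clerk"},         # parent role -> child role
    "role-ap-clerk": {"res-ledger"},           # role grants a resource
    "res-ticketing": {"res-ticket-archive"},   # resource defining security
}

def indirect_assignments(direct, grants):
    """Return {account: {target: derivation_path}} for access that is
    derived through relationships rather than explicitly assigned."""
    result = {}
    for account, explicit in direct.items():
        # paths doubles as the visited set, which also stops cycles.
        paths = {target: [target] for target in explicit}
        queue = deque(sorted(explicit))
        while queue:
            node = queue.popleft()
            for nxt in sorted(grants.get(node, ())):
                if nxt not in paths:
                    paths[nxt] = paths[node] + [nxt]
                    queue.append(nxt)
        # Anything reached that was not explicitly assigned is indirect.
        result[account] = {t: p for t, p in paths.items() if t not in explicit}
    return result

if __name__ == "__main__":
    for account, found in indirect_assignments(DIRECT, GRANTS).items():
        for target, path in sorted(found.items()):
            print(f"{account}: {target} via {' -> '.join(path)}")
```

In this model a target that is both explicitly assigned and reachable through a chain (res-ledger for acct-bob) is reported as direct only, so the output lists just the access that a reviewer would not see in the explicit assignments.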

Operations dashboard

Settings path

Setup>System operation>Logs>Operations dashboard

Here you can find several widgets providing information about different aspects of your system.

Import status

Provides basic information about the import state and status.

Legacy solution

Analytic processing

The Analytic processing widget provides information about the synchronization of your dashboards and reports.

The Last update field shows the last date and time when the analytics and report functions were updated.

The Inconsistencies field shows the number of inconsistencies detected. To access more details, select the displayed value.

System overview

The System overview widget provides information about systems that might require attention. It segregates the systems under the following categories:

  • Errors - systems with the last import failing.
  • Warning - systems with the last import generating warnings, for example adaptation errors or threshold violations.
  • Threshold violation - systems with an exceeded threshold during the last import.
  • OPS threshold violation - systems with the OPS threshold exceeded.
  • Requires threshold migration - systems requiring the threshold to be migrated from an old format to a new one before the import.

Authoritative Source Policies

Path to the settings

Setup > Administration > Connectivity Configuration > Auth. Source policies

In the Horizons solution, the Authoritative Source Policies are not used to determine which source system is authoritative for the property on the Identity, Context, or Resource objects in the ODW. It is now determined by the Identity Merge Rules.

Authoritative Source Policies are utilized to indicate if a property is allowed to be updated in the ES portal.

Account ownership review survey

In the Horizons solution, there is a new version of the Account ownership Review survey, enhancing the Account join process for more accurate matches between accounts and identities.

The changes in the Account ownership review survey include:

  • A new property added to the survey:

  • The account query updated in two places to include the AccountBusinessKey column in the results:

  • The new query column is mapped to the new property:

  • The new property has been added to both survey forms as a hidden field:

There are two Account ownership review surveys available. The survey with the lower number represents the older version. The old survey template can be safely removed, provided that any customizations are manually transferred to the new version. For information on how to generate the XML from the UI and compare survey templates, refer to the Survey templates documentation.

Survey migration

Any Account ownership review surveys that were started before enabling Horizons must be stopped and restarted to incorporate the new version.