Non-account object support
Synchronize an identity
You can synchronize an identity in Identity Cloud with an identity that exists in a target system. To achieve this, Identity Cloud models the identity in the target system and makes it available for mapping as a series of objects and properties:
- Account object: The account object represents the user entity in the target system. Examples of account object properties are name and email. For example, in a Salesforce application, the `account.email` object property is mapped to `mail` in the Identity Cloud user identity.
- Non-account object: Non-account objects represent entities linked to the user entity in the target system. Examples of non-account objects are roles, groups, departments, permissions, and licenses. For example, in a Salesforce application, the `group` object property is mapped to the `GroupIds` field in the Identity Cloud user identity.
Each templated application in Identity Cloud contains an account object and may contain one or more non-account objects that are modelled specifically for the target system.
Manually set non-account objects for an account object
After you create certain connectors and run reconciliation, you can start mapping the account object to various non-account objects. These non-account objects are predefined. For more information about connectors with predefined non-account objects, refer to Connectors with predefined non-account objects.
However, connectors for non-authoritative applications, such as a Scripted REST connector, a Scripted Groovy connector, or a Scripted Table connector, do not have predefined non-account objects. The reason is that these types of connectors can have different non-account objects. These non-account objects are nonpredefined objects.
For connectors for non-authoritative applications, you must manually select the non-account objects that map to specific properties for an account object.
1. Select the Provisioning tab.
2. Select the Properties tab.
3. Edit a property.
4. On the Edit Property screen, enable Constrain values for this property.
5. On the Edit Property screen, enable Application Object Type.
6. In the Select Object Type drop-down field, select a non-account object type to map to the current property.
7. On the Edit Property screen, enable Entitlement.
8. Click Save.
Connectors with predefined non-account objects
The following connectors have predefined non-account object types. After creating a connector that is listed in the table and running reconciliation, you can associate the account object in the second column with the non-account objects in the third column.
| Connector | Account object | Predefined non-account objects |
|---|---|---|
| Active Directory | | |
| LDAP | | |
| Azure AD | | |
| SNOW | | |
| GSuite | | |
| Salesforce | | |
| Powershell | | N/A |
| SCIM | | |
| Scripted REST | | N/A |
| Scripted SQL | | N/A |
| Scripted Groovy | | N/A |
| SAP SuccessFactors | GROUP | |
Map target system object properties to Identity Cloud
To ensure all properties that are associated with a user account or role account synchronize during reconciliation, perform the following steps.
1. If your connector is not predefined, perform the steps in Manually set non-account objects for an account object.
2. Select the Provisioning tab.
3. Click Mapping.
4. Click Inbound.
5. Follow steps 3 to 6 in Add or edit a mapping.
Run a reconciliation
Before you perform the following steps, to ensure you synchronize all information for the identity, map all relevant object properties with the identity.
1. On the Reconciliation > Reconcile tab, click the ellipsis (...) to the right of a mapping.
2. Click Reconcile Identity.
3. Verify the information on the page, and click Reconcile Identity.
4. After the reconciliation process is complete, click Done.