5.4 Synchronizing the Identity Vault the First Time

After you have imported the driver and tested it, you need to decide how to handle synchronizing the Identity Vault user accounts with user data in the Student Information System the first time.

When you configure the driver, you specify either Yes or No for the Manage preexisting eDirectory users field as described in Section 5.1, Creating and Configuring the Driver. This setting determines whether the driver tries to synchronize existing users in the Identity Vault, or ignores them and only manages new students and staff. You specify this setting on the Global Config Values page for the driver.

The Identity Manager Driver for SIF gives you three options for synchronizing existing accounts. Regardless of the option you choose, the driver provisions and manages any new accounts entered into the Student Information System in the future.

This section describes the three options, the reasons why you might choose one, and how to set them up.

To help you set up these options, this section also provides instructions for the following task:

  • Section 5.4.4, Using Migrate into Identity Vault to Populate or Update the Identity Vault

5.4.1 Option 1: Populate the Identity Vault Using Migrate into Identity Vault

For this option, you remove all existing accounts and home directories, and re-create them “from scratch,” using the Migrate into Identity Vault option to populate the Identity Vault.

Why Would You Use This Option?

  • You want the driver to manage all accounts.

  • You have decided you want to “start from scratch” by removing existing users from the Identity Vault, or you have not yet put any users into the Identity Vault.

  • You don’t need to preserve the files that are currently in the home directories.

For example, if you were implementing the driver before the beginning of the school year, and you didn’t need to keep home directories from the previous year, you could get a fresh start in the Identity Vault using this option.

How To Set It Up

  1. Remove existing user accounts (User objects) from the Identity Vault.

  2. Remove the home directories from the server.

    IMPORTANT: If existing home directories are not deleted along with existing user accounts, the users who are migrated won’t have a home directory. Identity Manager must create the home directory at the same time it creates a user. It can’t grant the newly created user rights to an existing home directory; instead, it gives an error.

    If you had existing user accounts with home directories and you didn’t delete them before using Migrate into Identity Vault, you need to delete them and repeat the migration.

  3. Set Manage preexisting eDirectory users to Yes.

    You set this on the Global Config Values page for the driver.

  4. Populate the Identity Vault by using Migrate into Identity Vault to request all user data from the Student Information System.

    See Using Migrate into Identity Vault to Populate or Update the Identity Vault.

    You should use Migrate into Identity Vault when demand for the server is low, such as on a weekend. If you have more than one Zone configured, we recommend you perform the migration one Zone at a time. The migration can take approximately 20 seconds per user and places a load on the server.

Identity Manager creates all students and staff in the Student Information System as User objects in the Identity Vault. As they are created, the objects are automatically associated with the ID in the Student Information System, so Identity Manager can manage them.

5.4.2 Option 2: Manage Existing Identity Vault User Accounts

For this option, you leave existing accounts in the Identity Vault. You manually put the student or staff ID from the Student Information System into the DirXML-sifSISID attribute of each existing Identity Vault user object, so the driver can match it with the corresponding individual in the Student Information System. After you put in the Student Information System ID, the driver can manage existing user accounts, so any new changes to those individuals in the Student Information System are reflected in the Identity Vault.

If you want current data from the Student Information System to be synchronized to the Identity Vault (for example, because you are concerned that existing user account data doesn’t currently match the Student Information System), use Migrate into Identity Vault after you add the Student Information System ID to the DirXML-sifSISID attribute.

If you choose this option, you need to fill in the DirXML-sifSISID immediately. If you don’t, and a change comes through for an account, the driver cannot find the matching User object and a duplicate is created.

Why Would You Use This Option?

  • You already have User objects in the Identity Vault, and you don’t want to delete them, but you do want the driver to manage them.

  • You want to preserve the files that are currently in the home directories.

For example, if you were implementing the driver during the school year, and you wanted to keep home directories intact and minimize the risk of any problems with accounts, you might decide to keep existing accounts in place. With this option, you could keep accounts that are currently working and take the time to manually add the Student Information System ID to each of them, so the driver can recognize and manage them.

How To Set It Up

  1. For all existing Identity Vault User objects, manually enter the Student Information System ID into the DirXML-sifSISID attribute. Make sure it is correct.

    This is a one-time effort.

    IMPORTANT: If the ID is not entered or is not correct, Migrate into Identity Vault creates duplicate User objects instead of updating existing User objects. There is no command to “undo” Migrate into Identity Vault, so you would need to remove the duplicates manually.

  2. Set Manage preexisting eDirectory users to Yes.

    You set this on the Global Config Values page for the driver.

  3. (Optional) If you want to synchronize existing accounts in the Identity Vault with all data from the Student Information System, you can use Migrate into Identity Vault.

    See Using Migrate into Identity Vault to Populate or Update the Identity Vault.

    If you are only concerned about synchronizing new changes that occur, you don’t need to do this step.

    You should use Migrate into Identity Vault when demand for the server is low, such as on a weekend. If you have more than one Zone configured, we recommend you perform the migration one Zone at a time. The migration can take approximately 20 seconds per user and places a load on the server.

After following these steps, Identity Manager can manage existing Identity Vault user accounts because you have manually made the association with the Student Information System ID. New users are also managed because Identity Manager automatically creates the association when it creates a new user.

5.4.3 Option 3: Don’t Manage Existing Identity Vault User Accounts

For this option, you set the driver to ignore existing accounts and manage only new students who are entered in the Student Information System. You don’t use Migrate into Identity Vault as part of setting up this option.

Existing student accounts in the Identity Vault are not affected by the driver; changes that occur for these accounts in the Student Information System are ignored by the driver.

New students added to the Student Information System after the driver is started are provisioned in the Identity Vault and are thereafter managed by the driver. The Identity Vault users created by the driver are always kept current with changes from the Student Information System.

Don’t run Migrate into Identity Vault if you are using this option.

Why Would You Use This Option?

  • You don’t want the driver to affect existing student accounts.

  • You only want the driver to provision and manage new students who are added to the Student Information System.

  • You need to preserve the files that are currently in home directories.

For example, you could use this option if you were deploying the driver during the middle of the school year, and you wanted to eliminate risk to any existing accounts. Perhaps you don’t have time to manually create the association with the Student Information System for each existing object. With this option, you can keep existing accounts as they are but take advantage of the driver’s functionality to provision any new students.

How To Set It Up

  1. Set Manage preexisting eDirectory users to No.

    You set this on the Global Config Values page.

  2. Don’t use Migrate into Identity Vault.

    If Manage preexisting eDirectory users is set to No, Migrate into Identity Vault is ignored.

Should I Use Migrate into Identity Vault or Synchronize?

The Migrate into Identity Vault option requests all student and staff records from the Student Information System and tries to match each record with a user account in the Identity Vault. If a match is found, the Identity Vault user account is updated with the information from the Student Information System. If a match is not found, a new user account is created in the Identity Vault.

For each user account in the Identity Vault, the Synchronize option queries the Student Information System for its attribute values and updates the Identity Vault user account with the received information.

Migrate into Identity Vault is more efficient: only one query is sent to the Student Information System, whereas Synchronize sends a separate query for each user account in the Identity Vault. Migrate into Identity Vault updates existing Identity Vault user accounts and creates new ones; Synchronize only updates existing Identity Vault user accounts.
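The difference between the two operations is easier to see in a small model. The following Python script is an added example, not code from the SIF driver or from this guide: it models an Identity Vault as a list of User objects whose SIS ID comes from the driver association or the DirXML-sifSISID attribute, and runs both operations against a constructed SIS snapshot. The account names, DNs, SIS IDs and attribute values are all constructed. The user “alan” is a pre-existing account whose DirXML-sifSISID was never filled in, which is exactly the case in which the guide says Migrate into Identity Vault creates a duplicate.

```python
from copy import deepcopy
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class VaultUser:
    """Minimal model of an Identity Vault User object (constructed)."""
    dn: str
    sis_id: Optional[str] = None   # SIS ID from the driver association or DirXML-sifSISID
    attrs: dict = field(default_factory=dict)


# Constructed SIS snapshot (SIS ID -> attributes); not real student data.
SIS_RECORDS = {
    "S1001": {"givenName": "Ada", "sn": "Lovelace"},
    "S1002": {"givenName": "Alan", "sn": "Turing"},
    "S1003": {"givenName": "Grace", "sn": "Hopper"},
}

# Constructed Identity Vault contents before either operation runs.
# "alan" is a pre-existing account whose DirXML-sifSISID was never filled in.
VAULT_BEFORE = [
    VaultUser("cn=ada,ou=users", sis_id="S1001"),
    VaultUser("cn=alan,ou=users", sis_id=None),
]


def find_match(users, sis_id):
    """Match an SIS record to an existing User by its SIS ID, or return None."""
    return next((u for u in users if u.sis_id == sis_id), None)


def migrate_into_vault(users, sis_records):
    """Migrate into Identity Vault: one request for all SIS records, then
    update each matched User and create a User for each unmatched record.
    Returns (updated DNs, created SIS IDs, number of SIS queries)."""
    updated, created = [], []
    for sis_id, attrs in sis_records.items():
        match = find_match(users, sis_id)
        if match is None:
            # No association and no DirXML-sifSISID match: a new User is created,
            # even if a hand-made account for the same person already exists.
            users.append(VaultUser(f"cn={sis_id},ou=users", sis_id=sis_id, attrs=dict(attrs)))
            created.append(sis_id)
        else:
            match.attrs.update(attrs)
            updated.append(match.dn)
    return updated, created, 1


def synchronize(users, sis_records):
    """Synchronize: one SIS query per existing User that carries an SIS ID;
    updates matched Users and never creates any.
    Returns (updated DNs, number of SIS queries)."""
    updated, queries = [], 0
    for u in users:
        if u.sis_id is None:
            continue  # no ID to query with; the account stays untouched
        queries += 1
        attrs = sis_records.get(u.sis_id)
        if attrs is not None:
            u.attrs.update(attrs)
            updated.append(u.dn)
    return updated, queries


def run_demo():
    """Run both operations on copies of the same starting vault."""
    vault_m = deepcopy(VAULT_BEFORE)
    m_updated, m_created, m_q = migrate_into_vault(vault_m, SIS_RECORDS)
    vault_s = deepcopy(VAULT_BEFORE)
    s_updated, s_q = synchronize(vault_s, SIS_RECORDS)
    return {
        "migrate": {"updated": m_updated, "created": m_created,
                    "sis_queries": m_q, "vault_size_after": len(vault_m)},
        "sync": {"updated": s_updated, "sis_queries": s_q,
                 "vault_size_after": len(vault_s)},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(run_demo(), indent=2))
```

Running it shows Migrate sending one query, updating “ada”, and creating two accounts, one of which (S1002) sits beside the untagged “alan” as a duplicate; Synchronize sends one query per tagged user, updates “ada” only, and leaves the vault the same size.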

5.4.4 Using Migrate into Identity Vault to Populate or Update the Identity Vault

Migrate into Identity Vault lets you request records for all individuals from the Student Information System. If a matching user is not found in the Identity Vault, a new account is created. If an account already exists in the Identity Vault for the student, and the DirXML-sifSISID attribute contains the correct Student Information System ID, the driver updates the account to match the information in the Student Information System.

You can run Migrate into Identity Vault at the start of a school year to initially populate the Identity Vault. You can also run it any time you want to ensure the Identity Vault is synchronized with the Student Information System.

You should use this option only if the following two conditions are met:

  • If you have any users in the Identity Vault, they must either have been created by the driver (which means they have an Identity Manager association created by the driver), or they must have the correct ID manually entered in the DirXML-sifSISID attribute.

    This allows the driver to match an individual in the Student Information System with an existing User object.

    IMPORTANT: If this condition is not met, Migrate into Identity Vault creates duplicate User objects instead of updating existing User objects. There is no command to “undo” Migrate into Identity Vault, so you would need to remove the duplicates manually.

  • The Driver object’s Manage preexisting eDirectory users parameter is set to Yes.

    If it is set to No, Migrate into Identity Vault is ignored.
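Because there is no way to undo a migration, it is worth checking both conditions before clicking Migrate into Identity Vault. The following Python audit is an added example and not part of the driver or this guide: it walks a set of Identity Vault User entries and reports accounts with neither an association nor a DirXML-sifSISID (these will be duplicated), IDs that do not exist in the SIS export, IDs shared by more than one User, and whether the Manage preexisting eDirectory users value is Yes. The entries and the SIS ID list are constructed in-line; in a real deployment you would read them from eDirectory (for example over LDAP) and from an SIS export, which is an assumption of this example rather than something the guide describes.

```python
from collections import Counter

# Constructed Global Config Value; in practice read from the Driver object.
MANAGE_PREEXISTING_GCV = "Yes"

# Constructed User entries shaped like LDAP search results (not real accounts).
# "associated" stands for an Identity Manager association created by the driver.
VAULT_USERS = [
    {"dn": "cn=ada,ou=users,o=school",   "DirXML-sifSISID": "S1001", "associated": False},
    {"dn": "cn=alan,ou=users,o=school",  "DirXML-sifSISID": None,    "associated": False},
    {"dn": "cn=grace,ou=users,o=school", "DirXML-sifSISID": "S1003", "associated": True},
    {"dn": "cn=ada2,ou=users,o=school",  "DirXML-sifSISID": "S1001", "associated": False},
    {"dn": "cn=bob,ou=users,o=school",   "DirXML-sifSISID": "S9999", "associated": False},
]

# Constructed set of IDs exported from the Student Information System.
SIS_IDS = {"S1001", "S1002", "S1003"}


def audit(users, sis_ids, manage_preexisting):
    """Check the two pre-conditions for Migrate into Identity Vault.

    Returns a dict of findings plus a single safe_to_migrate verdict:
      unmatched     - Users with no association and no DirXML-sifSISID;
                      Migrate would create a duplicate for each of them
      unknown_id    - Users whose DirXML-sifSISID is not in the SIS export
      duplicate_id  - SIS IDs held by more than one User
      will_be_created - SIS IDs with no User at all (new accounts, expected)
      gcv_ok        - Manage preexisting eDirectory users is Yes
    """
    findings = {"unmatched": [], "unknown_id": [], "duplicate_id": {},
                "will_be_created": [], "gcv_ok": manage_preexisting == "Yes"}
    id_counts = Counter(u["DirXML-sifSISID"] for u in users if u["DirXML-sifSISID"])

    for u in users:
        sid = u["DirXML-sifSISID"]
        if not sid and not u["associated"]:
            findings["unmatched"].append(u["dn"])
        elif sid and sid not in sis_ids:
            findings["unknown_id"].append(u["dn"])

    findings["duplicate_id"] = {sid: n for sid, n in id_counts.items() if n > 1}
    findings["will_be_created"] = sorted(sis_ids - set(id_counts))
    findings["safe_to_migrate"] = findings["gcv_ok"] and not (
        findings["unmatched"] or findings["unknown_id"] or findings["duplicate_id"])
    return findings


def report(findings):
    """Render the findings as plain text for the person running the migration."""
    lines = ["Migrate into Identity Vault pre-flight check"]
    lines.append(f"  Manage preexisting eDirectory users = Yes: {findings['gcv_ok']}")
    for key in ("unmatched", "unknown_id"):
        for dn in findings[key]:
            lines.append(f"  {key}: {dn}")
    for sid, n in findings["duplicate_id"].items():
        lines.append(f"  duplicate_id: {sid} held by {n} Users")
    lines.append(f"  SIS IDs that will become new Users: {findings['will_be_created']}")
    lines.append(f"  safe to migrate: {findings['safe_to_migrate']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(audit(VAULT_USERS, SIS_IDS, MANAGE_PREEXISTING_GCV)))
```

Fix every finding except will_be_created before migrating: fill in or correct DirXML-sifSISID for the unmatched and unknown-ID entries, resolve which of two Users sharing an ID is the real one, and confirm the Global Config Value. The will_be_created list is informational; those are the people the migration is expected to provision.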

You should use Migrate into Identity Vault when demand for the server is low, such as on a weekend. If you have more than one Zone configured, we recommend you perform the migration one Zone at a time. The migration can take approximately 20 seconds per user and places a load on the server.

  1. In iManager, click Identity Manager > Identity Manager Overview, and search for the driver set.

  2. Click the driver icon for the driver.

  3. If the driver is not running, click the icon in the upper-right corner of the driver icon, then select Start Driver.

  4. Click the Migrate into Identity Vault button.

  5. In the Migrate Data into the Identity Vault dialog box, click Edit List.

    The Edit Migration Criteria dialog box appears.

  6. In the left column, select User, then click OK.

  7. On the Migrate Data into the Identity Vault dialog box, click OK.

    The driver continues to run the migration, even if you close iManager.