Introduction
As of DirX Audit 7.2, the new DirX Audit History Synchronization jobs replace the DirX Identity synchronization workflows for the DirX Audit History Database.
The DirX Audit History Synchronization jobs run on the DirX Audit Server and operate between a DirX Identity domain and the DirX Audit History Database. The jobs regularly synchronize important domain entries from the DirX Identity domain into the DirX Audit History Database for historical auditing purposes. They do not change anything in the DirX Identity domain.
The DirX Audit History Synchronization jobs maintain snapshots of the DirX Identity domain entries in the DirX Audit History Database. The jobs associate a validity time range (valid from - valid to) with each entry and each attribute. When an attribute value is changed in the DirX Identity domain, the DirX Audit History Synchronization jobs:
- Close the validity period for the original attribute value in the DirX Audit History Database, storing the entry modification date and time in the DirX Identity domain (the modifyTimestamp LDAP operational attribute) in valid to.
- Create a new database record for the current attribute value, storing the entry modification date and time in the DirX Identity domain (the modifyTimestamp LDAP operational attribute) in valid from and leaving valid to empty.
When several modifications are made to an entry in a DirX Identity domain between two executions of the DirX Audit History Synchronization jobs, only the most recent modification timestamp is reflected.
When an entry is deleted in the DirX Identity domain, the DirX Audit History Synchronization jobs:
- Close the validity period for the deleted entry and all its attribute values in the DirX Audit History Database, storing the synchronization date and time in valid to.
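The validity-range rules above, as an added example that is not part of the DirX Audit documentation or product code: an in-memory stand-in for the history table, a Modify job that applies the modifyTimestamp rule, and a Delete job that closes entries with the synchronization time. The table layout, the sample DN and attribute values, and detecting deletions by comparing open entries against the domain's current DN list are assumptions; the product's actual schema and detection method are not shown on this page.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

@dataclass
class AttrRecord:          # one attribute-value row of the constructed history table
    entry_dn: str
    attr: str
    value: str
    valid_from: datetime                 # modifyTimestamp of the domain entry
    valid_to: Optional[datetime] = None  # None: the value is still current

class HistoryDb:
    def __init__(self) -> None:
        self.records: List[AttrRecord] = []

    def open_records(self, entry_dn: str, attr: Optional[str] = None) -> List[AttrRecord]:
        """Rows with an open validity period for this entry (and attribute)."""
        return [r for r in self.records
                if r.entry_dn == entry_dn and r.valid_to is None
                and (attr is None or r.attr == attr)]

    def sync_modify(self, entry_dn: str, attrs: Dict[str, str], modify_ts: datetime) -> None:
        """Modify job rule: close the old value and open the new one at modifyTimestamp."""
        for attr, value in attrs.items():
            current = self.open_records(entry_dn, attr)
            if current and current[0].value == value:
                continue                      # unchanged value keeps its open period
            for r in current:
                r.valid_to = modify_ts        # valid to = entry modifyTimestamp
            self.records.append(AttrRecord(entry_dn, attr, value, modify_ts))

    def sync_delete(self, entry_dn: str, sync_ts: datetime) -> None:
        """Delete job rule: close the entry and all its values with the job run time."""
        for r in self.open_records(entry_dn):
            r.valid_to = sync_ts

def run_modify_job(db: HistoryDb, domain_entries: List[dict], last_run: datetime) -> int:
    """Entries changed since last_run are read once each, so only the latest modifyTimestamp is seen."""
    changed = [e for e in domain_entries if e["modifyTimestamp"] > last_run]
    for e in changed:
        db.sync_modify(e["dn"], e["attrs"], e["modifyTimestamp"])
    return len(changed)

def run_delete_job(db: HistoryDb, domain_dns: List[str], sync_ts: datetime) -> int:
    """Assumed detection: an entry open in the history DB but absent from the domain."""
    gone = {r.entry_dn for r in db.records if r.valid_to is None} - set(domain_dns)
    for dn in sorted(gone):
        db.sync_delete(dn, sync_ts)
    return len(gone)
```

Running two Modify passes with an intermediate change in between shows that the skipped intermediate value never appears in the history; the Delete pass then closes every remaining open row with the run time rather than a domain timestamp.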
About the History Synchronization Architecture
The following figure illustrates the architecture of the DirX Audit History Synchronization jobs. It shows how the jobs interact with the DirX Audit History Database and the DirX Identity Store containing a DirX Identity domain:
As shown in the figure:
- DirX Audit History Synchronization Modify and Delete jobs are components of the DirX Audit Server. Both are configurable scheduled jobs and run on the DirX Audit Server. You can read more about the DirX Audit Server components in section “DirX Audit Components” in the DirX Audit Introduction.
- The jobs use the LDAP connector to read DirX Identity domain entries from the audited system. This connector is included in DirX Audit Server. The jobs use a JDBC driver that is integrated with the DirX Audit Server to read and update audit data in the DirX Audit History Database.
- The DirX Audit History Database contains snapshots of the DirX Identity domain. It can be set up as a relational database with Microsoft SQL Server or Oracle Database. You can read more about the DirX Audit History Database in the DirX Audit Administration Guide.
About the History Synchronization Jobs Design
The DirX Audit History Synchronization Modify and Delete jobs share the same configuration and a similar design; the difference is only in the operations they perform on synchronized data. The jobs are designed to run effectively and therefore use parallel data processing.
The DirX Audit History Synchronization Modify and Delete jobs use the tenant configuration.cfg file to represent the necessary parameters for synchronization: the definition of the DirX Identity domain connection, the DirX Audit History Database connection and the entry type and attribute-specific configuration; for example, for attribute processing or mapping to the DirX Audit History Database.
The most basic synchronized unit is an entry type represented in DirX Audit History Database. The entry type configuration is included in the tenant configuration.cfg file. It contains a description of the synchronized DirX Identity entry type, a specific mapping of DirX Identity domain attributes, and the definitions of virtual attributes. The source of the virtual attributes is not the DirX Identity domain; they are created dynamically during the synchronization process and stored in the DirX Audit History Database. There is also a list of attributes excluded from synchronization. You can read more about configuration in the “Configuring and Customizing DirX Audit History Synchronization Jobs” section of this guide. You can also customize the jobs: you can set up your own custom entry types to synchronize custom DirX Identity domain entries.
The default tenant configuration already contains predefined standard entry types for all important entry type categories, one DirX Audit History Database entry type for each entry type in the DirX Identity domain:
- Users and their assignments
- Roles and role parameters
- Permissions
- Groups
- Accounts
- Target systems
- Request workflow and activity definitions
- Request workflow and activity instances
- Business objects: Countries, Organizations, Locations, Organizational Units, Projects, and Cost Units
- Audit policies
- Policies: several kinds of policies like Access, Attribute, Event, Delete, Rules and Operations, Password, Risk, and SoD
- Delegations and access rights
- Tickets
- Certification campaigns, entries, assignment changes, and notifications
- Role parameters
- Domain object, configuration objects, and target system configuration objects
The DirX Audit History Synchronization Modify job synchronizes recently added or modified entries and all their attributes, together with their validity periods, from the DirX Identity domain to the DirX Audit History Database. The job processes entry types and uses the entry type configuration to read a specified set of entries from the DirX Identity domain. The job can also detect relationship changes between entries in the DirX Identity domain and reflect them in the DirX Audit History Database. The DirX Audit History Synchronization Modify job also provides LDAP schema synchronization to the DirX Audit History Database; DirX Audit Manager uses this schema information to correctly display non-string values.
The DirX Audit History Synchronization Delete job detects entries deleted from the DirX Identity domain and closes the validity of those entries and their attributes in the DirX Audit History Database by setting the valid to field to the date and time of the job execution. The entry type configuration in the tenant configuration.cfg file is used to filter the DirX Identity domain to only those entries that belong to a synchronized entry type. This job also maintains relationships between entries in the DirX Audit History Database.
The DirX Audit History Synchronization jobs are designed as scheduled jobs on the DirX Audit Server. They are intended to be run at regular intervals according to a schedule that you set up using the DirX Audit Tenant Configuration Wizard. You can read more about job scheduling in the “Configuring and Customizing DirX Audit History Synchronization Jobs” section. Jobs can synchronize one or more predefined entry types or your own custom entry types. If a job is scheduled to synchronize multiple entry types, they are synchronized sequentially, one by one, to avoid overloading the DirX Audit History Database.
The remainder of this document describes how to prepare the DirX Identity domain and the DirX Audit History Database for DirX Audit History Synchronization jobs, how to configure and customize the DirX Audit History Synchronization jobs, and best practices to follow when setting up the jobs.