Introduction

The primary purpose of identity management systems is to manage data belonging to users; it is common practice in such systems to define as well entities called roles that helps in defining and enforcing security policies. In addition to this, Syncope explicitly represents the fact that users can be assigned to roles by mean of memberships.

...

• key is a string label (i.e. Surname)unmigrated-wiki-markup
• _values_ is a (possibly singleton) collection of data (i.e. \ [Doe\] but also \ [john.doe@syncope.apache.org, jdoe@gmail.com\])

The type of values that can be assigned to each attribute is defined via schemas.

...

A virtual attribute can be mapped among several resources.
The values of a virtual attribute is are the composition (in a distinct way) of values coming from each resource it the virtual attribute is mapped on.

Virtual attribute values are always retrieved from an external resource either in case of SYNCHRONIZATION, PROPAGATION or BOTH mapping purpose.
The only way to avoid virtual attribute values retrieving from a certain resource is to remove SEARCH capability from the resource connector itself.

...

One of most important features is about to link such attributes to external resources (LDAP server, Database, ...) so that propagation and synchronization can take place effectively.

Image Modified

Mapping purposes

Each mapping item can be configured for a specific purpose:

• SYNCHRONIZATION - mapping item will be considered just during synchronization.
• PROPAGATION - mapping item will be considered just during propagation.
• BOTH - mapping item will be considered always.