The content below is for Apache Syncope <= 1.2 - for later versions the Reference Guide is available.
The main purpose of identity management systems is to manage user and role provisioning.
User and role provisioning refers to the creation, maintenance, activation and deactivation of user and role objects and their attributes.
Provisioning operations can act on Apache Syncope only or be propagated towards external resources as well.
The provisioning operation can be initiated by an authorized user (for instance, working on Apache Syncope administration console) or by an internal task like a synchronization task.
A synchronization task can be used to perform a bulk provisioning operation involving either Syncope and one or more external resources.
External resource provisioning
The propagation implements the provisioning on external resources. It depends on the assignment, directly or indirectly (via memberships), of users/roles to external resources.
Users and roles can be assigned or linked to an external resource in three different ways: with a soft link, with a hard link, without any link (see below for more details).
Each provisioning operation involving a certain user/role will be propagated (if permitted by resource connector instance capabilities) towards each resource linked by the user/role object itself.
In general, the provisioning won't occur on a certain external resource if any direct/indirect link exists with that resource.
Manage external resource provisioning directly
Provisioning will occur on a certain external resource every time the operation involves users or roles assigned to that resource.
Users and roles can be assigned to an external resource by defining a direct or indirect link between objects.
By the way, Apache Syncope empowers the possibility to control the existence of users/roles on external resources giving the possibility to manage remote provisioning directly.
In fact, an authorized user (or an internal task - a sync task, for instance) can ask for
- link / unlink users/roles to/from specific resources (soft link),
- assign / unassign users/roles to/from specific resources (hard link),
- provision / de-provision users/roles on/from specific resources (maybe, without any link).
Apache Syncope gives the possibility to create and remove a sort of soft linking between users/roles and resources.
This kind of link doesn't imply any propagation at link creation/deletion time.
Apache Syncope gives the possibility to directly provision and de-provision users/roles on/from resources, without any link in place.
This provisioning feature (disjoint from the resource link mechanisms) is often very useful in case of reclaims.
Apache Syncope gives the possibility to create and remove a sort of hard linking between users/roles and resources.
This kind of link implies propagation at link creation/deletion time: it is the composition between link/unlink and provision/de-provision operations.