Synchronization Rules

This topic describes how LDAP Sync synchronizes users between Microsoft Active Directory (LDAP for short) and the Automation Engine (AE).

Notes:

  • The following concepts will help you better understand the synchronization rules:

    • The concepts of user and user group exist in both the AE and LDAP.
    • Users can be assigned to user groups.
    • One or more user groups in the AE can be mapped to one or more user groups in LDAP. If an AE user group is not mapped to an LDAP user group, no synchronization occurs.
    • Users in the AE can be tagged as existing users in LDAP.
  • You must administer AE user groups manually in the Administration perspective.
  • In addition to synchronization to AE, LDAP Sync also manages CDA user entities.
Scenario diagrams: the original page shows one figure per configuration scenario (one of them shows the LDAP connection checkbox); the figures are not reproduced here.

Outcome:

No synchronization occurs.

Outcome:

No synchronization occurs.

Does the user exist in the AE?

Does the user exist in LDAP?

The user does not exist in the AE, but is assigned to the GroupLDAP.

Outcome: the corresponding AE user is created and assigned to the GroupAE. Additionally, the user data is retrieved from the LDAP user and the user is tagged as LDAP user in the AE.

Does the user exist in both AE user groups?

The user exists in the AE but does not exist in LDAP and the "autoDeactivateUsers" parameter is set to "true".

Outcome: the user is deactivated in the AE. AE user data is never updated.

The user exists in both user groups.

Outcome: the AE user data (first name, last name, e-mail, etc.) is updated.

Note: If the user exists in the GroupAE and is tagged as LDAP user in another LDAP group (for example, GroupLDAP_B), the user is removed from the AE group GroupAE.

The user exists in the AE and in the GroupLDAP but it is not assigned to the GroupAE.

Outcome: the AE user is added to the GroupAE and the AE user data (first name, last name, e-mail, etc.) is updated.

Does the user exist in the AE?

Note: The rules of scenario 3 also apply.

Does the user exist in both AE user groups?

The user does not exist in the AE, but it is in the GroupLDAP, in the GroupLDAP_B or in both.

Outcome: the AE user is created and assigned to the corresponding group: GroupAE, GroupAE_B or both. Additionally, the user data is retrieved from the LDAP user and the user is tagged as LDAP user in the AE.

Outcome:

The AE user data (first name, last name, e-mail, etc.) is updated.

Outcome:

The AE user is removed from the AE group GroupAE_B (because it is not in the LDAP group GroupLDAP_B). Additionally, the AE user data (first name, last name, e-mail, etc.) is updated.

Outcome:

The AE user is removed from the GroupAE and added to the group GroupAE_B. Additionally, the AE user data (first name, last name, e-mail, etc.) is updated.

Outcome:

The AE user is also added to the AE group GroupAE_B. Additionally, the AE user data (first name, last name, e-mail, etc.) is updated.

Outcome:

The AE user is removed from the AE group GroupAE.

Note: If the user does not exist in the LDAP and the "autoDeactivateUsers" parameter is set to "true", the user will be deactivated in the AE. AE user data is never updated.

Does the user exist in the AE?

Note: The rules of scenario 3 also apply.

Does the user exist in at least one LDAP user group?

The user does not exist in the AE, but it is in both LDAP groups (GroupLDAP and GroupLDAP_B).

Outcome: the corresponding AE user is created and assigned to the AE group GroupAE. Additionally, the user data is retrieved from the LDAP user and the user is tagged as LDAP user in the AE.

Does the user exist in both AE User groups?

The user does not exist in the AE, but it is in both LDAP groups (GroupLDAP and GroupLDAP_B).

Outcome: the corresponding AE user is created and assigned to AE group GroupAE. Additionally, the user data is retrieved from the LDAP user and the user is tagged as LDAP user in the AE.

Outcome:

The AE user data (first name, last name, e-mail, etc.) is updated.

Outcome:

The user is removed from the AE group GroupAE. The AE user data is never updated, even when different.

Outcome:

The AE user data (first name, last name, e-mail, etc.) is updated.

Outcome:

The AE user data (first name, last name, e-mail, etc.) is updated.

Outcome:

The AE user is removed from the GroupAE. The AE user data is never updated, even when different.

Outcome:

The AE user is assigned to the AE group. Additionally, the AE user data (first name, last name, e-mail, etc.) is updated.

Does the user exist in the AE?

Note: The rules of scenario 3 also apply.

Does the user exist in at least one LDAP user group?

The user does not exist in the AE, but it exists in the LDAP group.

Outcome: the corresponding AE user is created and assigned to the AE groups GroupAE and GroupAE_B. Additionally, the user data is retrieved from the LDAP user and the user is tagged as LDAP user in the AE.

The user exists in at least one of the AE groups (GroupAE, GroupAE_B or both) and in the GroupLDAP.

Outcome: The user is in both AE groups (GroupAE and GroupAE_B) and the AE user data is updated.

The user exists in at least one of the AE groups (GroupAE, GroupAE_B or both), and it does not exist in the LDAP group.

Outcome: The AE user is removed from the AE groups.

Note: If the user does not exist in the LDAP and the "autoDeactivateUsers" parameter is set to "true", the user will be deactivated in the AE. AE user data is never updated.

Outcome:

This scenario is not supported by LDAP Sync.
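The rules of the mapped scenarios above, collapsed into one procedure as an added example (this is not Automic's code): an AE group is wanted whenever any LDAP group mapped to it contains the user, a user in no mapped LDAP group loses the mapped AE groups with the user data left untouched, and a user that does not exist in LDAP is additionally deactivated when "autoDeactivateUsers" is "true". The group names come from the page; the users, attributes and the two-to-two mapping are constructed.

```python
# Added example, not Automic's own code: a model of the synchronization rules
# on this page, so the effect of a group mapping and of "autoDeactivateUsers"
# can be checked on constructed data before it is applied to real accounts.
from dataclasses import dataclass, field

@dataclass
class AEUser:
    name: str
    data: dict                         # first name, last name, e-mail, ...
    groups: set = field(default_factory=set)
    ldap_tagged: bool = False          # "tagged as LDAP user in the AE"
    active: bool = True

# Constructed two-to-two mapping: GroupAE<->GroupLDAP, GroupAE_B<->GroupLDAP_B
MAPPING = [("GroupAE", "GroupLDAP"), ("GroupAE_B", "GroupLDAP_B")]
LDAP_GROUPS = {"GroupLDAP": {"alice"}, "GroupLDAP_B": {"alice", "bob", "erin"}}
LDAP_DATA = {u: {"mail": u + "@example.test"} for u in ("alice", "bob", "erin")}

def sync_user(name, ae_users, ldap_groups, ldap_data, mapping, auto_deactivate):
    """Apply the rules to one user; returns the actions taken, in order.
    mapping: (ae_group, ldap_group) pairs (covers 1:1, 2:2, 1:n and n:1);
    ldap_groups: ldap_group -> member names; ldap_data: name -> attributes."""
    actions = []
    mapped_ae = {ae for ae, _ in mapping}
    # an AE group is wanted if any LDAP group mapped to it contains the user
    wanted = {ae for ae, ld in mapping if name in ldap_groups.get(ld, set())}
    user = ae_users.get(name)
    if user is None:
        if not wanted:
            return actions             # unknown on both sides: nothing to do
        ae_users[name] = AEUser(name, dict(ldap_data.get(name, {})), wanted, True)
        return [("create", sorted(wanted))]
    if wanted:
        for g in sorted(wanted - user.groups):
            user.groups.add(g)
            actions.append(("add", g))
        for g in sorted((user.groups & mapped_ae) - wanted):
            user.groups.discard(g)
            actions.append(("remove", g))
        user.data.update(ldap_data.get(name, {}))   # name, e-mail, ... refreshed
        actions.append(("update", name))
        return actions
    # in no mapped LDAP group: drop the mapped AE groups, never touch the data
    for g in sorted(user.groups & mapped_ae):
        user.groups.discard(g)
        actions.append(("remove", g))
    if name not in ldap_data and auto_deactivate:
        user.active = False            # orphaned account is disabled, not deleted
        actions.append(("deactivate", name))
    return actions
```

Groups that are not part of the mapping (local AE groups) are never touched, which matches the note that an AE group without an LDAP mapping is not synchronized.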