Synchronization Rules

This topic describes how user synchronization works between Microsoft Active Directory (LDAP for short) and the Automation Engine (AE) via LDAP Sync.

Notes:

  • The following concepts will help you better understand the synchronization rules:

    • The concepts of user and user group exist in both the AE and LDAP.
    • Users can be assigned to user groups.
    • One or more user groups in the AE can be mapped to one or more user groups in LDAP. If an AE user group is not mapped to an LDAP user group, no synchronization occurs.
    • Users in the AE can be tagged as existing users in LDAP.
  • You must administer AE user groups manually in the Administration perspective.
  • In addition to synchronization to AE, LDAP Sync also manages CDA user entities.


Scenarios Where no Synchronization Occurs

If at least one of the following cases is true, no synchronization occurs:

  • The AE user group to which the user belongs is not mapped to an LDAP user group.

    image depicting scenario

  • The AE user is not tagged as an LDAP user (the "LDAP connection" checkbox is cleared).

    image showing LDAP connection checkbox

Note: In these cases, users and user groups must be updated manually.

Scenario I: One AE User Group is Mapped to One LDAP User Group

The following statements are true:

  • The user group in the AE is mapped to the user group in LDAP.
  • You have created one user in the AE. The user is tagged as an LDAP user in the AE (the "LDAP connection" checkbox is checked).

Rules

graphic depicting decision tree for scenario 1

Important! In all other cases, no synchronization takes place.

Scenario II: Two User Groups in AE and LDAP: Both AE User Groups are Mapped to the Corresponding LDAP User Groups (1:1 Relation)

The following statements are true:

  • The AE user group "GrpAE" is mapped to the LDAP group "GrpLDAP".
  • The AE user group "GrpAE_B" is mapped to the LDAP group "GrpLDAP_B".
  • The user is tagged as an LDAP user (the "LDAP connection" checkbox is checked).

image depicting scenario

Rules

The basic rules of Scenario I apply.

Additionally:

graphic depicting decision tree for scenario 2

Scenario III: Two User Groups in AE and LDAP - Only One AE User Group is Mapped to the Corresponding LDAP User Group

The following statements are true:

  • The AE user group "GrpAE" is mapped to the LDAP group "GrpLDAP".
  • The AE user group "GrpAE_B" is not mapped to the LDAP group "GrpLDAP_B" (but can contain relevant users).
  • The user is tagged as an LDAP user (the "LDAP connection" checkbox is checked).

graphic depicting scenario

Rules

The basic rules of Scenario I apply.

Additionally:

graphic depicting decision tree for scenario 3

Scenario IV: Two User Groups in AE and one in LDAP - Two AE User Groups are Mapped to a Single LDAP User Group

The following statements are true:

  • The AE user group "GrpAE" is mapped to the LDAP group "GrpLDAP".
  • The AE user group "GrpAE_B" is mapped to the same LDAP group "GrpLDAP".
  • The user is tagged as an LDAP user (the "LDAP connection" checkbox is checked).

graphic depicting scenario

Rules

The basic rules of Scenario I apply.

Additionally:

graphic depicting decision tree for scenario 4

Scenario V: Two User Groups in LDAP and one in AE - Two LDAP User Groups are Mapped to a Single AE User Group

graphic depicting scenario

This scenario is not supported by LDAP Sync.