Synchronization and provisioning rules
Synchronization rules
| Rule | Description |
|---|---|
| One-way synchronization | The tool synchronizes changes from Microsoft Active Directory groups to Universal Device Service groups. Changes made to Universal Device Service groups using the Administration Console do not affect the membership of Microsoft Active Directory groups. |
| Does not manage local user accounts | The tool does not synchronize, add, or remove local user accounts. The tool can synchronize, add, and remove directory user accounts only. |
| Does not manage user accounts that are not integrated with Microsoft Active Directory | The tool does not manage user accounts that have no Microsoft Active Directory identifiers, for example, default system accounts such as the system administrator. |
| Does not add groups | The tool does not create new groups on the Universal Device Service. |
| One-to-one mappings | The tool supports one-to-one mappings of Microsoft Active Directory groups to Universal Device Service groups. You can configure as many one-to-one mappings as required. For example, if you want to map both Group A and Group B in Microsoft Active Directory to Group 1 on the Universal Device Service, you configure two mappings: Group A to Group 1 and Group B to Group 1. |
| Nested subgroups | You can configure the tool to synchronize nested groups in Microsoft Active Directory with Universal Device Service groups. The tool does not create new subgroups on the Universal Device Service. For example, Group 1 in Microsoft Active Directory has a nested subgroup called Group 2. You create Group A with no members on the Universal Device Service. You map Group 1 to Group A and you permit the tool to synchronize nested groups. When you run the tool, the user accounts in Group 1 and the nested Group 2 are assigned to Group A. |
| Synchronization outcomes | When you map a Microsoft Active Directory group to a Universal Device Service group and run the synchronization process, the following occurs: |
| Users restricted to one Universal Device Service group | A user account can be a member of one Universal Device Service group only. After the synchronization process adds a user to a Universal Device Service group (or identifies that the user already exists in a Universal Device Service group), the tool ignores any changes that would add the user to another group. Details are written to the report and log file for any changes that are not performed. |
| Force synchronization option | If the tool cannot find the Microsoft Active Directory group, or the group is no longer valid, one of the following occurs: If you select this option, always preview the provisioning and synchronization process so that you can verify that the changes will occur as expected. |
| Provisioning resolves before synchronization | If you configured mappings of Microsoft Active Directory groups to virtual provisioning groups and mappings of Microsoft Active Directory groups to Universal Device Service groups, the synchronization process resolves the provisioning tasks first (adding or removing user accounts), then performs the synchronization tasks. |
Rules when the provisioning feature is disabled
| Rule | Description |
|---|---|
| Does not add user accounts | If the tool identifies a Microsoft Active Directory user account that does not have a matching user account on the Universal Device Service, the tool does not add the user to the Universal Device Service and cannot synchronize the user account to a Universal Device Service group. The tool writes details to the report and log file. |
Rules when the provisioning feature is enabled
| Rule | Description |
|---|---|
| Adds user accounts | You map a Microsoft Active Directory group to a virtual provisioning group and start the synchronization process. If the tool identifies a Microsoft Active Directory user account that does not have a matching user account on the Universal Device Service, the tool adds the required user account to the Universal Device Service (this is a directory user account). If the Microsoft Active Directory group is mapped to the Provision User as Device Enabled virtual provisioning group, the tool adds a device-enabled user account. If the Microsoft Active Directory group is mapped to the Provision User virtual provisioning group, the tool adds an administrator account that is not device-enabled. When the tool adds a device-enabled user account to the Universal Device Service, the user account can be activated using Microsoft Active Directory credentials. The Universal Device Service does not send an activation email to users. You must send the activation information to users. |
| Does not assign roles | When the tool adds an administrator account that is not device-enabled to the Universal Device Service, it does not assign an administrative role to the account. It is a best practice to assign roles to administrator accounts by mapping the accounts to Universal Device Service groups that are already associated with roles. You can also assign roles to administrator accounts using the Administration Console. |
| Deprovisioning | If you enable deprovisioning, every directory user account on the Universal Device Service must have a matching user account in a Microsoft Active Directory group that is mapped to one of the virtual provisioning groups. If the tool identifies a user account that does not exist in a provisioning mapping, the tool removes the user account from the Universal Device Service (if the De-provisioning action is set to Delete users). The tool does not remove local user accounts. |
| Deprovisioning options | If the tool identifies a Universal Device Service user account that does not exist in a provisioning mapping, one of the following occurs: |
| Provisioning priority | If a Microsoft Active Directory user account is mapped to both types of virtual provisioning groups, and the user does not currently have a matching user account on the Universal Device Service, the tool adds the user to the Universal Device Service as a device-enabled user account. |
| Provisioning conflicts | If you add an administrator account to the Universal Device Service that is not device-enabled, and you later try to add the user to the Universal Device Service again as a device-enabled user account, the tool does not complete the task and writes details to the report and log file. The same applies in the reverse direction: if you add a device-enabled user account to the Universal Device Service, and you later try to add the user again as an administrator account that is not device-enabled, the tool does not complete the task and writes details to the report and log file. In either case, you can remove and add the user again using the Administration Console, or you can configure mappings to remove the user account and add the user account again. |
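The following is an added model of the synchronization and provisioning rules described in both tables above (provisioning before synchronization, flattened nested groups, one Universal Device Service group per user, device-enabled priority, conflicts reported rather than applied). It is illustrative code written for this page, not the tool's own implementation; the directory data, user names and the "device"/"admin" account kinds are constructed assumptions.

```python
# Constructed sample directory: AD group -> direct members and nested subgroups.
AD_GROUPS = {
    "Group 1": {"members": {"alice", "bob"}, "nested": ["Group 2"]},
    "Group 2": {"members": {"carol"}, "nested": []},
    "Group B": {"members": {"dave", "alice"}, "nested": []},
}

def ad_members(group, nested=True):
    """Flatten an AD group; nested members are included, but no UDS subgroup is created."""
    users = set(AD_GROUPS[group]["members"])
    if nested:
        for sub in AD_GROUPS[group]["nested"]:
            users |= ad_members(sub, True)
    return users

def synchronize(uds_users, group_mappings, provisioning=None, sync_nested=True):
    """uds_users: user -> {"kind": "device" | "admin", "group": UDS group or None}.
    group_mappings: list of one-to-one (AD group, UDS group) pairs.
    provisioning: AD group -> "device" or "admin"; None means provisioning is disabled.
    Returns the updated UDS state and the report/log entries for changes not performed."""
    log = []
    if provisioning:  # Rule: provisioning resolves before synchronization.
        wanted = {}
        for ad_group, kind in provisioning.items():
            for user in ad_members(ad_group, sync_nested):
                # Rule: a user mapped to both provisioning types becomes device-enabled.
                wanted[user] = "device" if "device" in (kind, wanted.get(user)) else "admin"
        for user, kind in sorted(wanted.items()):
            if user not in uds_users:
                uds_users[user] = {"kind": kind, "group": None}
                log.append(f"provisioned {user} as {kind}")
            elif uds_users[user]["kind"] != kind:
                # Rule: provisioning conflicts are not completed, only reported.
                log.append(f"conflict: {user} already {uds_users[user]['kind']}, not changed")
    for ad_group, uds_group in group_mappings:  # Rule: one-way sync, AD -> UDS groups only.
        for user in sorted(ad_members(ad_group, sync_nested)):
            if user not in uds_users:
                # Rule: with provisioning disabled, unknown users are neither added nor synced.
                log.append(f"skipped {user}: no matching UDS account")
            elif uds_users[user]["group"] in (None, uds_group):
                uds_users[user]["group"] = uds_group
            else:
                # Rule: one UDS group per user; a second assignment is ignored and logged.
                log.append(f"ignored {user} -> {uds_group}: already in {uds_users[user]['group']}")
    return uds_users, log
```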