AX2576

How Active Directory user synchronization works

This topic describes how new users are created and how existing users are updated when an Active Directory Import job runs in Scheduler.

NOTE: The Active Directory domain name is always used to determine matching users for purposes of the Active Directory import. If a user name matches but the domain does not, that user is not considered to be a matching user.

Creating new users via Active Directory import

For each unique user name in the import, Axiom Software looks for a matching user name in Axiom Software Security. If no match is found, then a new user is created. If a match is found, then the user synchronization behavior applies as detailed in the following section.

New users are created with the following user properties:

  • Login (from Active Directory)
  • Domain (from Active Directory)
  • First name (from Active Directory)
  • Last name (from Active Directory)
  • Email address (from Active Directory)
  • License Type (from Scheduler task settings)
  • Authentication (set to Windows User)
  • Enabled (from Scheduler task settings)
  • Assigned Roles (from Scheduler task settings)
  • Directory Sync Enabled (assumed as enabled)

NOTE: The imported user's domain does not display in the Security dialog, but it is stored in the database and can be reported on by using an Axiom query against the Axiom.Principals table. The relevant domain also displays before each user name when using Open Security in Spreadsheet. The domain is stored to handle the situation where two users with the same user name are imported from different domains.

IMPORTANT: If you are using subsystems, newly created users are not assigned to a subsystem. These users must be assigned to a subsystem before they can log in.

Synchronizing users via Active Directory import

If a user name in the Active Directory import matches an existing user name in Axiom Software security, then that user will be updated ONLY if the Directory Sync Enabled check box remains selected for the matching user. Matching users are updated as follows:

  • User Properties: If the first name, last name, or email address has changed in Active Directory, it is updated in Axiom Software.
  • License Type: If the assigned license type for the Active Directory group has changed, then the license type is updated in Axiom Software.
  • Role Assignments: The user's role assignments are updated as follows:
    • If a role mapping has been added for the Active Directory group, the user is assigned to that role.
    • If a role mapping has been removed from the Active Directory group, the user is not removed from the role. If the user should no longer belong to the role, it must be removed manually.
    • If the user no longer belongs to the Active Directory group, and that group's role mappings still exist, then the user is removed from those mapped roles (unless the user belongs to another Active Directory group in the import that is mapped to the same roles).
  • Disabled Users: If the user is disabled in Active Directory, then the user is disabled in Axiom Software. If the user is disabled in Axiom Software but enabled in Active Directory, then the user will either be re-enabled or left as disabled depending on whether Never Enable Users is checked in the Scheduler task settings.

If the Directory Sync Enabled check box is cleared for the matching user, then that user will be ignored by the Active Directory synchronization process and left as is.

If the Directory Sync Enabled check box is selected for a user and that user does NOT match a user name in the Active Directory import, then the user is disabled. If you still need the user account, you can re-enable the user and clear the Directory Sync Enabled check box so that the user will be ignored by future imports.
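To make the matching, creation, update and disable rules above concrete, here is an added Python model of one import run; it is illustrative code, not Axiom Software's implementation, and the record shapes, the role_map structure and the case-insensitive name comparison are assumptions.

```python
from dataclasses import dataclass, field
@dataclass
class AdUser:                        # one entry of the AD import (constructed data)
    login: str
    domain: str
    groups: frozenset                # AD groups the user belongs to
    enabled: bool = True
@dataclass
class AxiomUser:                     # Axiom security record (assumed shape)
    login: str
    domain: str
    roles: set = field(default_factory=set)
    groups: frozenset = frozenset()  # AD groups recorded at the last import
    enabled: bool = True
    directory_sync: bool = True      # the Directory Sync Enabled check box

def run_import(users, ad_users, role_map, never_enable=False):
    # role_map is {ad_group: set(roles)} from the task settings; matching is assumed
    # case-insensitive and always includes the domain, never the login alone
    index = {(u.login.lower(), u.domain.lower()): u for u in users}
    seen = {(a.login.lower(), a.domain.lower()) for a in ad_users}
    for ad in ad_users:
        mapped = set().union(*(role_map.get(g, set()) for g in ad.groups))
        u = index.get((ad.login.lower(), ad.domain.lower()))
        if u is None:                # no match: create a Windows-authenticated user
            users.append(AxiomUser(ad.login, ad.domain, set(mapped), ad.groups, ad.enabled))
        elif u.directory_sync:       # sync cleared means the user is left untouched
            # leaving a group whose mapping still exists revokes its roles unless another
            # current group maps them; a mapping removed from a group revokes nothing
            lost = set().union(*(role_map.get(g, set()) for g in u.groups - ad.groups))
            u.roles = (u.roles - (lost - mapped)) | mapped
            u.groups = ad.groups
            if not ad.enabled:
                u.enabled = False
            elif not u.enabled and not never_enable:
                u.enabled = True
    for u in users:                  # sync-enabled users absent from the import
        if u.directory_sync and (u.login.lower(), u.domain.lower()) not in seen:
            u.enabled = False
    return users
ROLE_MAP = {"Finance": {"Analyst"}, "Admins": {"Admin", "Analyst"}}   # constructed
def demo():
    users = [
        AxiomUser("alice", "CORP", {"Analyst", "Reviewer"}, frozenset({"Finance"})),
        AxiomUser("bob", "CORP", {"Analyst"}, frozenset({"Finance"}), directory_sync=False),
        AxiomUser("dave", "LAB", set()),  # same login as the CORP user imported below
    ]
    imported = [
        AdUser("alice", "CORP", frozenset({"Admins"})),   # left Finance, joined Admins
        AdUser("dave", "CORP", frozenset({"Finance"})),   # domain differs from dave@LAB
    ]
    return {f"{u.login}@{u.domain}": u for u in run_import(users, imported, ROLE_MAP)}
```

In the demo, alice keeps her manually added Reviewer role and keeps Analyst only because Admins also maps it, bob is ignored entirely, dave@LAB is disabled because only dave@CORP appears in the import, and dave@CORP is created as a new user.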

Editing imported users

Once an imported user has been created in Axiom Software, you can edit the user's permissions in Security as appropriate.

You can assign the user to additional roles, and those additional roles will persist through subsequent imports. Note that if you change a mapped role, that assignment will be overwritten the next time the import is run.

You can edit user properties such as name, email, and authentication type; however, these changes will be overwritten the next time the Active Directory import task is run, assuming that Directory Sync Enabled is still checked for the user.

If you do not want the user to be synchronized with Active Directory anymore, but you still want the user to be active in Axiom Software, then you should clear the Directory Sync Enabled check box for the user. Once this option is disabled, the user will be ignored by the import and will be treated like a manually created user.

Treatment of manually created users

If Active Directory Import is enabled for your system, you can still manually create users and exclude them from the Active Directory import and synchronization process by clearing the Directory Sync Enabled check box for the user. The user will be ignored by any future Active Directory Import jobs.

If you manually create a user and leave the Directory Sync Enabled check box selected, then the user will be treated as follows the next time an Active Directory Import job is run:

  • If the user matches a user name in the Active Directory import, then the user will remain active and will be synchronized with Active Directory.
  • If the user does not match a user name in the Active Directory import, then the user will be disabled.