AX2576

How Active Directory user synchronization works

This topic describes how new users are created and how existing users are updated when an Active Directory Import job runs in Scheduler.

NOTE: The Active Directory domain name is always used to determine matching users for purposes of the Active Directory import. If a user name matches but the domain does not, that user is not considered to be a matching user.

Creating new users via Active Directory import

For each unique user name in the import, Axiom looks for a matching user name in Axiom Security. If no match is found, then a new user is created. If a match is found, then the user synchronization behavior applies as detailed in the following section.

New users are created with the following user properties:

  • Login (from Active Directory)
  • Domain (from Active Directory)
  • First name (from Active Directory)
  • Last name (from Active Directory)
  • Email address (from Active Directory)
  • License Type (from Scheduler task settings)
  • Authentication (from Scheduler task settings)
  • Enabled (from Scheduler task settings)
  • Assigned Roles (from Scheduler task settings)
  • Assigned Subsystems (from Scheduler task settings)
  • Directory Sync Enabled (assumed as enabled)

NOTE: The imported user's domain does not display in the Security dialog, but it is stored in the database and can be reported on with an Axiom query against the Axiom.Principals table. The domain also displays before each user name when using Open Security in Spreadsheet. The domain is stored so that two users with the same user name imported from different domains can be distinguished.

Synchronizing users via Active Directory import

If a user name in the Active Directory import matches an existing user name in Axiom security, then that user will be updated ONLY if the Directory Sync Enabled check box remains selected for the matching user. Matching users are updated as follows:

  • User Properties: If the first name, last name, or email address has changed in Active Directory, it is updated in Axiom.
  • User License Type: If the assigned user license type for the Active Directory group has changed, then the license type is updated in Axiom.
  • Authentication Type: If the assigned authentication type for the Active Directory group has changed, then the authentication type is updated in Axiom.
  • Role and Subsystem Assignments: The user's role and subsystem assignments are updated as follows:
    • If a role or subsystem assignment has been added for the Active Directory group, the user is assigned to that role or subsystem.
    • If a role or subsystem assignment has been removed from the Active Directory group, the user is removed from that role or subsystem only if another group in the import is mapped to the same role or subsystem (and the user does not also belong to that other group). If the previously assigned role or subsystem is not present in any mapping at all, the user keeps the assignment.
    • If the user no longer belongs to the Active Directory group, and that group's role or subsystem mappings still exist, then the user is removed from those roles and subsystems (unless the user belongs to another Active Directory group in the import that is mapped to the same roles and subsystems).
  • Disabled Users: If the user is disabled in Active Directory, then the user is disabled in Axiom. If the user is disabled in Axiom but enabled in Active Directory, then the user will either be re-enabled or left as disabled depending on whether Never Enable Users is checked in the Scheduler task settings.

If the Directory Sync Enabled check box is cleared for the matching user, then that user will be ignored by the Active Directory synchronization process and left as is.

If the Directory Sync Enabled check box is selected for a user and that user does NOT match a user name in the Active Directory import, then the user is disabled. If you still need the user account, you can re-enable the user and clear the Directory Sync Enabled check box so that the user will be ignored by future imports.

NOTES:

  • Role mappings are processed in role ID order. If a group has multiple mappings, and the user license type or authentication type does not match on all of the mappings, then users in the group will be assigned to the license type and authentication type associated with the last-processed role.

  • If a role mapping uses a subsystem-specific role, users will be assigned to that role regardless of whether they also belong to the associated subsystem. This creates an invalid security configuration that must be corrected after the import.
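The synchronization rules above (create when no login and domain match, update only while Directory Sync Enabled is selected, the role and subsystem removal rules, the last-processed mapping deciding license and authentication type, and disabling synced users absent from the import) can be checked against sample data with the following model. This is an added example, not Axiom's code or a description of its internals: the User and GroupMapping structures, run_import(), the exact (login, domain) match key, and the sample groups and users are all assumptions constructed for the walkthrough. Because the later sections on editing imported users and on manually created users follow from the same rules, the sample data exercises those cases too.

```python
"""Illustrative model of the Active Directory import rules (added example, not Axiom's code).

Assumptions: users are matched on the exact (login, domain) pair; a role mapping ties one
AD group to one role plus subsystems, a license type and an authentication type; the
sample data below is constructed for the walkthrough.
"""
from dataclasses import dataclass, field


@dataclass
class User:
    login: str
    domain: str
    first: str = ""
    last: str = ""
    email: str = ""
    license_type: str = ""
    auth_type: str = ""
    enabled: bool = True
    roles: set = field(default_factory=set)
    subsystems: set = field(default_factory=set)
    directory_sync_enabled: bool = True


@dataclass
class GroupMapping:
    """One role mapping from the Scheduler task: AD group -> role, with its settings."""
    group: str
    role_id: int
    subsystems: set
    license_type: str
    auth_type: str


def run_import(axiom_users, ad_groups, mappings, enable_new_users=True, never_enable_users=False):
    """Apply one import to axiom_users (dict keyed by (login, domain)); return an action log.

    ad_groups maps an AD group name to the member records read from Active Directory.
    """
    log = []
    wanted = {}  # (login, domain) -> what this import says the user should have
    # Mappings are processed in role ID order; for a user in several mapped groups the
    # last-processed mapping decides license type and authentication type.
    for m in sorted(mappings, key=lambda m: m.role_id):
        for member in ad_groups.get(m.group, []):
            key = (member["login"], member["domain"])
            w = wanted.setdefault(key, {"attrs": member, "roles": set(), "subsystems": set()})
            w["roles"].add(m.role_id)
            w["subsystems"] |= m.subsystems
            w["license_type"], w["auth_type"] = m.license_type, m.auth_type
    mapped_roles = {m.role_id for m in mappings}
    mapped_subsystems = set().union(*(m.subsystems for m in mappings))

    for key, w in wanted.items():
        a = w["attrs"]
        user = axiom_users.get(key)
        if user is None:
            # New user: identity from AD, license/auth/enabled/assignments from the task,
            # Directory Sync Enabled assumed on.
            axiom_users[key] = User(*key, a["first"], a["last"], a["email"],
                                    w["license_type"], w["auth_type"], enable_new_users,
                                    set(w["roles"]), set(w["subsystems"]), True)
            log.append(f"created {key}")
            continue
        if not user.directory_sync_enabled:
            log.append(f"skipped {key}")  # left exactly as is
            continue
        user.first, user.last, user.email = a["first"], a["last"], a["email"]
        user.license_type, user.auth_type = w["license_type"], w["auth_type"]
        # Add what the user's groups grant; drop an existing assignment only if some mapping
        # in this import governs it and none of the user's groups grant it. Assignments
        # that appear in no mapping (for example manual ones) are left alone.
        user.roles = (user.roles - mapped_roles) | w["roles"]
        user.subsystems = (user.subsystems - mapped_subsystems) | w["subsystems"]
        if not a["enabled"]:
            user.enabled = False
        elif not user.enabled and not never_enable_users:
            user.enabled = True
        log.append(f"updated {key}")

    # Synced users the import did not mention at all are disabled.
    for key, user in axiom_users.items():
        if user.directory_sync_enabled and key not in wanted and user.enabled:
            user.enabled = False
            log.append(f"disabled {key}")
    return log


def demo():
    """Constructed sample data exercising each documented rule."""
    ad_groups = {
        "Finance": [
            {"login": "jdoe", "domain": "CORP", "first": "Jane", "last": "Doe",
             "email": "jane.doe@example.com", "enabled": True},
            {"login": "klee", "domain": "CORP", "first": "Kim", "last": "Lee",
             "email": "kim.lee@example.com", "enabled": True},
        ],
        "Audit": [
            {"login": "klee", "domain": "CORP", "first": "Kim", "last": "Lee",
             "email": "kim.lee@example.com", "enabled": True},
        ],
    }
    mappings = [
        GroupMapping("Audit", 20, {"GL"}, "Full", "AD"),
        GroupMapping("Finance", 10, {"Budget"}, "Viewer", "AD"),
    ]
    users = {
        # Synced; manually given role 20 (mapped to Audit, which jdoe is not in) and 99 (unmapped).
        ("jdoe", "CORP"): User("jdoe", "CORP", "J", "Doe", "old@example.com", "Viewer", "AD",
                               True, {10, 20, 99}, {"Budget"}, True),
        # Directory Sync Enabled cleared: ignored although absent from the import.
        ("asmith", "CORP"): User("asmith", "CORP", directory_sync_enabled=False),
        # Same login as jdoe but a different domain: not a match, so disabled.
        ("jdoe", "LAB"): User("jdoe", "LAB", roles={10}),
    }
    return users, run_import(users, ad_groups, mappings)


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```

Running demo() shows jdoe losing role 20 while keeping the unmapped role 99, klee being created with the Full license from the last-processed mapping (role 20), asmith left untouched because Directory Sync Enabled is cleared, and the LAB-domain jdoe disabled because the domain does not match even though the login does.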

Editing imported users

Once an imported user has been created in Axiom, you can edit the user's permissions in Security as appropriate.

You can assign the user to additional roles and/or subsystems, and those additional assignments will persist through subsequent imports. However, if the user is part of an import that contains a mapping with those roles or subsystems, and the user is not in the group affected by that mapping, then the user will be removed from those roles or subsystems.

You can edit user properties such as name, email, and authentication type; however, these changes will be overwritten the next time the Active Directory import task is run, assuming that Directory Sync Enabled is still checked for the user.

If you do not want the user to be synchronized with Active Directory anymore, but you still want the user to be active in Axiom, then you should clear the Directory Sync Enabled check box for the user. Once this option is disabled, the user will be ignored by the import and will be treated like a manually created user.

Treatment of manually created users

If Active Directory Import is enabled for your system, you can still manually create users and exclude them from the Active Directory import and synchronization process by clearing the Directory Sync Enabled check box for the user. The user will be ignored by any future Active Directory Import jobs.

If you manually create a user and leave the Directory Sync Enabled check box selected, then the user will be treated as follows the next time an Active Directory Import job is run:

  • If the user matches a user name in the Active Directory import, then the user will remain active and will be synchronized with Active Directory.
  • If the user does not match a user name in the Active Directory import, then the user will be disabled.