Synchronize Users and Roles
Due to various factors, users go out-of-sync with the provisioning roles that are assigned to them.
Some possible reasons for going out of sync are:
- Earlier attempts to create necessary accounts failed due to hardware or software problems in your network, causing missing accounts.
- Provisioning roles and account templates change, and this creates extra or missing accounts.
- Administrators use native tools on an endpoint to add or delete accounts. If you have not explored the endpoint again to update the provisioning directory, users end up having extra or missing accounts.
To correct this, an administrator synchronizes users and provisioning roles so that each user has the accounts on the managed endpoints that the provisioning role defines.
Use any of the following methods to synchronize users and provisioning roles:
Check Role Synchronization
By using the Check Role Synchronization task, an administrator can check whether a user's accounts comply with the provisioning roles and, if they do not, perform the Synchronize operation. The task shows the extra and missing accounts of a user. If the user is out of sync with the provisioning roles, the administrator can run Synchronize so that the user has the necessary accounts on the managed endpoints. This task also ensures that each account belongs to the correct account templates.
Note: Using this task, you can synchronize only one user at a time with the provisioning roles.
Follow these steps:
- Log in to the Identity Manager User Console.
- Navigate to Users, Synchronization, Check Role Synchronization.
- Select a user. A screen appears showing the expected accounts, extra accounts, and missing accounts of the user.
- If the user accounts are out of sync, click Synchronize to make the accounts match the account templates in the provisioning role, and choose the options to apply:
  - Add missing accounts: Select this option to create missing accounts on the endpoint. If more than one account template for the user prescribes the same account, the account is created by merging all relevant account templates. This account is assigned to those account templates that are currently not synchronized with the account.
  - Remove extra accounts: Select this option to delete extra user accounts. However, users can have legitimate reasons for having these accounts. If that is the case, leave this option unchecked. On certain endpoints, the account deletion function is disabled; therefore, the account is not deleted.
- Click Yes.
Note: Synchronization does not happen when a template is removed from the provisioning role by using the Modify Provisioning Role task.
Synchronize User with Roles
By using the Synchronize User with Roles task, an administrator can synchronize out-of-sync users with the provisioning roles that are assigned to them.
Note: You can check the extra or missing accounts of a user with the Check Role Synchronization task. However, that task lets you check and synchronize only one user at a time with its assigned roles.
Follow these steps:
- Log in to the Identity Manager User Console.
- Navigate to Users, Synchronization, Synchronize User with Roles.
- Select the user(s) and choose the options to apply:
  - Add missing accounts: Select this option to create missing accounts on the endpoint. If more than one account template for the user prescribes the same account, the account is created by merging all relevant account templates. This account is assigned to those account templates that are currently not synchronized with the account.
  - Remove extra accounts: Select this option to delete extra user accounts. However, users can have legitimate reasons for having these accounts. If that is the case, leave this option unchecked. On certain endpoints, the account deletion function is disabled; therefore, the account is not deleted.
  Note: When you modify these properties in the Synchronize User with Roles admin task, the same values are reflected here too.
- Click Yes.
Synchronize User with Roles in Bulk
An administrator can synchronize users with provisioning roles in bulk. To perform bulk synchronization, you must first enable the Remove extra accounts and Add missing accounts properties in the Synchronize User with Roles admin task and then perform a Bulk Loader operation.
Follow these steps:
- Log in to the Identity Manager User Console.
- Modify the Synchronize User with Roles admin task to configure the properties that let you add missing accounts and remove extra accounts on endpoints:
  - Navigate to Roles and Tasks, Admin Tasks, Modify Admin Task.
  - Search for the Synchronize User with Roles admin task.
  - In the Profile tab, click Configuration Properties.
  - In the Task Configuration Properties screen, configure the following properties:
    - Remove extra accounts: By default, this property is set to false. Set it to true to delete extra accounts on the endpoints.
    - Add missing accounts: By default, this property is set to false. Set it to true to create missing accounts on the endpoints.
    Note: The values that you set for these properties here affect the same properties that are used in the Synchronize User with Roles task.
  - Click OK.
- Synchronize users with roles in bulk using the Bulk Loader:
  - Navigate to System, Bulk Loader.
  - Upload a .csv file that contains all users that must be synchronized with the provisioning roles. Note: The action column in the .csv file can have any value other than Create, Modify, and Delete.
  - In the Loader Record Details screen, configure the following fields:
    - What field represents the action to perform on the object?: Select action from the drop-down.
    - What field will be used to uniquely identify the object?: Select from the drop-down the field on which an action must be performed.
  - Click Next.
  - In the Loader Actions Mapping screen, configure the following fields:
    - What is the Primary Object?: Select USER from the drop-down.
    - Select a task to execute for action '<action>': Select Synchronize User with Roles from the drop-down.
  - Click Finish.
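A pre-flight check for the Bulk Loader file described above, added here as an example and not part of Identity Manager: it verifies that the action column avoids the reserved values Create, Modify and Delete and that the identifier column is present, non-empty and unique. The column name userid, the case-insensitive comparison and the sample rows are assumptions.

```python
"""Pre-flight check for the .csv uploaded to the Bulk Loader for the
Synchronize User with Roles task (added example, not Identity Manager
code). The 'action' column name comes from the page; the identifier
column name 'userid' and the sample rows are constructed assumptions."""
import csv
import io

# Values the loader maps to its own Create/Modify/Delete tasks, so they
# must not appear in a synchronization file (compared case-insensitively,
# a conservative assumption).
RESERVED_ACTIONS = {"create", "modify", "delete"}

def validate_sync_csv(text, action_field="action", id_field="userid"):
    """Return the list of problems found; an empty list means safe to upload."""
    rows = list(csv.DictReader(io.StringIO(text)))
    if not rows:
        return ["file has no data rows"]
    problems = [f"missing column '{f}'" for f in (action_field, id_field)
                if f not in rows[0]]
    if problems:
        return problems
    seen = {}                                   # identifier -> first line
    for line, row in enumerate(rows, start=2):  # line 1 is the header
        uid = (row[id_field] or "").strip()
        action = (row[action_field] or "").strip()
        if not uid:
            problems.append(f"line {line}: empty {id_field}")
        elif uid in seen:
            problems.append(f"line {line}: duplicate {id_field} '{uid}' "
                            f"(first seen on line {seen[uid]})")
        else:
            seen[uid] = line
        if not action:
            problems.append(f"line {line}: empty {action_field}")
        elif action.lower() in RESERVED_ACTIONS:
            problems.append(f"line {line}: action '{action}' is reserved "
                            "by the Bulk Loader; use a custom value")
    return problems

# Constructed sample files.
SAMPLE_OK = "userid,action\nalice,Synchronize\nbob,Synchronize\n"
SAMPLE_BAD = "userid,action\nalice,Synchronize\nalice,Delete\n,Synchronize\n"

if __name__ == "__main__":
    print("ok file:", validate_sync_csv(SAMPLE_OK))
    for problem in validate_sync_csv(SAMPLE_BAD):
        print("bad file:", problem)
```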
Check Role with Users Synchronization
By using the Check Role with Users Synchronization task, an administrator can check whether a provisioning role is synchronized with all its assigned users and, if it is not, perform the Synchronize operation to ensure that the users have the necessary accounts on endpoints.
Points to consider:
- Using the Check Role with Users Synchronization task, you can synchronize only one role at a time with its assigned users.
- The Check Role with Users Synchronization task is not supported from TEWS.
Follow these steps:
- Log in to the Identity Manager User Console.
- Navigate to Users, Synchronization, Check Role with Users Synchronization.
- Select a role. A screen appears showing the missing accounts for the selected role, if any.
- Click Synchronize to create the missing accounts on endpoints.
Synchronize Role with Users
By using the Synchronize Role with Users task, an administrator can synchronize provisioning roles with their assigned users.
Points to consider:
- You can check the missing accounts for a role with the Check Role with Users Synchronization task. However, that task lets you check and synchronize only one role at a time with its assigned users.
- In a nested roles scenario, the included roles are also considered for synchronization with users.
- The Synchronize Role with Users task is supported only for endpoints that are reachable.
- The Synchronize Role with Users task does not support removal of extra accounts, because a user who is assigned to multiple provisioning roles with account templates mapped to the same endpoints leads to an out-of-sync condition.
- Synchronization of multiple provisioning roles with account templates mapped to the same endpoints fails.
- Synchronization of multiple provisioning roles with users from TEWS is not supported.
- For good performance, avoid synchronizing multiple roles at a time.
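The following model, added as an example and not Identity Manager code, works through the expected, missing and extra accounts that Check Role Synchronization reports for a user and the add-only plan that a role-centric sync produces, with nested roles resolved and templates on the same endpoint merged into one account. All role, template, endpoint and user names are constructed sample data.

```python
"""Model of provisioning-role synchronization (added illustration, not
Identity Manager code). Each account template prescribes one account on
one endpoint; a user is in sync when the user's accounts on the endpoints
match the templates of every assigned role, nested roles included."""
from dataclasses import dataclass, field

@dataclass
class Role:
    templates: set = field(default_factory=set)       # template names
    included_roles: set = field(default_factory=set)  # nested roles

# Constructed sample data: template -> endpoint where it prescribes an account.
TEMPLATES = {"AD-Base": "ActiveDirectory", "AD-Finance": "ActiveDirectory",
             "DB-Finance": "OracleDB", "Unix-Dev": "UnixEndpoint"}
ROLES = {"Employee": Role({"AD-Base"}),
         "Finance": Role({"AD-Finance", "DB-Finance"}, {"Employee"}),
         "Developer": Role({"Unix-Dev"}, {"Employee"})}
# User -> (assigned roles, endpoints where the user currently has an account).
USERS = {"alice": ({"Finance"}, {"ActiveDirectory"}),
         "bob": ({"Developer"}, {"ActiveDirectory", "UnixEndpoint", "OracleDB"})}

def templates_of(role, roles, seen=None):
    """Templates of a role plus those of every role it includes (nested)."""
    seen = set() if seen is None else seen
    if role in seen:            # guard against cyclic role inclusion
        return set()
    seen.add(role)
    found = set(roles[role].templates)
    for inner in roles[role].included_roles:
        found |= templates_of(inner, roles, seen)
    return found

def expected_accounts(user_roles, roles=ROLES, templates=TEMPLATES):
    """Endpoint -> templates prescribing the user's account there. Several
    templates on one endpoint collapse into a single (merged) account."""
    expected = {}
    for role in user_roles:
        for tpl in templates_of(role, roles):
            expected.setdefault(templates[tpl], set()).add(tpl)
    return expected

def check_user(user_roles, actual, roles=ROLES, templates=TEMPLATES):
    """Return (missing, extra) endpoints, as Check Role Synchronization shows."""
    expected = set(expected_accounts(user_roles, roles, templates))
    return expected - actual, actual - expected

def role_sync_plan(role, users=USERS, roles=ROLES, templates=TEMPLATES):
    """Missing accounts a role-centric sync creates for each assigned user.
    Extra accounts are never removed: a user's other roles may prescribe them."""
    return {user: check_user(r, a, roles, templates)[0]
            for user, (r, a) in users.items()
            if role in r and check_user(r, a, roles, templates)[0]}
```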
Follow these steps:
- Log in to the Identity Manager User Console.
- Navigate to Users, Synchronization, Synchronize Role with Users.
- Select the role(s) to synchronize with users.
- Click Select.
- Click Yes to confirm the synchronization operation.