Active Directory
Standard Active Directory service, also referred to as Active Directory "on premises", has a configuration window for synchronizing users with the Active Directory source. This window is split into four tabs, each of which is described below.
Settings
The tab allows you to select a domain or a specific organizational unit from which information about users, groups, and organizational structure is retrieved.
1. Domain/Organizational unit
The field specifies the domain or organizational unit (you can provide more than one) which is to be synchronized. The list of domains and organizational units is available after clicking the button. You can delete the selected domain or organizational unit with the delete button.
Synchronization of data with the Active Directory source occurs within the context of the user defined in the Credentials tab. This means that the list of domains or organizational units available for synchronization is also retrieved within the context of such a user.
2. Database column
The BPS cache database column that stores potential additional information (properties) regarding the synchronized object that has been specified in the Columns mapping column.
3. Columns mapping
Additional information (properties) stored in the BPS database columns specified in the Database column field. The aforementioned information can include country code (countrycode), account expiry date (accountexpires), or object GUID identifier (objectguid).
Credentials
The tab enables defining a user within the context of whom the BPS users list will be synchronized with the Active Directory source. The user used for synchronization must hold the required permissions allowing them to read the data from the domains and organizational units defined in the configuration.
The minimum permissions required for synchronization are:
- read account restrictions,
- read general information,
- read public information.
1. Connect using BPS service user data
The user within the context of whom the synchronization will be executed is by default the user whose account hosts WEBCON Workflow Service.
2. Connect using given data
Selecting the checkbox activates fields below it, allowing for the specification of a user different from the one in the context of whom the BPS service operates. Additionally, checking the Use SSL/TLS connection checkbox enables encryption for connecting with Active Directory.
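The following PowerShell script is an added example (not part of the WEBCON documentation or product) that grants the synchronization account only the three minimum read permissions listed above on a selected organizational unit, resolving the property-set GUIDs from the schema instead of hard-coding them. The account name and the OU distinguished name are placeholders.

```powershell
# Added example: least-privilege read permissions for the BPS synchronization account.
# Placeholders: $SyncAccount is the user from the Credentials tab, $TargetOU is an OU
# chosen on the Settings tab. Run as an account allowed to modify the OU's ACL.
Import-Module ActiveDirectory

$SyncAccount = 'CONTOSO\svc-bps-adsync'        # placeholder
$TargetOU    = 'OU=Staff,DC=contoso,DC=local'  # placeholder

# Resolve the property-set GUIDs (rightsGuid) from the Extended-Rights container.
$extendedRights = "CN=Extended-Rights,$((Get-ADRootDSE).ConfigurationNamingContext)"
$propertySets = 'Account Restrictions', 'General Information', 'Public Information' |
    ForEach-Object {
        $obj = Get-ADObject -SearchBase $extendedRights -LDAPFilter "(displayName=$_)" -Properties rightsGuid
        if (-not $obj) { throw "Property set '$_' not found under $extendedRights" }
        [PSCustomObject]@{ Name = $_; Guid = [guid]$obj.rightsGuid }
    }

$identity = [System.Security.Principal.NTAccount]$SyncAccount
$acl = Get-Acl -Path "AD:\$TargetOU"

foreach ($set in $propertySets) {
    # Skip the property set if an explicit Allow/ReadProperty ACE for the account already exists.
    $existing = $acl.Access | Where-Object {
        $_.IdentityReference -eq $identity -and
        $_.AccessControlType -eq 'Allow' -and
        $_.ObjectType -eq $set.Guid -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty)
    }
    if ($existing) { Write-Host "OK: '$($set.Name)' already readable by $SyncAccount"; continue }

    # ReadProperty limited to this property set, inherited by all objects below the OU.
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $identity,
        [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $set.Guid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents)
    $acl.AddAccessRule($ace)
    Write-Host "Adding: read '$($set.Name)' for $SyncAccount on $TargetOU"
}
Set-Acl -Path "AD:\$TargetOU" -AclObject $acl
```

In many domains these property sets are already readable through Authenticated Users or Pre-Windows 2000 Compatible Access, so the script only adds explicit entries where the account has none of its own.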
Schedule
The tab allows you to specify when the synchronization is to be executed. To maintain an optimal level of data currency within the WEBCON BPS platform, it is recommended to perform synchronization several times a day.
1. Hours during which full user synchronization is activated
The field allows you to define the time at which full user synchronization is executed. This involves retrieving and updating all the data pertaining to groups and users, regardless of whether the data has changed since the last synchronization.
Full synchronization may require significantly more time compared to the incremental method. It is advised to employ this mode only when it is duly justified.
2. Hours during which incremental user synchronization is activated
The field enables you to specify the timing for incremental synchronization. In this mode, data related to groups and users is updated differentially, meaning only the data of objects (users and groups) whose properties have been modified since the last synchronization is updated. The incremental synchronization also updates the status of added or deleted objects. For optimal performance, it's advised to set this mode as the default one.
Advanced
The tab offers the choice of two synchronization types: Synchronize the user list and Synchronize the user list in Debug mode (both in full and incremental manner), and enables filtering search results and defining error codes that interrupt synchronization.
1. Additional search filter to use during synchronization
By setting up a filter, only users and groups that meet its criteria are synchronized. Additionally, dependent objects of these users and groups (such as groups to which a user or their superior belongs) are also synchronized. In the case of dependent objects, the filter is not applied.
The filter applies to every synchronization type. When limiting synchronization to the selected organizational units, the filter is added to the filter for the specified unit.
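The following PowerShell script is an added example (not part of the WEBCON documentation or product) that dry-runs an additional search filter against the selected organizational units before it is saved in BPS. It applies the filter inside each OU, as the synchronization does, and then lists the dependent objects (group memberships and managers) that lie outside the selected OUs, because those are synchronized without the filter. The OU list and the filter are assumed values; the filter is standard LDAP syntax matching enabled user accounts and all groups.

```powershell
# Added example: preview what an "Additional search filter" will match per selected OU.
# Placeholders: $SyncOUs are the units chosen on the Settings tab; $AdditionalFilter is an
# illustrative LDAP filter (enabled users: userAccountControl bit 0x2 clear, plus all groups).
Import-Module ActiveDirectory

$SyncOUs = @('OU=Staff,DC=contoso,DC=local', 'OU=Contractors,DC=contoso,DC=local')
$AdditionalFilter = '(|(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))(objectCategory=group))'

foreach ($ou in $SyncOUs) {
    # The additional filter is combined with the scope of each selected unit,
    # so the dry run evaluates it separately inside every OU.
    $matched = Get-ADObject -SearchBase $ou -SearchScope Subtree -LDAPFilter $AdditionalFilter -Properties memberOf, manager
    $users  = @($matched | Where-Object ObjectClass -eq 'user')
    $groups = @($matched | Where-Object ObjectClass -eq 'group')
    Write-Host ("{0}: {1} users, {2} groups match the filter" -f $ou, $users.Count, $groups.Count)

    # Dependent objects of matched users are synchronized regardless of the filter.
    # Report the ones outside every selected OU so that their presence is expected.
    $dependents = foreach ($u in $users) { $u.memberOf; $u.manager }
    $outside = $dependents | Where-Object { $_ } | Sort-Object -Unique | Where-Object {
        $dn = $_
        -not ($SyncOUs | Where-Object { $dn -like "*,$_" })
    }
    if ($outside) {
        Write-Host "  Dependent objects outside the selected OUs (synchronized without the filter):"
        $outside | ForEach-Object { Write-Host "    $_" }
    }
}
```

Run the script in the context of the synchronization account from the Credentials tab so that the preview reflects the objects that account can actually read.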
2. Interrupt synchronization on any Active Directory error
This checkbox cancels the entire synchronization if an error related to the connection or data retrieval from AD occurs in any Organizational Unit.
3. Error codes causing synchronization interruption
The list of error codes that interrupt user synchronization.
The full list of codes is available here. All other error codes do not result in interrupting the user synchronization (the synchronization is completed with an error and the respective information is registered in the log).
4. Add JSON data from Active Directory to data logs in Debug mode
Selecting this checkbox causes the diagnostic information to be supplemented with .json files downloaded from AD when users are synchronized in Debug mode.
5. Synchronize the user list
The section provides two buttons:
- Incremental synchronization – the user and group data is updated differentially. This means that the system synchronizes only the data of those objects (users and groups) whose properties have been changed since the last synchronization. The incremental synchronization also updates the status of added and removed objects. For optimal performance, it is advised to use this mode as the default one.
- Full synchronization – the system retrieves and updates full data on all groups and users, regardless of whether it has changed since the last synchronization or not. The full synchronization requires much more time than the incremental one. For this reason, it is recommended to select this mode only in duly justified cases.
6. Synchronize the user list in Debug mode
The synchronization in the Debug mode allows you to collect additional information on the progress of synchronization. During the synchronization the log registers detailed diagnostic information, which is why the synchronization can take more time. The Debug mode enables detailed analysis of individual synchronization steps and should be applied only for diagnostic purposes. As in the standard synchronization mode, there are buttons provided for executing full and incremental synchronization. Furthermore, the Selected users synchronization – Debug button enables synchronization of a single user by entering their BPS ID.
For more information on form fields visit the following WEBCON Community websites: