Existing Web and/or email customers (LDAP)
For existing cloud web and/or email customers, see the following:
Wanting to manage users/groups from an LDAP directory
* Review the existing cloud data structure, specifically the structure of users, groups, and policies. Go to Account > End Users and Account > Groups to view groups and users. (See Groups.) Make sure the structure is still as you require. This is a good opportunity to review and amend the structure. Review the exceptions in the policy. (See Defining Web Policies and Exceptions.)
* Configure the Directory Synchronization Client to search the LDAP directory and extract groups and users to a local file. (See the Directory Synchronization Client Administrator's Guide for instructions.) Compare the results against the cloud data, old CSV files, and/or expectations. Modify the search as necessary to ensure it returns expected results.
* Decide whether to allow overwriting of groups of the same names. In the cloud manager, set Overwrite groups as necessary. (See Configure identity management for information.) If you allow overwriting, LDAP groups take over existing groups while retaining their structure in policies and exceptions. If you do not overwrite groups, make sure that all groups being synchronized from LDAP have different names than those in the cloud, then change any group-based notification in the cloud manager to the new LDAP names as required.
* Then, on the Identity Management screen, assign users to a default policy and, for User policy assignment, select Follow group membership. With this setting, as users are moved to a different LDAP group, their policy assignment changes in step.
* In the cloud manager, set up a contact with Directory Synchronization permissions. (See Set up authentication (Directory Synchronization only).) This will be the username/logon that the Directory Synchronization Client uses to log into the cloud manager.
* During a slow period, select Replace on the client. Data is synchronized to the cloud manager. Note the number of additions. This is visible on the Synchronization page and also in the notification email messages.
* Log on to the cloud manager. Using Account > End Users and Account > Groups, check that users' and groups' policies are as expected. (See View and manage user data.)
Wanting to manage users/groups from an LDAP directory but Web policy assignment from the portal
* Review the existing cloud data structure, specifically the structure of users, groups, and policies. Go to Account > End Users and Account > Groups to view groups and users. (See Groups.) Make sure the structure is still as you require. This is a good opportunity to review and amend the structure.
* Configure the Directory Synchronization Client to search the LDAP directory and extract groups, users, and email addresses to a local file. (See the Directory Synchronization Client Administrator's Guide for instructions.) Compare the results against the cloud data, old CSV files, and/or expectations. Modify the search as necessary to ensure it returns expected results.
* Decide whether to allow overwriting of groups of the same names. In the cloud manager, set Overwrite groups as necessary. (See Configure identity management for information.) If you allow overwriting, LDAP groups take over existing groups while retaining their structure in policies and exceptions. If you do not overwrite groups, make sure that all groups being synchronized from LDAP have different names than those in the portal, then change any group-based notification on the portal to the new LDAP names as required.
* Then, on the Identity Management screen, assign users to a default policy and, for User policy assignment, select Fixed. With this setting, new web users are assigned to the web policy when first synchronized into the service. After that, you must manage all movement of users between policies in the cloud manager using the Manage Users page. (Group membership is ignored.)
* In the cloud manager, set up a contact with Directory Synchronization permissions. (See Set up authentication (Directory Synchronization only).) This will be the username/logon that the Directory Synchronization Client uses to log into the cloud manager.
* During a slow period, select Replace on the client. Data is synchronized to the cloud manager. Note the number of additions. This is visible on the Synchronization page and also in the notification email messages.
* Log on to the cloud manager. Using Account > End Users and Account > Groups, check that users' and groups' policies are as expected. (See View and manage user data.)
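The comparison called for in both procedures above (checking the local LDAP extract against the existing cloud data before selecting Replace) can be scripted. The following is an added example, not part of the Forcepoint documentation or tooling: the CSV layout, the sample records, and the function names are assumptions, and group names are compared case-insensitively as a conservative choice.

```python
import csv
import io

# Constructed sample exports. The layout (email column, ';'-separated groups
# column) is an assumption for this example, not the client's real file format.
LDAP_EXPORT = """email,groups
alice@example.com,Sales;VPN-Users
bob@example.com,Engineering
carol@example.com,Engineering;Admins
"""
CLOUD_EXPORT = """email,groups
alice@example.com,Sales
bob@example.com,engineering
dave@example.com,Contractors
"""


def load(text):
    """Parse an export into {lower-cased email: set of group names}."""
    users = {}
    for row in csv.DictReader(io.StringIO(text)):
        groups = {g.strip() for g in row["groups"].split(";") if g.strip()}
        users[row["email"].strip().lower()] = groups
    return users


def fold(groups):
    """Case-fold names so 'Engineering' and 'engineering' count as the same."""
    return {g.casefold() for g in groups}


def preflight(ldap_text, cloud_text):
    """Summarize what differs between the LDAP extract and the cloud data."""
    ldap, cloud = load(ldap_text), load(cloud_text)
    ldap_groups = set().union(*ldap.values())
    cloud_folded = fold(set().union(*cloud.values()))
    shared = ldap.keys() & cloud.keys()
    return {
        # Matters when Overwrite groups is off: these names need to differ.
        "name_collisions": sorted(g for g in ldap_groups if g.casefold() in cloud_folded),
        # Compare this count with the additions reported after the sync.
        "expected_additions": sorted(ldap.keys() - cloud.keys()),
        "cloud_only_users": sorted(cloud.keys() - ldap.keys()),
        # Matters with Follow group membership: policy follows the group.
        "membership_changes": sorted(u for u in shared if fold(ldap[u]) != fold(cloud[u])),
    }


if __name__ == "__main__":
    for key, values in preflight(LDAP_EXPORT, CLOUD_EXPORT).items():
        print(f"{key}: {values}")
```

An unexpected entry under `cloud_only_users` or `membership_changes` is a reason to revisit the LDAP search filter before running the synchronization.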

Copyright 2023 Forcepoint. All rights reserved.