Review the existing cloud data structure, specifically the structure of users, groups, and policies. Go to Account > End Users and Account > Groups to view groups and users. (See Groups). Make sure the structure is still as you require. This is a good opportunity to review and amend the structure. Review the exceptions in the policy. (See Defining Web Policies) and exceptions. (See Exceptions.)

Configure the Directory Synchronization Client to search the LDAP directory and extract groups and users to a local file. (See the Directory Synchronization Client Administrator's Guide for instructions.) Compare the results against the cloud data, old CSV files, and/or expectations. Modify the search as necessary to ensure it returns expected results.

Decide whether to allow overwriting of groups of the same names. In the cloud manager, set Overwrite groups as necessary. (See Configure identity management for information.) If you allow overwriting, LDAP groups then take over existing groups but retaining their structure in policies and exceptions. If you do not overwrite groups, make sure that all groups being synchronized from LDAP have different names than those in the cloud, then change any group-based notification in the cloud manager to the new LDAP names as required.

Then on the Identity Management screen, assign users to a default policy and for User policy assignment, select Follow group membership. With this setting, as users are moved to a different LDAP group, their policy assignment changes in step.

In the cloud manager, set up a contact with Directory Synchronization permissions. (See Set up authentication (Directory Synchronization only).) This will be the username/logon used for the Directory Synchronization Client logs into the cloud manager.

Now you are ready! In the cloud manager, enable Directory Synchronization. (See Configure identity management.)

In the Directory Synchronization Client, set up portal settings in the configuration established above, changing the output type to portal (not file) and using the contact with Directory Synchronization permissions created above. (See the Directory Synchronization Client Administrator's Guide.)

During a slow period, select Replace on the client. Data is synchronized to the cloud manager. Note the number of additions.This is visible in the Synchronization page and also from the notification email messages.

Log onto the cloud manager. Using Account > End Users and Account > Groups, check that users' and groups' policies are as expected. (See View and manage user data.)

On the Identity Management page, view Recent Synchronizations and compare the totals of additions against those noted in the Directory Synchronization Client. They should match. (See View recent synchronizations.)

The system is now live. If you are unhappy with the user/groups data you have synchronized then you can use Restore to undo the synchronization data, and try again. (See Restore directories.)

Review the existing cloud data structure, specifically the structure of users, groups, and policies. Go to Account > End Users and Account > Groups to view groups and users. (See Groups). Make sure the structure is still as you require. This is a good opportunity to review and amend the structure.

Configure the Directory Synchronization Client to search the LDAP directory and extract groups, users, and email addresses to a local file. (See the Directory Synchronization Client Administrator's Guide for instructions.) Compare the results against the cloud data, old CSV files, and/or expectations. Modify the search as necessary to ensure it returns expected results.

Decide whether to allow overwriting of groups of the same names. In the cloud manager, set Overwrite groups as necessary. (See Configure identity management for information.) If you allow overwriting, LDAP groups then take over existing groups but retaining their structure in policies and exceptions. If you do not overwrite groups, make sure that all groups being synchronized from LDAP have different names than those in the portal, then change any group-based notification on the portal to the new LDAP names as required.

If you have more than one web policy, go to each policy and assign groups to it.

Then on the Identity Management screen, assign users to a default policy and for User policy assignment, select Fixed. With this setting, new web users are assigned to the web policy when first synchronized into the service. After that you must manage all movement of users between policies in the cloud manager using the Manage Users page. (Group membership is ignored.)

In the cloud manager, set up a contact with Directory Synchronization permissions. (See Set up authentication (Directory Synchronization only).) This will be the username/logon used for the Directory Synchronization Client logs into the cloud manager.

Now you are ready! In the cloud manager, enable Directory Synchronization. (See Configure identity management.)

In the Directory Synchronization Client, set up portal settings in the configuration established above, changing the output type to portal (not file) and using the contact with Directory Synchronization permissions created above. (See the Directory Synchronization Client Administrator's Guide.)

During a slow period, select Replace on the client. Data is synchronized to the cloud manager. Note the number of additions.This is visible in the Synchronization page and also from the notification email messages.

Log onto the cloud manager. Using Account > End Users and Account > Groups, check that users' and groups' policies are as expected. (See View and manage user data.)

On the Identity Management page, view Recent Synchronizations and compare the totals of additions against those noted in the Directory Synchronization Client. They should match. (See View recent synchronizations.)

The system is now live. If you are unhappy with the user/groups data you have synchronized then you can use Restore to undo the synchronization data, and try again. (See Restore directories.)