Syncing users based on their access rights

When you map a user directory to an application in Crowd, you can choose which users are synced with the application based on their access rights to it. It might be useful to limit the synced users to only those who can actually access the application, as syncing anyone else is redundant in most cases.

To choose which users will be synced with your application:

  1. Log in to the Crowd Administration Console.

  2. In the top navigation bar, click Applications, and choose your application.

  3. Select the Directories & groups tab.

  4. Scroll down to Access-based synchronization, and choose one of the options. 

Good to know

Here’s some additional details:

  • Your settings will apply to all Crowd APIs used by your applications

  • Membership aggregation and nested groups are supported.

  • If a user exists in multiple directories, their access rights in the first one will decide whether they’re synced or not.

  • You can only use full synchronization, the incremental one isn’t supported.

  • When All groups, but only users with access rights is enabled, applications will not be able to create users in Crowd.
  • When Only users and groups with access rights is enabled, applications will not be able to create users and groups in Crowd.

How syncing works with aggregated group memberships

You might encounter some confusing cases if you’re using aggregated group memberships. If something isn’t synced the way you expect it, have a look at the use cases we’ve described below.

Sample scenario

You have two directories mapped to an application. In Directory 1, the user john belongs to group A, while in Directory 2 — group B. You also have the Determine the users' group memberships using all directories option enabled.

How it will work...

Here's some use cases to show you which groups the user will belong to after syncing. Note that we're changing syncing and authentication options for each case:

  1. Syncing: All users and groups
    Who can authenticate: N/A
    In this case, john will be a member of group A and group B, as everything is synchronized.

  2. Syncing: All groups, but only users with access rights
    Who can authenticate: Directory 1: group A; Directory 2: group B.
    In this case, john will be a member of group A and group B. Both of these groups are allowed to authenticate, so he’s treated as a user with access rights in both directories, keeping all of his group memberships.

  3. Syncing: All groups, but only users with access rights
    Who can authenticate: Directory 1: group A; Directory 2: group C (some other group john doesn’t belong to)
    In this case, group A and group B will be synchronized, but john will be a member of group A only. That’s because group B isn’t allowed to authenticate so john from Directory 2 is treated as a user without access rights – he’s a member of group B, but not group C that’s allowed for this directory.

  4. Syncing: Only users and groups with access rights
    Who can authenticate: Directory 1: group A; Directory 2: group B
    In this case, john will be a member of group A and group B. Both of these groups are allowed to authenticate, so he’s treated as a user with access rights in both directories, keeping all of his group memberships.

  5. Syncing: Only users and groups with access rights
    Who can authenticate: Directory 1: group A; Directory 2: group C (some other group john doesn’t belong to)
    In this case, group B won’t be synchronized at all, because it doesn’t have access rights. Likewise, john from Directory 2 is treated as a user without access rights, similarly to Case 3 above. Group A will be synchronized and john will be a member of it.

We want to bring your attention to Case 3 that might appear confusing. In this case, the users should be treated as separate – one with access rights, and one without them. As john from Directory 2 doesn’t have access rights (group B can’t authenticate for this directory), he isn’t synced and his group memberships aren’t taken into account.

Troubleshooting

Having problems? Check the details below:

I don't see these options in Crowd...

This might be because of the following reasons:

  • You have a Server license. This feature is only in Data Center.

  • You allow all groups from all directories to authenticate. In this case, there’s no reason to limit synced users as all of them need access.

A user, group, or group membership hasn't been synced...

Missing users:

  • Make sure the user belong to at least one of the groups with access rights.

  • Make sure it’s not a shadowed user (see Limitations)

Missing groups and group memberships:

  • If you chose Only users and groups with access rights, make sure the group actually have access rights.

Last modified on May 17, 2022

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.