User Directory Synchronization

If you are using an LDAP directory (e.g. Microsoft Active Directory) to authenticate your users, their User ID will be automatically added to the Process Director database when they first log in. Process Director automatically synchronizes the user and group information when the login occurs. This happens transparently to the user. If you are using Windows Domain security to authenticate users, you can still configure Process Director to synchronize user information with your LDAP server. This allows your users to authenticate against the Windows Domain, but still have their email address and user name (Alias) synchronized with the LDAP settings.

There are a couple of limitations to using this technique alone. It requires that a user logs into Process Director before it “knows” of that user and the groups the user belongs to. This means that you can't add users to a Timeline activity, or specify users in permissions until after that user logs into Process Director. Additionally, users or groups that are changed or removed in LDAP will still exist in the Process Director database.

To address these scenarios, there is a user directory synchronization utility that will synchronize your LDAP user information with Process Director. For Active Directory synchronization specifically, please see the Creating an Active Directory Sync Profile topic. For generic LDAP synchronization, please see the Creating an LDAP Sync Profile topic. The synchronization utility will only synchronize attributes such as the name and email address, but won't copy over any passwords. Passwords are only stored on your LDAP server – the LDAP server is responsible for authentication.

How Directory Synchronization Works

In your LDAP or Active Directory database, each user account is assigned a unique value via a GUID. For example, in Active Directory, this value will be the SID for each account. This is the value that Process Director will use to uniquely identify each user account. Similarly, each synchronization profile you create in Process Director will also be assigned a unique GUID, known as the ADID. Finally, each Process Director user account is assigned a third GUID, the UserUID, when the account is created. These three unique GUIDs govern how the synchronization process works.

Initial Provisioning

When you first provision users via a directory synchronization, which we'll simply call a "sync", a new Process Director user account will be created for each user contained in the sync. Inside Process Director, the new user account will be assigned a UserUID. Additionally, the SID (or other unique GUID) for each user account in your directory service will be stored as the External GUID, along with the ADID. So, each synced user account record will store all three of these unique identifiers.

Subsequent Syncs

For all subsequent syncs, three things will happen:

  1. Each existing user account is matched, by its External GUID and its synchronization profile (ADID), to the corresponding values returned by the running sync. If any changes have been made to the user's attributes in the directory service, those changes will be applied to the existing user account.
  2. If the sync contains a user that does not exist in Process Director, a new user account will be created for that user.
  3. If an existing user has been removed from the directory service, and is no longer available for syncing, Process Director will mark that user as disabled (assuming that you haven't configured the Synchronization Profile to prevent disabling users).

At the conclusion of each sync, the active users in Process Director will match the active users contained in your directory service.

Synchronization Issues

Because each Process Director user is specifically identified with both an AD/LDAP user and a Synchronization Profile, proper configuration is very important in ensuring that synchronization is accomplished correctly. As a result, there are some issues with synchronization about which you should be aware.

  • If you sync the same AD user in two different synchronization profiles, the SID will be the same for the user, but the ADID will be different. In that case, Process Director will create two different user accounts for the same user. Thus, if you create multiple user sync profiles, you must ensure that each profile synchronizes a unique group of users.
  • Similarly, once a sync profile has been created, and users synced with it, the best practice, if changes need to be made, is to edit the existing sync profile. If you inactivate a sync profile and create a new profile that syncs the same users, new Process Director user accounts will be created for those users, because their original accounts remain associated with the ADID of the sync profile that originally created them.
  • It is possible, in AD, to have multiple SIDs for the same user. For instance, a user who has left and returned to your organization over time might have multiple AD SIDs for their original and new accounts. In AD, both of these SIDs can be unified into a single user identity via linking an attribute such as their network user name, e.g., Jane.Doe. Process Director, however, cannot perform this same type of account unification. Each SID uncovered during the sync will result in the creation of a separate user account. So, again, it's important to ensure that the sync profile only includes the AD account with the current SID to create a single account for that user.
  • Every sync profile contains a property, Do Not Disable, that will, when checked, prevent users and/or groups from being disabled when a sync runs. When this property is checked, users removed from AD/LDAP will remain as active users in Process Director. It's important to ensure that this setting is unchecked if you want to ensure that your Process Director users correctly mirror your current AD/LDAP users.
  • Inactive users are never deleted by a sync. Instead, inactive AD/LDAP users are disabled. BP Logix strongly recommends that you never delete a user account. User records are top-level records in the Process Director database, and cannot be deleted without removing all of the child records associated with the user record. Thus, deleting a user would delete all records of that user's activity in the system. Disabled users, on the other hand, do not count against your license, and cannot access Process Director. But their historical activity is maintained and is auditable in the system.
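The following model, added here as an illustration and not part of Process Director's own code, walks through the reconciliation described under "Subsequent Syncs" and reproduces the duplicate-account issue from the list above: accounts are keyed by (External GUID, ADID), so the same SID synced by two profiles yields two accounts. The `Account` fields, `run_sync`, `duplicate_identities` and all sample SIDs and ADIDs are constructed for the example; `duplicate_identities` is the kind of audit check you could run against the user table to catch overlapping sync profiles.

```python
import uuid
from dataclasses import dataclass

@dataclass
class Account:
    user_uid: str        # Process Director's own GUID, assigned when the account is created
    external_guid: str   # the directory's identifier for the user (the SID in Active Directory)
    adid: str            # GUID of the sync profile that created the account
    name: str
    email: str
    active: bool = True

def run_sync(db, adid, directory_users, do_not_disable=False):
    """Reconcile db (a list of Account) with one profile's sync results.
    directory_users maps external GUID -> {"name": ..., "email": ...}.
    The matching key is (external_guid, adid); other profiles' accounts are untouched."""
    seen = set()
    for acct in db:
        if acct.adid != adid:
            continue
        attrs = directory_users.get(acct.external_guid)
        if attrs is None:                       # no longer returned by the directory
            if not do_not_disable:
                acct.active = False             # disable, never delete
            continue
        acct.name, acct.email = attrs["name"], attrs["email"]   # update changed attributes
        seen.add(acct.external_guid)
    for ext_guid, attrs in directory_users.items():
        if ext_guid not in seen:                # unknown to this profile: new account, new UserUID
            db.append(Account(str(uuid.uuid4()), ext_guid, adid, attrs["name"], attrs["email"]))
    return db

def duplicate_identities(db):
    """External GUIDs held by accounts from more than one profile: the misconfiguration to audit for."""
    profiles_by_guid = {}
    for acct in db:
        profiles_by_guid.setdefault(acct.external_guid, set()).add(acct.adid)
    return {g: p for g, p in profiles_by_guid.items() if len(p) > 1}

# Constructed sample identifiers (placeholders, not real SIDs or ADIDs).
SALES_ADID, ENG_ADID = "adid-sales-placeholder", "adid-eng-placeholder"
JANE_SID = "S-1-5-21-placeholder-1001"
JANE = {JANE_SID: {"name": "Jane.Doe", "email": "jane.doe@example.com"}}

def demo():
    db = run_sync([], SALES_ADID, JANE)      # initial provisioning: one account for Jane
    run_sync(db, ENG_ADID, JANE)             # overlapping profile: same SID, new ADID -> second account
    run_sync(db, SALES_ADID, {})             # Jane drops out of the Sales scope -> that account disabled
    return db
```

After `demo()` runs, Jane has two accounts with different UserUIDs, one disabled and one active, which is exactly the state the first two issues above warn about; `duplicate_identities` flags her SID as belonging to both ADIDs.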