Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
In this section, we will provide you with detailed information about the types of applications and connectors supported by Cymmetri
Cymmetri seamlessly integrates with various cloud-based applications to help you efficiently manage user access and entitlements. The following are the pre-configured cloud-based applications that Cymmetri supports:
Azure: Manage user access and entitlements within your Microsoft Azure environment effortlessly.
Google Workplace: Simplify access management for Google Workspace applications, including Gmail, Google Drive, and more.
ServiceNow: Effectively control access to your ServiceNow instance to enhance security and compliance.
Salesforce: Streamline Salesforce user access management for better control and auditing.
SCIM v2.0 (Salesforce): Utilize the System for Cross-domain Identity Management (SCIM) 2.0 protocol specifically for Salesforce integration.
Github (Using SCIM 2.0 connector): Manage user access to GitHub repositories efficiently through our SCIM 2.0 connector.
Cymmetri extends its support beyond cloud-based applications to include various on-premises applications. Here are the on-premises applications supported by Cymmetri:
Active Directory: Efficiently manage user access to your Windows Active Directory resources.
OpenLDAP: Simplify access control for your LDAP directory services with Cymmetri's integration.
Lotus Notes: Streamline user access management for Lotus Notes applications.
Powershell: Integrate and manage access to PowerShell scripts and resources seamlessly.
CSV Directory: Effectively manage user access within CSV-based directory services.
Cymmetri offers versatile connector support to ensure seamless integration with a wide range of applications. Here are the supported connectors categorized by deployment type:
Cymmetri's Cloud Connectors are designed to simplify access management for various cloud-based applications. Supported cloud connectors include:
Azure: Easily manage access to Microsoft Azure resources with our cloud connector.
Google Workplace: Streamline access management for Google Workspace applications using our cloud connector.
ServiceNow: Control access to your ServiceNow instance efficiently with our cloud connector.
Salesforce: Seamlessly manage user access to Salesforce through our cloud connector.
SCIM 1.1: Leverage the SCIM 1.1 protocol for connector support, ensuring compatibility with various cloud services.
SCIM 2.0 (Basic, Bearer, Fixed Bearer): Our platform supports multiple SCIM 2.0 authentication methods to accommodate diverse integration needs.
For on-premises applications and custom integration scenarios, Cymmetri offers locally deployed connectors, providing flexibility and control. Supported locally deployed connectors include:
Active Directory: Manage access to Windows Active Directory resources seamlessly using our connector.
Custom Script for Databases: Custom Script based connectors using groovy scripts for database applications, tailored to your specific requirements.
LDAP: Integrate and manage access to LDAP-based directory services through our connector.
Lotus Notes: Simplify user access management for Lotus Notes applications with our connector.
Powershell: Seamlessly integrate and manage access to PowerShell resources using our connector.
REST API: Extend your integration capabilities with Cymmetri's support for RESTful API connectors leveraging the flexibility of Groovy and UI based scripts.
Cymmetri's comprehensive support for both pre-configured applications and versatile connectors ensures that you have the tools needed to efficiently manage user access and entitlements across a diverse range of applications and environments. For detailed setup instructions and configuration guidelines, please refer to the specific documentation for each application and connector.
Understand how to add and manage your cloud and on-premise applications through your Cymmetri Identity platform deployment. Your Cymmetri Identity deployment allows you to manage your cloud-based applications and on-premise applications from a single administration console.
Understand how to add the applications used by your organization, to be managed your Cymmetri Identity platform deployment. Use the FAQ to learn how to add applications to be managed in the deployment.
Single Sign On is the process of ensuring that once an end user is logged onto the Cymmetri Identity platform, they should be able to seamlessly move their session to any of your applications managed by your Cymmetri Identity platform deployment. Use the FAQ to learn how to configure Single Sign On for your application.
Modern IAM deployments wishing to have progressive authentication may require some critical application integrations within your deployment to perform additional authentication while performing Single Sign On for the end user. Use the FAQ to learn how to configure the Application Sign On Policy.
Provisioning refers to the process of creating, modifying, and in general pushing the user account information stored on the Cymmetri Identity platform to the applications managed by your Cymmetri Identity platform deployment. Use the FAQ to learn how to configure User Account Provisioning.
Reconciliation of User accounts is a primary activity in Identity Governance, which allows for synchronisation between the user account information on the managed application and the Cymmetri Identity platform deployments, including provisioning, modifying, deprovisioning, and modifying user account attributes based on various synchronisation states. Use the FAQ to learn how to configure the Identity Reconciliation Process.
Once an application has been added to the Cymmetri Identity platform deployment and the necessary configurations for Single Sign On, Provisioning and Reconciliation have been performed, an application may be assigned to an individual user or to a group of users. Use the FAQ to learn how to assign application to a user.
Dynamic Forms enable administrators to request additional fields from either administrators or end-users when assigning applications. These additional user fields are then collected and used for provisioning the user into the managed application. It is a feature in Cymmetri's application details sections which enables administrators to ask necessary questions at time of application assignment. The form filled will be saved and reviewed by the approver.
For creating a dynamic form the administrator needs to configure the managed application. For eg. Identity Hub->Applications->Service Now(Application may change )->Forms
Load the default form by clicking on the “Load Sample Data” button
Edit the default form in the JSON Schema section, In the JSON Schema section the administrator can define the form structure with the type of element, and its various properties like type, title, default value etc, a preview of the form is shown on the right hand side.
Let us create a simple form that can capture
“Preferred Username” [text field] and
“Request Additional Modules” [Radio] with two options “Administrator” and “Read Only”.
The code below shows how to create a simple form described above:
The UI Schema is like a set of json properties that are used to configure how the form should look and behave. It lets you tweak things like the length of a text box or whether a choice should be shown as radio buttons or checkboxes. In the example code, we're using the UI Schema to make the "preferredName" field have a placeholder and also set a maximum length. For "additionalModules," we're using widget property to make it show up as a radio button.
The Preview Form Data displays how the data entered in the UI will be gathered and shows the structure in which the data will be sent to the API.
The preview of the form looks as below after making the changes:
Once configured the administrator can Click on the Save button.
Once saved a confirm box appears to enable the form; the administrator needs to click on the Confirm button in the popup to enable the form for the application.
The Form View and Form Edit options allow the administrator and user to view and edit the form
When the Form View button is enabled it allows the administrator to view the form in the user's Application Page
On clicking the View Form button the form appears as below:
Similarly when the Form Edit button is enabled it allows the administrator to edit the form in the user's Application Page
On clicking the Edit Form button the form appears as below, The administrator may change the details mentioned in the form.
The user to whom the application is assigned can also view or edit the form based on whether the form edit is enabled or not. The figure below shows the Edit Form option for a user in the MyAccess -> Applications section:
If the user clicks on Edit Form it shows the form to edit:
Applications menu in the administration page displays the various options pertaining to the Application Management Process.
Applications menu can be accessed in two ways:
Identity Hub
Login as either an Organization Administrator, Domain Administrator, or Application Administrator.
Click on the Identity Hub icon on the left side bar.
Click on the Applications text on the slide out bar.
Single Sign On Module
Login as either an Organization Administrator, Domain Administrator, or Application Administrator.
Click on the Products menu icon on the left side bar.
Click on the Single SignOn Module icon in the popup list.
4. Click on the Applications text on the slide out bar.
Applications supported by the Cymmetri platform fall majorly into three categories -
Pre-configured Applications These are the applications that have already been configured by the Cymmetri platform for provisioning on cloud or on-premises.
Custom Applications for Provisioning These are the applications that you wish to manage through Cymmetri and support the generic connectors that the Cymmetri platform provides.
Custom Applications for Single SignOn only When you need to add an application for the sole purpose of enabling Single Sign-On (SSO), Cymmetri offers the capability to add a custom application that can be configured for SSO using the supported mechanisms.
Once you have chosen the application to be added from the above categories, you are ready to add a new application.
1. Click on the “Add New” button on the top-right corner in the Applications page.
2. In the Add New Application screen, you may search for your desired application (e.g., Active Directory), or your desired connector (e.g., REST) or choose the “Custom” application type from the available application catalogue.
3. Now click on the tile shown in the list below to open the right slide out menu for renaming application as shown below.
4. Add your custom label (if you wish) in the text box and click on the “Add Application” button.
Application has been successfully added to your listing now. You may click on the configure now button to start configuring the application.
Azure provisioning in Cymmetri involves setting up configurations to automate the creation and management of user accounts in Microsoft Entra ID. This allows for seamless user onboarding and offboarding processes.
To implement Azure provisioning in Cymmetri, follow these general steps:
The administrator needs to login to Azure Portal: https://portal.azure.com
Once logged in click on More services-> button
In the next screen click on Identity -> App registrations inside the Identity management section
Next click on New registration to register a new App. Registering your application establishes a trust relationship between your app and the Microsoft identity platform. The trust is unidirectional: your app trusts the Microsoft identity platform, and not the other way around. Once created, the application object cannot be moved between different tenants.
Next enter the Application Name and select the Supported account types to organizational directory only : Accounts in this organizational directory only (Cymmetri Organization only - Single tenant) and then click on Register
Once registered next click on Authentication menu and +Add a platform.
On the next screen select Mobile and desktop applications
Enter a Custom redirect URIs: http://localhost and click on Configure
Further enable the Public Client flows and click on Save button
Next go to Certificates and secrets menu and create a new client secret:
Next enter a Description for the and select the duration after which the secret would Expire -Recommended is 180 days (6 months) but can be changed as per the need. Once both the details are entered click on Add button
Next copy and save the Client Secret ID and Client Secret Value in a safe and accessible place. Client secret values cannot be viewed, except for immediately after creation. Be sure to save the secret when created before leaving the page.
Once the client secret details are stored next click on API permissions menu and then + Add a permission
On this page select Microsoft Graph
On the next page we require permissions for both Delegated and Application permissions. Select each type of permission and in that Search and select the following permissions/scopes:
APIConnectors.Read.All
Directory.ReadWrite.All
OpenID (Not available for Application Permissions)
PrivilegedAccess.Read.AzureAD
User.ReadWrite.All
Directory.Read.All
Once all the permissions are added a warning is shown: "You are editing permission(s) to your application, users will have to consent even if they’ve already done so previously." The administrator needs to click on the "Grant admin consent for Cymmetri Organization" link
On the click of the link a popup appears to grant admin consent, click on Yes
Next click on Expose an API and then click on Add to add an Application ID URI: The Application ID URI, also called identifier URI, is a globally unique URI used to identify the web API. This URI is the prefix for scopes in the Oauth protocol. You can either use the default value in the form of api://, or specify a more readable URI.
On the next page keep the default values intact and click on Save button
Finally you can see the Overview page that contains all the information you need to configure Azure in Cymmetri.
Also the User config Application Authority can be obtained from the endpoint section in the Overview page:
This completes the Azure side of the configuration, next the administrator needs to need to move to Cymmetri and configure the Azure application. Mentioned below are the steps required to configure Azure in Cymmetri:
Add a new Azure application Identity Hub->Applications and then click on the +Add New button
Once added the administrator needs to go to Policy Attribute section and ensure all the below mentioned attributes are present (Add if not already present):
mailNickname
displayName
__PASSWORD__
__NAME__
userPrincipalName
givenName
surname
usageLocation
Next the administrator needs to go to the Policy Map section and ensure a mapping shown as below is created:
Once the policy map is created next the administrator needs to go to Provisioning section and then to Server Configuration and need to configure the connector server as shown below:
Once the Server Configuration is done next the administrator needs to implement User Configuration with the below mentioned fields:
User config Application Authority: This is the authority under which the application operates. For example, if you're using Azure AD, the application authority might be https://login.microsoftonline.com/<tenant_id>/oauth2/authorize
User config application client id: This is the unique identifier for your application. It is provided by Azure when you register your application. For example, e9a5a8b6-8af7-4719-9821-0deef255f68e.
Client Secret: This is a secret key used by the application to prove its identity when requesting access tokens. It should be kept confidential. For example, 7f7df45a-251e-49d3-a396-748bf8e05a3c.
User config domain: This is the domain associated with your Azure AD. For example, contoso.onmicrosoft.com.
User config base password: This is the base password used for your application. For example, MyBasePassword123.
Redirect URI: This is the URI to which Azure AD will redirect the user after authentication. For example, api://05b765c3-d64f-7704-b0d8-5c4c6bc674df
User config resource URI: This is the URI of the resource (API, web app, etc.) that the application wants to access. For example, https://graph.microsoft.com.
Azure Tenant ID: This is the identifier for your Azure AD tenant. For example, 72f988bf-86f1-41af-91ab-2d7cd011db47.
User config base username: This is the base username used for your application. For example, MyUsername@contoso.onmicrosoft.com.
Once the configuration is done and saved, Next click on TEST CONFIGURATION to test if Cymmetri is able to connect to Azure Server.
For assigning any sort of licenses to a user of various products two main policy map entries need to done as shown below:
azureLicense: Need to provide license key for the product you wish to assign to the user
usageLocation: This field needs a two-letter country code (ISO standard 3166). Required for users that are assigned licenses due to legal requirements to check for availability of services in countries. Examples include: US, JP, and IN.
The value for azureLicense can be obtained as explained below:
Once you click that it opens the page from which we can copy the product id from URL as shown below:
Once all the above configuration is done, on the same page in Cymmetri go to Assignments section and assign users to the application and ensure that these users are created in Azure's Microsoft Entra ID along with the Microsoft Teams license.
| Application Field | Field | User Principal | Create Only | Update Only |
|---|
Go to and login using the admin credentials. Once logged in go to Billing->Licenses->Microsoft Teams Exploratory
displayName | displayName | - | True | True |
__NAME__ | login | - | True | True |
__PASSWORD__ | password | - | True | True |
mailNickname | mailNickName | - | True | True |
userPrincipalName | login | True | True | True |
givenName | firstName | - | True | True |
surname | lastName | - | True | True |
- | True | True |
usageLocation | country | True | True |
azureLicense | azureLicense | <actual license key> | True | True |
Connectors can be deployed in two ways:
Local connectors are deployed to a Cymmetri instance. This is the usual way how connectors are used. The connector is executed inside a Cymmetri instance, has the same lifecycle (start/stop), etc. Cymmetri can detect local connectors automatically and overall the connector management is easier.
Remote connectors are executed in a different process or on a different node than Cymmetri instance. Remote connectors are deployed to a connector server. There may be need to use a remote connector e.g. to access a file on a remote system (e.g. in case of CSV connector) or because of platform incompatibilities (e.g. .NET connectors)
Connector is not developed as local or remote. The placement of the connector is a deployment-time decision. There is just one connector package that can be deployed locally or remotely.
A connector server is required when a connector bundle is not directly executed within your application. By using one or more connector servers, the connector architecture thus permits your application to communicate with externally deployed bundles.
Connector servers are available for both Java and .NET.
A Java connector server is useful when you do not wish to execute a Java connector bundle in the same VM as your application. It may be beneficial to run a Java connector on a different host for performance improvements if the bundle works faster when deployed on the same host as the native managed resource. Additionally, one may wish to use a Java connector server under a Java remote connector server in order to eliminate the possibility of an application VM crash due to a fault in a JNI-based connector.
The use of .NET connector server is especially useful when an application is written in Java, but a connector bundle is written using C#. Since a Java application (e.g. J2EE application) cannot load C# classes, it is necessary to instead deploy the C# bundles under a .NET connector server. The Java application can communicate with the C# connector server over the network, and the C# connector server serves as a proxy to provide to any authenticated application access to the C# bundles deployed within the C# connector server.
Minimum Requirements:
Java 1.6 or later for 1.4.X.Y / Java 1.8 for 1.5.X.Y
Refer to your Java connectors to determine if there are any additional requirements
Unzip it in a directory of your choice (e.g. /usr/jconnserv) on the host where you wish to run the Java connector server
From the directory created above, run the Java connector server with no arguments to see the list of command-line options:
Linux / MacOS: ./bin/ConnectorServer.sh
Windows: \bin\ConnectorServer.bat
You should see the following output:
Run the connector server with the setkey option as described below to set your desired key into your properties file
Linux/ MacOS: ./bin/ConnectorServer.sh -setkey <key> -properties conf/ConnectorServer.properties
Windows: bin\ConnectorServer.bat /setkey <key> /properties conf\ConnectorServer.properties
For all other properties (e.g. port), edit the conf/connectorserver.properties manually. The available properties are described in the connectorserver.properties file.
Run the server by launching with the -run option:
Linux / MacOS: ./bin/ConnectorServer.sh -run -properties conf/ConnectorServer.properties
Windows: bin\ConnectorServer.bat /run -properties conf\ConnectorServer.properties
To deploy a Java connector:
Copy the Java connector bundle jar file into the bundles directory in your Java connector server directory
If necessary, add to the classpath any 3rd party jars required by any Java connector
Restart the Java connector server
The following steps are necessary to successfully communicate with a connector server using SSL:
Deploy an SSL certificate to the connector server's system.
Configure your connector server to provide SSL sockets.
Configure your application to communicate with the communicate with the connector server via SSL.
Refer to your application manual for specific notes on how to configure connections to connector servers. You will need to indicate to your application that an SSL connection is required when establishing a connection for each SSL-enabled connector server.
Additionally, if any of the SSL certificates used by your connector servers is issued by a non-standard certificate authority, your application must be configured to respect the additional authorities. Refer to your application manual for notes regarding certificate authorities.
Java applications may solve the non-standard certificate authority issue by expecting that the following Java system properties are passed when launching the application:
javax.net.ssl.trustStorePassword
For example, -Djavax.net.ssl.trustStorePassword=changeit
javax.net.ssl.trustStore
For example, -Djavax.net.ssl.trustStore=/usr/myApp_cacerts
Or, instead, the non-standard certificate authorities may be imported to the standard ${JAVA_HOME}/lib/security/cacerts.
Minimum Requirements:
Windows Server 2003 or 2008
.NET Framework 3.5 or higher
Refer to your .NET connector to determine if there are any additional requirements
Execute ServiceInstall.msi. Just follow the wizard. It will walk you through the whole process step by step. Upon completion, the Connector Server will be installed as a windows service.
Start the Microsoft Services Console. Check to see if the Connector Server is currently running. If so, stop it. From a command prompt, set the key for the connector Server. This is done by changing to the directory where the connector server was installed (by default: \Program Files\Identity Connectors\Connector Server) and executing the following command:
where <newkey> is the value for the new key. This key is required by any client that connects to this Connector Server.
Look through the configuration file and inspect all settings. The most common things to change would be the port, trace, and ssl settings.
The port, address, and SSL settings are in the tag called AppSettings, and look like this:
The port can be set by changing the value of connectorserver.port. The listening socket can be bound to a particular address, or can be left as 0.0.0.0. To setup to use SSL, you must set the value of connectorserver.usessl to true, and then set the value ofconnectorserver.certifacatestorename to your the certificate store name.
You will need to record for use later the following information regarding your connector server installation:
Host name or IP address
Connector server port
Connector server key
Whether SSL is enabled
Trace settings are in the configuration file. The settings look like this:
The Connector Server uses the the standard .NET trace mechanism. For more information about the tracing options, see Microsoft's .NET documentation for System.Diagnostics.
The default settings are a good starting point, but for less tracing, you can change the EventTypeFilter's initializeData to "Warning" or "Error". For very verbose logging you can set the value to "Verbose" or "All". The amount of logging performed has a direct effect on the performance of the Connector Servers, so be careful of the setting.
Any configuration changes will require the connector server to be stopped and restarted.
The best way to run the Connector Server is as a Windows service. When installing, the Connector Server is installed as a Windows service. This should be fine for most installations.
If for some reason, this is not adequate, the connector server may be installed or uninstalled as a Windows service by using the /install or /uninstall arguments on the command line. To run the Connector Server interactively, issue the command:
To install new connectors, change to the directory where the Connector Server was installed, and unzip the zip file containing the connector there. Restart the Connector Server.
To install additional Connector Servers on the same machine, download the Connector Server zip file from the downloads section. Create a directory to install to, and unzip the file there. Edit the configuration file as described above ensuring that you have a unique port. You may also want to make sure that the trace file is different as well. You can then run the additional Connector Server interactively or as a service.
Pre-requisites:
Make sure you have the following information before you proceed further:
Cymmetri login credentials
Access to IIS (Internet Information Services) to install certificates.
Access to Windows Certificate Services
Active Directory Essentials:
Server hostname and password
OU (Organisation Unit) name, if any
SSL ports need to be enabled on your side
Export the CA Certificate from Active Directory and import it into the Connector Server.
Make sure the certificate is installed on the Connector Server
Exporting your Active Directory certificate to the Connector Server is a necessary and crucial step. This ensures that the Active Directory and Cymmetri Identity Server can communicate over LDAPS (LDAP over SSL). For this to happen, LDAPS requires a properly formatted certificate installed in your Active Directory Domain Controllers. Please refer to this link and follow the same steps: https://www.manageengine.com/products/active-directory-audit/kb/how-to/how-to-install-ssl-certificates-in-active-directory.html
Once the certificate has been imported per the above instructions, you must restart the application to apply the changes made.
Navigate to the Identity Hub on the left navigation bar and click the Applications tab. You will see a list of existing applications.
Click 'Add New', and you will find the entire list of all available applications.
Search for Active Directory on the top right and click on it. You should see the Active Directory application sidebar on the right.
The Application Label has a default name for the Active Directory application and can be changed according to your choice. Click 'Add Application' from the bottom right to add the Active Directory application to your Cymmetri profile.
You have now added an Active Directory application to Cymmetri.
After adding the Active Directory, the 'Configure Now' button is enabled. Click this button to start setting up your Active Directory application.
Define which attributes should be fetched from your Active Directory. You can do that by going to the Policy Attribute section.
Here below are shown some Active Directory attribute descriptions
Policy Attributes - Policy attributes are user attributes (field names) in the Active Directory.
The policy attribute table is prefilled with standard Active Directory Attributes by default. Please verify if it works for you. If not, follow the below mappings for the provisioning to work.
telephoneNumber - mobile
sAMAccountName - login
givenName - firstName
mail - email
sn- lastName
cn - firstName
2.1 Adding new attributes
If the standard list does not contain the attributes you want to include, you can add new attributes by clicking the 'Add new' button on the right.
Fill in the attribute name, and description and click Save.
Also, toggle the Active switch to enable this new attribute.
Besides the present policy attributes, you need to add a custom attribute in case you're going for group provisioning, i.e. memberOf attribute.
Now that you've defined what attributes to fetch from Active Directory, you will map these to Cymmetri user attributes.
On the same window, navigate to the policy map in the left navigation bar.
Policy Map - Mapping of Cymmetri and Active Directory attributes.
You will see that the attributes are set to False by default. Our first step in the mapping process is to enable the attributes for syncing.
Click on the edit button next to the 'Application Field' name.
The 'Application Field' indicates the Active Directory field name, and the 'Cymmetri Field' indicates the Cymmetri field name.
To map the attributes, we need to sync the attributes on create and update only. Hence, these checkboxes need to be checked.
The 'Set default value' field accepts the default value you enter here if the field is empty in Active Directory.
Next, click on the 'Update' button.
Similarly, repeat this for all attributes.
One exception is the sAMAccountName field. The 'Is User Principal' checkbox is enabled by default because it is the primary key (unique data) on the Active Directory side, and login is the primary key on Cymmetri side; leave it checked.
Some important policy map fields which need to be declared in the policy map are as follows.
If any attribute is missing from the policy map but present in your policy attribute. Add it by clicking the 'Add Cymmetri Field' and follow the same steps to map it to the appropriate field.
If you want to add a new field that is not present even in Cymmetri, click on the 'Add Custom Field' button. For group provisioning, the memberOf attribute must be configured with the memberOf attribute from the custom attribute.
The connector server is a tool that provides different connectors that enable various provisioning operations from different sources to Cymmetri. In our case, we will prepare the connector server to work with the Active Directory source.
Click Provisioning from the left navigation bar and enable application provisioning by sliding the slider button.
Once you enable the application provisioning, you must take care of two configurations to successfully provision Active Directory data to Cymmetri.
Server Configuration - Consists of configuring the connector server.
Enter the IP address of the host server and its password. The rest of the fields come pre-filled with default values; you can change them according to your use case. Next, click on the save configuration button.
User Configuration - Consists of all user settings like domain name, search filter, etc. We can also configure an OU (Organisational Unit) in this window.
Note - You would need to change the below fields as per your organisation:
Root suffix - Add your domain name here.
Principal Password - Add your server password here.
Server Hostname - Add your server name here.
Principal - Add your admin Display Name of the Active Directory.
The base context for user search - You can add your Organisation Unit here.
The base context for group search - Add the base context to enable group search
Server port - Ensure that it is set to 636 for push
Page size- Define pageable result count for users
SSL - True is SSL is configured
Trust all certs - True.
Disable User OU Movement - Provide the path for disabling OU movement here.
Click on the save configuration button. Next, click on test configuration to see a successful toast message if your configuration is successful.
While configuring, you might encounter errors like:
Authentication exception - Failure due to incorrect username and password.
Solution - Keep all your necessary credentials handy and enter the details carefully
Socket timeout - Connection refusal by the target system
Solution - Please ensure your network connections are accurate to avoid socket timeout errors.
SSL issue - SSL issue occurs mainly if certificates are not configured correctly.
Solution - Follow the steps mentioned in Step 1 rigorously to import the Active Directory certificate to avoid SSL-related errors.
The last step of onboarding users is to add the users from Active Directory to Cymmetri by Reconciliation.
Pull users from your Active Directory to Cymmetri.
Click the 'Reconciliation' tab on the left navigation bar on the same page.
Next, click the 'Add New' button under the pull tab.
Add the field name details, and give a name to the pull reconciliation.
The modes field is prefilled with 'FILTERED_RECONCILIATION'; keep it as it is. It specifies the mode of Reconciliation.
The Sync fields are a drop-down menu with Cymmetri attributes that need to be mapped with the Source attributes, that is, your Active Directory attributes. Choose the correct mappings for these fields.
Keep the Status as Active.
Types are prefilled with the User. Keep it as it is.
You can define the conditions for the Pull Reconciliation. It specifies the different scenarios of the Reconciliation. All the tabs have the same options in the dropdown: IGNORE, UPDATE, DEPROVISION, PROVISION, UNLINK, LINK, ASSIGN, UNASSIGN.
Here is an example scenario:
The options to choose in a Reconciliation operation depend on your use case and change accordingly.
In this case, we have chosen to IGNORE the users that do not exist in your Active Directory but exist in Cymmetri. Also, IGNORE users who are present in both the systems. PROVISION the users that exist in your Active Directory but do not exist in Cymmetri.
Hit the save button on the top left and click the 'Run now' button. The status of the recon changes to active.
You can head to the users tab and check if users are synced. If the reconciliation is successful, the users start appearing in this tab.
Sync your user data to Active Directory.
Navigate to the push tab and click on 'Add New'.
Repeat Steps 2 and 3 from Pull Reconciliation.
Move towards the Search Filter and Add Criteria section on the page.
Fill in all the user details like Department, Designation, User Type, Location, Manager, Group, if any, email and mobile number. Keep the account status slider in the unlocked option. Choose user status as 'Active'.
Set the conditions for the Push Reconciliation.
Click on Save at the top-right corner of the page.
Click on 'Run-now' to start the Push Reconciliation. You can check the status on the Reconciliation page.
Navigate to the users page to check the new users added to Cymmetri.
Navigate to the History tab to check and track the pull and push Reconciliation of the past.
Click on the eye icon to view the Push/Pull reconciliation operation.
All the details configured in the Push/Pull Reconciliation can be seen here. It also displays the Summary of Pending, Synced and Error records.
If, in any case, you're facing issues, head to the Logs->Audit Log to check for error logs.
Click on the eye icon to check the event attributes in the audit log for errors.
Google Workspace is a software-as-a-service platform (SAAS) that provides email, calendar, documents and other services. This connector uses the Google Workspace provisioning APIs to create, add, delete and modify user accounts and email aliases.
Note: 1. Only the Premium (paid) or Educational versions of Google Workspace provide access to the provisioning APIs. 2. Connector will not work on the free Google Workspace Domain
For Configuring Google Workspace for provisioning we need to first obtain the client_secret.json file from the Google Workspace instance.
Go To https://console.developers.google.com/ and create a new Project if not already created. A new project needs to be created because it allows you to manage the credentials required to access Google APIs and services securely. A new project can be created by clicking on the New Project on top right or by clicking on the the Resource Dropdown
And the on the NEW PROJECT link on top right
Next enter the Project name and select Organisation and Location as shown below and click on CREATE button
The Admin SDK API is needed to programmatically manage and interact with various aspects of a Google Workspace domain, such as users, groups, organizational units, and settings. Here are some key reasons why the Admin SDK API is essential:
User Management: The Admin SDK API allows you to create, retrieve, update, and delete user accounts in your Google Workspace domain. You can manage user details such as name, email address, password, and organizational unit.
Group Management: You can create, retrieve, update, and delete groups within your Google Workspace domain using the Admin SDK API. This includes managing group members and settings.
Organizational Unit Management: The API enables you to manage organizational units (OUs) within your Google Workspace domain. You can create, retrieve, update, and delete OUs, as well as move users and groups between OUs.
User Reports: The Admin SDK API provides access to various reports about user activity, such as login activity, email sending/receiving activity, and more. These reports can help you monitor and analyze user behavior within your domain.
Settings Management: You can manage various domain-wide settings, such as email routing, calendar sharing settings, and device management settings, using the Admin SDK API.
Security and Compliance: The API provides features for managing security and compliance settings within your Google Workspace domain, such as 2-step verification, password policies, and audit logs.
To enable ADMIN SDK API click on Enabled API & Services and Search for Admin SDK API:
Click on Admin SDK API and then click on the Enable button
Once enabled, Click on CREDENTIALS tab
Now click on Credentials section and click on CREATE CREDENTIALS button and in that select OAuth client ID option
Select Desktop app as Application type, provide a name for the OAuth 2.0 client and then click on the CREATE button
A response screen is visible that shows that the "OAuth client created" It also displays Your Client ID and Your Client Secret. You may download the JSON here using the DOWNLOAD JSON option.
Click on OAuth consent screen and then Click on EDIT APP. Enter the required details and Click on SAVE AND CONTINUE button
Select Internal as User Type if you want to restrict access only to the users of your organization.
Search for Admin SDK API on the Scopes screen and select scope for user: .../auth/admin.directory.user
Select the scope for group: .../auth/admin.directory.group
Next Click on Credentials section and downlaod OAuth client json file on your local machine by clicking on the Download OAuth client button.
Next download thenet.tirasa.connid.bundles.googleapps-1.4.2.jarbundle for Google Workspace from the Connector Server website. Once downloaded open a new command prompt and change to the directory where you have downloaded the bundle and run the following command on the client_secrets.json file that you obtained earlier step:
This command opens the default browser, and loads a screen on which you authorize consent to access the Google Apps account. When you have authorized consent, the browser returns a code. Copy and paste the code into the terminal from which you ran the original command
A response similar to the following is returned.
Once the above information is obtained we need to configure the Google Workspace in Cymmetri with Server Configuration and User Configuration as shown below:
Once the configuration is done click on TEST CONFIGURATION button to check if the configuration is working.
Once the test is successful next go to the Assigments section and assign the application to a user as shown below:
Once assigned ensure that the user is created in Google Workspace.
Integration SCIM v2.0 with Basic
Any application which supports SCIM v2.0 with basic authentication is workable for application.
Following are configuration which is used for SCIM with basic authenticator.
Base address - It is the endpoint of the target system which supports SCIM v2 API’s.
Username - Username to authenticate SCIM API endpoint.
Password - Password to authenticate SCIM API endpoint.
Authentication type - It is Fixed Bearer compulsory.
Update method - Patch or Put method.
Accept - Http header which accepts (application/json etc).
Content Type - Http header which accepts (application/json etc).
For LDAP connector integration we need an LDAP server with the following detail sample.
Host/IP
LDAP Base Context
service user (Manager Username)
password (Manager User password)
After configure LDAP server we need to configure the Ldap application into the Cymmetri.
Check policy map to add proper attributes as needed by LDAP schema.
For the powershell connector we need a windows server machine with a connId server on it.
Configure powershell connector with following properties
Must configure powershell script with valid data using the reference below
Reference: https://drive.google.com/drive/folders/1XHt6aNmPzs7V7OKesk31FwqLxGf3u2ST?usp=sharing
In any Identity and Access Management (IAM) system, provisioning rules are predefined instructions or policies that dictate how user accounts and access privileges are automatically created, modified, or deactivated across various IT systems and applications.
These rules streamline the process of managing user identities and access rights throughout their lifecycle within an organization.
In Cymmetri, administrators have the ability to establish these rules within the "Rules" tab under the Lifecycle Management module. To do so, the administrator navigates to the "Provision" section, where the following page will be displayed.
On this page, administrators can view a comprehensive list of all the currently established rules within Cymmetri, along with an "Edit" button that allows them to make modifications to these rules.
On the top right corner of the page the admin can find the Add new button to add a new provisioning rule in Cymmetri.
To add a new rule you must do the following:
Add the name of the rule
Add Description of the rule
Select whether any condition should be applied to the rule
Activate the rule and save
Once the rule is saved, it will be included in the main listing. To define or modify the rule, click on the "Edit" button corresponding to the record.
The initial step involves defining the rule by specifying the application and the corresponding roles that will activate the rule.
If necessary, roles can be created for the application directly within the provisioning rule before adding them.
Note: Multiple application and roles can be added in a single provisioning rule
The next step is to add the condition upon which the rule will be activated within the system.
To add a condition navigate to the conditions section and click on Add new condition button.
You can set up multiple conditions for the rule. For example, in the rule below, the conditions are that the user must be an "employee," and their department should be "Sales."
Note: Only the active conditions will be executed for the rule to trigger while provisioning.
If required these conditions can be added, deleted or modified.
These rules automate and streamline the process of managing user accounts and access privileges across various systems and applications within an organization.
Once the managed application has been added to your Cymmetri Identity platform tenant, you will be able to assign applications to your end-users.
There are four ways in which applications can be assigned to users:
Admin may assign an application directly to a user.
Admin may map an application to a group; and the user is added to the group or is already part of the group.
End User may request an application and is granted access to the application.
Bulk Assignment of application to a set of users
Let us understand the flow for each of the above mentioned scenarios:
Users with admin roles such as Organization Admin, Domain Admin, or Application Admin on the Cymmetri platform can assign managed applications to end-users .
First, we need to add the application to the Cymmetri platform
Next, we move to configure the application to assign it to an end user.
Click on the application tile to configure it.
The flow for assignment goes as follows -
Description:
Admin clicks on the application tile, and starts the configuration.
Click on the Assignments tab on the left hand side menu.
Click on the “Assign New” button on the Users menu.
Here we need to decide whether we want to provide a Lifetime Access or a Time Based Access
Lifetime Access: Users have access to the application without any time restrictions.
Time Based Access: Users have access to the application only for the specified range of time. We need to provide a Start Date & Time and an End Date & Time for Time Based Access.
Now click on Save to register a request for the application assignment. If no Workflow is configured for the said application the application is immediately assigned to the user.
If a workflow for application provisioning is configured then the workflow is been initiated.
The workflow approver will then receive a request to approve the user assignment in their inbox.
Now the approver may approve or reject the user assignment
The approver may change the start and end date, if required; refer to the dynamic form attributes passed during the application assignment.
To continue the flow click on Accept button.
Now the next level of approver will be able to see the previous levels of approval, and similar to the previous level of approval, the approver may change the start and end date, if required; refer to the dynamic form attributes passed during the application assignment.
Click “Accept” to proceed.
After the last level approver has also approved the assignment, the backend processes will run the application provisioning flow.
Once the user has been provisioned in the application, they will be able to see it in their list of applications.
Users with admin roles, such as Organization Admin, Domain Admin, or Application Admin, in a Cymmetri Identity platform deployment, will have the ability to assign entire groups of users to managed applications.
First, we need to add the application to the Cymmetri platform
Next, we move to configure the application to assign it to a group.
Click on the application tile to configure it.
The flow for assigning a group to an application goes as follows:
Click on the application tile, and start the configuration.
Click on the Assignments tab on the left hand side menu.
3. Click on the “Assign New” button in the Groups section.
4. Search for the group you wish to assign the application to and click on the assign button.
5. Checking for the users who belong to the group, we can see that the application has been assigned.
6. Viewing the application tiles, we can see if the user was directly assigned the application or received access by the virtue of being part of a group.
Users on the Cymmetri platform can request access to a managed applications as a Self-Service feature.
The flow for an end-user to request for an application is as follows:
Visit the “My Workspace” menu.
Click on the “My Access” left-hand side menu.
3. Now Click on the “+ Request” button on the top-right button.
Here we need to decide whether we want to provide a Lifetime Access or a Time Based Access
Lifetime Access: Users have access to the application without any time restrictions.
Time Based Access: Users have access to the application only for the specified range of time. We need to provide a Start Date & Time and an End Date & Time for Time Based Access.
Now click on Save to register a request for the application assignment. If no Workflow is configured for the said application the application is immediately assigned to the user.
If a workflow for application provisioning is configured then the workflow is been initiated.
The workflow approver will then receive a request to approve the user assignment in their inbox.
Now the approver may approve or reject the user assignment
The approver may change the start and end date, if required; refer to the dynamic form attributes passed during the application assignment.
To continue the flow click on Accept button.
Now the next level of approver will be able to see the previous levels of approval, and similar to the previous level of approval, the approver may change the start and end date, if required; refer to the dynamic form attributes passed during the application assignment.
Click “Accept” to proceed.
After the last level approver has also approved the assignment, the backend processes will run the application provisioning flow.
Once the user has been provisioned in the application, they will be able to see it in their list of applications.
An administrator can bulk assign an application to a set of users. This an be achieved by uploading a .csv file which contains user information like., loginId, appUserId and roleId. For bulk assigning applications to users in Cymmetri platform administrator needs to
Click on Identity Hub > Applications menu and then click on the Applications Assignments button.
A screen pops up that lets you select the csv file you want to upload that contains the list of users to whom the application needs to be assigned, Upload the csv file, you may also use the sample data file available and modify it to match your user details.
Click on the Upload File button and select the file you wish to import
Once the file is selected ensure that the default parameters select match your requirement else you may change these parameters as per your requirement.
Once you have ensured the parameters are correct next select the application that needs to be assigned and click on Next button.
Match the Column names from the CSV file with the corresponding attributes using this File Info dialog box and click on the Import button.
Note: The "Link Application" check box is available to provision the user in the target application
Once Imported results of successfully Imported Users, Duplicate Users or any error that occurred during import can be see in Logs > Import History page
If any workflow is configured on the application provisioning then the corresponding workflow is triggered after the successful completeion of assignment as shown below:
Any application which supports SCIM v2.0 with bearer token is workable for application.
Following are configuration which is used for SCIM with bearer.
Base address - It is the endpoint of the target system which supports SCIM v2 API’s.
Username - Username to authenticate SCIM API endpoint.
Password - Password to authenticate SCIM API endpoint.
Security Token - It is a token which is used to authenticate.
Grant Type - It is grant type which is used to grant access for API’s.
Client Id - client id for authentication
Client Secret - client secret for authentication
Authentication type - It is Fixed Bearer compulsory.
Update method - Patch or Put method.
Accept - Http header which accepts (application/json etc).
Content Type - Http header which accepts (application/json etc).
Access Token Base Address - base address for access token
Access Token Node Id - node id for access token
Access Token Content Type - content type for access token.
Integration REST Application
The REST connector is designed to manage provisioning by relying on RESTful service.
For REST applications we need target applications which support REST API’s.
Following configuration is tested for felicity application.
We need REST API’s to integrate with cymmetri.
Following are the cymmetri configuration which need to configure in user configuration in cymmetri.
It is Basic REST configuration which need to configure in application.
We need to provide Groovy code to run create user, update user, delete user and also recon pull and push (for recon pull we need to add sync script and for recon push we need to add search script)
For sample script please validate following link
https://drive.google.com/drive/folders/1Vs8y1ZHXV3AjqsPkQSnwUoVppL-yc8Vl?usp=sharing
Note: Please Configure script step by step
Configure test script at initial step and then test configuration for provided script (If configure successfully then only go for step b).
Configure create script and test configuration (If successfully configured then only go for step c).
Configure update script and test configuration (If successfully configured then only go for step d).
Configure delete script and test configuration (If successfully configured then only go for step e).
Configure sync(pull) script and test configuration (If successfully configured then only go for step f).
Configure search(push) script and test configuration (If successfully configured then only go to the next step).
Once the applications have been configured to allow that the end-users have been provisioned into the managed application. We may now start configuring the reconciliation process for an application. The reconciliation process involves identifying the user attributes as stored in the Identity hub (Cymmetri platform) and their attributes as a user or a group account in the managed application; and the ensuring that the synchronization of the user and group accounts takes place either one-way or both ways between the managed application and the Identity hub, to ensure that there no discrepancies in the accounts stored by both the systems.
The reconciliation process may follow two strategies -
Full Reconciliation Full reconciliation is typically carried out when the managed application is first introduced into an organization’s Cymmetri platform. This involves ensuring all user accounts (and group accounts, wherever applicable) from the Cymmetri platform, are synchronized with the account information on the managed application. This type of reconciliation often takes a longer time, and is often only used as a one-time activity.
Filtered Reconciliation The Cymmetri platform and the managed application might lose synchronization due to a number of reasons, including backend changes to the user or group account information on the managed application or failure of communication between the identity platform and the managed application. In such cases, filtered reconciliation is employed on a regular, scheduled basis. This includes filters for a particular set of users, or to choose only the users that have been modified on either platforms, this is known as filtered reconciliation.
Cymmetri platform allows for both types of reconciliation phases, by allowing administrator to define an optional user filter during the reconciliation process.
The reconciliation process involves two major processes:
Pull In this mechanism, the Cymmetri platform allows for user and group account information to be pulled from the managed application.
Push In this mechanism, the Cymmetri platform pushes the user and group account information to be pushed to the managed application.
Regardless of the process employed, the configuration for the most part remains the same. Let us explore the reconciliation configurations on the Cymmetri Platform:
You may access the reconciliation menu by clicking on the application tile, and then clicking on the “Reconciliation” left-hand side menu.
Proceed to configure by clicking on the “+ Add New” button.
Name: Refers to the name of the Reconciliation process
Modes: FILTERED_RECONCILIATION (Currently the only mode supported by Cymmetri)
Sync Fields: The field from the user/group’s account information as available on the Cymmetri platform that must be used as a basis to identify the corresponding account on the managed application database.
Source Attributes: The field from the user/group’s account information as available on the managed application database that must be used as a basis to match with the “Sync fields”.
Status: Whether to run the reconciliation for Active/Inactive users.
Type: Some applications allow GROUP reconciliation, but most will have USER reconciliation only.
Filled Reconciliation basic configuration looks as above.
Let us assume we are synchronizing the Cymmetri Platform with a cloud provider using email or mail attribute as the Sync field. As such users on both platforms having the same email address will be matched/un-matched.
User does not exist in Target system & exists in Cymmetri: This indicates a situation during a pull phase or a push phase, where the user account exists on the Cymmetri platform, but not in the managed application. This typically occurs when the users have been pulled into the Cymmetri platform, but the managed application is yet to be synchronized with these users.
User exists in Cymmetri & Target system: This indicates a situation during a pull phase or a push phase, where the user account exists on the Cymmetri platform and in the managed application, but they may or may not have the same attributes or the same values of the attributes.
User exists in Target system & does not exist in Cymmetri: This indicates a situation during a pull phase or a push phase, where the user account exists in the managed application database but not on the Cymmetri Identity platform. This typically occurs when the users have been pulled into the managed application through its backend and the users have not been centrally managed through the Cymmetri platform.
User does not exist in Target system & exists in Cymmetri:
PROVISION: User is created in the target system with the attributes as present in their Cymmetri user profile.
IGNORE: User is not modified in either system.
UPDATE: Not relevant for this scenario.
DEPROVISION: User is removed from the Cymmetri platform to be consistent with the managed application user database.
UNASSIGN: Not relevant for this scenario.
ASSIGN: User is assigned access to this system in Cymmetri, this option may be used in the case of options like JIT being available to generate user profile in the managed application.
UNLINK: Not relevant for this scenario.
LINK: Not relevant for this scenario.
User exists in Cymmetri & Target system:
PROVISION: User is created in the target system with the attributes as present in their Cymmetri user profile.
IGNORE: User is not modified in either system.
UPDATE: User information from the Cymmetri Identity platform is updated using the account information from the managed application and vice versa.
DEPROVISION: Not relevant for this scenario.
UNASSIGN: Not relevant for this scenario.
ASSIGN: User is assigned the managed application on the Cymmetri platform in case they are already not assigned.
UNLINK: Not relevant for this scenario.
LINK: Not relevant for this scenario.
User exists in Target system & does not exist in Cymmetri:
PROVISION: User is created in the Cymmetri Identity platform deployment using the account information from the managed application.
IGNORE: User is not modified in either system.
UPDATE: Not relevant for this scenario.
DEPROVISION: User is removed from the managed application user database.
UNASSIGN: Not relevant for this scenario.
ASSIGN: Not relevant for this scenario.
UNLINK: Not relevant for this scenario.
LINK: Not relevant for this scenario.
Scheduling the reconciliation process:
Next Execution Date: This indicates the base date to start the execution date and time of the reconciliation process.
Cron Expression: This indicates the frequency with which the further reconciliation events will be run. There are 6 fields here - * * * * * * (e.g., 5 15 0 1 8 *) ; they refer to seconds, minutes, hours, days, months, and year after the first execution date.
Deprovisioning rules in any IAM system define the automated processes for managing the removal or deactivation of user accounts and access privileges when certain conditions are met.
These rules play a critical role in ensuring that access rights are promptly revoked when users no longer require them, enhancing security and compliance.
In Cymmetri, to establish deprovisioning rules, navigate to the "Deprovisioning" section within the rules under the User Lifecycle Management module.
Deprovisioning configuration includes the following:
Deprovisioning the user based on the Status or End Date of the user retrieved from the source system. Additionally, administrators can also choose to define provisioning based on any Hook Rule that provides users with the ability to insert custom logic for deprovisioning event.
Exclusion Application: This feature enables administrators to specify which applications should be exempt from the deprovisioning event in Cymmetri. Consequently, whenever deprovisioning is initiated, these selected applications will not be removed from a user's access.
Grace Period: The grace period allows you to set the number of days before the application is removed from the user's access.
Process Allocation Size: It refers to the number of simultaneous threads or parallel processes that Cymmetri allocates for executing the deprovisioning tasks. It determines how many user accounts or access revocations can be processed concurrently.
In Cymmetri, administrators can create a custom scheduler for a Deprovisioning rule to promptly eliminate unauthorized user access as per a specified timetable. This involves defining the scheduler using a cron expression, activating it, and saving the configured settings.
Github Enterprise provides provisioning using SCIM 2.0
Pre-requisites
Create an account in Github (Enterprise).
Enable SAML for the Github tenant to be used with Cymmetri.
Step 1. Configure SSO in Cymmetri
Note the application URL received from the Git SAML configuration
Continue the configuration by logging into Cymmetri using at least Application Administrator role
Note: Public certificate gets from SSO metadata(cymmetri) and format it using following
Note: Make sure when you test SAML then in cymmetri login with github admin users loginid which is added in cymmetri.
Configure Profile Mapping
Create User in Cymmetri and make sure login id of Cymmetri is same as gitHub Admin user login id.
Test SSO with the Cymmetri user.
Configure SCIM v2.0 (Github) application from master (cymmetri).
Basic provisioning policy attribute and policy map already aaded in default schema.
Github Application is run using Fixed Bearer token.
To get Fixed bearer token following steps used.
Step 1: Go to user settings in github
Step 2: Go to developer settings
Step 3: Go to personal access token and generate new token
Step4: Click on Configure SSO
Step 5: Click on Authorize
Use following cymmetri provision configuration and change according to github account.
Fixed Bearer Value copy from personal access token
Click on save
Click on Test Configuration with success message.
Check Policy map
Disable default for the respective attribute
Any application which supports SCIM v2.0 with fixed bearer is workable for application.
Following are configuration which is used for SCIM with fixed bearer
Base address - It is the endpoint of the target system which supports SCIM v2 API’s.
Username - Username to authenticate SCIM API endpoint.
Password - Password to authenticate SCIM API endpoint.
Authentication type - It is Fixed Bearer compulsory.
Fixed Bearer Value - The value for fixed bearer.
Update method - Patch or Put method.
Accept - Http header which accepts (application/json etc).
Content Type - Http header which accepts (application/json etc).
| Attribute Name | Description |
|---|---|
| Active Directory attribute | Cymmetri Attribute |
|---|---|
| Field Name | Description |
|---|---|
| Field Name | Description |
|---|---|
| Options | Usage |
|---|---|
| User exists in target system, not in Cymmetri | User exists in both systems | User does not exist in target system, but in Cymmetri | Result |
|---|---|---|---|
Search for a user in the search text box, and once the user is found, click on the “Assign” button.
4. Click on the Application Icon to start the request process
CN
Common Name/ Display Name
RDN
Relative Distinguished Name - An RDN is the relative portion of a Display Name (DN).
SN
Surname
__NAME__
Users Display Name
__PASSWORD__
Users password
sAMAccountName
Unique login attribute
cn
Unique login attribute (specific to user)
rdn
Used to pass the OU (Organization Unit) path
Host server
The IP address of the host server
Server port
Port of the host server
Server Password
Host Server password
Server connector bundle version
Version number of the connector server bundle
Server connector bundle name
Name of the connector server bundle
Server connector name
Given name of the connector server
Server Connector Timeout
Timeout of the connector server in milliseconds
Server Connector UseSSL
Connector server SSL configuration
Entry object classes
Object classes to which the Account class is mapped
Root suffixes
Display names used for Active Directory synchronisation to Cymmetri, such as domain controller name
Principal password
Admin password to connect to Active Directory
Default id Attribute
Default attribute Id
Custom user search filter
Search filter used to search accounts
Connector messages
Custom connector messages
Default group container
Default group container can be used during create operation in case of entry DisplayName is not explicitly mentioned
Default people container
Default people container can be used during create operation in case of entry DisplayName is not explicitly mentioned
Group owner reference attribute
Group attribute referencing (by DisplayName) the users members of a group
Custom group search filter
User search filter for groups
Group search scope
Choose object, onlevel or subtree
Server hostname
Active Directory server hostname that would connect to Cymmetri
Conservative membership policy
Conservative management of assigned groups. The groups already assigned to an user on Active Directory will not be removed.
Memberships
Groups to identify users to synchronize. The connector ignores any changes about users not member of indicated groups.
Verify memberships in OR
Indicate if specified memberships must be verified using 'OR' logical operator.
Object classes to synchronise
User object classes to synchronise. The connector ignores any changes if it cannot find modified entry object classes in this property.
Page size
Get users from Active Directory with the provided size
Pageable result
Get users from Active Directory with the provided size pageable result
Server port
Port of the Active Directory connector server
Principal
Admin username of the Active Directory
Permit password update only
Permit password update only.
Create/delete operation will be denied, while other attributes update requests will be ignored.
Retrieve deleted groups
Indicate if deleted groups must be synchronized also.
Retrieve deleted users
Indicate if deleted users must be synchronised also.
SSL
True if the SSL certificate is configured
Trust all certs
Indicative if all server certificates can be trusted
UID attribute
Unique Identifier Attribute
Base context for user entry searches
Display the Name of OU (Organization Unit), Root domain or Root controller required for user entry search
User search scope
The scope could be a subtree or object for user search
IGNORE
You can skip the process by choosing this option.
UPDATE
It can be used when you want to modify or reflect new changes.
PROVISION
You can use this option to onboard the users.
DEPROVISION
You can use this option to remove the users.
LINK
You can use this option to link the users to Cymmetri
UNLINK
You can use this option to unlink the users to Cymmetri
ASSIGN
You can use this option to assign the users to Cymmetri
UNASSIGN
You can use this option to unassign the users to Cymmetri
UPDATE
IGNORE
PROVISION
Update user details in the target system, ignore if a user is present in both systems and provision users that do not exist in the target system.
