Planning for your first synchronization

When you are setting up user provisioning, it is important that you review the data you are about to provision. The way that you structure user data in your identity provider or LDAP-compliant directory affects how you should structure groups and users in the portal for policies and exceptions. You should devise a strategy before you start.

To start, what data do you want to get out of your user data and what do you plan to do with it?

Second, how is that data organized?

Third, how do you need to structure users and groups in the portal to accommodate your security requirements?

In a typical directory, users are members of many groups. For example, users may be members of global groups like “All Sales”; they may be members of geographical groups like “London” or “New York”; and they may be members of a department such as “NY Telesales” and many others. When deciding which groups to provision, select only groups that are going to be useful to the cloud service, typically for setting policy or group-based exceptions. See Deciding what to synchronize for more guidelines on this decision.

If you already have users and groups in the portal, then you’ll need to determine how and whether to adjust that structure to match the data that is to be provisioned (or vice versa).

For customers using LDAP, the following are the most common use cases. Follow the links to review considerations and checklists designed just for you.

  • New customers:
    • Synchronizing users/groups with a single Web policy and exceptions
    • Synchronizing users/groups with more than one policy, and planning to manage policy assignment through an LDAP directory
    • New Web customers (SCIM)
  • New and existing email customers:
    • Synchronizing email addresses to provide an “allowlist” of valid email addresses
    • Synchronizing users/groups to provide per-user/per-group exceptions to email policies
  • Existing customers:
    • Wanting to manage users/groups from an LDAP directory
    • Wanting to manage users/groups from an LDAP directory but Web policy assignment from the portal
    • Existing Web customers (SCIM)