Synchronizing users/groups with more than one policy, and planning to manage policy assignment through an LDAP directory

Steps

  1. Plan the cloud data structure: users and groups (See Groups), policies (See Defining Web Policies), and exceptions (See Exceptions). Create an extra policy or policies as required.
  2. Review the existing LDAP/Active Directory data structure and decide whether restructuring of LDAP is necessary to match the proposed cloud data structure more closely.
  3. Download the client and install it on the target client machine.
  4. Configure the Directory Synchronization Client to search the LDAP directory and extract groups and users to a local file (ensure NTLM ID is included). (See the Directory Synchronization Client Administrator’s Guide for instructions). Review the results and modify the search as necessary to ensure it returns expected results.
  5. In the cloud manager, set up a contact with Directory Synchronization permissions. (See Set up authentication (Directory Synchronization only)). This is the username/logon that the Directory Synchronization Client uses to log into the cloud manager.
  6. Decide whether email will be sent after new users are synchronized from LDAP.
  7. Now you are ready! In the cloud manager, enable Directory Synchronization. (See Configure identity management).
  8. In the Directory Synchronization Client, set up portal settings in the configuration established above, changing the output type to portal (not file) and using the contact with Directory Synchronization permissions created above. (See the Directory Synchronization Client Administrator’s Guide).
  9. During a slow period, select Replace on the client. Data is synchronized to the cloud manager. Note the number of additions. This is visible in the Synchronization page and also from the notification email messages.
  10. Log onto the cloud manager. Using Account > End Users and Account > Groups, check that users’ and groups’ policies are as expected. (See View and manage user data).
  11. On the Identity Management page, view Recent Directory Synchronizations and compare the totals of additions against those noted in the Directory Synchronization Client. They should match. (See View recent directory synchronizations).
  12. Go to each policy in turn, and set up the group/policy assignments. This moves users to the appropriate policies. (See Assign a group to a different policy).
  13. Go to the Identity Management configuration page and check that the default policy setting is correct.
  14. Return to the Account > End Users page and check that users are in the correct policies.
  15. If you are planning to set up exceptions based on group membership, do this now in the cloud manager. (See Exceptions).
  16. The system is now live. If you are unhappy with the user/group data you have synchronized, use Restore to undo the synchronization and try again. (See Restore directories).
  17. If everything appears to be working, set up a schedule time in the Directory Synchronization Client for the background task to run. Close the client tool.
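The following script is an added example, not the product's own code or output: it is a pre-flight check for the planning and verification steps above (steps 1, 4, 12, 13 and 14). It takes a constructed snapshot of synchronized users plus the planned group/policy assignments and default policy, and reports each user's expected policy, users without an NTLM ID, and users whose groups point at more than one policy; the field names, group names and policy names are assumptions, and the real export format is the Directory Synchronization Client's.

```python
# Added example, not the product's own code: a pre-flight check for the
# planned group/policy assignments above. Field and policy names are assumed;
# the real export format belongs to the Directory Synchronization Client.
from typing import Dict, List, Optional

# Constructed sample of synchronized users: name, NTLM ID, LDAP group memberships.
USERS: List[Dict] = [
    {"name": "alice", "ntlm_id": "CORP\\alice", "groups": ["Finance"]},
    {"name": "bob", "ntlm_id": "CORP\\bob", "groups": ["Engineering", "Contractors"]},
    {"name": "carol", "ntlm_id": "", "groups": ["Finance"]},
    {"name": "dave", "ntlm_id": "CORP\\dave", "groups": ["Visitors"]},
]
# Planned group -> policy assignments (step 12) and the default policy (step 13).
GROUP_POLICY: Dict[str, str] = {
    "Finance": "Finance Policy",
    "Engineering": "Engineering Policy",
    "Contractors": "Restricted Policy",
}
DEFAULT_POLICY = "Default Policy"

def expected_policy(groups: List[str]) -> Optional[str]:
    """Single policy implied by a user's groups; the default policy when no
    group is assigned; None when the groups point at different policies."""
    candidates = {GROUP_POLICY[g] for g in groups if g in GROUP_POLICY}
    if not candidates:
        return DEFAULT_POLICY
    return candidates.pop() if len(candidates) == 1 else None

def preflight(users: List[Dict]) -> Dict[str, object]:
    """Expected placement per user plus the problems to fix before going live."""
    placement: Dict[str, str] = {}
    missing_ntlm: List[str] = []   # step 4: every user needs an NTLM ID
    ambiguous: List[str] = []      # resolve group/policy assignment first
    for u in users:
        if not u["ntlm_id"]:
            missing_ntlm.append(u["name"])
        policy = expected_policy(u["groups"])
        if policy is None:
            ambiguous.append(u["name"])
        else:
            placement[u["name"]] = policy
    return {"placement": placement, "missing_ntlm": missing_ntlm, "ambiguous": ambiguous}

if __name__ == "__main__":
    for key, value in preflight(USERS).items():
        print(f"{key}: {value}")
```

Compare the "placement" output with Account > End Users after step 14; anything listed under "ambiguous" needs a decision on which policy should win before the group/policy assignments are made in step 12.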