Adding and editing directory contexts for the hybrid service

Use the Settings > Hybrid Configuration > Shared User Data > Add Context page to refine the way that Directory Agent searches your user directory and packages user and group information for the hybrid service.

Warning:

There is a limit to how many groups the hybrid service can support. The limit is affected by a number of factors, but if it is exceeded, user requests are not handled properly.

If your organization has a large directory forest with thousands of groups, be sure to configure Directory Agent to upload only the users whose requests are sent to the hybrid service.

You can select multiple contexts within the directory. It is best to select contexts that contain only users managed by the hybrid service: for example, you might have hybrid users in multiple OUs. Alternatively, if you want to synchronize all users in a number of specific groups, you can select a context for each group, where each context is the fully qualified group name.

By default, Directory Agent uses the user and group filters defined under Advanced directory settings on the Settings > General > Directory Services page. If required, you can customize these filters for each hybrid service context, for example to include only users that are members of a group managed by the hybrid service.
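As an added illustration of the kind of customized user filter this paragraph describes (example code, not Directory Agent's own; the default filter string and the group DN are placeholders, and the memberOf attribute and the RFC 4515 escaping rules are standard LDAP/Active Directory behaviour rather than product specifics), the following Python composes the default user filter with a membership test for a hybrid-managed group. The point it demonstrates is that a group name containing parentheses or `*` must be escaped before it is pasted into a filter, or the filter is malformed or matches more than intended:

```python
"""Constructed example: build a customised user search filter that keeps only
members of a group managed by the hybrid service. The base filter and group
DN are placeholders; memberOf and RFC 4515 escaping are standard LDAP /
Active Directory behaviour, not specifics of Directory Agent."""


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515, section 3).
    '*', '(', ')', '\\' and NUL become backslash plus two hex digits."""
    escaped = []
    for ch in value:
        if ch in "*()\\\x00":
            escaped.append("\\%02x" % ord(ch))
        else:
            escaped.append(ch)
    return "".join(escaped)


def members_of_filter(base_filter, group_dn):
    """AND the existing user filter with a memberOf test for group_dn."""
    return "(&%s(memberOf=%s))" % (base_filter, escape_filter_value(group_dn))


def parentheses_balanced(filter_str):
    """Cheap sanity check to run before pasting a filter into the settings page."""
    depth = 0
    for ch in filter_str:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


# Placeholder default user filter (the real default comes from the Directory
# Services page) and a constructed group DN whose name contains parentheses.
DEFAULT_USER_FILTER = "(objectClass=user)"
HYBRID_GROUP_DN = "cn=Hybrid Users (Web),ou=Groups,dc=example,dc=com"

if __name__ == "__main__":
    custom = members_of_filter(DEFAULT_USER_FILTER, HYBRID_GROUP_DN)
    print(custom)
    print("balanced:", parentheses_balanced(custom))
```

The resulting filter keeps only directory entries that both satisfy the default user filter and list the hybrid group in memberOf; the same composition applies to the group filter with whatever attribute your directory uses for group membership.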

You can also choose to exclude certain contexts from the Directory Agent search. You might want to do this if you have a particular context that is not required or could cause problems with the hybrid service, such as an administrator group with multiple email addresses in a record. You can only set a context as an exclude context if it is within an included directory context.

Steps

  1. Expand the Directory Entries tree to locate the context you want to use when gathering user and group data from the directory. Narrow the context to increase speed and efficiency.
    Use the search field to locate the context name if required. You can search on OUs, groups, users, or all directory entries. If multiple contexts appear in the search results, select a context and click Show in Tree to see the context’s location in the Directory Entries tree.
  2. Mark the context, then click Set as Include Context.
  3. In the popup window that appears, indicate how far below the root context Directory Agent looks for users and groups.
    • Select Context Only to limit searches to the root context only.
    • Select One Level to limit searches to the root context and one level below.
    • Select All Levels to expand searches to the root context and all levels below.
  4. If you selected groups or OUs to Set as Include Context, and then selected One Level or All Levels for group searches, the Include all users in selected groups, regardless of context option is enabled. Check the box if you want to ensure that all users are included from the groups found in the directory search, even if some of those users are in a different context.

    If you are using Windows Active Directory and the nested groups feature is enabled, users inside nested groups can be synchronized and then identified for consistent policy enforcement. To enable the feature:

    1. Use a text editor to edit the file das.ini (in C:\Program Files\Websense\Web Security\bin or /opt/Websense/bin/, by default, on the Directory Agent machine).

      Locate the section labeled "DAS" and set the EnableNestedGroup value to 1 (on).

    2. Restart the Directory Agent service so that it reloads das.ini and applies the new setting.

      EnableNestedGroup works with any context configuration (Context Only, One Level, All Levels, Include all users).

  5. To fine-tune the search filters that Directory Agent uses for this context, click Customize Search Filters.
  6. Mark Customize search filters, and edit the user and group search filters as required.
  7. Click OK to save the directory context.
  8. When you specify that a context is included, by default any contexts below that context in the tree are also included. To exclude a context within an included context, mark the context that should not be sent to the hybrid service, and click Set/Edit/Remove Exclude Context. You can select multiple contexts if required.
  9. In the popup window that appears, note that Set as exclude context is selected. The Remove exclude context option is available only when you select an existing excluded context and click Set/Edit/Remove Exclude Context to edit it.
  10. Indicate how far below the excluded context Directory Agent looks for users and groups.
    • Select Context Only to limit searches to the specified context only.
    • Select One Level to limit searches to the specified context and one level below.
    • Select All Levels to expand searches to the specified context and all levels below.

    Note that the user and group levels for an excluded context cannot be greater than the defined levels for its root context. For example, if the root context’s Directory Search level for either users or groups is set to Context Only, the corresponding users or groups search level for the excluded context is also set to Context Only and cannot be changed.

    If you select All Levels for both users and groups, everything below the selected context is excluded and you cannot browse further levels of the Directory Entries tree.

  11. If only groups are specified as exclude contexts, and One Level or All Levels has been selected for exclusion, use the Exclude all users in selected groups, regardless of context option to determine whether:
    • (Check box marked) Users in exclude contexts are always excluded, regardless of whether they are also defined in other (included) contexts.
    • (Check box cleared) Users in exclude contexts are not excluded when they are also defined in other (included) contexts.
  12. Click OK to save the excluded context.
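
The steps above combine include contexts, exclude contexts and the Context Only / One Level / All Levels search levels. The following Python is an added model of how those pieces narrow a directory search; it is not Directory Agent's code, and the matching semantics it assumes (Context Only, One Level and All Levels behave like LDAP base, one-level and subtree scope; an exclude context wins over an include; an exclude level higher than its root context's level is clamped down) are this example's reading of the page rather than documented internals. The sample DNs and group memberships are constructed:

```python
"""Constructed model of include/exclude directory contexts with Context Only /
One Level / All Levels search levels. Base / one-level / subtree matching,
"exclude wins", and clamping an exclude level to its root context's level
are assumptions of this example, not the product's own behaviour."""
from enum import IntEnum


class Scope(IntEnum):
    CONTEXT_ONLY = 0   # the context entry itself (LDAP base scope)
    ONE_LEVEL = 1      # the context plus its direct children
    ALL_LEVELS = 2     # the context plus the whole subtree


def split_dn(dn):
    """Split a DN into normalised RDNs, root first. Assumes no escaped commas."""
    return [rdn.strip().lower() for rdn in dn.split(",")][::-1]


def depth_below(entry_dn, context_dn):
    """Levels that entry_dn sits below context_dn, or None if it is not inside
    that context at all (0 means the entry is the context itself)."""
    entry, ctx = split_dn(entry_dn), split_dn(context_dn)
    if entry[:len(ctx)] != ctx:
        return None
    return len(entry) - len(ctx)


def in_scope(entry_dn, context_dn, scope):
    """True if entry_dn is covered by context_dn at the given search level."""
    depth = depth_below(entry_dn, context_dn)
    if depth is None:
        return False
    return scope == Scope.ALL_LEVELS or depth <= int(scope)


def validate_exclude(exclude, includes):
    """An exclude context must lie inside an include context, and its level
    may not exceed that root context's level (assumed: clamp it down)."""
    dn, scope = exclude
    root_scopes = [s for root, s, _ in includes if depth_below(dn, root) is not None]
    if not root_scopes:
        raise ValueError("%s is not within any included context" % dn)
    return dn, Scope(min(scope, max(root_scopes)))


def select_users(users, includes, excludes):
    """users: {user_dn: [group_dn, ...]} (the groups each user belongs to).
    includes: (context_dn, scope, include_all_group_members), where the flag
    models 'Include all users in selected groups, regardless of context'.
    excludes: (context_dn, scope). Returns the sorted user DNs that would be
    packaged for the hybrid service under these assumptions."""
    excludes = [validate_exclude(e, includes) for e in excludes]
    selected = []
    for user_dn, groups in users.items():
        included = any(
            in_scope(user_dn, ctx, s)
            or (all_members and any(split_dn(g) == split_dn(ctx) for g in groups))
            for ctx, s, all_members in includes)
        excluded = any(in_scope(user_dn, ctx, s) for ctx, s in excludes)
        if included and not excluded:
            selected.append(user_dn)
    return sorted(selected)


# Constructed sample directory: users and the groups they belong to.
USERS = {
    "cn=alice,ou=hybrid,dc=example,dc=com": [],
    "cn=bob,ou=sales,ou=hybrid,dc=example,dc=com": [],
    "cn=carol,ou=admins,ou=hybrid,dc=example,dc=com": [],
    "cn=dave,ou=onprem,dc=example,dc=com": ["cn=hybrid-users,ou=groups,dc=example,dc=com"],
}
INCLUDES = [
    # OU include, all levels
    ("ou=hybrid,dc=example,dc=com", Scope.ALL_LEVELS, False),
    # group include with "Include all users in selected groups, regardless of context"
    ("cn=hybrid-users,ou=groups,dc=example,dc=com", Scope.CONTEXT_ONLY, True),
]
# An admin OU inside the included OU, excluded with all of its levels.
EXCLUDES = [("ou=admins,ou=hybrid,dc=example,dc=com", Scope.ALL_LEVELS)]

if __name__ == "__main__":
    for dn in select_users(USERS, INCLUDES, EXCLUDES):
        print(dn)
```

Running it selects alice and bob (inside the included OU), drops carol (inside the excluded admin OU) and keeps dave, who lives outside every included OU but is pulled in through group membership because the include-all-members flag is set on the group context. Changing the OU include to One Level drops bob as well, since he sits two levels below the root context.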

Next steps

When you are finished, click OK to close the Add Context page and update the Root Context for Hybrid Service Users table. You must also click OK on the Shared User Data page to cache the change.

Click a link on the Root Context for Hybrid Service Users table to access the Edit Context page for the selected context.