I am using Aris Connect SR18 and have SSO working from our Active Directory Aris Groups.
My question is around maintenance of Users in Aris Connect when a User is REMOVED from the Aris AD Group (e.g. when they leave the Company). The User in Aris Connect STILL REMAINS and I have to MANUALLY go in and DELETE the specific User.
I may be missing something, but is there some way to "SYNC" from our Aris AD Group to Aris Connect to update the Users in Aris Connect rather than having to know specifically which Users need to be removed/deleted? If there is a way to perform this sync, can it be automated to say run "weekly" or "monthly"?
Also, if there is a way to perform this type of sync would Aris Connect Users that already exist, but are NOT actually part of the AD Aris Group STILL REMAIN?
Sorry, lots of questions in there, but hoping somebody in the Aris Community can help. I am just hoping that I don't have to regually do a manual reconcile between Aris Connect Users and our Aris AD Group.
Many thanks in advance.
1
465
4
by Martin Schröder
Posted on Fri, 10/21/2022 - 18:22
Hello Michael,
if your UMC user groups were imported from your Active Directory the button "Synchronize with LDAP" above each UMC user group should work for you (cf. online doc SR18). Please check the UMC LDAP configuration because it also depends on search paths, filters and more behavioural settings.
And be careful to try it first in a test environment.
When synchronizing single users I had the unexpected effect, that some were deleted from UMC only because they had moved to other departments, i.e. the OU= part of a distinguished name had changed. I assume that Aris always requests the full DN for comparison, not ony the user id (common name, CN).
Another tool for LDAP synchronization is y-ldapsync.bat/.sh for a scheduled task on the server. But please verify the command line syntax first, because help contains obvious errors:
syncUsers Synchronizes existing users with an LDAP system, the spelling is case sensitive. * -au, --affectedUser User name of affected user
affectedUser does not make sense for syncUsers, only for the command syncUser.
Unfortunately, I guess I neglected to state 1 important point. We are using SAML SSO to Aris 10 SR18 via our Active Directory. So there is no LDAP configuration in play here and I don't even see that "synchronize with LDAP" button in the UMC screen in Aris. Therefore, this solution won't work for me. Thanks again though for responding.
Sorry Jon, I haven't logged on in a while. No solution to this point. I have just created a recurring task in my Outlook to perform the Manual Reconciliation quarterly.
