.. _user-management-scenarios:

.. rst-class:: chapter-with-expand

User Management Scenarios
--------------------------

.. _20.1.1|VOSS-551:

This section provides details on the actions that are carried out when a
user is managed, given the absence or presence of the same user in VOSS-4-UC,
applications or LDAP.

.. _add-user-sync-scenarios:

Add User Sync Scenarios
.......................

The table below details the add and update scenarios when a user is added
who may already exist on VOSS-4-UC, applications or LDAP, and the *default*
Sync Source precedences apply.

The cases are:

* whether or not the user exists on LDAP
* whether or not the user exists on any application that is a sync source
  (APP SOURCE)

Field sync takes place according to:

* Sync Source precedence - see :ref:`user-sync-source`.
* the User Field Mapping that applies - see :ref:`user-field-mapping`.

.. important::

   Sync Source precedence may override user input. If you update a user
   on VOSS-4-UC:

   * that exists on a sync source
   * has mapped fields
   * has a higher precedence than LOCAL (VOSS-4-UC) data

   then the data of these fields is updated from the sync source and not
   from the user input added in VOSS-4-UC. The Admin Portal would typically
   render these fields read-only.

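
The rule in the note above, modelled as an added example (this is not VOSS-4-UC code): it shows which submitted values are discarded when a sync source outranks LOCAL. The precedence order is taken from the tables on this page; the field mappings, function names and sample records are assumptions constructed for illustration.

```python
# Added illustration of the note above; not VOSS-4-UC code.
# ASSUMPTION: default precedence, highest first, as implied by the tables on
# this page (LDAP is chosen over an application source, and both over LOCAL).
PRECEDENCE = ("LDAP", "APP SOURCE", "LOCAL")

# ASSUMPTION: hypothetical User Field Mappings, data/User field -> source field.
FIELD_MAPPING = {
    "LDAP": {"email": "mail", "first_name": "givenName", "last_name": "sn"},
    "APP SOURCE": {"email": "mailid", "department": "department"},
}


def user_sync_source(source_records):
    """Highest-precedence source on which the user exists, else LOCAL."""
    for name in PRECEDENCE:
        if name in source_records:
            return name
    return "LOCAL"


def resolve_update(current, user_input, source_records):
    """Apply an update to a data/User record.

    Returns (sync_source, new_record, overridden), where overridden maps each
    field whose submitted value was discarded to (submitted, value_from_source).
    """
    source = user_sync_source(source_records)
    mapping = FIELD_MAPPING.get(source, {})
    remote = source_records.get(source, {})
    # Mapped fields that the sync source actually provides: these win.
    synced = {f: remote[r] for f, r in mapping.items() if r in remote}

    record = dict(current)
    for field, value in user_input.items():
        if field not in synced:      # non-mapped field: user input applies
            record[field] = value
    record.update(synced)            # mapped fields come from the sync source

    overridden = {
        f: (user_input[f], v)
        for f, v in synced.items()
        if f in user_input and user_input[f] != v
    }
    return source, record, overridden


# Constructed sample data.
CURRENT = {"username": "jdoe", "email": "jdoe@old.example", "title": "Engineer"}
EDIT = {"email": "jane@new.example", "title": "Manager"}
LDAP_ENTRY = {"mail": "jdoe@corp.example", "givenName": "Jane", "sn": "Doe"}

if __name__ == "__main__":
    src, rec, lost = resolve_update(CURRENT, EDIT, {"LDAP": LDAP_ENTRY})
    print(src, rec)
    print("discarded input:", lost)
```

The ``overridden`` result is the part worth logging: it lists the edits that an administrator submitted but that the sync source replaced.
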
The detailed scenarios for the operation: *adding a user* (model:
``relation/User``) are:

+---------------+----------------------+-----------------------+-----------+-------------------------+--------+
| ``data/User`` | ``device/ldap/User`` | ``device/<APP>/User`` |           |                         | User   |
| exists        | exists               | exists                | Hierarchy | Action                  | Sync   |
|               |                      |                       |           |                         | Source |
+===============+======================+=======================+===========+=========================+========+
| Y             |                      |                       | same as   | Error:                  |        |
|               |                      |                       | user      | user exists             |        |
+---------------+----------------------+-----------------------+-----------+-------------------------+--------+
|               |                      |                       | current   | Create ``data/User``    | LOCAL  |
+---------------+----------------------+-----------------------+-----------+-------------------------+--------+
|               | Y                    |                       | same as   | Create ``data/User``,   | LDAP   |
|               |                      |                       | LDAP user | Update ``data/User``,   |        |
|               |                      |                       |           | based on sync source    |        |
+---------------+----------------------+-----------------------+-----------+-------------------------+--------+
|               |                      | Y                     | same as   | Create ``data/User``,   | APP    |
|               |                      |                       | APP user  | Update ``data/User``,   | SOURCE |
|               |                      |                       |           | based on sync source    |        |
+---------------+----------------------+-----------------------+-----------+-------------------------+--------+
|               | Y                    | Y                     | same as   | Create ``data/User``,   | LDAP   |
|               |                      |                       | APP user  | Update ``data/User``,   |        |
|               |                      |                       |           | based on sync source    |        |
+---------------+----------------------+-----------------------+-----------+-------------------------+--------+
|               | Y                    |                       | below     | Create ``data/User``,   | LDAP   |
|               |                      |                       | LDAP user | Update ``data/User``,   |        |
|               |                      |                       | hierarchy | based on sync source,   |        |
|               |                      |                       |           | Move LDAP user to       |        |
|               |                      |                       |           | ``data/User`` hierarchy |        |
+---------------+----------------------+-----------------------+-----------+-------------------------+--------+
|               |                      | Y                     | below     | Create ``data/User``    | APP    |
|               |                      |                       | APP user  | Update ``data/User``    | SOURCE |
|               |                      |                       | hierarchy | based on sync source    |        |
|               |                      |                       |           | Move App user to        |        |
|               |                      |                       |           | ``data/User`` hierarchy |        |
+---------------+----------------------+-----------------------+-----------+-------------------------+--------+
|               | Y                    | Y                     | below     | Create ``data/User``    | LDAP   |
|               |                      |                       | APP user  | Update ``data/User``    |        |
|               |                      |                       | hierarchy | based on sync source    |        |
|               |                      |                       |           | Move LDAP user to       |        |
|               |                      |                       |           | ``data/User`` hierarchy |        |
+---------------+----------------------+-----------------------+-----------+-------------------------+--------+
|               | Y                    |                       | above     | Error:                  | LDAP   |
|               |                      |                       | LDAP user | Create User Log         |        |
|               |                      |                       | hierarchy | entry with message      |        |
+---------------+----------------------+-----------------------+-----------+-------------------------+--------+
|               |                      | Y                     | above     | Error:                  | APP    |
|               |                      |                       | APP user  | Create User Log         | SOURCE |
|               |                      |                       | hierarchy | entry with message      |        |
+---------------+----------------------+-----------------------+-----------+-------------------------+--------+
|               | Y                    | Y                     | above     | Error:                  | LDAP   |
|               |                      |                       | APP user  | Create User Log         |        |
|               |                      |                       | hierarchy | entry with message      |        |
+---------------+----------------------+-----------------------+-----------+-------------------------+--------+

.. _update-user-sync-scenarios:

Update User Sync Scenarios
..........................

The table below details data sync sources and update actions when a user is
updated and the *default* Sync Source precedences apply.

The cases are:

* whether or not the user exists on LDAP
* whether or not the user exists on any application that is a sync source

Field sync takes place according to:

* Sync Source precedence - see :ref:`user-sync-source`.
* the User Field Mapping that applies - see :ref:`user-field-mapping`.

.. important::

   Sync Source precedence may override user input. If you update a user
   on VOSS-4-UC:

   * that exists on a sync source
   * has mapped fields
   * has a higher precedence than LOCAL (VOSS-4-UC) data

   then the data of these fields is updated from the sync source and not
   from the user input added in VOSS-4-UC. The Admin Portal would typically
   render these fields read-only.

The detailed scenarios for the operation: *updating a user* (model:
``relation/User``) are:

+---------------+----------------------+-----------------------+-------------+----------------------+--------+
| ``data/User`` | ``device/ldap/User`` | ``device/<APP>/User`` |             |                      | User   |
| exists        | exists               | exists                | Hierarchy   | Action               | Sync   |
|               |                      |                       |             |                      | Source |
+===============+======================+=======================+=============+======================+========+
| Y             |                      |                       | same as     | Update ``data/User`` | LOCAL  |
|               |                      |                       | user        |                      |        |
+---------------+----------------------+-----------------------+-------------+----------------------+--------+
| Y             | Y                    |                       | same as     | Update ``data/User`` | LDAP   |
|               |                      |                       | user or     | Non Mapped Fields    |        |
|               |                      |                       | LDAP user   | only                 |        |
|               |                      |                       |             |                      |        |
|               |                      |                       |             | Update ``data/User`` |        |
|               |                      |                       |             | based on sync source |        |
+---------------+----------------------+-----------------------+-------------+----------------------+--------+
| Y             |                      | Y                     | same as     | Update ``data/User`` | APP    |
|               |                      |                       | user or     |                      | SOURCE |
|               |                      |                       | APP user    | Update App/User      |        |
|               |                      |                       |             | using reverse App    |        |
|               |                      |                       |             | map                  |        |
+---------------+----------------------+-----------------------+-------------+----------------------+--------+
| Y             | Y                    | Y                     | same as     | Update ``data/User`` | LDAP   |
|               |                      |                       | any of      | Non Mapped Fields    |        |
|               |                      |                       | user, APP,  | only                 |        |
|               |                      |                       | LDAP user   |                      |        |
|               |                      |                       |             | Update ``data/User`` |        |
|               |                      |                       |             | based on sync source |        |
|               |                      |                       |             |                      |        |
|               |                      |                       |             | Update App/User      |        |
|               |                      |                       |             | using reverse App    |        |
|               |                      |                       |             | map                  |        |
+---------------+----------------------+-----------------------+-------------+----------------------+--------+
| Y             | Y                    |                       | below user  | Update ``data/User`` | LDAP   |
|               |                      |                       | or LDAP     | Non Mapped Fields    |        |
|               |                      |                       | user        | only                 |        |
|               |                      |                       |             |                      |        |
|               |                      |                       |             | Update ``data/User`` |        |
|               |                      |                       |             | based on sync source |        |
+---------------+----------------------+-----------------------+-------------+----------------------+--------+
| Y             |                      | Y                     | below user  | Error:               | APP    |
|               |                      |                       | or APP user | Create User Log      | SOURCE |
|               |                      |                       |             | entry with message   |        |
|               |                      |                       |             | RBAC issue           |        |
+---------------+----------------------+-----------------------+-------------+----------------------+--------+
| Y             | Y                    | Y                     | below any   | Error:               | LDAP   |
|               |                      |                       | of user,    | Create User Log      |        |
|               |                      |                       | LDAP, APP   | entry with message   |        |
|               |                      |                       | user        | RBAC issue           |        |
+---------------+----------------------+-----------------------+-------------+----------------------+--------+
| Y             | Y                    |                       | above user  | Error:               | LDAP   |
|               |                      |                       | or LDAP     | Create User Log      |        |
|               |                      |                       | user        | entry with message   |        |
+---------------+----------------------+-----------------------+-------------+----------------------+--------+
| Y             |                      | Y                     | above user  | Error:               | APP    |
|               |                      |                       | or APP user | Create User Log      | SOURCE |
|               |                      |                       |             | entry with message   |        |
+---------------+----------------------+-----------------------+-------------+----------------------+--------+
| Y             | Y                    | Y                     | above any   | Error:               | LDAP   |
|               |                      |                       | of user,    | Create User Log      |        |
|               |                      |                       | LDAP, APP   | entry with message   |        |
|               |                      |                       | user        |                      |        |
+---------------+----------------------+-----------------------+-------------+----------------------+--------+

.. _ldap-add-sync-scenarios:

LDAP Add Sync Scenarios
.........................

The table below details data sync sources and update actions when an LDAP
user is added and the *default* Sync Source precedences apply.

The cases are:

* whether or not the user exists on LDAP
* whether or not the user exists on VOSS-4-UC or any application that is a
  sync source

Field sync takes place according to:

* Sync Source precedence - see :ref:`user-sync-source`.
* the User Field Mapping that applies - see :ref:`user-field-mapping`.

.. important::

   Sync Source precedence may override user input. If you update a user
   on VOSS-4-UC:

   * that exists on a sync source
   * has mapped fields
   * has a higher precedence than LOCAL (VOSS-4-UC) data

   then the data of these fields is updated from the sync source and not
   from the user input added in VOSS-4-UC. The Admin Portal would typically
   render these fields read-only.

The detailed scenarios and actions for the operation: *syncing an LDAP user*
(sync source is always LDAP) are:

+---------------+----------------------+-----------------------+--------------+-------------------------+
| ``data/User`` | ``device/ldap/User`` | ``device/<APP>/User`` |              |                         |
| exists        | exists               | exists                | Hierarchy    | Action                  |
+===============+======================+=======================+==============+=========================+
| Y             |                      |                       | same as user | Update ``data/User``    |
+---------------+----------------------+-----------------------+--------------+-------------------------+
|               |                      |                       |              | Create ``data/User``    |
+---------------+----------------------+-----------------------+--------------+-------------------------+
|               | Y                    |                       | same as      | Error                   |
|               |                      |                       | LDAP user    | Create User Log         |
|               |                      |                       |              | entry with message      |
|               |                      |                       |              |                         |
|               |                      |                       |              | Purge current LDAP user |
+---------------+----------------------+-----------------------+--------------+-------------------------+
|               |                      | Y                     | same as      | Create ``data/User``    |
|               |                      |                       | APP user     |                         |
|               |                      |                       |              | Update ``data/User``    |
|               |                      |                       |              | based on sync source    |
|               |                      |                       |              |                         |
|               |                      |                       |              | Update APP data         |
|               |                      |                       |              | based on sync source    |
+---------------+----------------------+-----------------------+--------------+-------------------------+
|               | Y                    | Y                     | same as      | Error                   |
|               |                      |                       | LDAP or APP  | Create User Log         |
|               |                      |                       | user         | entry with message      |
|               |                      |                       |              |                         |
|               |                      |                       |              | Purge current LDAP user |
+---------------+----------------------+-----------------------+--------------+-------------------------+
| Y             |                      |                       | below        | Update ``data/User``    |
|               |                      |                       | user         |                         |
|               |                      |                       |              | Move LDAP user to       |
|               |                      |                       |              | ``data/User`` hierarchy |
+---------------+----------------------+-----------------------+--------------+-------------------------+
|               | Y                    |                       | below LDAP   | Error                   |
|               |                      |                       | user         | Create User Log         |
|               |                      |                       |              | entry with message      |
|               |                      |                       |              |                         |
|               |                      |                       |              | Purge current LDAP user |
+---------------+----------------------+-----------------------+--------------+-------------------------+
|               |                      | Y                     | below APP    | Create ``data/User``    |
|               |                      |                       | user         |                         |
|               |                      |                       |              | Update ``data/User``    |
|               |                      |                       |              | based on sync source    |
|               |                      |                       |              |                         |
|               |                      |                       |              | Update APP data         |
|               |                      |                       |              | based on sync source    |
|               |                      |                       |              |                         |
|               |                      |                       |              | Move ``data/User`` and  |
|               |                      |                       |              | LDAP user to APP        |
|               |                      |                       |              | hierarchy               |
+---------------+----------------------+-----------------------+--------------+-------------------------+
|               | Y                    | Y                     | below LDAP   | Error                   |
|               |                      |                       | or APP user  | Create User Log         |
|               |                      |                       |              | entry with message      |
|               |                      |                       |              |                         |
|               |                      |                       |              | Purge current LDAP user |
+---------------+----------------------+-----------------------+--------------+-------------------------+
| Y             |                      |                       | above        | Error                   |
|               |                      |                       | user         | Create User Log         |
|               |                      |                       |              | entry with message      |
|               |                      |                       |              |                         |
|               |                      |                       |              | Purge current LDAP user |
+---------------+----------------------+-----------------------+--------------+-------------------------+
|               | Y                    |                       | above LDAP   | Error                   |
|               |                      |                       | user         | Create User Log         |
|               |                      |                       |              | entry with message      |
|               |                      |                       |              |                         |
|               |                      |                       |              | Purge current LDAP user |
+---------------+----------------------+-----------------------+--------------+-------------------------+
|               |                      | Y                     | above APP    | Create ``data/User``    |
|               |                      |                       | user         |                         |
|               |                      |                       |              | Update ``data/User``    |
|               |                      |                       |              | based on sync source    |
|               |                      |                       |              |                         |
|               |                      |                       |              | Update APP data         |
|               |                      |                       |              | based on sync source    |
+---------------+----------------------+-----------------------+--------------+-------------------------+
|               | Y                    | Y                     | above LDAP   | Error                   |
|               |                      |                       | or APP user  | Create User Log         |
|               |                      |                       |              | entry with message      |
|               |                      |                       |              |                         |
|               |                      |                       |              | Purge current LDAP user |
+---------------+----------------------+-----------------------+--------------+-------------------------+
| Y             |                      | Y                     | above user   | Create ``data/User``    |
|               |                      |                       | or APP user  |                         |
|               |                      |                       |              | Update ``data/User``    |
|               |                      |                       |              | based on sync source    |
|               |                      |                       |              |                         |
|               |                      |                       |              | Update APP data         |
|               |                      |                       |              | based on sync source    |
+---------------+----------------------+-----------------------+--------------+-------------------------+

.. _ldap-update-delete-sync-scenarios:

LDAP Update and Delete Sync Scenarios
......................................

The table below details data sync sources and update actions when an LDAP
user is added and the *default* Sync Source precedences apply.

The cases are:

* whether or not the user exists on LDAP
* whether or not the user exists on VOSS-4-UC or any application that is a
  sync source

Field sync takes place according to:

* Sync Source precedence - see :ref:`user-sync-source`.
* the User Field Mapping that applies - see :ref:`user-field-mapping`.

.. important::

   Sync Source precedence may override user input. If you update a user
   on VOSS-4-UC:

   * that exists on a sync source
   * has mapped fields
   * has a higher precedence than LOCAL (VOSS-4-UC) data

   then the data of these fields is updated from the sync source and not
   from the user input added in VOSS-4-UC. The Admin Portal would typically
   render these fields read-only.

The detailed scenarios and actions for the operation: *deleting an LDAP
sync* - manually (M) or automatically (A) - are:

+-----------+---------------+----------------------+-----------------------+-------------------------+--------+
|           | ``data/User`` | ``device/ldap/User`` | ``device/<APP>/User`` |                         | User   |
| Operation | exists        | exists               | exists                | Action                  | Sync   |
|           |               |                      |                       |                         | Source |
+===========+===============+======================+=======================+=========================+========+
| LDAP      | Y             | Y                    |                       | Update ``data/User``    | LOCAL  |
| DELETE    |               |                      |                       |                         |        |
| SYNC (M)  |               |                      |                       |                         |        |
+-----------+---------------+----------------------+-----------------------+-------------------------+--------+
| LDAP      |               | Y                    |                       |                         |        |
| DELETE    |               |                      |                       |                         |        |
| SYNC (M)  |               |                      |                       |                         |        |
+-----------+---------------+----------------------+-----------------------+-------------------------+--------+
| LDAP      | Y             | Y                    | Y                     | Update ``data/User``    | LOCAL  |
| DELETE    |               |                      |                       | based on sync source    |        |
| SYNC (M)  |               |                      |                       |                         |        |
|           |               |                      |                       | Update APP data         |        |
|           |               |                      |                       | based on sync source    |        |
|           |               |                      |                       |                         |        |
|           |               |                      |                       | Convert CUCM user       |        |
|           |               |                      |                       | to local user           |        |
+-----------+---------------+----------------------+-----------------------+-------------------------+--------+
| LDAP      | Y             | Y                    |                       | Delete ``data/User``    |        |
| DELETE    |               |                      |                       |                         |        |
| SYNC (A)  |               |                      |                       |                         |        |
+-----------+---------------+----------------------+-----------------------+-------------------------+--------+
| LDAP      |               | Y                    |                       |                         |        |
| DELETE    |               |                      |                       |                         |        |
| SYNC (A)  |               |                      |                       |                         |        |
+-----------+---------------+----------------------+-----------------------+-------------------------+--------+
| LDAP      | Y             | Y                    | Y                     | Delete ``data/User``    |        |
| DELETE    |               |                      |                       | source                  |        |
| SYNC (A)  |               |                      |                       |                         |        |
|           |               |                      |                       | Delete                  |        |
|           |               |                      |                       | ``relation/Subscriber`` |        |
+-----------+---------------+----------------------+-----------------------+-------------------------+--------+

The detailed scenarios and actions for the operation: *updating an LDAP
sync* (sync source is always LDAP) are:

+---------------+----------------------+-----------------------+----------------------+
| ``data/User`` | ``device/ldap/User`` | ``device/<APP>/User`` |                      |
| exists        | exists               | exists                | Action               |
+===============+======================+=======================+======================+
| Y             | Y                    |                       | Update ``data/User`` |
+---------------+----------------------+-----------------------+----------------------+
|               | Y                    |                       | Create ``data/User`` |
+---------------+----------------------+-----------------------+----------------------+
| Y             | Y                    | Y                     | Update ``data/User`` |
|               |                      |                       | based on sync source |
|               |                      |                       |                      |
|               |                      |                       | Update APP data      |
|               |                      |                       | based on sync source |
+---------------+----------------------+-----------------------+----------------------+