.. _user-management-scenarios:

.. rst-class:: chapter-with-expand

User Management Scenarios
--------------------------

.. _20.1.1|VOSS-551:

This section provides details on the actions that are carried out when a user is managed, given the absence or presence of the same user in VOSS Automate, applications or LDAP.

.. _add-user-sync-scenarios:

Add User Sync Scenarios
.......................

The table below details add and update scenarios when a user is added that may exist on VOSS Automate, applications or LDAP and the *default* Sync Source precedences apply.

The cases are:

* the user either exists or does not exist on LDAP
* the user either exists or does not exist on any application that is a sync source (APP SOURCE)

Field sync takes place according to:

* Sync Source precedence - see :ref:`user-sync-source`.
* the User Field Mapping that applies - see :ref:`user-field-mapping`.

.. important::

   Sync Source precedence may override user input. If you update a user on VOSS Automate that:

   * exists on a sync source
   * has mapped fields
   * has a higher precedence than LOCAL (VOSS Automate) data

   the data of these fields will be updated from the sync source and not from the user input added in VOSS Automate. The Admin Portal would typically render these fields read-only.
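The following Python sketch is an added illustration of the precedence rule in the note above and of the add-user rows in the table that follows; it is example code, not VOSS Automate's own implementation. It assumes the default precedence that the scenario tables show (LDAP before an application sync source before LOCAL), uses hypothetical field mappings (``givenName``, ``sn``, ``mail`` for LDAP and ``firstName``, ``lastName``, ``mailid`` for the application), and represents the hierarchy at which the new ``data/User`` is created, relative to the sync-source user's hierarchy, as one of ``same``, ``below`` or ``above``.

```python
"""Added illustration of VOSS Automate's default Sync Source precedence and
the add-user hierarchy rules described on this page. This is example code,
not VOSS Automate's own implementation.

Assumptions (not stated on the page, chosen for the illustration):
  * FIELD_MAP names are hypothetical stand-ins for the User Field Mapping
  * `relation` is the hierarchy at which the new data/User is created,
    relative to the sync-source user's hierarchy: 'same', 'below' or 'above'
"""

# Default precedence, highest first, as the scenario tables show it:
# LDAP wins over an application sync source, which wins over LOCAL input.
DEFAULT_PRECEDENCE = ("LDAP", "APP SOURCE", "LOCAL")

# Hypothetical mapping: data/User field -> attribute name on the sync source.
# Only fields listed here are ever overwritten from the sync source.
FIELD_MAP = {
    "LDAP": {"first_name": "givenName", "last_name": "sn", "email": "mail"},
    "APP SOURCE": {"first_name": "firstName", "last_name": "lastName",
                   "email": "mailid"},
}


def resolve_sync_source(exists_ldap, exists_app, precedence=DEFAULT_PRECEDENCE):
    """Return the sync source that owns the mapped fields for this user."""
    present = {"LDAP": exists_ldap, "APP SOURCE": exists_app, "LOCAL": True}
    return next(src for src in precedence if present[src])


def merge_user_fields(local_input, ldap_user=None, app_user=None,
                      precedence=DEFAULT_PRECEDENCE):
    """Build the data/User field set and report which source won.

    Mapped fields are taken from the highest-precedence source that has the
    user; non-mapped fields keep the locally entered value. This is the
    override described in the note on Sync Source precedence.
    """
    source = resolve_sync_source(ldap_user is not None, app_user is not None,
                                 precedence)
    merged = dict(local_input)
    if source == "LOCAL":
        return source, merged
    record = ldap_user if source == "LDAP" else app_user
    for field, attr in FIELD_MAP[source].items():
        if attr in record:
            merged[field] = record[attr]  # sync source overrides user input
    return source, merged


def add_user_action(exists_local, exists_ldap, exists_app, relation):
    """Encode the add-user rows: return (actions, sync_source) or raise.

    - data/User already exists               -> error "user exists"
    - no sync source has the user            -> create locally (LOCAL)
    - target above the sync-source user      -> error, User Log entry
    - target at the sync-source user's level -> create + update from source
    - target below the sync-source user      -> as above, then move it down
    """
    if exists_local:
        raise ValueError("user exists")
    source = resolve_sync_source(exists_ldap, exists_app)
    if source == "LOCAL":
        return ["Create data/User"], source
    if relation == "above":
        raise PermissionError("Create User Log entry with message")
    actions = ["Create data/User", "Update data/User based on sync source"]
    if relation == "below":
        moved = "LDAP user" if source == "LDAP" else "App user"
        actions.append(f"Move {moved} to data/User hierarchy")
    return actions, source


if __name__ == "__main__":
    # Constructed sample: the operator typed a first name, but LDAP owns it.
    src, user = merge_user_fields(
        {"first_name": "Alis", "email": "a@example.com", "department": "Sales"},
        ldap_user={"givenName": "Alice", "sn": "Smith", "mail": "alice@example.com"},
        app_user={"firstName": "Ally"},
    )
    print(src, user)
    print(add_user_action(False, True, True, "below"))
```

Note that ``merge_user_fields`` only overwrites fields present in the mapping: a field such as ``department`` that is not mapped keeps the locally entered value, which is the behaviour the note describes, while a mapped field the operator typed (``first_name``) is replaced by the LDAP value even though the application source also holds a value for it.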
The detailed scenarios for the operation *adding a user* (model: ``relation/User``) are:

.. list-table::
   :header-rows: 1
   :widths: 10 12 12 14 34 10

   * - ``data/User`` exists
     - ``device/ldap/User`` exists
     - ``device//User`` exists
     - Hierarchy
     - Action
     - User Sync Source
   * - Y
     -
     -
     - same as user
     - Error: user exists
     -
   * -
     -
     -
     - current
     - Create ``data/User``
     - LOCAL
   * -
     - Y
     -
     - same as LDAP user
     - Create ``data/User``, Update ``data/User`` based on sync source
     - LDAP
   * -
     -
     - Y
     - same as APP user
     - Create ``data/User``, Update ``data/User`` based on sync source
     - APP SOURCE
   * -
     - Y
     - Y
     - same as APP user
     - Create ``data/User``, Update ``data/User`` based on sync source
     - LDAP
   * -
     - Y
     -
     - below LDAP user hierarchy
     - Create ``data/User``, Update ``data/User`` based on sync source, Move LDAP user to ``data/User`` hierarchy
     - LDAP
   * -
     -
     - Y
     - below APP user hierarchy
     - Create ``data/User``, Update ``data/User`` based on sync source, Move App user to ``data/User`` hierarchy
     - APP SOURCE
   * -
     - Y
     - Y
     - below APP user hierarchy
     - Create ``data/User``, Update ``data/User`` based on sync source, Move LDAP user to ``data/User`` hierarchy
     - LDAP
   * -
     - Y
     -
     - above LDAP user hierarchy
     - Error: Create User Log entry with message
     - LDAP
   * -
     -
     - Y
     - above APP user hierarchy
     - Error: Create User Log entry with message
     - APP SOURCE
   * -
     - Y
     - Y
     - above APP user hierarchy
     - Error: Create User Log entry with message
     - LDAP

.. _update-user-sync-scenarios:

Update User Sync Scenarios
..........................

The table below details data sync sources and update actions when a user is updated and the *default* Sync Source precedences apply.
The cases are:

* the user either exists or does not exist on LDAP
* the user either exists or does not exist on any application that is a sync source

Field sync takes place according to:

* Sync Source precedence - see :ref:`user-sync-source`.
* the User Field Mapping that applies - see :ref:`user-field-mapping`.

.. important::

   Sync Source precedence may override user input. If you update a user on VOSS Automate that:

   * exists on a sync source
   * has mapped fields
   * has a higher precedence than LOCAL (VOSS Automate) data

   the data of these fields will be updated from the sync source and not from the user input added in VOSS Automate. The Admin Portal would typically render these fields read-only.

The detailed scenarios for the operation *updating a user* (model: ``relation/User``) are:

.. list-table::
   :header-rows: 1
   :widths: 10 12 12 16 32 10

   * - ``data/User`` exists
     - ``device/ldap/User`` exists
     - ``device//User`` exists
     - Hierarchy
     - Action
     - User Sync Source
   * - Y
     -
     -
     - same as user
     - Update ``data/User``
     - LOCAL
   * - Y
     - Y
     -
     - same as user or LDAP user
     - Update ``data/User`` non-mapped fields only.

       Update ``data/User`` based on sync source.
     - LDAP
   * - Y
     -
     - Y
     - same as user or APP user
     - Update ``data/User``.

       Update App/User using reverse App map.
     - APP SOURCE
   * - Y
     - Y
     - Y
     - same as any of user, APP user, LDAP user
     - Update ``data/User`` non-mapped fields only.

       Update ``data/User`` based on sync source.

       Update App/User using reverse App map.
     - LDAP
   * - Y
     - Y
     -
     - below user or LDAP user
     - Update ``data/User`` non-mapped fields only.

       Update ``data/User`` based on sync source.
     - LDAP
   * - Y
     -
     - Y
     - below user or APP user
     - Error: Create User Log entry with message (RBAC issue)
     - APP SOURCE
   * - Y
     - Y
     - Y
     - below any of user, LDAP user, APP user
     - Error: Create User Log entry with message (RBAC issue)
     - LDAP
   * - Y
     - Y
     -
     - above user or LDAP user
     - Error: Create User Log entry with message
     - LDAP
   * - Y
     -
     - Y
     - above user or APP user
     - Error: Create User Log entry with message
     - APP SOURCE
   * - Y
     - Y
     - Y
     - above any of user, LDAP user, APP user
     - Error: Create User Log entry with message
     - LDAP

.. _ldap-add-sync-scenarios:

LDAP Add Sync Scenarios
.......................

The table below details data sync sources and update actions when an LDAP user is added and the *default* Sync Source precedences apply.

The cases are:

* the user either exists or does not exist on LDAP
* the user either exists or does not exist on VOSS Automate or any application that is a sync source

Field sync takes place according to:

* Sync Source precedence - see :ref:`user-sync-source`.
* the User Field Mapping that applies - see :ref:`user-field-mapping`.

.. important::

   Sync Source precedence may override user input. If you update a user on VOSS Automate that:

   * exists on a sync source
   * has mapped fields
   * has a higher precedence than LOCAL (VOSS Automate) data

   the data of these fields will be updated from the sync source and not from the user input added in VOSS Automate. The Admin Portal would typically render these fields read-only.
The detailed scenarios and actions for the operation *syncing an LDAP user* (sync source is always LDAP) are:

.. list-table::
   :header-rows: 1
   :widths: 10 12 12 16 40

   * - ``data/User`` exists
     - ``device/ldap/User`` exists
     - ``device//User`` exists
     - Hierarchy
     - Action
   * - Y
     -
     -
     - same as user
     - Update ``data/User``
   * -
     -
     -
     -
     - Create ``data/User``
   * -
     - Y
     -
     - same as LDAP user
     - Error: Create User Log entry with message.

       Purge current LDAP user.
   * -
     -
     - Y
     - same as APP user
     - Create ``data/User``.

       Update ``data/User`` based on sync source.

       Update APP data based on sync source.
   * -
     - Y
     - Y
     - same as LDAP or APP user
     - Error: Create User Log entry with message.

       Purge current LDAP user.
   * - Y
     -
     -
     - below user
     - Update ``data/User``.

       Move LDAP user to ``data/User`` hierarchy.
   * -
     - Y
     -
     - below LDAP user
     - Error: Create User Log entry with message.

       Purge current LDAP user.
   * -
     -
     - Y
     - below APP user
     - Create ``data/User``.

       Update ``data/User`` based on sync source.

       Update APP data based on sync source.

       Move ``data/User`` and LDAP user to APP hierarchy.
   * -
     - Y
     - Y
     - below LDAP or APP user
     - Error: Create User Log entry with message.

       Purge current LDAP user.
   * - Y
     -
     -
     - above user
     - Error: Create User Log entry with message.

       Purge current LDAP user.
   * -
     - Y
     -
     - above LDAP user
     - Error: Create User Log entry with message.

       Purge current LDAP user.
   * -
     -
     - Y
     - above APP user
     - Create ``data/User``.

       Update ``data/User`` based on sync source.

       Update APP data based on sync source.
   * -
     - Y
     - Y
     - above LDAP or APP user
     - Error: Create User Log entry with message.

       Purge current LDAP user.
   * - Y
     -
     - Y
     - above user or APP user
     - Create ``data/User``.

       Update ``data/User`` based on sync source.

       Update APP data based on sync source.

.. _ldap-update-delete-sync-scenarios:

LDAP Update and Delete Sync Scenarios
.....................................

The table below details data sync sources and update actions when an LDAP user is updated or deleted and the *default* Sync Source precedences apply.

The cases are:

* the user either exists or does not exist on LDAP
* the user either exists or does not exist on VOSS Automate or any application that is a sync source

Field sync takes place according to:

* Sync Source precedence - see :ref:`user-sync-source`.
* the User Field Mapping that applies - see :ref:`user-field-mapping`.

.. important::

   Sync Source precedence may override user input. If you update a user on VOSS Automate that:

   * exists on a sync source
   * has mapped fields
   * has a higher precedence than LOCAL (VOSS Automate) data

   the data of these fields will be updated from the sync source and not from the user input added in VOSS Automate. The Admin Portal would typically render these fields read-only.
The detailed scenarios and actions for the operation *deleting an LDAP sync*, manually (M) or automatically (A), are:

.. list-table::
   :header-rows: 1
   :widths: 12 10 12 12 34 10

   * - Operation
     - ``data/User`` exists
     - ``device/ldap/User`` exists
     - ``device//User`` exists
     - Action
     - User Sync Source
   * - LDAP DELETE SYNC (M)
     - Y
     - Y
     -
     - Update ``data/User``
     - LOCAL
   * - LDAP DELETE SYNC (M)
     -
     - Y
     -
     -
     -
   * - LDAP DELETE SYNC (M)
     - Y
     - Y
     - Y
     - Update ``data/User`` based on sync source.

       Update APP data based on sync source.

       Convert CUCM user to local user.
     - LOCAL
   * - LDAP DELETE SYNC (A)
     - Y
     - Y
     -
     - Delete ``data/User``
     -
   * - LDAP DELETE SYNC (A)
     -
     - Y
     -
     -
     -
   * - LDAP DELETE SYNC (A)
     - Y
     - Y
     - Y
     - Delete ``data/User``.

       Delete ``relation/Subscriber``.
     -

The detailed scenarios and actions for the operation *updating an LDAP sync* (sync source is always LDAP) are:

.. list-table::
   :header-rows: 1
   :widths: 12 14 14 40

   * - ``data/User`` exists
     - ``device/ldap/User`` exists
     - ``device//User`` exists
     - Action
   * - Y
     - Y
     -
     - Update ``data/User``
   * -
     - Y
     -
     - Create ``data/User``
   * - Y
     - Y
     - Y
     - Update ``data/User`` based on sync source.

       Update APP data based on sync source.