Data Sync Allow list and Deny list#
sys-admin
Administrators with permissions to access the Global instance of the settings in
the data/Settings model (sysadmin), can create lists of device attributes
affected by data sync under the Data Sync Workflow Execution Control section:
Allowlist Attributes
When this list contains a field, then only a change in that field and not any other field will trigger data sync workflows, regardless of the list of the Denylist Attributes. In other words, this list takes precedence over the existing list of Denylist Attributes.
Refer to the allow lists below.
Denylist Attributes
Items in this list will not trigger any update workflows that may have been defined to execute during the data sync. These attributes are therefore excluded from data sync considerations.
The reason for this list of attributes is that while data sync operations can have a performance impact, some data sync attribute changes do not require data sync workflows to be carried out.
Note however that the local device cache will still be updated with the updated attribute data. No update workflows will be run, though. The transaction logs will indicate the updated device cache, but the transactions for these attributes instances will show as:
"Device changes on denylisted attributes only. Updating cache, skipping workflows."Note
After release 20.1.1 or applying patch
EKB-4362-19.2.1_patch, the previously denylisted LDAP attributes are no longer imported during LDAP synchronization:For
device/ldap/user:logonCountadminCountlastLogonTimestampwhenCreateduSNCreatedbadPasswordTimepwdLastSetlastLogonwhenChangedbadPwdCountaccountExpiresuSNChangedlastLogofflastLogoff
Refer to the deny lists below.
From release 21.4-PB2, the following allowlist model attributes have been added:
Allowlist device/msteamsonline/CsOnlineUser#
For
device/msteamsonline/CsOnlineUser:UserPrincipalNameDisplayNameDepartmentCityFeatureTypeEnterpriseVoiceEnabledLineURI
Allowlist device/msgraph/MsolUser#
For
device/msgraph/MsolUser:UserPrincipalNameFirstNameLastNameDepartmentOfficeCity
A number of denylist attributes have been added by default:
Denylist device/ldap/user#
For
device/ldap/user:logonCountadminCountlastLogonTimestampwhenCreateduSNCreatedbadPasswordTimepwdLastSetlastLogonwhenChangedbadPwdCountaccountExpiresuSNChangedlastLogoffuserPassword
Denylist device/cucm/User#
For
device/cucm/User:statusprimaryDeviceattendeesAccessCodedisplayNameenableUserToHostConferenceNowpinCredentialspasswordCredentialsassociatedRemoteDestinationProfiles
Denylist device/cucm/Phone#
For
device/cucm/Phone:keyOrderelinGroupecKeySize
Denylist device/ldap/userProxy#
For
device/ldap/userProxy:accountExpiresadminCountbadPasswordTimebadPwdCountbind_dndSCorePropagationDatadistinguishedNameemployeeIDhomeMDBinstanceTypelastLogonlastLogofflastLogonTimestamplegacyExchangeDNlogonCountmDBUseDefaultsmailNicknamemanagermsExchArchiveQuotamsExchArchiveWarnQuotamsExchBlockedSendersHashmsExchCalendarLoggingQuotamsExchDumpsterQuotamsExchDumpsterWarningQuotamsExchELCMailboxFlagsmsExchHomeServerNamemsExchMailboxGuidmsExchMailboxSecurityDescriptormsExchMobileAllowedDeviceIDsmsExchMobileBlockedDeviceIDsmsExchMobileMailboxFlagsmsExchPoliciesIncludedmsExchRBACPolicyLinkmsExchRecipientDisplayTypemsExchRecipientTypeDetailsmsExchSafeSendersHashmsExchTextMessagingStatemsExchUMDtmfMapmsExchUserAccountControlmsExchVersionmsExchWhenMailboxCreatedobjectCategoryobjectClassobjectGUIDobjectSidphysicalDeliveryOfficeNameprimaryGroupIDprotocolSettingsproxyAddressespwdLastSetsAMAccountTypeshowInAddressBooktextEncodedORAddressuSNChangeduSNCreateduserAccountControlwhenChangedwhenCreateduserPassword
Related Topics