Data Sync Allow list and Deny list#
sys-admin
Administrators with permissions to access the Global instance of the settings in
the data/Settings
model (sysadmin), can create lists of device attributes
affected by data sync under the Data Sync Workflow Execution Control section:
Allowlist Attributes
When this list contains a field, then only a change in that field and not any other field will trigger data sync workflows, regardless of the list of the Denylist Attributes. In other words, this list takes precedence over the existing list of Denylist Attributes.
Refer to the allow lists below.
Denylist Attributes
Items in this list will not trigger any update workflows that may have been defined to execute during the data sync. These attributes are therefore excluded from data sync considerations.
The reason for this list of attributes is that while data sync operations can have a performance impact, some data sync attribute changes do not require data sync workflows to be carried out.
Note however that the local device cache will still be updated with the updated attribute data. No update workflows will be run, though. The transaction logs will indicate the updated device cache, but the transactions for these attributes instances will show as:
"Device changes on denylisted attributes only. Updating cache, skipping workflows."
Note
After release 20.1.1 or applying patch
EKB-4362-19.2.1_patch
, the previously denylisted LDAP attributes are no longer imported during LDAP synchronization:For
device/ldap/user
:logonCount
adminCount
lastLogonTimestamp
whenCreated
uSNCreated
badPasswordTime
pwdLastSet
lastLogon
whenChanged
badPwdCount
accountExpires
uSNChanged
lastLogofflastLogoff
Refer to the deny lists below.
From release 24.1, the following allowlist model attributes have been added and the previous denylist has been removed:
Allowlist device/cucm/Phone
#
For
device/cucm/Phone
:lines
ownerUserName
From release 21.4-PB2, the following allowlist model attributes have been added:
Allowlist device/msteamsonline/CsOnlineUser
#
For
device/msteamsonline/CsOnlineUser
:UserPrincipalName
DisplayName
Department
City
FeatureType
EnterpriseVoiceEnabled
LineURI
Allowlist device/msgraph/MsolUser
#
For
device/msgraph/MsolUser
:UserPrincipalName
FirstName
LastName
Department
Office
City
A number of denylist attributes have been added by default:
Denylist device/ldap/user
#
For
device/ldap/user
:logonCount
adminCount
lastLogonTimestamp
whenCreated
uSNCreated
badPasswordTime
pwdLastSet
lastLogon
whenChanged
badPwdCount
accountExpires
uSNChanged
lastLogoff
userPassword
Denylist device/cucm/User
#
For
device/cucm/User
:status
primaryDevice
attendeesAccessCode
displayName
enableUserToHostConferenceNow
pinCredentials
passwordCredentials
associatedRemoteDestinationProfiles
Denylist device/ldap/userProxy
#
For
device/ldap/userProxy
:accountExpires
adminCount
badPasswordTime
badPwdCount
bind_dn
dSCorePropagationData
distinguishedName
employeeID
homeMDB
instanceType
lastLogon
lastLogoff
lastLogonTimestamp
legacyExchangeDN
logonCount
mDBUseDefaults
mailNickname
manager
msExchArchiveQuota
msExchArchiveWarnQuota
msExchBlockedSendersHash
msExchCalendarLoggingQuota
msExchDumpsterQuota
msExchDumpsterWarningQuota
msExchELCMailboxFlags
msExchHomeServerName
msExchMailboxGuid
msExchMailboxSecurityDescriptor
msExchMobileAllowedDeviceIDs
msExchMobileBlockedDeviceIDs
msExchMobileMailboxFlags
msExchPoliciesIncluded
msExchRBACPolicyLink
msExchRecipientDisplayType
msExchRecipientTypeDetails
msExchSafeSendersHash
msExchTextMessagingState
msExchUMDtmfMap
msExchUserAccountControl
msExchVersion
msExchWhenMailboxCreated
objectCategory
objectClass
objectGUID
objectSid
physicalDeliveryOfficeName
primaryGroupID
protocolSettings
proxyAddresses
pwdLastSet
sAMAccountType
showInAddressBook
textEncodedORAddress
uSNChanged
uSNCreated
userAccountControl
whenChanged
whenCreated
userPassword
Related Topics