Allowlists and Denylists#

sys-admin

Overview#

VOSS Automate supports allowlists and denylists to specify parameters that cause the workflows attached to your data sync to run. These are defined via the system Global Settings; typically available to sysadmin users in the system.

Allowlists and denylists specify the fields on the device model that trigger workflows attached to a sync, when they change. The allowlist defines the fields that will trigger the workflow when they change, while all other fields are ignored. The denylist indicates the fields that will be ignored if they change, and won’t trigger the workflow.

Note

Allowlists and denylists affect “Update” workflows only, and are used to prevent unnecessary “Update” workflows from triggering on data syncs.

Workflows for “Add” or “Delete” are triggered regardless of any allowlist or denylist entries.

The allowlist takes priority over the denylist if both are defined for the model; thus, choose one approach or the other. The recommendation is to use allowlists, as these are more explicit regarding the fields that will trigger the change. Regardless if a workflow is running or not, the model is updated in Automate, so the changed field is pulled in - it just will not initiate a workflow to do anything further (e.g update data/User).

The system ships with a number of predefined allowlists and denylists, which provide a starting point for optimized syncs. See the Best Practices Guide for more guidance on using the lists for given technologies and the default behavior.

Allowlists and denylists are typically used to keep syncs efficient, particularly for high volume elements (such as users). There are a number of fields pulled in from the devices that are useful to view, but do not require any specific processing (for instance fields like last login time, etc). So the default lists are based on a typical setup and help provide out-of-the-box optimization. For the most part, these will not need to be adjusted, but can be if required to meet a specific need in a deployment.

Global Allowlist and Denylist Attributes#

A sysadmin user can review the default system-level allowlist and denylist attributes currently set up for their environment via the data/Settings model (default menus, Administration Tools > Settings).

../../_images/data-sync-workflow-execution-control-attributes.png

Note

Allowlist and denylist attributes for any of these model types may be added or removed in future releases. For example:

At release 20.1.1, or after applying patch EKB-4362-19.2.1_patch, the previously denylisted LDAP attributes were no longer imported during LDAP synchronization:

Model type: device/ldap/user

Denylist attributes:
- logonCount
- adminCount
- lastLogonTimestamp
- whenCreated
- uSNCreated
- badPasswordTime
- pwdLastSet
- lastLogon
- whenChanged
- badPwdCount
- accountExpires
- uSNChanged
- lastLogofflastLogoff
At 21.4-PB2, the following allowlist model attributes were added:

Model type: device/msteamsonline/CsOnlineUser

Allowlist attributes:
- UserPrincipalName
- DisplayName
- Department
- City
- FeatureType
- EnterpriseVoiceEnabled
- LineURI

Default Allowlist and Denylist Attributes#

Note

The attributes listed in this section of the guide are correct at the time of writing (for Automate 24.1-PB2).

device/ldap/user
- Denylist:
  - logonCount
  - adminCount
  - lastLogonTimestamp
  - whenCreated
  - uSNCreated
  - badPasswordTime
  - pwdLastSet
  - lastLogon
  - whenChanged
  - badPwdCount
  - accountExpires
  - uSNChanged
  - lastLogoff
  - userPassword
device/cucm/User
- Denylist:
  - status
  - primaryDevice
  - attendeesAccessCode
  - displayName
  - enableUserToHostConferenceNow
  - pinCredentials
  - passwordCredentials
  - associatedRemoteDestinationProfiles
device/cucm/Phone
- Allowlist:
  - lines
  - ownerUserName
device/ldap/inetOrgPerson
- Denylist:
  - userPassword
device/ldap/userProxy
- Denylist:
  - accountExpires
  - adminCount
  - badPasswordTime
  - badPwdCount
  - bind_dn
  - dSCorePropagationData
  - distinguishedName
  - employeeID
  - homeMDB
  - instanceType
  - lastLogon
  - lastLogoff
  - lastLogonTimestamp
  - legacyExchangeDN
  - logonCount
  - mDBUseDefaults
  - mailNickname
  - manager
  - msExchArchiveQuota
  - msExchArchiveWarnQuota
  - msExchBlockedSendersHash
  - msExchCalendarLoggingQuota
  - msExchDumpsterQuota
  - msExchDumpsterWarningQuota
  - msExchELCMailboxFlags
  - msExchHomeServerName
  - msExchMailboxGuid
  - msExchMailboxSecurityDescriptor
  - msExchMobileAllowedDeviceIDs
  - msExchMobileBlockedDeviceIDs
  - msExchMobileMailboxFlags
  - msExchPoliciesIncluded
  - msExchRBACPolicyLink
  - msExchRecipientDisplayType
  - msExchRecipientTypeDetails
  - msExchSafeSendersHash
  - msExchTextMessagingState
  - msExchUMDtmfMap
  - msExchUserAccountControl
  - msExchVersion
  - msExchWhenMailboxCreated
  - objectCategory
  - objectClass
  - objectGUID
  - objectSid
  - physicalDeliveryOfficeName
  - primaryGroupID
  - protocolSettings
  - proxyAddresses
  - pwdLastSet
  - sAMAccountType
  - showInAddressBook
  - textEncodedORAddress
  - uSNChanged
  - uSNCreated
  - userAccountControl
  - whenChanged
  - whenCreated
  - userPassword
device/msgraph/MsolUser
- Allowlist:
  - UserPrincipalName
  - Title
  - PhoneNumber
  - StreetAddress
  - State
  - PostalCode
  - Office
  - MobilePhone
  - LastName
  - FirstName
  - DisplayName
  - Department
  - Country
  - City
device/msteamsonline/CsOnlineUser
- Allowlist:
  - UserPrincipalName
  - LineURI
device/spark/User
- Allowlist:
  - department
  - email
  - firstName
  - lastName
  - locationId
  - manager
  - phoneNumbers
  - title

Allowlists and Denylists

On this page

Allowlists and Denylists#

Overview#

Global Allowlist and Denylist Attributes#

Default Allowlist and Denylist Attributes#