.. _allowlists-denylists:

Allowlists and denylists
--------------------------

.. _25.2|EKB-25697:

:bdg-info-line:`sys-admin`


.. tip:: 

   :ref:`use-action-search-to-navigate-automate`


Overview 
..........  

Automate supports allowlists and denylists to specify the parameters whose changes cause the workflows
attached to your data sync to run. These are defined in the system **Global Settings**, which are typically
available to sysadmin users.

Allowlists and denylists specify the fields on the device model that, when they change,
trigger the workflows attached to a sync. An allowlist defines the fields that trigger the workflow
when they change; all other fields are ignored. A denylist defines the fields that are ignored when
they change and so do not trigger the workflow.

.. note:: 

   Allowlists and denylists affect "Update" workflows only, and are used to 
   prevent unnecessary "Update" workflows from triggering on data syncs. 
   
   Workflows for "Add" or "Delete" are triggered regardless of any allowlist or denylist entries. 


If both an allowlist and a denylist are defined for a model, the allowlist takes priority; choose one
approach or the other. Allowlists are recommended, as they are more explicit about which fields
trigger the workflow. Whether or not a workflow runs, the model is updated in Automate, so the changed
field is still pulled in; the change simply does not initiate a workflow to do anything further
(for example, to update ``data/User``).

The system ships with a number of predefined allowlists and denylists, which provide
a starting point for optimized syncs. See the Best Practices Guide for guidance on using the lists for
given technologies and on the default behavior.

Allowlists and denylists are typically used to keep syncs efficient, particularly for high-volume elements
(such as users). A number of fields pulled in from the devices are useful to view but do not require any
specific processing (for instance, last login time). The default lists are therefore based on a typical
setup and provide out-of-the-box optimization. For the most part they do not need to be adjusted, but they
can be if a deployment has a specific need.
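The following Python is an added illustration, not Automate's own code: it models the triggering rules described above (Add and Delete always run; Update runs only for a changed field that the allowlist permits or the denylist does not exclude; the allowlist wins when both exist). The sample list contents are a constructed subset of the defaults on this page, and all function names are assumptions for the example.

```python
# Added example (not Automate's own code): models how allowlist/denylist
# Global Settings decide whether an "Update" workflow fires on a data sync.
from typing import Dict, Iterable, Optional, Set

# Constructed sample settings: a subset of two default lists from this page.
ALLOWLISTS: Dict[str, Set[str]] = {
    "device/cucm/Phone": {"lines", "ownerUserName"},
}
DENYLISTS: Dict[str, Set[str]] = {
    "device/ldap/user": {"logonCount", "lastLogon", "pwdLastSet", "userPassword"},
}


def changed_fields(old: dict, new: dict) -> Set[str]:
    """Fields whose value differs between the previous and the current sync."""
    return {k for k in set(old) | set(new) if old.get(k) != new.get(k)}


def triggering_fields(model_type: str, changed: Iterable[str]) -> Set[str]:
    """Precedence rule: an allowlist defined for the model wins outright;
    otherwise the denylist removes ignored fields; with neither, every change counts."""
    changed = set(changed)
    allow = ALLOWLISTS.get(model_type)
    if allow is not None:  # allowlist defined: only these fields may trigger
        return changed & allow
    return changed - DENYLISTS.get(model_type, set())


def should_run_workflow(model_type: str, event: str,
                        old: Optional[dict], new: Optional[dict]) -> bool:
    """Add and Delete always run; Update runs only if a triggering field changed.
    The model record itself is updated regardless of this decision (not modelled here)."""
    if event in ("Add", "Delete"):
        return True
    if event != "Update":
        raise ValueError(f"unknown sync event: {event}")
    return bool(triggering_fields(model_type, changed_fields(old or {}, new or {})))


if __name__ == "__main__":
    # A login-time-only change on an LDAP user is absorbed by the denylist.
    print(should_run_workflow("device/ldap/user", "Update",
                              {"lastLogon": "1", "mail": "a@x"},
                              {"lastLogon": "2", "mail": "a@x"}))
```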


.. rubric:: Related topics

* 
  .. raw:: latex

     Settings (Data Sync Workflow Execution Control) in the Advanced Configuration Guide.

  .. raw:: html

     <p>See <a href="data-settings.html">Settings (Data Sync Workflow Execution Control)</a></p>

*
  .. raw:: latex
  
     Microsoft syncs in the Best Practices Guide.

  .. raw:: html

     <a href="best-practices/microsoft-syncs.html">Microsoft syncs</a>


Global allowlist and denylist attributes 
...........................................

A ``sysadmin`` user can review the default system-level allowlist and denylist attributes 
currently set up for their environment via the ``data/Settings`` model (**Settings** page). 

.. image:: /src/images/data-sync-workflow-execution-control-attributes.png 

.. note:: 

   Allowlist and denylist attributes for any of these model types may be 
   added or removed in future releases. For example: 

   * At release 20.1.1, or after applying patch EKB-4362-19.2.1_patch, the previously denylisted LDAP 
     attributes were no longer imported during LDAP synchronization:

     Model type: ``device/ldap/user``

     Denylist attributes: 

     * ``logonCount``
     * ``adminCount``
     * ``lastLogonTimestamp``
     * ``whenCreated``
     * ``uSNCreated``
     * ``badPasswordTime``
     * ``pwdLastSet``
     * ``lastLogon``
     * ``whenChanged``
     * ``badPwdCount``
     * ``accountExpires``
     * ``uSNChanged``
     * ``lastLogoff``

   * At 21.4-PB2, the following allowlist model attributes were added:

     Model type: ``device/msteamsonline/CsOnlineUser`` 
     
     Allowlist attributes: 

     * ``UserPrincipalName``
     * ``DisplayName``
     * ``Department``
     * ``City``
     * ``FeatureType``
     * ``EnterpriseVoiceEnabled``
     * ``LineURI``




Default allowlist and denylist attributes 
'''''''''''''''''''''''''''''''''''''''''' 

.. note:: 

   The attributes listed in this section of the guide are correct at the time of writing 
   (for Automate 25.4). 


* ``device/ldap/user``

  * Denylist:

    * ``logonCount``
    * ``adminCount``
    * ``lastLogonTimestamp``
    * ``whenCreated``
    * ``uSNCreated``
    * ``badPasswordTime``
    * ``pwdLastSet``
    * ``lastLogon``
    * ``whenChanged``
    * ``badPwdCount``
    * ``accountExpires``
    * ``uSNChanged``
    * ``lastLogoff``
    * ``userPassword``


* ``device/cucm/User``

  * Denylist:

    * ``primaryDevice``
    * ``attendeesAccessCode``
    * ``displayName``
    * ``enableUserToHostConferenceNow``
    * ``pinCredentials``
    * ``passwordCredentials``
    * ``associatedRemoteDestinationProfiles``


* ``device/cucm/Phone``

  * Allowlist:

    * ``lines``
    * ``ownerUserName``


* ``device/ldap/inetOrgPerson``

  * Denylist:

    * ``userPassword``


* ``device/ldap/userProxy``

  * Denylist:

    * ``accountExpires``
    * ``adminCount``
    * ``badPasswordTime``
    * ``badPwdCount``
    * ``bind_dn``
    * ``dSCorePropagationData``
    * ``distinguishedName``
    * ``employeeID``
    * ``homeMDB``
    * ``instanceType``
    * ``lastLogon``
    * ``lastLogoff``
    * ``lastLogonTimestamp``
    * ``legacyExchangeDN``
    * ``logonCount``
    * ``mDBUseDefaults``
    * ``mailNickname``
    * ``manager``
    * ``msExchArchiveQuota``
    * ``msExchArchiveWarnQuota``
    * ``msExchBlockedSendersHash``
    * ``msExchCalendarLoggingQuota``
    * ``msExchDumpsterQuota``
    * ``msExchDumpsterWarningQuota``
    * ``msExchELCMailboxFlags``
    * ``msExchHomeServerName``
    * ``msExchMailboxGuid``
    * ``msExchMailboxSecurityDescriptor``
    * ``msExchMobileAllowedDeviceIDs``
    * ``msExchMobileBlockedDeviceIDs``
    * ``msExchMobileMailboxFlags``
    * ``msExchPoliciesIncluded``
    * ``msExchRBACPolicyLink``
    * ``msExchRecipientDisplayType``
    * ``msExchRecipientTypeDetails``
    * ``msExchSafeSendersHash``
    * ``msExchTextMessagingState``
    * ``msExchUMDtmfMap``
    * ``msExchUserAccountControl``
    * ``msExchVersion``
    * ``msExchWhenMailboxCreated``
    * ``objectCategory``
    * ``objectClass``
    * ``objectGUID``
    * ``objectSid``
    * ``physicalDeliveryOfficeName``
    * ``primaryGroupID``
    * ``protocolSettings``
    * ``proxyAddresses``
    * ``pwdLastSet``
    * ``sAMAccountType``
    * ``showInAddressBook``
    * ``textEncodedORAddress``
    * ``uSNChanged``
    * ``uSNCreated``
    * ``userAccountControl``
    * ``whenChanged``
    * ``whenCreated``
    * ``userPassword``


* ``device/msgraph/MsolUser``

  * Allowlist:

    * ``UserPrincipalName``
    * ``Title``
    * ``PhoneNumber``
    * ``StreetAddress``
    * ``State``
    * ``PostalCode``
    * ``Office``
    * ``MobilePhone``
    * ``LastName``
    * ``FirstName``
    * ``DisplayName``
    * ``Department``
    * ``Country``
    * ``City``
    * ``PrimarySmtpAddress``


* ``device/msteamsonline/CsOnlineUser``

  * Allowlist:

    * ``UserPrincipalName``
    * ``LineURI``


* ``device/spark/User``

  * Allowlist:

    * ``department``
    * ``email``
    * ``firstName``
    * ``lastName``
    * ``locationId``
    * ``manager``
    * ``phoneNumbers``
    * ``title``

