.. _subscriber-and-user-synchronization:

Introduction to user syncs
-----------------------------------

.. _25.4|EKB-27139:


Overview 
..........

Users pushed to Cisco Unified Communications Manager (Cisco UCM) are
synced between Automate and Cisco UCM. Adding, updating, or deleting a user in one place is
automatically reflected in the other.



Users and default entitlement profiles
..............................................

New users added to Automate using user management functionality are checked for
entitlement against the nearest default entitlement profile, located above the
site where you're adding the user. 

If no default entitlement profile exists, no restrictions apply to this user. If 
a default entitlement profile is found, and the user you're adding 
has devices or services to which this user is not entitled (based
on the default entitlement profile), the user add will fail.
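The check described above, sketched as an added example (a model for illustration, not Automate's own code). The dotted hierarchy paths, profile names and service names are constructed, and the search is assumed to start at the node directly above the site. The audit helper lists sites where a user add is unrestricted because no default profile exists above them.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class EntitlementProfile:
    name: str
    allowed: frozenset  # device types and services the profile permits


# Constructed sample data: default entitlement profile per hierarchy node.
DEFAULT_PROFILES = {
    "sys.prov": EntitlementProfile(
        "prov-default", frozenset({"phone", "voicemail", "webex"})),
    "sys.prov.custA": EntitlementProfile(
        "custA-default", frozenset({"phone", "voicemail"})),
}


def ancestors(node):
    """Yield the hierarchy nodes above `node`, nearest first."""
    parts = node.split(".")
    for i in range(len(parts) - 1, 0, -1):
        yield ".".join(parts[:i])


def nearest_default_profile(site, profiles):
    """Return (node, profile) for the nearest default profile above `site`."""
    for node in ancestors(site):
        if node in profiles:
            return node, profiles[node]
    return None


def check_user_add(site, requested, profiles):
    """Return (allowed, reason) for adding a user with `requested` items."""
    found = nearest_default_profile(site, profiles)
    if found is None:
        # No default profile anywhere above the site: no restrictions apply.
        return True, "no default entitlement profile above site: unrestricted"
    node, profile = found
    denied = sorted(set(requested) - profile.allowed)
    if denied:
        return False, f"not entitled by {profile.name} at {node}: {', '.join(denied)}"
    return True, f"entitled by {profile.name} at {node}"


def unrestricted_sites(sites, profiles):
    """Audit helper: sites where a user add is checked against no profile."""
    return [s for s in sites if nearest_default_profile(s, profiles) is None]


if __name__ == "__main__":
    sites = ["sys.prov.custA.site1", "sys.prov.custB.site2", "sys.other.custC.site3"]
    for site in sites:
        print(site, check_user_add(site, ["phone", "webex"], DEFAULT_PROFILES))
    print("unrestricted:", unrestricted_sites(sites, DEFAULT_PROFILES))
```

The nearest profile wins: ``site1`` is refused ``webex`` by the customer-level profile even though the provider-level profile above it would allow it.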


.. _user-management-scenarios:

User management scenarios
..........................

.. _20.1.1|VOSS-551:

This section details the actions that are carried out when a user is
managed, depending on whether the same user is absent or present in Automate,
applications, or LDAP.


.. _add-user-sync-scenarios:

Add user sync scenarios
''''''''''''''''''''''''

The table below details the add and update scenarios that apply when you add a
user who may already exist on Automate, on applications, or on LDAP, and the
*default* Sync Source precedences apply. The cases are:

*  whether or not the user exists on LDAP
*  whether or not the user exists on any application that is a sync source (APP SOURCE)

Field sync takes place according to:

* Sync Source - see :ref:`user-sync-source`.
* The User Field Mapping that applies - see: :ref:`user-field-mapping`.


.. important::
   Sync Source precedence may override user input.
   If you update a user on Automate and all of the following apply:

   * the user exists on a sync source
   * the user has mapped fields
   * the sync source has a higher precedence than LOCAL (Automate) data

   then the data of these fields is updated from the sync source and not from
   the user input added in Automate. The Admin Portal would typically render
   these fields read-only.
   

The detailed scenarios for the operation: *adding a user* (model: ``relation/User``) are:

+---------------+----------------------+-----------------------+-----------+-------------------------+--------+
| ``data/User`` | ``device/ldap/User`` | ``device/<APP>/User`` |           |                         | User   |
| exists        | exists               | exists                | Hierarchy | Action                  | Sync   |
|               |                      |                       |           |                         | Source |
+===============+======================+=======================+===========+=========================+========+
|               |                      |                       | same as   | Error:                  |        |
| Y             |                      |                       | user      | user exists             |        |
|               |                      |                       |           |                         |        |
+---------------+----------------------+-----------------------+-----------+-------------------------+--------+
|               |                      |                       | current   | Create ``data/User``    | LOCAL  |
|               |                      |                       |           |                         |        |
+---------------+----------------------+-----------------------+-----------+-------------------------+--------+
|               |                      |                       |           | Create ``data/User``,   |        |
|               |                      |                       |           | Update ``data/User``,   |        |
|               | Y                    |                       | same as   | based on sync           | LDAP   |
|               |                      |                       | LDAP user | source                  |        |
|               |                      |                       |           |                         |        |
+---------------+----------------------+-----------------------+-----------+-------------------------+--------+
|               |                      |                       |           | Create ``data/User``,   |        |
|               |                      |                       |           | Update ``data/User``,   | APP    |
|               |                      | Y                     | same as   | based on sync           | SOURCE |
|               |                      |                       | APP user  | source                  |        |
|               |                      |                       |           |                         |        |
+---------------+----------------------+-----------------------+-----------+-------------------------+--------+
|               |                      |                       |           | Create ``data/User``,   |        |
|               |                      |                       |           | Update ``data/User``,   |        |
|               | Y                    | Y                     | same as   | based on sync           | LDAP   |
|               |                      |                       | APP user  | source                  |        |
|               |                      |                       |           |                         |        |
+---------------+----------------------+-----------------------+-----------+-------------------------+--------+
|               |                      |                       |           | Create ``data/User``,   |        |
|               |                      |                       |           | Update ``data/User``,   |        |
|               | Y                    |                       | below     | based on sync           | LDAP   |
|               |                      |                       | LDAP user | source,                 |        |
|               |                      |                       | hierarchy | Move LDAP user to       |        |
|               |                      |                       |           | ``data/User`` hierarchy |        |
+---------------+----------------------+-----------------------+-----------+-------------------------+--------+
|               |                      |                       |           | Create ``data/User``    |        |
|               |                      |                       |           | Update ``data/User``    |        |
|               |                      |                       |           | based on sync           | APP    |
|               |                      | Y                     | below     | source                  | SOURCE |
|               |                      |                       | APP user  | Move App user to        |        |
|               |                      |                       | hierarchy | ``data/User`` hierarchy |        |
|               |                      |                       |           |                         |        |
+---------------+----------------------+-----------------------+-----------+-------------------------+--------+
|               |                      |                       |           |                         |        |
|               |                      |                       |           | Create ``data/User``    |        |
|               |                      |                       |           | Update ``data/User``    |        |
|               |                      |                       |           | based on sync           |        |
|               | Y                    | Y                     | below     | source                  | LDAP   |
|               |                      |                       | APP user  | Move LDAP user to       |        |
|               |                      |                       | hierarchy | ``data/User`` hierarchy |        |
|               |                      |                       |           |                         |        |
|               |                      |                       |           |                         |        |
+---------------+----------------------+-----------------------+-----------+-------------------------+--------+
|               |                      |                       |           |                         |        |
|               |                      |                       |           |                         |        |
|               |                      |                       |           | Error:                  |        |
|               | Y                    |                       | above     | Create User Log         | LDAP   |
|               |                      |                       | LDAP user | entry with message      |        |
|               |                      |                       | hierarchy |                         |        |
|               |                      |                       |           |                         |        |
|               |                      |                       |           |                         |        |
+---------------+----------------------+-----------------------+-----------+-------------------------+--------+
|               |                      |                       |           |                         |        |
|               |                      |                       |           |                         |        |
|               |                      |                       |           | Error:                  |        |
|               |                      | Y                     | above     | Create User Log         | APP    |
|               |                      |                       | APP user  | entry with message      | SOURCE |
|               |                      |                       | hierarchy |                         |        |
|               |                      |                       |           |                         |        |
|               |                      |                       |           |                         |        |
+---------------+----------------------+-----------------------+-----------+-------------------------+--------+
|               |                      |                       |           |                         |        |
|               |                      |                       |           |                         |        |
|               |                      |                       |           | Error:                  |        |
|               | Y                    | Y                     | above     | Create User Log         | LDAP   |
|               |                      |                       | APP user  | entry with message      |        |
|               |                      |                       | hierarchy |                         |        |
|               |                      |                       |           |                         |        |
|               |                      |                       |           |                         |        |
+---------------+----------------------+-----------------------+-----------+-------------------------+--------+


.. _update-user-sync-scenarios:

Update user sync scenarios
''''''''''''''''''''''''''''

The table below details data sync sources and update actions when a user is updated
and the *default* Sync Source precedence applies. The cases are:

* whether or not the user exists on LDAP
* whether or not the user exists on any application that is a sync source

Field sync takes place according to:

* the User Field Mapping that applies - see: :ref:`user-field-mapping`.


.. important::
   Sync Source precedence may override user input.
   If you update a user on Automate and all of the following apply:

   * the user exists on a sync source
   * the user has mapped fields
   * the sync source has a higher precedence than LOCAL (Automate) data

   then the data of these fields is updated from the sync source and not from
   the user input added in Automate. The Admin Portal would typically render
   these fields read-only.


The table lists detailed scenarios for the operation *updating a user* (model: ``relation/User``):

.. note::

   Application updates described in the scenarios below may be intentionally skipped when an external 
   system is configured as the authoritative source.

   For Cisco Webex, if Control Hub is configured for LDAP Directory Sync and a user has been top-down 
   LDAP synced, updates triggered by LDAP synchronization do not update the Webex user record 
   (``device/spark/User``).

   This prevents LDAP data from overwriting Webex users managed by Control Hub.

   Updates triggered from other sources (for example, administrator actions, ``relation/User`` updates, or 
   subscriber workflows) continue to update the Webex user record as normal.


+---------------+----------------------+-----------------------+-------------+----------------------+--------+
| ``data/User`` | ``device/ldap/User`` | ``device/<APP>/User`` |             |                      | User   |
| exists        | exists               | exists                | Hierarchy   | Action               | Sync   |
|               |                      |                       |             |                      | Source |
+===============+======================+=======================+=============+======================+========+
| Y             |                      |                       | same as     | Update ``data/User`` | LOCAL  |
|               |                      |                       | user        |                      |        |
+---------------+----------------------+-----------------------+-------------+----------------------+--------+
|               |                      |                       |             | Update ``data/User`` |        |
|               |                      |                       |             | Non Mapped Fields    |        |
| Y             | Y                    |                       | same as     | only                 | LDAP   |
|               |                      |                       | user or     |                      |        |
|               |                      |                       | LDAP user   |                      |        |
|               |                      |                       |             | Update ``data/User`` |        |
|               |                      |                       |             | based on sync        |        |
|               |                      |                       |             | source               |        |
+---------------+----------------------+-----------------------+-------------+----------------------+--------+
|               |                      |                       |             | Update ``data/User`` |        |
| Y             |                      | Y                     | same as     |                      |        |
|               |                      |                       | user or     |                      |        |
|               |                      |                       | APP user    | Update App/User      | APP    |
|               |                      |                       |             | using reverse App    | SOURCE |
|               |                      |                       |             | map                  |        |
+---------------+----------------------+-----------------------+-------------+----------------------+--------+
|               |                      |                       |             | Update ``data/User`` |        |
|               |                      |                       |             | Non Mapped Fields    |        |
|               |                      |                       |             | only                 |        |
|               |                      |                       |             |                      |        |
|               |                      |                       |             | Update ``data/User`` |        |
| Y             | Y                    | Y                     | same as     | based on sync        | LDAP   |
|               |                      |                       | any of      | source               |        |
|               |                      |                       | user, APP   |                      |        |
|               |                      |                       | LDAP user   | Update App/User      |        |
|               |                      |                       |             | using reverse App    |        |
|               |                      |                       |             | map                  |        |
+---------------+----------------------+-----------------------+-------------+----------------------+--------+
|               |                      |                       |             |                      |        |
|               |                      |                       |             | Update ``data/User`` |        |
|               |                      |                       |             | Non Mapped Fields    |        |
| Y             | Y                    |                       | below user  | only                 | LDAP   |
|               |                      |                       | or LDAP     |                      |        |
|               |                      |                       | user        |                      |        |
|               |                      |                       |             | Update ``data/User`` |        |
|               |                      |                       |             | based on sync        |        |
|               |                      |                       |             | source               |        |
|               |                      |                       |             |                      |        |
+---------------+----------------------+-----------------------+-------------+----------------------+--------+
|               |                      |                       |             |                      |        |
|               |                      |                       |             | Error:               | APP    |
| Y             |                      | Y                     | below user  | Create User Log      | SOURCE |
|               |                      |                       | or APP user | entry with message   |        |
|               |                      |                       |             | RBAC issue           |        |
|               |                      |                       |             |                      |        |
+---------------+----------------------+-----------------------+-------------+----------------------+--------+
|               |                      |                       |             |                      |        |
|               |                      |                       |             | Error:               | LDAP   |
| Y             | Y                    | Y                     | below any   | Create User Log      |        |
|               |                      |                       | of user,    | entry with message   |        |
|               |                      |                       | LDAP, APP   | RBAC issue           |        |
|               |                      |                       | user        |                      |        |
+---------------+----------------------+-----------------------+-------------+----------------------+--------+
|               |                      |                       |             |                      |        |
|               |                      |                       |             | Error:               |        |
| Y             | Y                    |                       | above user  | Create User Log      | LDAP   |
|               |                      |                       | or LDAP     | entry with message   |        |
|               |                      |                       | user        |                      |        |
|               |                      |                       |             |                      |        |
+---------------+----------------------+-----------------------+-------------+----------------------+--------+
|               |                      |                       |             |                      |        |
|               |                      |                       |             | Error:               |        |
| Y             |                      | Y                     | above user  | Create User Log      | APP    |
|               |                      |                       | or APP user | entry with message   | SOURCE |
|               |                      |                       |             |                      |        |
|               |                      |                       |             |                      |        |
+---------------+----------------------+-----------------------+-------------+----------------------+--------+
|               |                      |                       |             |                      |        |
|               |                      |                       |             | Error:               | LDAP   |
| Y             | Y                    | Y                     | above any   | Create User Log      |        |
|               |                      |                       | of user,    | entry with message   |        |
|               |                      |                       | LDAP, APP   |                      |        |
|               |                      |                       | user        |                      |        |
+---------------+----------------------+-----------------------+-------------+----------------------+--------+
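The same-hierarchy rows of the table above, modelled as an added example (not Automate's own code). It shows admin input on an LDAP-mapped field being discarded in favour of the LDAP value while non-mapped fields are kept, and the result being pushed to the application through a reverse App map. The field names, mappings and sample users are constructed, and the LDAP, APP SOURCE, LOCAL order is read from the table's User Sync Source column.

```python
# Constructed sample data: current data/User, LDAP entry, and field mappings.
CURRENT = {"username": "jdoe", "email": "jdoe@example.com",
           "last_name": "Doe", "department": "Sales"}
LDAP_USER = {"mail": "jdoe@corp.example", "sn": "Doe"}
LDAP_MAP = {"mail": "email", "sn": "last_name"}          # LDAP attr -> data/User field
APP_MAP = {"email": "mailid", "last_name": "lastName"}   # data/User field -> app field
ADMIN_INPUT = {"email": "john@personal.example", "department": "Support"}


def sync_source(on_ldap, on_app):
    """User Sync Source as shown in the table: LDAP, then APP SOURCE, then LOCAL."""
    if on_ldap:
        return "LDAP"
    if on_app:
        return "APP SOURCE"
    return "LOCAL"


def update_user(current, admin_input, ldap_user=None, ldap_map=None, app_map=None):
    """Model an update of relation/User at the same hierarchy as the user.

    ldap_user is None when no device/ldap/User exists; app_map is None when
    no device/<APP>/User exists.
    """
    source = sync_source(ldap_user is not None, app_map is not None)
    result = dict(current)
    overridden = []

    if source == "LDAP":
        mapped = set(ldap_map.values())
        # "Update data/User Non Mapped Fields only": input on mapped fields is ignored.
        for field, value in admin_input.items():
            if field not in mapped:
                result[field] = value
        # "Update data/User based on sync source": mapped fields come from LDAP.
        for attr, field in ldap_map.items():
            if attr in ldap_user:
                result[field] = ldap_user[attr]
        overridden = sorted(f for f, v in admin_input.items()
                            if f in mapped and result.get(f) != v)
    else:
        # LOCAL or APP SOURCE row: data/User takes the admin input as entered.
        result.update(admin_input)

    app_update = None
    if app_map is not None:
        # "Update App/User using reverse App map".
        app_update = {app_field: result[field]
                      for field, app_field in app_map.items() if field in result}

    return {"sync_source": source, "data_user": result,
            "overridden": overridden, "app_update": app_update}


if __name__ == "__main__":
    for label, kwargs in [
        ("data/User only", {}),
        ("data/User + APP", {"app_map": APP_MAP}),
        ("data/User + LDAP + APP",
         {"ldap_user": LDAP_USER, "ldap_map": LDAP_MAP, "app_map": APP_MAP}),
    ]:
        print(label, update_user(CURRENT, ADMIN_INPUT, **kwargs))
```

A non-empty ``overridden`` list is the case the important note warns about: the administrator's value for a mapped field did not take effect.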


.. _ldap-add-sync-scenarios:

LDAP add sync scenarios
''''''''''''''''''''''''


The table below details data sync sources and update actions
when an LDAP user is added and the *default* Sync Source precedences apply. The cases are:

*  whether or not the user exists on LDAP
*  whether or not the user exists on Automate or any application that is a sync source

Field sync takes place according to:

* the User Field Mapping that applies - see: :ref:`user-field-mapping`.



.. important::
   Sync Source precedence may override user input.
   If you update a user on Automate and all of the following apply:

   * the user exists on a sync source
   * the user has mapped fields
   * the sync source has a higher precedence than LOCAL (Automate) data

   then the data of these fields is updated from the sync source and not from
   the user input added in Automate. The Admin Portal would typically render
   these fields read-only.
   

The detailed scenarios and actions for the operation: *syncing an LDAP user* (sync source is always LDAP) are:

+---------------+----------------------+-----------------------+--------------+-------------------------+
| ``data/User`` | ``device/ldap/User`` | ``device/<APP>/User`` |              |                         |
| exists        | exists               | exists                | Hierarchy    | Action                  |
|               |                      |                       |              |                         |
+===============+======================+=======================+==============+=========================+
| Y             |                      |                       | same as user | Update ``data/User``    |
|               |                      |                       |              |                         |
+---------------+----------------------+-----------------------+--------------+-------------------------+
|               |                      |                       |              | Create ``data/User``    |
|               |                      |                       |              |                         |
+---------------+----------------------+-----------------------+--------------+-------------------------+
|               |                      |                       |              | Error                   |
|               |                      |                       |              | Create User Log         |
|               | Y                    |                       | same as      | entry with message      |
|               |                      |                       | LDAP user    |                         |
|               |                      |                       |              | Purge current LDAP      |
|               |                      |                       |              | user                    |
+---------------+----------------------+-----------------------+--------------+-------------------------+
|               |                      |                       |              | Create ``data/User``    |
|               |                      |                       |              |                         |
|               |                      |                       |              | Update ``data/User``    |
|               |                      |                       |              | based on sync           |
|               |                      | Y                     | same as      | source                  |
|               |                      |                       | APP user     |                         |
|               |                      |                       |              | Update APP data         |
|               |                      |                       |              | based on sync           |
|               |                      |                       |              | source                  |
+---------------+----------------------+-----------------------+--------------+-------------------------+
|               |                      |                       |              | Error                   |
|               |                      |                       |              | Create User Log         |
|               | Y                    | Y                     | same as      | entry with message      |
|               |                      |                       | LDAP or APP  |                         |
|               |                      |                       | user         | Purge current LDAP      |
|               |                      |                       |              | user                    |
+---------------+----------------------+-----------------------+--------------+-------------------------+
|               |                      |                       |              | Update ``data/User``    |
|               |                      |                       |              |                         |
| Y             |                      |                       | below        | Move LDAP user to       |
|               |                      |                       | user         | ``data/User`` hierarchy |
+---------------+----------------------+-----------------------+--------------+-------------------------+
|               |                      |                       |              | Error                   |
|               |                      |                       |              | Create User Log         |
|               | Y                    |                       | below LDAP   | entry with message      |
|               |                      |                       | user         |                         |
|               |                      |                       |              | Purge current LDAP      |
|               |                      |                       |              | user                    |
+---------------+----------------------+-----------------------+--------------+-------------------------+
|               |                      |                       |              | Create ``data/User``    |
|               |                      |                       |              |                         |
|               |                      |                       |              | Update ``data/User``    |
|               |                      |                       |              | based on sync           |
|               |                      |                       |              | source                  |
|               |                      |                       |              |                         |
|               |                      | Y                     | below APP    | Update APP data         |
|               |                      |                       | user         | based on sync           |
|               |                      |                       |              | source                  |
|               |                      |                       |              |                         |
|               |                      |                       |              | Move ``data/User`` and  |
|               |                      |                       |              | LDAP user to APP        |
|               |                      |                       |              | hierarchy               |
+---------------+----------------------+-----------------------+--------------+-------------------------+
|               |                      |                       |              | Error                   |
|               |                      |                       |              | Create User Log         |
|               | Y                    | Y                     | below LDAP   | entry with message      |
|               |                      |                       | or APP user  |                         |
|               |                      |                       |              | Purge current LDAP      |
|               |                      |                       |              | user                    |
+---------------+----------------------+-----------------------+--------------+-------------------------+
|               |                      |                       |              | Error                   |
|               |                      |                       |              | Create User Log         |
| Y             |                      |                       | above        | entry with message      |
|               |                      |                       | user         |                         |
|               |                      |                       |              | Purge current LDAP      |
|               |                      |                       |              | user                    |
+---------------+----------------------+-----------------------+--------------+-------------------------+
|               |                      |                       |              | Error                   |
|               |                      |                       |              | Create User Log         |
|               | Y                    |                       | above LDAP   | entry with message      |
|               |                      |                       | user         |                         |
|               |                      |                       |              | Purge current LDAP      |
|               |                      |                       |              | user                    |
+---------------+----------------------+-----------------------+--------------+-------------------------+
|               |                      |                       |              | Create ``data/User``    |
|               |                      |                       |              |                         |
|               |                      |                       |              | Update ``data/User``    |
|               |                      |                       |              | based on sync           |
|               |                      | Y                     | above APP    | source                  |
|               |                      |                       | user         |                         |
|               |                      |                       |              | Update APP data         |
|               |                      |                       |              | based on sync           |
|               |                      |                       |              | source                  |
+---------------+----------------------+-----------------------+--------------+-------------------------+
|               |                      |                       |              | Error                   |
|               |                      |                       |              | Create User Log         |
|               | Y                    | Y                     | above LDAP   | entry with message      |
|               |                      |                       | or APP user  |                         |
|               |                      |                       |              | Purge current LDAP      |
|               |                      |                       |              | user                    |
+---------------+----------------------+-----------------------+--------------+-------------------------+
|               |                      |                       |              | Create ``data/User``    |
|               |                      |                       |              |                         |
|               |                      |                       |              | Update ``data/User``    |
|               |                      |                       |              | based on sync           |
| Y             |                      | Y                     | above user   | source                  |
|               |                      |                       | or APP user  |                         |
|               |                      |                       |              | Update APP data         |
|               |                      |                       |              | based on sync           |
|               |                      |                       |              | source                  |
+---------------+----------------------+-----------------------+--------------+-------------------------+


.. _ldap-update-delete-sync-scenarios:

LDAP update and delete sync scenarios
'''''''''''''''''''''''''''''''''''''''

The table below details data sync sources and update actions
when an LDAP user is added and the *default* Sync Source precedences apply. The cases are:

*  whether or not the user exists on LDAP
*  whether or not the user exists on Automate or any application that is a sync source

Field sync takes place according to:

* the User Field Mapping that applies - see: :ref:`user-field-mapping`.


.. important::
   Sync Source precedence may override user input.
   If you update a user on Automate:
   
   * that exists on a sync source
   * has mapped fields
   * has a higher precedence than LOCAL (Automate) data
   
   the data of these fields will be updated from the sync source and not the user
   input added in Automate. The Admin Portal would typically render these fields
   read-only.
   

The detailed scenarios and actions for the operation: *deleting an LDAP sync* - manually (M) or automatically (A) - are:

+-----------+---------------+----------------------+-----------------------+-------------------------+--------+
|           | ``data/User`` | ``device/ldap/User`` | ``device/<APP>/User`` |                         | User   |
| Operation | exists        | exists               | exists                | Action                  | Sync   |
|           |               |                      |                       |                         | Source |
+===========+===============+======================+=======================+=========================+========+
| LDAP      |               |                      |                       |                         |        |
| DELETE    | Y             | Y                    |                       | Update ``data/User``    | LOCAL  |
| SYNC (M)  |               |                      |                       |                         |        |
+-----------+---------------+----------------------+-----------------------+-------------------------+--------+
| LDAP      |               |                      |                       |                         |        |
| DELETE    |               | Y                    |                       |                         |        |
| SYNC (M)  |               |                      |                       |                         |        |
+-----------+---------------+----------------------+-----------------------+-------------------------+--------+
|           |               |                      |                       | Update ``data/User``    |        |
|           |               |                      |                       | based on sync           |        |
|           |               |                      |                       | source                  |        |
| LDAP      |               |                      |                       |                         |        |
| DELETE    | Y             | Y                    | Y                     | Update APP data         | LOCAL  |
| SYNC (M)  |               |                      |                       | based on sync           |        |
|           |               |                      |                       | source                  |        |
|           |               |                      |                       |                         |        |
|           |               |                      |                       | Convert UCM user        |        |
|           |               |                      |                       | to local user           |        |
+-----------+---------------+----------------------+-----------------------+-------------------------+--------+
| LDAP      |               |                      |                       |                         |        |
| DELETE    | Y             | Y                    |                       | Delete ``data/User``    |        |
| SYNC (A)  |               |                      |                       |                         |        |
+-----------+---------------+----------------------+-----------------------+-------------------------+--------+
| LDAP      |               |                      |                       |                         |        |
| DELETE    |               | Y                    |                       |                         |        |
| SYNC (A)  |               |                      |                       |                         |        |
+-----------+---------------+----------------------+-----------------------+-------------------------+--------+
|           |               |                      |                       | Delete ``data/User``    |        |
|           |               |                      |                       | source                  |        |
| LDAP      |               |                      |                       |                         |        |
| DELETE    | Y             | Y                    | Y                     | Delete                  |        |
| SYNC (A)  |               |                      |                       | ``relation/Subscriber`` |        |
+-----------+---------------+----------------------+-----------------------+-------------------------+--------+

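The following added example (not Automate code or API) models two rules from this section: mapped fields from a higher-precedence sync source override an administrator's input, and a manual LDAP delete sync keeps the user with sync source LOCAL while an automatic one deletes ``data/User``. The precedence order, record layout, field names and function names are assumptions made for illustration.

```python
# Added illustration: a hypothetical model of the rules above, not Automate code.
# ASSUMPTION: precedence order (highest first); the real default is defined
# under Sync Source in Automate.
PRECEDENCE = ["LDAP", "APP", "LOCAL"]


def outranks_local(source):
    """True when the given sync source has higher precedence than LOCAL."""
    return PRECEDENCE.index(source) < PRECEDENCE.index("LOCAL")


def apply_update(user, user_input, mapped_fields):
    """Apply an admin's edit; return (new_fields, overridden_field_names)."""
    new_fields = dict(user["fields"])
    overridden = []
    for name, value in user_input.items():
        from_source = (
            outranks_local(user["sync_source"])
            and name in mapped_fields
            and name in user["source_data"]
        )
        if from_source:
            # Mapped field owned by the sync source: the typed value is discarded.
            new_fields[name] = user["source_data"][name]
            overridden.append(name)
        else:
            new_fields[name] = value
    return new_fields, sorted(overridden)


def ldap_delete_sync(user, mode):
    """Model the delete table for a user whose data/User exists.

    mode "M": the record is kept and its sync source becomes LOCAL.
    mode "A": data/User is deleted, modelled here as None.
    """
    if mode == "A":
        return None
    if mode != "M":
        raise ValueError("mode must be 'M' or 'A'")
    return dict(user, sync_source="LOCAL", source_data={})


# Constructed sample record, mapping and edit (not real data).
MAPPED = {"mail", "last_name"}
ALICE = {"sync_source": "LDAP",
         "fields": {"mail": "alice@example.test", "last_name": "Ng", "notes": ""},
         "source_data": {"mail": "alice@example.test", "last_name": "Ng"}}
EDIT = {"mail": "a.ng@example.test", "notes": "moved to site B"}
```

After a manual delete the same edit is accepted in full, because the record is now LOCAL; accounts kept this way are no longer governed by the directory and are worth including in account reviews.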


The detailed scenarios and actions for the operation: *updating an LDAP sync* (sync source is always LDAP) are:

+---------------+----------------------+-----------------------+----------------------+
| ``data/User`` | ``device/ldap/User`` | ``device/<APP>/User`` |                      |
| exists        | exists               | exists                | Action               |
|               |                      |                       |                      |
+===============+======================+=======================+======================+
|               |                      |                       |                      |
| Y             | Y                    |                       | Update ``data/User`` |
|               |                      |                       |                      |
+---------------+----------------------+-----------------------+----------------------+
|               |                      |                       |                      |
|               | Y                    |                       | Create ``data/User`` |
|               |                      |                       |                      |
+---------------+----------------------+-----------------------+----------------------+
|               |                      |                       | Update ``data/User`` |
|               |                      |                       | based on sync        |
| Y             | Y                    | Y                     | source               |
|               |                      |                       |                      |
|               |                      |                       | Update APP data      |
|               |                      |                       | based on sync        |
|               |                      |                       | source               |
+---------------+----------------------+-----------------------+----------------------+


