Active Directory Integration Active Directory Integration
Creating
an Active Directory Source Definition
The Active Directory Integration feature enables an agent that updates and synchronizes iSupport Customer Profile, Support Representative Profile, and Asset records with the information in one or more Active Directory sources. This synchronizes iSupport data with the data in Active Directory.
You’ll use the Data Source Integration screen to create a data source integration definition to specify the server and related settings, field mappings, and exclusions, and use sync definitions to specify the type of record you are synchronizing and the directory node and filters for the data to be synchronized. You can utilize both filtering and exclusions to specify the values that should not be synchronized; what you use will depend on how much you need to prevent from synchronizing for the level in the targeted source. You can also set default values based upon the AD sync setting entry from which a record was created. Exclusions target everything under a node in a directory and apply to all sync definitions of the same record type within a data source integration definition. Filters use syntax that can target multiple nodes in a tree, and apply to a specified base directory node in a sync definition.
If enabled, the following occurs when the agent runs:
If there is an entry in Active Directory that does not exist in the applicable iSupport table (Customer Profile, Support Representative Profile, or Asset), the entry is created in iSupport. In order for an entry to be added from Active Directory, it must contain:
For Customer Profiles: a first name, last name, and email address. If mySupport access is configured, the Approved to Access mySupport field will be enabled on the automatically-created Customer Profile record.
For Support Representative Profiles, a first name, last name, and email address.
For assets, a name.
If an email address matches an email address in Customer Profiles and the record was directly entered via Customer Profiles, depending on the configured order of precedence, the Customer Profiles record is updated with the latest information from Active Directory. If a Customer Profile entry has already been synchronized with Active Directory, the Last Modified dates are compared and the Customer Profile is updated with the latest information.
If an entry is deleted in the Active Directory, the record will be flagged for deletion and:
If work items or assets are not associated with that name, the entry will be deleted from Customer Profiles when the Database Maintenance agent runs.
If work items or assets are associated with the name, the entry will remain flagged for deletion in Customer Profiles until those incident records no longer exist.
The initial synchronization process will populate the Secondary User Name field if the iSupport Services user account is a domain level user account. For ease of entry, it is approximated by retrieving the text between the @ symbol and the next period from the user’s principal name and converting it to upper case (for example, LBLSOFT would be retrieved from [email protected]) and adding a backslash, and then retrieving the username portion from the samAccountName field of an AD user entry.
Because this login may be different if there are multiple domains, this field will be editable and will not be synchronized again after the initial synchronization. If your environment consists of multiple domains, you’ll need to verify that the approximated Secondary User Name entry is correct.
If a record in Active Directory has a value in the Manager field, and an existing Customer Profile record contains that manager, the manager will be inserted in the Approver field in the Customer Profile record; otherwise, the Approver field will be blank.
Note: If a Customer Profile record has been synchronized with Active Directory, the synchronized fields (except for Secondary User Name) cannot be edited in the Customer Profiles screen. These fields can only be edited via Active Directory. The primary company cannot be changed on Customer Profile records with an active synchronization source.
When the feature is enabled, the agent runs immediately and then as specified according to the defined schedule. The Active Directory Integration feature does not modify the contents in Active Directory in any way.