HP Identity Driven Manager Software Series User Manual

Getting Started
User Session Information

6. Select the Active Directory Groups you want to Synchronize to IDM, then
click the >> button to move the groups to the "Groups to Synchronize" list.

Use the Filter field to locate a group easily.

To remove groups from the synchronization, select the group in the
"Groups to Synchronize" list and click the << button to move it to the
"Groups in Active Directory" list.

7. Click OK to save the Groups to Synchronize and return to the User
Directory Settings window.

8. To accommodate users who are members of multiple groups, ensure the
listed groups are in the desired order. To reorder a group, select the group
and click the Move up or Move down button.

A user can belong to only one Access Policy Group. IDM associates users
with the first group in the group list that the user is a member of.
Therefore, order is important.

9. Click Apply to save the settings without exiting the window.

Click OK to save the settings and close the window.

An Access Policy Group is created for each selected Active Directory
group, and all users that belong to the selected groups will be imported
from the Active Directory server into the appropriate Access Policy
Group. Changes to users in the selected groups will be imported
(synchronized) as long as the Active Directory Synchronization is enabled.

Operating Notes:

If a user belongs to more than one Active Directory group, the user is
imported into the IDM Access Policy Group with the highest priority
(set in User Directory Settings Preferences).

If an Active Directory group is deleted while Active Directory
synchronization is enabled, the associated Access Policy Group is
deleted. If that group is the priority IDM Access Policy Group for a
user who belongs to more than one Active Directory group, the user
is automatically reassigned to the next highest priority Access Policy
Group. Users who do not belong to more than one Active Directory
group are reassigned to the default Access Policy Group for the
Realm.

If an Active Directory group is deleted while Active Directory
synchronization is disabled, the associated Access Policy Group is
NOT deleted when synchronization is enabled. However, all users will
be reassigned to other groups (next highest priority or default Access
Policy Group for the Realm) as part of the resynchronization process.
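
The sketch below is an added example, not HP IDM code. It models the first-match rule and the deletion behavior described above so that a planned reorder or group removal can be checked for users whose Access Policy Group would change. The group names, user names and the "Default Access Policy Group" label are constructed placeholders.

```python
# Added illustration: models the first-match rule from the manual; not HP IDM code.
DEFAULT_APG = "Default Access Policy Group"  # placeholder for the Realm default

def resolve_apg(user_groups, sync_order, default=DEFAULT_APG):
    """Return the first group in sync_order the user belongs to, else the default."""
    member_of = set(user_groups)
    for group in sync_order:
        if group in member_of:
            return group
    return default

def assign_all(directory, sync_order):
    """Map every user to exactly one Access Policy Group."""
    return {u: resolve_apg(g, sync_order) for u, g in directory.items()}

def delete_group(directory, sync_order, group):
    """Model an AD group deletion: drop it from memberships and from the list."""
    new_dir = {u: [g for g in gs if g != group] for u, gs in directory.items()}
    return new_dir, [g for g in sync_order if g != group]

def changed_assignments(before, after):
    """Users whose Access Policy Group differs between two assignment maps."""
    return {u: (before[u], after[u]) for u in before if before[u] != after.get(u)}

# Constructed sample data (group and user names are hypothetical).
DIRECTORY = {
    "alice": ["Contractors", "Network-Admins"],
    "bob": ["Contractors"],
    "carol": ["Staff"],
}
ORDER = ["Network-Admins", "Staff", "Contractors"]

if __name__ == "__main__":
    current = assign_all(DIRECTORY, ORDER)
    print("current:", current)
    # Reordering silently moves multi-group users to a different policy.
    reordered = assign_all(DIRECTORY, ["Contractors", "Staff", "Network-Admins"])
    print("after reorder:", changed_assignments(current, reordered))
    # Deleting a group moves users to the next match or to the Realm default.
    new_dir, new_order = delete_group(DIRECTORY, ORDER, "Contractors")
    print("after delete:", changed_assignments(current, assign_all(new_dir, new_order)))
```

Reviewing the changed-assignment output before clicking Apply shows which multi-group users would receive a different policy from the new order.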