Sync Identity Director users based on...

The RES ONE Identity Director (formerly known as the RES ONE Service Store) is the only RES product with its own Users (People) database. This is because RES ONE Identity Director (ROID) can take its users from all kinds of sources, such as SaaS applications or even a CSV file. But what if you do use it with Active Directory? By default it will sync all the users in your Active Directory. This is not ideal in some cases, especially if you have a large Active Directory and a limited number of ROID licenses. Then syncing just one group of users is easier. So how do we do that? I will explain how. Let's get started.

First I want to point out this great article by Chris Jeucken (ITStore-Guru): Sync a Specific user. That article inspired this one, but instead of syncing a specific user as a service, I want to sync a whole Active Directory group and do this automatically. To do this we first need to add something to the users in the group to make them filterable within the ROID sync tool. For this I use extensionAttribute10 of the user and fill it with IdentityDirector. To do this I created a script:

```powershell
Function fill-roid-group {
    Param (
        [Parameter(Mandatory)]
        $Group
    )

    Write-Progress -Activity "Loading AD module"
    Import-Module ActiveDirectory

    # Resolve the group recursively (nested groups included), keep only user objects
    # (a computer account in the group would otherwise make Get-ADUser error out)
    # and drop disabled accounts so they never reach the ROID sync.
    Write-Progress -Activity "Getting group members"
    $users = Get-ADGroupMember -Identity "$Group" -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser |
        Where-Object { $_.Enabled -eq $True }

    foreach ($user in $users)
    {
        Write-Progress -Activity "Filling extensionAttribute10 for $user"
        $usersam = $user.SamAccountName
        # -Replace writes the value whether or not the attribute was set before.
        Set-ADUser -Identity $usersam -Replace @{ extensionAttribute10 = "IdentityDirector" }
    }
}

fill-roid-group -Group "Enter-your-security-group"
```

This script will do the following things:

It gets all the users from the group
Fills extensionAttribute 10 with IdentityDirector for all users
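The script above only ever adds the stamp, so a user who is removed from the security group (or disabled) keeps extensionAttribute10 and stays in the ROID People database, still consuming a licence. The following is an added example, not part of the original article or of RES's own tooling: it stamps current members and clears the stamp from accounts that are no longer enabled members, supports -WhatIf for a dry run, and reports what it changed. The function name, the parameter names and the return object are my own choices; the group name is the same placeholder the article uses.

```powershell
# Added example (not from the original article): keep extensionAttribute10 in step
# with group membership in both directions. Function name and parameters are assumptions.
Function Sync-RoidGroupStamp {
    [CmdletBinding(SupportsShouldProcess)]
    Param (
        [Parameter(Mandatory)] [string] $Group,
        [string] $Attribute = 'extensionAttribute10',
        [string] $Value     = 'IdentityDirector'
    )

    Import-Module ActiveDirectory

    # Enabled user accounts that are (nested) members of the group right now.
    $members = @(Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties $Attribute |
        Where-Object { $_.Enabled })

    # Index by DN so the stale check below is a hash lookup, not a nested loop.
    $memberDns = @{}
    foreach ($m in $members) { $memberDns[$m.DistinguishedName] = $true }

    # Only write to accounts whose stamp is actually missing or wrong.
    $stamped = 0
    foreach ($m in $members) {
        if ($m.$Attribute -ne $Value) {
            if ($PSCmdlet.ShouldProcess($m.SamAccountName, "set $Attribute=$Value")) {
                Set-ADUser -Identity $m -Replace @{ $Attribute = $Value }
            }
            $stamped++
        }
    }

    # Everyone still carrying the stamp who is no longer an enabled member:
    # leavers, people moved out of the group, and disabled accounts all end up here.
    $stale = @(Get-ADUser -LDAPFilter "($Attribute=$Value)" |
        Where-Object { -not $memberDns.ContainsKey($_.DistinguishedName) })
    foreach ($s in $stale) {
        if ($PSCmdlet.ShouldProcess($s.SamAccountName, "clear $Attribute")) {
            Set-ADUser -Identity $s -Clear $Attribute
        }
    }

    [pscustomobject]@{
        Members = $members.Count
        Stamped = $stamped
        Cleared = $stale.Count
    }
}

# Dry run first (shows every Set-ADUser it would issue), then for real.
Sync-RoidGroupStamp -Group 'Enter-your-security-group' -WhatIf
Sync-RoidGroupStamp -Group 'Enter-your-security-group'
```

Because the clearing step drives the next ROID sync, run it with -WhatIf against a test group before scheduling it: an empty or mistyped group name would strip the stamp from every currently synced user.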

The only thing you need to do before running the script is change Enter-your-security-group to the name of your security group. Now that extensionAttribute10 is filled we can filter on these users in the Setup and Sync tool.

Setting up filtering in the RES ONE Identity Director Setup & Sync Tool

Once you have started the RES ONE Identity Director Setup & Sync Tool, click on Data Model in the menu and then on Data Sources. Now double click on your Users sync.

Click on the Columns tab and click Add… at the bottom.

Make sure Show all advanced properties at the bottom is checked, find the ms-Exch-Extension-Attribute-10 property under advanced, select it and click OK.

Now go to the Filter tab, click on Add… and select the ms-Exch-Extension-Attribute-10 column. The operator is LIKE and the value is IdentityDirector.

And that's it! Now when you sync your Users again it will only sync the users whose extensionAttribute10 is filled with IdentityDirector.

Automation

Of course we want to automate the sync process as well. We can do this in two ways. One, use the Windows Task Scheduler to run the script above and to run the ROID sync automatically (check this article on how to run the ROID sync automatically). Or two, use RES ONE Automation to automate the task. I created a module named ROID Sync. This module will do the following:

Runs the script to fill extensionAttribute10
Starts all the sync connections in your Setup and Sync tool

Now you can schedule this task multiple times a day, and when you add a new user to the security group it will be synced automatically to the RES ONE Identity Director People database. The module must be run on an agent with the Setup and Sync tool and the AD PowerShell module installed, and you still need to set up the filtering manually.
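For the first option, the Windows Task Scheduler, here is an added example (not from the original article) of registering the stamping script as a recurring task from PowerShell. It assumes the script has been saved to a file and runs it under a group Managed Service Account so that no password has to be stored with the task; the gMSA only needs delegated write access to extensionAttribute10 on the user OU, not local administrator rights. The script path, the account name and the task name are placeholders. Launching the ROID sync itself is not covered on this page (the author links to a separate article for that), so this task covers the stamping step only.

```powershell
# Added example (not from the original article): schedule the stamping script every
# four hours under a gMSA. All names and paths below are placeholders.
$ScriptPath = 'C:\Scripts\fill-roid-group.ps1'   # placeholder: where the script above was saved
$RunAs      = 'CONTOSO\gmsa-roid-stamp$'          # placeholder: gMSA with delegated write on extensionAttribute10

$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -File `"$ScriptPath`""

# Start at 06:00 and repeat every 4 hours; the long duration keeps the repetition going indefinitely.
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).Date.AddHours(6) `
    -RepetitionInterval (New-TimeSpan -Hours 4) -RepetitionDuration (New-TimeSpan -Days 3650)

# LogonType Password with a gMSA makes the Task Scheduler fetch the managed password itself;
# RunLevel Limited because the account needs no elevation on the host.
$principal = New-ScheduledTaskPrincipal -UserId $RunAs -LogonType Password -RunLevel Limited

# Kill a hung run after an hour, never overlap two runs, and catch up a missed start.
$settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 1) `
    -MultipleInstances IgnoreNew -StartWhenAvailable

Register-ScheduledTask -TaskName 'ROID - stamp group members' `
    -Description 'Fills extensionAttribute10 for the ROID user sync filter' `
    -Action $action -Trigger $trigger -Principal $principal -Settings $settings -Force
```

The host running the task must be allowed to retrieve the gMSA password (PrincipalsAllowedToRetrieveManagedPassword on the account) and must have the ActiveDirectory module installed, the same requirement the article states for the RES ONE Automation agent.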