Synchronize users using Active Directory import

If a username in the Active Directory import matches an existing username in Axiom Budget Planning and Performance Reporting security, the user is updated only if the Directory Sync Enabled checkbox remains selected for the matching user. Matching users are updated as follows:

Field: Description

User Properties: If the first name, last name, or email address changed in Active Directory, it is updated in Axiom Budget Planning and Performance Reporting.

User License Type: If the assigned user license type for the Active Directory group changed, the license type is updated in Axiom Budget Planning and Performance Reporting.

Authentication Type: If the assigned authentication type for the Active Directory group changed, the authentication type is updated in Axiom Budget Planning and Performance Reporting.

Role and Subsystem Assignments: The user's role and subsystem assignments are updated as follows:

  • If a role or subsystem assignment was added for the Active Directory group, the user is assigned to that role or subsystem.

  • If a role or subsystem assignment was removed from the Active Directory group, the user is only removed from the role or subsystem if another group is mapped to that same role or subsystem (and the user does not also belong to that other group). If the previously assigned role or subsystem is not present in the mappings, the user is not removed from the role or subsystem.

  • If the user no longer belongs to the Active Directory group, and that group's role or subsystem mappings still exist, the user is removed from those roles and subsystems unless the user belongs to another Active Directory group in the import that is mapped to the same roles and subsystems.

Disabled Users: If the user is disabled in Active Directory, the user is disabled in Axiom Budget Planning and Performance Reporting. If the user is disabled in Axiom Budget Planning and Performance Reporting but enabled in Active Directory, the user is re-enabled or left as disabled, depending on whether Never Enable Users is selected in the Scheduler task settings.

If the Directory Sync Enabled checkbox is cleared for the matching user, that user is ignored by the Active Directory synchronization process.

If the Directory Sync Enabled checkbox is selected for a user and that user does not match a username in the Active Directory import, the user is disabled. If you still need the user account, you can re-enable the user and clear the Directory Sync Enabled checkbox so that the user is ignored by future imports.

NOTES:
  • Role mappings are processed in role ID order. If a group has multiple mappings and the user license type or authentication type does not match all of the mappings, users in the group are assigned to the license type and authentication type associated with the last-processed role.

  • If a role mapping uses a subsystem-specific role, users are assigned to that role regardless of whether they also belong to the associated subsystem. This issue creates an invalid security configuration that must be corrected after the import.
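The role and subsystem removal rules described above mean that an assignment whose mapping was deleted everywhere stays on the user after the import. The following added example (not Axiom code or an Axiom API) models those rules and lists the assignments that no current group membership justifies; the function names, group names, and role names are all constructed for illustration.

```python
# Added illustration: models the documented role/subsystem sync rules.
# All names and data are constructed; this is not Axiom code or an Axiom API.

def sync_assignments(current, user_groups, mappings):
    """Return the user's roles/subsystems after one import.

    current     -- set of roles/subsystems the user holds before the import
    user_groups -- set of Active Directory groups the user belongs to
    mappings    -- dict: group name -> set of roles/subsystems mapped to it
    """
    # Everything mapped to a group the user belongs to is assigned.
    entitled = set()
    for group in user_groups:
        entitled |= mappings.get(group, set())
    # Everything that still appears in at least one group's mapping.
    still_mapped = set().union(*mappings.values())
    # An assignment is removed only when it is still mapped somewhere and the
    # user is in none of the groups mapped to it. Assignments that no longer
    # appear in any mapping are left in place.
    retained = {a for a in current if a not in still_mapped}
    return entitled | retained


def unbacked_assignments(assignments, user_groups, mappings):
    """Assignments the user holds that no current group membership justifies."""
    entitled = set()
    for group in user_groups:
        entitled |= mappings.get(group, set())
    return sorted(set(assignments) - entitled)


# Constructed scenario: "Approver" used to be mapped to AD-Finance, but that
# mapping was deleted and no other group maps it. "Budget Admin" is still
# mapped to AD-Admins, a group the user does not belong to.
MAPPINGS = {"AD-Finance": {"Planner"}, "AD-Admins": {"Budget Admin"}}
BEFORE = {"Planner", "Approver", "Budget Admin"}
AFTER = sync_assignments(BEFORE, {"AD-Finance"}, MAPPINGS)

if __name__ == "__main__":
    print("after import:", sorted(AFTER))
    print("review manually:",
          unbacked_assignments(AFTER, {"AD-Finance"}, MAPPINGS))
```

Roles assigned manually outside of any group mapping appear in the same review list, so the output is a starting point for review rather than a removal list.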