
One Identity Active Roles 8.0 LTS

Synchronization Service
Administration Guide
Copyright 2022 One Identity LLC.
ALL RIGHTS RESERVED.
This guide contains proprietary information protected by copyright. The software described in this guide
is furnished under a software license or nondisclosure agreement. This software may be used or copied
only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced
or transmitted in any form or by any means, electronic or mechanical, including photocopying and
recording for any purpose other than the purchaser’s personal use without the written permission of
One Identity LLC.
The information in this document is provided in connection with One Identity products. No license,
express or implied, by estoppel or otherwise, to any intellectual property right is granted by this
document or in connection with the sale of One Identity LLC products. EXCEPT AS SET FORTH IN THE
TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT,
ONE IDENTITY ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR
STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-
INFRINGEMENT. IN NO EVENT SHALL ONE IDENTITY BE LIABLE FOR ANY DIRECT, INDIRECT,
CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT
LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF
INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF
ONE IDENTITY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. One Identity makes no
representations or warranties with respect to the accuracy or completeness of the contents of this
document and reserves the right to make changes to specifications and product descriptions at any
time without notice. One Identity does not make any commitment to update the information
contained in this document.
If you have any questions regarding your potential use of this material, contact:
One Identity LLC.
Attn: LEGAL Dept
4 Polaris Way
Aliso Viejo, CA 92656
Refer to our Web site (http://www.OneIdentity.com) for regional and international office information.
Patents
One Identity is proud of our advanced technology. Patents and pending patents may apply to this
product. For the most current information about applicable patents for this product, please visit our
website at http://www.OneIdentity.com/legal/patents.aspx.
Trademarks
One Identity and the One Identity logo are trademarks and registered trademarks of One Identity
LLC. in the U.S.A. and other countries. For a complete list of One Identity trademarks, please visit
our website at www.OneIdentity.com/legal. All other trademarks are the property of their
respective owners.
Legend

WARNING: A WARNING icon highlights a potential risk of bodily injury or property
damage, for which industry-standard safety precautions are advised. This icon is
often associated with electrical hazards related to hardware.

CAUTION: A CAUTION icon indicates potential damage to hardware or loss of data if
instructions are not followed.
Active Roles Synchronization Service Administration Guide


Updated - October 2022
Version - 8.0 LTS
Contents

Synchronization Service Overview 12


About Synchronization Service 12
Features and benefits 13
Bidirectional synchronization 13
Delta processing mode 13
Synchronization of group membership 14
Windows PowerShell scripting 14
Attribute synchronization rules 14
Rule-based generation of distinguished names 14
Scheduling capabilities 15
Extensibility 15
Azure Backsync Configuration 16
Technical overview 17
Synchronization Service 17
Capture Agent 17
Connectors and connected data systems 18
Synchronization workflows and steps 19

Deploying Synchronization Service 20


Deployment steps 20
Step 1: Install Synchronization Service 20
Step 2: Configure Synchronization Service 21
Step 3: Configuring Azure BackSync 23
Configuring automatic Azure BackSync 24
Configuring manual Azure BackSync 26
Settings updated after Azure backsync configuration operation 29
Finding the GUID (Tenant ID) of an Azure AD for Azure BackSync 31
Upgrade from Quick Connect and Synchronization Service 31
Limitations 32
Upgrade steps 32
Communication ports 33

Getting started 36

Active Roles 8.0 LTS Synchronization Service Administration Guide


3
Synchronization Service Administration Console 36
Sync Workflows tab 38
Sync History tab 39
Connections tab 39
Mapping tab 40
Password Sync tab 41
Configuring diagnostic logging 41
Steps to synchronize identity data 42
Management Shell 43
Cmdlet naming conventions 44
Getting help 44

Connections to external data systems 46


External data systems supported with built-in connectors 46
Working with Active Directory 47
Creating an Active Directory connection 49
Modifying an existing Active Directory connection 50
Communication ports required to synchronize data between two AD domains 51
Synchronizing user passwords between two AD domains 51
Synchronizing SID history of users or groups 52
Working with an AD LDS (ADAM) instance 53
Creating an AD LDS (ADAM) instance connection 54
Modifying an existing AD LDS (ADAM) instance connection 55
Working with Skype for Business Server 56
Creating a new Skype for Business Server connection 57
Modifying an existing Skype for Business Server connection 57
Skype for Business Server data supported out of the box 58
Attributes required to create a Skype for Business Server user 72
Getting or setting the Telephony option value in Skype for Business Server 72
Working with Oracle 73
Working with Oracle Database 73
Working with Oracle Database user accounts 77
Working with Exchange Server 81
Creating a new connection to Exchange Server 82
Modifying an existing connection to Exchange Server 84
Exchange Server data supported out of the box 85

Scenario: Migrate mailboxes from one Exchange Server to another 101
Working with Active Roles 103
Creating an Active Roles connection 104
Modifying an Active Roles connection 105
Working with One Identity Manager 106
Creating a One Identity Manager connection 107
Modifying a One Identity Manager connection 108
One Identity Manager Connector configuration file 108
Working with a delimited text file 109
Creating a delimited text file connection 110
Modifying an existing delimited text file connection 112
Working with Microsoft SQL Server 114
Creating a Microsoft SQL Server connection 115
Modifying an existing Microsoft SQL Server connection 116
Sample queries to modify SQL Server data 118
Working with Micro Focus NetIQ Directory 119
Creating a Micro Focus NetIQ Directory connection 120
Modifying an existing Micro Focus NetIQ Directory connection 121
Specify connection settings 122
Specify naming attributes 123
Working with Salesforce 124
Creating a Salesforce connection 125
Modifying an existing Salesforce connection 126
Salesforce data supported out of the box 126
Scenario: Provisioning users from an Active Directory domain to Salesforce 130
Working with ServiceNow 131
Creating a ServiceNow connection 132
Modifying an existing ServiceNow connection 134
ServiceNow data supported out of the box 134
Working with Oracle Unified Directory 135
Creating an Oracle Unified Directory connection 136
Modifying an existing Oracle Unified Directory Server connection 137
Specify naming attributes 139
Working with an LDAP directory service 139
Creating an LDAP directory service connection 140

Modifying an existing Generic LDAP directory service connection 143
Specify password sync parameters for LDAP directory service 145
Working with IBM DB2 146
Creating an IBM DB2 connection 147
Modifying an existing IBM DB2 connection 148
Working with IBM AS/400 150
Creating an IBM AS/400 connection 151
Modifying an existing IBM AS/400 connection 152
Specify connection settings 152
Additional considerations 152
Working with an OpenLDAP directory service 153
Creating an OpenLDAP directory service connection 154
Modifying an existing OpenLDAP directory service connection 156
Working with IBM RACF connector 158
Creating a IBM RACF connection 159
Modifying a IBM RACF connection 159
Example of Mapping for Dataset Information 160
Create SQL Database and Table 160
Provisioning Datasets 160
Updating datasets 161
Deprovisioning datasets 162
Running TSO command 163
Working with MySQL database 164
Creating a MySQL database connection 165
Modifying an existing MySQL database connection 167
Working with an OLE DB-compliant relational database 169
Creating an OLE DB-compliant relational database connection 169
Modifying an existing OLE DB-compliant data source connection 170
Working with SharePoint 172
Creating a SharePoint connection 173
SharePoint data supported out of the box 173
Considerations for creating objects in SharePoint 224
Configuring data synchronization with the Office 365 Connector 224
Creating a Microsoft 365 connection 225
Viewing or modifying a Microsoft 365 connection 227

Microsoft 365 data supported for data synchronization 228
Objects and attributes specific to Microsoft 365 services 330
How the Office 365 Connector works with data 331
Configuring data synchronization with the Microsoft Azure AD Connector 332
Configuring a Microsoft Azure AD connection 332
Viewing or modifying a Microsoft Azure AD connection 336
Microsoft Azure AD object types supported for data synchronization 336
Configuring data synchronization with the SCIM Connector 342
Creating a SCIM connection 343
Modifying a SCIM connection 344
Additional authentication parameters 344
Supported objects and operations 345
Configuring data synchronization with the Generic SCIM Connector 346
Configuring the Generic SCIM Connector for Starling Connect connections 347
Viewing or modifying the settings of a Generic SCIM Connector connection 352
Using connectors installed remotely 354
Steps to install Synchronization Service and built-in connectors remotely 354
Creating a connection using a remotely installed connector 355
Creating a connection 355
Renaming a connection 356
Deleting a connection 356
Modifying synchronization scope for a connection 356
Using connection handlers 357
Specifying password synchronization settings for a connection 359

Synchronizing identity data 361


Getting started with identity data synchronization 361
Managing sync workflows 363
Creating a sync workflow 363
Running a sync workflow 363
Running a sync workflow manually 364
Running a sync workflow on a recurring schedule 364
Disabling a sync workflow run schedule 365
Renaming a sync workflow 365
Deleting a sync workflow 365
Managing sync workflow steps 366

Adding a creating step 366
Creating an updating step 368
Creating a deprovisioning step 369
Modifying a step 370
General Options tab 371
Source tab 371
Target tab 372
Creation Rules tab 372
Deprovisioning Rules tab 373
Updating Rules Tab 373
Step Handlers tab 374
Deleting a step 374
Changing the order of steps in a sync workflow 375
Generating object names by using rules 375
Modifying attribute values by using rules 377
Configuring a forward sync rule 377
Configuring a reverse sync rule 379
Configuring a merge sync rule 380
Using value generation rules 381
Configuring a rule entry 382
Using sync workflow step handlers 383
Example: Synchronizing group memberships 384
Example: Synchronizing multivalued attributes 384
Using sync workflow alerts 385
Creating or editing a sync workflow alert 386
Deleting a sync workflow alert 387
Managing outgoing mail profiles 387

Mapping objects 389


About mapping objects 389
Steps to map objects 391
Step 1: Create mapping pairs 391
Step 2: Create mapping rules 391
Step 3 (optional): Change scope for mapping rules 392
Step 4: Run map operation 393
Steps to unmap objects 394

Automated password synchronization 396
About automated password synchronization 396
Steps to automate password synchronization 397
Managing Capture Agent 398
Installing Capture Agent manually 399
Using Group Policy to install Capture Agent 400
Uninstalling Capture Agent 401
Managing password sync rules 401
Creating a password sync rule 402
Deleting a password sync rule 403
Modifying settings of a password sync rule 403
Fine-tuning automated password synchronization 404
Configuring Capture Agent 405
Step 1: Create and link a Group Policy object 406
Step 2: Add administrative template to Group Policy object 406
Step 3: Use Group Policy object to modify Capture Agent settings 407
Configuring Synchronization Service 407
Specifying a custom certificate for encrypting password sync traffic 409
Step 1: Obtain and install a certificate 409
Step 2: Export custom certificate to a file 410
Step 3: Import certificate into certificates store 411
Step 4: Copy certificate’s thumbprint 411
Step 5: Provide certificate’s thumbprint to Capture Agent 412
Step 6: Provide certificate’s thumbprint to Synchronization Service 413
Using PowerShell scripts with password synchronization 413
Example of a PowerShell script run after password synchronization 414

Synchronization history 415


About synchronization history 415
Viewing sync workflow history 416
Viewing mapping history 417
Searching synchronization history 418
Cleaning up synchronization history 418

Scenarios of use 420


About scenarios 420

Scenario 1: Create users from a .csv file to an Active Directory domain 421
Step 1: Create a sync workflow 422
Step 2: Add a creating step 422
Step 3: Run the configured creating step 424
Step 4: Commit changes to Active Directory 424
Scenario 2: Use a .csv file to update user accounts in an Active Directory domain 425
Step 1: Create an updating step 425
Step 2: Run the created updating step 426
Step 3: Commit changes to Active Directory 426
Scenario 3: Synchronizing data between One Identity Manager Custom Target
Systems and an Active Directory domain 427
Step 1: Create connection to One Identity Manager 428
Step 2: Configure One Identity Manager modules, Custom Target System and
Container Information 428
Step 3: Create Workflow for Provisioning 429
Step 4: Create Provisioning 429
Step 5: Specify the synchronization rules 429
Step 6: Execute Workflow 430
Step 7: Commit changes to One Identity Manager 430
Step 8: Verify on One Identity Manager 430
Scenario 4: Deprovisioning between One Identity Manager Custom Target Systems
and an Active Directory domain 431
Scenario 5: Provisioning of Groups between One Identity Manager Custom Target
Systems and an Active Directory domain 432
Scenario 6: Enabling Delta Sync mode between One Identity Manager Custom Target
Systems and an Active Directory domain 433
Example of using the Generic SCIM Connector for data synchronization 434
Creating object mapping between a SCIM connection and an SQL connection 435
Creating a synchronization workflow for synchronizing data from a SCIM-based
Starling Connect connector 438
Synchronizing complex multi-value objects from a SCIM source system 444

Appendix A: Developing PowerShell scripts for attribute synchronization rules 448
Accessing source and target objects using built-in hash tables 448
Example script 449

Appendix B: Using a PowerShell script to transform passwords 451

Accessing source object password 451
Example script 451

About us 453
Contacting us 453
Technical support resources 453

1 Synchronization Service Overview

- About Synchronization Service
- Features and benefits
- Technical overview
About Synchronization Service


Within the same organization identity information can be stored in many different data
systems, such as directories, databases, or formatted dump files. To manage identity
information and synchronize it between these data systems, administrators sometimes
have to spend a considerable amount of time and effort. On top of that, performing the
data synchronization tasks manually is error-prone and can lead to the duplication of
information and incompatibility of data formats.
With Synchronization Service, a component of Active Roles (formerly known as
ActiveRoles®), you can completely automate the process of identity data synchronization
between the data systems used in your enterprise environment.
Synchronization Service increases the data management efficiency by allowing you to
automate the creation, deprovision, and update operations between the data systems you
use. For example, when an employee joins or leaves the organization, the related
information in the data systems managed by Synchronization Service is automatically
updated, thereby reducing your administrative workload and getting the new users up and
running faster.
The use of scripting capabilities provides a flexible way to automate day-to-day
administration tasks and integrate the administration of managed data systems with other
business processes. By automating regular synchronization tasks, Synchronization Service
allows administrators to concentrate on strategic issues, such as planning the directory,
increasing enterprise security, and supporting business-critical applications.
To synchronize identity data between external data systems, you must connect
Synchronization Service to these data systems through connectors. A connector enables
Synchronization Service to access a specific data system and to read and synchronize data in
that system according to your settings.

Out of the box, Synchronization Service includes a number of built-in connectors. The built-
in connectors do not require any license file.

Features and benefits

Synchronization Service offers the following major features:

- Bidirectional synchronization
- Delta processing mode
- Synchronization of group membership
- Windows PowerShell scripting
- Attribute synchronization rules
- Rule-based generation of distinguished names
- Scheduling capabilities
- Extensibility

Bidirectional synchronization
Bidirectional synchronization lets you synchronize all changes made to identity
information between your data systems in both directions. Using this type of
synchronization, you can proactively prevent identity information conflicts between
different data sources.
Note that bidirectional synchronization is unavailable for some of the supported data
systems. For details, refer to the sections about the supported data systems.

Delta processing mode

Delta processing mode lets you synchronize identities more quickly by processing
only the data that has changed in the source and target connected systems since their last
synchronization.
Full mode and delta mode together give you the flexibility to choose the
appropriate method for each synchronization task.
Note that delta processing mode is unavailable for some of the supported data systems.
For details, refer to the sections about the supported data systems.

Synchronization of group membership
Synchronization Service lets you ensure that group membership information is in sync
across all connected data systems. For example, when a group object is created in an AD LDS
(ADAM) instance from a group in an Active Directory domain, you can configure rules to
synchronize the Member attribute from the Active Directory domain to the AD LDS (ADAM)
instance.

Windows PowerShell scripting

The Management Shell component of Synchronization Service is an automation and
scripting shell that provides a command-line management interface for synchronizing data
between connected systems via the Synchronization Service.
The Management Shell is implemented as a Windows PowerShell snap-in extending the
standard Windows PowerShell functionality. The cmdlets provided by the Management
Shell conform to the Windows PowerShell standards and are fully compatible with the
default command-line tools that come with Windows PowerShell.
The Management Shell lets administrators perform attribute or password synchronization
operations by using Windows PowerShell scripts. For example, you can compose and run a
Windows PowerShell script that assigns values to the target object attributes using the
values of the source object attributes. For more information, see Appendix A: Developing
PowerShell scripts for attribute synchronization rules and Appendix B: Using a
PowerShell script to transform passwords.

Attribute synchronization rules

With Synchronization Service, you can create and configure synchronization rules to
generate values of target object attributes. These rules support the following types of
synchronization:

- Direct synchronization. Assigns the value of a source object attribute to the target
  object attribute you specify.
- Script-based synchronization. Allows you to use a Windows PowerShell script to
  generate the target object attribute value.
- Rule-based synchronization. Allows you to create and use rules to generate the
  target object attribute value you want.
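The following PowerShell shows the shape of a script-based synchronization rule that derives a target attribute (a mail address) from two source attributes. It is an added example, not code from the Active Roles guide or from One Identity. The guide's Appendix A describes built-in hash tables for reaching source and target objects; the variable name $srcObj and the keying of that hash table by LDAP attribute name are assumptions here, so the logic is kept in a function that accepts any hash table. The point a practitioner should take from it: the script runs with whatever write rights the Synchronization Service holds on the target system, so source attribute values must be treated as untrusted input and normalized before they are written.

```powershell
# Added example: script-based attribute synchronization rule (not from the guide).
# Assumption: a script-based rule can read source attributes from a hash table
# keyed by attribute name; $srcObj below stands in for that hash table.

function New-MailFromName {
    param(
        [Parameter(Mandatory)] [hashtable] $Source,
        [Parameter(Mandatory)] [string] $Domain
    )

    $given = [string]$Source['givenName']
    $sn    = [string]$Source['sn']

    # Refuse to generate an address when either part is missing. Returning $null
    # leaves the target attribute untouched instead of writing "@contoso.com".
    if ([string]::IsNullOrWhiteSpace($given) -or [string]::IsNullOrWhiteSpace($sn)) {
        return $null
    }

    # Normalize a name part: decompose and strip diacritics (Zoë -> Zoe), lower-case,
    # then keep only [a-z0-9.-] so the local part cannot carry spaces, quotes or
    # other characters the mail system would reject or interpret.
    $normalize = {
        param([string] $s)
        $decomposed = $s.Normalize([Text.NormalizationForm]::FormD)
        $sb = [Text.StringBuilder]::new()
        foreach ($ch in $decomposed.ToCharArray()) {
            if ([Globalization.CharUnicodeInfo]::GetUnicodeCategory($ch) -ne
                [Globalization.UnicodeCategory]::NonSpacingMark) {
                [void]$sb.Append($ch)
            }
        }
        ($sb.ToString().ToLowerInvariant() -replace '[^a-z0-9.-]', '')
    }

    $local = ('{0}.{1}' -f (& $normalize $given), (& $normalize $sn)).Trim('.')
    if ($local.Length -eq 0) { return $null }

    return '{0}@{1}' -f $local, $Domain
}

# In a script-based rule the value produced by the script becomes the target
# attribute value. Constructed sample input standing in for the source object:
$srcObj = @{ givenName = 'Zoë'; sn = "O'Brien" }
New-MailFromName -Source $srcObj -Domain 'contoso.com'
```

If the rule is used for an attribute that must be unique in the target (mail, sAMAccountName, userPrincipalName), uniqueness still has to be enforced by the target system or by a collision check against it; the script alone only guarantees a well-formed value.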

Rule-based generation of distinguished names

Synchronization Service lets you create flexible rules for generating the distinguished
names (DNs) of objects being created. These rules allow you to ensure that created objects
are named in full compliance with the naming conventions existing in your organization.
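DN generation rules are configured in the Administration Console; the PowerShell below is an added example, not code from the guide or from One Identity, showing the two things such a rule has to get right when source data is untrusted: RDN values must be escaped per RFC 4514 so a display name containing a comma or plus sign cannot change where the object lands, and the container part of the DN should come from an allow-list rather than straight from a source attribute. The attribute names, the OU layout and the base DN are assumptions.

```powershell
# Added example: generating a target DN from source attributes (not from the guide).
# Assumptions: source attributes displayName and department, a fixed base DN and
# the OU layout in $containers.

function ConvertTo-RdnValue {
    param([Parameter(Mandatory)] [string] $Value)
    # RFC 4514 escaping. String.Replace is literal, so escape the backslash first
    # and then the other special characters (order matters).
    $escaped = $Value.Replace('\', '\\')
    foreach ($c in @(',', '+', '"', '<', '>', ';', '=')) {
        $escaped = $escaped.Replace($c, '\' + $c)
    }
    # A leading '#' or space, and a trailing space, must also be escaped.
    if ($escaped.StartsWith('#') -or $escaped.StartsWith(' ')) { $escaped = '\' + $escaped }
    if ($escaped.EndsWith(' ')) { $escaped = $escaped.Substring(0, $escaped.Length - 1) + '\ ' }
    # Control characters have no place in an RDN; drop them.
    return ($escaped -replace '[\x00-\x1F]', '')
}

function New-TargetDN {
    param(
        [Parameter(Mandatory)] [hashtable] $Source,
        [string] $BaseDN = 'DC=corp,DC=example,DC=com'
    )
    # Only known department values map to provisioning containers. Anything else
    # goes to a quarantine OU instead of being used verbatim in the DN, so a crafted
    # source record cannot place an object under OU=Domain Controllers or an admin OU.
    $containers = @{
        'Finance'     = 'OU=Finance,OU=Users'
        'Engineering' = 'OU=Engineering,OU=Users'
    }

    $cn = [string]$Source['displayName']
    if ([string]::IsNullOrWhiteSpace($cn)) {
        throw 'displayName is required to generate a DN'
    }
    $dept = [string]$Source['department']
    $ou = if ($containers.ContainsKey($dept)) { $containers[$dept] } else { 'OU=Quarantine,OU=Users' }

    return 'CN={0},{1},{2}' -f (ConvertTo-RdnValue $cn), $ou, $BaseDN
}

# Constructed sample: a display name with DN-special characters and a department
# value that tries to smuggle in a container name.
$srcObj = @{ displayName = 'Smith, John (Acme, Inc.)'; department = 'OU=Domain Controllers' }
New-TargetDN -Source $srcObj
```

Objects that end up in the quarantine OU are easy to report on and are a useful signal that the source feed contains values the naming rule did not expect.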

Scheduling capabilities
You can schedule the execution of data synchronization operations and automatically
perform them on a regular basis to satisfy your company’s policy and save time and effort.

Extensibility
To access external data systems, Synchronization Service employs special connectors. A
connector enables Synchronization Service to read and synchronize the identity data
contained in a particular data system. Out of the box, Synchronization Service includes
connectors that allow you to connect to the following data systems:

- Microsoft Active Directory Domain Services
- Microsoft Active Directory Lightweight Directory Services
- Microsoft Exchange Server
- Microsoft Skype for Business Server
- Microsoft Azure Active Directory
- Microsoft Office 365
- Microsoft SQL Server
- Microsoft SharePoint
- Active Roles version 7.4.x, 7.3, 7.2, 7.1, 7.0, or 6.9
- One Identity Manager version 8.1, 8.0, or 7.0
- Data sources accessible through an OLE DB provider
- Delimited text files
- Generic LDAP Directory service
- MySQL Database
- OpenLDAP Directory service
- Salesforce
- ServiceNow
- IBM DB2 Database
- IBM RACF Connector
- IBM AS/400 Connector
- Oracle Database connector
- Oracle Database User Accounts connector
- Micro Focus NetIQ Directory connector
- Oracle Unified Directory connector

Azure Backsync Configuration

In a hybrid environment, on-premises Active Directory objects are synchronized to
Azure AD by a tool such as Azure AD Connect. When Active Roles is deployed in such an
environment, information about the existing users and groups, such as the Azure
objectID, must be synchronized back from Azure AD to on-premises AD for Active Roles
to keep working with those objects. Synchronizing existing AD users and groups from Azure
AD to Active Roles is done with the back-synchronization operation.
Back-synchronization is performed by leveraging the existing functionality of Active Roles
Synchronization Service: synchronization workflows identify the unique users and groups
in Azure AD and map them to the corresponding on-premises AD users and groups. After the
back-synchronization operation completes, Active Roles displays the configured Azure
attributes for the synchronized objects.
The Azure Backsync Configuration feature lets you configure the backsync operation
between Azure and on-premises Active Directory objects through the Synchronization
Service Web interface. The required connections, mappings, and sync workflow steps are
created automatically.
When you configure back-synchronization, the Azure App registration is created
automatically with the default app ActiveRoles_AutocreatedAzureBackSyncApp_V2.

NOTE:

- If you get an "application not found" error, retry the configure back-synchronization
  operation after some time, because the Azure App registration can take a while to
  synchronize.
- If you reuse existing back-synchronization configuration settings, the existing default
  app ActiveRoles_AutocreatedAzureBackSyncApp is used to run the back-synchronization
  workflow. One Identity recommends using the default app
  ActiveRoles_AutocreatedAzureBackSyncApp_V2 instead, because it requires fewer
  administrator privileges. To switch to the latest Azure App, configure
  back-synchronization again. For details, see Step 3: Configuring Azure BackSync.
- For back-synchronization to work as expected, the user in ARS must have write
  permissions for edsvaAzureOffice365Enabled, edsaAzureContactObjectId,
  edsvaAzureObjectID, and edsvaAzureAssociatedTenantId. The user must also have local
  administrator privileges on the computer where the ARS Synchronization Service runs.

Technical overview
The following illustration shows how Synchronization Service synchronizes data between
connected data systems.

Figure 1: Synchronization of data between connected systems

Synchronization Service uses Capture Agents, connected data systems, connectors,
connections, and sync workflows to synchronize identity data.

Synchronization Service
Synchronization Service performs data synchronization operations and includes the
Administration Console, which provides a graphical user interface for managing connections
to data systems and data synchronization operations.

Capture Agent
Synchronization Service Capture Agent allows you to synchronize user passwords between
Active Directory domains managed by Synchronization Service and other connected data
systems. The following diagram shows how the Password Synchronization feature of
Synchronization Service works:

Figure 2: Password synchronization

Capture Agent tracks changes to user passwords in the source Active Directory domain and
provides that information to Synchronization Service, which in turn synchronizes the
changes with target connected data systems by using the password synchronization rules
you specified. To synchronize passwords, you need to install Capture Agent on each domain
controller in the Active Directory domain you want to use as a source for the password
synchronization operations.

Connectors and connected data systems

Synchronization Service lets you synchronize identity information between a wide variety
of external data systems. To synchronize identities, you must connect Synchronization
Service to your data systems through special connectors. A connector enables
Synchronization Service to access a specific data system and read and synchronize identity
data in that system.
Out of the box, Synchronization Service supports the following data systems:

- Microsoft Active Directory Domain Services
- Microsoft Active Directory Lightweight Directory Services
- Microsoft Exchange Server
- Microsoft Skype for Business Server
- Microsoft Azure Active Directory
- Microsoft Office 365
- Microsoft SQL Server
- Microsoft SharePoint
- Active Roles version 7.4.x, 7.3, 7.2, 7.1, 7.0, or 6.9
- One Identity Manager version 7.0 (D1IM 7.0)
- One Identity Manager version 8.1 or 8.0
- Data sources accessible through an OLE DB provider
- Delimited text files
- Generic LDAP Directory service
- MySQL Database
- OpenLDAP Directory service
- Salesforce
- ServiceNow
- IBM DB2 Database
- IBM RACF Connector
- Oracle Database connector
- Oracle Database User Accounts connector
- Micro Focus NetIQ Directory connector
- Oracle Unified Directory connector
- IBM AS/400

Synchronization workflows and steps

A synchronization workflow (sync workflow) is a set of synchronization steps (or
synchronization operations) that define how to synchronize objects between two connected
data systems. A sync workflow can comprise one or more synchronization steps. You can
use the Administration Console, a component of Synchronization Service, to configure as
many sync workflows as needed.
You can configure a synchronization step to perform one of the following operations:

- Creation. Creates objects in the target connected data systems based on the
  changes made to specific objects in the source connected system. When creating a
  new object, Synchronization Service assigns initial values to the object attributes
  based on the attribute population rules you have configured.
- Update. Changes the attributes of objects in the target connected data systems
  based on the changes made to specific objects in the source connected system. To
  define the objects that will participate in the update operation you can use object
  mapping rules. For more information, see Mapping objects.
- Deprovision. Modifies or removes objects in the target connected data systems
  after their counterparts have been disconnected from the source connected system.
  Synchronization Service can be configured to remove objects permanently or change
  them to a specific state.

2 Deploying Synchronization Service

- Deployment steps
- Upgrade from Quick Connect and Synchronization Service
- Communication ports

Deployment steps
Perform these steps to deploy Synchronization Service:

- Step 1: Install Synchronization Service
- Step 2: Configure Synchronization Service
- Step 3: Configuring Azure BackSync

Step 1: Install Synchronization Service


To install Synchronization Service

1. Make sure the system on which you wish to install Synchronization Service meets the
system requirements provided in the Active Roles Release Notes.
2. From the Active Roles installation package, run the Setup.exe file to launch the
Active Roles setup.
3. Follow the instructions in the setup wizard.
4. On the Component Selection page, select the Synchronization Service check
box and click Next to install Synchronization Service, console, built-in connectors,
and Management Shell. The console is a graphical user interface providing access to
the Synchronization Service functionality. Synchronization Service manages data
flows between connected data systems. Connectors enable Synchronization Service
to access specific data systems to read and synchronize identity data.

Management Shell is an automation and scripting shell that provides a command-line
management interface for synchronizing data between external data systems via
Synchronization Service. For more information, see Management Shell.

5. On the Ready to Install page, click Install.
6. Click Finish to exit the wizard.

To install Synchronization Service Management Shell

1. Open the command prompt with administrator privileges.
2. At the command prompt, navigate to the <Installer Location> | Components |
ActiveRoles Synchronization Service folder.
3. Type SyncService.msi INSTALLSYNCSHELL=1 to install the Synchronization Service
Management Shell.
To uninstall, navigate to Add or remove programs, double-click the installed
Active Roles Synchronization shell component, and click Uninstall to remove the
application.

NOTE:
l Running the SyncService.msi component with INSTALLSYNCSHELL=0, or double-clicking
SyncService.msi directly, installs both the Synchronization Service and the
Synchronization Service Management Shell components.
l When both the service and shell components for Synchronization Service are
required, One Identity recommends using the standard method of installing
Synchronization Service. For more information on installing Synchronization
Service, see Step 1: Install Synchronization Service.
l To install only the Synchronization Service Management Shell component, use
the command prompt.

Step 2: Configure Synchronization Service


To configure Synchronization Service you installed in Step 1: Install Synchronization
Service, you can use one of the following methods:

l Specify new SQL Server or Azure SQL Server databases for storing the
Synchronization Service data.
With this method, you can select to store the configuration settings and
synchronization data either in a single new SQL Server database or in two
separate databases.
l Share existing configuration settings between two or more instances of
Synchronization Service.

Prerequisite:

l If you are using Azure SQL Server, assign the db_owner database role to the
Azure SQL Server user.
l If you are using SQL Server, assign the dbcreator server role to the SQL
Server user.
dbcreator is the minimum role that the SQL Server or Azure SQL Server user
requires for the initial configuration of Synchronization Service.
After the new database has been created, you can revoke the dbcreator role,
because the db_owner role that is automatically assigned to the same SQL Server
user is sufficient for the Synchronization Service database connection.
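As an added example (not part of the One Identity guide), this PowerShell script applies the least-privilege sequence described in the prerequisite for SQL Server: it grants the service account dbcreator before the wizard runs and, once the wizard has created the database, verifies that the account owns it and then revokes dbcreator. It assumes the SqlServer module's Invoke-Sqlcmd, a caller who is sysadmin on the instance, and Windows authentication; the instance, login and database names are placeholders.

```powershell
<#
Added example, not part of the One Identity documentation. Phase 'Prepare'
grants the service account dbcreator before the configuration wizard runs;
phase 'Tighten' confirms the account owns the database the wizard created
(which is what gives it db_owner) and then drops dbcreator. Not for Azure SQL,
where the guide says to assign db_owner directly. All names are placeholders.
#>
param(
    [Parameter(Mandatory)] [ValidateSet('Prepare', 'Tighten')] [string] $Phase,
    [string] $SqlInstance    = 'SQL01\ARS',                # placeholder instance
    [string] $ServiceLogin   = 'CONTOSO\svc-syncservice',  # placeholder Windows login
    [string] $ConfigDatabase = 'ARSSyncService'            # placeholder; the name entered in the wizard
)

# Quote values for T-SQL: identifiers in brackets, strings as N'...' literals.
$loginId      = '[' + $ServiceLogin.Replace(']', ']]') + ']'
$loginLiteral = "N'" + $ServiceLogin.Replace("'", "''") + "'"
$dbLiteral    = "N'" + $ConfigDatabase.Replace("'", "''") + "'"

switch ($Phase) {
    'Prepare' {
        # dbcreator is the minimum server role for the initial configuration.
        $sql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = $loginLiteral)
    CREATE LOGIN $loginId FROM WINDOWS;
ALTER SERVER ROLE dbcreator ADD MEMBER $loginId;
SELECT IS_SRVROLEMEMBER('dbcreator', $loginLiteral) AS IsDbCreator;
"@
        Invoke-Sqlcmd -ServerInstance $SqlInstance -Query $sql
    }
    'Tighten' {
        # Run after the wizard has created the database. The login that created
        # it is recorded as its owner in sys.databases.owner_sid.
        $check = @"
SELECT CASE WHEN owner_sid = SUSER_SID($loginLiteral) THEN 1 ELSE 0 END AS OwnsDatabase
FROM sys.databases WHERE name = $dbLiteral;
"@
        $row = Invoke-Sqlcmd -ServerInstance $SqlInstance -Query $check
        if (-not $row -or $row.OwnsDatabase -ne 1) {
            throw "Login $ServiceLogin does not own $ConfigDatabase; dbcreator left in place."
        }
        # Ownership confirmed: the server-level role is no longer needed.
        Invoke-Sqlcmd -ServerInstance $SqlInstance -Query "ALTER SERVER ROLE dbcreator DROP MEMBER $loginId;"
        Invoke-Sqlcmd -ServerInstance $SqlInstance -Query "SELECT IS_SRVROLEMEMBER('dbcreator', $loginLiteral) AS IsDbCreator;"
    }
}
```

If you chose to store sync data in a separate database, run the Tighten phase only after both databases exist, checking ownership of each.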

To configure Synchronization Service using a new database

1. Start the Synchronization Service Administration Console.
2. Follow the steps in the wizard that starts automatically to configure
Synchronization Service.
3. On the Service Account and Mode page, specify the following and click Next:
l The account under which you want Synchronization Service to run.
l The mode (local or remote) in which you want to use Synchronization Service.
Use the remote mode to work with connectors installed remotely. For more
information, see Using connectors installed remotely. If you select the remote
mode, click Finish to close the wizard.
4. Select Create a new configuration and click Next.
5. On the Database Connection page, specify an SQL Server database.
l SQL Server: Enter the name of the SQL Server computer that hosts the
database you want to participate in data synchronization operations.
l Database: Enter a name for the new SQL Server database.
6. (Optional) Select the Store sync data in a separate database check box.
l If you want to store the configuration settings and synchronization data in a
single SQL Server database, clear the checkbox.
l If you want to store the configuration settings and synchronization data in two
separate databases, select the check box, and then specify the database in
which you want to store the synchronization data.
7. On the Database Connection page, select an SQL Server authentication method,
and click Next.
NOTE: For all Azure SQL Server variants, select Use SQL Server authentication
because Windows authentication is not supported.
l Use Windows authentication: Allows you to access the SQL Server in
the security context of the account under which the Synchronization
Service is running.

l Use SQL Server authentication: Allows you to access the SQL Server in the
security context of the SQL Server user account whose user name and
password you specify.
8. On the Configuration File page, select the file for storing the created configuration
profile, protect the file with a password, and click Finish.

To configure Synchronization Service using an existing database

1. Start the Synchronization Service Administration Console.
2. Follow the steps in the wizard that starts automatically to configure
Synchronization Service.
3. On the Service Account and Mode page, specify the following and click Next:
l The account under which you want Synchronization Service to run.
l The mode (local or remote) in which you want to use Synchronization Service.
Use the remote mode to work with connectors installed remotely. For more
information, see Using connectors installed remotely. If you select the remote
mode, click Finish to close the wizard.
4. Select Use an existing configuration and click Next.
5. On the Configuration File page, select the I have the configuration file check
box to provide the configuration file you exported from an existing Synchronization
Service instance, enter the password if necessary, and click Next. If you do not have
the configuration file, after clicking Next you will need to enter the required settings.
6. If you provided the configuration file, specify the authentication method for
accessing the database. Otherwise, enter the required database name and select the
authentication method. Click Finish.

After you configure Synchronization Service, you can change its settings at any time using
this Configuration wizard. To start the wizard, start the Administration console and click the
gear icon in the upper right corner of the console.

Step 3: Configuring Azure BackSync


In hybrid environments, on-premises Active Directory objects are synchronized to Azure
AD, for example via Azure AD Connect. When you deploy Active Roles in such a hybrid
environment, this synchronization works only if existing user and group information
(such as the Azure objectID) are also synchronized back from Azure AD to the on-
premises AD. Active Roles uses Azure back-synchronization (also known as Azure
BackSync) for this purpose.

Prerequisites

The hybrid environment must meet the following requirements to configure Azure
BackSync:

l Azure AD Connect must be installed and configured.
l Azure Active Directory (Azure AD) module version 2.0.0.131 or later must be
installed and configured.
l The Directory Writers role must be enabled in Azure Active Directory. To enable the
role, use the following script:

# Sign in to Azure AD with the credentials of an account that can activate roles
$psCred = Get-Credential
Connect-AzureAD -Credential $psCred
# Look up the role template for Directory Writers
$roleTemplate = Get-AzureADDirectoryRoleTemplate | ? { $_.DisplayName -eq "Directory Writers" }

# Enable an instance of the DirectoryRole template
Enable-AzureADDirectoryRole -RoleTemplateId $roleTemplate.ObjectId

In addition, the user account you use to configure Azure BackSync must have the
following roles:

l User Administrator
l Exchange Administrator
l Application Administrator
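As an added example (not code from the One Identity guide), the following PowerShell script checks these prerequisites before the wizard is run: that the Directory Writers role is activated, that the configuring account directly holds the three roles listed above, and it records the tenant ID the wizard asks for when a tenant has more than one Azure AD. It assumes the AzureAD module named above and an existing Connect-AzureAD session; the account UPN parameter is a placeholder.

```powershell
<#
Added example, not part of the One Identity documentation: verifies the Azure
BackSync prerequisites listed above. Assumes the AzureAD module (2.0.0.131 or
later) and that Connect-AzureAD has already been run in this session.
#>
param(
    # Placeholder: UPN of the account that will configure Azure BackSync.
    [Parameter(Mandatory)] [string] $ConfiguringAccountUpn
)

# Roles the guide requires for the configuring account.
$requiredAccountRoles = 'User Administrator', 'Exchange Administrator', 'Application Administrator'

# Get-AzureADDirectoryRole lists only activated roles; a role whose template has
# never been enabled (the Directory Writers case) is simply absent from it.
$activeRoles = Get-AzureADDirectoryRole
$findings = [System.Collections.Generic.List[object]]::new()

# 1. Directory Writers must be activated (the guide's Enable-AzureADDirectoryRole script does this).
$directoryWriters = $activeRoles | Where-Object { $_.DisplayName -eq 'Directory Writers' }
$findings.Add([pscustomobject]@{
    Check  = 'Directory Writers role enabled'
    Result = [bool]$directoryWriters
})

# 2. The configuring account must be a direct member of each required role.
#    Membership granted through role-assignable groups is not resolved here.
foreach ($roleName in $requiredAccountRoles) {
    $role = $activeRoles | Where-Object { $_.DisplayName -eq $roleName }
    $held = $false
    if ($role) {
        $members = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId
        $held = [bool]($members | Where-Object { $_.UserPrincipalName -eq $ConfiguringAccountUpn })
    }
    $findings.Add([pscustomobject]@{ Check = "Account holds $roleName"; Result = $held })
}

# 3. Record the tenant ID: the wizard asks for this GUID when the Azure tenant
#    contains more than one Azure AD.
$tenant = Get-AzureADTenantDetail
$findings.Add([pscustomobject]@{ Check = 'Tenant ID'; Result = $tenant.ObjectId })

$findings | Format-Table -AutoSize

# Fail loudly if any boolean check is false, so this can gate an automated rollout.
$failed = $findings | Where-Object { $_.Result -is [bool] -and -not $_.Result }
if ($failed) { throw "Azure BackSync prerequisites not met: $($failed.Check -join '; ')" }
```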

Automatic and Manual Azure BackSync

You can perform Azure back-synchronization via the Active Roles Synchronization Service
Console, either automatically or manually:

l You can configure automatic Azure back-synchronization via the (Settings) >
Configure Azure BackSync option of the Active Roles Synchronization Service
Console. For more information, see Configuring automatic Azure BackSync.
l You can also configure manual Azure back synchronization, using existing Active
Roles Synchronization Service feature components. For more information, see
Configuring manual Azure BackSync.

Configuring automatic Azure BackSync

You can configure automatic Azure back-synchronization (Azure BackSync) via the
(Settings) > Configure Azure BackSync option of the Active Roles Synchronization
Service Console. After you finish configuration, the Azure BackSync registration, its
required connections, mappings and workflows will be created automatically by the Active
Roles Synchronization Service.
For more information on setting up manual Azure back-synchronization, see Configuring
manual Azure BackSync.

To configure an automatic Azure BackSync workflow in Active Roles Synchronization Service

1. Open the Configure BackSync operation in Azure with on-prem Active Directory
objects window of the Active Roles Synchronization Service Console. To do so, click
(Settings) > Configure Azure BackSync.
2. Select the number of Azure AD services in your Azure tenant:
l If you have a single Azure AD in your Azure tenant, select I have one Azure
AD in my Azure tenant.
l If you have multiple Azure AD services in your Azure tenant, select I have
more than one Azure AD in my Azure tenant.
3. Authenticate your access to Azure AD:
a. If you have selected I have one Azure AD in my Azure tenant,
authenticate your access to Azure AD by clicking Log in to Azure.
b. If you have selected I have more than one Azure AD in my Azure
tenant, then in the Tenant ID text box, specify the GUID of the Azure AD for
which you want to set up synchronization.

TIP: For more information on how to find the GUID of an Azure AD service,
see Finding the GUID (Tenant ID) of an Azure AD for Azure BackSync.
After specifying the tenant ID, click Log in to Azure to authenticate your
access to Azure AD.
NOTE: If I have more than one Azure AD in my Azure tenant is
selected, the Log in to Azure button will be enabled only if you specify a
well-formed Azure AD GUID in the Tenant ID text box.
4. Specify whether you want to use a proxy server for the connection:
l Use WinHTTP settings: Configures the connector to use the proxy server
settings configured for Windows HTTP Services (WinHTTP).
l Automatically detect: Automatically detects and uses proxy server settings.
l Do not use proxy settings: Specifies to not use proxy server for the
connection.
5. Under Connect to, specify the domain name of the computer where the Active Roles
Synchronization Service Console is running.

6. Select the validation method used to access the Active Roles Administration Service.
Depending on how Active Roles has been deployed in your organization, you can
either use Synchronization Service account or Windows account-based
validation. If you have selected Windows account authentication, enter your
Windows user name and password.
7. To test the configured Active Roles connection, click Test Active Roles
Connection. Successful validation will be indicated by a success message.
8. To apply your changes, click Configure BackSync.
NOTE: If the Azure BackSync settings have already been configured previously,
Active Roles Synchronization Service will display a warning message to confirm if
you want to override the existing Azure BackSync settings with the new settings.
l To override the existing settings, click Override BackSync Settings.
l To keep the existing settings, click Cancel.
9. An Application Consent dialog will appear, prompting you for authentication. To
consent Active Roles, click OK.
Active Roles Synchronization Service will then automatically perform Azure
application registration, and will create the required connections, mappings, and
workflow steps for back-synchronization. For more information on the automatically
created Azure BackSync settings, see Settings updated after Azure backsync
configuration operation.
10. To make the new Azure BackSync workflow appear under Sync Workflows, close
and reopen the Active Roles Synchronization Service Console. The new Azure
BackSync workflow will appear with the following default name:
AutoCreated_AzureADBackSyncWorkFlow_<tenant-name>.

Configuring manual Azure BackSync


You can configure manual Azure back-synchronization (Azure BackSync) by using the
existing features of Active Roles Synchronization Service components. When setting up
manual Azure BackSync, you must configure synchronization workflows to identify Azure
AD-specific users or groups, and to map them to the corresponding on-premises AD users
or groups. After a manual Azure BackSync operation is completed, Active Roles will display
the configured Azure attributes for the synchronized objects.
For more information on setting up automatic Azure back-synchronization, see Configuring
automatic Azure BackSync.

Prerequisites

The hybrid environment must meet the following requirements to configure Azure
BackSync manually:

l Azure AD Connect must be installed and configured.
l Azure Active Directory (Azure AD) module version 2.0.0.131 or later must be
installed and configured.
l You must authenticate the Azure tenant of the Azure AD for which you configure
back-synchronization. Also, you must consent Active Roles as an Azure application.
For more information, see Configuring Active Roles to manage Azure AD using the
GUI in the Active Roles Administration Guide.
l For the container where Active Roles performs back-synchronization, you must
enforce the built-in Azure AD policy that automatically sets the attribute
edsvaAzureOffice365Enabled to true.
l Your Active Roles user must have write permissions for the following attributes:
l edsvaAzureOffice365Enabled
l edsaAzureContactObjectId
l edsvaAzureObjectID
l edsvaAzureAssociatedTenantId
l Your Active Roles user must also have local administrator privileges on the machine
where Active Roles Synchronization Service is running.

To configure a manual Azure BackSync workflow

1. Create a connection to Azure AD using the Azure AD Connector. The configuration
requires the following data:
l The Azure domain name.
l The Client ID in Azure AD.
l The Client Key to establish the connection to Azure AD.
2. Create an Azure Web Application (or use any relevant existing Azure Web
Application) under the Azure tenant of your Azure AD. The application must have
Application Permissions to read and write directory data in Azure AD.
TIP: You can assign the required permissions to the application by running a
Windows PowerShell script. For more information, see Configuring a Microsoft
Azure AD connection
3. Open the application properties and copy the following:
l Client ID
l The valid Client Key of the application.
4. Use the Client ID and Client Key when creating a new Azure AD connection or
modifying an existing one. For more information, see Configuring a Microsoft Azure
AD connection
NOTE: Two applications are required for Azure BackSync operations:
l The Web Application that you created in this step, or is already available for
the Synchronization Service Azure AD Connector.

l An Azure application that you created while configuring Azure AD in the
Active Roles Administration Service. For details, see Configuring Active Roles
to manage Azure AD using the GUI in the Active Roles Administration Guide.
Both applications are required for Azure BackSync operations.
5. Create a connection to Active Roles using the Active Roles Connector. The
configuration requires the local domain details and the version of Active Roles you
use. Define the scope to select the container from which Active Roles will select the
objects for synchronization.
6. In the Active Roles Synchronization Service Console, create a new sync workflow
with Sync Workflows > Add sync workflow. Use the Azure AD and Active Roles
connections configured previously, and add a synchronization step to synchronize the
Azure AD users or groups with the on-premises users or groups in Active Roles.
7. In the on-premises Active Roles users or groups, set the
edsvaAzureAssociatedTenantId attribute to the value of the Azure tenant ID.
NOTE: If you do not configure edsvaAzureAssociatedTenantId, an error will be
logged for each object in the Event Viewer.
8. Configure the Forward Sync Rule to synchronize the following:
l The Azure Object ID property of the Azure AD user or group to the
edsvaAzureObjectID property of the corresponding on-premises Active
Roles user or group.
l Set the edsvaAzureOffice365Enabled attribute in the on-premises Active
Roles user or group to true.
l Set the edsvaAzureAssociatedTenantId attribute to the value of the
Azure tenant ID.
9. Create a Mapping Rule. A mapping rule has two functions:
l It uniquely identifies the synchronized users or groups both in Azure AD and in
the on-premises AD.
l It maps the specified properties from Azure AD to Active Roles appropriately.
For example, the property userprincipalname can be used to map users between
the on-premises AD and Azure AD in a federated environment.

CAUTION: Based on the environment, make sure to create the correct mapping rule
to identify the user or group uniquely. Incorrect mapping rules may create
duplicate objects, resulting in Azure BackSync not working as expected.

NOTE: Consider the following when configuring manual Azure back-synchronization:
l You must perform the initial configuration and back-synchronization of Azure
AD user IDs only once.

l Azure AD groups cannot be created in Federated or Synchronized
environments. Instead, Azure AD groups are created in Active Roles and are
synchronized to Azure AD using native Microsoft tools, such as AAD Connect.
To manage the Azure AD group through Active Roles, you must perform
periodic back-synchronization to the on-premises AD.

Settings updated after Azure backsync configuration operation
This section gives descriptions about the Azure App registration, connections, mappings,
and workflow steps that are created automatically as a result of the Azure backsync
configuration operation.

App registration
The Azure App is created automatically with the default name as ActiveRoles
AutocreatedAzureBackSyncApp_V2.
NOTE: After the Azure App is registered in Azure, you must not delete or modify the
application. The backsync operation will not work as expected in case you modify or
delete the registered Azure App.

Sync Workflows
On the Synchronization Service Administration Console, click Sync Workflows to view the
sync workflow named AutoCreated_AzureADBackSyncWorkflow_<tenant name>
that is created as a result of the Azure BackSync configuration. The workflow displays the
following synchronization update steps from Azure AD to Active Roles for users, groups,
and contacts.

l Step 1: AutoCreated_UpdateFromAzureToARSForBackSyncWorkFlowUser_<tenant> for users.
l Step 2: AutoCreated_UpdateFromAzureToARSForBackSyncWorkFlowGroup_<tenant> for groups.
l Step 3: AutoCreated_UpdateFromO365ToARSForBackSyncWorkFlowContact_<tenant> for contacts.

NOTE:

l Multiple tenants are supported in back-sync. The workflows can be identified using
the name of the tenant.
l The Forward Sync Rules to synchronize the following are automatically configured
and displayed in the synchronization update steps for user and group:
l Azure ObjectID property of a user or group is mapped to the Active Roles
user or group edsvaAzureObjectID property.

l The edsvaAzureOffice365Enabled attribute in Active Roles user or group
is set to True.
l The edsvaAzureAssociatedTenantId attribute in Active Roles user or
group is set to Azure Tenant ID.
l The Forward Sync Rules to synchronize the following are automatically configured
and displayed in the synchronization update steps for contacts:
l Azure ExternalDirectoryObjectID property of a contact is mapped to the
Active Roles contact edsaAzureContactObjectId property.
l The edsvaAzureOffice365Enabled attribute in Active Roles user or group
is set to True.
l The edsvaAzureAssociatedTenantId attribute in Active Roles user or
group is set to Azure Tenant ID.

Connections
On the Synchronization Service Administration Console, click Connections to view the
connections from Active Roles, Azure AD, and Office 365 to external data systems. The
following connections are configured and displayed by default:

l AutoCreated_ARSConnectorForBackSyncWorkFlow_<tenant>
l AutoCreated_AzureADConnectorForBackSyncWorkFlow_<tenant>
l AutoCreated_O365ConnectorForBackSyncWorkFlow_<tenant>

NOTE: Multiple tenants are supported in back-sync. The connection name can be
identified using the name of the tenant.

Mapping
On the Synchronization Service Administration Console, click Mapping to view the
Mapping rules which identify the users, groups, or contacts in Azure AD and on-premises
AD uniquely and map the specified properties from Azure AD to Active Roles appropriately.
On the Mapping tab, click a connection name to view or modify the mapping settings for the
corresponding connection. The user, group, and contact mapping pair information is
displayed by default as a result of the Azure BackSync configuration. For example, the
property userprincipalname can be used to map users between on-premises AD and
Azure AD in a federated environment.
NOTE:

l For more information on managing mapping pairs for the connections, see the
Mapping Tab section.
l The mapping rules are created by default. Based on the environment, make sure
that the default mapping rules identify the user or group uniquely; otherwise,
correct the mapping rule as required. Incorrect mapping rules may create
duplicate objects, and the back-sync operation may not work as expected.

l Initial configuration and execution of the back-sync operation for Azure AD user
IDs and group IDs is a one-time activity. If required, you can re-configure the
Azure backsync settings, which will override the previously configured backsync
settings.

Finding the GUID (Tenant ID) of an Azure AD for Azure BackSync
If the Azure tenant of your organization contains multiple Azure AD services, One Identity
strongly recommends specifying the GUID (also known as the Tenant ID) of the Azure AD
when configuring Azure BackSync automatically.
For details on configuring Azure BackSync automatically, see Configuring automatic
Azure BackSync.
The GUID of each Azure AD service is listed on the Microsoft Azure Portal.

To find the GUID (Tenant ID) of an Azure AD

1. Log in to the Microsoft Azure Portal.
2. Click Show portal menu.
3. Click Azure Active Directory.
4. In the Overview tab, under the Basic information heading, the value of the
Tenant ID is the GUID (Tenant ID) of the Azure AD.
TIP: If you have access to multiple Azure AD services, you can switch between
them with Manage tenants.

Upgrade from Quick Connect and Synchronization Service
If you have synchronization workflows configured and run by Quick Connect (predecessor
of Synchronization Service), or earlier versions of Synchronization Service, then you can
transfer those synchronization workflows to Active Roles and have them run by
Synchronization Service.
You can transfer synchronization workflows from the following Quick Connect or
Synchronization Service versions:

l Quick Connect Sync Engine 5.2.0, 5.3.0, 5.4.0, 5.4.1, 5.5.0, 6.1.0
l Quick Connect Express for Active Directory 5.3.0, 5.4.0, 5.4.1, 5.5.0, 5.6.0, or 6.1.0

l Quick Connect for Cloud Services 3.3.0, 3.4.0, 3.5.0, 3.6.0, 3.6.1, 3.6.2, or 3.7.0
l Quick Connect for Base Systems 2.2.0, 2.3.0, or 2.4.0
l Synchronization Service 7.0, 7.1, 7.2, 7.3, or 7.4.x

Limitations
Synchronization Service is unable to run synchronization workflows that employ
connections to the following systems:

l ActiveRoles Server 6.5
l ODBC-compliant data source
l OpenDS directory service
l PeopleSoft HCM
l Red Hat Directory Server
l SAP Systems
l Workday

If you need to synchronize data held in these systems, then you should continue using
Quick Connect. This limitation is because not all connectors provided by Quick Connect are
included with Synchronization Service.
IMPORTANT: Google Postini Services, IBM Lotus Domino, IBM Lotus Notes, and Google Apps
have been removed because these systems reached End of Life.

Upgrade steps
Perform the following steps to transfer synchronization workflows from Quick Connect to
Synchronization Service:

1. Install Synchronization Service.
You can install Synchronization Service on the computer running Quick Connect or on
a different computer. For installation instructions, see Step 1: Install Synchronization
Service earlier in this document.

2. Configure Synchronization Service to use a new database for storing configuration
settings and synchronization data.
To perform this step, use the Configuration Wizard that appears when you start the
Synchronization Service Administration Console the first time after you install
Synchronization Service. For detailed instructions, see Step 2: Configure
Synchronization Service earlier in this document.

3. Import configuration settings from Quick Connect or Synchronization Service.
Before you proceed with this step, it is highly recommended to disable the scheduled
workflows and mapping operations in Quick Connect or earlier versions of
Synchronization Service. You can resume the scheduled workflows and mapping
operations after you complete this step.

To import configuration settings:

1. On the computer where you have installed Synchronization Service, start the
Synchronization Service Administration Console.
2. In the upper right corner of the Administration Console window, click the gear
icon, and then click Import Configuration.
3. In the wizard that appears, select the version of Quick Connect Sync Engine
used by your Quick Connect version or Active Roles Synchronization Service
from which you want to import the configuration settings.
Optionally, you can select the Import sync history check box to import the
sync history along with the configuration settings.
4. Follow the steps in the wizard to complete the import operation.
If the synchronization data you want to import is stored separately from the
configuration settings, then, on the Specify source SQL Server databases step,
select the Import sync data from the specified database check box, and
specify the database.

4. Retype access passwords in the connections that were imported from Quick Connect.
You need to retype access passwords in the imported connections because, for
security reasons, the import of configuration settings does not retrieve the encrypted
passwords from Quick Connect. Use the Synchronization Service Administration
Console to make changes to each connection as appropriate, depending upon the
data system to which the connection applies. For instructions on how to modify
connections, see External data systems supported with built-in connectors later in
this document.

5. If your synchronization workflows involve synchronization of passwords, then you
need to install the new version of Capture Agent on your domain controllers. For
installation instructions, see Managing Capture Agent later in this document.
The new version of Capture Agent replaces the old version. However, as the new
version supports both Synchronization Service and Quick Connect, you do not lose
the password synchronization functions of Quick Connect after you upgrade
Capture Agent.

Communication ports
The following table lists the default communication ports used by Synchronization Service:

Table 1: Default communication ports

Port    Protocol   Type of traffic           Direction of traffic
53      TCP/UDP    DNS                       Inbound, outbound
88      TCP/UDP    Kerberos                  Inbound, outbound
139     TCP        SMB/CIFS                  Inbound, outbound
445     TCP        SMB/CIFS                  Inbound, outbound
389     TCP/UDP    LDAP                      Outbound
3268    TCP        LDAP                      Outbound
636     TCP        SSL                       Outbound
        This port is only required if Synchronization Service is configured to
        use SSL to connect to an Active Directory domain.
3269    TCP        SSL                       Outbound
        This port is only required if Synchronization Service is configured to
        use SSL to connect to an Active Directory domain.
15173   TCP        Synchronization Service   Outbound
        This port is used by Capture Agent to communicate with Active Roles
        Synchronization Service.
7148    TCP        Capture Agent             Inbound
        (only if Synchronization Service is configured to synchronize user
        passwords from an Active Directory domain to other connected data
        systems)
        This port is used by Active Roles Synchronization Service to
        communicate with Capture Agent.
135     TCP        RPC endpoint mapper       Inbound, outbound
        Port 135 is a dynamically allocated TCP port for RPC communication with
        Active Directory domain controllers. For more information about ports
        used for RPC communication, see the following Microsoft Support
        Knowledge Base articles at support.microsoft.com:
        l Restricting Active Directory replication traffic and client RPC
          traffic to a specific port (article ID: 224196)
        l How to configure RPC dynamic port allocation to work with firewalls
          (article ID: 154596)
        l How to configure RPC to use certain ports and how to help secure
          those ports by using IPsec (article ID: 908472)
        l The default dynamic port range for TCP/IP has changed in Windows
          Vista and in Windows Server 2008 (article ID: 929851)
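As an added example (not part of the One Identity guide), this PowerShell script, run on the Synchronization Service host, probes the TCP ports from Table 1 against one domain controller and, when password synchronization is used, confirms that the local 15173 listener is up. Only TCP is probed; the domain controller name is a placeholder, and the two switches are assumptions about your deployment.

```powershell
<#
Added example, not part of the One Identity documentation: checks the Table 1
ports from the Synchronization Service host. Test-NetConnection only performs a
TCP handshake, so the UDP side of DNS (53), Kerberos (88) and LDAP (389) is not
exercised here.
#>
param(
    [Parameter(Mandatory)] [string] $DomainController,  # placeholder, e.g. dc01.corp.example
    [switch] $UsesSsl,                                  # set if the AD connection uses SSL (636/3269)
    [switch] $PasswordSyncEnabled                       # set if Capture Agent is deployed on the DCs
)

# TCP ports from Table 1 that must be reachable on a domain controller.
$required = @(
    [pscustomobject]@{ Port = 53;   Traffic = 'DNS' },
    [pscustomobject]@{ Port = 88;   Traffic = 'Kerberos' },
    [pscustomobject]@{ Port = 135;  Traffic = 'RPC endpoint mapper' },
    [pscustomobject]@{ Port = 139;  Traffic = 'SMB/CIFS' },
    [pscustomobject]@{ Port = 445;  Traffic = 'SMB/CIFS' },
    [pscustomobject]@{ Port = 389;  Traffic = 'LDAP' },
    [pscustomobject]@{ Port = 3268; Traffic = 'LDAP' }
)
if ($UsesSsl) {
    $required += [pscustomobject]@{ Port = 636;  Traffic = 'SSL' }
    $required += [pscustomobject]@{ Port = 3269; Traffic = 'SSL' }
}
if ($PasswordSyncEnabled) {
    $required += [pscustomobject]@{ Port = 7148; Traffic = 'Capture Agent' }
}

$results = foreach ($entry in $required) {
    # -InformationLevel Quiet returns a plain $true/$false for the TCP handshake.
    $open = Test-NetConnection -ComputerName $DomainController -Port $entry.Port `
                               -InformationLevel Quiet -WarningAction SilentlyContinue
    [pscustomobject]@{ Port = $entry.Port; Traffic = $entry.Traffic; Reachable = $open }
}

if ($PasswordSyncEnabled) {
    # Capture Agent talks to Synchronization Service on 15173; confirm the service
    # is listening on this host before troubleshooting the DC side.
    $listener = Get-NetTCPConnection -LocalPort 15173 -State Listen -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{
        Port      = 15173
        Traffic   = 'Synchronization Service (local listener)'
        Reachable = [bool]$listener
    }
}

$results | Format-Table -AutoSize
$blocked = $results | Where-Object { -not $_.Reachable }
if ($blocked) { Write-Warning ("Blocked or not listening: " + ($blocked.Port -join ', ')) }
```

A closed 636 or 3269 is expected unless the Active Directory connection is configured for SSL, which is why those rows are behind the -UsesSsl switch.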

3 Getting started

l Synchronization Service Administration Console
l Steps to synchronize identity data
l Management Shell

Synchronization Service Administration Console
The Synchronization Service Administration Console is a graphical user interface that
provides access to the Synchronization Service functionality. You can use the
Administration Console to connect Synchronization Service to external data systems,
manage existing connections, and perform data synchronization operations between the
connected data systems. The Administration Console is installed as part of
Synchronization Service.

To start the Administration Console

Depending on the version of your Windows operating system, click Active Roles 8.0 LTS
Synchronization Service on the Apps page, or select All Programs | One Identity Active
Roles 8.0 LTS | Active Roles 8.0 LTS Synchronization Service from the Start menu.
The Synchronization Service Administration Console looks similar to the following:

Figure 3: Administrator Console

In the upper right corner of the console, you can click the following items:

Table 2:

Item            Description
The Gear icon   Provides the following commands:
                l Configure Sync Service: Starts a wizard that helps you change the
                  configuration settings of the current Synchronization Service instance.
                l Import Configuration: Starts a wizard that helps you to import
                  configuration settings from a configuration file created by another
                  instance of Synchronization Service.
                l Export Configuration: Starts a wizard that helps you to save the
                  configuration profile of the current Synchronization Service instance to
                  a file. You can use this file to apply the saved configuration to other
                  instances of Active Roles Synchronization Service deployed in your
                  environment.
                l Mail Profiles: Allows you to add, edit, or delete mail profiles for
                  sending notification emails about sync workflow runs. For more
                  information on how to use the email notification, see Using sync
                  workflow alerts.
                l Diagnostic Logging: Allows you to specify settings for writing
                  Synchronization Service diagnostic data to the Synchronization Service
                  log file or Windows Event Log.
                l Communication Port: Allows you to change the communication port number
                  used by the Synchronization Service.
                l Configure Azure BackSync: Allows you to configure backsync operation in
                  Azure with on-premises Active Directory objects.

In this section:

- Sync Workflows tab
- Sync History tab
- Connections tab
- Mapping tab
- Password Sync tab
- Configuring diagnostic logging

For more information about the elements you can use on these tabs, see the next subsections.

Sync Workflows tab

Allows you to manage data synchronization workflows for connected data systems. A sync workflow can include a number of synchronization steps, each performing a specific data synchronization operation (creation, deprovision, or update). For more information on sync workflows and their steps, see Synchronizing identity data.

You can also use this tab to manage email notification settings for each existing sync workflow. For more information, see Using sync workflow alerts.

On the Sync Workflows tab, you can use the following elements (some of these elements become available only after you create at least one sync workflow with one or more synchronization steps):

- Add sync workflow. Creates a new sync workflow.
- Filter by. Allows you to filter existing sync workflows by the letters or text you type in the text box. The filter applies to the sync workflow names.
- Sort by. Allows you to sort existing sync workflows by workflow name, last run time, or the number of synchronization steps.
- <Workflow Name>. Represents a sync workflow. You can click the workflow name to view and add, delete, or modify synchronization steps in that workflow.
- Schedule. Allows you to create a schedule for running the sync workflow.
- Manage alerts. Allows you to add, delete, or edit alerts for a sync workflow. An alert allows you to automatically send notification emails about the completion of the sync workflow run to specified recipients.
- Rename. Allows you to rename the sync workflow.
- Delete. Deletes the sync workflow.

Sync History tab

Allows you to view and selectively clean up the synchronization history, that is, the history of sync workflow runs and object mapping operations. For more information, see Synchronization history.

On the Sync History tab, you can use the following elements:

- Clean up now. Allows you to selectively clean up sync history entries by specifying the age of the entries that you want to clean up.
- Schedule cleanup. Allows you to schedule a recurring cleanup operation for the sync history.
- Sync Workflow History. Allows you to view a list of completed sync workflow runs and the details of objects that participated in a particular sync workflow run.
- Mapping History. Allows you to view a list of completed map and unmap operations and the details of objects that participated in those operations.
- Search. Allows you to search the Synchronization Service synchronization history for completed creation, deprovision, update, and password sync operations. You can search by a number of criteria, such as the target connected data system and object type on which the operation was performed, and the time period during which the operation completed.
- Usage Statistics. Allows you to view usage statistics for each connector, such as the number of processed objects and the number of sync runs.

Connections tab

Allows you to manage connections between the Synchronization Service and the external data systems you want to use for data synchronization operations.

For instructions on creating connections to external data systems supported out of the box, see External data systems supported with built-in connectors.

On the Connections tab, you can use the following elements (some of these elements become available only after you create at least one connection):

- Add connection. Allows you to create a new connection to an external data system.
- Filter by. Allows you to filter existing connections by the letters or text you type in the text box. The filter applies to the connection names.
- Sort by. Allows you to sort existing connections by connection name, name of the connector used, or the frequency of usage in sync workflow steps.
- <Connection Name>. Represents a connection to an external data system. You can click a connection name to view or modify the corresponding connection settings.
- Connection settings. Allows you to view or modify settings for the connection.
- Synchronization scope. Allows you to view or modify the synchronization scope for the connection.
- Delete connection. Deletes the connection.

Mapping tab

Allows you to manage mapping pairs and mapping rules for existing connections. To view or modify mapping pairs or rules for a connection, click the name of that connection on the Mapping tab. For more information on mapping pairs and rules, see Mapping objects.

On the Mapping tab, you can use the following elements (some of these elements become available only after you create at least one connection to an external data system):

- Filter by. Allows you to filter existing connections by the letters or text you type in the text box. The filter only applies to the connection names.
- Sort by. Allows you to sort existing connections by connection name, name of the connector used, or the frequency of usage in the sync workflow steps.
- <Connection Name>. Displays the name of a connection. You can click a connection name to view or modify the mapping settings for the corresponding connection.

When you click a connection name on this tab, you can manage mapping pairs for the connection by using the following elements (some of these elements become available only after you create at least one mapping pair for the connection):

- Add mapping pair. Allows you to specify the types of objects in two connected systems for which you want to create a mapping pair.
- <ObjectType1> - <ObjectType2>. Represents a mapping pair and displays the object types that belong to the same mapping pair. You can click a mapping pair to view and change the scope of conditions under which the object types belonging to that mapping pair are mapped. To define these conditions, you create mapping rules.
  - Schedule. Allows you to schedule a recurring map operation for the current pair of objects.
  - Map now. Allows you to manually run the map operation on the current pair of objects.
  - Delete. Deletes the mapping pair on which you click this link.

When you click a mapping pair, you can manage mapping rules for the mapping pair by using the following elements (some of these elements become available only after you create at least one mapping rule for the mapping pair):

- Map now. Allows you to manually run the map operation on the mapping pair by using the conditions specified in the existing mapping rules.
- Unmap. Allows you to unmap the objects that were earlier mapped according to the settings specified for the mapping pair.
- Schedule mapping. Allows you to schedule a recurring map operation for the mapping pair.
- Add mapping rule. Allows you to create a rule that defines a condition for mapping objects that belong to the mapping pair.
- Delete rule. Deletes the mapping rule on which you click this link.
- Move up. Moves the current mapping rule one position up in the list.
- Move down. Moves the current mapping rule one position down in the list.

Mapping rules are applied in the order they are listed.

Password Sync tab

Allows you to manage password sync rules to automate password synchronization from a specified Active Directory domain to other connected data systems. For more information, see Automated password synchronization.

On the Password Sync tab, you can use the following elements (some of these elements become available only after you create at least one password sync rule):

- Add password sync rule. Allows you to create a rule for synchronizing passwords from an Active Directory domain to another connected system.
- Password sync settings. Allows you to specify how many times you want to retry the password synchronization operation in the event of a failure. Also allows you to type a Windows PowerShell script to generate passwords for the target connected system. For more information, see Appendix B: Using a PowerShell script to transform passwords.
- Delete rule. Deletes the password sync rule on which you click this link.

Configuring diagnostic logging

In the Synchronization Service Administration Console, you can configure a number of settings to write the Synchronization Service diagnostic data to a separate log file or to the Windows Event Log.

To configure diagnostic logging

1. In the upper right corner of the Synchronization Service Administration Console, select Settings | Diagnostic Logging.
2. In the dialog box that opens, use the following options:

Table 3: Diagnostic logging options

Windows Event Log level. Drag the slider to select one of the following options to write Synchronization Service data to the Windows Event Log:
- Error, Warning, and Information. Records error, warning, and information events generated by Synchronization Service to the Windows Event Log.
- Error and Warning. Records error and warning events generated by Synchronization Service to the Windows Event Log.
- Error. Records error events generated by Synchronization Service to the Windows Event Log.
- Off. Disables writing Synchronization Service data to the Windows Event Log.

Synchronization Service log level. Drag the slider to select one of the following logging levels for the Synchronization Service log:
- All Possible Events. Writes detailed diagnostic data to the Synchronization Service log file. Use this level only while troubleshooting and return to Important Events afterwards.
- Important Events. Writes only essential events to the Synchronization Service log file.
- Off. Disables writing data to the Synchronization Service log file.

3. When you are finished, click OK to apply your settings.

Steps to synchronize identity data

At a very high level, you need to complete the following steps to synchronize identity data between two external data systems:

1. Connect the Synchronization Service to the data systems between which you want to synchronize identity data. For more information, see Connections to external data systems.
2. Configure the synchronization scope for the connected data systems. For more information, see Modifying synchronization scope for a connection.
3. Create a sync workflow. For more information, see Creating a sync workflow.
4. Create one or more steps in the sync workflow and, if necessary, define synchronization rules for these steps. For more information, see Managing sync workflow steps.
5. Run the sync workflow you have created. For more information, see Running a sync workflow.

You can also use the Synchronization Service to automatically synchronize passwords from a specified Active Directory domain to other connected data systems. For more information, see Automated password synchronization.

Management Shell

Management Shell is implemented as a Windows PowerShell module that extends the Windows PowerShell environment. The commands provided by Management Shell conform to the Windows PowerShell standards and are fully compatible with the default command-line tools that come with Windows PowerShell.

You can open Management Shell by using either of the following procedures. Each procedure loads the Management Shell module into Windows PowerShell. If you do not load the Management Shell module before you run a command (cmdlet) provided by that module, you will receive an error.

To open Management Shell

- At the Windows PowerShell command prompt, run the following command:

  Import-Module -Name <path to the module manifest file>

  In the Name parameter, specify the path to the module manifest file. By default, the SyncServiceManagementShell module is located at C:\Program Files\One Identity\Active Roles\8.0 LTS\SyncService\SyncServiceShell\SyncServiceManagementShell.psd1.

- Alternatively, depending on the version of your Windows operating system, click Active Roles 8.0 LTS Synchronization Service Management Shell on the Apps page, or select All Programs | One Identity Active Roles 8.0 LTS | Active Roles 8.0 LTS Synchronization Service Management Shell from the Start menu.

When the shell starts, the console may display a message stating that a certain file published by One Identity is not trusted on your system. This security message indicates that the certificate the file is digitally signed with is not trusted on your computer, so the console requires you to enable trust for the certificate issuer before the file can be run. Press either R (Run once) or A (Always run). To prevent this message from appearing in the future, choose A. Before you do so, confirm that the file's Authenticode signature is valid and that the signer named in the prompt is One Identity (for example, by checking the file with Get-AuthenticodeSignature): choosing A adds the publisher certificate to the Trusted Publishers store for the current user, after which any file signed by that publisher runs without prompting.

Cmdlet naming conventions


All cmdlets are presented in verb-noun pairs. The verb-noun pair is separated by a hyphen
(-) without spaces, and the cmdlet nouns are always singular. The verb refers to the action
that the cmdlet performs. The noun identifies the entity on which the action is performed.
For example, in the Get-QCObject cmdlet name, the verb is Get and the noun is
QCObject. All the Management Shell cmdlets have the nouns prefixed with QC, to
distinguish the Management Shell cmdlets from those provided by PowerShell itself or by
other PowerShell modules.

Getting help

This section provides instructions on how to get help information for the cmdlets added by Management Shell to the Windows PowerShell environment.

Table 4: To view help

To view a list of all the Synchronization Service Management Shell cmdlets available to the shell, run:
Get-QCCommand

To view information about the parameters and other components of a Synchronization Service Management Shell cmdlet, run one of the following:
- Get-QCCommand <CmdletName>
- Get-Command <CmdletName>
NOTE: You can use wildcard character expansion. For example, to view information about the cmdlets with names ending in Workflow, run: Get-Command *Workflow

To view basic help information for a Synchronization Service Management Shell cmdlet, run:
Get-Help <CmdletName>

To view detailed help information for a Synchronization Service Management Shell cmdlet, including the descriptions of available parameters and usage examples, run:
Get-Help <CmdletName> -Full

To view basic information about how to use the help system in Windows PowerShell, including Help for the Synchronization Service Management Shell, run:
Get-Help
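The following script is an added example, not part of the One Identity guide or of the product, that ties the two preceding procedures together: it verifies the Authenticode signatures of the module files before the publisher is trusted (the check the trust prompt above asks you to make), imports the module from its default path, and then uses the help commands listed in Table 4. It assumes the default installation path quoted above, that the module name equals the manifest file name (SyncServiceManagementShell), and that the expected signer subject contains "One Identity"; adjust these if your deployment differs.

```powershell
# Added example (not from the One Identity guide): verify the Management Shell
# module signatures, import the module, and query its help.
# Assumption: default install path; module name = manifest file name.
$modulePath = 'C:\Program Files\One Identity\Active Roles\8.0 LTS\SyncService\SyncServiceShell\SyncServiceManagementShell.psd1'

if (-not (Test-Path -LiteralPath $modulePath)) {
    throw "Management Shell manifest not found: $modulePath"
}

# Check every script and assembly in the module folder, not only the manifest.
$moduleDir  = Split-Path -Parent $modulePath
$signatures = Get-ChildItem -LiteralPath $moduleDir -Recurse -Include *.psd1, *.psm1, *.ps1, *.dll |
    ForEach-Object { Get-AuthenticodeSignature -FilePath $_.FullName }

foreach ($sig in $signatures) {
    if ($sig.Status -ne 'Valid') {
        # Valid means the chain builds to a trusted root and the file is unmodified;
        # UnknownError/NotTrusted here is what produces the prompt described above.
        Write-Warning ("{0}: {1} ({2})" -f $sig.Path, $sig.Status, $sig.StatusMessage)
    }
    elseif ($sig.SignerCertificate.Subject -notmatch 'One Identity') {
        # Assumption: the expected signer subject names One Identity. Confirm this
        # before answering "A" at the prompt, which adds the publisher to Trusted Publishers.
        Write-Warning ("{0}: unexpected signer {1}" -f $sig.Path, $sig.SignerCertificate.Subject)
    }
}

# The cmdlets are not available until the module is imported.
Import-Module -Name $modulePath -ErrorAction Stop

# All Management Shell cmdlets use QC-prefixed nouns (for example Get-QCObject).
$cmdlets = Get-Command -Module SyncServiceManagementShell
"{0} cmdlets loaded; workflow-related ones:" -f $cmdlets.Count
$cmdlets | Where-Object Name -like '*Workflow' | Select-Object Name, CommandType

# Detailed help for one cmdlet, including parameters and examples.
Get-Help Get-QCObject -Full
```

Run it from an elevated Windows PowerShell session on the Synchronization Service computer. A warning from the signature loop means you should resolve the trust problem (for example, by installing the issuing CA certificate) rather than answering A to silence the prompt.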

4

Connections to external data systems

- External data systems supported with built-in connectors
- Using connectors installed remotely
- Creating a connection
- Renaming a connection
- Deleting a connection
- Modifying synchronization scope for a connection
- Using connection handlers
- Specifying password synchronization settings for a connection

External data systems supported with built-in connectors

Active Roles Synchronization Service supports the following external data systems with built-in connectors:

- Delimited text files
- LDAP
- OLE DB
- SCIM for Starling Connect services
- IBM AS/400
- IBM DB2
- IBM RACF
- Micro Focus NetIQ Directory
- Microsoft Active Directory
- Microsoft AD LDS (ADAM)
- Microsoft Azure AD
- Microsoft Exchange Server
- Microsoft Office 365
- Microsoft SharePoint
- Microsoft SQL
- Microsoft Skype for Business
- MySQL
- One Identity Active Roles
- One Identity Manager
- OpenLDAP directory service
- Oracle
- Oracle Unified Directory
- Salesforce
- ServiceNow
- SCIM

For the general connection configuration steps, see the following chapters:

- Creating a connection
- Renaming a connection
- Deleting a connection
- Modifying synchronization scope for a connection
- Using connection handlers
- Specifying password synchronization settings for a connection

Working with Active Directory

This section describes how to create or modify a connection to Active Directory so that Synchronization Service can work with data in that data system.

To create a connection to an Active Directory domain, you use Synchronization Service in conjunction with a special connector called the Active Directory Connector. This connector is included in the Synchronization Service package.

The Active Directory Connector supports the following features:

Table 5: Supported features

Feature: Bidirectional synchronization
Supported: Yes. Allows you to read and write data in the connected data system.

Feature: Delta processing mode
Supported: Yes. Allows you to process only the data that has changed in the connected data system since the last synchronization operation, thereby reducing the overall synchronization operation time.

Feature: Password synchronization
Supported: Yes. Allows you to synchronize user passwords from an Active Directory domain to the connected data system.

The Active Directory Connector supports linked attributes existing in the Active Directory schema. Linked attributes allow you to establish associations between two objects. Linked attributes exist in pairs, as follows:

- Forward link attribute. This is a linked attribute that exists on a source object (example: the member attribute on the Group object). Forward link attributes can be single-valued or multivalued.
- Back link attribute. This is a linked attribute that can be specified on a target object (example: the memberOf attribute on the User object). Back link attributes are multivalued and must have a corresponding forward link attribute. Back link attributes are not stored in Active Directory; they are calculated from the corresponding forward link attribute each time a query is issued.

In this section:

- Creating an Active Directory connection
- Modifying an existing Active Directory connection
- Communication ports required to synchronize data between two AD domains
- Synchronizing user passwords between two AD domains
- Synchronizing SID history of users or groups

Creating an Active Directory connection

To create a new connection

1. In the Synchronization Service Administration Console, open the Connections tab.
2. Click Add connection, and then use the following options:
   - Connection name. Type a descriptive name for the connection.
   - Use the specified connector. Select Active Directory Connector.
3. Click Next.
4. On the Specify connection settings page, use the following options:
   - Any available domain controller in the specified domain. Allows you to connect to an available domain controller in the Active Directory domain you specify. In the Domain text box, type the fully qualified domain name of the domain to which you want to connect.
   - Specified domain controller. Allows you to connect to a specific domain controller in a particular Active Directory domain. In the Domain controller text box, type the fully qualified domain name of the domain controller to which you want to connect.
   - Active Directory forest. Allows you to connect to the Active Directory forest you specify in this option. When synchronizing data to or from a connected forest, Synchronization Service automatically selects the appropriate domain controllers in the forest to read and write data according to the synchronization scope configured for the connection.
   - Secure Sockets Layer usage. Use this list to select one of the following:
     - None. Allows you to connect without using Secure Sockets Layer (SSL).
     - Use. Allows you to connect through SSL only.
     - Preferred. Allows you to attempt the connection through SSL first. If this connection attempt fails, the Synchronization Service tries to connect without using SSL. Because this fallback is automatic, a domain controller with an expired or untrusted certificate silently results in a connection without SSL; select Use when SSL must be enforced.
   - Access Active Directory using. Use this option to select one of the following:
     - Synchronization Service account. Allows you to access the Active Directory domain in the security context of the account under which the Synchronization Service is running.
     - Windows account. Allows you to access Active Directory in the security context of the account whose user name and password you specify below this option.
   - Test Connection. Click this button to verify the specified connection settings.
5. Click Finish to create a connection to Active Directory.

Modifying an existing Active Directory connection

To modify connection settings

1. In the Synchronization Service Administration Console, open the Connections tab.
2. Click Connection settings below the existing Active Directory connection you want to modify.
3. On the Connection Settings tab, click the Specify connection settings item to expand it, and then use the following options:
   - Any available domain controller in the specified domain. Allows you to connect to any available domain controller in the Active Directory domain you specify. In the Domain text box, type the fully qualified domain name of the domain to which you want to connect.
   - Specified domain controller. Allows you to connect to a specific domain controller in a particular Active Directory domain. In the Domain controller text box, type the fully qualified domain name of the domain controller to which you want to connect.
   - Active Directory forest. Allows you to connect to the Active Directory forest you specify in this option. When synchronizing data to or from a connected forest, Synchronization Service automatically selects the appropriate domain controllers in the forest to read and write data according to the synchronization scope configured for the connection.
   - Secure Sockets Layer usage. Use this list to select one of the following:
     - None. Allows you to connect without using Secure Sockets Layer (SSL).
     - Use. Allows you to connect through SSL only.
     - Preferred. Allows you to attempt the connection through SSL first. If this connection attempt fails, the Synchronization Service tries to connect without using SSL. Because this fallback is automatic, select Use when SSL must be enforced.
   - Access Active Directory using. Use this option to select one of the following:
     - Synchronization Service account. Allows you to access Active Directory in the security context of the account under which the Synchronization Service is running.
     - Windows account. Allows you to access Active Directory in the security context of the account whose user name and password you specify below this option.
   - Test Connection. Click this button to verify the specified connection settings.
4. Optionally, you can narrow the number of objects participating in the connection scope by setting up filter conditions: on the Connection Settings tab, click the Advanced item to expand it, and then use the following list columns:
   - Object type. Use this column to select the Active Directory object types for which you want to configure filter conditions: click the Add Object Type button to add an object type to the list. Once you have added an object type, use the Filter condition column to specify a condition the objects of that type must meet in order to participate in the connection scope.
   - Filter condition. Use this column to specify a filter condition for the corresponding Active Directory object type. To specify a filter condition, type an LDAP query. The Active Directory objects that meet the specified filter condition participate in the connection scope. When no filter condition is specified for an object type, all objects that belong to that type participate in the connection scope.
5. When you are finished, click Save.
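Because the filter condition in step 4 decides which objects a creating, updating or deprovisioning step is allowed to touch, it is worth dry-running the LDAP query before saving it. The following script is an added example, not part of the One Identity guide or of the product: it runs a candidate filter against the directory with the same LDAP semantics the connector uses and reports how many objects it admits plus a sample, so that an overly broad or empty filter is caught before a sync run. The search base and domain names are placeholders, and the filter (enabled person objects, excluding accounts whose sAMAccountName starts with svc-) is only an illustration.

```powershell
# Added example (not from the One Identity guide): dry-run an LDAP filter condition
# before entering it in the Advanced section of an Active Directory connection.
# Assumptions: domain-joined machine with read access; placeholder search base.
Add-Type -AssemblyName System.DirectoryServices

# Illustrative filter: user objects that are not disabled (bit 0x2 of userAccountControl),
# excluding service accounts by naming convention. objectCategory=person keeps computer
# objects out, since they are also of objectClass user in AD.
$candidateFilter = '(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(sAMAccountName=svc-*)))'

function Test-ScopeFilter {
    param(
        [Parameter(Mandatory)][string]$LdapFilter,
        [string]$SearchBase = 'LDAP://OU=Users,DC=source,DC=example,DC=com',  # placeholder
        [int]$SampleSize = 10
    )
    $root     = New-Object System.DirectoryServices.DirectoryEntry($SearchBase)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $LdapFilter)
    $searcher.PageSize = 1000        # page through large result sets instead of stopping at 1000
    [void]$searcher.PropertiesToLoad.AddRange([string[]]('distinguishedName', 'sAMAccountName', 'userAccountControl'))

    $results = $searcher.FindAll()
    try {
        [pscustomobject]@{
            Filter  = $LdapFilter
            Matches = $results.Count
            Sample  = @($results | Select-Object -First $SampleSize | ForEach-Object {
                [pscustomobject]@{
                    DN  = $_.Properties['distinguishedname'][0]
                    Sam = $_.Properties['samaccountname'][0]
                    UAC = $_.Properties['useraccountcontrol'][0]
                }
            })
        }
    }
    finally {
        $results.Dispose()
    }
}

# Compare the candidate with the unfiltered population of the same object type to see
# exactly how many objects the condition removes from the connection scope.
$baseline  = Test-ScopeFilter -LdapFilter '(&(objectCategory=person)(objectClass=user))'
$candidate = Test-ScopeFilter -LdapFilter $candidateFilter

"Unfiltered user objects : {0}" -f $baseline.Matches
"Objects admitted        : {0}" -f $candidate.Matches
"Objects excluded        : {0}" -f ($baseline.Matches - $candidate.Matches)
$candidate.Sample | Format-Table -AutoSize
```

The search here runs as the current user. If the connection uses a dedicated Windows account with narrower permissions, repeat the test under that account, since objects it cannot read do not enter the scope either.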

Communication ports required to synchronize data between two AD domains

When synchronizing data between two Active Directory domains, Synchronization Service uses the following ports to access domain controllers in the domains:

Table 6: Required communication ports

Port   Protocol   Type of traffic           Direction of traffic
53     TCP/UDP    DNS                       Inbound
88     TCP/UDP    Kerberos                  Outbound
389    TCP/UDP    LDAP                      Outbound
636    TCP        LDAP over SSL (LDAPS)     Outbound

Port 636 is used only when the Secure Sockets Layer usage option of the connection is set to Use or Preferred.
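The following script is an added example, not part of the One Identity guide or of the product, for checking from the Synchronization Service computer that the ports in Table 6 are open to every domain controller of both domains, and that an LDAPS bind on 636 actually succeeds, which is the precondition for choosing Use rather than Preferred for Secure Sockets Layer usage. It assumes placeholder domain names and that the caller holds a Kerberos ticket valid in each domain (the bind uses Negotiate). Test-NetConnection exercises TCP only; the UDP variants of ports 53, 88 and 389 are not covered by it, although the SRV lookup below does go through DNS.

```powershell
# Added example (not from the One Identity guide): verify Table 6 connectivity and an
# LDAPS bind against each DC in the source and target domains.
# Assumptions: placeholder domain names; caller can authenticate to both domains.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$domains  = 'source.example.com', 'target.example.com'   # placeholders
$tcpPorts = 53, 88, 389, 636                             # TCP checks only

function Get-DomainControllers {
    param([string]$Domain)
    # The _ldap._tcp.dc._msdcs SRV record enumerates the DCs; resolving it also exercises DNS.
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } |
        Select-Object -ExpandProperty NameTarget -Unique
}

function Test-LdapsBind {
    param([string]$Server)
    # A TCP connect on 636 only proves something is listening; a successful bind proves the
    # DC presented a certificate this client trusts and the session is TLS-protected.
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 636, $true, $false)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    try {
        $conn.SessionOptions.SecureSocketLayer = $true
        $conn.SessionOptions.ProtocolVersion   = 3
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
        $conn.Bind()
        return $true
    }
    catch {
        Write-Warning ("LDAPS bind to {0} failed: {1}" -f $Server, $_.Exception.Message)
        return $false
    }
    finally {
        $conn.Dispose()
    }
}

$report = foreach ($domain in $domains) {
    foreach ($dc in (Get-DomainControllers -Domain $domain)) {
        foreach ($port in $tcpPorts) {
            $t = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
            [pscustomobject]@{ Domain = $domain; DC = $dc; Port = $port; Check = 'TCP'; Ok = $t.TcpTestSucceeded }
        }
        [pscustomobject]@{ Domain = $domain; DC = $dc; Port = 636; Check = 'LDAPS bind'; Ok = (Test-LdapsBind -Server $dc) }
    }
}

$report | Format-Table -AutoSize
# Rows with Ok = False must be fixed (firewall rule or DC certificate) before selecting "Use".
$report | Where-Object { -not $_.Ok }
```

If the LDAPS bind fails while TCP 636 is open, the usual cause is a DC certificate that the Synchronization Service computer does not trust; with Preferred selected, that same condition makes the connector fall back to LDAP without SSL, which is why the bind check matters more than the port check.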

Synchronizing user passwords between two AD domains

You can automatically synchronize user passwords from one Active Directory domain to the other by using Synchronization Service. The next procedure assumes that Synchronization Service is already connected to the source and target domains. For more information, see Creating an Active Directory connection.

To synchronize user passwords between two AD domains

1. Install Capture Agent on all domain controllers in the source and target Active Directory domains.
2. Use the pwdHash attribute to perform an initial synchronization of user passwords between the source and target domains:
   a. Create a new, or choose an existing, creating or updating synchronization step for the source and target domains.
   b. If you use an updating synchronization step, ensure that user objects in the source domain are properly mapped to their counterparts in the target domain. For more information on mapping objects, see Mapping objects.
   c. In the creating or updating synchronization step, configure a rule to synchronize the pwdHash attribute value from the user objects in the source domain to their counterparts in the target domain.
   d. Run the creating or updating synchronization step to perform an initial synchronization of user passwords from the source to the target domain.
   Step 2 synchronizes user passwords only once. If you want to synchronize all subsequent password changes on a permanent basis, complete step 3.
3. To synchronize all subsequent password changes from the source to the target domain, do one of the following:
   - Create a recurring run schedule for the synchronization step you configured in step 2 of this procedure. For instructions, see Running a sync workflow on a recurring schedule.
   - Configure a password sync rule to automate the password synchronization between the two Active Directory domains. For instructions, see Automated password synchronization.

Synchronizing SID history of users or groups

You can use Synchronization Service to synchronize SID history between user or group objects in two Active Directory domains. For example, you can synchronize SID history when migrating users from one Active Directory domain to the other.

Before you start synchronizing SID history, consider the following:

- To read SID data in the source Active Directory domain, you can use the sIDHistory or objectSid attribute.
- To write SID data to the target Active Directory domain, always use the sIDHistory attribute.

To synchronize SID history of users or groups

1. Install Capture Agent on all domain controllers in the source and target Active Directory domains you want to participate in the SID history synchronization. For instructions on how to install Capture Agent, see Managing Capture Agent.
2. Use the Specified domain controller option to connect Synchronization Service to the source and target domains. For instructions on how to connect Synchronization Service to an Active Directory domain, see Creating an Active Directory connection.
3. Create a new, or choose an existing, creating or updating synchronization step for the source and target domains. If you use an updating synchronization step, ensure that user or group objects in the source domain are properly mapped to their counterparts in the target domain. For more information on mapping objects, see Mapping objects.
4. Configure the synchronization step to do the following:
   - Read SID data in the source Active Directory domain. For this purpose, you can use the sIDHistory attribute or the objectSid attribute, or both.
   - Write SID data to the target Active Directory domain by using the sIDHistory attribute.
   To read attribute values in the source domain and write them to the target domain, you can configure attribute modification rules in your sync workflow step. For detailed instructions, see Modifying attribute values by using rules.
5. Run the created step to synchronize SID history.
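Because sIDHistory grants the target account every right the source SID held, it is worth verifying after step 5 that each target object carries exactly the source objectSid you intended and nothing else. The following script is an added example, not part of the One Identity guide or of the product, that reads objectSid from the source domain and sIDHistory from the target domain and reports accounts whose history is missing the source SID or contains extra SIDs. It assumes that source and target objects are matched on sAMAccountName (adapt this to your mapping rule), that the domain names are placeholders, and that the caller can read both domains.

```powershell
# Added example (not from the One Identity guide): verify sIDHistory after a SID history
# synchronization step. Assumptions: objects matched on sAMAccountName; placeholder domains.
Add-Type -AssemblyName System.DirectoryServices

function Get-SidMap {
    # Returns a hashtable: sAMAccountName -> array of SID strings found in $Attribute.
    param([string]$Domain, [string]$Attribute)
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Domain")
    $s    = New-Object System.DirectoryServices.DirectorySearcher($root, '(&(objectCategory=person)(objectClass=user))')
    $s.PageSize = 1000
    [void]$s.PropertiesToLoad.AddRange([string[]]('sAMAccountName', $Attribute))
    $map = @{}
    $results = $s.FindAll()
    try {
        foreach ($r in $results) {
            $sam = $r.Properties['samaccountname'][0]
            # objectSid and sIDHistory are returned as byte[]; convert each to S-1-5-... form.
            $sids = @($r.Properties[$Attribute.ToLower()] | ForEach-Object {
                (New-Object System.Security.Principal.SecurityIdentifier($_, 0)).Value
            })
            $map[$sam] = $sids
        }
    }
    finally {
        $results.Dispose()
    }
    return $map
}

function Compare-SidHistory {
    param([string]$SourceDomain, [string]$TargetDomain)
    $source = Get-SidMap -Domain $SourceDomain -Attribute 'objectSid'
    $target = Get-SidMap -Domain $TargetDomain -Attribute 'sIDHistory'
    foreach ($sam in $source.Keys) {
        if (-not $target.ContainsKey($sam)) { continue }   # not migrated or not mapped
        $expected = $source[$sam][0]
        $history  = $target[$sam]
        [pscustomobject]@{
            Account    = $sam
            SourceSid  = $expected
            Present    = ($history -contains $expected)
            # Extra SIDs in sIDHistory are a privilege-escalation path and should be explained.
            ExtraSids  = (@($history | Where-Object { $_ -ne $expected }) -join ';')
        }
    }
}

$result = Compare-SidHistory -SourceDomain 'source.example.com' -TargetDomain 'target.example.com'
"Checked {0} mapped accounts" -f @($result).Count
$result | Where-Object { -not $_.Present -or $_.ExtraSids } | Format-Table -AutoSize
```

Run this against the same domain controllers you selected with the Specified domain controller option in step 2, so that you are not reading stale replicas. Any account listed with ExtraSids deserves a look before the migration is declared complete.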

Working with an AD LDS (ADAM) instance

This section explains how to create or modify a connection to an AD LDS (ADAM) instance so that Synchronization Service can work with data in that data system.

To create a connection to an AD LDS (ADAM) instance, you use Synchronization Service in conjunction with a special connector called the AD LDS (ADAM) Connector. This connector is included in the Synchronization Service package.

The AD LDS (ADAM) Connector supports the following features:

Table 7: Supported features

Feature: Bidirectional synchronization
Supported: Yes. Allows you to read and write data in the connected data system.

Feature: Delta processing mode
Supported: Yes. Allows you to process only the data that has changed in the connected data system since the last synchronization operation, thereby reducing the overall synchronization operation time.

Feature: Password synchronization
Supported: Yes. Allows you to synchronize user passwords from an Active Directory domain to the connected data system.

In this section:

- Creating an AD LDS (ADAM) instance connection
- Modifying an existing AD LDS (ADAM) instance connection

Creating an AD LDS (ADAM) instance connection

To create a new connection

1. In the Synchronization Service Administration Console, open the Connections tab.
2. Click Add connection, and then use the following options:
   - Connection name. Type a descriptive name for the connection.
   - Use the specified connector. Select AD LDS (ADAM) Connector.
3. Click Next.
4. On the Specify connection settings page, use the following options:
   - Server. Type the fully qualified domain name of the computer on which the AD LDS (ADAM) instance to which you want to connect is running.
   - Port. Type the LDAP communication port number used by the AD LDS (ADAM) instance.
   - Access AD LDS (ADAM) instance using. Use this option to select one of the following:
     - Synchronization Service account. Allows you to access the target AD LDS (ADAM) instance in the security context of the account under which the Synchronization Service is running.
     - Windows account. Allows you to access the target AD LDS (ADAM) instance in the security context of the account whose user name and password you specify below this option.
   - Advanced. Click to specify advanced settings for connecting to the AD LDS (ADAM) instance.
   - Test Connection. Click this button to verify the specified connection settings.
5. Click Finish to create a connection to the AD LDS (ADAM) instance.

Modifying an existing AD LDS (ADAM) instance connection

To modify connection settings

1. In the Synchronization Service Administration Console, open the Connections tab.
2. Click Connection settings below the existing AD LDS (ADAM) instance connection
   you want to modify.
3. On the Connection Settings tab, click the Specify connection settings item to
   expand it and use the following options:
   • Server. Type the fully qualified domain name (FQDN) of the computer on
     which the AD LDS (ADAM) instance to which you want to connect is running.
   • Port. Type the LDAP communication port number used by the AD LDS
     (ADAM) instance.
   • Access AD LDS (ADAM) instance using. Use this option to select one
     of the following:
     • Synchronization Service account. Allows you to access the
       target AD LDS (ADAM) instance in the security context of the
       account under which the Synchronization Service is running.
     • Windows account. Allows you to access the target AD LDS
       (ADAM) instance in the security context of the account whose user
       name and password you specify below this option.
   • Advanced. Click to specify advanced settings for connecting to the AD LDS
     (ADAM) instance.
   • Test Connection. Click this button to verify the specified connection settings.
4. Optionally, you can narrow the number of AD LDS (ADAM) objects participating in the
   connection scope by setting up filter conditions: on the Connection Settings tab,
   click the Advanced item to expand it, and then use the following list columns:
   • Object type. Use this column to select the AD LDS (ADAM) object types for
     which you want to configure filter conditions: click the Add Object Type
     button to add an object type to the list. Once you have added an object type to
     the list, use the Filter condition column to specify a condition the objects of
     that type must meet in order to participate in the connection scope.
   • Filter condition. Use this column to specify a filter condition for the
     corresponding AD LDS (ADAM) object type. To specify a filter condition, type
     an LDAP query. The AD LDS (ADAM) objects that meet the specified filter
     condition will participate in the connection scope. When no filter condition is
     specified for an object type, all objects that belong to that type participate in
     the connection scope.
5. When you are finished, click Save.

Working with Skype for Business Server
This section describes how to create or modify a connection to Microsoft Skype for
Business Server so that Synchronization Service can read and write data in Skype for
Business Server. This section also describes what data you can read and/or write in Skype
for Business Server by using Synchronization Service.
To create a connection to Microsoft Skype for Business Server, you need to use
Synchronization Service in conjunction with a special connector called Skype for Business
Server Connector. This connector is included in the Synchronization Service package.
The Skype for Business Server Connector supports the following features:

Table 8: Supported features

Feature | Supported
Bidirectional synchronization | Yes
  Allows you to read and write data in the connected data system. For more information on
  what data you can read and write in Skype for Business Server, see Skype for Business
  Server data supported out of the box.
Delta processing mode | No
  Allows you to more quickly synchronize identity data by processing only the data that has
  changed in the source and target systems since their last synchronization.
Password synchronization | No
  Allows you to synchronize user passwords from an Active Directory domain to the
  connected data system.

In this section:

• Creating a new Skype for Business Server connection
• Modifying an existing Skype for Business Server connection
• Skype for Business Server data supported out of the box
• Attributes required to create a Skype for Business Server user
• Getting or setting the Telephony option value in Skype for Business Server

Creating a new Skype for Business Server connection
Before creating a new connection to Skype for Business Server, make sure that unsigned
Windows PowerShell scripts are allowed to run on the computer on which Synchronization
Service is installed. This is required because Synchronization Service uses Windows
PowerShell scripts to work with Microsoft Skype for Business Server.
NOTE: To view the current Windows PowerShell execution policy, you can use the
Get-ExecutionPolicy cmdlet supplied with Windows PowerShell. To change the Windows
PowerShell execution policy, you can use the Set-ExecutionPolicy cmdlet supplied with
Windows PowerShell.

To create a new connection

1. In the Synchronization Service Administration Console, open the Connections tab.
2. Click Add connection, and then do the following:
   a. In the Connection name box, type a descriptive name for the connection.
   b. From the Use the specified connector list, select Skype for Business
      Server Connector.
   c. Click Next.
3. Use the following text boxes:
   • Skype for Business Server computer name. Specify the fully qualified
     domain name (FQDN) of the Skype for Business Server computer to which you
     want to connect.
   • User name. Specify a domain user account that has sufficient rights to
     administer Skype for Business Server users. The account must be a member of
     all of the following groups that Skype for Business Server creates in Active
     Directory: CsAdministrator, CsUserAdministrator, and CsServerAdministrator.
   • Password. Type the password of the specified user account.
   When you are finished, you can click Test Connection to verify the specified
   connection settings.
4. Click Finish.

Modifying an existing Skype for Business Server connection
To modify connection settings

1. In the Synchronization Service Administration Console, open the Connections tab.


2. Click Connection settings below the existing Skype for Business Server connection
you want to modify.

3. Expand the Specify Skype for Business Server name and access account
   element to modify the following settings:
   • Skype for Business Server computer name. Specify the fully qualified
     domain name (FQDN) of the Skype for Business Server computer to which you
     want to connect.
   • User name. Specify a domain user account that has sufficient rights to
     administer Skype for Business Server users. The account must be a member of
     all of the following groups that Skype for Business Server creates in Active
     Directory: CsAdministrator, CsUserAdministrator, and CsServerAdministrator.
   • Password. Type the password of the specified user account.
4. When you are finished, click Save.

Skype for Business Server data supported out of the box
The next table lists the Skype for Business Server object types supported by the Skype for
Business Server Connector out of the box and the operations you can perform on these
objects by using the Skype for Business Server Connector.

Table 9: Supported objects and operations

Object | Read | Create | Delete | Update
User | Yes | Yes | Yes | Yes
  Allows you to read and write data related to users in Skype for Business Server.
ArchivingPolicy | Yes | No | No | Yes
  Allows you to read and write data related to custom archiving policies configured by user
  in Skype for Business Server.
  NOTE: You can only update one attribute provided for this object type. For details, see
  ArchivingPolicy object attributes.
ClientPolicy | Yes | No | No | Yes
  Allows you to read and write data related to custom client policies configured by user in
  Skype for Business Server. Client policies define which Skype for Business Server features
  are available to users.
  NOTE: You can only update one attribute provided for this object type. For details, see
  ClientPolicy object attributes.
ClientVersionPolicy | Yes | No | No | Yes
  Allows you to read and write data related to custom client version policies configured by
  user in Skype for Business Server. These policies define what clients (such as Microsoft
  Office Communicator 2007 R2) and their versions can be used in conjunction with Skype for
  Business Server.
  NOTE: You can only update one attribute provided for this object type. For details, see
  ClientVersionPolicy object attributes.
ConferencingPolicy | Yes | No | No | Yes
  Allows you to read and write data related to custom conferencing policies configured by
  user in Skype for Business Server.
  NOTE: You can only update one attribute provided for this object type. For details, see
  ConferencingPolicy object attributes.
DialPlanPolicy | Yes | No | No | Yes
  Allows you to read and write data related to custom dial plan policies configured by user
  in Skype for Business Server.
  NOTE: You can only update one attribute provided for this object type. For details, see
  DialPlanPolicy object attributes.
ExternalAccessPolicy | Yes | No | No | Yes
  Allows you to read and write data related to custom external access policies configured
  by user in Skype for Business Server.
  NOTE: You can only update one attribute provided for this object type. For details, see
  ExternalAccessPolicy object attributes.
LocationPolicy | Yes | No | No | Yes
  Allows you to read and write data related to custom location policies configured by user
  in Skype for Business Server. These policies determine the configuration of the Enhanced
  9-1-1 (E9-1-1) Location Information service.
  NOTE: You can only update one attribute provided for this object type. For details, see
  LocationPolicy object attributes.
MobilityPolicy | Yes | No | No | Yes
  Allows you to read and write data related to custom mobility policies configured by user
  in Skype for Business Server. These policies determine who can use mobility features
  (such as Call via Work, voice over IP (VoIP), or video).
  NOTE: You can only update one attribute provided for this object type. For details, see
  MobilityPolicy object attributes.
PersistentChatPolicy | Yes | No | No | Yes
  Allows you to read and write data related to custom persistent chat policies configured
  by user in Skype for Business Server.
  NOTE: You can only update one attribute provided for this object type. For details, see
  PersistentChatPolicy object attributes.
PinPolicy | Yes | No | No | Yes
  Allows you to read and write data related to custom PIN policies configured by user in
  Skype for Business Server.
  NOTE: You can only update one attribute provided for this object type. For details, see
  PinPolicy object attributes.
VoicePolicy | Yes | No | No | Yes
  Allows you to read and write data related to custom voice policies configured by user in
  Skype for Business Server.
  NOTE: You can only update one attribute provided for this object type. For details, see
  VoicePolicy object attributes.
Skype for BusinessSettings | Yes | No | No | No
  Allows you to read data related to a number of Skype for Business Server settings. Skype
  for BusinessSettings is not a native Skype for Business Server object type and only exists
  in the Skype for Business Server Connector schema.

For each of the above-listed Skype for Business Server object types, Synchronization
Service provides special attributes that allow you to read or write data in Skype for
Business Server. You can access and use these attributes from the Synchronization Service
Administration Console (for example, when selecting the source and target attributes you
want to participate in the synchronization operation).
The next sections describe the attributes provided by Synchronization Service and
explain what data you can read or write in Skype for Business Server by using a
particular attribute.
In the next sections:

• User object attributes
• ArchivingPolicy object attributes
• ClientPolicy object attributes
• ClientVersionPolicy object attributes
• ConferencingPolicy object attributes
• ExternalAccessPolicy object attributes
• LocationPolicy object attributes
• MobilityPolicy object attributes
• PersistentChatPolicy object attributes
• PinPolicy object attributes
• VoicePolicy object attributes
• Skype for BusinessSettings object attributes

User object attributes

Table 10: User object attributes

Attribute | Type | Description | Supported operations
ArchivingPolicy | Single-valued, reference | Gets or sets the value of the Archiving policy option for the Skype for Business Server user. | Read, write
AudioVideoDisabled | Single-valued, Boolean | Allows you to get or set the Telephony option value for the Skype for Business Server user. For more information, see Getting or setting the Telephony option value in Skype for Business Server. | Read, write
EnterpriseVoiceEnabled | Single-valued, Boolean | Allows you to get or set the Telephony option value for the Skype for Business Server user. For more information, see Getting or setting the Telephony option value in Skype for Business Server. | Read, write
RemoteCallControlTelephonyEnabled | Single-valued, Boolean | Allows you to get or set the Telephony option value for the Skype for Business Server user. For more information, see Getting or setting the Telephony option value in Skype for Business Server. | Read, write
ClientPolicy | Single-valued, reference | Gets or sets the value of the Client policy option for the Skype for Business Server user. | Read, write
ClientVersionPolicy | Single-valued, reference | Gets or sets the value of the Client version policy option for the Skype for Business Server user. | Read, write
ConferencingPolicy | Single-valued, reference | Gets or sets the value of the Conferencing policy option for the Skype for Business Server user. | Read, write
DialPlan | Single-valued, reference | Gets or sets the dial plan for the Skype for Business Server user. | Read, write
DisplayName | Single-valued, string | Gets the value of the Display name attribute of the Skype for Business Server user. | Read
DistinguishedName | Single-valued, string | Gets the distinguished name of the Skype for Business Server user. | Read
EnabledForSkype for BusinessServer | Single-valued, Boolean | Gets or sets whether or not the user account is enabled and can log on to Skype for Business Server. | Read, write
ExternalAccessPolicy | Single-valued, reference | Gets or sets the value of the External access policy option for the Skype for Business Server user. | Read, write
Identity | Single-valued, string | Gets the unique identifier of the User object. | Read
LineServerURI | Single-valued, string | Gets or sets the value of the Line Server URI option for the Skype for Business Server user. | Read, write
LineURI | Single-valued, string | Gets or sets the value of the Line URI option for the Skype for Business Server user. | Read, write
LocationPolicy | Single-valued, reference | Gets or sets the value of the Location policy option for the Skype for Business Server user. | Read, write
ObjectClass | Single-valued, string | Gets the type of the Skype for Business Server object. For possible Skype for Business Server object types, see the table at the beginning of the section titled Skype for Business Server data supported out of the box. | Read
PinPolicy | Single-valued, reference | Gets or sets the value of the Pin policy option for the Skype for Business Server user. | Read, write
PrivateLine | Single-valued, string | Gets or sets the phone number for the user's private telephone line. This private phone number is not published in Active Directory. | Read, write
RegistrarPool | Single-valued, string | Gets or sets the value of the Registrar pool option for the Skype for Business Server user. | Read, write
SipAddress | Single-valued, string | Gets or sets the value of the SIP address option for the Skype for Business Server user. SIP address is a unique identifier that allows the user to communicate by using devices that support Session Initiation Protocol (SIP). | Read, write

ArchivingPolicy object attributes

Table 11: ArchivingPolicy object attributes

Attribute | Type | Description | Supported operations
Description | Single-valued, string | Gets the policy description. | Read
Identity | Single-valued, string | Gets the unique identifier of the policy. | Read
Members | Multivalued, reference | Gets or sets the user accounts to which the policy is applicable. | Read, write
Name | Single-valued, string | Gets the name of the policy. | Read
ObjectClass | Single-valued, string | Gets the type of the Skype for Business Server object. For possible Skype for Business Server object types, see the table at the beginning of the section titled Skype for Business Server data supported out of the box. | Read

ClientPolicy object attributes

Table 12: ClientPolicy object attributes

Attribute | Type | Description | Supported operations
Description | Single-valued, string | Gets the policy description. | Read
Identity | Single-valued, string | Gets the unique identifier of the policy. | Read
Members | Multivalued, reference | Gets or sets the user accounts to which the policy is applicable. | Read, write
Name | Single-valued, string | Gets the name of the policy. | Read
ObjectClass | Single-valued, string | Gets the type of the Skype for Business Server object. For possible Skype for Business Server object types, see the table at the beginning of the section titled Skype for Business Server data supported out of the box. | Read

ClientVersionPolicy object attributes

Table 13: ClientVersionPolicy attributes

Attribute | Type | Description | Supported operations
Description | Single-valued, string | Gets the policy description. | Read
Identity | Single-valued, string | Gets the unique identifier of the policy. | Read
Members | Multivalued, reference | Gets or sets the user accounts to which the policy is applicable. | Read, write
Name | Single-valued, string | Gets the name of the policy. | Read
ObjectClass | Single-valued, string | Gets the type of the Skype for Business Server object. For possible Skype for Business Server object types, see the table at the beginning of the section titled Skype for Business Server data supported out of the box. | Read

ConferencingPolicy object attributes

Table 14: ConferencingPolicy object attributes

Attribute | Type | Description | Supported operations
Description | Single-valued, string | Gets the policy description. | Read
Identity | Single-valued, string | Gets the unique identifier of the policy. | Read
Members | Multivalued, reference | Gets or sets the user accounts to which the policy is applicable. | Read, write
Name | Single-valued, string | Gets the name of the policy. | Read
ObjectClass | Single-valued, string | Gets the type of the Skype for Business Server object. For possible Skype for Business Server object types, see the table at the beginning of the section titled Skype for Business Server data supported out of the box. | Read

DialPlanPolicy object attributes

Table 15: DialPlanPolicy object attributes

Attribute | Type | Description | Supported operations
Description | Single-valued, string | Gets the policy description. | Read
Identity | Single-valued, string | Gets the unique identifier of the policy. | Read
Members | Multivalued, reference | Gets or sets the user accounts to which the policy is applicable. | Read, write
Name | Single-valued, string | Gets the name of the policy. | Read
ObjectClass | Single-valued, string | Gets the type of the Skype for Business Server object. For possible Skype for Business Server object types, see the table at the beginning of the section titled Skype for Business Server data supported out of the box. | Read

ExternalAccessPolicy object attributes

Table 16: ExternalAccessPolicy object attributes

Attribute | Type | Description | Supported operations
Description | Single-valued, string | Gets the policy description. | Read
Identity | Single-valued, string | Gets the unique identifier of the policy. | Read
Members | Multivalued, reference | Gets or sets the user accounts to which the policy is applicable. | Read, write
Name | Single-valued, string | Gets the name of the policy. | Read
ObjectClass | Single-valued, string | Gets the type of the Skype for Business Server object. For possible Skype for Business Server object types, see the table at the beginning of the section titled Skype for Business Server data supported out of the box. | Read

LocationPolicy object attributes

Table 17: LocationPolicy object attributes

Attribute | Type | Description | Supported operations
Description | Single-valued, string | Gets the policy description. | Read
Identity | Single-valued, string | Gets the unique identifier of the policy. | Read
Members | Multivalued, reference | Gets or sets the user accounts to which the policy is applicable. | Read, write
Name | Single-valued, string | Gets the name of the policy. | Read
ObjectClass | Single-valued, string | Gets the type of the Skype for Business Server object. For possible Skype for Business Server object types, see the table at the beginning of the section titled Skype for Business Server data supported out of the box. | Read

MobilityPolicy object attributes

Table 18: MobilityPolicy attributes

Attribute | Type | Description | Supported operations
Description | Single-valued, string | Gets the policy description. | Read
Identity | Single-valued, string | Gets the unique identifier of the policy. | Read
Members | Multivalued, reference | Gets or sets the user accounts to which the policy is applicable. | Read, write
Name | Single-valued, string | Gets the name of the policy. | Read
ObjectClass | Single-valued, string | Gets the type of the Skype for Business Server object. For possible Skype for Business Server object types, see the table at the beginning of the section titled Skype for Business Server data supported out of the box. | Read

PersistentChatPolicy object attributes

Table 19: PersistentChatPolicy attributes

Attribute | Type | Description | Supported operations
Description | Single-valued, string | Gets the policy description. | Read
Identity | Single-valued, string | Gets the unique identifier of the policy. | Read
Members | Multivalued, reference | Gets or sets the user accounts to which the policy is applicable. | Read, write
Name | Single-valued, string | Gets the name of the policy. | Read
ObjectClass | Single-valued, string | Gets the type of the Skype for Business Server object. For possible Skype for Business Server object types, see the table at the beginning of the section titled Skype for Business Server data supported out of the box. | Read

PinPolicy object attributes

Table 20: PinPolicy attributes

Attribute | Type | Description | Supported operations
Description | Single-valued, string | Gets the policy description. | Read
Identity | Single-valued, string | Gets the unique identifier of the policy. | Read
Members | Multivalued, reference | Gets or sets the user accounts to which the policy is applicable. | Read, write
Name | Single-valued, string | Gets the name of the policy. | Read
ObjectClass | Single-valued, string | Gets the type of the Skype for Business Server object. For possible Skype for Business Server object types, see the table at the beginning of the section titled Skype for Business Server data supported out of the box. | Read

VoicePolicy object attributes

Table 21: VoicePolicy attributes

Attribute | Type | Description | Supported operations
Description | Single-valued, string | Gets the policy description. | Read
Identity | Single-valued, string | Gets the unique identifier of the policy. | Read
Members | Multivalued, reference | Gets or sets the user accounts to which the policy is applicable. | Read, write
Name | Single-valued, string | Gets the name of the policy. | Read
ObjectClass | Single-valued, string | Gets the type of the Skype for Business Server object. For possible Skype for Business Server object types, see the table at the beginning of the section titled Skype for Business Server data supported out of the box. | Read

Skype for BusinessSettings object attributes

Table 22: Skype for BusinessSettings attributes

Attribute | Type | Description | Supported operations
Domains | Multivalued, string | Gets information about Session Initiation Protocol (SIP) domains existing in your organization. | Read
Identity | Single-valued, string | Gets the unique identifier of the Skype for Business Server object. | Read
ObjectClass | Single-valued, string | Gets the type of the Skype for Business Server object. For possible Skype for Business Server object types, see the table at the beginning of the section titled Skype for Business Server data supported out of the box. | Read
Pools | Multivalued, string | Gets information about Skype for Business Server pools. A pool is a collection of computers that all run the same set of Skype for Business Server services. | Read
ServerVersion | Single-valued, string | Gets the Skype for Business Server version. | Read

Attributes required to create a Skype for Business Server user
To create a Skype for Business Server user, you must populate the following required
attributes provided by Synchronization Service:

• RegistrarPool
• SipAddress
• DistinguishedName, DisplayName, or Identity

For more information about the attributes listed above, see User object attributes.

Getting or setting the Telephony option value in Skype for Business Server
To get or set the Telephony option value for a Skype for Business Server user object, you
need to use the following attributes provided by Synchronization Service:

• AudioVideoDisabled
• EnterpriseVoiceEnabled
• RemoteCallControlTelephonyEnabled

For more information about these and other attributes that Synchronization Service
provides for a Skype for Business Server user object, see User object attributes.
The next table describes the combinations of the attribute values that correspond to a
particular value in the Telephony option.

Table 23: Telephony option: Combinations of attribute values

Telephony option value in Skype for Business Server | AudioVideoDisabled | EnterpriseVoiceEnabled | RemoteCallControlTelephonyEnabled
Audio/video disabled | TRUE | FALSE | FALSE
PC-to-PC only | FALSE | FALSE | FALSE
Enterprise voice | FALSE | TRUE | FALSE
Remote call control | FALSE | FALSE | TRUE
Remote call control only | TRUE | FALSE | TRUE
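The combinations in Table 23, as an added example that is not code from the guide or from One Identity: a Python check that classifies user records by Telephony option, flags attribute combinations the table does not define (which the three separate Boolean attributes make easy to produce by accident), and computes the minimal attribute writes for a change. The attribute names are the guide's; the record layout and the Identity values are constructed assumptions.

```python
"""Telephony option checks for Skype for Business Server user records.

Added example, not code from the Active Roles guide or from One Identity.
It reproduces Table 23 (the attribute combinations that define the
Telephony option) and uses it to classify user records before they are
synchronized and to compute the attribute writes needed for a change.
The record layout and the sample data below are constructed for illustration.
"""

ATTRIBUTES = (
    "AudioVideoDisabled",
    "EnterpriseVoiceEnabled",
    "RemoteCallControlTelephonyEnabled",
)

# Table 23 of the guide, keyed by the attribute values in ATTRIBUTES order.
TELEPHONY_OPTIONS = {
    (True, False, False): "Audio/video disabled",
    (False, False, False): "PC-to-PC only",
    (False, True, False): "Enterprise voice",
    (False, False, True): "Remote call control",
    (True, False, True): "Remote call control only",
}


def parse_bool(value):
    """Accept the Boolean spellings commonly seen in sync data; reject anything else."""
    if isinstance(value, bool):
        return value
    text = str(value).strip().upper()
    if text in ("TRUE", "1", "YES"):
        return True
    if text in ("FALSE", "0", "NO"):
        return False
    raise ValueError(f"not a Boolean value: {value!r}")


def _current_values(record):
    """Read the three Telephony attributes from a record, requiring all of them."""
    current = {}
    for name in ATTRIBUTES:
        if name not in record:
            raise ValueError(f"missing attribute {name}")
        current[name] = parse_bool(record[name])
    return current


def telephony_option(record):
    """Return the Telephony option that a record's three attributes encode.

    Raises ValueError when an attribute is missing, not Boolean, or when the
    combination is not one of the five rows of Table 23 (for example
    EnterpriseVoiceEnabled and RemoteCallControlTelephonyEnabled both TRUE).
    """
    current = _current_values(record)
    key = tuple(current[name] for name in ATTRIBUTES)
    if key not in TELEPHONY_OPTIONS:
        raise ValueError("combination not defined in Table 23: "
                         + ", ".join(f"{n}={v}" for n, v in current.items()))
    return TELEPHONY_OPTIONS[key]


def attribute_writes(record, desired_option):
    """Return only the attributes that must change to reach desired_option.

    Unknown option names raise ValueError; a record already in the desired
    state yields an empty dict, so nothing is written for it.
    """
    targets = [k for k, v in TELEPHONY_OPTIONS.items() if v == desired_option]
    if not targets:
        raise ValueError(f"unknown Telephony option {desired_option!r}")
    wanted = dict(zip(ATTRIBUTES, targets[0]))
    current = _current_values(record)
    return {name: wanted[name] for name in ATTRIBUTES if current[name] != wanted[name]}


def classify(records):
    """Split records into (Identity -> option) and (Identity -> problem) dicts."""
    valid, invalid = {}, {}
    for rec in records:
        ident = rec.get("Identity", "<no Identity>")
        try:
            valid[ident] = telephony_option(rec)
        except ValueError as exc:
            invalid[ident] = str(exc)
    return valid, invalid


# Constructed sample records; the Identity values are placeholders.
SAMPLE_RECORDS = [
    {"Identity": "user-01", "AudioVideoDisabled": "FALSE",
     "EnterpriseVoiceEnabled": "TRUE", "RemoteCallControlTelephonyEnabled": "FALSE"},
    {"Identity": "user-02", "AudioVideoDisabled": "TRUE",
     "EnterpriseVoiceEnabled": "FALSE", "RemoteCallControlTelephonyEnabled": "TRUE"},
    {"Identity": "user-03", "AudioVideoDisabled": "FALSE",
     "EnterpriseVoiceEnabled": "TRUE", "RemoteCallControlTelephonyEnabled": "TRUE"},
    {"Identity": "user-04", "AudioVideoDisabled": "FALSE",
     "EnterpriseVoiceEnabled": "FALSE"},
]

if __name__ == "__main__":
    ok, bad = classify(SAMPLE_RECORDS)
    for ident, option in ok.items():
        print(f"{ident}: {option}")
    for ident, problem in bad.items():
        print(f"{ident}: SKIPPED ({problem})")
    # user-01 is Enterprise voice; switching it to PC-to-PC only needs one write.
    print(attribute_writes(SAMPLE_RECORDS[0], "PC-to-PC only"))
```

Records that classify() reports as invalid are the ones a sync step would write into an undefined state; reviewing them before the run is cheaper than untangling the result afterwards.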

Working with Oracle
This section explains how to create or modify a connection to Oracle Database and Oracle
Database User Accounts so that Synchronization Service can work with database and
user account data in the system.

Working with Oracle Database

This section describes how to create or modify a connection to Oracle Database so that
Synchronization Service can work with data in that data system. This section also
describes what data you can read and/or write in Oracle Database by using
Synchronization Service.
To create a connection to Oracle Database, you need to use Synchronization Service in
conjunction with a special connector called Oracle Database Connector. This connector is
included in the Synchronization Service package.
The Oracle Database Connector supports the following features:

Table 24: Supported features

Feature | Supported
Bidirectional synchronization | Yes
  Allows you to read and write data in the connected data system.
Delta processing mode | No
  Allows you to more quickly synchronize identity data by processing only the data that has
  changed in the source and target systems since their last synchronization.
Password synchronization | No
  Allows you to synchronize user passwords from an Active Directory domain to the
  connected data system.
  Password synchronization is only supported for user accounts that are authenticated
  entirely by Oracle Database. The Oracle Database Connector does not support password
  synchronization for Oracle Database user accounts that use external or global
  authentication in Oracle terms.

In this section:

• Creating an Oracle Database connection
• Modifying an existing Oracle Database connection
• Sample SQL queries

Creating an Oracle Database connection

To create a new connection

1. Make sure that the Synchronization Service computer has the following software installed:
   • Oracle Client. Ensure Oracle Client is configured to connect to the Oracle service that can be used to access the Oracle Database that hosts the data you want to work with.
   • Oracle Net Services
   • Oracle Data Provider for .NET
   For supported versions of this software, see the System Requirements section in the Active Roles Release Notes.
2. In the Synchronization Service Administration Console, open the Connections tab.
3. Click Add connection, and then use the following options:
   • Connection name. Type a descriptive name for the connection.
   • Use the specified connector. Select Oracle Database Connector.
4. Click Next.
5. On the Specify connection settings page, use the following options:
   • Oracle service name. Specify the name of the Oracle service you want to use to access Oracle Database. You can click Refresh to get a list of available Oracle services.
   • Access Oracle service with. Type the user name and password of the account with which you want to access the Oracle service.
   • Test Connection. Click this button to verify the specified connection settings.
6. Click Next.
7. On the Specify how to select and modify data page, use the following options:
   • Use data from this table. Allows you to select a database table that includes the data you want to participate in the synchronization operations. You can click Preview to preview the database table you have selected.
   • Use an SQL query to specify data. Allows you to compose an SQL query that provides a more flexible way of specifying the data for synchronization. For example, you can use this option to specify multiple database tables.
8. Click Next.
9. On the Specify attributes to identify objects page, use the following options:
   • Available attributes. Lists the attributes that are available in the external data system. Use this list to select the attributes whose values you want to use to generate a unique identifier for each object in the external data system. You can filter attributes by typing in the text box at the top of this list. To select multiple attributes, hold down CTRL and click to select attributes in the list.
   • UniqueID attributes. Lists the attributes whose values are currently used to generate a unique identifier for each object in the external data system.
   • Add->. Moves the selected attributes from the Available attributes list to the UniqueID attributes list.
   • <-Remove. Moves the selected attributes from the UniqueID attributes list to the Available attributes list.
   • Constructed UniqueID. Displays a combination of the attributes whose values will make up a unique identifier for each object in the external data system.
10. Click Finish to create a connection to Oracle Database.
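The query entered under Use an SQL query to specify data runs under the account given in Access Oracle service with, so that account only needs to read what the query touches. The following is an added example, not from this guide, of one way to keep that account least-privileged: a view that exposes only the columns to be synchronized, a dedicated read-only account, and the query to enter in the wizard. The schema HR_APP, the tables EMPLOYEES and EMAIL_ADDRESSES, the view SYNC_IDENTITIES and the account SYNC_SVC are hypothetical names, and the password is a placeholder.

```sql
-- Added example, not from the One Identity guide. All object names are hypothetical.
-- Run once as the owner of the HR_APP schema (or a DBA).

-- 1. Expose only the columns Synchronization Service needs, joined from two tables.
--    EMPLOYEE_ID is a surrogate key that never changes, which makes it the attribute
--    to use on the "Specify attributes to identify objects" page; names and e-mail
--    addresses change over time and would not identify an object reliably.
CREATE OR REPLACE VIEW HR_APP.SYNC_IDENTITIES AS
SELECT e.EMPLOYEE_ID,
       e.LOGIN_NAME,
       e.FIRST_NAME,
       e.LAST_NAME,
       m.EMAIL_ADDRESS
FROM   HR_APP.EMPLOYEES e
       LEFT JOIN HR_APP.EMAIL_ADDRESSES m
              ON m.EMPLOYEE_ID = e.EMPLOYEE_ID
             AND m.IS_PRIMARY = 'Y'
WHERE  e.STATUS = 'ACTIVE';

-- 2. A dedicated account for the connection: it can log on and read the view,
--    but has no access to the underlying tables or to any other schema.
CREATE USER SYNC_SVC IDENTIFIED BY "PLACEHOLDER_PASSWORD";   -- placeholder, set a real one
GRANT CREATE SESSION TO SYNC_SVC;
GRANT SELECT ON HR_APP.SYNC_IDENTITIES TO SYNC_SVC;

-- 3. The query to enter under "Use an SQL query to specify data" when the
--    connection authenticates as SYNC_SVC.
SELECT EMPLOYEE_ID, LOGIN_NAME, FIRST_NAME, LAST_NAME, EMAIL_ADDRESS
FROM   HR_APP.SYNC_IDENTITIES;
```

On the Specify attributes to identify objects page, move EMPLOYEE_ID to UniqueID attributes; an attribute such as LOGIN_NAME or EMAIL_ADDRESS can change, and a changed identifier makes the object look like a different one. If the same connection also writes to Oracle, grant INSERT and UPDATE on the specific target table to SYNC_SVC rather than widening the grant to the whole schema.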

Modifying an existing Oracle Database connection

To modify connection settings

1. Make sure that the Synchronization Service computer has the following software installed:
   • Oracle Client. Ensure Oracle Client is configured to connect to the Oracle service that can be used to access the Oracle Database that hosts the data you want to work with.
   • Oracle Net Services
   • Oracle Data Provider for .NET
   For supported versions of this software, see the System Requirements section in the Active Roles Release Notes.
2. In the Synchronization Service Administration Console, open the Connections tab.
3. Click Connection settings below the existing Oracle Database connection you want to modify.
4. On the Connection Settings tab, click an appropriate item to expand it and use the options it provides. You can expand the following items:
   • Specify connection settings
   • Advanced
   • Specify attributes to identify objects
5. Click Save.

Specify connection settings

This expandable item provides the following options that allow you to modify the connection settings:

• Oracle service name. Specify the name of the Oracle service you want to use to access Oracle Database. You can click Refresh to get a list of available Oracle services.
• Access Oracle service with. Type the user name and password of the account with which you want to access the Oracle service.
• Test Connection. Click this button to verify the specified connection settings.

Advanced

This expandable item provides the following options that allow you to specify custom SQL queries which will automatically run each time Synchronization Service has created, updated, or deleted a user account in Oracle Database:

• SQL queries to run after user provisioned. Lists the SQL queries you want to run each time Synchronization Service has created a user account in Oracle Database.
• SQL queries to run after user updated. Lists the SQL queries you want to run each time Synchronization Service has updated a user account in Oracle Database.
• SQL queries to run after user deprovisioned. Lists the SQL queries you want to run each time Synchronization Service has deleted a user account in Oracle Database.

Below each of these options you can use these buttons:

• Add. Adds a new SQL query to the list.
• Edit. Allows you to edit the SQL query selected in the list.
• Delete. Deletes the SQL query selected in the list.

SQL queries run in the order they are listed. If necessary, you can rearrange the SQL queries in the lists: select an SQL query in the appropriate list, and then click the up or down arrow button to move the query as necessary.

Specify attributes to identify objects

This expandable item provides the following options that allow you to specify the attributes with which you want to uniquely identify each object in the connected data system:

• Available attributes. Lists the attributes that are available in the external data system. Use this list to select the attributes whose values you want to use to generate a unique identifier for each object in the external data system. You can filter attributes by typing in the text box at the top of this list. To select multiple attributes, hold down CTRL and click to select attributes in the list.
• UniqueID attributes. Lists the attributes whose values are currently used to generate a unique identifier for each object in the external data system.
• Add->. Moves the selected attributes from the Available attributes list to the UniqueID attributes list.
• <-Remove. Moves the selected attributes from the UniqueID attributes list to the Available attributes list.
• Constructed UniqueID. Displays a combination of the attributes whose values will make up a unique identifier for each object in the external data system.

Sample SQL queries

The sample queries provided in this section are only applicable if Synchronization Service is connected to the target Oracle Database through the Oracle Database Connector.

Sample SQL query 1

This SQL query illustrates how to add a new entry to the table named SQLConnTest1 in Oracle Database to which you want to provision data from another connected system.

Table 25: Add a new entry to the SQLConnTest1 table

Database table structure:

  CREATE TABLE SQLConnTest1(Id number, attr1 nchar(64), attr2 nchar(64))

Sample query:

  Insert into SQLConnTest1(attr1) values (:attr1) returning Id into :Id

In this sample query, Id stands for the attribute that uniquely identifies each object in Oracle Database. Note that the table and column names are unquoted in both statements: Oracle folds unquoted identifiers to upper case, so the unquoted names in the query would not match a table created with quoted, mixed-case names.

Sample SQL query 2

This SQL query illustrates how to create a new user in Oracle Database:

  call dbms_utility.exec_ddl_statement('CREATE USER ' || :USERNAME || ' IDENTIFIED BY ' || :newPassword)

In this sample query:

• USERNAME refers to the name of the attribute that uniquely identifies a user in Oracle Database.
• newPassword refers to the name of the attribute that will store the initial password you want to set for the Oracle Database user being created.
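Sample SQL query 2 builds a DDL statement by concatenating the attribute values into it, so whatever arrives in USERNAME or newPassword becomes part of the statement text that dbms_utility.exec_ddl_statement executes. The following added example, not from this guide, is a hardened variant for the SQL queries to run after user provisioned list: it passes both values through Oracle's DBMS_ASSERT package, so a value that is not a valid identifier makes the query fail with ORA-44003 instead of running a reshaped statement, and it adds a second list entry that grants only the right to log on. The bind variables :USERNAME and :newPassword are the ones from the original sample; PASSWORD EXPIRE is an added choice, not something the guide specifies.

```sql
-- Added example, not from the One Identity guide: hardened variant of sample SQL query 2.
-- :USERNAME and :newPassword are the bind variables the guide's own sample uses.

-- List entry 1: create the account.
--   dbms_assert.simple_sql_name returns its input unchanged when it is a valid SQL
--   identifier (plain, or enclosed in double quotes) and raises ORA-44003 otherwise,
--   so a value containing spaces, quotes or keywords cannot change the statement.
--   dbms_assert.enquote_name then wraps the validated name in double quotes and
--   upper-cases it, giving the same account name the unquoted original creates.
--   The unquoted IDENTIFIED BY clause already requires an identifier-like password
--   (or one the mapping rule has wrapped in double quotes); simple_sql_name makes that
--   rule explicit and rejects anything else before any DDL runs.
--   PASSWORD EXPIRE makes the user replace the synchronized initial password at first logon.
call dbms_utility.exec_ddl_statement(
       'CREATE USER '
    || dbms_assert.enquote_name(dbms_assert.simple_sql_name(:USERNAME))
    || ' IDENTIFIED BY '
    || dbms_assert.simple_sql_name(:newPassword)
    || ' PASSWORD EXPIRE')

-- List entry 2 (queries run in the order listed, so this follows the CREATE USER):
-- grant only the privilege to log on; object privileges belong in separate, explicit grants.
call dbms_utility.exec_ddl_statement(
       'GRANT CREATE SESSION TO '
    || dbms_assert.enquote_name(dbms_assert.simple_sql_name(:USERNAME)))
```

The account entered under Access Oracle service with must hold CREATE USER and, for the second entry, CREATE SESSION WITH ADMIN OPTION; keep such a provisioning connection separate from a connection that only reads data. Leave out PASSWORD EXPIRE if the initial password is meant to stay valid, for example where password synchronization from Active Directory is expected to keep the Oracle password in step with the AD one.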

Working with Oracle Database user accounts

This section describes how to create or modify a connection to Oracle Database user accounts so that Synchronization Service can work with Oracle Database user account data in that data system. This section also describes what data you can read and/or write in Oracle Database user accounts by using Synchronization Service.

To create a connection to Oracle Database user accounts and work with the user accounts in that data system, you need to use Synchronization Service in conjunction with a special connector called Oracle Database User Accounts Connector. This connector is included in the Synchronization Service package.

The Oracle Database User Accounts Connector supports the following features:

Table 26: Supported features

Bidirectional synchronization
  Supported: Yes
  Allows you to read and write data in the connected data system.

Delta processing mode
  Supported: No
  Allows you to more quickly synchronize identity data by processing only the data that has changed in the source and target systems since their last synchronization.

Password synchronization
  Supported: Yes
  Allows you to synchronize user passwords from an Active Directory domain to the connected data system. Password synchronization is only supported for user accounts that are authenticated entirely by Oracle Database. The Oracle Database User Accounts Connector does not support password synchronization for Oracle Database user accounts that use external or global authentication in Oracle terms.

In this section:

• Creating an Oracle Database user accounts connection
• Modifying an existing Oracle Database user account connection
• Sample SQL queries

Creating an Oracle Database user accounts connection

To create a new connection

1. In the Synchronization Service Administration Console, open the Connections tab.
2. Click Add connection, and then use the following options:
   • Connection name. Type a descriptive name for the connection.
   • Use the specified connector. Select Oracle Database User Accounts Connector.
3. Click Next.
4. On the Specify connection settings page, use the following options:
   • Oracle service name. Specify the name of the Oracle service you want to use to access Oracle Database. You can click Refresh to get a list of available Oracle services.
   • Access Oracle service with. Type the user name and password of the account with which you want to access the Oracle service.
   • Test Connection. Click this button to verify the specified connection settings.
5. Click Next.
6. On the Specify how to select and modify data page, use the following options:
   • Use data from this table. Allows you to select a database table that includes the data you want to participate in the synchronization operations. You can click Preview to preview the database table you have selected.
   • Use an SQL query to specify data. Allows you to compose an SQL query that provides a more flexible way of specifying the data for synchronization. For example, you can use this option to specify multiple database tables.
7. Click Next.
8. On the Specify attributes to identify objects page, use the following options:
   • Oracle service name. Specify the name of the Oracle service you want to use to access Oracle Database. You can click Refresh to get a list of available Oracle services.
   • Access Oracle service with. Type the user name and password of the account with which you want to access the Oracle service.
   • Test Connection. Click this button to verify the specified connection settings.
9. Click Finish to create a connection to Oracle Database.

After connecting Synchronization Service to Oracle Database with the Oracle Database User Accounts Connector, you can specify custom SQL queries you want to automatically run each time after Synchronization Service has created, updated, or deleted a user account in Oracle Database User Accounts. For more information, see Modifying an existing Oracle Database user account connection.

Modifying an existing Oracle Database user account connection

To modify connection settings

1. In the Synchronization Service Administration Console, open the Connections tab.
2. On the Connection Settings tab, click an appropriate item to expand it and use the options it provides. You can expand the following items:
   • Specify connection settings
   • Advanced
3. Click Save.

Specify connection settings

This expandable item provides the following options that allow you to modify the connection settings:

• Oracle service name. Specify the name of the Oracle service you want to use to access Oracle Database user accounts. You can click Refresh to get a list of available Oracle services.
• Access Oracle service with. Type the user name and password of the account with which you want to access the Oracle service.
• Test Connection. Click this button to verify the specified connection settings.

Advanced

This expandable item provides the following options that allow you to specify custom SQL queries which will automatically run each time Synchronization Service has created, updated, or deleted a user account in Oracle Database:

• SQL queries to run after user provisioned. Lists the SQL queries you want to run each time Synchronization Service has created a user account in Oracle Database.
• SQL queries to run after user updated. Lists the SQL queries you want to run each time Synchronization Service has updated a user account in Oracle Database.
• SQL queries to run after user deprovisioned. Lists the SQL queries you want to run each time Synchronization Service has deleted a user account in Oracle Database.

Below each of these options you can use these buttons:

• Add. Adds a new SQL query to the list.
• Edit. Allows you to edit the SQL query selected in the list.
• Delete. Deletes the SQL query selected in the list.

SQL queries run in the order they are listed. If necessary, you can rearrange the SQL queries in the lists: select an SQL query in the appropriate list, and then click the up or down arrow button to move the query as necessary.

Sample SQL queries

The sample queries provided in this section are only applicable if Synchronization Service is connected to the target Oracle Database system through the Oracle Database User Accounts Connector.

Sample SQL query 1

This SQL query illustrates how to call a specific Oracle stored procedure:

  CALL "<ProcedureName>"('&USERNAME')

In this query:

• ProcedureName specifies the name of the Oracle stored procedure you want to call.
• USERNAME refers to the name of the attribute that uniquely identifies a user in the target Oracle Database system.

Sample SQL query 2

This SQL query illustrates how to create a new user in Oracle Database:

  insert into DatabaseTable(ColumnName) values (upper('&USERNAME'))

In this sample query:

• DatabaseTable specifies the name of the table into which the entry will be added.
• USERNAME refers to the name of the attribute that uniquely identifies a user in the target Oracle Database system.
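Both queries above place the account name directly in the statement text ('&USERNAME' reads as a textual substitution, which this guide does not describe further; the example below assumes the connector expands it as text before the statement runs). The following added example, not from this guide, keeps the connector entry as small as Sample SQL query 1 and moves the work into a stored procedure that runs with its owner's privileges: it confirms that the account exists, grants it only CREATE SESSION, and records the event in an audit table. The schema SYNC_ADMIN, the procedure SYNC_AFTER_PROVISION, the table SYNC_PROVISION_LOG and the connection account SYNC_SVC are hypothetical names; the example also assumes the connector creates accounts with upper-case names, as an unquoted CREATE USER does.

```sql
-- Added example, not from the One Identity guide. SYNC_ADMIN, SYNC_PROVISION_LOG,
-- SYNC_AFTER_PROVISION and SYNC_SVC are hypothetical names. Create these objects once, as SYNC_ADMIN.

CREATE TABLE SYNC_ADMIN.SYNC_PROVISION_LOG (
  username    VARCHAR2(128)  NOT NULL,
  event       VARCHAR2(16)   NOT NULL,
  event_time  TIMESTAMP      DEFAULT SYSTIMESTAMP NOT NULL
);

-- Definer's-rights procedure: it runs with SYNC_ADMIN's privileges, so the account the
-- connection uses only needs EXECUTE on it and never holds a system privilege itself.
CREATE OR REPLACE PROCEDURE SYNC_ADMIN.SYNC_AFTER_PROVISION (p_username IN VARCHAR2) AS
  v_name VARCHAR2(128);
BEGIN
  -- dbms_assert.schema_name raises ORA-44001 unless the value names an existing
  -- account, so a mangled or unexpected value stops here, before any grant is made.
  -- Assumes the connector created the account with an upper-case name.
  v_name := DBMS_ASSERT.SCHEMA_NAME(UPPER(p_username));

  -- enquote_name(v_name, FALSE) double-quotes the verified name without altering it;
  -- CREATE SESSION is the only privilege granted here.
  EXECUTE IMMEDIATE 'GRANT CREATE SESSION TO ' || DBMS_ASSERT.ENQUOTE_NAME(v_name, FALSE);

  INSERT INTO SYNC_ADMIN.SYNC_PROVISION_LOG (username, event)
  VALUES (v_name, 'PROVISIONED');
  COMMIT;  -- assumption: the connector does not commit on the procedure's behalf

  -- No exception handler on purpose: an error is returned to Synchronization Service
  -- instead of being swallowed, so a failed post-provisioning step is visible.
END;
/

-- The connection account can call the procedure and nothing more.
GRANT EXECUTE ON SYNC_ADMIN.SYNC_AFTER_PROVISION TO SYNC_SVC;

-- The entry for "SQL queries to run after user provisioned", in the form of
-- Sample SQL query 1 (enter it in the list; it is not part of the one-time setup above):
CALL "SYNC_ADMIN"."SYNC_AFTER_PROVISION"('&USERNAME')
```

SYNC_ADMIN must hold CREATE SESSION WITH ADMIN OPTION granted directly, not through a role, because roles are not active inside a definer's-rights procedure. Validation inside the procedure cannot help with a value that already breaks the quoted literal in the CALL statement, so the attribute mapped to USERNAME should be constrained on the source side as well.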

Working with Exchange Server

This section describes how to create or modify a connection to Microsoft Exchange Server so that Synchronization Service can read and write data in that data system. This section also describes what data you can read and/or write in Exchange Server by using Synchronization Service.

To create a connection to Microsoft Exchange Server, you need to use Synchronization Service in conjunction with a special connector called Exchange Server Connector. This connector is included in the Synchronization Service package.

The Exchange Server Connector supports the following features:

Table 27: Supported features

Bidirectional synchronization
  Supported: Yes
  Allows you to read and write data in the connected data system.

Delta processing mode
  Supported: No
  Allows you to more quickly synchronize identity data by processing only the data that has changed in the source and target systems since their last synchronization.

Password synchronization
  Supported: No
  Allows you to synchronize user passwords from an Active Directory domain to the connected data system.

In this section:

• Creating a new connection to Exchange Server
• Modifying an existing connection to Exchange Server
• Exchange Server data supported out of the box
Creating a new connection to Exchange Server

To create a new connection

1. In the Synchronization Service Administration Console, open the Connections tab.
2. Click Add connection, and then do the following:
   a. In the Connection name box, type a descriptive name for the connection.
   b. From the Use the specified connector list, select Exchange Server Connector.
   c. Click Next.
3. On the Specify connection settings page, use the following options:
   a. Select the Exchange Server version to which you want to connect. If you select the Automatically select latest version option, the connector searches your environment for available Exchange Server 2019, 2016, 2013, or 2010, and connects to the latest of these versions found. Use the Automatically select latest version option only together with the Any available Exchange Server in the forest option.
   b. Connect to. Choose how you want to connect to Exchange Server by selecting one of the following:
      • Any available Exchange Server in the forest. Allows you to connect to any available Exchange Server computer residing in the Active Directory forest you specify. In the Domain in the forest text box, type the fully qualified domain name (FQDN) of any domain that belongs to the forest that includes the Exchange Server you want to connect to. If you select this option, make sure the account you specify under Access Exchange Server using has sufficient permissions to read the Root Directory Service Entry (rootDSE) and configuration naming context of the forest.
      • Specified Exchange Server. Allows you to connect to the Exchange Server computer whose fully qualified domain name (FQDN) you type in the provided text box.
   • Advanced. Opens a dialog box that allows you to specify advanced options for connecting to Exchange Server and reading and writing Exchange configuration data in Active Directory.
      • Options related to reading and writing Exchange configuration data in Active Directory:
         • Use default domain controller. Causes Synchronization Service to read and write Exchange configuration data in Active Directory by using the default domain controller defined on the Exchange Server used for the connection.
         • Use specified domain controller. Causes Synchronization Service to read and write Exchange configuration data in Active Directory by using the domain controller whose FQDN is specified in the text box below this option.
      • Options related to connecting to Exchange Server:
         • Connect using HTTPS. Select this check box to connect to Exchange Server by using HTTPS.
         • Validate server certificate. Select this check box to validate the server certificate on the target Exchange Server.
         • Authentication method. Select an authentication method to access Exchange Server.
   • Access Exchange Server using. Select one of the following access options:
      • Synchronization Service account. Allows you to access Exchange Server in the security context of the account under which the Synchronization Service is running.
      • Windows account. Allows you to access Exchange Server in the security context of the account whose user name and password you type in the provided text box.
   • Test Connection. Click this button to verify the specified connection settings.
4. Click Finish.

Modifying an existing connection to Exchange Server

To modify connection settings

1. In the Synchronization Service Administration Console, open the Connections tab.
2. Click Connection settings below the existing Exchange Server connection you want to modify.
3. Expand the Specify connection settings item to modify the options it provides:
   • Select the Exchange Server version to which you want to connect.
   • Connect to. Choose how you want to connect to Exchange Server by selecting one of the following:
      • Any available Exchange Server in the forest. Allows you to connect to an Exchange Server computer residing in the Active Directory forest you specify. In the Domain in the forest text box, type the fully qualified domain name (FQDN) of any domain that belongs to the forest that includes the Exchange Server you want to connect to. If you select this option, make sure the account you specify under Access Exchange Server using has sufficient permissions to read the Root Directory Service Entry (rootDSE) and configuration naming context of the forest.
      • Specified Exchange Server. Allows you to connect to the Exchange Server computer whose fully qualified domain name (FQDN) you type in the provided text box.
   • Advanced. Opens a dialog box that allows you to specify advanced options for connecting to Exchange Server and reading and writing Exchange configuration data in Active Directory.
      • Options related to reading and writing Exchange configuration data in Active Directory:
         • Use default domain controller. Causes Synchronization Service to read and write Exchange configuration data in Active Directory by using the default domain controller defined on the Exchange Server used for the connection.
         • Use specified domain controller. Causes Synchronization Service to read and write Exchange configuration data in Active Directory by using the domain controller whose FQDN is specified in the text box below this option.
      • Options related to connecting to Exchange Server:
         • Connect using HTTPS. Select this check box to connect to Exchange Server by using HTTPS.
         • Validate server certificate. Select this check box to validate the server certificate on the target Exchange Server.
         • Authentication method. Select an authentication method to access Exchange Server.
   • Access Exchange Server using. Select one of the following access options:
      • Synchronization Service account. Allows you to access Exchange Server in the security context of the account under which the Synchronization Service is running.
      • Windows account. Allows you to access Exchange Server in the security context of the account whose user name and password you type in the provided text box.
   • Test Connection. Click this button to verify the specified connection settings.
4. When you are finished, click Save.

Exchange Server data supported out of the box

The next table lists the Exchange Server object types supported by the Exchange Server Connector out of the box and the operations you can perform on these objects by using the connector.

Table 28: Supported objects and operations

ActiveSyncMailboxPolicy
  Read: Yes, Create: No, Delete: No, Update: No
  Allows you to read the Mobile Device mailbox policy settings for a specified Mobile Device mailbox policy. This object type is supported for Exchange Server 2013, 2016, and 2019.

AddressBookPolicy
  Read: Yes, Create: No, Delete: No, Update: No
  Allows you to read data related to address book policies. This object type is supported for Exchange Server 2013, 2016, and 2019.

AddressList
  Read: Yes, Create: No, Delete: No, Update: No
  Allows you to read data related to a specified address list. This object type is supported for Exchange Server 2013, 2016, and 2019.

DistributionGroup
  Read: Yes, Create: Yes, Delete: Yes, Update: Yes
  Allows you to read or write data related to a specified distribution group. This object type is supported for Exchange Server 2013, 2016, and 2019.

DynamicDistributionGroup
  Read: Yes, Create: Yes, Delete: Yes, Update: Yes
  Allows you to read or write data related to a specified dynamic distribution group. This object type is supported for Exchange Server 2013, 2016, and 2019.

ExchangeServer
  Read: Yes, Create: No, Delete: No, Update: No
  Allows you to read attribute values of a specified Exchange Server. This object type is supported for Exchange Server 2013, 2016, and 2019.

GlobalAddressList
  Read: Yes, Create: No, Delete: No, Update: No
  Allows you to read data related to a specified global address list (GAL). This object type is supported for Exchange Server 2013, 2016, and 2019.

Mailbox
  Read: Yes, Create: Yes, Delete: Yes, Update: Yes
  Allows you to read or write data related to a specified mailbox. This object type is supported for Exchange Server 2013, 2016, and 2019.

MailboxDatabase
  Read: Yes, Create: No, Delete: No, Update: No
  Allows you to read a specified mailbox database object. This object type is supported for Exchange Server 2013, 2016, and 2019.

MailContact
  Read: Yes, Create: Yes, Delete: Yes, Update: Yes
  Allows you to read or write data related to a specified mail-enabled contact. This object type is supported for Exchange Server 2013, 2016, and 2019.
  NOTE: The Exchange Server Connector cannot create new users in Active Directory. You can create new AD users with the Active Directory Connector.

MailUser
  Read: Yes, Create: Yes, Delete: Yes, Update: Yes
  Allows you to read or write data related to a specified mail-enabled user. This object type is supported for Exchange Server 2013, 2016, and 2019.
  NOTE: The Exchange Server Connector cannot create new users in Active Directory. You can create new AD users with the Active Directory Connector.

OfflineAddressBook
  Read: Yes, Create: No, Delete: No, Update: No
  Allows you to read data related to an offline address book (OAB). This object type is supported for Exchange Server 2013, 2016, and 2019.

OrganizationConfig
  Read: Yes, Create: No, Delete: No, Update: No
  Allows you to read configuration data of an Exchange organization. This object type is supported for Exchange Server 2013, 2016, and 2019.

OwaMailboxPolicy
  Read: Yes, Create: No, Delete: No, Update: No
  Allows you to read data related to Microsoft Office Outlook Web App mailbox policies in the Exchange organization. This object type is supported for Exchange Server 2013, 2016, and 2019.

PublicFolder
  Read: Yes, Create: No, Delete: No, Update: No
  Allows you to read data related to a public folder. This object type is supported for Exchange Server 2013, 2016, and 2019.

RoleAssignmentPolicy
  Read: Yes, Create: No, Delete: No, Update: No
  Allows you to read data related to a management role assignment policy. This object type is only supported for Exchange Server 2013, 2016, and 2019.

UmDialPlan
  Read: Yes, Create: No, Delete: No, Update: No
  Allows you to read data related to a Unified Messaging (UM) dial plan. This object type is supported for Exchange Server 2013, 2016, and 2019.

UmMailboxPolicy
  Read: Yes, Create: No, Delete: No, Update: No
  Allows you to read data related to a Unified Messaging (UM) mailbox policy. This object type is supported for Exchange Server 2013, 2016, and 2019.

For each of the above-listed Exchange Server object types, Synchronization Service provides a number of special attributes that allow you to read and/or write the data related to that object type in Exchange Server. You can access and use these attributes from the Synchronization Service Administration Console (for example, when selecting the source and target attributes you want to participate in the synchronization operation).

The next sections describe the attributes provided by Synchronization Service and explain what data you can read and/or write in Exchange Server by using a particular attribute.

In the next sections:

• ActiveSyncMailboxPolicy object attributes
• AddressBookPolicy object attributes
• AddressList object attributes
• DistributionGroup object attributes
• DynamicDistributionGroup object attributes
• ExchangeServer object attributes
• GlobalAddressList object attributes
• Mailbox object attributes
• MailContact object attributes
• MailboxDatabase object attributes
• MailUser object attributes
• OfflineAddressBook object attributes
• OrganizationConfig object attributes
• OwaMailboxPolicy object attributes
• PublicFolder object attributes
• PublicFolderDatabase object attributes
• RoleAssignmentPolicy object attributes
• StorageGroup object attributes
• UmDialPlan object attributes
• UmMailboxPolicy object attributes

ActiveSyncMailboxPolicy object attributes

Table 29: ActiveSyncMailboxPolicy attributes

ObjectID
  Type: Single-valued, string
  Description: Gets the globally unique object identifier (GUID) of the object.
  Supported operations: Read

Other attributes provided for the ActiveSyncMailboxPolicy object have the same names and descriptions as parameters of the following Exchange Management Shell cmdlet:

• Get-ActiveSyncMailboxPolicy

For more information, see the Exchange Management Shell Help topic for this cmdlet.

AddressBookPolicy object attributes

Table 30: AddressBookPolicy attributes

ObjectID
  Type: Single-valued, string
  Description: Gets the globally unique object identifier (GUID) of the object.
  Supported operations: Read

Other attributes provided for the AddressBookPolicy object have the same names and descriptions as parameters of the following Exchange Management Shell cmdlet:

• Get-AddressBookPolicy

For more information, see the Exchange Management Shell Help topic for this cmdlet.

AddressList object attributes

Table 31: AddressList object attributes

ObjectID
  Type: Single-valued, string
  Description: Gets the globally unique object identifier (GUID) of the object.
  Supported operations: Read

Other attributes provided for the AddressList object have the same names and descriptions as parameters of the following Exchange Management Shell cmdlet:

• Get-AddressList

For more information, see the Exchange Management Shell Help topic for this cmdlet.

DistributionGroup object attributes

Table 32: DistributionGroup attributes

Members
  Type: Multivalued, reference
  Description: Gets or sets the distribution group members.
  For recipients, this attribute accepts any of the following values:
    • Alias
    • Canonical DN
    • Display Name
    • Distinguished Name (DN)
    • Domain\Account
    • GUID
    • Immutable ID
    • Legacy Exchange DN
    • SMTP Address
    • User Principal Name
  For Active Directory users, this attribute accepts any of the following values:
    • Distinguished Name (DN)
    • Domain\Account
    • GUID
    • User Principal Name (UPN)
  Supported operations: Read, Write

ObjectID
  Type: Single-valued, string
  Description: Gets the globally unique object identifier (GUID) of the object.
  Supported operations: Read

Other attributes provided for the DistributionGroup object have the same names and descriptions as parameters or return types of the following Exchange Management Shell cmdlets:

• Enable-DistributionGroup
• Get-DistributionGroup
• Set-DistributionGroup

For more information, see the Exchange Management Shell Help topic for the appropriate cmdlet.

DynamicDistributionGroup object attributes

Table 33: DynamicDistributionGroup attributes

ObjectID
  Type: Single-valued, string
  Description: Gets the globally unique object identifier (GUID) of the object.
  Supported operations: Read

Other attributes provided for the DynamicDistributionGroup object have the same names and descriptions as parameters or return types of the following Exchange Management Shell cmdlets:

• Get-DynamicDistributionGroup
• New-DynamicDistributionGroup
• Set-DynamicDistributionGroup

For more information, see the Exchange Management Shell Help topic for the appropriate cmdlet.

ExchangeServer object attributes

Table 34: ExchangeServer attributes

ObjectID
  Type: Single-valued, string
  Description: Gets the globally unique object identifier (GUID) of the object.
  Supported operations: Read

Other attributes provided for the ExchangeServer object have the same names and descriptions as parameters of the following Exchange Management Shell cmdlet:

• Get-ExchangeServer

For more information, see the Exchange Management Shell Help topic for this cmdlet.

GlobalAddressList object attributes

Table 35: GlobalAddressList attributes

ObjectID
  Type: Single-valued, string
  Description: Gets the globally unique object identifier (GUID) of the object.
  Supported operations: Read

Other attributes provided for the GlobalAddressList object have the same names and descriptions as parameters of the following Exchange Management Shell cmdlet:

• Get-GlobalAddressList

For more information, see the Exchange Management Shell Help topic for this cmdlet.

Mailbox object attributes

Table 36: Mailbox attributes

Attribute                 Type                   Description                                                  Supported operations

LinkedCredentialLogin     Single-valued, string  Specifies the user name of the account with which you want   Write
                                                 to access the domain controller specified in the
                                                 LinkedDomainController attribute.

LinkedCredentialPassword  Single-valued, string  Specifies the password that matches the user name specified  Write
                                                 in the LinkedCredentialLogin attribute.

MoveMailboxTo             Single-valued, string  Moves the mailbox to the Exchange Server database whose      Write
                                                 name or GUID is specified in this attribute.

ObjectID                  Single-valued, string  Gets the globally unique object identifier (GUID) of the     Read
                                                 object.

RecipientTypeDetails      Single-valued, string  Gets or sets the mailbox type.                               Read, Write

                                                 When you create a mailbox object, this attribute supports
                                                 the following values:
                                                 l DiscoveryMailbox
                                                 l EquipmentMailbox
                                                 l RoomMailbox
                                                 l SharedMailbox
                                                 l UserMailbox

                                                 When you update a mailbox object, this attribute supports
                                                 the following values:
                                                 l EquipmentMailbox
                                                 l RoomMailbox
                                                 l SharedMailbox
                                                 l UserMailbox

                                                 When you read data of a mailbox object, this attribute
                                                 supports the following values:
                                                 l DiscoveryMailbox
                                                 l EquipmentMailbox
                                                 l LegacyMailbox
                                                 l LinkedMailbox
                                                 l RoomMailbox
                                                 l SharedMailbox
                                                 l UserMailbox

Other attributes provided for the Mailbox object have the same names and descriptions as
parameters or return types of the Exchange Management Shell cmdlets listed in the next
table. Also, some attributes may perform actions by calling certain Exchange Management
Shell cmdlets, as noted in the table.
For more information, see the Exchange Management Shell Help topic for an
appropriate cmdlet.

Table 37: Exchange Management Shell cmdlets

Exchange Server 2013

Set-CalendarProcessing
Get-CASMailbox
Set-CASMailbox
Disable-Mailbox (called by the Archive and RemoteArchive attributes)
Enable-Mailbox (called by the Archive and RemoteArchive attributes)
Get-Mailbox
Set-Mailbox
Get-MailboxAutoReplyConfiguration
Set-MailboxAutoReplyConfiguration
Get-MailboxStatistics
Get-MoveRequest
New-MoveRequest
Remove-MoveRequest
Set-MoveRequest
Disable-UMMailbox (called by the UMEnabled attribute)
Enable-UMMailbox (called by the UMEnabled attribute)
Get-UMMailbox
Set-UMMailbox
Get-UMMailboxPIN
Set-UMMailboxPIN

MailContact object attributes

Table 38: MailContact attributes

Attribute   Type                   Description                                          Supported operations

ObjectID    Single-valued, string  Gets the globally unique object identifier (GUID)    Read
                                   of the object.

Other attributes provided for the MailContact object have the same names and
descriptions as parameters or return types of the following Exchange Management
Shell cmdlets:

l Enable-MailContact
l Get-MailContact
l Set-MailContact

For more information, see the Exchange Management Shell Help topic for an
appropriate cmdlet.
Note that the Exchange Server Connector cannot create new users in Active Directory. You
can create new AD users with the Active Directory Connector.

MailboxDatabase object attributes

Table 39: MailboxDatabase attributes

Attribute   Type                   Description                                          Supported operations

ObjectID    Single-valued, string  Gets the globally unique object identifier (GUID)    Read
                                   of the object.

Other attributes provided for the MailboxDatabase object have the same names and
descriptions as parameters of the following Exchange Management Shell cmdlet:

l Get-MailboxDatabase

For more information, see the Exchange Management Shell Help topic for this cmdlet.

MailUser object attributes

Table 40: MailUser attributes

Attribute   Type                   Description                                          Supported operations

ObjectID    Single-valued, string  Gets the globally unique object identifier (GUID)    Read
                                   of the object.

Other attributes provided for the MailUser object have the same names and descriptions
as parameters or return types of the following Exchange Management Shell cmdlets:

l Enable-MailUser
l Get-MailUser
l Set-MailUser

For more information, see the Exchange Management Shell Help topic for an
appropriate cmdlet.
Note that the Exchange Server Connector cannot create new users in Active Directory. You
can create new AD users with the Active Directory Connector.

OfflineAddressBook object attributes

Table 41: OfflineAddressBook attributes

Attribute   Type                   Description                                          Supported operations

ObjectID    Single-valued, string  Gets the globally unique object identifier (GUID)    Read
                                   of the object.

Other attributes provided for the OfflineAddressBook object have the same names and
descriptions as parameters of the following Exchange Management Shell cmdlet:

l Get-OfflineAddressBook

For more information, see the Exchange Management Shell Help topic for this cmdlet.

OrganizationConfig object attributes

Table 42: OrganizationConfig attributes

Attribute   Type                   Description                                          Supported operations

ObjectID    Single-valued, string  Gets the globally unique object identifier (GUID)    Read
                                   of the object.

Other attributes provided for the OrganizationConfig object have the same names and
descriptions as parameters of the following Exchange Management Shell cmdlet:

l Get-OrganizationConfig

For more information, see the Exchange Management Shell Help topic for this cmdlet.

OwaMailboxPolicy object attributes

Table 43: OwaMailboxPolicy attributes

Attribute   Type                   Description                                          Supported operations

ObjectID    Single-valued, string  Gets the globally unique object identifier (GUID)    Read
                                   of the object.

Other attributes provided for the OwaMailboxPolicy object have the same names and
descriptions as parameters of the following Exchange Management Shell cmdlet:

l Get-OwaMailboxPolicy

For more information, see the Exchange Management Shell Help topic for this cmdlet.

PublicFolder object attributes

Table 44: PublicFolder attributes

Attribute   Type                   Description                                          Supported operations

ObjectID    Single-valued, string  Gets the globally unique object identifier (GUID)    Read
                                   of the object.

Other attributes provided for the PublicFolder object have the same names and
descriptions as parameters of the following Exchange Management Shell cmdlet:

l Get-PublicFolder

For more information, see the Exchange Management Shell Help topic for this cmdlet.

PublicFolderDatabase object attributes

Table 45: PublicFolderDatabase attributes

Attribute   Type                   Description                                          Supported operations

ObjectID    Single-valued, string  Gets the globally unique object identifier (GUID)    Read
                                   of the object.

Other attributes provided for the PublicFolderDatabase object have the same names and
descriptions as parameters of the following Exchange Management Shell cmdlet:

l Get-PublicFolderDatabase

For more information, see the Exchange Management Shell Help topic for this cmdlet.

RoleAssignmentPolicy object attributes

Table 46: RoleAssignmentPolicy attributes

Attribute   Type                   Description                                          Supported operations

ObjectID    Single-valued, string  Gets the globally unique object identifier (GUID)    Read
                                   of the object.

Other attributes provided for the RoleAssignmentPolicy object have the same names
and descriptions as parameters of the following Exchange Management Shell cmdlet:

l Get-RoleAssignmentPolicy

For more information, see the Exchange Management Shell Help topic for this cmdlet.

StorageGroup object attributes

Table 47: StorageGroup attributes

Attribute   Type                   Description                                          Supported operations

ObjectID    Single-valued, string  Gets the globally unique object identifier (GUID)    Read
                                   of the object.

Other attributes provided for the StorageGroup object have the same names and
descriptions as parameters of the following Exchange Management Shell cmdlet:

l Get-StorageGroup

For more information, see the Exchange Management Shell Help topic for this cmdlet.

UmDialPlan object attributes

Table 48: UmDialPlan attributes

Attribute   Type                   Description                                          Supported operations

ObjectID    Single-valued, string  Gets the globally unique object identifier (GUID)    Read
                                   of the object.

Other attributes provided for the UmDialPlan object have the same names and
descriptions as parameters of the following Exchange Management Shell cmdlet:

l Get-UMDialPlan

For more information, see the Exchange Management Shell Help topic for this cmdlet.

UmMailboxPolicy object attributes

Table 49: UmMailboxPolicy attributes

Attribute   Type                   Description                                          Supported operations

ObjectID    Single-valued, string  Gets the globally unique object identifier (GUID)    Read
                                   of the object.

Other attributes provided for the UmMailboxPolicy object have the same names and
descriptions as parameters of the following Exchange Management Shell cmdlet:

l Get-UMMailboxPolicy

For more information, see the Exchange Management Shell Help topic for this cmdlet.

Scenario: Migrate mailboxes from one Exchange Server to another

To migrate a mailbox, you need to use the MoveMailboxTo attribute provided for the
Mailbox object. Update the value of the MoveMailboxTo attribute, so that it includes the
name or GUID of the Exchange Server database to which you want to move the mailbox.
As a result, the mailbox is migrated to the Exchange Server computer that hosts the
specified database.
Before migrating mailboxes, consider the following:

l You can only migrate mailboxes between Exchange Servers that belong to the same
Exchange organization.
l If the computers between which you want to migrate mailboxes run the same version
of Exchange Server, make sure they have either no or the same Exchange Server
Service Pack installed.

Migrating a mailbox includes the following steps:

l Step 1: Configure a connection to Exchange Server
l Step 2: Create a new sync workflow
l Step 3: Configure a step to update MoveMailboxTo attribute value
l Step 4: Run your sync workflow

Step 1: Configure a connection to Exchange Server

Configure a connection to the Exchange Server you will use to move the mailbox object.
See the table below to determine which Exchange Server you must use to perform the
move operation in a particular migration scenario.

Table 50: Migration Scenarios

Source                Target                Configure connection to

Exchange Server 2013  Exchange Server 2013  Exchange Server 2013
                                            NOTE: The source and target computers must have
                                            either no or the same Exchange Server Service Pack
                                            installed.

For instructions on how to configure a connection to Exchange Server, see Creating a new
connection to Exchange Server.

Step 2: Create a new sync workflow


For instructions on how to create a new sync workflow, see Creating a sync workflow.

Step 3: Configure a step to update MoveMailboxTo attribute value

1. In the sync workflow you created in Step 2: Create a new sync workflow, create a
new update step.
2. In the update step, select the target data system for the data synchronization
operation. This must be the Exchange Server to which you created connection in Step
1: Configure a connection to Exchange Server.
3. Configure the update step so that it updates the value of the MoveMailboxTo
attribute on the appropriate Mailbox objects. The new attribute value must
include the name or GUID of the Exchange Server database to which you want to
move the mailboxes.

For instructions on how to create and configure an update step, see Creating an
updating step.

Step 4: Run your sync workflow
For instructions on how to run a sync workflow, see Running a sync workflow.
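
The workflow itself performs the move through the New-MoveRequest cmdlet listed in
Table 37, but the two prerequisites above (same Exchange organization, same Service
Pack level) are only checked when the move fails. The following script is an added
example, not code from this guide or from the Synchronization Service: run it in the
Exchange Management Shell on the Exchange Server 2013 computer that your connection
from Step 1 points to, before running the workflow. It resolves the same name or
GUID that Step 3 writes to MoveMailboxTo, compares the source and target server
versions, and reports mailboxes that already have a move request. The parameter
values are placeholders you supply.

```powershell
# Added example; not code from the Active Roles guide or product. Run in the
# Exchange Management Shell before the sync workflow that sets MoveMailboxTo.
param(
    # Name or GUID of the target database, exactly the value the update step will
    # write to MoveMailboxTo (placeholder, supplied by the caller).
    [Parameter(Mandatory)] [string] $TargetDatabase,
    # Mailboxes the update step is scoped to: alias, UPN or SMTP address (placeholder).
    [Parameter(Mandatory)] [string[]] $Mailbox
)

# Get-MailboxDatabase accepts either the database name or its GUID, so the same
# string that goes into MoveMailboxTo can be validated here.
$target       = Get-MailboxDatabase -Identity $TargetDatabase -ErrorAction Stop
$targetServer = Get-ExchangeServer  -Identity $target.Server.Name -ErrorAction Stop

foreach ($id in $Mailbox) {
    $mbx = Get-Mailbox -Identity $id -ErrorAction Stop

    # Get-ExchangeServer only returns servers of the Exchange organization this
    # shell is connected to, so a failure here means the mailbox's server is not
    # in the same organization as the target database (first prerequisite).
    $sourceServer = Get-ExchangeServer -Identity $mbx.ServerName -ErrorAction Stop

    $issues = @()
    if ($mbx.Database.Name -eq $target.Name) {
        $issues += 'Mailbox already resides in the target database'
    }

    # AdminDisplayVersion includes the build number, which changes with each
    # Service Pack; the second prerequisite requires source and target to match.
    $srcVer = $sourceServer.AdminDisplayVersion.ToString()
    $tgtVer = $targetServer.AdminDisplayVersion.ToString()
    if ($srcVer -ne $tgtVer) {
        $issues += "Version mismatch: source '$srcVer', target '$tgtVer'"
    }

    # A mailbox with an existing move request cannot get a second one; the
    # workflow's New-MoveRequest would fail for it.
    $pending = Get-MoveRequest -Identity $mbx.PrimarySmtpAddress.ToString() -ErrorAction SilentlyContinue
    if ($pending) {
        $issues += "Existing move request in state $($pending.Status)"
    }

    [pscustomobject]@{
        Mailbox        = $mbx.PrimarySmtpAddress.ToString()
        SourceDatabase = $mbx.Database.Name
        TargetDatabase = $target.Name
        ReadyToMove    = ($issues.Count -eq 0)
        Issues         = ($issues -join '; ')
    }
}
```

Save the script as a .ps1 file and call it with the database value and the list of
mailboxes the update step will touch, for example
`.\Test-MoveMailboxTo.ps1 -TargetDatabase 'DB02' -Mailbox 'alice@example.com','bob@example.com'`
(file name, database name and addresses are placeholders). Any row with
ReadyToMove set to False should be taken out of the update step's scope, or its
pending move request cleared with Remove-MoveRequest, before the workflow runs.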

Working with Active Roles


To create a connection to Active Roles, you need to use Synchronization Service in
conjunction with a special connector called Active Roles Connector, which is included
in the Synchronization Service package.
The Active Roles Connector supports the following Synchronization Service features:

Table 51: Supported features

Feature                                                                    Supported

Bidirectional synchronization                                              Yes
Allows you to read and write data in the connected data system.

Delta processing mode                                                      Yes
Allows you to process only the data that has changed in the connected
data system since the last synchronization operation, thereby reducing
the overall synchronization operation time.

Password synchronization                                                   Yes
Allows you to synchronize user passwords from an Active Directory domain
to the connected data system.

The Active Roles Connector supports linked attributes in the Active Directory schema.
Linked attributes allow you to associate one object with another object. Linked attributes
exist in pairs:

l Forward link attribute. This is a linked attribute that exists on a source object
(example: the member attribute on the Group object). Forward link attributes can
be single-valued or multivalued.
l Back link attribute. This is a linked attribute that can be specified on a target
object (example: the memberOf attribute on the User object). Back link attributes
are multivalued and they must have a corresponding forward link attribute. Back link
attributes are not stored in Active Directory. Rather, they are calculated based on the
corresponding forward link attribute each time a query is issued.

In this section:

l Creating an Active Roles connection
l Modifying an Active Roles connection

See also:

l Renaming a connection
l Deleting a connection
l Modifying synchronization scope for a connection
l Specifying password synchronization settings for a connection

Creating an Active Roles connection

You can create a connection to Active Roles right after you install Synchronization Service
on your computer.

To create a new connection

1. In the Synchronization Service Administration Console, open the Connections tab.


2. Click Add connection, and then use the following options:
l Connection name. Type a descriptive name for the connection.
l Use the specified connector. Select Active Roles Connector.
3. Click Next.
4. On the Specify connection settings page, use the following options:
l Connect to. Allows you to specify the Active Roles Administration Service
to be used by the Synchronization Service. You can use one of the
following options:
l Administration Service on the specified computer. Type the name
of the computer running the Administration Service you want the
Synchronization Service to use.
l Any Administration Service of the same configuration. Specify
any Administration Service whose database holds the necessary
configuration: type the DNS name of the computer running that
Administration Service. If Active Roles replication is used to synchronize
configuration data, this must be any Administration Service whose
database server acts as the Publisher for the configuration database.
l Active Roles version. Prompts you to specify the version of the Active Roles
Administration Service to which you want to connect. You can choose to
connect either to version 7.0 or later or to version 6.9 or earlier. In the latter
case, you have to install the Active Roles ADSI Provider of the respective
legacy Active Roles version on the computer running the Synchronization
Service. For installation instructions, see the Quick Start Guide for Active Roles
version 6.9 or earlier.

l Access Active Roles Administration Service using. Allows you to specify
an authentication option to access the Active Roles Administration Service. You
can use one of the following options:
l Synchronization Service account. Allows you to access the
Administration Service in the security context of the user account under
which the Synchronization Service is running.
l Windows account. Allows you to access the Administration Service in
the security context of the user account whose user name and password
you specify below this option.
l Test Connection. Allows you to verify the specified connection settings.
5. Click Finish to create a connection to Active Roles.

Modifying an Active Roles connection


To modify connection settings

1. In the Synchronization Service Administration Console, open the Connections tab.


2. Click Connection settings below the existing Active Roles connection you
want to modify.
3. Expand Specify connection settings and modify settings as necessary.
4. You can use the following options:
l Connect to. Allows you to specify the Active Roles Administration Service
to be used by the Synchronization Service. You can use one of the
following options:
l Administration Service on the specified computer. Type the name
of the computer running the Administration Service you want the
Synchronization Service to use.
l Any Administration Service of the same configuration.
Specify any Administration Service whose database holds the
necessary configuration: type the DNS name of the computer
running that Administration Service. If Active Roles replication is
used to synchronize configuration data, this must be any
Administration Service whose database server acts as the
Publisher for the configuration database.
l Active Roles version. Prompts you to specify the version of the
Active Roles Administration Service to which you want to connect.
You can choose to connect either to version 7.0 or above or to
version 6.9 or earlier. In the latter case, you have to install the
Active Roles ADSI Provider of the respective legacy Active Roles
version on the computer running the Synchronization Service. For
installation instructions, see the Quick Start Guide for Active Roles
version 6.9 or earlier.

l Access Active Roles Administration Service using. Allows you to
specify an authentication option to access the Active Roles
Administration Service. You can use one of the following options:
l Synchronization Service account. Allows you to access the
Administration Service in the security context of the user account
under which the Synchronization Service is running.
l Windows account. Allows you to access the Administration
Service in the security context of the user account whose user
name and password you specify below this option.
l Test Connection. Allows you to verify the specified connection settings.
5. Click Save.

Working with One Identity Manager


To create a connection to One Identity Manager, you need to use Synchronization Service
in conjunction with a special connector called One Identity Manager Connector. This
connector is included in the Synchronization Service package.
The One Identity Manager Connector supports the following Synchronization Service
features:

Table 52: Supported features

Feature                                                                    Supported

Bidirectional synchronization                                              Yes
Allows you to read and write data in the connected data system.

Delta processing mode                                                      Yes
Allows you to process only the data that has changed in the connected
data system since the last synchronization operation, thereby reducing
the overall synchronization operation time.

Password synchronization                                                   No
Allows you to synchronize user passwords from a One Identity Manager
domain to the connected data system.

In this section:

l Creating a One Identity Manager connection


l Modifying a One Identity Manager connection

l One Identity Manager Connector configuration file

See also:

l Renaming a connection
l Deleting a connection
l Modifying synchronization scope for a connection
l Specifying password synchronization settings for a connection

Creating a One Identity Manager connection


Synchronization Service supports One Identity Manager out of the box, so you can create a
connection to Identity Manager just after you install Synchronization Service.

To create a new connection

1. In the Synchronization Service Administration Console, open the Connections tab.


2. Click Add connection, and then use the following options:
l Connection name. Type a descriptive name for the connection.
l Use the specified connector. Select One Identity Manager Connector.
3. Click Next.
4. On the Specify connection settings page, use the following options:
l Application Server URL. Specify the address of the One Identity Manager
application server to which you want to connect.
l Authentication module. Identifies the One Identity Manager authentication
module that is to be used to verify the connection’s user ID and password.
l User name. Specify the user ID for this connection.
l Password. Specify the password of the user ID for this connection.
l Test Connection. Click to verify the specified connection settings.
5. Click Next.
The One Identity Manager modules, target systems, and containers are displayed.

6. Select the required One Identity Manager modules.


NOTE: The One Identity Manager target systems and One Identity Manager contain-
ers are applicable only for the Target System Base module (UNS..B tables).

7. Click Finish to create a connection to One Identity Manager.

Modifying a One Identity Manager connection
To modify connection settings

1. In the Synchronization Service Administration Console, open the Connections tab.


2. Click Connection settings below the existing One Identity Manager connection you
want to modify.
3. Expand Specify connection settings and use the following options to modify the
settings as necessary:
l Application Server URL. View or change the address of the One Identity
Manager application server for this connection.
l Authentication module. Identifies the One Identity Manager authentication
module that is used to verify the connection’s user ID and password.
l User name. View or change the user ID for this connection.
l Password. Specify the password of the user ID for this connection.
l Test Connection. Click to verify the specified connection settings.
4. Click Next.
The One Identity Manager modules, target systems, and containers are displayed.

5. Select the required One Identity Manager modules.


NOTE: The One Identity Manager target systems and One Identity Manager contain-
ers are applicable only for the Target System Base module (UNS..B tables).

6. Click Finish to create a connection to One Identity Manager.

One Identity Manager Connector configuration file


One Identity Manager connector saves its configuration settings in the configuration file
(.xml file) located in the Active Roles Synchronization Service installation folder. You can
edit the XML elements in the file to configure the various parameters of the One Identity
Manager Connector. The table below describes the XML elements you can edit.

Table 53: XML elements

XML element              Description

<ExcludeDeletedObjects>  Specifies how Active Roles will treat objects marked as deleted in
                         Identity Manager. This element can take one of the following values:
                         l TRUE. Specifies to ignore deleted objects during data
                           synchronization operations.
                         l FALSE. Specifies to process deleted objects during data
                           synchronization operations.
                         Example:
                         <ExcludeDeletedObjects>TRUE</ExcludeDeletedObjects>

<PasswordAttributes>     Specifies the default Identity Manager attribute to be used for
                         storing passwords for objects of a particular type. Specifying an
                         attribute for storing passwords in the Active Roles GUI overrides
                         the value set in this XML element.
                         Example:
                         <PasswordAttributes>
                           <PasswordAttributeDefinitions>
                             <PasswordAttributeDefinition objectType="Person" attribute="CentralPassword" />
                           </PasswordAttributeDefinitions>
                         </PasswordAttributes>

<ReadFullSync>           Specifies a value of the FullSync variable for Read operations
                         performed in Identity Manager.

<CreateFullSync>         Specifies a value of the FullSync variable for Create operations
                         performed in Identity Manager.

<ModifyFullSync>         Specifies a value of the FullSync variable for Modify operations
                         performed in Identity Manager.

<DeleteFullSync>         Specifies a value of the FullSync variable for Delete operations
                         performed in Identity Manager.

<ObjRefFullSync>         Specifies a value of the FullSync variable for Modify Object
                         Reference operations performed in Identity Manager.

<SyncStatusFullSync>     Specifies a value of the FullSync variable for Sync Status
                         operations performed in Identity Manager.

For more information about the FullSync variable and the values it can take, see the One
Identity Manager documentation.
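
Because the file is read by the connector, a typo in an element name or a value
outside TRUE/FALSE is only discovered when synchronization misbehaves. The following
script is an added example, not code from this guide or from the connector: it edits
the configuration XML with a backup, accepts only the element names in Table 53 and
only TRUE/FALSE for ExcludeDeletedObjects, and leaves the password attribute
definitions alone (reporting them instead, since a value set in the GUI overrides
them anyway). The guide does not give the file name or the root element name, so the
path passed in -Path and the <Configuration> root of the constructed sample are
assumptions; the values accepted by the FullSync variable come from the One Identity
Manager documentation.

```powershell
# Added example; not code from the Active Roles guide or product. File name and the
# <Configuration> root element are assumptions; the child element names are the ones
# documented in Table 53.
function Set-OimConnectorConfig {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [ValidateSet('TRUE', 'FALSE')] [string] $ExcludeDeletedObjects,
        # Element name -> value, e.g. @{ ReadFullSync = 'True' }. Valid values of the
        # FullSync variable are defined by the One Identity Manager documentation.
        [hashtable] $FullSync = @{}
    )
    $fullSyncElements = 'ReadFullSync', 'CreateFullSync', 'ModifyFullSync',
                        'DeleteFullSync', 'ObjRefFullSync', 'SyncStatusFullSync'
    foreach ($name in $FullSync.Keys) {
        if ($name -notin $fullSyncElements) {
            throw "<$name> is not a documented FullSync element: $($fullSyncElements -join ', ')"
        }
    }

    $fullPath = (Resolve-Path -LiteralPath $Path).Path
    $doc = New-Object System.Xml.XmlDocument
    $doc.Load($fullPath)

    # Keep the previous version next to the file before changing anything.
    Copy-Item -LiteralPath $fullPath -Destination "$fullPath.bak" -Force

    # Returns the element, creating it under the root if the file does not have it yet.
    function Get-OrAddElement([System.Xml.XmlDocument] $Document, [string] $Name) {
        $node = $Document.DocumentElement.SelectSingleNode($Name)
        if (-not $node) {
            $node = $Document.DocumentElement.AppendChild($Document.CreateElement($Name))
        }
        return $node
    }

    if ($PSBoundParameters.ContainsKey('ExcludeDeletedObjects')) {
        (Get-OrAddElement $doc 'ExcludeDeletedObjects').InnerText = $ExcludeDeletedObjects
    }
    foreach ($name in $FullSync.Keys) {
        (Get-OrAddElement $doc $name).InnerText = [string]$FullSync[$name]
    }

    # Report, rather than change, the password attribute mapping: a value set in the
    # Active Roles GUI overrides this element.
    $defs = $doc.SelectNodes('//PasswordAttributes/PasswordAttributeDefinitions/PasswordAttributeDefinition')
    foreach ($def in $defs) {
        Write-Verbose ("Password attribute for {0}: {1}" -f $def.GetAttribute('objectType'), $def.GetAttribute('attribute'))
    }

    # Save() re-indents the document because it was loaded without PreserveWhitespace.
    $doc.Save($fullPath)
}

# Dry run against a constructed sample file (contents and root element are assumptions).
$sample = Join-Path $env:TEMP 'oim-connector-sample.xml'
@'
<?xml version="1.0" encoding="utf-8"?>
<Configuration>
  <ExcludeDeletedObjects>FALSE</ExcludeDeletedObjects>
  <PasswordAttributes>
    <PasswordAttributeDefinitions>
      <PasswordAttributeDefinition objectType="Person" attribute="CentralPassword" />
    </PasswordAttributeDefinitions>
  </PasswordAttributes>
</Configuration>
'@ | Set-Content -LiteralPath $sample -Encoding UTF8

Set-OimConnectorConfig -Path $sample -ExcludeDeletedObjects TRUE -FullSync @{ ReadFullSync = 'True' } -Verbose
Get-Content -LiteralPath $sample
```

Point -Path at the real connector file in the Synchronization Service installation
folder to apply the same change there; the .bak copy written next to it is what you
restore if the connector no longer loads.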

Working with a delimited text file


This section describes how to create or modify a connection to a delimited text file so that
Synchronization Service can work with the data in that file.
To create a connection to a delimited text file, you need to use Synchronization Service in
conjunction with a special connector called Delimited Text File Connector. This connector is
included in the Synchronization Service package.
The Delimited Text File Connector supports the following features:

Table 54: Supported features

Feature                                                                    Supported

Bidirectional synchronization                                              No
Allows you to read and write data in the connected data system.            By using this connector, you can only
                                                                           read data in the connected data system.

Delta processing mode                                                      Yes
Allows you to process only the data that has changed in the connected
data system since the last synchronization operation, thereby reducing
the overall synchronization operation time.

Password synchronization                                                   No
Allows you to synchronize user passwords from an Active Directory domain
to the connected data system.

In this section:

l Creating a delimited text file connection


l Modifying an existing delimited text file connection
l Modifying an existing Active Directory connection

Creating a delimited text file connection


To create a new connection

1. In the Synchronization Service Administration Console, open the Connections tab.


2. Click Add connection, and then use the following options:
l Connection name. Type a descriptive name for the connection.
l Use the specified connector. Select Delimited Text File Connector.
3. Click Next.
4. On the Specify connection settings page, use the following options:
l Delimited text file. Click Browse to locate and select the delimited text file
to which you want to connect.
l Access delimited text file using. Select an access option:
l Synchronization Service account. Access the delimited text file in the
security context of the account under which the Synchronization Service
is running.
l Windows account. Access the delimited text file in the security
context of the account whose user name and password you specify
below this option.
l Test Connection. Click this button to verify the specified connection settings.
5. Click Next.
6. On the Specify delimited text file format page, use the following options to
provide information about the delimited text file format:
l Delimiter. Select the delimiter used in the file you specified.
l Use first row for attribute names. Select this check box if the first line
of the specified file contains names of attributes. Otherwise, leave this check
box cleared.
l Advanced. Click this button to specify advanced options to access the
delimited text file, such as encoding, row delimiter, value delimiter, and
text qualifier.
7. Click Next.
8. On the Specify attributes to identify objects page, use the following options to
select the attributes with which you want to uniquely identify each object in the file:
l Available attributes. Lists the attributes that are available in the external
data system. Use this list to select the attributes whose values you want to use
to generate a unique identifier for each object in the external data system. You
can filter attributes by typing in the text box at the top of this list. To select
multiple attributes, hold down CTRL and click to select attributes in the list.
l UniqueID attributes. Lists the attributes whose values are currently used to
generate a unique identifier for each object in the external data system.
l Add->. Moves the selected attributes from the Available attributes list to
the UniqueID attributes list.
l <-Remove. Moves the selected attributes from the UniqueID attributes list
to the Available attributes list.
l Constructed UniqueID. Displays a combination of the attributes whose
values will make up a unique identifier for each object in the external
data system.
9. Click Finish to create a connection to the delimited text file.
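
The attributes chosen in step 8 become the identity of every object the connector
reads, so two records that produce the same constructed UniqueID are handled as one
object, and a record with an empty component cannot be matched at all. The following
script is an added example, not code from this guide or the connector: run it against
the file before you pick the UniqueID attributes to see whether the columns you have
in mind identify every record. The CSV content and column names are constructed for
the demonstration, and the "|" separator used to join the parts is the script's own
choice, not the connector's.

```powershell
# Added example; not code from the Active Roles guide or product. The CSV and the
# column names are constructed for the demonstration.
$sampleCsv = @'
EmployeeID,FirstName,LastName,Department
1001,Alice,Smith,Finance
1002,Bob,Jones,IT
1002,Robert,Jones,IT
,Carol,White,HR
'@

function Test-UniqueIdColumns {
    param(
        [Parameter(Mandatory)] [object[]] $Records,    # output of Import-Csv / ConvertFrom-Csv
        [Parameter(Mandatory)] [string[]] $IdColumns,  # columns you intend to move to "UniqueID attributes"
        [string] $Separator = '|'                      # join character for the constructed ID (assumption)
    )
    # A column that is not in the header is a configuration error, not a data problem.
    $header  = $Records[0].PSObject.Properties.Name
    $missing = @($IdColumns | Where-Object { $_ -notin $header })
    if ($missing.Count -gt 0) {
        throw "Column(s) not found in the file header: $($missing -join ', ')"
    }

    $seen = @{}     # constructed ID -> line where it was first seen
    $line = 1       # line 1 is the header row
    foreach ($record in $Records) {
        $line++
        $parts = @(foreach ($column in $IdColumns) { [string]$record.$column })
        if ($parts -contains '') {
            [pscustomobject]@{ Line = $line; UniqueID = $null; Issue = 'Empty UniqueID component' }
            continue
        }
        $key = $parts -join $Separator
        if ($seen.ContainsKey($key)) {
            [pscustomobject]@{ Line = $line; UniqueID = $key; Issue = "Duplicate of line $($seen[$key])" }
        } else {
            $seen[$key] = $line
        }
    }
}

$records = $sampleCsv | ConvertFrom-Csv -Delimiter ','

# EmployeeID alone: line 4 duplicates line 3, and line 5 has no value.
Test-UniqueIdColumns -Records $records -IdColumns 'EmployeeID'

# Adding FirstName resolves the duplicate but still cannot identify line 5.
Test-UniqueIdColumns -Records $records -IdColumns 'EmployeeID', 'FirstName'
```

For a real file, replace the here-string with `Import-Csv -Path <file> -Delimiter <delimiter>`
using the same delimiter you select in step 6; a file whose first row does not hold
attribute names needs the -Header parameter of Import-Csv so that the column names you
test match the ones the connector will show.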

Modifying an existing delimited text file connection
To modify connection settings

1. In the Synchronization Service Administration Console, open the Connections tab.


2. Click Connection settings below the existing delimited text file connection you
want to modify.
3. On the Connection Settings tab, click an appropriate item to expand it and use the
options it provides.
4. You can expand the following items:
l Specify connection settings
l Specify delimited text file format
l Schema
l Specify attributes to identify objects
See the next subsections for the descriptions of these items.

5. When you are finished, click Save.

Specify connection settings


In this expandable item, you can use the following options:

l Delimited text file. Click Browse to locate and select the delimited text file to
which you want to connect.
l Access delimited text file using. Select an access option:
l Synchronization Service account. Access the delimited text file in the
security context of the account under which the Synchronization Service
is running.
l Windows account. Access the delimited text file in the security context of the
account whose user name and password you specify below this option.
l Test Connection. Click this button to verify the specified connection settings.

Specify delimited text file format


This expandable item provides the following options:

l Delimiter. Select the delimiter used in the file you specified.


l Use first row for attribute names. Select this check box if the first line of the
specified file contains names of attributes. Otherwise, leave this check box cleared.
l Advanced. Specify advanced options to access the delimited text file, such as
encoding, row delimiter, value delimiter, and text qualifier.

Schema

You can use this expandable item to view and modify the delimited text file schema saved in the Synchronization Service configuration database.
When you create a connection to a delimited text file, Synchronization Service reads the schema in the file (that is, the fields or columns related to each record in the file), and then saves the schema in the Synchronization Service configuration database. Synchronization Service then uses the saved file schema to read and modify the data in the connected file. Should the schema in the connected file change, you need to reflect these changes in the Schema option so that Synchronization Service can correctly handle (read and write) the data in the changed file.
This expandable item provides the following options:

• Attributes. Lists the names of Synchronization Service attributes that correspond to certain columns or fields in the connected file. Basically, these are the names of attributes you can select and use in the Synchronization Service Administration Console for each object in the connected delimited text file.
• Add. Allows you to add a new entry (for example, a column or field) to the file schema saved in the Synchronization Service configuration database. You can use this button when a new column or field was added to the connected file and you want to reflect this change in the file schema saved in the Synchronization Service configuration database.
• Edit. Allows you to edit the name of the selected Synchronization Service attribute associated with a certain column or field in the connected file. For example, you can use this button when a field or column name was changed in the connected file and you want to reflect this change in the file schema saved in the Synchronization Service configuration database. You can also use this button to edit the display name of a Synchronization Service attribute associated with a certain column or field in the connected file.
• Remove. Allows you to remove the selected attribute from the file schema saved in the Synchronization Service configuration database. For example, you can use this button when a field or column was deleted from the connected file and you want to reflect this change in the file schema saved in the Synchronization Service configuration database.
• Reload schema. Allows you to update the file schema saved in the Synchronization Service configuration database by reloading the schema from the file into the configuration database. As a result, the file schema saved in the Synchronization Service configuration database is completely rewritten with new data from the file.
• Up arrow. Moves the selected attribute up.
• Down arrow. Moves the selected attribute down.

Specify attributes to identify objects

This expandable item provides the following options that allow you to specify the attributes with which you want to uniquely identify each object in the delimited text file:

• Available attributes. Lists the attributes that are available in the external data system. Use this list to select the attributes whose values you want to use to generate a unique identifier for each object in the external data system. You can filter attributes by typing in the text box at the top of this list. To select multiple attributes, hold down CTRL and click to select attributes in the list.
• UniqueID attributes. Lists the attributes whose values are currently used to generate a unique identifier for each object in the external data system.
• Add->. Moves the selected attributes from the Available attributes list to the UniqueID attributes list.
• <-Remove. Moves the selected attributes from the UniqueID attributes list to the Available attributes list.
• Constructed UniqueID. Displays a combination of the attributes whose values will make up a unique identifier for each object in the external data system.

Working with Microsoft SQL Server

This section describes how to create or modify a connection to Microsoft SQL Server so that Synchronization Service can work with data in that data system.
To create a connection to Microsoft SQL Server, you need to use Synchronization Service in conjunction with a special connector called Microsoft SQL Server Connector. This connector is included in the Synchronization Service package.
The Microsoft SQL Server Connector supports the following features:

Table 55: Supported features

Feature: Bidirectional synchronization. Supported: Yes.
    Allows you to read and write data in the connected data system.
Feature: Delta processing mode. Supported: No.
    Allows you to process only the data that has changed in the connected data system since the last synchronization operation, thereby reducing the overall synchronization operation time.
Feature: Password synchronization. Supported: Yes.
    Allows you to synchronize user passwords from an Active Directory domain to the connected data system.

In this section:

• Creating a Microsoft SQL Server connection
• Modifying an existing Microsoft SQL Server connection
• Sample queries to modify SQL Server data

Creating a Microsoft SQL Server connection

To create a new connection

1. In the Synchronization Service Administration Console, open the Connections tab.
2. Click Add connection, and then use the following options:
    • Connection name. Type a descriptive name for the connection.
    • Use the specified connector. Select Microsoft SQL Server Connector.
3. Click Next.
4. On the Specify connection settings page, use the following options:
    • SQL Server. Type or select the name of the SQL Server computer that hosts the database you want to participate in data synchronization operations.
    • Access SQL Server using. Select an access option:
        • Use Windows authentication. Allows you to access the SQL Server in the security context of the account under which the Synchronization Service is running.
        • Use SQL Server authentication. Allows you to access the SQL Server in the security context of the SQL Server user account whose user name and password you specify below this option.
    • Connect to database. Type the name of the database to which you want to connect.
    • Test Connection. Click this button to verify the specified connection settings.
5. Click Next.
6. On the Specify how to select and modify data page, use the following options:
    • Use data from this table. Allows you to select a database table that includes the data you want to participate in the synchronization operations. You can click Preview to preview the database table you have selected.
    • Use an SQL query to specify data. Allows you to compose an SQL query that provides a more flexible way of specifying the data for synchronization. For example, you can use this option to specify multiple database tables.
    • Configure Settings. Click this button to specify settings for modifying data in the connected system during synchronization operations. For example, you can specify the database tables in which you want to insert, update, or delete data during synchronization operations.
7. Click Next.
8. On the Specify attributes to identify objects page, use the following options:
    • Available attributes. Lists the attributes that are available in the external data system. Use this list to select the attributes whose values you want to use to generate a unique identifier for each object in the external data system. You can filter attributes by typing in the text box at the top of this list. To select multiple attributes, hold down CTRL and click to select attributes in the list.
    • UniqueID attributes. Lists the attributes whose values are currently used to generate a unique identifier for each object in the external data system.
    • Add->. Moves the selected attributes from the Available attributes list to the UniqueID attributes list.
    • <-Remove. Moves the selected attributes from the UniqueID attributes list to the Available attributes list.
    • Constructed UniqueID. Displays a combination of the attributes whose values will make up a unique identifier for each object in the external data system.
9. Click Finish to create a connection to the Microsoft SQL Server database.

Modifying an existing Microsoft SQL Server connection

To modify connection settings

1. In the Synchronization Service Administration Console, open the Connections tab.
2. Click Connection settings below the existing Microsoft SQL Server connection you want to modify.
3. On the Connection Settings tab, click an appropriate item to expand it and use the options it provides.
   You can expand the following items:
    • Specify connection settings
    • Specify how to select and modify data
    • Advanced
    • Specify attributes to identify objects
   See the next subsections for the descriptions of these items.
4. When you are finished, click Save.

Specify connection settings

This expandable item provides the following options that allow you to modify the connection settings:

• SQL Server. Type or select the name of the SQL Server computer that hosts the database you want to participate in data synchronization operations.
• Access SQL Server using. Select an access option:
    • Use Windows authentication. Allows you to access the SQL Server in the security context of the account under which the Synchronization Service is running.
    • Use SQL Server authentication. Allows you to access the SQL Server in the security context of the SQL Server user account whose user name and password you specify below this option.
• Connect to database. Type the name of the database to which you want to connect.
• Test Connection. Click this button to verify the specified connection settings.

Specify how to select and modify data

This expandable item provides the following options that allow you to specify how to select and modify the data you want to participate in the synchronization:

• Use data from this table. Allows you to select a database table that includes the data you want to participate in the synchronization operations. You can click Preview to preview the database table you have selected.
• Use an SQL query to specify data. Allows you to compose an SQL query that provides a more flexible way of specifying the data for synchronization. For example, you can use this option to specify multiple database tables.
• Configure Settings. Click this button to specify settings for modifying data in the connected system during synchronization operations. For example, you can specify the database tables in which you want to insert, update, or delete data during synchronization operations.

Advanced

Allows you to configure the execution timeout for all SQL queries you specified in the connection settings (for example, those specified in the Specify How to Select and Modify Data option). Use the SQL query execution timeout box to type the timeout value you want to use.

Specify attributes to identify objects

This expandable item provides the following options that allow you to specify the attributes with which you want to uniquely identify each object in the connected data system:

• Available attributes. Lists the attributes that are available in the external data system. Use this list to select the attributes whose values you want to use to generate a unique identifier for each object in the external data system. You can filter attributes by typing in the text box at the top of this list. To select multiple attributes, hold down CTRL and click to select attributes in the list.
• UniqueID attributes. Lists the attributes whose values are currently used to generate a unique identifier for each object in the external data system.
• Add->. Moves the selected attributes from the Available attributes list to the UniqueID attributes list.
• <-Remove. Moves the selected attributes from the UniqueID attributes list to the Available attributes list.
• Constructed UniqueID. Displays a combination of the attributes whose values will make up a unique identifier for each object in the external data system.

Sample queries to modify SQL Server data

This section provides some sample SQL queries illustrating how to modify SQL Server data during synchronization operations. In the sample queries, Id refers to an attribute (a column name in an SQL Server table) that uniquely identifies an object in your SQL database. These examples can be used only for configuring connections to Microsoft SQL Server 2005.

How to insert an object into a table

This sample illustrates how to create a query that inserts an object with specified attributes into the table named SQLConnTest1.

Table 56: How to insert an object into a table

Database table structure:
    CREATE TABLE [SQLConnTest1]([Id] [bigint] IDENTITY(1,1), [attr1] [nchar](64), [attr2] [nchar](64))

Sample query:
    INSERT INTO SQLConnTest1(Id) VALUES (@Id)

How to create a SQL Server account

This sample illustrates how to create a SQL Server account, and then retrieve the UniqueID attribute for that account.
To define the scope in which to create the SQL Server account, insert the following query in the Query Editor dialog box:
    SELECT sid AS Id, name AS login FROM sys.server_principals
Insert the following SQL query into the Configure SQL Statements dialog box:
    EXEC sp_addlogin @login, @newPassword;
    EXEC sp_adduser @login, @login, 'db_owner';
    SELECT sid AS Id FROM sys.server_principals WHERE name = @login;
IMPORTANT: None of the attribute names used in SQL queries can include white-space characters. For example, you cannot use names such as "user password".
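As an added example that is not part of the guide, the following T-SQL applies the same parameter convention to the SQLConnTest1 table from Table 56: a scope query that exposes Id as the UniqueID attribute, and insert, update, and delete statements that receive the object's attributes as @-parameters of the same name. It assumes, following the account sample above, that the connector passes each attribute as a parameter named after it and reads the new object's Id from the final SELECT; because Id is an IDENTITY column, the insert lets SQL Server generate it instead of passing @Id, and a primary key is added to the table definition. Keeping values in parameters rather than concatenating them into the statement text also prevents SQL injection through attribute values.

```sql
-- Added example; table from Table 56 with a primary key added (assumption).
CREATE TABLE [SQLConnTest1](
    [Id]    [bigint] IDENTITY(1,1) NOT NULL PRIMARY KEY,
    [attr1] [nchar](64),
    [attr2] [nchar](64)
);

-- Scope query (Query Editor dialog box): Id is selected under a whitespace-free
-- name so it can be chosen as the UniqueID attribute; attr1 and attr2 become
-- ordinary attributes in the Administration Console.
SELECT Id, attr1, attr2 FROM SQLConnTest1;

-- Insert statement (Configure SQL Statements dialog box). Id is an IDENTITY
-- column, so it is not passed in; the generated value is returned as Id, the
-- same way the account sample returns sid AS Id (assumed connector behaviour).
INSERT INTO SQLConnTest1(attr1, attr2) VALUES (@attr1, @attr2);
SELECT SCOPE_IDENTITY() AS Id;

-- Update statement: the UniqueID locates the row, the other attributes are written.
UPDATE SQLConnTest1 SET attr1 = @attr1, attr2 = @attr2 WHERE Id = @Id;

-- Delete statement: again keyed on the UniqueID only.
DELETE FROM SQLConnTest1 WHERE Id = @Id;
```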

Working with Micro Focus NetIQ Directory

This section describes how to create or modify a connection to Micro Focus NetIQ Directory so that Synchronization Service can work with data in that data system.
To create a connection to Micro Focus NetIQ Directory, you need to use Synchronization Service in conjunction with a special connector called Micro Focus NetIQ Directory Connector. This connector is included in the Synchronization Service package.
NOTE: Micro Focus NetIQ Directory was formerly known as Novell eDirectory.
The Micro Focus NetIQ Directory Connector supports the following features:

Table 57: Supported features

Feature: Bidirectional synchronization. Supported: Yes.
    Allows you to read and write data in the connected data system.
Feature: Delta processing mode. Supported: No.
    Allows you to process only the data that has changed in the connected data system since the last synchronization operation, thereby reducing the overall synchronization operation time.
Feature: Password synchronization. Supported: Yes.
    Allows you to synchronize user passwords from an Active Directory domain to the connected data system.

In this section:

• Creating a Micro Focus NetIQ Directory connection
• Modifying an existing Micro Focus NetIQ Directory connection

Creating a Micro Focus NetIQ Directory connection

To create a new connection

1. In the Synchronization Service Administration Console, open the Connections tab.
2. Click Add connection, and then use the following options:
    • Connection name. Type a descriptive name for the connection.
    • Use the specified connector. Select Micro Focus NetIQ Directory Connector.
3. Click Next.
4. On the Specify connection settings page, use the following options:
    • Server. Type the fully qualified domain name of the Micro Focus NetIQ Directory server to which you want to connect.
    • Port. Type the number of the communication port used by the Micro Focus NetIQ Directory server.
    • Access Micro Focus NetIQ Directory Service using. Type the user name and password with which you want to access Micro Focus NetIQ Directory. Ensure the account has sufficient permissions to perform operations (read, write) on objects in Micro Focus NetIQ Directory.
    • Advanced. Click this button to specify a number of advanced options to access Micro Focus NetIQ Directory. For example, you can select an authentication method, configure TLS/SSL usage for the connection, and select whether or not you want to use paged search.
      From the Authentication method list, select one of the following methods:
        • Anonymous. Allows you to establish the connection without passing credentials.
        • Basic. Specifies to use basic authentication.
        • Microsoft Negotiate. Specifies to use Microsoft Negotiate authentication.
        • NTLM. Specifies to use Windows NT Challenge/Response authentication.
        • Digest. Specifies to use Digest Access authentication.
        • Sicily. Employs a negotiation mechanism (Sicily) to choose the Microsoft Network Authentication Service, Distributed Password Authentication, or NTLM method.
        • Distributed Password Authentication. Specifies to use DPA authentication.
        • Microsoft Network Authentication Service. Specifies to authenticate with Microsoft Network Authentication Service.
        • External. Specifies to use an external authentication method for the connection.
        • Kerberos. Specifies to use Kerberos authentication.
      You can also use the following check boxes:
        • Use TLS/SSL. Allows you to use TLS (SSL) encryption to establish and maintain the connection.
        • Switch to TLS/SSL after establishing connection. Establishes the connection without using TLS (SSL) encryption. Then, after the connection has been established, enables TLS (SSL) encryption.
        • Verify TLS/SSL certificate. Specifies whether or not to check the TLS (SSL) certificate on the server.
        • Use paged search. Specifies whether or not to use paged search for the connection. When selecting this check box, you can set a page size limit in the text box below.
    • Test Connection. Click this button to verify the specified connection settings.
5. Click Finish to create a connection to Micro Focus NetIQ Directory.

Modifying an existing Micro Focus NetIQ Directory connection

You can modify the various settings for an existing connection to Micro Focus NetIQ Directory, such as the Micro Focus NetIQ Directory server to connect to, communication port, access credentials, and the attributes used for naming objects in Micro Focus NetIQ Directory.
Every object in Micro Focus NetIQ Directory has a naming attribute from which the object name is formed. When you create a connection to Micro Focus NetIQ Directory, a default naming attribute is selected for each object type in that data system. You can view the default naming attribute currently selected for each object type in the directory and optionally specify a different naming attribute.

To modify connection settings

1. In the Synchronization Service Administration Console, open the Connections tab.
2. Click Connection settings below the existing Micro Focus NetIQ Directory connection you want to modify.
3. On the Connection Settings tab, click an appropriate item to expand it and use the options it provides.
   You can expand the following items:
    • Specify connection settings
    • Specify naming attributes
4. Click Save.

Specify connection settings

This expandable item provides the following options that allow you to modify the connection settings:

• Server. Type the fully qualified domain name of the Micro Focus NetIQ Directory server to which you want to connect.
• Port. Type the number of the communication port used by the Micro Focus NetIQ Directory server.
• Access Micro Focus NetIQ Directory Service using. Type the user name and password with which you want to access Micro Focus NetIQ Directory. Ensure the account has sufficient permissions to perform operations (read, write) on objects in Micro Focus NetIQ Directory.
• Advanced. Click this button to specify a number of advanced options to access Micro Focus NetIQ Directory. For example, you can select an authentication method, configure TLS/SSL usage for the connection, and select whether or not you want to use paged search.
  From the Authentication method list, select one of the following methods:
    • Anonymous. Allows you to establish the connection without passing credentials.
    • Basic. Specifies to use basic authentication.
    • Microsoft Negotiate. Specifies to use Microsoft Negotiate authentication.
    • NTLM. Specifies to use Windows NT Challenge/Response authentication.
    • Digest. Specifies to use Digest Access authentication.
    • Sicily. Employs a negotiation mechanism (Sicily) to choose the Microsoft Network Authentication Service, Distributed Password Authentication, or NTLM method.
    • Distributed Password Authentication. Specifies to use DPA authentication.
    • Microsoft Network Authentication Service. Specifies to authenticate with Microsoft Network Authentication Service.
    • External. Specifies to use an external authentication method for the connection.
    • Kerberos. Specifies to use Kerberos authentication.
  You can also use the following check boxes:
    • Use TLS/SSL. Allows you to use TLS (SSL) encryption to establish and maintain the connection.
    • Switch to TLS/SSL after establishing connection. Establishes the connection without using TLS (SSL) encryption. Then, after the connection has been established, enables TLS (SSL) encryption.
    • Verify TLS/SSL certificate. Specifies whether or not to check the TLS (SSL) certificate on the server.
    • Use paged search. Specifies whether or not to use paged search for the connection. When selecting this check box, you can set a page size limit in the text box below.
• Test Connection. Click this button to verify the specified connection settings.

Specify naming attributes

Every object in Micro Focus NetIQ Directory has a naming attribute from which the object name is formed. When you create a connection to the directory, a default naming attribute is selected for each object type in that data system. You can use the Specify Naming Attributes item to view the naming attribute currently selected for each object type in Micro Focus NetIQ Directory and optionally specify a different naming attribute.
This expandable item provides the following options:

• Default naming attribute. Displays the default naming attribute set for the currently selected object type.
• Add. Adds a new naming attribute for the selected object type.
• Edit. Allows you to edit the name of the naming attribute currently specified for the selected object type.
• Remove. Removes the currently selected entry from the list.

Working with Salesforce

This section describes how to create or modify a connection to Salesforce so that Synchronization Service can work with data in that data system.
To create a connection to Salesforce, you need to use Synchronization Service in conjunction with a special connector called Salesforce Connector. This connector is included in the Synchronization Service package.
The Salesforce Connector supports the following features:

Table 58: Supported features

Feature: Bidirectional synchronization. Supported: Yes.
    Allows you to read and write data in the connected data system.
Feature: Delta processing mode. Supported: No.
    Allows you to process only the data that has changed in the connected data system since the last synchronization operation, thereby reducing the overall synchronization operation time.
Feature: Password synchronization. Supported: Yes.
    Allows you to synchronize user passwords from an Active Directory domain to the connected data system.
Feature: Secure Sockets Layer (SSL) data encryption. Supported: Yes.
    Uses SSL to encrypt data that is transmitted between Synchronization Service and the connected data system.

In this section:

• Creating a Salesforce connection
• Modifying an existing Salesforce connection

For instructions on how to rename a connection, delete a connection, modify the synchronization scope for a connection, or specify password synchronization settings for a connection, see the Synchronization Service Administration Guide.

Creating a Salesforce connection

To create a new connection

1. In the Synchronization Service Administration Console, open the Connections tab.
2. Click Add connection, and then use the following options:
    • Connection name. Type a descriptive name for the connection.
    • Use the specified connector. Select Salesforce Connector.
3. Click Next.
4. Specify connection settings by using the following options:
    • Connect to Salesforce Sandbox. Select this check box if you want to connect to your Salesforce testing environment. If you want to connect to the production environment, make sure this check box is cleared. For more information about Salesforce Sandbox, see the Salesforce documentation.
    • User name. Type the user name of the account with which you want to access Salesforce. The account must have the System Administrator profile in the target Salesforce system.
    • Password. Type the password of the account with which you want to access Salesforce.
    • Security token. Enter the security token provided to you by Salesforce. For more information on what a security token is and how to obtain it, see the Salesforce documentation.
    • Use a proxy server for your LAN. Select this check box if your LAN uses a proxy server, and then enter the proxy server address in the Proxy server box.
    • Use credentials for proxy. Select this check box if your proxy server requires authentication. Use the appropriate text boxes to specify the user name and password with which you want to authenticate.
    • Test Connection. Click this button to verify the specified connection settings.
5. Click Finish to create a connection to Salesforce.

Modifying an existing Salesforce connection

To modify connection settings

1. In the Synchronization Service Administration Console, open the Connections tab.
2. Click Connection settings below the existing Salesforce connection you want to modify.
3. On the Connection Settings tab, click the Specify connection settings item to expand it and use the following options:
    • Connect to Salesforce Sandbox. Select this check box if you want to connect to your Salesforce testing environment. If you want to connect to the production environment, make sure this check box is cleared. For more information about Salesforce Sandbox, see the Salesforce documentation.
    • User name. Type the user name of the account with which you want to access Salesforce. The account must have the System Administrator profile in the target Salesforce system.
    • Password. Type the password of the account with which you want to access Salesforce.
    • Security token. Enter the security token provided to you by Salesforce. For more information on what a security token is and how to obtain it, see the Salesforce documentation.
    • Use a proxy server for your LAN. Select this check box if your LAN uses a proxy server, and then enter the proxy server address in the Proxy server box.
    • Use credentials for proxy. Select this check box if your proxy server requires authentication. Use the appropriate text boxes to specify the user name and password with which you want to authenticate.
    • Test Connection. Click this button to verify the specified connection settings.
4. Click Save.

Salesforce data supported out of the box

Out of the box, the Salesforce Connector supports all object types existing in Salesforce. For each Salesforce object, the Salesforce Connector supports the same operations (Read, Create, Delete, or Update) that you can perform on that object by using native Salesforce tools.
To read and/or write data related to a particular object in Salesforce, you can use the following:

• Native Salesforce fields. In the Synchronization Service Administration Console user interface these fields are referred to as attributes. For more information on native Salesforce fields, see the "Reference | Standard Objects" section in the Salesforce Web Services API Developer's Guide available online at www.salesforce.com/us/developer/docs/api/.
• Additional attributes provided by the Salesforce Connector. The names of all such attributes start with the va prefix. For information about these attributes, see the following sections:
    • User object additional attributes
    • Group object additional attributes

User object additional attributes

Table 59: User additional attributes (attribute, supported operations, description)

vaProfileName (Read, Write)
    Allows you to specify a Salesforce profile. For example, you can use this attribute
    to assign a Salesforce profile to a user being provisioned to Salesforce.
    To specify a profile, enter the profile name as it appears in the Salesforce user
    interface.
    Examples of vaProfileName values:
    • System Administrator
    • Force.com - Free User

vaRoleName (Read, Write)
    Allows you to specify a Salesforce role. For example, you can use this attribute to
    assign a Salesforce role to a user being provisioned to Salesforce.
    To specify a role, enter the role name in the format used in the Salesforce user
    interface.
    For more information on roles, see the Salesforce documentation.

vaManagerName (Read, Write)
    Allows you to specify a manager for a particular user.
    To specify a manager, enter the manager name in the format used in the Salesforce
    user interface.

vaContactName (Read, Write)
    Allows you to specify an associated contact for a particular user.
    To specify an associated contact, enter the associated contact name in the format
    used in the Salesforce user interface.

vaMemberOf (Read, Write)
    Allows you to define group membership for a particular user (this attribute is
    primarily intended for group membership synchronization).
    This attribute contains references to the groups where the user is a member.

vaMemberOfName (Read, Write)
    Allows you to define group membership for a particular user (for example, when
    provisioning a user to Salesforce).
    Specify the names of the Salesforce groups where you want the user to be a member.

vaLocale (Read, Write)
    Allows you to specify a locale for a particular user (for example, when provisioning
    a user to Salesforce).
    To specify a locale, enter the locale name in the format used in the Salesforce user
    interface.
    Example of a vaLocale value: English (United States)

vaTimeZone (Read, Write)
    Allows you to specify a time zone for a user (for example, when provisioning a user
    to Salesforce).
    To specify a time zone, enter the time zone name in the format used in the
    Salesforce user interface.
    Example of a vaTimeZone value: (GMT+00:00) Greenwich Mean Time (GMT)

vaEmailEncoding (Read, Write)
    Allows you to specify outbound email encoding to be used for a user (for example,
    when provisioning a user to Salesforce).
    Specify email encoding in the format used in the Salesforce user interface.
    Example of a vaEmailEncoding value: Unicode (UTF-8)

vaLanguage (Read, Write)
    Allows you to specify a user interface language for a particular user.
    The Salesforce user interface and help will be displayed to the user in the language
    you specify in this attribute.

vaDelegatedApproverUserName (Read, Write)
    Allows you to specify the name of the user you want to appoint as a delegated
    approver.

vaDelegatedApproverGroupName (Read, Write)
    Allows you to specify the name of a group all members of which you want to appoint
    as delegated approvers.

Group object additional attributes

Table 60: Group additional attributes (attribute, supported operations, description)

vaMemberOf (Read, Write)
    Allows you to define group membership for the group in Salesforce (this attribute is
    primarily intended for group membership synchronization).
    The attribute contains references to other groups where the group is a member.

vaMemberOfName (Read, Write)
    Allows you to define group membership for the group.
    Specify the names of Salesforce groups where you want the group to be a member.

vaMember (Read, Write)
    Allows you to define members of the group.
    This attribute contains references to the users and/or groups that are members of
    a particular group.

vaMemberName (Read, Write)
    Allows you to define members of a particular group.
    Specify the names of users and/or groups you want to be members of the group.

Scenario: Provisioning users from an Active Directory domain to Salesforce

This scenario illustrates how to configure a synchronization workflow to provision users
from an Active Directory domain to Salesforce. The scenario includes the following steps:

• Step 1: Configure a connection to source Active Directory domain
• Step 2: Configure a connection to Salesforce
• Step 3: Create a new synchronization workflow
• Step 4: Configure a workflow step
• Step 5: Run your workflow
Step 1: Configure a connection to source Active Directory domain

For instructions on how to create a new connection to an Active Directory domain, see
Synchronization Service Administration Guide.

Step 2: Configure a connection to Salesforce

For instructions on how to create a new connection to Salesforce, see Creating a Salesforce
connection.

Step 3: Create a new synchronization workflow

For instructions on how to create a new synchronization workflow, see Synchronization
Service Administration Guide.

Step 4: Configure a workflow step

1. Open the workflow you created (in the Synchronization Service Administration
   Console, on the Workflows tab, click the workflow name), and then click the Add
   synchronization step link.
2. On the Select an action page, click Provision, and then click Next.
3. On the Specify source and criteria page, do the following:
   a. Click the Specify button in the Source connected system option, then click
      Select existing connected system, and select the Active Directory
      connection you configured in Step 1: Configure a connection to source
      Active Directory domain. Click Finish.
   b. Click the Select button in the Source object type option, and then select the
      User object type from the list. Click OK.
   c. Click Next.
4. On the Specify target page, do the following:
   a. Click the Specify button in the Target connected system option, then click
      Select existing connected system, and select the Salesforce connection you
      configured in Step 2: Configure a connection to Salesforce. Click Finish.
   b. Click the Select button in the Target object type option, and then select the
      User object type from the list. Click OK.
   c. Click Next.
5. On the Specify provisioning rules page, in the Initial Attribute Population Rules
   option, add rules to populate the following required attributes:
   • Username. Use this attribute to specify a Salesforce user name for the user
     being provisioned. Make sure the user name you specify meets the format
     <UserName>@<Domain>, for example [email protected].
   • vaProfileName. Use this attribute to assign a Salesforce profile to the user
     being provisioned. A profile defines specific permissions a user has in
     Salesforce. For more information on profiles, see the Salesforce
     documentation. Alternatively, you can specify a Salesforce profile by using the
     ProfileId attribute.
   • Email. Use this attribute to specify an existing valid email address for the user
     being provisioned.
   • LastName. Use this attribute to specify the last name of the user being
     provisioned.
   • Alias. Use this attribute to specify a unique Salesforce alias for the user being
     provisioned. A Salesforce alias can include up to 8 characters. For more
     information on alias, see the Salesforce documentation.
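A pre-flight check for these population rules, added here as an example and not code from this guide or from the Active Roles product: it maps a source AD user to the required Salesforce User attributes and reports the violations that would otherwise surface only when the provisioning step runs (a missing required attribute, a Username that is not in <UserName>@<Domain> format, an Alias longer than 8 characters). The Salesforce attribute names are the ones listed above; the source AD attribute names (sAMAccountName, mail, sn, givenName, memberOf), the Salesforce domain, the profile name and the AD-group-to-Salesforce-group mapping are this example's own assumptions, and the sample user is constructed.

```python
import re

# Required initial attribute population rules listed in Step 5 of the scenario.
REQUIRED_ATTRIBUTES = ("Username", "vaProfileName", "Email", "LastName", "Alias")

# A Salesforce user name must have the form <UserName>@<Domain>.
USERNAME_PATTERN = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
ALIAS_MAX_LENGTH = 8  # a Salesforce alias can include up to 8 characters

# Assumed mapping from source AD group names to Salesforce group names (constructed).
AD_GROUP_TO_SALESFORCE_GROUP = {
    "Sales-EMEA": "EMEA Sales",
    "Support-Tier1": "Support Agents",
}


def build_salesforce_user(ad_user, salesforce_domain, profile_name):
    """Map a source AD user (a dict of attribute values) to the initial attribute
    population rules for a Salesforce User object. The source attribute names
    (sAMAccountName, mail, sn, givenName, memberOf) are this example's assumption."""
    sam = ad_user["sAMAccountName"]
    groups = [AD_GROUP_TO_SALESFORCE_GROUP[g] for g in ad_user.get("memberOf", [])
              if g in AD_GROUP_TO_SALESFORCE_GROUP]
    return {
        "Username": f"{sam}@{salesforce_domain}",
        "vaProfileName": profile_name,
        "Email": ad_user["mail"],
        "LastName": ad_user["sn"],
        "FirstName": ad_user.get("givenName", ""),
        # Alias: first 8 characters of the account name, lower case, so it stays in limit.
        "Alias": sam[:ALIAS_MAX_LENGTH].lower(),
        # vaMemberOfName takes Salesforce group names (Table 59), not AD group names.
        "vaMemberOfName": groups,
    }


def validate_salesforce_user(attrs):
    """Return the list of problems that would make the provisioning step fail,
    in a fixed order: missing required attributes first, then format checks."""
    problems = []
    for name in REQUIRED_ATTRIBUTES:
        if not attrs.get(name):
            problems.append(f"missing required attribute {name}")
    username = attrs.get("Username", "")
    if username and not USERNAME_PATTERN.match(username):
        problems.append("Username must be in <UserName>@<Domain> format")
    alias = attrs.get("Alias", "")
    if alias and len(alias) > ALIAS_MAX_LENGTH:
        problems.append(f"Alias longer than {ALIAS_MAX_LENGTH} characters")
    email = attrs.get("Email", "")
    if email and not USERNAME_PATTERN.match(email):
        problems.append("Email is not a valid address")
    return problems


if __name__ == "__main__":
    # Constructed sample AD user, not real directory data.
    sample = {"sAMAccountName": "jdoe", "mail": "jdoe@example.com", "sn": "Doe",
              "givenName": "Jane", "memberOf": ["Sales-EMEA", "Domain Users"]}
    user = build_salesforce_user(sample, "example.com", "Standard User")
    print(user)
    print(validate_salesforce_user(user) or "ok")
```

The check deliberately does not verify that the truncated Alias is unique across all users being provisioned; two account names that share their first eight characters produce the same alias, so a uniqueness check over the whole source set belongs in front of the workflow run.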

Step 5: Run your workflow

For instructions on how to run a synchronization workflow, see Synchronization Service
Administration Guide.

Working with ServiceNow

This section describes how to create or modify a connection to ServiceNow so that
Synchronization Service can work with data in that data system.
To create a connection to ServiceNow, you need to use Synchronization Service in
conjunction with a special connector called ServiceNow Connector. This connector is
included in the Synchronization Service package.

The ServiceNow Connector supports the following features:

Table 61: Supported features (feature, supported)

Bidirectional synchronization: Yes
    Allows you to read and write data in the connected data system.

Delta processing mode: No
    Allows you to process only the data that has changed in the connected data system
    since the last synchronization operation, thereby reducing the overall
    synchronization operation time.

Password synchronization: Yes
    Allows you to synchronize user passwords from an Active Directory domain to the
    connected data system.

Secure Sockets Layer (SSL) data encryption: Yes
    Uses SSL to encrypt data that is transmitted between Synchronization Service and
    the connected data system.

In this section:

• Creating a ServiceNow connection
• Modifying an existing ServiceNow connection
• ServiceNow data supported out of the box

For instructions on how to rename a connection, delete a connection, modify
synchronization scope for a connection, or specify password synchronization settings for a
connection, see Synchronization Service Administration Guide.

Creating a ServiceNow connection

Creating a new connection to ServiceNow includes the following steps:

• Step 1: Configure ServiceNow
• Step 2: Create a new connection to ServiceNow

Step 1: Configure ServiceNow

In this step, you need to configure your ServiceNow instance to make it accessible to
Synchronization Service.

To configure ServiceNow

1. Open the Web site of your ServiceNow instance.
2. In the left pane of the ServiceNow Web site, under System Properties, click
   Web Services.
3. Make sure ServiceNow requires basic authorization for incoming RSS and SOAP
   requests.
4. In the right pane, make sure you clear the check box below This property sets the
   elementFormDefault attribute.
5. Click the Save button.

Step 2: Create a new connection to ServiceNow

To create a new connection

1. In the Synchronization Service Administration Console, open the Connections tab.
2. Click Add connection, and then use the following options:
   • Connection name. Type a descriptive name for the connection.
   • Use the specified connector. Select ServiceNow Connector.
3. Click Next.
4. On the Specify connection settings page, use the following options:
   • ServiceNow instance name. Type the name of the ServiceNow instance to
     which you want to connect.
   • Access ServiceNow instance using. Type the user name and password of
     the account with which you want to access the specified ServiceNow instance.
   • Use a proxy server for your LAN. Select this check box if your LAN uses a
     proxy server. Then enter the proxy server address in the Proxy server box.
   • Use credentials for proxy. Select this check box if your proxy server
     requires authentication. Use the appropriate text boxes to specify the user
     name and password with which you want to authenticate.
   • Test Connection. Click this button to verify the specified connection settings.
5. Click Finish to create a connection to ServiceNow.
6. Synchronize the ServiceNow Connector schema with that of the connected
   ServiceNow instance.
   This step is required to pass information about object classes and attributes existing
   in the connected ServiceNow instance to the ServiceNow Connector, so that the
   connector can correctly read and write data in the connected ServiceNow instance.
   To synchronize the connector schema, do the following:
   a. Below the ServiceNow connection you have just created, click the Connection
      settings link.
   b. On the Connection Settings tab, click the Update connector schema item
      to expand it.
   c. Click the Update Schema button.

Modifying an existing ServiceNow connection

To modify connection settings

1. In the Synchronization Service Administration Console, open the Connections tab.
2. Click Connection settings below the existing ServiceNow connection you
   want to modify.
3. On the Connection Settings tab, click an item to expand it, and then use the options
   it provides. You can expand the following items:
   Specify connection settings item:
   • ServiceNow instance name. Type the name of the ServiceNow instance to
     which you want to connect.
   • Access ServiceNow instance using. Type the user name and password of
     the account with which you want to access the specified ServiceNow instance.
   • Use a proxy server for your LAN. Select this check box if your LAN uses a
     proxy server. Then enter the proxy server address in the Proxy server box.
   • Use credentials for proxy. Select this check box if your proxy server
     requires authentication. Use the appropriate text boxes to specify the user
     name and password with which you want to authenticate.
   • Test Connection. Click this button to verify the specified connection settings.
   Update connector schema item:
   • Update Schema. Synchronizes the ServiceNow Connector schema with
     changes in the connected ServiceNow instance. Use this button whenever
     schema changes occur in the connected ServiceNow instance (for example,
     object classes or attributes are added or deleted in the ServiceNow instance).
     For the ServiceNow Connector to correctly read and write data in the
     ServiceNow instance, the connector schema must be completely in sync with
     that of the ServiceNow instance.
4. Click Save.

ServiceNow data supported out of the box

The ServiceNow Connector supports all object classes and attributes existing in the
connected ServiceNow instance, provided that the ServiceNow Connector schema and the
ServiceNow instance schema are completely in sync.
To synchronize the ServiceNow Connector schema with the connected ServiceNow instance
schema, use the Update Schema button in the Update connector schema item of the
ServiceNow connection settings. For more information, see Modifying an existing
ServiceNow connection.

Working with Oracle Unified Directory

This section describes how to create or modify a connection to Oracle Unified Directory so
that Synchronization Service can work with data in that data system.
To create a connection to Oracle Unified Directory, you need to use Synchronization
Service in conjunction with a special connector called Oracle Unified Directory Connector.
This connector is included in the Synchronization Service package.
NOTE: Oracle Unified Directory was formerly known as Sun One Directory.
The Oracle Unified Directory Connector supports the following features:

Table 62: Supported features (feature, supported)

Bidirectional synchronization: Yes
    Allows you to read and write data in the connected data system.

Delta processing mode: No
    Allows you to process only the data that has changed in the connected data system
    since the last synchronization operation, thereby reducing the overall
    synchronization operation time.

Password synchronization: Yes
    Allows you to synchronize user passwords from an Active Directory domain to the
    connected data system.

In this section:

• Creating an Oracle Unified Directory connection
• Modifying an existing Oracle Unified Directory Server connection

For instructions on how to rename a connection, delete a connection, modify
synchronization scope for a connection, or specify password synchronization settings for a
connection, see Synchronization Service Administration Guide.

Creating an Oracle Unified Directory connection

To create a new connection

1. In the Synchronization Service Administration Console, open the Connections tab.
2. Click Add connection, and then use the following options:
   • Connection name. Type a descriptive name for the connection.
   • Use the specified connector. Select Oracle Unified Directory Server Connector.
3. Click Next.
4. On the Specify connection settings page, use the following options:
   • Server. Type the fully qualified domain name of the computer running
     Oracle Unified Directory Server that manages the directory to which you
     want to connect.
   • Port. Type the number of the communication port used by Oracle Unified
     Directory Server.
   • Access Oracle Unified Directory Server using. Type the user name and
     password of the account with which you want to access Oracle Unified
     Directory Server. Ensure the account has sufficient permissions to perform
     operations (read, write) on objects in the directory managed by Oracle Unified
     Directory Server.
   • Advanced. Click this button to specify a number of advanced options to access
     the directory managed by Oracle Unified Directory Server. For example, you
     can select an authentication method, configure TLS/SSL usage for the
     connection, and select whether or not you want to use paged search.
     From the Authentication method list, select one of the following methods:
     • Anonymous. Allows you to establish the connection without passing
       credentials.
     • Basic. Specifies to use basic authentication.
     • Microsoft Negotiate. Specifies to use Microsoft Negotiate
       authentication.
     • NTLM. Specifies to use Windows NT Challenge/Response authentication.
     • Digest. Specifies to use Digest Access authentication.
     • Sicily. Employs a negotiation mechanism (Sicily) to choose the Microsoft
       Network Authentication Service, Distributed Password Authentication, or
       NTLM method.
     • Distributed Password Authentication. Specifies to use DPA
       authentication.
     • Microsoft Network Authentication Service. Specifies to
       authenticate with Microsoft Network Authentication Service.
     • External. Specifies to use an external authentication method for the
       connection.
     • Kerberos. Specifies to use Kerberos authentication.
     You can also use the following check boxes:
     • Use TLS/SSL. Allows you to use the TLS (SSL) encryption to establish
       and maintain the connection.
     • Switch to TLS/SSL after establishing connection. Establishes the
       connection without using the TLS (SSL) encryption. Then, after the
       connection has been established, enables the TLS (SSL) encryption.
     • Verify TLS/SSL certificate. Specifies whether or not to check the TLS
       (SSL) certificate on the server.
     • Use paged search. Specifies whether or not to use paged search for
       the connection. When selecting this check box, you can set a page size
       limit in the text box below.
   • Test Connection. Click this button to verify the specified connection settings.
5. Click Finish to create a connection to Oracle Unified Directory Server.

Modifying an existing Oracle Unified Directory Server connection

You can modify the various settings for an existing connection to a directory managed by
Oracle Unified Directory Server, such as server computer to which the connection is
established, communication port, access credentials, and the attributes used for naming
objects in the directory.
Every object in a directory managed by Oracle Unified Directory Server has a naming
attribute from which the object name is formed. When you create a connection to the
directory, a default naming attribute is selected for each object type in that data system.
You can view the default naming attribute currently selected for each object type in the
directory and optionally specify a different naming attribute.

To modify connection settings

1. In the Synchronization Service Administration Console, open the Connections tab.
2. Click Connection settings below the existing Oracle Unified Directory connection
   you want to modify.
3. On the Connection Settings tab, click an appropriate item to expand it and use the
   options it provides.
   You can expand the following items:
   • Specify connection settings
   • Specify naming attributes
4. Click Save.

Specify connection settings

This expandable item provides the following options that allow you to modify the
connection settings:

• Server. Type the fully qualified domain name of the computer running Oracle Unified
  Directory Server that manages the directory to which you want to connect.
• Port. Type the number of the communication port used by Oracle Unified
  Directory Server.
• Access Oracle Unified Directory Server using. Type the user name and
  password of the account with which you want to access Oracle Unified Directory
  Server. Ensure the account has sufficient permissions to perform the operations
  you want (Read, Write) on objects in the directory managed by Oracle Unified
  Directory Server.
• Advanced. Click this button to specify a number of advanced options to access the
  directory managed by Oracle Unified Directory Server. For example, you can select
  an authentication method, configure TLS/SSL usage for the connection, and select
  whether or not you want to use paged search.
  From the Authentication method list, select one of the following methods:
  • Anonymous. Allows you to establish the connection without passing
    credentials.
  • Basic. Specifies to use basic authentication.
  • Microsoft Negotiate. Specifies to use Microsoft Negotiate authentication.
  • NTLM. Specifies to use Windows NT Challenge/Response authentication.
  • Digest. Specifies to use Digest Access authentication.
  • Sicily. Employs a negotiation mechanism (Sicily) to choose the Microsoft
    Network Authentication Service, Distributed Password Authentication, or
    NTLM method.
  • Distributed Password Authentication. Specifies to use DPA authentication.
  • Microsoft Network Authentication Service. Specifies to authenticate with
    Microsoft Network Authentication Service.
  • External. Specifies to use an external authentication method for the
    connection.
  • Kerberos. Specifies to use Kerberos authentication.

  You can also use the following check boxes:

  • Use TLS/SSL. Allows you to use the TLS (SSL) encryption to establish and maintain
    the connection.
  • Switch to TLS/SSL after establishing connection. Establishes the connection
    without using the TLS (SSL) encryption. Then, after the connection has been
    established, enables the TLS (SSL) encryption.
  • Verify TLS/SSL certificate. Specifies whether or not to check the TLS (SSL)
    certificate on the server.
  • Use paged search. Specifies whether or not to use paged search for the
    connection. When selecting this check box, you can set a page size limit in the
    text box below.
• Test Connection. Click this button to verify the specified connection settings.

Specify naming attributes

Every object in a directory managed by Oracle Unified Directory Server has a naming
attribute from which the object name is formed. When you create a connection to the
directory, a default naming attribute is selected for each object type in that data system.
You can use the Specify Naming Attributes item to view the naming attribute
currently selected for each object type in the directory and optionally specify a different
naming attribute.
This expandable item provides the following options:

• Default naming attribute. Displays the default naming attribute set for the
  currently selected object type.
• Add. Adds a new naming attribute for the selected object type.
• Edit. Allows you to edit the name of the naming attribute currently specified for the
  selected object type.
• Remove. Removes the currently selected entry from the list.

Working with an LDAP directory service

This section describes how to create or modify a connection to an LDAP directory service so
that Synchronization Service can work with data in that data system.
To create a connection to an LDAP directory service, you need to use Synchronization
Service in conjunction with a special connector called Generic LDAP Connector. This
connector is included in the Synchronization Service package.
The Generic LDAP Connector supports the following features:

Table 63: Supported features (feature, supported)

Bidirectional synchronization: Yes
    Allows you to read and write data in the connected data system.

Delta processing mode: No
    Allows you to process only the data that has changed in the connected data system
    since the last synchronization operation, thereby reducing the overall
    synchronization operation time.

Password synchronization: Yes
    Allows you to synchronize user passwords from an Active Directory domain to the
    connected data system.

In this section:

• Creating an LDAP directory service connection
• Modifying an existing Generic LDAP directory service connection
• Specify attributes to identify objects

For instructions on how to rename a connection, delete a connection, modify
synchronization scope for a connection, or specify password synchronization settings for a
connection, see Synchronization Service Administration Guide.

Creating an LDAP directory service connection

To create a new connection

1. In the Synchronization Service Administration Console, open the Connections tab.
2. Click Add connection, and then use the following options:
   • Connection name. Type a descriptive name for the connection.
   • Use the specified connector. Select Generic LDAP Connector.
3. Click Next.
4. On the Specify connection settings page, use the following options:
   • Server. Type the fully qualified domain name of the computer running an LDAP
     directory service to which you want to connect.
   • Port. Type the number of the communication port used by the LDAP server to
     which you want to connect.
   • Use TLS/SSL. Allows you to use the TLS (SSL) encryption to establish and
     maintain the connection.
   • Use connectionless LDAP. Enables the use of the connectionless LDAP
     (CLDAP) protocol for the connection.
   • User name. Type the user name of the account with which you want to bind.
   • Password. Type the password of the account with which you want to bind.
   • Bind with Synchronization Service account. Allows you to bind with the
     account under which the Synchronization Service is running.
   • Bind with credentials. Allows you to bind by specifying the credentials of a
     particular user account.
   • Use simple bind. Allows you to bind either without specifying user account
     credentials or with a user password only. In the latter case, the password you
     type is transmitted as clear text.
   • Use custom bind. Allows you to configure a number of advanced settings for
     binding. Click Configure, and then use the next options.
     From the Authentication method list, select one of the following methods:
     • Anonymous. Allows you to establish the connection without passing
       credentials.
     • Basic. Specifies to use basic authentication.
     • Microsoft Negotiate. Specifies to use Microsoft Negotiate
       authentication.
     • NTLM. Specifies to use Windows NT Challenge/Response authentication.
     • Digest. Specifies to use Digest Access authentication.
     • Sicily. Employs a negotiation mechanism (Sicily) to choose the Microsoft
       Network Authentication Service, Distributed Password Authentication, or
       NTLM method.
     • Distributed Password Authentication. Specifies to use DPA
       authentication.
     • Microsoft Network Authentication Service. Specifies to
       authenticate with Microsoft Network Authentication Service.
     • External. Specifies to use an external authentication method for the
       connection.
     • Kerberos. Specifies to use Kerberos authentication.
     You can also use the following check boxes:
     • Switch to TLS/SSL after establishing connection. Establishes the
       connection without using the TLS (SSL) encryption. Then, after the
       connection has been established, enables the TLS (SSL) encryption.
     • Verify TLS/SSL certificate. Specifies whether or not to check the TLS
       (SSL) certificate on the server.
     • Use paged search. Specifies whether or not to use paged search for
       the connection. When selecting this check box, you can set a page size
       limit in the text box below.
   • Test Connection. Click this button to verify the specified connection settings.
5. Click Next.
6. On the Specify directory partitions page, select the check boxes next to the
   directory partitions you want to participate in the synchronization operations.
   You can also use the following additional options:
   • Select all. Selects the check boxes next to all directory partitions in the list.
   • Add. Adds a new directory partition to the list.
   • Remove. Removes currently selected directory partition from the list.
   • Test Connection. Click this button to verify the specified connection settings.
7. Click Next.
8. On the Specify attributes to identify objects page, specify the attributes with
   which you want to uniquely identify each object in the LDAP directory service.
   You can use the following options:
   • Available attributes. Lists the attributes that are available in the external data
     system. Use this list to select the attributes whose values you want to use to
     generate a unique identifier for each object in the external data system. You can
     filter attributes by typing in the text box at the top of this list. To select multiple
     attributes, hold down CTRL and click to select attributes in the list.
   • UniqueID attributes. Lists the attributes whose values are currently used to
     generate a unique identifier for each object in the external data system.
   • Add->. Moves the selected attributes from the Available attributes list to the
     UniqueID attributes list.
   • <-Remove. Moves the selected attributes from the UniqueID attributes list to the
     Available attributes list.
   • Constructed UniqueID. Displays a combination of the attributes whose values will
     make up a unique identifier for each object in the external data system.
9. Click Finish to create a connection to the LDAP directory service.
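The UniqueID attributes chosen in step 8 decide whether the connector can tell two directory objects apart, so it is worth checking a candidate attribute set against a sample of the directory before committing the connection. The following is an added example, not code from this guide or from the Generic LDAP Connector: it builds an identifier from the selected attributes in list order and reports every identifier shared by more than one entry. The separator and the way multi-valued attributes are joined are this example's assumptions (the connector's own Constructed UniqueID format is not documented here), and the directory entries are constructed sample data.

```python
# Constructed sample entries from a fictitious LDAP directory (not real data).
SAMPLE_ENTRIES = [
    {"dn": "uid=jsmith,ou=Sales,dc=example,dc=com", "uid": "jsmith",
     "entryUUID": "5b1c0a5e-0001-4f1e-9c1d-000000000001", "mail": "jsmith@example.com"},
    {"dn": "uid=jsmith,ou=Support,dc=example,dc=com", "uid": "jsmith",
     "entryUUID": "5b1c0a5e-0002-4f1e-9c1d-000000000002", "mail": "john.smith@example.com"},
    {"dn": "uid=adoe,ou=Sales,dc=example,dc=com", "uid": "adoe",
     "entryUUID": "5b1c0a5e-0003-4f1e-9c1d-000000000003", "mail": "adoe@example.com"},
]


def constructed_unique_id(entry, uniqueid_attributes, separator="|"):
    """Join the values of the selected attributes, in list order, into one identifier.
    An entry that lacks a value for any selected attribute cannot be identified, so
    that is reported as an error rather than silently producing a shorter ID."""
    parts = []
    for attr in uniqueid_attributes:
        value = entry.get(attr)
        if value is None or value == "" or value == []:
            raise ValueError(f"{entry['dn']} has no value for {attr}")
        if isinstance(value, list):
            # Multi-valued attribute: sort so the ID does not depend on server ordering.
            value = ";".join(sorted(str(v) for v in value))
        parts.append(str(value))
    return separator.join(parts)


def find_collisions(entries, uniqueid_attributes):
    """Return {identifier: [dn, ...]} for every identifier shared by two or more entries.
    An empty result means the attribute set identifies each sampled entry uniquely."""
    ids = {}
    for entry in entries:
        uid = constructed_unique_id(entry, uniqueid_attributes)
        ids.setdefault(uid, []).append(entry["dn"])
    return {uid: dns for uid, dns in ids.items() if len(dns) > 1}


if __name__ == "__main__":
    for candidate in (["uid"], ["uid", "mail"], ["entryUUID"]):
        print(candidate, find_collisions(SAMPLE_ENTRIES, candidate) or "unique")
```

On the sample, uid alone collides across the two partitions, while uid plus mail and entryUUID alone are both unique. Uniqueness is only half the requirement: the identifier also has to be stable, and an ID built from mail changes whenever the address changes, which makes the connector treat the object as deleted and re-created. An operational identifier such as entryUUID, where the directory provides one, satisfies both properties.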

Modifying an existing Generic LDAP directory service connection

To modify connection settings

1. In the Synchronization Service Administration Console, open the Connections tab.
2. Click Connection settings below the existing generic LDAP connection you
   want to modify.
3. On the Connection Settings tab, click an appropriate item to expand it and use the
   options it provides.
   You can expand the following items:
   • Specify connection settings
   • Specify directory partitions
   • Specify naming attributes
   • Specify attributes to identify objects
   See the next subsections for the descriptions of these items.
4. Click Save.

Specify connection settings


This expandable item provides the following options that allow you to modify the
connection settings:

l Server. Type the fully qualified domain name of the computer running the LDAP
directory service to which you want to connect.
l Port. Type the number of the communication port used by the LDAP server to which
you want to connect.
l Use TLS/SSL. Allows you to use the TLS (SSL) encryption to establish and maintain
the connection.
l Use connectionless LDAP. Allows you to use the connectionless LDAP (CLDAP)
protocol for the connection.
l User name. Type the user name of the account with which you want to bind.
l Password. Type the password of the account with which you want to bind.
l Domain. Type the domain to which belongs the user account with which you
want to bind.
l Bind with Synchronization Service account. Allows you to bind with the account
under which the Synchronization Service is running.
l Bind with credentials. Allows you to bind by specifying the credentials of a
particular user account.

Active Roles 8.0 LTS Synchronization Service Administration Guide


143
Connections to external data systems
l Use simple bind. Allows you to bind either without specifying user account
credentials or only with password. In the latter case, the password you specify is
transmitted as clear text.
l Use custom bind. Allows you to configure a number of advanced settings for
binding. Click Configure, and then use the next options.

From the Authentication method list, select one of the following methods:

l Anonymous. Allows you to establish the connection without passing credentials.


l Basic. Specifies to use basic authentication.
l Microsoft Negotiate. Specifies to use Microsoft Negotiate authentication.
l NTLM. Specifies to use Windows NT Challenge/Response authentication.
l Digest. Specifies to use Digest Access authentication.
l Sicily. Employs a negotiation mechanism (Sicily) to choose the Microsoft Network
Authentication Service, Distributed Password Authentication, or NTLM method.
l Distributed Password Authentication. Specifies to use DPA authentication.
l Microsoft Network Authentication Service. Specifies to authenticate with
Microsoft Network Authentication Service.
l External. Specifies to use an external authentication method for the connection.
l Kerberos. Specifies to use Kerberos authentication.

You can also use the following check boxes:

l Switch to TLS/SSL after establishing connection. Establishes the connection
without using the TLS (SSL) encryption. Then, after the connection has been
established, enables the TLS (SSL) encryption.
l Verify TLS/SSL certificate. Specifies whether or not to check the TLS (SSL)
certificate on the server.
l Use paged search. Specifies whether or not to use paged search for the
connection. When selecting this check box, you can set a page size limit in the
text box below.
l Test Connection. Click this button to verify the specified connection settings.
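As an added example (not code from Synchronization Service or One Identity), the following Python function reads a connection definition the way a reviewer would read these options: it flags a simple bind whose password would cross the network as clear text, a TLS/SSL connection that does not verify the server certificate, and a switch-to-TLS connection whose first exchange is unencrypted. The LdapConnectionSettings fields, the severity labels and the sample connections are assumptions made for this illustration.

```python
"""Review Generic LDAP connection settings for transport and bind weaknesses.

Added example, not part of One Identity Synchronization Service. Field names
mirror the options in the "Specify connection settings" item; the dataclass,
severities and sample connections are assumptions for this illustration,
not values read from the product.
"""
from dataclasses import dataclass
from typing import List, Tuple

Finding = Tuple[str, str]  # (severity, message)


@dataclass
class LdapConnectionSettings:
    name: str
    server: str
    port: int
    use_tls: bool = False               # "Use TLS/SSL"
    switch_to_tls: bool = False         # "Switch to TLS/SSL after establishing connection"
    verify_certificate: bool = True     # "Verify TLS/SSL certificate"
    bind_mode: str = "credentials"      # "sync_account", "credentials", "simple" or "custom"
    simple_bind_password: bool = False  # simple bind that supplies a password
    auth_method: str = "Basic"          # custom bind "Authentication method"


def assess(s: LdapConnectionSettings) -> List[Finding]:
    """Return findings for one connection; an empty list means nothing to raise."""
    findings: List[Finding] = []
    encrypted = s.use_tls or s.switch_to_tls

    # Simple bind with a password: the guide states the password is sent as
    # clear text, so without TLS/SSL it is readable on the wire.
    if s.bind_mode == "simple" and s.simple_bind_password and not encrypted:
        findings.append(("HIGH", f"{s.name}: simple bind with a password but no "
                                 "TLS/SSL; the password is transmitted as clear text"))

    # Basic authentication under custom bind also presents the password as-is
    # to the server (assumption made here), so it needs the same protection.
    if s.bind_mode == "custom" and s.auth_method == "Basic" and not encrypted:
        findings.append(("HIGH", f"{s.name}: Basic authentication without TLS/SSL"))

    # Anonymous custom bind: no credentials at all are presented.
    if s.bind_mode == "custom" and s.auth_method == "Anonymous":
        findings.append(("MEDIUM", f"{s.name}: anonymous bind; the directory "
                                   "cannot attribute synchronization changes to an account"))

    # Encryption without certificate verification: the server's identity is
    # never checked, so the encrypted session could be with the wrong peer.
    if encrypted and not s.verify_certificate:
        findings.append(("HIGH", f"{s.name}: TLS/SSL enabled but the server "
                                 "certificate is not verified"))

    # Switch-to-TLS: the session begins unencrypted and is upgraded later.
    if s.switch_to_tls and not s.use_tls:
        findings.append(("INFO", f"{s.name}: connection is established without "
                                 "TLS/SSL and upgraded afterwards; nothing sent "
                                 "before the switch is protected"))
    return findings


def worst_severity(findings: List[Finding]) -> str:
    """Highest severity present, or "NONE" for an empty list."""
    order = {"INFO": 0, "MEDIUM": 1, "HIGH": 2}
    return max((sev for sev, _ in findings), key=order.__getitem__, default="NONE")


# Constructed sample connections (not real hosts).
WEAK = LdapConnectionSettings("legacy-ldap", "ldap.example.test", 389,
                              bind_mode="simple", simple_bind_password=True)
NO_VERIFY = LdapConnectionSettings("ldaps-unverified", "ldap.example.test", 636,
                                   use_tls=True, verify_certificate=False)
GOOD = LdapConnectionSettings("ldaps-ok", "ldap.example.test", 636,
                              use_tls=True, bind_mode="credentials")

if __name__ == "__main__":
    for conn in (WEAK, NO_VERIFY, GOOD):
        for sev, msg in assess(conn) or [("NONE", f"{conn.name}: no findings")]:
            print(f"[{sev}] {msg}")
```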

Specify directory partitions


Allows you to specify the directory partitions you want to participate in the synchronization
operations by selecting the check boxes next to such directory partitions. You can also use
the following additional options:

l Select all. Selects the check boxes next to all directory partitions in the list.
l Add. Adds a new directory partition to the list.
l Remove. Removes currently selected directory partition from the list.
l Test Connection. Click this button to verify the specified connection settings.

Specify naming attributes
Every object in an LDAP directory service has a naming attribute from which the object
name is formed. When you create a connection to an LDAP directory service, a default
naming attribute is selected for each object type in the data system. You can use the
Specify Naming Attributes item to view the naming attribute currently selected for each
object type in the data system and optionally specify a different naming attribute.
This expandable item provides the following options:

l Default naming attribute. Displays the default naming attribute currently selected
for each object type.
l Add. Adds a new naming attribute for the selected object type.
l Edit. Allows you to edit the name of the naming attribute currently specified for the
selected object type.
l Remove. Removes the currently selected entry from the list.

Specify attributes to identify objects


This expandable item provides the following options that allow you to specify the
attributes with which you wish to uniquely identify each object in the connected LDAP
directory service:

l Available attributes. Lists the attributes that are available in the external data
system. Use this list to select the attributes whose values you want to use to
generate a unique identifier for each object in the external data system. You can
filter attributes by typing in the text box at the top of this list. To select multiple
attributes, hold down CTRL and click to select attributes in the list.
l UniqueID attributes. Lists the attributes whose values are currently used to
generate a unique identifier for each object in the external data system.
l Add->. Moves the selected attributes from the Available attributes list to the
UniqueID attributes list.
l <-Remove. Moves the selected attributes from the UniqueID attributes list to the
Available attributes list.
l Constructed UniqueID. Displays a combination of the attributes whose values will
make up a unique identifier for each object in the external data system.

Specify password sync parameters for LDAP directory service
To synchronize passwords in an LDAP directory service connected to Synchronization
Service through the Generic LDAP Connector, you must specify the following parameters:

l The target object type for which you want to synchronize passwords.
l The object attribute for storing passwords in the LDAP directory service.

To specify the target object type and attribute for storing passwords

1. Click the Connection settings link below the LDAP directory service connection for
which you want to specify the target object type and attribute for storing passwords.
2. Open the Password tab.
3. Make sure the Synchronize and manage passwords check box is selected.
4. Use the Synchronize passwords for objects of this type option to specify the
object type in LDAP directory service for which you want to synchronize passwords.
5. Use the Store password in this attribute option to specify the attribute in which
you want to store passwords.
6. Click Save.

Working with IBM DB2


This section describes how to create or modify a connection to IBM DB2 so that
Synchronization Service can work with data in that data system.
To create a connection to IBM DB2, you need to use Synchronization Service in conjunction
with a special connector called IBM DB2 Connector. This connector is included in the
Synchronization Service package.
The IBM DB2 Connector supports the following features:

Table 64: Supported features

Feature                        Supported  Description
Bidirectional synchronization  Yes        Allows you to read and write data in the connected data system.
Delta processing mode          No         Allows you to process only the data that has changed in the connected data system since the last synchronization operation, thereby reducing the overall synchronization operation time.
Password synchronization       Yes        Allows you to synchronize user passwords from an Active Directory domain to the connected data system.

In this section:

l Creating an IBM DB2 connection
l Modifying an existing IBM DB2 connection

Creating an IBM DB2 connection


To create a new connection

1. On the system where Synchronization Service is installed, install IBM Data Server
Client supplied with the IBM DB2 version with which you plan to work.
2. In the Synchronization Service Administration Console, open the Connections tab.
3. Click Add connection, and then use the following options:
l Connection name. Type a descriptive name for the connection.
l Use the specified connector. Select IBM DB2 Connector.
4. Click Next.
5. On the Specify connection settings page, use the following options:
l IBM DB2 server. Type or select the fully qualified domain name of the IBM
DB2 computer that hosts the database you want to participate in data
synchronization operations. You can click Refresh to get a list of available IBM
DB2 servers.
l Access IBM DB2 server using. Type the user name and password with
which you want to access the IBM DB2 server.
l Connect to database. Type the name of the database to which you want to
connect on the IBM DB2 server.
l Advanced. Optionally, you can click this button to specify additional
parameters you want to add to the connection string that will be used to access
the IBM DB2 server. In the dialog box that opens, click the Add Parameter
button to specify the name and value of the parameter you want to add to the
connection string.
l Test Connection. Click this button to verify the specified connection settings.
6. Click Next.
7. On the Specify how to select and modify data page, use the following options:
l Use data from this table. Allows you to select the database table that
includes the data you want to participate in the synchronization operations. You
can click Preview to preview the database table you have selected.
l Use an SQL query to specify data. Allows you to compose an SQL query
that provides a more flexible way for specifying data for synchronization. For
example, you can use this option to specify multiple database tables.

l Configure Settings. Click this button to specify settings for modifying data in
the connected system during synchronization operations. For example, you can
specify the database tables in which you want to insert, update, or delete data
during synchronization operations.
8. On the Specify attributes to identify objects page, use the following options:
l Available attributes. Lists the attributes that are available in the external
data system. Use this list to select the attributes whose values you want to use
to generate a unique identifier for each object in the external data system. You
can filter attributes by typing in the text box at the top of this list. To select
multiple attributes, hold down CTRL and click to select attributes in the list.
l UniqueID attributes. Lists the attributes whose values are currently used to
generate a unique identifier for each object in the external data system.
l Add->. Moves the selected attributes from the Available attributes list to
the UniqueID attributes list.
l <-Remove. Moves the selected attributes from the UniqueID attributes list
to the Available attributes list.
l Constructed UniqueID. Displays a combination of the attributes whose
values will make up a unique identifier for each object in the external
data system.
9. Click Finish to create a connection to the IBM DB2 system.

Modifying an existing IBM DB2 connection


To modify connection settings

1. In the Synchronization Service Administration Console, open the Connections tab.


2. Click Connection settings below the existing IBM DB2 connection you want
to modify.
3. On the Connection Settings tab, click an appropriate item to expand it and use the
options it provides.
You can expand the following items:
l Specify connection settings
l Specify how to select and modify data
l Advanced
l Specify attributes to identify objects

4. Click Save.

Specify connection settings


This expandable item provides the following options that allow you to modify the
connection settings:

l IBM DB2 server. Type or select the fully qualified domain name of the IBM DB2
computer that hosts the database you want to participate in data synchronization
operations. You can click Refresh to get a list of available IBM DB2 servers.
l Access IBM DB2 server using. Type the user name and password with which you
want to access the IBM DB2 server.
l Connect to database. Type the name of the database to which you want to connect
on the IBM DB2 server.
l Advanced. Click this button to specify additional parameters you want to add to the
connection string that will be used to access the IBM DB2 server. Then, click the Add
Parameter button to specify the name and value of the parameter you want to add
to the connection string.
l Test Connection. Click this button to verify the specified connection settings.

Specify how to select and modify data


This expandable item provides the following options that allow you to specify the data you
want to participate in the synchronization:

l Use data from this table. Allows you to select the database table that includes the
data you want to participate in the synchronization operations. You can click
Preview to preview the database table you have selected.
l Use an SQL query to specify data. Allows you to compose an SQL query that
provides a more flexible way for specifying data for synchronization. For example,
you can use this option to specify multiple database tables.
l Configure Settings. Click this button to specify settings for modifying data in the
connected system during synchronization operations. For example, you can specify
the database tables in which you want to insert, update, or delete data during
synchronization operations.

Advanced
Allows you to configure the execution timeout for all SQL queries you specified in the
connection settings (for example, those specified in the Specify How to Select and
Modify Data option). Use the SQL query execution timeout box to type the timeout
value you want to use.

Specify attributes to identify objects


This expandable item provides the following options that allow you to specify the attributes
with which you want to uniquely identify each object in the connected data system:

l Available attributes. Lists the attributes that are available in the external data
system. Use this list to select the attributes whose values you want to use to
generate a unique identifier for each object in the external data system. You can

filter attributes by typing in the text box at the top of this list. To select multiple
attributes, hold down CTRL and click to select attributes in the list.
l UniqueID attributes. Lists the attributes whose values are currently used to
generate a unique identifier for each object in the external data system.
l Add->. Moves the selected attributes from the Available attributes list to the
UniqueID attributes list.
l <-Remove. Moves the selected attributes from the UniqueID attributes list to the
Available attributes list.
l Constructed UniqueID. Displays a combination of the attributes whose values will
make up a unique identifier for each object in the external data system.

Working with IBM AS/400


This section describes how to create or modify a connection to IBM AS/400 Directory
so that Synchronization Service can work with data in that data system.
To create a connection to IBM AS/400 Directory, you need to use Synchronization Service
in conjunction with a special connector called IBM AS/400 Directory Connector. This
connector is included in the Synchronization Service package.
The IBM AS/400 Directory Connector supports the following features:

Table 65: Supported features

Feature                        Supported  Description
Bidirectional synchronization  Yes        Allows you to read and write data in the connected data system.
Delta processing mode          No         Allows you to process only the data that has changed in the connected data system since the last synchronization operation, thereby reducing the overall synchronization operation time.
Password synchronization       Yes        Allows you to synchronize user passwords from an Active Directory domain to the connected data system.

Prerequisites

l The IBM AS/400 server must have LDAP directory services installed and configured.
l An LDAP service account must be created on your IBM AS/400 server which has the
appropriate permissions to administer users and groups on this platform.

In this section:

l Creating an IBM AS/400 connection
l Modifying an existing IBM AS/400 connection
l Specify connection settings
l Additional considerations

Creating an IBM AS/400 connection


To create a new connection

1. In the Synchronization Service Administration Console, open the Connections tab.


2. Click Add connection, and then use the following options:
l Connection name. Type a descriptive name for the connection.
l Use the specified connector. Select IBM AS/400 Connector.
3. Click Next.
4. On the Specify connection settings page, use the following options:
l Server. Type or select the fully qualified DNS name of the IBM AS/400 server
running the LDAP service.
l Port. Type the IBM AS/400 LDAP communication port number in use by
the service.
l User name. Specify the fully distinguished name (DN) of the account under
which the application will access the IBM AS/400 LDAP directory service.
l Password. Specify the password of the user account under which the
application will access the IBM AS/400 LDAP directory service. We recommend
that you select the SSL check box if synchronizing sensitive data between
connectors.
l Test Connection. Click this button to verify the specified connection settings.
5. Click Next.
6. Click Finish to create a connection to the IBM AS/400 system.

Modifying an existing IBM AS/400 connection
To modify connection settings

1. In the Synchronization Service Administration Console, open the Connections tab.


2. Click Connection Settings below the existing IBM AS/400 connection you
want to modify.
3. On the Connection Settings tab, click the Specify connection settings item to
expand it and use the following options:
l Server. Type or select the fully qualified DNS name of the IBM AS/400 server
running the LDAP service.
l Port. Type the IBM AS/400 LDAP communication port number in use by
the service.
l User name. Specify the fully distinguished name (DN) of the account under
which the application will access the IBM AS/400 LDAP directory service.
l Password. Specify the password of the user account under which the
application will access the IBM AS/400 LDAP directory service. We recommend
that you select the SSL check box if synchronizing sensitive data between
connectors.
l Test Connection. Click this button to verify the specified connection settings.

4. Click Save.

Specify connection settings


This expandable item provides the following options that allow you to modify the
connection settings:

l Server. Type or select the fully qualified DNS name of the IBM AS/400 server
running the LDAP service. You can click Refresh to get a list of available servers.
l Port. Type the IBM AS/400 LDAP communication port number in use by the service.
l User name. Specify the fully distinguished name (DN) of the account under which
the application will access the IBM AS/400 LDAP directory service.
l Password. Specify the password of the user account under which the application will
access the IBM AS/400 LDAP directory service. We recommend that you select the
SSL check box if synchronizing sensitive data between connectors.
l Test Connection. Click this button to verify the specified connection settings.

Additional considerations
This topic describes additional points to consider when configuring the IBM
AS/400 connector.

Using groups with IBM AS/400
The IBM AS/400 operating system does not have any concept of groups as discrete entities.
Instead, an administrator creates a user profile which is used as a group profile. Other user
profiles are then linked to this using the GrpPrf or SupGrpPrf parameters of the ChgUsrPrf
command. The GrpPrf value maps to the os400-grpprf attribute in the IBM AS/400 schema,
while the SupGrpPrf value maps to the os400-supgrpprf attribute. The IBM AS/400 Quick
Connect mappings must be defined for users and groups to enable full user and group
synchronization.

Optional IBM AS/400 account unlock during password reset function


You can optionally unlock a user's IBM AS/400 account at the same time as performing a
password reset. This functionality is switched off by default and can be enabled by editing
the connector's configuration file as follows:
Edit the file:
<Program Files folder>\One Identity\Active Roles\8.0 LTS\SyncService\AS400Connector_ConnectorConfig.xml
and add the following lines just before the </ConnectorInfo> which appears on the last line
of the file:
<SelfConfig>
<EnableAccount>true</EnableAccount>
</SelfConfig>
Only the value true will enable the new functionality.
The LDAP password request sent to IBM AS/400 will then also include a request to modify
the account status (os400-status=*ENABLED).
The configuration file is read every time an LDAP connection is made to the IBM AS/400, so
the new value will be picked up for the next set of synchronizations.
NOTE: If you edited ConnectorConfig.xml to implement the optional unlock of a user's IBM
AS/400 account at the same time as performing a password reset in an earlier version of
the connector for IBM AS/400, then you will need to repeat that edit after installing a
later version.
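The edit above, as an added Python example that is not part of the product: the function inserts (or updates) the SelfConfig/EnableAccount element so that it sits as the last child of ConnectorInfo, and can be re-run after a connector upgrade without duplicating the element. The file path is the one named in the guide; the sample configuration, the placeholder child element and the .bak backup name are constructed for this illustration.

```python
"""Add (or update) the optional account-unlock setting in the IBM AS/400
connector configuration file.

Added example, not part of One Identity Synchronization Service. The file
path and the <SelfConfig>/<EnableAccount> element come from the guide; the
sample configuration and the backup file name are constructed here.
"""
import shutil
import xml.etree.ElementTree as ET
from typing import Union

# Path from the guide; replace the "Program Files" prefix with the actual folder.
CONFIG_PATH = (r"C:\Program Files\One Identity\Active Roles\8.0 LTS"
               r"\SyncService\AS400Connector_ConnectorConfig.xml")

# Constructed stand-in for the real file: only the root element name is taken
# from the guide, the child element is a placeholder.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<ConnectorInfo>
  <Placeholder>connector settings go here</Placeholder>
</ConnectorInfo>"""


def set_account_unlock(xml_text: Union[str, bytes], enable: bool = True) -> str:
    """Return the configuration with <SelfConfig><EnableAccount> set.

    Idempotent: an existing SelfConfig/EnableAccount element is updated rather
    than duplicated, so the function can be re-run after a connector upgrade
    restores the shipped file (the guide notes the edit must then be repeated).
    """
    root = ET.fromstring(xml_text)
    if root.tag != "ConnectorInfo":
        raise ValueError(f"unexpected root element <{root.tag}>, expected <ConnectorInfo>")
    self_config = root.find("SelfConfig")
    if self_config is None:
        # SubElement appends as the last child, i.e. just before </ConnectorInfo>.
        self_config = ET.SubElement(root, "SelfConfig")
    node = self_config.find("EnableAccount")
    if node is None:
        node = ET.SubElement(self_config, "EnableAccount")
    node.text = "true" if enable else "false"  # only the value true enables the feature
    return ET.tostring(root, encoding="unicode")


def account_unlock_enabled(xml_text: Union[str, bytes]) -> bool:
    """True only when EnableAccount holds exactly 'true', as the guide requires."""
    node = ET.fromstring(xml_text).find("SelfConfig/EnableAccount")
    return node is not None and (node.text or "").strip() == "true"


def apply_to_file(path: str = CONFIG_PATH, enable: bool = True) -> bool:
    """Rewrite the file in place, keeping a .bak copy; returns the new state."""
    with open(path, "rb") as fh:
        original = fh.read()
    updated = set_account_unlock(original, enable)
    shutil.copyfile(path, path + ".bak")
    with open(path, "w", encoding="utf-8") as fh:
        # ET.tostring drops the XML declaration, so it is written back here.
        fh.write('<?xml version="1.0" encoding="utf-8"?>\n' + updated + "\n")
    return account_unlock_enabled(updated)


if __name__ == "__main__":
    print("account unlock enabled:", apply_to_file())
```

The new value takes effect on the next LDAP connection to the IBM AS/400, as the guide states, so no service restart is needed.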

Working with an OpenLDAP directory service
This section describes how to create or modify a connection to an OpenLDAP directory
service so that Synchronization Service can work with data in that data system.
To create a connection to an OpenLDAP directory service, you need to use Synchronization
Service in conjunction with a special connector called OpenLDAP Connector. This connector
is included in the Synchronization Service package.
The OpenLDAP Connector supports the following features:

Table 66: Supported features

Feature                        Supported  Description
Bidirectional synchronization  Yes        Allows you to read and write data in the connected data system.
Delta processing mode          No         Allows you to process only the data that has changed in the connected data system since the last synchronization operation, thereby reducing the overall synchronization operation time.
Password synchronization       Yes        Allows you to synchronize user passwords from an Active Directory domain to the connected data system.

In this section:

l Creating an OpenLDAP directory service connection
l Modifying an existing OpenLDAP directory service connection

For instructions on how to rename a connection, delete a connection, modify
synchronization scope for a connection, or specify password synchronization settings for a
connection, see Synchronization Service Administration Guide.

Creating an OpenLDAP directory service connection
To create a new connection

1. In the Synchronization Service Administration Console, open the Connections tab.


2. Click Add connection, and then use the following options:
l Connection name. Type a descriptive name for the connection.
l Use the specified connector. Select OpenLDAP Connector.
3. Click Next.
4. On the Specify connection settings page, use the following options:
l Server. Type the fully qualified domain name of the computer running an
OpenLDAP directory service to which you want to connect.

l Port. Type the number of the communication port used by the OpenLDAP
server to which you want to connect.
l Access LDAP directory service using. Type the user name and password
of the account with which you want to access the OpenLDAP directory service.
Ensure the account has sufficient permissions to perform the operations you
want (Read, Write) on objects in the OpenLDAP directory service.
l Advanced. Click this button to specify a number of advanced options to access
the OpenLDAP directory service. For example, you can select an authentication
method to access the directory service, configure TLS/SSL usage for the
connection, and select whether or not you want to use paged search.
l From the Authentication method list, select one of the following methods:
l Anonymous. Allows you to establish the connection without passing
credentials.
l Basic. Specifies to use basic authentication.
l Microsoft Negotiate. Specifies to use Microsoft Negotiate
authentication.
l NTLM. Specifies to use Windows NT Challenge/Response authentication.
l Digest. Specifies to use Digest Access authentication.
l Sicily. Employs a negotiation mechanism (Sicily) to choose the Microsoft
Network Authentication Service, Distributed Password Authentication, or
NTLM method.
l Distributed Password Authentication. Specifies to use DPA
authentication.
l Microsoft Network Authentication Service. Specifies to
authenticate with Microsoft Network Authentication Service.
l External. Specifies to use an external authentication method for the
connection.
l Kerberos. Specifies to use Kerberos authentication.
You can also use the following check boxes:
l Use TLS/SSL. Allows you to use the TLS (SSL) encryption to establish
and maintain the connection.
l Switch to TLS/SSL after establishing connection. Establishes the
connection without using the TLS (SSL) encryption. Then, after the
connection has been established, enables the TLS (SSL) encryption.
l Verify TLS/SSL certificate. Specifies whether or not to check the TLS
(SSL) certificate on the server.
l Use paged search. Specifies whether or not to use paged search for
the connection. When selecting this check box, you can set a page size
limit in the text box below.

l Test Connection. Click this button to verify the specified
connection settings.

5. Click Finish to create a connection to the OpenLDAP directory service.

After establishing a connection, you can define attributes to name objects in the data
system. For more information, see Modifying an existing OpenLDAP directory
service connection.

Modifying an existing OpenLDAP directory service connection
You can modify the various settings for an existing OpenLDAP directory service connection,
such as directory service server, communication port, access credentials, and the
attributes used for naming objects in the OpenLDAP directory service.
Every object in an OpenLDAP directory service has a naming attribute from which the
object name is formed. When you create a connection to an OpenLDAP directory service, a
default naming attribute is selected for each object type in the data system. You can view
the default naming attribute currently selected for each object type in the data system and
optionally specify a different naming attribute.

To modify connection settings

1. In the Synchronization Service Administration Console, open the Connections tab.


2. Click Connection settings below the existing OpenLDAP connection you want
to modify.
3. On the Connection Settings tab, click an appropriate item to expand it and use the
options it provides.
You can expand the following items:
l Specify connection settings
l Specify naming attributes
See the next subsections for the descriptions of these items.
4. Click Save.

Specify connection settings


This expandable item provides the following options that allow you to modify the
connection settings:

l Server. Type the fully qualified domain name of the computer running an OpenLDAP
directory service to which you want to connect.
l Port. Type the number of the communication port used by the OpenLDAP server to
which you want to connect.

l Access LDAP directory service using. Type the user name and password of the
account with which you want to access the OpenLDAP directory service. Ensure the
account has sufficient permissions to perform the operations you want (Read, Write)
on objects in the OpenLDAP directory service.
l Advanced. Click this button to specify a number of advanced options to access the
OpenLDAP directory service. For example, you can select an authentication method
to access the directory service, configure TLS/SSL usage for the connection, and
select whether or not you want to use paged search.
l From the Authentication method list, select one of the following methods:
l Anonymous. Allows you to establish the connection without passing
credentials.
l Basic. Specifies to use basic authentication.
l Microsoft Negotiate. Specifies to use Microsoft Negotiate authentication.
l NTLM. Specifies to use Windows NT Challenge/Response authentication.
l Digest. Specifies to use Digest Access authentication.
l Sicily. Employs a negotiation mechanism (Sicily) to choose the Microsoft
Network Authentication Service, Distributed Password Authentication, or
NTLM method.
l Distributed Password Authentication. Specifies to use DPA authentication.
l Microsoft Network Authentication Service. Specifies to authenticate with
Microsoft Network Authentication Service.
l External. Specifies to use an external authentication method for the
connection.
l Kerberos. Specifies to use Kerberos authentication.
You can also use the following check boxes:
l Use TLS/SSL. Allows you to use the TLS (SSL) encryption to establish and
maintain the connection.
l Switch to TLS/SSL after establishing connection. Establishes the
connection without using the TLS (SSL) encryption. Then, after the connection
has been established, enables the TLS (SSL) encryption.
l Verify TLS/SSL certificate. Specifies whether or not to check the TLS (SSL)
certificate on the server.
l Use paged search. Specifies whether or not to use paged search for the
connection. When selecting this check box, you can set a page size limit in the
text box below.
l Test Connection. Click this button to verify the specified connection settings.

Specify naming attributes


Allows you to specify a naming attribute for each object type in the connected data system.
This expandable item provides the following options:

l Default naming attribute. Displays the default naming attribute set for the
currently selected object type.
l Add. Adds a new naming attribute for the selected object type.
l Edit. Allows you to edit the name of the naming attribute currently specified for the
selected object type.
l Remove. Removes the currently selected entry from the list.

Working with IBM RACF connector


To create a connection to IBM RACF, you need to use Synchronization Service in
conjunction with a special connector called IBM RACF Connector. This connector is included
in the Synchronization Service package.

Table 67: Supported features

Feature                        Supported  Description
Bidirectional synchronization  Yes        Allows you to read and write data in the connected data system.
Delta processing mode          No         Allows you to process only the data that has changed in the connected data system since the last synchronization operation, thereby reducing the overall synchronization operation time.
Password synchronization       Yes        Allows you to synchronize user passwords from an Active Directory domain to the connected data system.

Prerequisites

l The IBM mainframe must have LDAP directory services installed and configured.
l The IBM RACF connector can be installed on Microsoft Windows Server 2008 or later.

NOTE: There is an 8 character limit for user and group names on IBM RACF. The
character limit is also applicable to the passwords on IBM RACF.

Creating an IBM RACF connection
To create a new connection

1. In the Synchronization Service Administration Console, open the Connections tab.


2. Click Add connection, and then use the following options:
l Connection name. Type a descriptive name for the connection.
l Use the specified connector. Select IBM RACF Connector.
3. Click Next.
4. On the Specify connection settings page, use the following options:
l Server. Type the fully qualified DNS name of the IBM RACF server running the
LDAP service.
l Port. Type the number of the LDAP communication port in use by the service on
the IBM RACF server.
l User name. Specify the fully distinguished name (DN) of the account that the
application will use to access the IBM RACF LDAP directory service.
l Password. Specify the password of the user account that the application will
use to access the IBM RACF LDAP directory service.
l Test Connection. Click this button to verify the specified connection settings.
5. Click Next.
6. Click Finish to create a connection to IBM RACF.

Modifying an IBM RACF connection

To modify connection settings

1. In the Synchronization Service Administration Console, open the Connections tab.


2. Click Connection Settings below the existing IBM RACF connection you want
to modify.
3. On the Connection Settings tab, click the Specify connection settings item to
expand it and use the following options and use the options they provide:
l Server. Type the fully qualified DNS name of the IBM RACF server running the
LDAP service.type the fully qualified DNS name of the IBM RACF server running
the LDAP service.
l Port. Type the fully qualified DNS name of the IBM RACF server running the
LDAP service.

Active Roles 8.0 LTS Synchronization Service Administration Guide


159
Connections to external data systems
l User name. Specify the fully distinguished name (DN) of the account that the
application will use to access the IBM RACF LDAP directory service
l Password. specify the password of the user account that the application will
use to access the IBM RACF LDAP directory service.
l Test Connection. Click this button to verify the specified connection settings.
4. Click Save.

Example of Mapping for Dataset Information

The IBM RACF connector can be used to synchronize IBM RACF dataset information. The
LDAPX exit must be installed and configured for this functionality to be supported.
The examples in this topic show how IBM RACF dataset information can be synchronized.
IBM RACF dataset names contain asterisk characters and as such cannot be synchronized
to AD, which does not allow asterisk characters in names. The example therefore shows a
synchronization to a Microsoft SQL database. It is assumed that Microsoft SQL Server and
Microsoft SQL Server Manager have been installed and configured.

Create SQL Database and Table

Using Microsoft SQL Server Manager, create a database called IBM RACF_Datasets.
Within that database, create a table called Datasets with the following columns:

Column Name           Data Type
Audit                 nchar(100)
Create_Group          nchar(10)
Owner                 nchar(10)
UACC                  nchar(10)
UID (database key)    nchar(100)

Create a connection to this database and table with the ARSS Microsoft SQL Server
Connector.

Provisioning Datasets
To synchronize the SQL table to IBM RACF, follow the steps provided here.

To synchronize the SQL table to IBM RACF

1. Navigate to the Workflow tab.
2. Click Add sync workflow.
3. Enter IBM RACF Datasets and click OK.
4. Click the IBM RACF Datasets workflow.
5. Click Add synchronization.
6. Click Creation and then Next.
7. In the Source connected system section, click Specify.
8. Select your Microsoft SQL Server Connector and click Finish.
The SQL source object type is currently set to sql-Object. Do not change this value.
9. Click Next.
10. In the Target connected system field, click Specify, locate your IBM RACF
connector, and click Finish.
11. The object type in the Target object system field is populated automatically by
Synchronization Service as racfUser. Change this to racfDataset.
12. Click Next.
13. In the Specify provisioning rules section, click Forward Sync Rule.
14. In the Source attribute field, click Attribute, locate UID, and click OK.
15. In the Target attribute field, click Attribute, locate racfDataset, and click OK.
16. Repeat these steps so that the following five items are mapped:

SQL Attribute     IBM RACF Attribute
Owner             racfOwner
UACC              racfUacc
Create_Group      racfCreateGroup
Audit             racfAudit
UID               racfDataset

17. Click OK.
18. Click Finish to complete the synchronization.
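The following Python script is an added example, not code from this guide or from One Identity: it reproduces the column-to-attribute mapping of the provisioning step above and checks each row against the 8-character limit for user and group names on IBM RACF before the row would reach the connector. SQLite stands in for the Microsoft SQL Server database (an assumption), and the sample rows are constructed.

```python
# Added example (not code from the Active Roles guide or One Identity): a pre-sync
# check for the SQL -> IBM RACF dataset mapping. SQLite stands in for SQL Server
# (assumption) and the sample rows are constructed.
import sqlite3

# Column-to-attribute mapping exactly as listed in the provisioning step.
SQL_TO_RACF = {
    "Owner": "racfOwner",
    "UACC": "racfUacc",
    "Create_Group": "racfCreateGroup",
    "Audit": "racfAudit",
    "UID": "racfDataset",
}

# The guide notes an 8-character limit for user and group names on IBM RACF;
# Owner and Create_Group map to such names.
RACF_NAME_LIMIT = 8
RACF_NAME_ATTRS = ("racfOwner", "racfCreateGroup")

# Same columns and types as the guide's Datasets table; UID is the database key,
# so a duplicate dataset name is rejected at insert time.
DATASETS_DDL = """
CREATE TABLE Datasets (
    Audit        NCHAR(100),
    Create_Group NCHAR(10),
    Owner        NCHAR(10),
    UACC         NCHAR(10),
    UID          NCHAR(100) PRIMARY KEY
)
"""

# Constructed rows: (Audit, Create_Group, Owner, UACC, UID). Dataset names keep
# the asterisks that rule out Active Directory as a target.
SAMPLE_ROWS = [
    ("NONE", "SYS1", "SYSADM", "NONE", "SYS1.PROD.*"),
    ("ALL", "APPGRP", "APPOWNER1", "READ", "APP.DATA.**"),  # owner is 9 chars
    ("NONE", "SYS1", "SYSADM", "NONE", "SYS1.PROD.*"),  # duplicate key
]

def open_datasets_db():
    """Create the Datasets table in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute(DATASETS_DDL)
    return conn

def load_rows(conn, rows):
    """Insert rows one at a time; return the UIDs rejected by the primary key."""
    rejected = []
    for row in rows:
        try:
            with conn:
                conn.execute(
                    "INSERT INTO Datasets (Audit, Create_Group, Owner, UACC, UID)"
                    " VALUES (?, ?, ?, ?, ?)",
                    row,
                )
        except sqlite3.IntegrityError:
            rejected.append(row[4])
    return rejected

def map_row(row):
    """Apply the forward sync rules (SQL column -> RACF attribute). NCHAR values
    are blank-padded on SQL Server, so trailing spaces are stripped first."""
    return {racf: (row[col] or "").rstrip() for col, racf in SQL_TO_RACF.items()}

def validate_racf_dataset(obj):
    """Return the problems that would make the create operation fail on RACF."""
    issues = []
    for attr in RACF_NAME_ATTRS:
        if len(obj[attr]) > RACF_NAME_LIMIT:
            issues.append(f"{attr}={obj[attr]!r} exceeds {RACF_NAME_LIMIT} characters")
    if not obj["racfDataset"]:
        issues.append("racfDataset is empty")
    return issues

def can_target_active_directory(dataset_name):
    """AD does not allow asterisks in names, which is why the guide targets SQL."""
    return "*" not in dataset_name

def build_sync_batch(conn):
    """Map every stored row and split it into RACF-ready objects and rejects."""
    ready, rejected = [], {}
    for row in conn.execute("SELECT * FROM Datasets ORDER BY UID"):
        obj = map_row(dict(row))
        problems = validate_racf_dataset(obj)
        if problems:
            rejected[obj["racfDataset"]] = problems
        else:
            ready.append(obj)
    return ready, rejected

if __name__ == "__main__":
    db = open_datasets_db()
    print("duplicate keys:", load_rows(db, SAMPLE_ROWS))
    ok, bad = build_sync_batch(db)
    print("ready for RACF:", [o["racfDataset"] for o in ok])
    print("rejected:", bad)
```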

Updating datasets
To synchronize Microsoft SQL attributes to IBM RACF, follow the steps provided here.

To synchronize SQL attributes to IBM RACF

1. Navigate to the Sync Workflows tab, select IBM RACF Datasets, and click OK.
2. Click Add synchronization step.
3. Click Update and then click Next.
4. In the Source connected system section, click Specify.
5. Select your Microsoft SQL Server Connector and click Finish.
The SQL source object type is currently set to sql-Object. Do not change this value.
6. Click Next.
7. In the Target connected system field, click Specify, locate your IBM RACF
connector, and click Finish.
8. The object type in the Target object system field is populated automatically by
Synchronization Service as racfUser. Change this to racfDataset.
9. Click Next.
10. In the Specify provisioning rules section, click Forward Sync Rule.
11. In the Source attribute field, click Attribute, locate UID, and click OK.
12. In the Target attribute field, click Attribute, locate racfDataset, and click OK.
13. Repeat these steps so that the following five items are mapped:

SQL Attribute     IBM RACF Attribute
Owner             racfOwner
UACC              racfUacc
Create_Group      racfCreateGroup
Audit             racfAudit
UID               racfDataset

14. Click OK.
15. Click Finish to complete the synchronization.

Deprovisioning datasets
To deprovision datasets, follow the steps provided here.

To deprovision datasets

1. Navigate to the Workflows tab and select IBM RACF Datasets.
2. Click Add synchronization step.
3. Click Deprovision and then click Next.
4. In the Source connected system section, click Specify.
5. Select your SQL Server Connector and click Finish.
6. Select the Source object is deleted or is out of synchronization scope option in
the Deprovision target objects if section.
7. Optionally, configure the Source object meets the following criteria option.
8. Click Next.
9. In the Target connected system field, click Specify, locate your IBM RACF
connector, and click Finish.
10. The object type in the Target object system field is populated automatically by
Synchronization Service as racfDataset.
11. Click Next.
12. Select Delete target object.
13. Click Finish to complete the synchronization.

Running TSO command


The IBM RACF connector can be used to run any command in the Time Sharing Option
(TSO) environment on the target IBM mainframe. The LDAPX exit must be installed and
configured for this functionality to be supported.

Working with TSO command


The TSO command is run using an ARSS synchronization step to create an object of type
ldapxtsocmd on the target IBM RACF system and supplying the name of the TSO command
or script to be run in the attribute racfprogrammername. When the step is run, the IBM RACF
connector intercepts the create command and instead sends an LDAP search command with
the required parameters via the LDAP protocol.
The LDAPX exit intercepts this request, extracts the TSO command information and runs
the command. The LDAP response is constructed, containing the results obtained from
running the command. The IBM RACF connector receives this LDAP response, extracts the
results and saves them in a text file that can be examined later.
No object is created during the synchronization step so it can be run indefinitely, each time
executing the TSO command stored in the racfprogrammername attribute from the same or
any other synchronization step.
The following example shows a method of issuing a TSO command using synchronization
from Active Directory (AD).

1. Using Active Directory Users and Computers, create a container in AD that can
be filtered on by the ARSS. For example, create an organizational unit container
called TSO Commands.
2. Create a dummy computer object within this container with name TSOCMD and
description field set to the string STATUS. The TSO command STATUS will return
the current system status.
3. Create a workflow called Run TSO Command.
4. Within this workflow, create a synchronization step item as follows:
a. Synchronization step type: Create
b. Source object: Active Directory, specified container as created above, name
starts with TSOCMD.
c. Target connector: IBM RACF
d. Object type: ldapxtsocmd
e. Mapping: from AD Description attribute to IBM RACF racfprogrammername attribute
5. Save the step.
6. Run the synchronization step. There should be one item to be created with the
following properties:
objecttype: ldapxtsocmd
racfprogrammername: STATUS
7. Perform the synchronization step.
8. The LDAP command will be sent and interpreted by the LDAPX exit to run the
TSO command.
9. Once complete, the synchronization step will show as being successful.
10. The output from running the command can be found in the following text file:
<ARSS installation folder>\SyncService\TSOCommandOutput\YYMMDD.txt, where YYMMDD
represents the date when the command was run.
11. The text file will contain the output returned from IBM RACF having run the
STATUS command.
12. Multiple commands run on the same day will have their output appended to the same
daily text file.

Working with MySQL database

This section describes how to create or modify a connection to a MySQL database so that
Synchronization Service can work with data in that data system.
To create a connection to a MySQL database, you need to use Synchronization Service in
conjunction with a special connector called MySQL Connector. This connector is included in
the Synchronization Service package.
The MySQL Connector supports the following features:

Table 68: Supported features

Bidirectional synchronization: Yes
    Allows you to read and write data in the connected data system.

Delta processing mode: No
    Allows you to process only the data that has changed in the connected data system
    since the last synchronization operation, thereby reducing the overall
    synchronization operation time.

Password synchronization: Yes
    Allows you to synchronize user passwords from an Active Directory domain to the
    connected data system.

In this section:

l Creating a MySQL database connection
l Modifying an existing MySQL database connection

For instructions on how to rename a connection, delete a connection, modify
synchronization scope for a connection, or specify password synchronization settings for a
connection, see Synchronization Service Administration Guide.

Creating a MySQL database connection


To create a new connection

1. Make sure that on the system where Synchronization Service is installed, you install
Connector/Net, an ADO.NET driver for MySQL.
For supported versions of Connector/Net, see the System Requirements section in
the latest version of the Active Roles Release Notes.
2. In the Synchronization Service Administration Console, open the Connections tab.
3. Click Add connection, and then use the following options:
l Connection name. Type a descriptive name for the connection.
l Use the specified connector. Select MySQL Connector.
4. Click Next.
5. On the Specify connection settings page, use the following options:

l MySQL server. Type the fully qualified domain name of the MySQL server
that hosts the MySQL database that you want to participate in data
synchronization operations.
l Access MySQL server using. Type the user name and password of the
account with which you want to access MySQL server. Ensure the account has
sufficient permissions to perform operations (Read, Write) on objects in the
database to which you want to connect.
l Connect to database. Type the name of the database to which you want to
connect on the MySQL server.
l Advanced. Click this button to specify additional parameters you want to add
to the connection string that will be used to access the MySQL server. In the
dialog box that opens, click the Add Parameter button to specify the name and
value of the parameter you want to add to the connection string.
l Test Connection. Click this button to verify the specified connection settings.
6. Click Next.
7. On the Specify how to select and modify data page, use the following options:
l Use data from this table. Allows you to select the database table that
includes the data you want to participate in the synchronization operations. You
can click Preview to preview the database table you have selected.
l Use an SQL query to specify data. Allows you to compose an SQL query
that provides a more flexible way for specifying data that will participate in the
synchronization operations. For example, you can use this option to specify
multiple database tables. Select this option, and then click the Configure
Query button to type your SQL query.
l Configure Settings. Click this button to configure settings for modifying data
in the connected system during synchronization operations. For example, you
can specify the database tables in which you want to insert, update, or delete
data during synchronization operations.
8. Click Next.
9. On the Specify attributes to identify objects page, use the following options:
l Available attributes. Lists the attributes that are available in the external
data system. Use this list to select the attributes whose values you want to use
to generate a unique identifier for each object in the external data system. You
can filter attributes by typing in the text box at the top of this list. To select
multiple attributes, hold down CTRL and click to select attributes in the list.
l UniqueID attributes. Lists the attributes whose values are currently used to
generate a unique identifier for each object in the external data system.
l Add->. Moves the selected attributes from the Available attributes list to the
UniqueID attributes list.
l <-Remove. Moves the selected attributes from the UniqueID attributes list to
the Available attributes list.

l Constructed UniqueID. Displays a combination of the attributes whose
values will make up a unique identifier for each object in the external
data system.
10. Click Finish to create a connection to MySQL database.

Modifying an existing MySQL database connection


To modify connection settings

1. In the Synchronization Service Administration Console, open the Connections tab.


2. Click Connection settings below the existing MySQL connection you want to
modify.
3. On the Connection Settings tab, click an appropriate item to expand it and use the
options it provides.
You can expand the following items:
l Specify connection settings
l Specify how to select and modify data
l Advanced
l Specify attributes to identify objects
See the next subsections for the descriptions of these items.
4. Click Save.

Specify connection settings


This expandable item provides the following options that allow you to modify the
connection settings:

l MySQL server. Type the fully qualified domain name of the MySQL server that hosts
the MySQL database that you want to participate in data synchronization operations.
l Access MySQL server using. Type the user name and password of the account
with which you want to access MySQL server. Ensure the account has sufficient
permissions to perform operations (Read, Write) on objects in the database to which
you want to connect.
l Connect to database. Type the name of the database to which you want to connect
on the MySQL server.
l Advanced. Click this button to specify additional parameters you want to add to the
connection string that will be used to access the MySQL server. In the dialog box that
opens, click the Add Parameter button to specify the name and value of the
parameter you want to add to the connection string.
l Test Connection. Click this button to verify the specified connection settings.

Specify how to select and modify data
This expandable item provides the following options that allow you to specify the data you
want to participate in the synchronization:

l Use data from this table. Allows you to select the database table that includes the
data you want to participate in the synchronization operations. You can click
Preview to preview the database table you have selected.
l Use an SQL query to specify data. Allows you to compose an SQL query that
provides a more flexible way for specifying data for synchronization. For example,
you can use this option to specify multiple database tables.
l Configure Settings. Click this button to specify settings for modifying data in the
connected system during synchronization operations. For example, you can specify
the database tables in which you want to insert, update, or delete data during
synchronization operations.

Advanced
Allows you to configure the execution timeout for all SQL queries you specified in the
connection settings (for example, those specified in the Specify How to Select and
Modify Data option). Use the SQL query execution timeout box to type the timeout value
you want to use.

Specify attributes to identify objects


This expandable item provides the following options that allow you to specify the attributes
with which you want to uniquely identify each object in the connected data system:

l Available attributes. Lists the attributes that are available in the external data
system. Use this list to select the attributes whose values you want to use to
generate a unique identifier for each object in the external data system. You can
filter attributes by typing in the text box at the top of this list. To select multiple
attributes, hold down CTRL and click to select attributes in the list.
l UniqueID attributes. Lists the attributes whose values are currently used to
generate a unique identifier for each object in the external data system.
l Add->. Moves the selected attributes from the Available attributes list to the
UniqueID attributes list.
l <-Remove. Moves the selected attributes from the UniqueID attributes list to the
Available attributes list.
l Constructed UniqueID. Displays a combination of the attributes whose values will
make up a unique identifier for each object in the external data system.

Working with an OLE DB-compliant
relational database
This section describes how to create or modify a connection to an OLE DB-compliant
relational database so that Synchronization Service can work with data in that database.
To create a connection to an OLE DB-compliant relational database, you need to use
Synchronization Service in conjunction with a special connector called OLE DB Connector.
This connector is included in the Synchronization Service package.
The OLE DB Connector supports the following features:

Table 69: Supported features

Bidirectional synchronization: No
    Allows you to read and write data in the connected data system. By using this
    connector, you can only read data in the connected data system.

Delta processing mode: No
    Allows you to process only the data that has changed in the connected data system
    since the last synchronization operation, thereby reducing the overall
    synchronization operation time.

Password synchronization: No
    Allows you to synchronize user passwords from an Active Directory domain to the
    connected data system.

In this section:

l Creating an OLE DB-compliant relational database connection
l Modifying an existing OLE DB-compliant data source connection

Creating an OLE DB-compliant relational database connection

To create a new connection

1. In the Synchronization Service Administration Console, open the Connections tab.
2. Click Add connection, and then use the following options:
l Connection name. Type a descriptive name for the connection.
l Use the specified connector. Select OLE DB Connector.
3. Click Next.
4. Use the Connection string text box to type the connection parameters to access the OLE
DB-compliant relational database. Alternatively, you can click the Configure button to
specify the connection parameters by using a dialog box provided by Windows.
5. Click Next.
6. On the Specify how to select data page, use the following options:
l Use data from this table. Allows you to select a database table that includes the data
you want to participate in the synchronization operations. You can click Preview to
preview the database table you have selected.
l Use an SQL query to specify data. Allows you to compose an SQL query that provides a
more flexible way for specifying data for synchronization. For example, you can use this
option to specify multiple database tables.
7. Click Next.
8. On the Specify attributes to identify objects page, use the following options:
l Available attributes. Lists the attributes that are available in the external data system.
Use this list to select the attributes whose values you want to use to generate a unique
identifier for each object in the external data system. You can filter attributes by typing in
the text box at the top of this list. To select multiple attributes, hold down CTRL and click to
select attributes in the list.
l UniqueID attributes. Lists the attributes whose values are currently used to generate a
unique identifier for each object in the external data system.
l Add->. Moves the selected attributes from the Available attributes list to the UniqueID
attributes list.
l <-Remove. Moves the selected attributes from the UniqueID attributes list to the
Available attributes list.
l Constructed UniqueID. Displays a combination of the attributes whose values will make
up a unique identifier for each object in the external data system.
9. Click Finish to create a connection to the OLE DB-compliant relational database.

Modifying an existing OLE DB-compliant data source connection

To modify connection settings

1. In the Synchronization Service Administration Console, open the Connections tab.
2. Click Connection settings below the existing OLE DB-compliant relational database
connection you want to modify.
3. On the Connection Settings tab, click an appropriate item to expand it and use the
options it provides.
You can expand the following items:
l Specify connection settings
l Specify how to select data
l Advanced
l Specify attributes to identify objects
See the next subsections for the descriptions of these items.
4. When you are finished, click Save.

Specify connection settings


Use the Connection string text box to type the connection parameters to access the OLE
DB-compliant relational database. Alternatively, you can click the Configure button to
specify the connection parameters by using a dialog box provided by Windows.

Specify how to select data

This expandable item provides the following options that allow you to specify the data you
want to participate in the synchronization:

l Use data from this table. Allows you to select a database table that includes the data
you want to participate in the synchronization operations. You can click Preview to
preview the database table you have selected.
l Use an SQL query to specify data. Allows you to compose an SQL query that provides a
more flexible way for specifying data for synchronization. For example, you can use this
option to specify multiple database tables.

Advanced
Allows you to configure the execution timeout for all SQL queries you specified in the
connection settings (for example, those specified in the Specify how to select data
item). Use the SQL query execution timeout box to type the timeout value you want
to use.

Specify attributes to identify objects


This expandable item provides the following options that allow you to specify the attributes
with which you want to uniquely identify each object in the connected data system:

l Available attributes. Lists the attributes that are available in the external data
system. Use this list to select the attributes whose values you want to use to
generate a unique identifier for each object in the external data system. You can
filter attributes by typing in the text box at the top of this list. To select multiple
attributes, hold down CTRL and click to select attributes in the list.

l UniqueID attributes. Lists the attributes whose values are currently used to
generate a unique identifier for each object in the external data system.
l Add->. Moves the selected attributes from the Available attributes list to the
UniqueID attributes list.
l <-Remove. Moves the selected attributes from the UniqueID attributes list to the
Available attributes list.
l Constructed UniqueID. Displays a combination of the attributes whose values will
make up a unique identifier for each object in the external data system.

Working with SharePoint


This section describes how to create or modify a connection to Microsoft SharePoint so that
Synchronization Service can work with data in that data system.
To create a connection to SharePoint, you need to use Synchronization Service in
conjunction with a connector called SharePoint Connector. You must install this connector
on the SharePoint server you want to work with. The SharePoint connector is included in
the Synchronization Service package.
The SharePoint Connector supports the following features:

Table 70: Supported features

Bidirectional synchronization: Yes
    Allows you to read and write data in the connected data system.

Delta processing mode: No
    Allows you to process only the data that has changed in the connected data system
    since the last synchronization operation, thereby reducing the overall
    synchronization operation time.

Password synchronization: No
    Allows you to synchronize user passwords from an Active Directory domain to the
    connected data system.

In this section:

l Creating a SharePoint connection
l SharePoint data supported out of the box
l Considerations for creating objects in SharePoint

Creating a SharePoint connection


To create a new connection

1. Ensure that you have installed the SharePoint Connector on the SharePoint server
you want to work with.
2. In the Synchronization Service Administration Console, open the Connections tab.
3. Click Add connection, and then use the following options:
l Connection name. Type a descriptive name for the connection.
l Use the specified connector. Select SharePoint Connector.
4. Click Next.
5. On the Specify connection settings page, click the Test Connection button to
ensure that the connector can access SharePoint.
6. If the test succeeds, click Finish to create a connection.

SharePoint data supported out of the box


The next table lists the objects supported by the SharePoint Connector out of the box and
the operations you can perform on these objects by using the connector.
For each of the supported SharePoint object types Synchronization Service provides special
attributes that allow you to read or write data in SharePoint. You can access and use these
attributes from the Synchronization Service Administration Console (for example, when
selecting the source and target attributes you want to participate in the synchronization
operation).

Table 71: Supported objects and operations

Object            Read  Create  Delete  Update
AlternateURL      Yes   No      No      No
    Allows you to read data related to an incoming URL and the zone with which it is
    associated.
ClaimProvider     Yes   No      No      No
    Allows you to read data related to a claim provider.
Farm              Yes   No      No      No
    Allows you to work with a SharePoint farm.
Group             Yes   Yes     Yes     Yes
    Allows you to work with a group on a SharePoint Web site.
Language          Yes   No      No      No
    Allows you to work with a language used in SharePoint.
Policy            Yes   Yes     Yes     Yes
    Allows you to work with a policy assigned to a user or group.
PolicyRole        Yes   Yes     Yes     Yes
    Allows you to work with the rights possessed by a policy role.
Prefix            Yes   No      No      No
    Allows you to work with a relative URL that determines segments of the URL under
    which sites may be created.
RoleAssignment    Yes   Yes     Yes     Yes
    Allows you to work with role assignments for a user or group.
RoleDefinition    Yes   Yes     Yes     Yes
    Allows you to work with a role definition, including name, description,
    management properties, and a set of rights.
Site              Yes   Yes     Yes     Yes
    Allows you to work with site collections in an IIS Web application.
User              Yes   Yes     Yes     Yes
    Allows you to work with a user in SharePoint.
Web               Yes   Yes     Yes     Yes
    Allows you to work with a SharePoint Web site.
WebApplication    Yes   No      No      Yes
    Allows you to work with an Internet Information Services (IIS) load-balanced Web
    application installed on a server farm.
WebTemplate       Yes   No      No      No
    Allows you to work with a site definition configuration or a Web template used to
    create SharePoint sites.

The next sections describe the attributes provided by Synchronization Service and explain
what data you can read or write in SharePoint by using a particular attribute.
In the next sections:

l AlternateURL object attributes
l ClaimProvider object attributes
l Farm object attributes
l Group object attributes
l Language object attributes
l Policy object attributes
l PolicyRole object attributes
l Prefix object attributes
l RoleAssignment object attributes
l RoleDefinition object attributes
l Site object attributes
l User object attributes
l Web object attributes
l WebApplication object attributes
l WebTemplate object attributes

AlternateURL object attributes

Table 72: AlternateURL object attributes

Attribute (Type): Supported operations
    Description

Id (Single-valued, string): Read
    Gets the object’s ID.
IncomingUrl (Single-valued, string): Read
    Gets the incoming URL that is associated with the zone from which the request
    originated.
Parent (Single-valued, string, reference to a WebApplication object): Read
    Gets the object’s parent.
Uri (Single-valued, string): Read
    Gets the incoming URL associated with the zone from which the request originated,
    in the form of a URI.
UrlZone (Single-valued, string): Read
    Gets the zone that is associated with the alternate request URL.

ClaimProvider object attributes

Table 73: ClaimProvider object attributes

Attribute (Type): Supported operations
    Description

AssemblyName (Single-valued, string): Read
    Gets the name of the assembly that implements the claims provider.
Description (Single-valued, string): Read
    Gets the description of the claims provider.
DisplayName (Single-valued, string): Read
    Gets or sets the display name used in Microsoft 365 for the object.
Id (Single-valued, string): Read
    Gets the object’s ID.
IsEnabled (Single-valued, Boolean): Read
    Gets whether the claims provider is enabled.
IsUsedByDefault (Single-valued, Boolean): Read
    Gets whether the claims provider applies by default to all Web applications and
    zones.
IsValid (Single-valued, Boolean): Read
    Gets whether the claims provider is valid.
IsVisible (Single-valued, Boolean): Read
    Gets whether the claims provider is visible.
Parent (Single-valued, string, reference to a Farm object): Read
    Gets the object’s parent.
TypeName (Single-valued, string): Read

Farm object attributes

Table 74: Farm object attributes

Attribute | Type | Description | Supported operations
BuildVersion | Single-valued, string | Gets the build version of the SharePoint server farm. | Read
CanBackupRestoreAsConfiguration | Single-valued, Boolean | Gets whether the farm can participate in a configuration-only backup or restore. | Read
CanRenameOnRestore | Single-valued, Boolean | Gets whether the farm can be renamed during its restore. | Read
CanSelectForBackup | Single-valued, Boolean | Gets whether the farm can be selected for backup. | Read
CanSelectForRestore | Single-valued, Boolean | Gets whether the farm can be selected for restore in the Central Administration user interface. | Read
DaysBeforePasswordExpirationToSendEmail | Single-valued, integer | Gets the number of days before password expiration when a notification email is sent. | Read
DefaultServiceAccount | Single-valued, string | Gets the default service account. | Read
EncodedFarmId | Single-valued, integer | Gets the farm identifier. | Read
Id | Single-valued, string | Gets the object’s ID. | Read
Name | Single-valued, string | Gets the farm name. | Read
Parent | Single-valued, string | Gets the object’s parent. | Read
PasswordChangeEmailAddress | Single-valued, string | Gets the email address that receives password change notification messages. | Read
PasswordChangeGuardTime | Single-valued, integer | Gets the time interval (in seconds) that is used to wait for other computers’ response during password change operations. | Read
PasswordChangeMaximumTries | Single-valued, integer | Gets the maximum allowed number of password change attempts before the operation fails. | Read
PersistedFileChunkSize | Single-valued, integer | Gets the chunk size used to transfer files to or from the configuration database during a read or write operation. | Read
Products | Multivalued, string | Gets the identifiers of products installed in the farm. | Read
ServerDebugFlags | Multivalued, integer | Gets server debug flags. | Read
Servers | Multivalued, string | Gets the physical servers that are included in the farm. | Read
TimerService | Single-valued, string | Gets the timer service that is used by the farm. | Read
TraceSessionGuid | Single-valued, string | Gets the GUID that is used for trace session registration. | Read
UseMinWidthForHtmlPicker | Single-valued, Boolean | Gets whether the minimum width is used for the HTML picker (select) control. | Read
UserLicensingEnabled | Single-valued, Boolean | Gets whether user licensing is enabled. | Read
XsltTransformTimeOut | Single-valued, integer | Gets the timeout period (in seconds) for a customized XSLT transformation operation. | Read

Group object attributes

Table 75: Group object attributes

Attribute | Type | Description | Supported operations
AllowMembersEditMembership | Single-valued, Boolean | Gets or sets whether group membership can be modified by the group members. | Read, write (update only)
AllowRequestToJoinLeave | Single-valued, Boolean | Gets or sets whether users can request to join or leave the group. | Read, write (update only)
AutoAcceptRequestToJoinLeave | Single-valued, Boolean | Gets or sets whether users are automatically added to or removed from the group upon their request. | Read, write (update only)
CanCurrentUserEditMembership | Single-valued, Boolean | Gets whether the current user can modify membership of the group. | Read
CanCurrentUserManageGroup | Single-valued, Boolean | Gets whether the current user can manage the group. | Read
CanCurrentUserViewMembership | Single-valued, Boolean | Gets whether the current user can view a list of group members. | Read
ContainsCurrentUser | Single-valued, Boolean | Gets whether the group contains the current user. | Read
Description | Single-valued, string | Gets or sets the group description. | Read, write (update only)
DistributionGroupAlias | Single-valued, string | Gets the distribution group alias for the group. | Read
DistributionGroupEmail | Single-valued, string | Gets the distribution group email. | Read
DistributionGroupErrorMessage | Single-valued, string | Gets the last error message encountered during an asynchronous distribution group operation. | Read
ExplicitlyContainsCurrentUser | Single-valued, Boolean | Gets whether the group explicitly contains the current user as a direct member. | Read
Id | Single-valued, string | Gets the object’s ID. | Read
LoginName | Single-valued, string | Gets the login name of the group. | Read
Name | Single-valued, string | Gets or sets the name of the object. | Read, write
OnlyAllowMembersViewMembership | Single-valued, Boolean | Gets or sets whether only group members can view the list of members for the group. | Read, write (update only)
Owner | Single-valued, string, reference (User or Group object) | Gets or sets the group owner. A group owner can be a user or another group. | Read, write (create only)
Parent | Single-valued, string, reference (Site object) | Gets the object’s parent. | Read
RequestToJoinLeaveEmailSetting | Single-valued, string | Gets or sets the email address that receives requests to join or leave the group. | Read, write (update only)
Users | Multivalued, string, reference (User object) | Gets or sets the users that are members of the group. | Read, write (update only)
Xml | Single-valued, string | Gets the group properties in the XML string format. | Read

Language object attributes

Table 76: Language object attributes

Attribute | Type | Description | Supported operations
DisplayName | Single-valued, string | Gets the language name displayed on the user interface. | Read
Id | Single-valued, string | Gets the object’s ID. | Read
LanguageTag | Single-valued, string | Gets the language tag. | Read
Parent | Single-valued, string | Gets the object’s parent. | Read

Policy object attributes

Table 77: Policy object attributes

Attribute | Type | Description | Supported operations
Alias | Single-valued, string | Gets the object’s alias. | Read
DisplayName | Single-valued, string | Gets or sets the display name used in Microsoft 365 for the object. | Read, write (update only)
Id | Single-valued, string | Gets the object’s ID. | Read
IsSystemUser | Single-valued, Boolean | Gets or sets whether the user identified by the policy is represented as a system account in the user interface. | Read, write (update only)
Parent | Single-valued, string, reference (WebApplication object) | Gets the object’s parent. | Read
PolicyRoleBindings | Single-valued, string, reference (PolicyRole object) | Gets or sets policy roles for the policy. | Read, write (update only)
UrlZone | Single-valued, string | Gets or sets the originating zone of an incoming request. | Read, write (create only)
UserName | Single-valued, string | Gets the user name of the user or group associated with the policy. | Read, write (create only)

PolicyRole object attributes

Table 78: PolicyRole object attributes

Attribute | Type | Description | Supported operations
DenyRightsMask | Multivalued, string | Gets or sets the rights which the policy role denies. | Read, write (update only)
Description | Single-valued, string | Gets or sets the policy role description. | Read, write (update only)
GrantRightsMask | Multivalued, string | Gets or sets the rights which the policy role grants. | Read, write (update only)
Id | Single-valued, string | Gets the policy role GUID. | Read
IsSiteAdmin | Single-valued, Boolean | Gets or sets whether the policy role grants site collection administrator status. | Read, write (update only)
IsSiteAuditor | Single-valued, Boolean | Gets or sets whether the policy role grants site collection auditor status. | Read, write (update only)
Name | Single-valued, string | Gets or sets the name of the object. | Read, write (update only)
Parent | Single-valued, string, reference (WebApplication object) | Gets the object’s parent. | Read
Type | Single-valued, string | Gets the type of the policy role. | Read
Xml | Single-valued, string | Gets the policy role in the XML string format. | Read

Prefix object attributes

Table 79: Prefix object attributes

Attribute | Type | Description | Supported operations
Id | Single-valued, string | Gets the object’s ID. | Read
Name | Single-valued, string | Gets the server-relative URL of the prefix without the leading forward slash. | Read
Parent | Single-valued, string, reference (WebApplication object) | Gets the object’s parent. | Read
PrefixType | Single-valued, string | Gets the type of the prefix. | Read

RoleAssignment object attributes

Table 80: RoleAssignment object attributes

Attribute | Type | Description | Supported operations
Alias | Single-valued, string | Gets the object’s alias. | Read
Id | Single-valued, string | Gets the object’s ID. | Read
Member | Single-valued, string, reference (User or Group object) | Gets the user or group for the role assignment. This attribute is required to create a new RoleAssignment object in SharePoint. | Read
Parent | Single-valued, string, reference (Web object) | Gets the parent for the role assignment. | Read
RoleDefinitionBindings | Single-valued, string, reference (RoleDefinition object) | Gets the role definition bindings for the role assignment. | Read, write (update only)

RoleDefinition object attributes

Table 81: RoleDefinition object attributes

Attribute | Type | Description | Supported operations
BasePermissions | Multivalued, string | Gets or sets the base permissions for a role definition. | Read, write (update only)
Description | Single-valued, string | Gets or sets the role definition description. | Read, write (update only)
Hidden | Single-valued, Boolean | Gets whether the role definition is hidden from the user interface. | Read
Id | Single-valued, string | Gets the object’s identifier. | Read
Members | Multivalued, string, reference | Gets or sets role assignments for the role definition. | Read, write (update only)
Name | Single-valued, string | Gets or sets the name of the object. | Read, write
Order | Single-valued, string | Gets or sets the order in which to display the permission levels in the user interface. | Read, write (update only)
Parent | Single-valued, string, reference | Gets the object’s parent. | Read
Type | Single-valued, string | Gets the role definition type. | Read
Xml | Single-valued, string | Gets the role definition permission in the XML format. | Read

Site object attributes

Table 82: Site object attributes

Attribute | Type | Description | Supported operations
AdministrationSiteType | Single-valued, string | Gets or sets the administration site types supported by SharePoint. | Read, write (update only)
AllowDesigner | Single-valued, Boolean | Gets or sets the Site Collection Allow Designer property. | Read, write (update only)
AllowExternalEmbedding | Single-valued, string | Gets or sets the external domain embedding for the site collection. | Read, write (update only)
AllowMasterPageEditing | Single-valued, Boolean | Gets whether master page editing is allowed. | Read
AllowRevertFromTemplate | Single-valued, Boolean | Gets or sets whether reverting from a template is allowed. | Read, write (update only)
AllowRssFeeds | Single-valued, Boolean | Gets whether the site collection allows RSS feeds. | Read
AllowSelfServiceUpgrade | Single-valued, Boolean | Gets or sets whether upgrade is allowed. | Read, write (update only)
AllowSelfServiceUpgradeEvaluation | Single-valued, Boolean | Gets or sets whether an upgrade evaluation site collection can be created. | Read, write (update only)
AllowUnsafeUpdates | Single-valued, Boolean | Gets or sets whether updates to the database are allowed without security validation. | Read, write (update only)
ApplicationRightsMask | Multivalued, string | Gets the rights mask for the parent Web application of the site collection. | Read
Archived | Single-valued, Boolean | Gets or sets whether the site is in archived mode. | Read, write (update only)
AuditLogTrimmingCallout | Single-valued, string | Gets or sets the class name of the object that performs audit log trimming. | Read, write (update only)
AuditLogTrimmingRetention | Single-valued, integer | Gets or sets the period (in days) during which the audit log data is retained. | Read, write (update only)
AverageResourceUsage | Single-valued, string | Gets the average resource usage of the site collection for the specified number of days. | Read
BrowserDocumentsEnabled | Single-valued, Boolean | Gets whether the documents can be viewed in a Web browser. | Read
CanUpgrade | Single-valued, Boolean | Gets whether the object is upgradeable. | Read
CatchAccessDeniedException | Single-valued, Boolean | Gets or sets whether SharePoint handles “Access denied” exceptions. | Read, write (update only)
CertificationDate | Single-valued, DateTime | Gets the confirmation date and time for the automatic deletion of the site collection. | Read
CompatibilityLevel | Single-valued, integer | Gets the major version number of the site collection. This version number is used to perform compatibility checks. | Read
ContentDatabase | Single-valued, string | Gets the content database associated with the site collection. | Read
CurrentChangeToken | Single-valued, string | Gets the change token that is used to write the next change to the site collection. | Read
CurrentResourceUsage | Single-valued, string | Gets the resource usage for the site collection. | Read
DeadWebNotificationCount | Single-valued, integer | Gets the number of notifications that were sent about the Web sites that are not in use within the site collection. | Read
DenyPermissionsMask | Multivalued, string | Gets or sets the deny permission mask for all site users, including the site administrator. | Read, write (update only)
EvalSiteId | Single-valued, string (GUID) | Gets the identifier of the upgrade evaluation site collection, if it was created for the site collection. | Read
ExpirationDate | Single-valued, DateTime | Gets or sets the date after which an upgrade evaluation site collection gets automatically deleted. | Read, write (update only)
FileNotFoundUrl | Single-valued, string | Gets the URL to the file not found page. The HTTP requests where the resource cannot be found are redirected to this URL. | Read, write (update only)
HasAppPrincipalContext | Single-valued, Boolean | Gets whether the object is running within an application principal context. | Read
HideSystemStatusBar | Single-valued, Boolean | Gets whether the site’s system status bar is hidden. | Read
HostHeaderIsSiteName | Single-valued, Boolean | Gets whether the host header is used to uniquely identify the site collection. | Read
HostName | Single-valued, string | Gets the name of the server that hosts the site collection. | Read
Id | Single-valued, string | Gets the object’s ID. | Read
IISAllowsAnonymous | Single-valued, Boolean | Gets a value that indicates whether IIS allows anonymous access. | Read
Impersonating | Single-valued, Boolean | Gets the impersonation status of the object. | Read
InheritAllowSelfServiceUpgradeEvaluationSetting | Single-valued, Boolean | Gets or sets whether to inherit the AllowSelfServiceUpgradeEvaluationSetting value from the parent. | Read, write (update only)
InheritAllowSelfServiceUpgradeSetting | Single-valued, Boolean | Gets or sets whether to inherit the AllowSelfServiceUpgradeSetting value from the parent. | Read, write (update only)
InvitedUserMaximumLevel | Single-valued, integer | Description is not available. | Read, write (update only)
IsEvalSite | Single-valued, Boolean | Gets or sets whether the object is an upgrade evaluation site collection. | Read, write (update only)
IsReadLocked | Single-valued, Boolean | Gets or sets whether the site collection is unavailable for Read access. | Read, write (update only)
Language | Single-valued, integer, reference | Description is not available. | Read, write
LastContentModifiedDate | Single-valued, DateTime | Gets the date and time (in UTC) when the site content was last modified. | Read
LastSecurityModifiedDate | Single-valued, DateTime | Gets the date and time (in UTC) when the site collection security settings were last modified. | Read
LockIssue | Single-valued, string | Gets or sets the comment of the site collection lock. | Read, write (update only)
MaintenanceMode | Single-valued, Boolean | Gets whether the site is in maintenance mode. | Read
NeedsUpgrade | Single-valued, Boolean | Gets or sets whether the site requires upgrading. | Read, write (update only)
OutgoingEmailAddress | Single-valued, string | Gets or sets the outgoing email address for the site. | Read, write (update only)
Owner | Single-valued, string, reference (User object) | Gets or sets the site collection owner. This attribute is required to create a new site collection in SharePoint. | Read, write (create only)
OwnerEmail | Single-valued, string | Gets or sets the site collection owner email address. | Read, write
Parent | Single-valued, string, reference (WebApplication object) | Gets the object’s parent. | Read
Port | Single-valued, integer | Gets the port number used by the virtual server that hosts the site collection. | Read
PortalName | Single-valued, string | Gets or sets the portal name. | Read, write (update only)
PortalUrl | Single-valued, string | Gets or sets the portal URL. | Read, write (update only)
PrimaryUri | Single-valued, string | Gets the portal URI. | Read
QuotaID | Single-valued, integer | Description is not available. | Read, write (update only)
ReadLocked | Single-valued, Boolean | Gets or sets whether the site is unavailable for Read access. | Read, write (update only)
ReadOnly | Single-valued, Boolean | Gets or sets whether the site collection is read-only and unavailable for Write access. | Read, write (update only)
ResourceQuotaExceeded | Single-valued, Boolean | Gets whether the resource quota limit for the site collection has been exceeded since the last daily quota reset operation. | Read
ResourceQuotaExceededNotificationSent | Single-valued, Boolean | Gets whether a resource quota exceeded notification was sent since the last daily quota reset operation for the site collection. | Read
ResourceQuotaWarningNotificationSent | Single-valued, Boolean | Gets whether a resource quota exceeded warning was sent since the last daily quota reset operation for the site collection. | Read
SchemaVersion | Single-valued, string | Gets the site collection version number for upgrade compatibility checks. | Read
SecondaryContact | Single-valued, string, reference (User object) | Description is not available. | Read, write (update only)
ServerRelativeUrl | Single-valued, string | Gets or sets the server-relative URL of the root Web site. | Read, write (update only)
ShareByEmailEnabled | Single-valued, Boolean | Gets or sets whether the users are allowed to grant access permissions to guests, so that they can access the site collection resources. | Read, write (update only)
ShareByLinkEnabled | Single-valued, Boolean | Gets or sets whether the users are allowed to share the site collection documents by providing hyperlinks to those documents. | Read, write (update only)
ShowURLStructure | Single-valued, Boolean | Gets or sets whether to show the site collection URL structure. | Read, write (update only)
SourceSiteId | Single-valued, string (GUID) | Gets the source site ID for an upgrade evaluation site collection. | Read
StorageMaximumLevel | Single-valued, LargeInteger | Description is not available. | Read, write (update only)
StorageWarningLevel | Single-valued, LargeInteger | Description is not available. | Read, write (update only)
SyndicationEnabled | Single-valued, Boolean | Gets or sets whether RSS syndication is enabled for the site collection. | Read, write (update only)
SystemAccount | Single-valued, string, reference (User object) | Gets the system account of the site collection. | Read
TrimAuditLog | Single-valued, Boolean | Gets or sets whether to delete old data from the audit log. | Read, write (update only)
UpgradeReminderDate | Single-valued, DateTime | Description is not available. | Read
Upgrading | Single-valued, Boolean | Gets whether a site upgrade is currently in progress. | Read
Url | Single-valued, string | Gets or sets the full URL of the root Web site of the site collection. The URL contains the host name and port number. This attribute is required to create a new site collection in SharePoint. | Read, write (create only)
UserCodeEnabled | Single-valued, Boolean | Gets whether the user code service is enabled for the site collection. | Read
UserCodeMaximumLevel | Single-valued, string | Description is not available. | Read, write (update only)
UserCodeWarningLevel | Single-valued, string | Description is not available. | Read, write (update only)
UserDefinedWorkflowsEnabled | Single-valued, Boolean | Gets or sets whether user-defined workflows are enabled for the site collection. | Read, write (update only)
UserIsSiteAdminInSystem | Single-valued, Boolean | Gets whether the current user is a site collection administrator. | Read
UserToken | Single-valued, binary | Gets the user token associated with the site collection. | Read
WarningNotificationSent | Single-valued, Boolean | Gets whether a warning notification has been sent. | Read
WebTemplate | Single-valued, string | Description is not available. | Read, write
WriteLocked | Single-valued, Boolean | Gets whether the site collection is unavailable for Write access. | Read
Zone | Single-valued, string | Gets the URL zone that was used when creating the site object. | Read

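Several of the attributes in the tables above carry a SharePoint rights mask: PolicyRole.GrantRightsMask and DenyRightsMask, RoleDefinition.BasePermissions and Site.DenyPermissionsMask are writable (update only), while Site.ApplicationRightsMask and, in the Web table further down, EffectiveBasePermissions are read-only and AnonymousPermMask64 is writable. A workflow that writes ManagePermissions or ManageWeb into a role definition hands out site administration as a side effect of what looks like a membership sync, so the staged value deserves a check before the update runs. The script below is an added example for this guide, not One Identity code and not part of the Synchronization Service: it decodes a mask, reports the rights that let a principal change access or administer the web, and applies a deny mask the way SharePoint evaluates it (deny bits override grant bits). The bit values are those of SharePoint Server’s public SPBasePermissions enumeration; that the connector presents a multivalued string mask as one flag name per value is an assumption of this example, and the role names and staged values are constructed for illustration.

```python
"""Decode SharePoint base-permission masks and flag privileged rights.
Added example, not One Identity code. Bit values are SharePoint Server's public
SPBasePermissions flags; that the connector presents a multivalued string mask
as one flag name per value is an assumption of this example."""
from typing import Iterable, List, Set, Union

# SPBasePermissions flag bits (SharePoint Server public API).
PERMISSION_BITS = {
    "ViewListItems": 1 << 0, "AddListItems": 1 << 1, "EditListItems": 1 << 2,
    "DeleteListItems": 1 << 3, "ApproveItems": 1 << 4, "OpenItems": 1 << 5,
    "ViewVersions": 1 << 6, "DeleteVersions": 1 << 7, "CancelCheckout": 1 << 8,
    "ManagePersonalViews": 1 << 9, "ManageLists": 1 << 11, "ViewFormPages": 1 << 12,
    "AnonymousSearchAccessList": 1 << 13, "Open": 1 << 16, "ViewPages": 1 << 17,
    "AddAndCustomizePages": 1 << 18, "ApplyThemeAndBorder": 1 << 19,
    "ApplyStyleSheets": 1 << 20, "ViewUsageData": 1 << 21, "CreateSSCSite": 1 << 22,
    "ManageSubwebs": 1 << 23, "CreateGroups": 1 << 24, "ManagePermissions": 1 << 25,
    "BrowseDirectories": 1 << 26, "BrowseUserInfo": 1 << 27,
    "AddDelPrivateWebParts": 1 << 28, "UpdatePersonalWebParts": 1 << 29,
    "ManageWeb": 1 << 30, "AnonymousSearchAccessWebLists": 1 << 32,
    "UseClientIntegration": 1 << 36, "UseRemoteAPIs": 1 << 37, "ManageAlerts": 1 << 38,
    "CreateAlerts": 1 << 39, "EditMyUserInfo": 1 << 40, "EnumeratePermissions": 1 << 62,
}
FULL_MASK = (1 << 63) - 1          # SPBasePermissions.FullMask; EmptyMask is 0
KNOWN_BITS = 0
for _bit in PERMISSION_BITS.values():
    KNOWN_BITS |= _bit
# Rights that let a principal change who else has access or administer the
# web itself; a workflow writing any of these into a role deserves review.
PRIVILEGED = frozenset({"ManagePermissions", "ManageWeb", "ManageSubwebs",
                        "CreateGroups", "EnumeratePermissions"})
MaskInput = Union[int, str, Iterable[str]]

def _mask_from_names(names: Iterable[str]) -> int:
    mask = 0
    for name in names:
        name = name.strip()
        if name == "FullMask":
            mask |= FULL_MASK
        elif name in PERMISSION_BITS:
            mask |= PERMISSION_BITS[name]
        elif name != "EmptyMask":
            raise ValueError(f"unknown SPBasePermissions flag: {name!r}")
    return mask

def parse_mask(value: MaskInput) -> int:
    """Accept an int, a decimal or hex string, one flag name, or a list of names."""
    if isinstance(value, int):
        mask = value
    elif isinstance(value, str):
        try:
            mask = int(value.strip(), 0)      # "1073741824" or "0x40000000"
        except ValueError:
            mask = _mask_from_names([value])  # a lone flag name
    else:
        mask = _mask_from_names(value)        # the multivalued-string form
    if not 0 <= mask <= FULL_MASK:
        raise ValueError(f"mask out of range: {mask}")
    return mask

def decode_mask(mask: int) -> List[str]:
    """Flag names set in the mask; undefined bits are reported, not dropped."""
    if mask == FULL_MASK:
        return ["FullMask"]
    names = [name for name, bit in PERMISSION_BITS.items() if mask & bit]
    unknown = mask & ~KNOWN_BITS & FULL_MASK
    if unknown:
        names.append(f"Unknown(0x{unknown:x})")
    return names or ["EmptyMask"]

def effective_mask(grant: MaskInput, deny: MaskInput = 0) -> int:
    """Grant bits minus deny bits: in SharePoint a deny mask wins over a grant."""
    return parse_mask(grant) & ~parse_mask(deny) & FULL_MASK

def privileged_rights(mask: int) -> Set[str]:
    """Privileged flags present in the mask (all of them for FullMask)."""
    return {name for name in PRIVILEGED if mask & PERMISSION_BITS[name]}

def review_role(role: str, grant: MaskInput, deny: MaskInput = 0) -> dict:
    """Summarise what a principal bound to this role could actually do."""
    effective = effective_mask(grant, deny)
    return {"role": role, "effective": decode_mask(effective),
            "privileged": sorted(privileged_rights(effective)),
            "full_control": effective == FULL_MASK}

if __name__ == "__main__":
    # Constructed sample values, as a workflow might stage them for
    # RoleDefinition.BasePermissions; "Synced Editors" smuggles in ManagePermissions.
    staged = {
        "Contribute": ["ViewListItems", "AddListItems", "EditListItems", "DeleteListItems",
                       "OpenItems", "ViewVersions", "Open", "ViewPages", "BrowseUserInfo"],
        "Synced Editors": ["ViewListItems", "EditListItems", "Open", "ViewPages",
                           "ManagePermissions"],
        "Legacy Policy": "9223372036854775807",   # FullMask as a numeric string
    }
    site_deny = ["ManageWeb"]  # constructed Site.DenyPermissionsMask value
    for role, rights in staged.items():
        summary = review_role(role, rights, site_deny)
        print("REVIEW" if summary["privileged"] else "ok    ", role,
              summary["privileged"] or summary["effective"])
```

Run it as a pre-flight step on whatever a workflow is about to write into a rights-mask attribute: the “Legacy Policy” entry shows why a numeric FullMask must be decoded rather than eyeballed, and the site-level deny of ManageWeb shows that a deny mask removes a right from every role beneath it, including one that claims full control. Bits the decoder does not recognise are reported as Unknown rather than silently dropped, so a newer farm’s flags cannot slip past the review.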
User object attributes

Table 83: User object attributes

Attribute | Type | Description | Supported operations
Alias | Single-valued, string | Gets the alias of the object. | Read
AllowBrowseUserInfo | Single-valued, Boolean | Gets or sets whether the user can view information about other users of the Web site. | Read, write (update only)
Email | Single-valued, string | Gets or sets the user’s email address. | Read, write (update only)
Groups | Multivalued, string, reference (Group object) | Gets the groups in which the object is a member. | Read
Id | Single-valued, string | Gets the object’s ID. | Read
IsApplicationPrincipal | Single-valued, Boolean | Gets whether the user is an application principal. | Read
IsDomainGroup | Single-valued, Boolean | Gets whether the user is a domain group. | Read
IsHiddenInUI | Single-valued, Boolean | Gets whether the user is hidden in the user interface. | Read
IsShareByEmailGuestUser | Single-valued, Boolean | Gets or sets whether the user is a share-by-email guest user. | Read, write (update only)
IsSiteAdmin | Single-valued, Boolean | Gets or sets whether the user is a site collection administrator. | Read, write (update only)
IsSiteAuditor | Single-valued, Boolean | Gets whether the user is a site collection auditor. | Read
IsUserSettingsSyncedWithProvider | Single-valued, Boolean | Gets or sets whether user settings have been synchronized with the External Settings Provider. | Read, write (update only)
LoginName | Single-valued, string | Gets or sets the login name of the object. | Read, write (create only)
Name | Single-valued, string | Gets or sets the display name used in Microsoft 365 for the object. | Read, write (update only)
Notes | Single-valued, string | Gets or sets notes about the object. | Read, write (update only)
Parent | Single-valued, string, reference (Site object) | Gets the object’s parent. | Read
RawSid | Single-valued, binary | Gets the system ID of the user. | Read
RequireRequestToken | Single-valued, Boolean | Gets or sets whether the user requires a request token. | Read, write (update only)
Sid | Single-valued, string | Gets the SID for the user’s network account. | Read
SystemUserKey | Single-valued, string | Gets the user key specific to the configuration. | Read
UserId | Single-valued, string | Gets the user’s name identifier and the issuer of that identifier. | Read
UserToken | Single-valued, binary | Gets the token that identifies the authentication process for the user. | Read
Xml | Single-valued, string | Gets information about the user in the XML format. | Read

Web object attributes

Table 84: Web object attributes

Attribute | Type | Description | Supported operations
AllowAnonymousAccess | Single-valued, Boolean | Gets whether anonymous access is allowed for the Web site. | Read
AllowAutomaticASPXPageIndexing | Single-valued, Boolean | Gets or sets whether the .aspx pages of the Web site should be indexed for search operations. | Read, write (update only)
AllowDesignerForCurrentUser | Single-valued, Boolean | Gets whether the current user is allowed to use the designer for the Web site. | Read
AllowMasterPageEditingForCurrentUser | Single-valued, Boolean | Gets whether the current user is allowed to edit master pages. | Read
AllowRevertFromTemplateForCurrentUser | Single-valued, Boolean | Gets whether the current user is allowed to revert from the Web site template. | Read
AllowRssFeeds | Single-valued, Boolean | Gets whether the Web site allows RSS feeds. | Read
AllowUnsafeUpdates | Single-valued, Boolean | Gets or sets whether database updates are allowed without security validation. | Read, write (update only)
AllWebTemplatesAllowed | Single-valued, Boolean | Gets whether all available Web templates (those returned by the GetAvailableWebTemplates method) are allowed. | Read
AlternateCssUrl | Single-valued, string | Gets or sets the URL pointing at an alternate CSS for the Web site. | Read, write (update only)
AlternateHeader | Single-valued, string | Gets or sets the URL pointing at an alternate .aspx page that is used for rendering the top navigation area on the Web site. | Read, write (update only)
AnonymousPermMask64 | Multivalued, string | Gets or sets base permissions for anonymous users of the Web site. | Read, write (update only)
AnonymousState | Single-valued, string | Gets or sets the level of access for anonymous users of the Web site. | Read, write (update only)
AppDatabaseName | Single-valued, string | Gets the name of the application database associated with the Web site. | Read
AppDatabaseServerReferenceId | Single-valued, string (GUID) | Gets the ID of the server on which the database is located. | Read
AppDatabaseTargetApplicationId | Single-valued, string | Gets the ID of the target application. | Read
AppInstanceId | Single-valued, string (GUID) | Gets the ID of the App instance the Web site represents. | Read
ASPXPageIndexed | Single-valued, Boolean | Gets whether the automatic indexing of the Web site’s .aspx pages is enabled. | Read
AssociatedMemberGroup | Single-valued, string, reference (Group object) | Gets or sets the users who can be contributors of the Web site. | Read, write
AssociatedOwnerGroup | Single-valued, string, reference (Group object) | Gets or sets the associated owner groups of the Web site. | Read, write (update only)
AssociatedVisitorGroup | Single-valued, string, reference (Group object) | Gets or sets the associated visitor group of the Web site. | Read, write
Author | Single-valued, string, reference (User object) | Gets or sets the user who created the Web site. | Read, write
CacheAllSchema | Single-valued, Boolean | Gets or sets whether caching of all schemas of the Web site is enabled. | Read, write (update only)
ClientTag | Single-valued, string (integer) | Gets or sets the client cache control number for the Web site. | Read, write (create only)
Configuration | Single-valued, string (integer) | Gets the ID of the site definition configuration that was used to create the Web site, or of the template from which the Web site was created. | Read
Created | Single-valued, string (DateTime) | Gets or sets the date and time when the Web site was created. | Read, write (update only)
CurrencyLocaleID | Single-valued, string (integer) | Gets or sets the identifier of the currency that is used on the Web site. | Read, write (update only)
CurrentChangeToken | Single-valued, string (SPChangeToken) | Gets the token that is used for logging the next change to the Web site. | Read
CurrentUser | Single-valued, string, reference (User object) | Gets the current user of the Web site. | Read
CustomJavaScriptFileUrl | Single-valued, string | Gets or sets the URL pointing at the custom JavaScript file used by the CustomJsUrl Web control. | Read, write (update only)
CustomMasterUrl | Single-valued, string | Gets or sets the URL pointing to a custom master page for the Web site. | Read, write (update only)
CustomUploadPage | Single-valued, string | Gets or sets the path to a custom application page for uploading files. | Read, write (update only)
Description | Single-valued, string | Gets or sets the description for the Web site. | Read, write (update only)
DocumentLibraryCalloutOfficeWebAppPreviewersDisabled | Single-valued, Boolean | Gets whether the WAC previewers are disabled for the Document Library Callouts. | Read
EffectiveBasePermissions | Multivalued, string | Gets the effective base permissions assigned to the current user. | Read
EffectivePresenceEnabled | Single-valued, Boolean | Gets whether effective presence information is enabled for the Web site. | Read
EnableMinimalDownload | Single-valued, Boolean | Gets or sets whether Minimal Download Strategy is enabled for the Web site. | Read, write (update only)
ExcludeFromOfflineClient | Single-valued, Boolean | Gets or sets whether to download data from the Web site to the client during offline synchronization. | Read, write (update only)
ExecuteUrl | Single-valued, string | Gets the URL that is called after instantiating the site definition for business solutions. | Read
Exists | Single-valued, Boolean | Gets a value that indicates whether the Web site exists. | Read
FileDialogPostProcessorId | Single-valued, string (GUID) | Gets or sets the ID for the user interface element used for Web views in the file dialog boxes and forms of document libraries. | Read, write (update only)
FirstUniqueAncestorWeb | Single-valued, string, reference (Web object) | Gets the first ancestor Web site that has unique permissions. | Read
FirstUniqueRoleDefinitionWeb | Single-valued, string, reference (Web object) | Gets the Web site that defines role definitions for the current Web site. | Read
HasUniqueRoleAssignments | Single-valued, Boolean | Gets or sets whether the object has unique role assignments or inherits its assignments from a parent. | Read, write (create only)
HasUniqueRoleDefinitions | Single-valued, Boolean | Gets whether the role definitions are defined uniquely for the Web site or inherited from a parent Web site. | Read

HideSiteContentsLink Single-valued, Gets or sets whether a Read,


Boolean link to site contents is write
available in the site (update
actions menu (the gear only)
icon).

Id Single-valued, Gets the object’s ID. Read

Active Roles 8.0 LTS Synchronization Service Administration Guide


202
Connections to external data systems
Attribute Type Description Supporte
d
operatio
ns

string

IncludeSupporting Single-valued, Gets or sets whether Read,


Folders Boolean supporting folders for write
files or folders in the (update
Web site are included in only)
enumeration operations
for these files or
folders.

IndexedPropertyKeys Multivalued, Gets the property keys Read


string for properties that need
to be exposed through
the Site Data Web
Service.

IsADAccountCreation Single-valued, Gets whether user Read


Mode Boolean accounts are created
automatically in Active
Directory when users
are invited to the Web
site.

IsADEmailEnabled Single-valued, Gets whether email for Read


Boolean AD DS is enabled on the
Web site.

IsAppWeb Single-valued, Gets whether the Web Read


Boolean site is a container for
an application.

IsMultilingual Single-valued, Gets or sets whether Read,


Boolean the Web site has a write
multilingual user (update
interface enabled. only)

IsRootWeb Single-valued, Gets whether the Web Read


Boolean site is the top-level site
in the site collection.

Language Single-valued, Gets or sets the locale Read,


reference identifier of the default write
(Language language for the Web (create
object) site. only)

LastItemModifiedDate Single-valued, Gets or sets the date Read,

Active Roles 8.0 LTS Synchronization Service Administration Guide


203
Connections to external data systems
Attribute Type Description Supporte
d
operatio
ns

string and time when the last write


(DateTime) modification was made (update
to an item on the Web only)
site.

Locale Single-valued, Gets the locale that is Read


string used to show time,
(CultureInfo) currency, and numeric
data on the Web site.

MasterPageReference Single-valued, Gets whether master Read


Enabled Boolean page referencing is
enabled for the Web
site.

MasterUrl Single-valued, Gets or sets the URL Read,


string pointing at the master write
page for the Web site. (update
only)

Name Single-valued, Gets or sets the name Read,


string of the object. write
(update
only)

NoCrawl Single-valued, Gets or sets whether Read,


Boolean searching is disabled write
for the Web site. (update
only)

NonHostHeaderUrl Single-valued, Gets the full URL of the Read


string Web site.

OverwriteTranslationsOnChange Single-valued, Gets or sets whether Read,


Boolean text changes made by write
user in the default (update
language automatically only)
overwrite existing
translations in all other
languages.

Parent Single-valued, Gets the object’s Read


string, parent.
reference (Site
object)

Active Roles 8.0 LTS Synchronization Service Administration Guide


204
Connections to external data systems
Attribute Type Description Supporte
d
operatio
ns

ParserEnabled Single-valued, Gets or sets whether Read,


Boolean parsing is enabled for write
document libraries of (update
the Web site. only)

PortalMember Single-valued, Gets whether the Web Read


Boolean site is associated with a
portal site.

PortalName Single-valued, Gets the name of the Read


string portal site associated
with the Web site.

PortalSubscriptionUrl Single-valued, Gets the URL that is Read


string used for alerts within
the portal.

PortalUrl Single-valued, Gets the URL that Read


string points to the portal site
associated with the
Web site.

PresenceEnabled Single-valued, Gets or sets whether Read,


Boolean inline presence write
information is enabled (update
for the Web site. only)

Provisioned Single-valued, Gets or sets whether Read,


Boolean the Web site has been write
provisioned. (update
only)

QuickLaunchEnabled Single-valued, Gets or sets whether Read,


Boolean the Quick Launch area write
is enabled and (update
available on the Web only)
site.

RecycleBinEnabled Single-valued, Gets whether the Read


Boolean recycle bin is enabled
for the Web site.

RequestAccessEmail Single-valued, Gets or sets the email Read,


string address to which write
access requests are (update
sent. only)

Active Roles 8.0 LTS Synchronization Service Administration Guide


205
Connections to external data systems
Attribute Type Description Supporte
d
operatio
ns

RequestAccessEnabled Single-valued, Gets whether it is Read


Boolean required to send a
request in order to get
access to the Web site.

RequireDynamicCanary Single-valued, Gets whether the Read


Boolean canary is required for
all requests to the
UrlZone.

SaveSiteAsTemplate Single-valued, Gets or sets whether Read,


Enabled Boolean the Web site can be write
saved as a template. (update
only)

ServerRelativeUrl Single-valued, Gets or sets the Web Read,


string site URL in a server- write
relative format. (update
only)

ShowUrlStructureFor Single-valued, Gets whether the Read


CurrentUser Boolean current user is allowed
to view the file
structure of the Web
site.

Site Single-valued, Gets the parent site Read


string, collection for the Web
reference (Site site.
object)

SiteClientTag Single-valued, Gets the client cache Read


string control number for the
site collection.

SiteLogoDescription Single-valued, Gets or sets the Read,


string description of the Web write
site logo. (update
only)

SiteLogoUrl Single-valued, Gets or sets the Read,


string absolute URL pointing write
at the Web site logo. (update
only)

SupportedUICultures Multivalued, Gets information about Read

Active Roles 8.0 LTS Synchronization Service Administration Guide


206
Connections to external data systems
Attribute Type Description Supporte
d
operatio
ns

string the cultures supported


(CultureInfo) by the Web site.

SyndicationEnabled Single-valued, Gets or sets whether Read,


Boolean RSS is enabled for the write
Web site. (update
only)

ThemedCssFolderUrl Single-valued, Gets or sets the URL Read,


string pointing to the folder write
that holds the CSS file (update
that is used to display only)
the Web site.

Title Single-valued, Gets or sets the title of Read,


string the object. write
(update
only)

TreeViewEnabled Single-valued, Gets or sets whether Read,


Boolean Tree View is enabled in write
the Web site user (update
interface. only)

UICulture Single-valued, Gets the default Read


string language for the Web
(CultureInfo) site.

UIVersion Single-valued, Gets or sets the current Read,


string (integer) version number of the write
user interface. (update
only)

Url Single-valued, Gets or sets the Read,


string absolute URL of the write
Web site. (create
only)

UserIsSiteAdmin Single-valued, Gets whether the user Read


Boolean has administrator
rights on the Web site.

UserIsWebAdmin Single-valued, Gets whether the user Read


Boolean is a member of the
Administrator group for
the Web site.

Active Roles 8.0 LTS Synchronization Service Administration Guide


207
Connections to external data systems
Attribute Type Description Supporte
d
operatio
ns

WebTemplate Single-valued, Gets the name of the Read


string site definition or
template that was used
to create the Web site.

WebTemplateId Single-valued, Gets or sets the ID of Read,


string (integer) the template or write
definition that was used (create
to create the Web site. only)

WebApplication object attributes

Table 85: WebApplication object attributes

Attribute | Type | Description | Supported operations
AlertsEnabled | Single-valued, Boolean | Gets or sets whether alerts are allowed in the Web application. | Read, write (update only)
AlertsLimited | Single-valued, Boolean | Gets or sets whether a limit is imposed on the number of lists and list items for which alerts can be created. | Read, write (update only)
AlertsMaximum | Single-valued, integer | Gets or sets the maximum number of lists and list items for which a single user can create alerts. | Read, write (update only)
AlertsMaximumQuerySet | Single-valued, integer | Gets or sets the maximum number of records in a query set that is associated with an alert object. | Read, write (update only)
AllowAccessToWebPartCatalog | Single-valued, Boolean | Gets or sets whether sites in the Web application can use Web Parts located in the global catalog. | Read, write (update only)
AllowAnalyticsCookieForAnonymousUsers | Single-valued, Boolean | Gets or sets whether analytics cookies are allowed for anonymous users. | Read, write (update only)
AllowContributorsToEditScriptableParts | Single-valued, Boolean | Gets or sets whether the contributors are allowed to edit scriptable Web parts. | Read, write (update only)
AllowDesigner | Single-valued, Boolean | Gets or sets whether Web sites within the Web application can be edited with SharePoint Designer. | Read, write (update only)
AllowedInlineDownloadedMimeTypes | Multivalued, string | Gets the MIME content types that are not force-downloaded to the user’s computer. Files not listed in this attribute value are considered to be script files and can interact with the Web application on the user’s behalf. | Read
AllowHighCharacterListFolderNames | Single-valued, Boolean | Gets or sets whether non-alphanumeric characters are allowed in the list folder names that are generated automatically. | Read, write (update only)
AllowMasterPageEditing | Single-valued, Boolean | Gets or sets whether the users are allowed to edit master pages. | Read, write (update only)
AllowOMCodeOverrideThrottleSettings | Single-valued, Boolean | Gets or sets whether custom object model code is allowed to override the throttle settings. | Read, write (update only)
AllowPartToPartCommunication | Single-valued, Boolean | Gets or sets whether the Web application allows communication between different Web Parts. | Read, write (update only)
AllowRevertFromTemplate | Single-valued, Boolean | Gets or sets whether customized sites can be rolled back to their base templates. | Read, write (update only)
AllowSelfServiceUpgradeEvaluation | Single-valued, Boolean | Gets or sets whether upgrade evaluation site collections can be created. | Read, write (update only)
AllowSilverlightPrompt | Single-valued, Boolean | Gets or sets whether UI elements that require Microsoft Silverlight prompt the user to download and install Silverlight. | Read, write (update only)
AlwaysProcessDocuments | Single-valued, Boolean | Gets or sets whether documents to be returned are always processed by document parsers. | Read, write (update only)
ApplicationPrincipalMaxRights | Multivalued, string | Gets or sets the maximum rights that any application principal user has in the Web application. | Read, write (update only)
AutomaticallyDeleteUnusedSiteCollections | Single-valued, Boolean | Gets or sets whether to automatically delete unused site collections. | Read, write (update only)
BlockedFileExtensions | Multivalued, string | Gets the list of file name extensions that are forbidden for download from the sites within the Web application. | Read
BrowserCEIPEnabled | Single-valued, Boolean | Gets or sets whether the Customer Experience Improvement Program is enabled in the Web browser. | Read, write (update only)
CanRenameOnRestore | Single-valued, Boolean | Gets whether the Web application can be renamed during its restore. | Read
CanSelectForBackup | Single-valued, Boolean | Gets or sets whether the Web application can be backed up. | Read, write (update only)
CanSelectForRestore | Single-valued, Boolean | Gets or sets whether the Web application can be restored. | Read, write (update only)
CascadeDeleteMaximumItemLimit | Single-valued, integer | Gets or sets the maximum number of items that can be checked in a Cascade or Restrict delete operation. | Read, write (update only)
CascadeDeleteTimeoutMultiplier | Single-valued, integer | Gets or sets the cost per item deleted in a referential integrity delete operation. | Read, write (update only)
CellStorageWebServiceEnabled | Single-valued, Boolean | Gets or sets whether the Web service named WebSvcCellStorage is enabled. | Read, write (update only)
ChangeLogExpirationEnabled | Single-valued, Boolean | Gets or sets whether change logs get deleted after the retention period set in the ChangeLogRetentionPeriod property expires. | Read, write (update only)
ChangeLogRetentionPeriod | Single-valued, string (TimeSpan) | Gets or sets the period (in days) during which the change logs are retained. | Read, write (update only)
CrossDomainPhotosEnabled | Single-valued, Boolean | Gets or sets whether the cross-domain photo pare is enabled. | Read, write (update only)
CustomAppErrorLimit | Single-valued, integer | Gets or sets the maximum number of calls that the Web application can make each 24 hours to log custom errors. | Read, write (update only)
DailyStartUnthrottledPrivilegedOperationsHour | Single-valued, integer | Gets or sets the hour (in the local time zone) when the unthrottled daily time window starts. | Read, write (update only)
DailyStartUnthrottledPrivilegedOperationsMinute | Single-valued, integer | Gets or sets the minute (in the local time zone) when the unthrottled daily time window starts. | Read, write (update only)
DailyUnthrottledPrivilegedOperationsDuration | Single-valued, integer | Gets or sets the period (in hours) during which the unthrottled daily time window remains open. | Read, write (update only)
DaysToShowNewIndicator | Single-valued, integer | Gets or sets the period (in days) during which the New icon is displayed next to new list items. | Read, write (update only)
DefaultQuotaTemplate | Single-valued, string | Gets or sets the default quota template applicable to all site collections. | Read, write (update only)
DefaultServerComment | Single-valued, string | Gets the default comment for the IIS Web site. This default comment is used in situations where a comment is not specified by the Web application. | Read
DefaultTimeZone | Single-valued, integer | Gets or sets the default time zone for the Web application. | Read, write (update only)
DisableCoauthoring | Single-valued, Boolean | Gets or sets whether co-authoring using Microsoft Office is disabled. | Read, write (update only)
DisplayName | Single-valued, string | Gets or sets the display name used in Microsoft 365 for the object. | Read
DocumentLibraryCalloutOfficeWebAppPreviewersDisabled | Single-valued, Boolean | Gets or sets whether the Document Library Callout’s WAC previewers are disabled. | Read, write (update only)
EmailToNoPermissionWorkflowParticipantsEnabled | Single-valued, Boolean | Gets or sets whether users that have no site permissions receive a notification email when they are assigned workflow tasks. | Read, write (update only)
EnabledClaimProviders | Multivalued, string | Reserved for internal use. | Read
EventHandlersEnabled | Single-valued, Boolean | Gets or sets whether event handlers are enabled for the Web application. | Read, write (update only)
EventLogRetentionPeriod | Single-valued, string (TimeSpan) | Gets or sets the period (in days) during which the event logs are retained. | Read, write (update only)
ExternalUrlZone | Single-valued, string | Gets or sets the URL zone for cross-firewall access. | Read, write (update only)
ExternalWorkflowParticipantsEnabled | Single-valued, Boolean | Gets or sets whether external users can participate in a workflow if they have a document copy. | Read, write (update only)
FileNotFoundPage | Single-valued, string | Gets or sets the name of the HTML file that contains the error information to be displayed in a situation where a file is not found. | Read, write (update only)
ForceseekEnabled | Single-valued, Boolean | Gets or sets whether the FORCESEEK hint is enabled. | Read, write (update only)
Id | Single-valued, string | Gets or sets the object’s ID. | Read, write
IncomingEmailServerAddress | Single-valued, string | Gets or sets the name of the email server that is used to receive incoming email messages. | Read, write (update only)
InheritDataRetrievalSettings | Single-valued, Boolean | Gets or sets whether the Web application inherits data retrieval settings from the central administration application. | Read, write (update only)
IsAdministrationWebApplication | Single-valued, Boolean | Gets or sets whether the Web application is the central administration application. | Read, write (update only)
MasterPageReferenceEnabled | Single-valued, Boolean | Gets or sets whether site administrators can enable dynamic master page referencing for the Web application pages. | Read, write (update only)
MaximumFileSize | Single-valued, integer | Gets or sets the maximum file size limit for files to be uploaded. | Read, write (update only)
MaxItemsPerThrottledOperation | Single-valued, integer | Gets or sets the count of items at which throttling begins for list operations. | Read, write (update only)
MaxItemsPerThrottledOperationOverride | Single-valued, integer | Gets or sets the maximum count of items for which throttling is not enabled if the current user is an administrator or auditor. | Read, write (update only)
MaxItemsPerThrottledOperationWarningLevel | Single-valued, integer | Gets or sets the warning level for the number of items in list operations. | Read, write (update only)
MaxQueryLookupFields | Single-valued, integer | Gets or sets the maximum number of lookup fields that may be included in a list item query. | Read, write (update only)
MaxSizeForSelfServiceEvalSiteCreationMB | Single-valued, LargeInteger | Gets or sets the maximum possible size (in MB) of a site collection for which the creation of evaluation sites is permitted through self-service. | Read, write (update only)
MaxUniquePermScopesPerList | Single-valued, integer | Gets or sets the maximum number of unique scopes that can be in a list. | Read, write (update only)
MetaWeblogAuthenticationEnabled | Single-valued, Boolean | Gets or sets whether authentication via the MetaWeblog API is enabled for the Web application. | Read, write (update only)
MetaWeblogEnabled | Single-valued, Boolean | Gets or sets whether the MetaWeblog API is enabled for the Web application. | Read, write (update only)
OfficialFileName | Single-valued, string | Gets or sets the name of the Records Repository Web Service that is used to get the official file. | Read, write (update only)
OfficialFileUrl | Multivalued, string | Gets the URL of the Recovery Repository Web Service that is used to get the official file. | Read
OutboundMailCodePage | Single-valued, integer | Gets or sets the default code page that is used for sending emails. | Read, write (update only)
OutboundMailReplyToAddress | Single-valued, string | Gets or sets the default reply email address to be used in email messages. | Read, write (update only)
OutboundMailSenderAddress | Single-valued, string | Gets or sets the default sender’s email address to be displayed in the From field of outgoing email messages. | Read, write (update only)
Parent | Single-valued, string | Gets or sets the object’s parent. | Read, write
PresenceEnabled | Single-valued, Boolean | Gets or sets whether presence information is enabled in the Web application. | Read, write (update only)
ReadOnlyMaintenanceLink | Single-valued, string | Gets or sets a link to the upgrade maintenance page. | Read, write (update only)
RecycleBinCleanupEnabled | Single-valued, Boolean | Gets or sets whether recycle bin cleanup is enabled. | Read, write (update only)
RecycleBinEnabled | Single-valued, Boolean | Gets or sets whether the recycle bin is enabled. | Read, write (update only)
RecycleBinRetentionPeriod | Single-valued, integer | Gets or sets the period (in days) during which deleted items are retained in the recycle bin. | Read, write (update only)
RenderingFromMetainfoEnabled | Single-valued, Boolean | Gets or sets whether page roundtrip optimization is enabled. | Read, write (update only)
RequireContactForSelfServiceSiteCreation | Single-valued, Boolean | Gets or sets whether self-service site creation requires contact information of the site owner. | Read, write (update only)
ScopeExternalConnectionsToSiteSubscriptions | Single-valued, Boolean | No description available. | Read, write (update only)
SecondStageRecycleBinQuota | Single-valued, integer | Gets or sets the storage quota (in per cent) available to the second stage Recycle Bin. | Read, write (update only)
SelfServiceCreateIndividualSite | Single-valued, Boolean | Gets or sets whether self-service should create an individual site or a site collection. | Read, write (update only)
SelfServiceCreationParentSiteUrl | Single-valued, string | Gets or sets the parent site URL under which children sites are to be created. | Read, write (update only)
SelfServiceCreationQuotaTemplate | Single-valued, string | Gets or sets the quota template to be used when creating site collections. | Read, write (update only)
SelfServiceSiteCreationEnabled | Single-valued, Boolean | Gets or sets whether sites can be created by using self-service in the Web application. | Read, write (update only)
SelfServiceSiteCustomFormUrl | Single-valued, string | Gets or sets the custom form URL to be used when creating sites through self-service. | Read, write (update only)
SendLoginCredentialsByEmail | Single-valued, Boolean | Gets or sets whether logon credentials of newly-created users are sent to them via email. | Read, write (update only)
SendSiteUpgradeEmails | Single-valued, Boolean | Gets or sets whether an email notification should be sent once a site upgrade completes. | Read, write (update only)
SendUnusedSiteCollectionNotifications | Single-valued, Boolean | Gets or sets whether to send notifications to the owners of unused sites. | Read, write (update only)
ShowStartASiteMenuItem | Single-valued, Boolean | Gets or sets whether the Start a new site menu command is available. | Read, write (update only)
ShowURLStructure | Single-valued, Boolean | Gets or sets whether the users are allowed to see the file structure of the Web sites. | Read, write (update only)
StorageMetricsProcessingDuration | Single-valued, integer | Gets or sets the maximum duration (in seconds) for the processing of metric changes for documents. | Read, write (update only)
SuiteBarBrandingElementHtml | Single-valued, string | Gets or sets the HTML snippet that is displayed in the SuiteBarBrandingElement control. | Read, write (update only)
SyndicationEnabled | Single-valued, Boolean | Gets or sets whether syndication is enabled. | Read, write (update only)
TypeName | Single-valued, string | Gets the type of object for the Web application. | Read
UnthrottledPrivilegedOperationWindowEnabled | Single-valued, Boolean | Gets or sets whether to enable the unthrottled daily time window. When this attribute is set to TRUE, large list operations are not throttled when they occur within the time window. | Read, write (update only)
UnusedSiteNotificationPeriod | Single-valued, string (TimeSpan) | Gets the time period during which the site was unused. | Read
UnusedSiteNotificationsBeforeDeletion | Single-valued, integer | Gets or sets the number of site deletion notifications that must be sent before an unused site gets deleted. | Read, write (update only)
UpgradeEvalSitesRetentionDays | Single-valued, integer | Gets or sets the period (in days) since the evaluation site creation date after which the evaluation site gets deleted. | Read, write (update only)
UpgradeMaintenanceLink | Single-valued, string | Gets or sets a link pointing to the upgrade maintenance page. | Read, write (update only)
UpgradeReminderDelay | Single-valued, integer | Gets or sets the number of days by which the site collection administrator can put off the upgrade reminder. When this attribute value is set to 0, the status notification shows that an upgrade is required. | Read, write (update only)
UseClaimsAuthentication | Single-valued, Boolean | Gets or sets whether claims authentication is enabled. | Read, write (update only)
UseExternalUrlZoneForAlerts | Single-valued, Boolean | Gets or sets whether to use an external URL zone in emails providing information about alerts. If this attribute is set to TRUE and a cross-firewall URL zone is configured, then that zone is used in the emails containing alerts. If this attribute is set to TRUE and no cross-firewall URL zone is configured, then the emails containing alerts use the default zone URL for the Web application. | Read, write (update only)
UserDefinedWorkflowMaximumComplexity | Single-valued, integer | Gets or sets the maximum number of activities and bindings that a user-defined workflow can have. | Read, write (update only)
UserDefinedWorkflowsEnabled | Single-valued, Boolean | Gets or sets whether the users can create workflows in the Web application. | Read, write (update only)
UserPhotoErrorExpiration | Single-valued, string (Double) | Gets or sets the period (in hours) upon which the error window for photos expires. | Read, write (update only)
UserPhotoExpiration | Single-valued, string (Double) | Gets or sets the period (in hours) upon which the photo expires. | Read, write (update only)
UserPhotoImportEnabled | Single-valued, Boolean | Gets or sets whether photo import is enabled. | Read, write (update only)
UserPhotoOnlineImportEnabled | Single-valued, Boolean | Gets or sets whether photo import is enabled for Exchange Online. | Read, write (update only)
WebFileExtensions | Multivalued, string | Gets the list of file name extensions that identify Web files. | Read

WebTemplate object attributes

Table 86: WebTemplate object attributes

Attribute | Type | Description | Supported operations
AllowGlobalFeatureAssociations | Single-valued, Boolean | Gets whether global feature associations are allowed on sites created with the Web template. | Read
CompatibilityLevel | Single-valued, integer | Gets the compatibility level of the web template. This version number is used to perform compatibility checks. | Read
Description | Single-valued, string | Gets the description of the object. | Read
DisplayCategory | Single-valued, string | Gets the name of the category to which the web template belongs. | Read
Id | Single-valued, string | Gets or sets the object’s ID. | Read, write (create only)
IDWebTemplate | Single-valued, integer | Gets the Web template ID. | Read
IsCustomTemplate | Single-valued, Boolean | Gets whether this is a custom Web template. | Read
IsFarmWideTemplate | Single-valued, Boolean | Gets whether the Web template is a farm-wide template and can be used to create sites across the entire SharePoint farm. | Read
IsHidden | Single-valued, Boolean | Gets whether the Web template is hidden from the user interface. | Read
IsRootWebOnly | Single-valued, Boolean | Gets whether the Web template can only be applied to the root site in the site collection. | Read
IsSubWebOnly | Single-valued, Boolean | Gets whether the Web template is only applicable to subsites within the site collection. | Read
IsUnique | Single-valued, Boolean | Gets whether the site created from the Web template inherits from its parent. | Read
Lcid | Single-valued, integer | Gets the locale identifier of the Web template. | Read
Name | Single-valued, string | Gets the Web template’s internal name. | Read
Parent | Single-valued, string, reference (Web object) | Gets or sets the object’s parent. | Read, write (create only)
ProvisionAssembly | Single-valued, string | Gets the name of the assembly that implements the class which contains logic for provisioning sites created through the Web template. | Read
ProvisionClass | Single-valued, string | Gets the name of the class which provides logic for provisioning sites created through the Web template. | Read
ProvisionData | Single-valued, string | Gets the data that is passed to the site provisioning handler when creating sites. | Read
SupportsMultilingualUI | Single-valued, Boolean | Gets whether it is possible to enable alternate user interface languages for the sites created from the Web template. | Read
Title | Single-valued, string | Gets the display name of the web template. | Read
UserLicensingId | Single-valued, string | Gets the per-user license. | Read
VisibilityFeatureDependencyId | Single-valued, string | Gets the GUID of the feature on which the Web template depends. | Read

Considerations for creating objects in SharePoint

When creating objects in SharePoint, please consider the following:

- RoleAssignment object. To create this object, you must populate the value of the Member
  attribute for the object. Since Member is a reference attribute, you can only populate its
  value by configuring a value generation rule. For more information about value generation
  rules, see Using value generation rules.
- Site object. To create this object, you must populate the values of attributes Url and
  Owner for the object.

Configuring data synchronization with the Office 365 Connector

With the Office 365 Connector, you can configure data synchronization connections for the
Microsoft 365 service.

NOTE: To use the Office 365 Connector, the Azure BackSync application requires the following
minimum set of permissions and roles for implementing automatic permission and role
assignment in Active Roles Synchronization Service:

- Exchange Administrator
- Directory Writers

Configure these privileges in the Azure portal for the user account you use to configure
Azure BackSync.
The Office 365 Connector supports the following features:

Table 87: Supported features

Bidirectional synchronization: Yes
  Specifies whether you can both read and write data in the connected data system.

Delta processing mode: No
  Specifies whether the connection can process only the data that has changed in the
  connected data system since the last synchronization operation. This reduces the overall
  synchronization duration.

Password synchronization: No
  Specifies whether you can synchronize user passwords from an Active Directory (AD) domain
  to the connected data system.

Secure Sockets Layer (SSL) data encryption: Yes
  Specifies whether the connector can use SSL to encrypt data transmitted between Active
  Roles Synchronization Service and the connected data system.
  The Office 365 Connector uses cmdlets supplied by the Microsoft Azure Active Directory
  Module for Windows PowerShell to access Microsoft 365. For this reason, all traffic between
  Active Roles Synchronization Service and Microsoft 365 is encrypted using the SSL
  certificate configured on the Microsoft 365 side.

Creating a Microsoft 365 connection

With the Office 365 Connector, you can configure data synchronization connections for the
Microsoft 365 service.

NOTE: To use the Office 365 Connector, the Azure BackSync application requires the following
minimum set of permissions and roles for implementing automatic permission and role
assignment in Active Roles Synchronization Service:

- Exchange Administrator
- Directory Writers

Configure these privileges in the Azure portal for the user account you use to configure
Azure BackSync.

To create a new Microsoft 365 connection

1. In the Active Roles Synchronization Service console, click Connections > Add connection.

   Figure 4: Active Roles Synchronization Service console – Adding a new connection via
   Connections > Add connection

2. In Name connection and select connector, specify a custom Connection name. Then, to load
   the Microsoft 365-specific connector settings, from the Use the specified connector
   drop-down list, select Office 365 Connector.
3. (Optional) If you plan to use a remote connector for the configured connection, configure
   Remote connector access as described in Creating a connection using a remotely installed
   connector. To continue, click Next.
4. On the Specify connection settings page, configure the following settings:
   - Microsoft Online Services ID: Specify the Microsoft Online Services ID with which you
     want to access Microsoft 365.
     NOTE: The Microsoft 365 user account whose ID you specify must have the Global
     Administrator role and Exchange Online license assigned in your Microsoft 365
     organization.
   - Password: Type the password for the specified Microsoft Online Services ID.
   - Proxy server: Specify whether you want to use a proxy server for the connection. The
     available options are the following:
     - Use WinHTTP settings: Causes the connector to use the proxy server settings
       configured for Windows HTTP Services (WinHTTP).
     - Automatically detect: Automatically detects and uses proxy server settings.
     - Do not use proxy settings: Specifies not to use any proxy server for the connection.
   - SharePoint Online: Select this option if you want to work with object types and
     attributes specific to SharePoint Online. For more information about these object
     types, see Objects and attributes specific to Microsoft 365 services. If you select this
     option, specify the SharePoint Online administration center URL in the Administration
     Center URL field.
     NOTE: To use this option, you must install SharePoint Online Management Shell on your
     computer. For more information, see System Requirements in the Active Roles Release
     Notes.
5. To verify the specified connection settings, click Test Connection.
   TIP: If Active Roles Synchronization Service finds any incorrect settings, it will
   indicate them in an error message dialog. Check and fix those settings, then try again.
   If testing fails again, then:
   - Check your network connectivity.
   - Check if the Microsoft 365 service is available.
   - If you set the Proxy server settings to use the operating system configuration, make
     sure that the system-level proxy settings are properly configured.
6. If testing completed successfully, create the new Microsoft 365 connection by clicking
   Finish.

Viewing or modifying a Microsoft 365 connection

You can view or modify an existing connection based on the Office 365 Connector with the
Active Roles Synchronization Service Console. Modifying an Office 365 Connector connection is
typically required if any change occurs in the Microsoft 365 service of your organization to
which the Active Roles Synchronization Service connection was originally configured.

NOTE: To use the Office 365 Connector, the Azure BackSync application requires the following
minimum set of permissions and roles for implementing automatic permission and role
assignment in Active Roles Synchronization Service:

- Exchange Administrator
- Directory Writers

Configure these privileges in the Azure portal for the user account you use to configure
Azure BackSync.

To view or modify an existing Microsoft 365 connection

1. In the Active Roles Synchronization Service Console, click Connections.
2. In the Connections page, search for the connection you want to modify, then click
   Connection settings.
3. (Optional) In General, modify the custom Connection name.
4. (Optional) In Connection Settings, modify the following settings as you need:
   - Microsoft Online Services ID: Specify the Microsoft Online Services ID with which you
     want to access Microsoft 365.
     NOTE: The Microsoft 365 user account whose ID you specify must have the Global
     Administrator role and Exchange Online license assigned in your Microsoft 365
     organization.
   - Password: Type the password for the specified Microsoft Online Services ID.
   - Proxy server: Specify whether you want to use a proxy server for the connection. The
     available options are the following:
     - Use WinHTTP settings: Causes the connector to use the proxy server settings
       configured for Windows HTTP Services (WinHTTP).
     - Automatically detect: Automatically detects and uses proxy server settings.
     - Do not use proxy settings: Specifies not to use any proxy server for the connection.
   - SharePoint Online: Select this option if you want to work with object types and
     attributes specific to SharePoint Online. For more information about these object
     types, see Objects and attributes specific to Microsoft 365 services. If you select this
     option, specify the SharePoint Online administration center URL in the Administration
     Center URL field.
     NOTE: To use this option, you must install SharePoint Online Management Shell on your
     computer. For more information, see System Requirements in the Active Roles Release
     Notes.
5. (Optional) In Scope, modify the scope of objects included in the data synchronization
   process of the connection. For more information on the Scope settings, see Modifying
   synchronization scope for a connection.
6. (Optional) In Connection Handlers, create, update or remove any automated data
   synchronization operations for the connection. For more information on the Connection
   Handlers settings, see Using connection handlers.
7. To apply your changes, click Save and Continue.

Microsoft 365 data supported for data synchronization

The following table lists:

- The Microsoft 365 object types supported by the Office 365 Connector.
- The CRUD operations that the Office 365 Connector can perform on each supported object
  type.

Table 88: Microsoft 365 object types supported by the Office 365 Connector

ClientPolicy [Read: Yes; Create: No; Delete: No; Update: No]
  Allows you to work with client policies in Microsoft Teams. Use client policies to
  determine the features of Microsoft Teams available to users.
  For more information on the data you can read, see ClientPolicy object attributes
  supported for Microsoft 365 data synchronization.

ConferencingPolicy [Read: Yes; Create: No; Delete: No; Update: No]
  Allows you to work with conferencing policies in Microsoft Teams. Use conferencing
  policies to determine the features available to the users participating in Teams
  conference calls.
  For more information on the data you can read, see ConferencingPolicy object attributes
  supported for Microsoft 365 data synchronization.

Contact [Read: Yes; Create: Yes; Delete: Yes; Update: Yes]
  Allows you to work with external contact properties in Microsoft 365.
  For more information on what data you can create, read, update or delete, see Contact
  object attributes supported for Microsoft 365 data synchronization.

DistributionGroup [Read: Yes; Create: Yes; Delete: Yes; Update: Yes]
  Allows you to work with distribution group properties in Microsoft 365.
  For more information on what data you can create, read, update or delete, see
  DistributionGroup object attributes supported for Microsoft 365 data synchronization.

Domain [Read: Yes; Create: No; Delete: No; Update: No]
  Allows you to retrieve information about domains in Microsoft 365.
  For more information on what domain data you can retrieve, see Domain object attributes
  supported for Microsoft 365 data synchronization.

DynamicDistributionGroup [Read: Yes; Create: Yes; Delete: Yes; Update: Yes]
  Allows you to work with dynamic distribution group properties in Microsoft 365.
  For more information on what data you can create, read, update or delete, see
  DynamicDistributionGroup object attributes supported for Microsoft 365 data
  synchronization.

ExternalAccessPolicy [Read: Yes; Create: No; Delete: No; Update: No]
  Allows you to work with external access policies in Microsoft Teams.
  For more information on what data you can read, see ExternalAccessPolicy object
  attributes supported for Microsoft 365 data synchronization.

HostedVoicemailPolicy [Read: Yes; Create: No; Delete: No; Update: No]
  Allows you to work with voice mail policies in Microsoft Teams.
  For more information on what data you can read, see HostedVoicemailPolicy object
  attributes supported for Microsoft 365 data synchronization.

LicensePlanService [Read: Yes; Create: No; Delete: No; Update: No]
  Allows you to retrieve information related to the license plans and services that are
  currently in use in your Microsoft 365 organization.
  For more information on what data you can read, see LicensePlanService object attributes
  supported for Microsoft 365 data synchronization.

Mailbox [Read: Yes; Create: Yes; Delete: Yes; Update: Yes]
  Allows you to work with Exchange Online mailboxes in Microsoft 365.
  For more information on what data you can create, read, update or delete, see Mailbox
  object attributes supported for Microsoft 365 data synchronization.

MailUser [Read: Yes; Create: Yes; Delete: Yes; Update: Yes]
  Allows you to work with mail user properties in Microsoft 365.
  For more information on what data you can create, read, update or delete, see MailUser
  object attributes supported for Microsoft 365 data synchronization.

PresencePolicy [Read: Yes; Create: No; Delete: No; Update: No]
  Allows you to work with presence policies in Microsoft Teams.
  For more information on what data you can read, see PresencePolicy object attributes
  supported for Microsoft 365 data synchronization.

SecurityGroup [Read: Yes; Create: Yes; Delete: Yes; Update: Yes]
  Allows you to work with security group properties in Microsoft 365.
  For more information on what data you can create, read, update or delete, see
  SecurityGroup object attributes supported for Microsoft 365 data synchronization.

SPOSite [Read: Yes; Create: Yes; Delete: Yes; Update: Yes]
  Allows you to work with the properties of site collections in SharePoint Online.
  For more information on what data you can create, read, update or delete, see SPOSite
  object attributes supported for Microsoft 365 data synchronization.

SPOSiteGroup [Read: Yes; Create: Yes; Delete: Yes; Update: Yes]
  Allows you to work with groups inside site collections in SharePoint Online.
  For more information on what data you can create, read, update or delete, see
  SPOSiteGroup object attributes supported for Microsoft 365 data synchronization.

SPOWebTemplate [Read: Yes; Create: No; Delete: No; Update: No]
  Allows you to work with Web templates in SharePoint Online.
  For more information on what data you can read, see SPOWebTemplate object attributes
  supported for Microsoft 365 data synchronization.

SPOTenant [Read: Yes; Create: No; Delete: No; Update: Yes]
  Allows you to work with the data of the SharePoint Online organization.
  For more information on what data you can read, see SPOTenant object attributes supported
  for Microsoft 365 data synchronization.

User [Read: Yes; Create: Yes; Delete: Yes; Update: Yes]
  Allows you to work with user properties in Microsoft 365.
  For more information on what data you can create, read, update or delete, see User object
  attributes supported for Microsoft 365 data synchronization.

VoicePolicy [Read: Yes; Create: No; Delete: No; Update: No]
  Allows you to work with data related to voice policies in Microsoft Teams.
  For more information on what data you can create, read, update or delete, see VoicePolicy
  object attributes supported for Microsoft 365 data synchronization.

Microsoft 365 Group [Read: Yes; Create: Yes; Delete: Yes; Update: Yes]
  Allows you to work with data related to Microsoft 365 groups.
  For more information on what data you can create, read, update or delete, see Microsoft
  365 Group attributes supported for Microsoft 365 data synchronization.

ClientPolicy object attributes supported for Microsoft 365 data synchronization

The Office 365 Connector supports the following ClientPolicy attributes for synchronization.

Table 89: ClientPolicy attributes supported for data synchronization

Anchor [Read]
  Gets the Anchor property value of the object.

Description [Read]
  Gets the description of the object.

Identity [Read]
  Gets the unique identifier assigned to the object.

Members [Read]
  Gets the users who have been assigned to the object.

ObjectID [Read]
  Gets the globally unique object identifier (GUID) of the object.

ConferencingPolicy object attributes supported for Microsoft 365 data synchronization

The Office 365 Connector supports the following ConferencingPolicy attributes for
synchronization.

Table 90: ConferencingPolicy attributes

Anchor [Read]
  Gets the Anchor property value of the object.

Description [Read]
  Gets the description of the object.

Identity [Read]
  Gets the unique identifier assigned to the object.

Members [Read]
  Gets the users who have been assigned to the object.

ObjectID [Read]
  Gets the globally unique object identifier (GUID) of the object.

Contact object attributes supported for Microsoft 365 data synchronization

The Office 365 Connector supports the following Contact attributes for synchronization.

Table 91: Contact attributes

AcceptMessagesOnlyFrom [Read, Write]
  Gets or sets the senders that can send email messages to the object.
  This reference attribute can take senders in any of the following formats:
  - Alias
  - Canonical name
  - Display name
  - DN
  - Exchange DN
  - GUID
  - Name
  - Primary SMTP email address
  This reference attribute accepts the following object types:
  - MailUser
  - Mailbox
  - Contact

AcceptMessagesOnlyFromDLMembers [Read, Write]
  Gets or sets the distribution groups whose members are allowed to send email messages to
  the object.
  This reference attribute can take distribution groups in any of the following formats:
  - Canonical name
  - Display name
  - DN
  - GUID
  - Legacy Exchange DN
  - Name
  - Primary SMTP email address
  This reference attribute accepts the following object types:
  - DistributionGroup
  - DynamicDistributionGroup

AcceptMessagesOnlyFromSendersOrMembers [Read, Write]
  Gets or sets the senders who can send email messages to the object.
  This reference attribute can take senders in any of the following formats:
  - Canonical name
  - Display name
  - Distinguished name (DN)
  - GUID
  - Legacy Exchange DN
  - Name
  - Primary SMTP email address
  This reference attribute accepts the following object types:
  - Contact
  - DistributionGroup
  - DynamicDistributionGroup
  - Mailbox
  - MailUser

Alias [Read, Write]
  Gets or sets the alias of the object.

AllowUMCallsFromNonUsers [Read, Write]
  Gets or sets whether to exclude or include the object in directory searches.
  This attribute can take one of the following values:
  - None: Specifies to exclude the object from directory searches.
  - SearchEnabled: Specifies to include the object in directory searches.

AssistantName [Read, Write]
  Gets or sets the name of the assistant associated with the object.

BypassModerationFromSendersOrMembers [Read, Write]
  Gets or sets the senders whose messages bypass moderation for the object.
  This reference attribute can take any of the following values for the senders:
  - Canonical name
  - Display name
  - Distinguished name (DN)
  - GUID
  - Name
  - Legacy Exchange DN
  - Primary SMTP email address
  Moderation does not apply to the senders designated as moderators for the contact.
  This reference attribute accepts the following object types:
  - Contact
  - DistributionGroup
  - DynamicDistributionGroup
  - Mailbox
  - MailUser

City [Read, Write]
  Gets or sets the city associated with the object.

Company [Read, Write]
  Gets or sets the company associated with the object.

CountryOrRegion [Read, Write]
  Gets or sets the country or region associated with the object.

CreateDTMFMap [Read, Write]
  Sets whether to create a dual-tone multi-frequency (DTMF) map for the object.
  This attribute can take one of the following values:
  - TRUE: Specifies to create a DTMF map for the object.
  - FALSE: Specifies not to create a DTMF map for the object.

CustomAttribute1, CustomAttribute2, CustomAttribute3, CustomAttribute4, CustomAttribute5,
CustomAttribute6, CustomAttribute7, CustomAttribute8, CustomAttribute9, CustomAttribute10,
CustomAttribute11, CustomAttribute12, CustomAttribute13, CustomAttribute14,
CustomAttribute15 [Read, Write]
  Gets or sets the additional custom values you specified.

Department [Read, Write]
  Gets or sets the department associated with the object.

DisplayName [Read, Write]
  Gets or sets the display name used in Microsoft 365 for the object.

EmailAddresses [Read, Write]
  Gets or sets the email alias(es) of the object.
  TIP: To specify multiple email addresses, use comma (,) as a separator.

ExtensionCustomAttribute1, ExtensionCustomAttribute2, ExtensionCustomAttribute3,
ExtensionCustomAttribute4, ExtensionCustomAttribute5 [Read, Write]
  Gets or sets the additional custom values you specify. These attributes are multivalued.
  TIP: To specify multiple values, use comma as a separator.

ExternalDirectoryObjectId [Read]
  Gets the globally unique identifier (GUID) of the object.

ExternalEmailAddress [Read, Write]
  Gets or sets the email address of the contact.

Fax [Read, Write]
  Gets or sets the fax number of the object.

FirstName [Read, Write]
  Gets or sets the first name of the object.

GrantSendOnBehalfTo [Read, Write]
  Gets or sets the distinguished name (DN) of other senders that can send messages on behalf
  of the object.
  This reference attribute accepts the Mailbox object type only.

HiddenFromAddressListsEnabled [Read, Write]
  Gets or sets whether Microsoft 365 hides the object from address lists.
  This attribute can take one of the following values:
  - TRUE: Hides the object from address lists.
  - FALSE (default): Shows the object in address lists.

HomePhone [Read, Write]
  Gets or sets the home phone number associated with the object.

Initials [Read, Write]
  Gets or sets the initials associated with the object.

LastName [Read, Write]
  Gets or sets the last name of the object.

MacAttachmentFormat [Read, Write]
  Gets or sets the Apple Macintosh operating system attachment format for messages sent to
  the object.
  This attribute can take the following values:
  - BinHex
  - UuEncode
  - AppleSingle
  - AppleDouble

MailTip [Read, Write]
  Gets or sets the message displayed to senders when they start writing an email message to
  the object.

MailTipTranslations [Read, Write]
  Gets or sets the MailTip message translations in additional languages.
  This attribute accepts the following format: <LanguageLocale>:<MailTipMessageTranslation>
  NOTE: MailTip message translations cannot be longer than 250 characters.

Manager [Read, Write]
  Gets or sets the manager of the object.

MaxRecipientPerMessage [Read, Write]
  Gets or sets the maximum number of recipients to which the contact can address a message.

MessageBodyFormat [Read, Write]
  Gets or sets the message body format for messages sent to the contact.
  The values this attribute can write depend on the value in the MessageFormat attribute.
  When the value of MessageFormat is Mime, the MessageBodyFormat attribute can write the
  following values:
  - Text
  - Html
  - TextAndHtml
  When the value of MessageFormat is Text, the MessageBodyFormat attribute can only write
  the Text value.

MessageFormat [Read, Write]
  Gets or sets the message format for messages sent to the contact.
  This attribute can take the following values:
  - Text
  - Mime

MobilePhone [Read, Write]
  Gets or sets the mobile phone number associated with the object.

ModeratedBy [Read, Write]
  Gets or sets the users who are moderating the messages sent to the object.
  TIP: To specify multiple users as moderators, use comma as separator.
  NOTE: This reference attribute is required if you set the value of the ModerationEnabled
  attribute to TRUE.
  This reference attribute accepts the following object types:
  - Mailbox
  - MailUser

ModerationEnabled [Read, Write]
  Gets or sets whether moderation is enabled for the object.
  This attribute can take one of the following values:
  - TRUE
  - FALSE

Name [Read, Write]
  Gets or sets the name of the object.

Notes [Read, Write]
  Gets or sets notes about the object.

ObjectID [Read]
  Gets the globally unique object identifier (GUID) of the object.

Office [Read, Write]
  Gets or sets the company office location associated with the object.

OtherFax [Read, Write]
  Gets or sets the alternate fax number of the object.

OtherHomePhone [Read, Write]
  Gets or sets the alternate home phone number of the object.

Pager [Read, Write]
  Gets or sets the pager number of the object.

Phone [Read, Write]
  Gets or sets the work phone number of the object.

PhoneticDisplayName [Read, Write]
  Gets or sets the phonetic pronunciation of the DisplayName attribute value of the object.

PostalCode [Read, Write]
  Gets or sets the postal code of the object.

PostOfficeBox [Read, Write]
  Gets or sets the post office box number of the object.

RejectMessagesFrom [Read, Write]
  Gets or sets the senders whose messages to the object will be rejected.
  This attribute can take senders in one of the following formats:
  - Alias
  - Canonical name
  - Display name
  - Distinguished name (DN)
  - GUID
  - Name
  - Legacy Exchange DN
  - Primary SMTP email address
  This reference attribute accepts the following object types:
  - Contact
  - Mailbox

RejectMessagesFromDLMembers [Read, Write]
  Gets or sets the distribution groups whose members cannot send email messages to the
  object (their messages will be rejected).
  This reference attribute can take distribution groups in one of the following formats:
  - Alias
  - Canonical name
  - Display name
  - Distinguished name (DN)
  - GUID
  - Legacy Exchange DN
  - Name
  - Primary SMTP email address
  This reference attribute accepts the following object types:
  - DistributionGroup
  - DynamicDistributionGroup

RejectMessagesFromSendersOrMembers [Read, Write]
  Gets or sets the senders that cannot send email messages to the object (their messages
  will be rejected).
  This reference attribute can take any of the following values for the senders:
  - Alias
  - Canonical name
  - Display name
  - Distinguished name (DN)
  - GUID
  - Name
  - Legacy Exchange DN
  - Primary SMTP email address
  This reference attribute accepts the following object types:
  - Contact
  - DistributionGroup
  - DynamicDistributionGroup
  - Mailbox

RequireSenderAuthenticationEnabled [Read, Write]
  Gets or sets whether the senders that send messages to this object must be authenticated.
  This attribute can take one of the following values:
  - TRUE: Messages sent to this object must be authenticated.
  - FALSE: No message authentication is required.

SecondaryAddress [Read, Write]
  Gets or sets the secondary address for the object if it has Unified Messaging enabled.

SecondaryDialPlan [Read, Write]
  Gets or sets the secondary Unified Messaging dial plan for the object.

SendModerationNotifications [Read, Write]
  Gets or sets whether to send status notifications to users when a message they sent to
  the moderated object is rejected by a moderator.
  This attribute can take one of the following values:
  - Always: Specifies that notifications are sent to all senders.
  - Internal: Specifies that notifications are only sent to the senders internal to your
    organization.
  - Never: Specifies that all status notifications are disabled.

SimpleDisplayName [Read, Write]
  Gets or sets an alternate description of the object if only a limited set of characters
  is allowed. The limited set of characters includes ASCII characters 26–126.

StateOrProvince [Read, Write]
  Gets or sets the state or province information of the object.

StreetAddress [Read, Write]
  Gets or sets the street address information of the object.

TelephoneAssistant [Read, Write]
  Gets or sets the phone number of the contact’s assistant.

Title [Read, Write]
  Gets or sets the title of the object.

UMCallingLineIds [Read, Write]
  Gets or sets telephone numbers or telephone extensions that can be mapped to the contact
  if it has Unified Messaging enabled.
  TIP: To specify multiple telephone numbers, use a comma as a separator.
  NOTE: This attribute accepts values with less than 128 characters only.

UMDtmfMap [Read, Write]
  Gets or sets whether to create a user-defined DTMF map for the object if it has Unified
  Messaging enabled.

UseMapiRichTextFormat [Read, Write]
  Gets or sets a format for the MAPI Rich Text Format messages sent to the object.
  - Never: Specifies to convert all messages sent to the object to the plain text format.
  - Always: Specifies to always use the MAPI Rich Text Format (RTF) for the messages sent to
    the object.
  - UseDefaultSettings: Specifies to use the message format set in the MAPI client that sent
    the message to the object.

UsePreferMessageFormat [Read, Write]
  Gets or sets whether the message format specified for the object overrides any global
  settings (for example, those configured for the remote domain).
  This attribute can take one of the following values:
  - TRUE: Specifies that the message format set for the object overrides any global
    settings.
  - FALSE: Specifies that global settings have precedence over the mail format set for the
    object.

WebPage [Read, Write]
  Gets or sets the web page contact information of the object.

WindowsEmailAddress [Read, Write]
  Gets or sets the email address of the object stored in Active Directory.
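Several constraints in the Contact table above can be checked before a synchronization step writes a Contact to Microsoft 365: the MessageBodyFormat values allowed for each MessageFormat, the ModeratedBy requirement when ModerationEnabled is TRUE, the SimpleDisplayName character range, the MailTipTranslations format and 250-character limit, the 128-character limit on UMCallingLineIds values, and the comma-separated multi-valued attributes. The following Python script is an added example, not code from the guide or from Active Roles; the attribute-dictionary input shape and the sample contact records are constructed for illustration.

```python
"""Pre-flight checks for Contact attribute values before the Office 365 Connector
writes them. Added example: the rules are the ones stated in Table 91; the
dictionary input shape and the sample records below are constructed."""

# Attributes the guide documents as comma-separated multi-valued attributes.
MULTI_VALUED = {"EmailAddresses", "ModeratedBy", "UMCallingLineIds"} | {
    f"ExtensionCustomAttribute{i}" for i in range(1, 6)
}

# Attributes with a closed set of documented values.
ENUMS = {
    "AllowUMCallsFromNonUsers": {"None", "SearchEnabled"},
    "MacAttachmentFormat": {"BinHex", "UuEncode", "AppleSingle", "AppleDouble"},
    "MessageFormat": {"Text", "Mime"},
    "SendModerationNotifications": {"Always", "Internal", "Never"},
    "UseMapiRichTextFormat": {"Never", "Always", "UseDefaultSettings"},
}

# MessageBodyFormat values that may be written for each MessageFormat value.
BODY_FORMATS = {"Mime": {"Text", "Html", "TextAndHtml"}, "Text": {"Text"}}

MAILTIP_TRANSLATION_MAX = 250  # translations cannot be longer than this
UM_CALLING_LINE_ID_MAX = 128   # values must be shorter than this


def split_values(attr, raw):
    """Return the individual values of an attribute (comma-separated if multi-valued)."""
    if attr in MULTI_VALUED:
        return [v.strip() for v in raw.split(",") if v.strip()]
    return [raw] if raw else []


def validate_contact(attrs):
    """Return a list of problems found in a Contact record; an empty list means it passes."""
    errors = []

    for attr, allowed in ENUMS.items():
        if attr in attrs and attrs[attr] not in allowed:
            errors.append(f"{attr}: {attrs[attr]!r} is not one of {sorted(allowed)}")

    # The values MessageBodyFormat may take depend on MessageFormat.
    fmt = attrs.get("MessageFormat")
    body = attrs.get("MessageBodyFormat")
    if body is not None and fmt in BODY_FORMATS and body not in BODY_FORMATS[fmt]:
        errors.append(f"MessageBodyFormat: {body!r} is not allowed when MessageFormat is {fmt!r}")

    # ModeratedBy is required once moderation is switched on.
    if attrs.get("ModerationEnabled", "FALSE").upper() == "TRUE":
        if not split_values("ModeratedBy", attrs.get("ModeratedBy", "")):
            errors.append("ModeratedBy: required when ModerationEnabled is TRUE")

    # SimpleDisplayName is limited to ASCII characters 26-126.
    bad = [ch for ch in attrs.get("SimpleDisplayName", "") if not 26 <= ord(ch) <= 126]
    if bad:
        errors.append(f"SimpleDisplayName: character U+{ord(bad[0]):04X} is outside ASCII 26-126")

    # MailTipTranslations uses the form <LanguageLocale>:<MailTipMessageTranslation>.
    if "MailTipTranslations" in attrs:
        locale, sep, text = attrs["MailTipTranslations"].partition(":")
        if not (sep and locale and text):
            errors.append("MailTipTranslations: expected <LanguageLocale>:<MailTipMessageTranslation>")
        elif len(text) > MAILTIP_TRANSLATION_MAX:
            errors.append(f"MailTipTranslations: translation is {len(text)} characters, "
                          f"limit is {MAILTIP_TRANSLATION_MAX}")

    # Each UMCallingLineIds value must be shorter than 128 characters.
    for value in split_values("UMCallingLineIds", attrs.get("UMCallingLineIds", "")):
        if len(value) >= UM_CALLING_LINE_ID_MAX:
            errors.append(f"UMCallingLineIds: value of {len(value)} characters exceeds the limit")

    return errors


# Constructed sample records (not real tenant data).
GOOD_CONTACT = {
    "Name": "Alex Vendor",
    "ExternalEmailAddress": "alex@partner.example",
    "EmailAddresses": "alex@partner.example, a.vendor@partner.example",
    "MessageFormat": "Text",
    "MessageBodyFormat": "Text",
    "ModerationEnabled": "TRUE",
    "ModeratedBy": "moderator1@contoso.example",
    "SimpleDisplayName": "Alex Vendor (Partner)",
    "MailTipTranslations": "fr-FR:Contact externe",
    "UMCallingLineIds": "12345, 67890",
}
BAD_CONTACT = {
    "MessageFormat": "Text",
    "MessageBodyFormat": "Html",         # only Text is allowed with MessageFormat=Text
    "ModerationEnabled": "TRUE",         # but no ModeratedBy is given
    "SimpleDisplayName": "Alex Véndor",  # é is outside ASCII 26-126
    "MailTipTranslations": "fr-FR:" + "x" * 251,
    "UMCallingLineIds": "1" * 128,
    "MacAttachmentFormat": "Zip",
}

if __name__ == "__main__":
    for label, record in (("good", GOOD_CONTACT), ("bad", BAD_CONTACT)):
        print(label, validate_contact(record) or "OK")
```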

DistributionGroup object attributes supported for Microsoft 365 data synchronization

The Office 365 Connector supports the following DistributionGroup attributes for
synchronization.

Table 92: DistributionGroup attributes

AcceptMessagesOnlyFrom [Read, Write]
  Gets or sets the senders that can send email messages to the object.
  This reference attribute can take senders in any of the following formats:
  - Alias
  - Canonical DN
  - Display name
  - Distinguished name (DN)
  - Domain\account
  - GUID
  - Immutable ID
  - Legacy Exchange DN
  - SMTP address
  - User principal name
  This reference attribute accepts the following object types:
  - MailUser
  - Mailbox
  - Contact

AcceptMessagesOnlyFromDLMembers Gets or sets the distribution Read,


groups whose members are Write
allowed to send email
messages to the object.
This reference attribute can
take distribution groups in any
of the following formats:

l Alias
l Canonical DN
l Display name

Active Roles 8.0 LTS Synchronization Service Administration Guide


248
Connections to external data systems
Attribute Description Supported
operation
s

l Distinguished name
(DN)
l Domain\account
l GUID
l Immutable ID
l Legacy Exchange DN
l SMTP address
l User principal name

This reference attribute


accepts the following object
types:

l DistributionGroup
l Dynam-
icDistributionGroup

AcceptMessagesOnlyFromSendersOrMemb Gets or sets the senders who Read,


ers can send email messages to Write
the object.
This attribute can take senders
in any of the following
formats:

l Alias
l Canonical DN
l Display name
l Distinguished name
(DN)
l Domain\account
l GUID
l Immutable ID
l Legacy Exchange DN
l SMTP address
l User principal name

This reference attribute


accepts the following object
types:

Active Roles 8.0 LTS Synchronization Service Administration Guide


249
Connections to external data systems
Attribute Description Supported
operation
s

l Contact
l DistributionGroup
l Dynam-
icDistributionGroup
l Mailbox
l MailUser

Alias Gets or sets the alias of the Read,


object. Write

BypassModerationFromSendersOrMembers Gets or sets the senders Read,


whose messages bypass Write
moderation for the object.
This reference attribute can
take senders in any of the
following formats:

l Alias
l Canonical DN
l Display name
l Distinguished name
(DN)
l Domain\account
l GUID
l Immutable ID
l Legacy Exchange DN
l SMTP address
l User principal name

This reference attribute


accepts the following object
types:

l Contact
l DistributionGroup
l DynamicDistributionGro
up
l Mailbox

Active Roles 8.0 LTS Synchronization Service Administration Guide


250
Connections to external data systems
Attribute Description Supported
operation
s

l MailUser

BypassNestedModerationEnabled Gets or sets whether Read,


moderators of parent groups Write
are allowed to moderate
nested groups for which
moderation is enabled.
This attribute can take one of
the following values:

l TRUE: Specifies that


email messages
approved by parent
group moderators
bypass any moderation
in nested groups.
l FALSE: Specifies that
email messages
approved by parent
group moderators still
can be moderated in
nested groups.

CreateDTMFMap Sets whether to create a dual- Write


tone multi-frequency (DTMF)
map for the object.
This attribute can take one of
the following values:

l TRUE. Specifies to create


a DTMF map for the
object.
l FALSE. Specifies not to
create a DTMF map for
the object.

Active Roles 8.0 LTS Synchronization Service Administration Guide


251
Connections to external data systems
Attribute Description Supported
operation
s

CustomAttribute1 Gets or sets the additional Read,


custom values you specified. Write
CustomAttribute2

CustomAttribute3

CustomAttribute4

CustomAttribute5

CustomAttribute6

CustomAttribute7

CustomAttribute8

CustomAttribute9

CustomAttribute10

CustomAttribute11

CustomAttribute12

CustomAttribute13

CustomAttribute14

CustomAttribute15

Description Gets or sets the description of Read,


the object. Write

DisplayName Gets or sets the display name Read,


used in Microsoft 365 for the Write
object.

EmailAddresses Gets or sets the email alias Read,


(es) of the object. Write
TIP: To specify multiple
email addresses, use
comma (,) as a separator.

ExtensionCustomAttribute1 Gets or sets the additional Read,


custom values you specify. Write
ExtensionCustomAttribute2 These attributes are
ExtensionCustomAttribute3 multivalued.
TIP: To specify multiple
ExtensionCustomAttribute4
values, use comma as a
ExtensionCustomAttribute5 separator.

Active Roles 8.0 LTS Synchronization Service Administration Guide


252
Connections to external data systems
Attribute Description Supported
operation
s

GrantSendOnBehalfTo Gets or sets the distinguished Read,


name (DN) of other senders Write
that can send messages on
behalf of the object.
This reference attribute can
take senders in any of the
following formats:

l Alias
l Canonical DN
l Display name
l Distinguished name
(DN)
l Domain\account
l GUID
l Immutable ID
l Legacy Exchange DN
l SMTP address
l User principal name

This reference attribute only


accepts the following object
type:

l Mailbox

HiddenFromAddressListsEnabled Gets or sets whether Microsoft Read,


365 hides the object from Write
address lists.
This attribute can take one of
the following values:

l TRUE: Hides the object


from address lists.
l FALSE (default): Shows
the object in address
lists.

IgnoreNamingPolicy Sets whether to ignore the Write


naming policy applicable to
the distribution groups created

Active Roles 8.0 LTS Synchronization Service Administration Guide


253
Connections to external data systems
Attribute Description Supported
operation
s

in the organization.
This attribute can take one of
the following values:

l TRUE: Specifies to ignore


the applicable naming
policy.
l FALSE: Specifies to use
the applicable naming
policy.

IsSecurity Gets or sets whether the Read,


distribution group is a security Write
distribution group.
NOTE:
This
attribute
allows
you to
write
data only
when you
use the
Microsoft
Office
365
Connecto-
r to
perform
a create
operation
in Office
365.

MailTip Gets or sets the MailTip Read,


message translations in Write
additional languages.
Gets or sets the message
displayed to senders when
they start writing an email
message to the object.

MailTipTranslations Gets or sets the MailTip Read,


message translations in Write
additional languages.

Active Roles 8.0 LTS Synchronization Service Administration Guide


254
Connections to external data systems
Attribute Description Supported
operation
s

This attribute accepts the


following format:
<LanguageLocale>:<MailTip
MessageTranslation>
NOTE: MailTip message
translations cannot be
longer than 250 characters.

ManagedBy Gets or sets the owner of the Read,


object. Write
This reference attribute
accepts the following object
types:

l Mailbox
l MailUser

Member Gets or sets the members of Read,


the distribution group by using Write
their Object IDs.
NOTE:
This
attribute
only
allows
you to
write
data
when you
use the
Microsoft
Office
365
Connecto-
r to
perform
an
update
operation
in Office
365.

MemberDepartRestriction Gets or sets the restrictions Read,


applicable to the members Write

Active Roles 8.0 LTS Synchronization Service Administration Guide


255
Connections to external data systems
Attribute Description Supported
operation
s

who want to leave the


distribution group.
This attribute can take one of
the following values:

l Open: Members can


freely leave the group.
l Closed: Members cannot
leave the group by
themselves.
l ApprovalRequired:
Members must request
approval to leave the
group.

MemberJoinRestriction Gets or sets the restrictions Read,


applicable to the members Write
who want to join the
distribution group.
This attribute can take one of
the following values:

l Open: The group is open


to join.
l Closed: Users cannot
join the group by
themselves.
l ApprovalRequired: Users
must request approval
to join the group.

ModeratedBy Gets or sets the users who are Read,


moderating the messages sent Write
to the object.
TIP: To specify multiple
users as moderators, use
comma as separator.
NOTE: This reference
attribute is required if you
set the value of the
ModerationEnabled attribute
to TRUE.

Active Roles 8.0 LTS Synchronization Service Administration Guide


256
Connections to external data systems
Attribute Description Supported
operation
s

This reference attribute can


take users in any of the
following formats:

l Alias
l Canonical DN
l Display name
l Distinguished name
(DN)
l Domain\account
l GUID
l Immutable ID
l Legacy Exchange DN
l SMTP address
l User principal name

This reference attribute


accepts the following object
types:

l Mailbox
l MailUser

ModerationEnabled Gets or sets whether Read,


moderation is enabled for the Write
object.
This attribute can take one of
the following values:
l TRUE
l FALSE

Name Gets or sets the name of the Read,


object. Write

Notes Gets or sets notes about the Read,


object. Write
NOTE:
You can
write

Active Roles 8.0 LTS Synchronization Service Administration Guide


257
Connections to external data systems
Attribute Description Supported
operation
s

data with
this
attribute
only if
Microsoft
365
object
was
created
with the
Office
365
Connect-
or.

ObjectID Gets the globally unique object Read


identifier (GUID) of the object.

PrimarySmtpAddress Gets or sets the primary SMTP Read,


email address of the object. Write
NOTE: You can use this
attribute if the object has
two or more SMTP email
addresses configured.

RejectMessagesFrom Gets or sets the senders Read,


whose messages to the object Write
will be rejected.
This attribute can take senders
in one of the following
formats:

l Alias
l Canonical DN
l Display name
l Distinguished name
(DN)
l Domain\account
l GUID
l Immutable ID
l Legacy Exchange DN

Active Roles 8.0 LTS Synchronization Service Administration Guide


258
Connections to external data systems
Attribute Description Supported
operation
s

l SMTP address
l User principal name

This reference attribute


accepts the following object
types:

l Contact
l Mailbox

RejectMessagesFromDLMembers Gets or sets the distribution Read,


groups whose members Write
cannot send email messages
to the object (their messages
will be rejected).
This reference attribute can
take distribution groups in one
of the following formats:

l Alias
l Canonical DN
l Display name
l Distinguished name
(DN)
l Domain\account
l GUID
l Immutable ID
l Legacy Exchange DN
l SMTP address
l User principal name

This reference attribute


accepts the following object
types:

l DistributionGroup
l Dynam-
icDistributionGroup

RejectMessagesFromSendersOrMembers Gets or sets the senders that Read,


cannot send email messages Write

Active Roles 8.0 LTS Synchronization Service Administration Guide


259
Connections to external data systems
Attribute Description Supported
operation
s

to the object (their messages


will be rejected).
This reference attribute can
take senders in one of the
following formats:

l Alias
l Canonical DN
l Display name
l Distinguished name
(DN)
l Domain\account
l GUID
l Immutable ID
l Legacy Exchange DN
l SMTP address
l User principal name

This reference attribute


accepts the following object
types:

l Contact
l Dynam-
icDistributionGroup
l DistributionGroup
l Mailbox

ReportToManagerEnabled Gets or sets whether to send Read,


delivery reports to the Write
manager of the object.
This Boolean attribute can
take one of the following
values:

l TRUE: Enables delivery


reports to the manager.
l FALSE (default): Disables
delivery reports to the
manager.

Active Roles 8.0 LTS Synchronization Service Administration Guide


260
Connections to external data systems
Attribute Description Supported
operation
s

ReportToOriginatorEnabled Gets or sets whether to send Read,


delivery reports to the user Write
who sent an email message to
the object.
This Boolean attribute can
take one of the following
values:

l TRUE: Enables delivery


reports to the user.
l FALSE (default): Disables
delivery reports to the
user.

RequireSenderAuthenticationEnabled Gets or sets whether the Read,


senders that send messages to Write
this object must be
authenticated.
This attribute can take one of
the following values:

l TRUE: Messages sent to


this object must be
authenticated.
l FALSE: No message
authentication is
required.

SendModerationNotifications Gets or sets whether to send Read,


status notifications to users Write
when a message they sent to
the moderated object is
rejected by a moderator.
This attribute can take one of
the following values:

l Always: Specifies that


notifications are sent to
all senders.
l Internal: Specifies that
notifications are only
sent to the senders
internal to your organ-

Active Roles 8.0 LTS Synchronization Service Administration Guide


261
Connections to external data systems
Attribute Description Supported
operation
s

ization.
l Never: Specifies that all
status notifications are
disabled.

SendOofMessageToOriginatorEnabled Gets or sets whether to send Read,


out-of-office messages to Write
users who sent an email
message to the object.
This attribute can take one of
the following values:

l TRUE: Enables sending


out-of-office messages.
l FALSE: Disables sending
out-of-office messages.

SimpleDisplayName Gets or sets an alternate Read,


description of the object if Write
only a limited set of
characters is allowed.
The limited set of characters
includes ASCII characters 26–
126.

UMDtmfMap Gets or sets whether to create Read,


a user-defined DTMF map for Write
the object if it has Unified
Messaging enabled.

WindowsEmailAddress Gets or sets the email address Read,


of the object stored in Active Write
Directory.
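As an added example (not code from the Active Roles guide or from One Identity), the following Python function checks a DistributionGroup attribute set against the constraints stated in Table 92 before it is handed to a create or update operation: comma-separated multi-valued attributes, ModeratedBy being required when ModerationEnabled is TRUE, the <LanguageLocale>:<MailTipMessageTranslation> format and 250-character limit of MailTipTranslations, the create-only write of IsSecurity and the update-only write of Member, and an explicit RequireSenderAuthenticationEnabled of FALSE, which lets unauthenticated (external) senders reach the group. It also flags a sender named in both an accept and a reject attribute. Attribute names and values are the table's; the sample attribute dictionary, the function names and the locale pattern are this example's own assumptions.

```python
"""Pre-write checks for an Office 365 DistributionGroup attribute set.

Added example, not part of the Active Roles guide. It encodes only the
constraints stated in Table 92; the sample data below is constructed.
"""
import re

# Attributes the table marks as taking several comma-separated values
# (reference attributes that take several senders or groups included).
MULTI_VALUED = {
    "AcceptMessagesOnlyFrom", "AcceptMessagesOnlyFromDLMembers",
    "AcceptMessagesOnlyFromSendersOrMembers", "RejectMessagesFrom",
    "RejectMessagesFromDLMembers", "RejectMessagesFromSendersOrMembers",
    "BypassModerationFromSendersOrMembers", "GrantSendOnBehalfTo",
    "ModeratedBy", "Member", "EmailAddresses", "MailTipTranslations",
} | {f"ExtensionCustomAttribute{n}" for n in range(1, 6)}

# Attributes the table marks as writable only during one kind of operation.
WRITE_ONLY_DURING = {"IsSecurity": "create", "Member": "update"}

# Loose shape of a language locale such as "en-US" (assumption, not from the guide).
LOCALE_RE = re.compile(r"^[A-Za-z]{2,3}(-[A-Za-z0-9]{2,8})*$")


def split_multi(value):
    """Split a comma-separated attribute value into its non-empty items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def is_true(value):
    """TRUE/FALSE attribute values arrive as strings; compare case-insensitively."""
    return str(value).strip().upper() == "TRUE"


def check_distribution_group(attrs, operation):
    """Return the problems found in attrs for a 'create' or 'update' operation."""
    findings = []
    values = {k: split_multi(v) if k in MULTI_VALUED else v for k, v in attrs.items()}

    for name, allowed in WRITE_ONLY_DURING.items():
        if name in values and operation != allowed:
            findings.append(f"{name} can only be written during a {allowed} operation")

    if is_true(values.get("ModerationEnabled", "FALSE")) and not values.get("ModeratedBy"):
        findings.append("ModerationEnabled is TRUE but ModeratedBy is empty")

    # A sender in both an accept and a reject attribute is contradictory.
    # Identifiers are compared literally: the same sender given as an alias in
    # one attribute and as an SMTP address in the other is not detected here.
    accept, reject = set(), set()
    for name, items in values.items():
        if name not in MULTI_VALUED:
            continue
        if name.startswith("AcceptMessagesOnlyFrom"):
            accept.update(items)
        elif name.startswith("RejectMessagesFrom"):
            reject.update(items)
    for sender in sorted(accept & reject):
        findings.append(f"{sender} appears in both an accept and a reject attribute")

    # Each translation must be <LanguageLocale>:<MailTipMessageTranslation>
    # and at most 250 characters long. Splitting on commas means a translation
    # that itself contains a comma would be reported as malformed.
    for entry in values.get("MailTipTranslations", []):
        locale, sep, text = entry.partition(":")
        if not sep or not LOCALE_RE.match(locale.strip()):
            findings.append(f"MailTipTranslations entry {entry!r} is not <LanguageLocale>:<translation>")
        elif len(text.strip()) > 250:
            findings.append(f"MailTipTranslations entry for {locale.strip()} exceeds 250 characters")

    if "RequireSenderAuthenticationEnabled" in values and not is_true(values["RequireSenderAuthenticationEnabled"]):
        findings.append("RequireSenderAuthenticationEnabled is FALSE: unauthenticated (external) senders can mail the group")

    return findings


# Constructed sample, not taken from the guide.
SAMPLE_GROUP = {
    "Name": "sec-incident-response",
    "IsSecurity": "TRUE",
    "ModerationEnabled": "TRUE",
    "ModeratedBy": "ir-lead@example.com, ir-deputy@example.com",
    "AcceptMessagesOnlyFromSendersOrMembers": "soc@example.com, noreply@example.com",
    "RejectMessagesFrom": "noreply@example.com, newsletter@example.com",
    "MailTipTranslations": "en-US:Incident intake mailbox, de-DE:Postfach fuer Vorfaelle, bogus entry",
    "RequireSenderAuthenticationEnabled": "FALSE",
}

if __name__ == "__main__":
    for finding in check_distribution_group(SAMPLE_GROUP, "create"):
        print("create:", finding)
    for finding in check_distribution_group(SAMPLE_GROUP, "update"):
        print("update:", finding)
```

Run against the sample, the create check reports the accept/reject conflict, the malformed MailTip translation and the disabled sender authentication; the same attribute set on an update additionally reports IsSecurity, which the table allows only during a create. A check of this kind belongs in the mapping rule or script that feeds the connector, because the table lists these constraints but the write itself is what fails when they are violated.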

Domain object attributes supported for Microsoft 365 data synchronization

The Office 365 Connector supports the following Domain attributes for synchronization.

Table 93: Domain attributes
(The supported operations for each attribute are given in parentheses after its name.)

Authentication (Read)
    Gets the authentication method with which the domain in Microsoft 365 authenticates users.
    - Managed: The domain uses Microsoft 365 authentication.
    - Federated: The domain uses single sign-on (SSO) to authenticate users.

DomainName (Read)
    Gets the domain name in Microsoft 365.

DomainServices (Read)
    Gets the Microsoft 365 services available in the domain.

IsDefault (Read)
    Gets whether the domain is the default domain in Microsoft 365.

IsInitial (Read)
    Gets whether the domain is the initial domain in Microsoft 365.

ObjectID (Read)
    Gets the globally unique object identifier (GUID) of the object.

Status (Read)
    Gets whether the domain is verified with Microsoft 365.
    - Verified: The domain is verified.
    - Unverified: The domain is not verified.

DynamicDistributionGroup object attributes supported for Microsoft 365 data synchronization

The Office 365 Connector supports the following DynamicDistributionGroup attributes for synchronization.

Table 94: DynamicDistributionGroup attributes
(The supported operations for each attribute are given in parentheses after its name.)

AcceptMessagesOnlyFrom (Read, Write)
    Gets or sets the senders that can send email messages to the object.
    This reference attribute can take senders in any of the following formats: Alias, Canonical name, Display name, DN, Exchange DN, GUID, Name, Primary SMTP email address.
    Accepted object types: MailUser, Mailbox, Contact.

AcceptMessagesOnlyFromDLMembers (Read, Write)
    Gets or sets the distribution groups whose members are allowed to send email messages to the object.
    This reference attribute accepts any of the following values for the distribution groups: DN, Canonical name, GUID, Name, Display name, Legacy Exchange DN, Primary SMTP email address.
    Accepted object types: DistributionGroup, DynamicDistributionGroup.

AcceptMessagesOnlyFromSendersOrMembers (Read, Write)
    Gets or sets the senders who can send email messages to the object.
    This reference attribute can take any of the following values for the senders: DN, Canonical name, GUID, Name, Display name, Alias, Exchange DN, Primary SMTP email address.
    Accepted object types: Contact, DistributionGroup, DynamicDistributionGroup, Mailbox, MailUser.

Alias (Read, Write)
    Gets or sets the alias of the object.

BypassModerationFromSendersOrMembers (Read, Write)
    Gets or sets the senders whose messages bypass moderation for the object.
    This reference attribute can take any of the following values for the senders: DN, Canonical name, GUID, Name, Display name, Legacy Exchange DN, Primary SMTP email address.
    The values in this attribute do not apply to the senders that are the moderators of the dynamic distribution group.
    Accepted object types: Contact, DistributionGroup, DynamicDistributionGroup, Mailbox, MailUser.

ConditionalCustomAttribute1 through ConditionalCustomAttribute15 (Read, Write)
    Gets or sets the recipients based on the corresponding CustomAttribute<X> value. For example, ConditionalCustomAttribute1 corresponds to CustomAttribute1, ConditionalCustomAttribute2 corresponds to CustomAttribute2, and so on.

ConditionalDepartment (Read, Write)
    Gets or sets the recipients of the dynamic distribution group by their Department attribute.
    NOTE: When writing data using this attribute, you cannot use the RecipientFilter attribute to write data.
    TIP: This attribute is multivalued and uses a comma as a separator. Specifying multiple departments separated by commas acts as an OR operator.

ConditionalStateOrProvince (Read, Write)
    Gets or sets the recipients of the dynamic distribution group by their StateOrProvince attribute.
    TIP: This attribute is multivalued and uses a comma as a separator. Specifying multiple states or provinces separated by commas acts as an OR operator.

CustomAttribute1 through CustomAttribute15 (Read, Write)
    Gets or sets the additional custom values you specified.

DisplayName (Read, Write)
    Gets or sets the display name used in Microsoft 365 for the object.

EmailAddresses (Read, Write)
    Gets or sets the email alias(es) of the object.
    TIP: To specify multiple email addresses, use a comma (,) as a separator.

GrantSendOnBehalfTo (Read, Write)
    Gets or sets the distinguished name (DN) of other senders that can send messages on behalf of the object.

IncludedRecipients (Read, Write)
    Gets or sets the recipient types used to build the dynamic distribution group. This attribute can take the following values: AllRecipients, MailContacts, MailGroups, MailUsers, MailboxUsers, Resources, None.
    NOTE: You can use either the AllRecipients value on its own, or a combination of any of the other values, excluding AllRecipients.

LdapRecipientFilter (Read)
    Gets the recipient filter that was created by using the RecipientFilter attribute.

ManagedBy (Read, Write)
    Gets or sets the owner of the object: the mail-enabled user, group, or contact displayed on the Managed by tab of the Active Directory object.
    This reference attribute accepts the name in any of the following formats: Alias, Canonical DN, Display name, Distinguished name (DN), Domain\account, GUID, Immutable ID, Legacy Exchange DN, SMTP address, User principal name.
    Accepted object types: Mailbox, MailUser.

ModeratedBy (Read, Write)
    Gets or sets the users who are moderating the messages sent to the object.
    TIP: To specify multiple users as moderators, use a comma as a separator.
    NOTE: This reference attribute is required if you set the value of the ModerationEnabled attribute to TRUE.
    Accepted object types: Mailbox, MailUser.

ModerationEnabled (Read, Write)
    Gets or sets whether moderation is enabled for the object. This attribute can take the value TRUE or FALSE.

Name (Read, Write)
    Gets or sets the name of the object.

Notes (Read, Write)
    Gets or sets notes about the object.

ObjectID (Read)
    Gets the globally unique object identifier (GUID) of the object.

PhoneticDisplayName (Read, Write)
    Gets or sets the phonetic pronunciation of the DisplayName attribute value of the object.

PrimarySmtpAddress (Read, Write)
    Gets or sets the primary SMTP email address of the object.
    NOTE: You can use this attribute if the object has two or more SMTP email addresses configured.

RecipientContainer (Read, Write)
    Gets or sets the recipients used to build the dynamic distribution group, based on their location in Active Directory. This attribute can take the canonical name of the Active Directory organizational unit (OU) or domain where the recipients reside.
    NOTE: When this attribute is omitted, the local container is used.

RecipientFilter (Read, Write)
    Gets or sets the mail-enabled recipients to include in the dynamic distribution group. This attribute accepts OPATH filtering syntax.
    Syntax example: ((Company -eq 'MyCompany') -and (City -eq 'London'))
    NOTE: When writing data using this attribute, you cannot use any of the following attributes to write data: IncludedRecipients, ConditionalCompany, ConditionalCustomAttribute<x>, ConditionalDepartment, ConditionalStateOrProvince.

RejectMessagesFrom (Read, Write)
    Gets or sets the senders whose messages to the object will be rejected.
    This reference attribute can take senders in any of the following formats: Alias, Canonical DN, Display name, Distinguished name (DN), Domain\account, GUID, Immutable ID, Legacy Exchange DN, SMTP address, User principal name.
    Accepted object types: Contact, Mailbox.

RejectMessagesFromDLMembers (Read, Write)
    Gets or sets the distribution groups whose members cannot send email messages to the object (their messages will be rejected).
    This reference attribute can take distribution groups in any of the following formats: Alias, Canonical DN, Display name, Distinguished name (DN), Domain\account, GUID, Immutable ID, Legacy Exchange DN, SMTP address, User principal name.
    Accepted object types: DistributionGroup, DynamicDistributionGroup.

RejectMessagesFromSendersOrMembers (Read, Write)
    Gets or sets the senders that cannot send email messages to the object (their messages will be rejected).
    This reference attribute can take senders in any of the following formats: Alias, Canonical DN, Display name, Distinguished name (DN), Domain\account, GUID, Immutable ID, Legacy Exchange DN, SMTP address, User principal name.
    Accepted object types: Contact, DistributionGroup, DynamicDistributionGroup, Mailbox.

ReportToManagerEnabled (Read, Write)
    Gets or sets whether to send delivery reports to the manager of the object. This Boolean attribute can take one of the following values:
    - TRUE: Enables delivery reports to the manager.
    - FALSE (default): Disables delivery reports to the manager.

ReportToOriginatorEnabled (Read, Write)
    Gets or sets whether to send delivery reports to the user who sent an email message to the object. This Boolean attribute can take one of the following values:
    - TRUE: Enables delivery reports to the user.
    - FALSE (default): Disables delivery reports to the user.

SendModerationNotifications (Read, Write)
    Gets or sets whether to send status notifications to users when a message they sent to the moderated object is rejected by a moderator.
    - Always: Notifications are sent to all senders.
    - Internal: Notifications are only sent to senders internal to your organization.
    - Never: All status notifications are disabled.

SendOofMessageToOriginatorEnabled (Read, Write)
    Gets or sets whether to send out-of-office messages to users who sent an email message to the object.
    - TRUE: Enables sending out-of-office messages.
    - FALSE: Disables sending out-of-office messages.
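As an added example (not code from the Active Roles guide or from One Identity), the following Python code applies the membership rules Table 94 states for a DynamicDistributionGroup before the attributes are written: RecipientFilter is written instead of, never together with, IncludedRecipients and the Conditional* attributes; IncludedRecipients is either AllRecipients on its own or a combination of the other values; and a Conditional* attribute holds comma-separated values that are ORed. build_opath_filter() additionally renders a set of Conditional* values as the equivalent OPATH expression, so that a precanned definition and a hand-written RecipientFilter can be compared side by side; that rendering, the quoting rule it uses, the function names and the sample attribute sets are this example's own assumptions, not something the guide documents.

```python
"""Checks for a DynamicDistributionGroup membership definition.

Added example, not part of the Active Roles guide. It encodes the rules in
Table 94 for RecipientFilter, IncludedRecipients and the Conditional*
attributes; the OPATH rendering and the sample data are this example's own.
"""
import re

INCLUDED_RECIPIENT_VALUES = {
    "AllRecipients", "MailContacts", "MailGroups", "MailUsers",
    "MailboxUsers", "Resources", "None",
}

# Conditional attribute -> recipient property it filters on.
# ConditionalCustomAttribute<N> corresponds to CustomAttribute<N> (Table 94).
CONDITIONAL_PROPERTY = {
    "ConditionalCompany": "Company",
    "ConditionalDepartment": "Department",
    "ConditionalStateOrProvince": "StateOrProvince",
}
CONDITIONAL_CUSTOM_RE = re.compile(r"^ConditionalCustomAttribute(1[0-5]|[1-9])$")


def split_multi(value):
    """Split a comma-separated attribute value into its non-empty items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def conditional_property(name):
    """Return the recipient property a Conditional* attribute filters on, else None."""
    if name in CONDITIONAL_PROPERTY:
        return CONDITIONAL_PROPERTY[name]
    match = CONDITIONAL_CUSTOM_RE.match(name)
    return f"CustomAttribute{match.group(1)}" if match else None


def validate_membership(attrs):
    """Return the problems found in the attributes that define group membership."""
    findings = []
    precanned = sorted(k for k in attrs if conditional_property(k) or k == "IncludedRecipients")

    if "RecipientFilter" in attrs:
        if precanned:
            findings.append("RecipientFilter cannot be written together with: " + ", ".join(precanned))
        # Cheap syntax sanity check on the OPATH text; it is no substitute for
        # the connector's own parse, but catches a truncated filter early.
        if attrs["RecipientFilter"].count("(") != attrs["RecipientFilter"].count(")"):
            findings.append("RecipientFilter has unbalanced parentheses")

    if "IncludedRecipients" in attrs:
        chosen = split_multi(attrs["IncludedRecipients"])
        unknown = [v for v in chosen if v not in INCLUDED_RECIPIENT_VALUES]
        if unknown:
            findings.append("IncludedRecipients has unknown values: " + ", ".join(unknown))
        if "AllRecipients" in chosen and len(chosen) > 1:
            findings.append("IncludedRecipients: AllRecipients cannot be combined with other values")

    return findings


def opath_literal(value):
    """Quote a value as a single-quoted OPATH string literal.

    An embedded single quote is doubled (PowerShell-style quoting; an
    assumption of this example) so that a value such as
    "x') -or (Name -like '*" stays one literal and cannot widen the filter.
    """
    return "'" + value.replace("'", "''") + "'"


def build_opath_filter(attrs):
    """Render Conditional* attributes as OPATH: the comma-separated values of
    one attribute are ORed together, and the attributes are ANDed."""
    clauses = []
    for name in sorted(attrs):
        prop = conditional_property(name)
        if prop is None:
            continue
        alternatives = [f"({prop} -eq {opath_literal(v)})" for v in split_multi(attrs[name])]
        if not alternatives:
            continue
        clauses.append(alternatives[0] if len(alternatives) == 1 else "(" + " -or ".join(alternatives) + ")")
    return " -and ".join(clauses)


# Constructed samples, not taken from the guide.
PRECANNED = {
    "ConditionalDepartment": "Security, Risk",
    "ConditionalStateOrProvince": "WA",
    "ConditionalCustomAttribute1": "Tier0",
    "IncludedRecipients": "MailboxUsers, MailUsers",
}
CONFLICTING = dict(PRECANNED, RecipientFilter="((Company -eq 'MyCompany') -and (City -eq 'London'))")

if __name__ == "__main__":
    print(build_opath_filter(PRECANNED))
    for finding in validate_membership(CONFLICTING):
        print(finding)
```

The quoting in opath_literal is the security point: Conditional* values usually originate in a source system (an HR feed, a directory attribute), and a value that contains OPATH syntax would otherwise change which recipients the filter matches. The rendered expression is only an aid for review; after a write, the read-only LdapRecipientFilter attribute shows what the service actually derived from RecipientFilter.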

ExternalAccessPolicy object attributes supported for Microsoft 365 data synchronization

The Office 365 Connector supports the following ExternalAccessPolicy attributes for synchronization.

Table 95: ExternalAccessPolicy attributes
(The supported operations for each attribute are given in parentheses after its name.)

Anchor (Read)
    Gets the Anchor property value of the object.

Description (Read)
    Gets the description of the object.

Identity (Read)
    Gets the unique identifier assigned to the object.

Members (Read)
    Gets the users who have been assigned to the object.

ObjectID (Read)
    Gets the globally unique object identifier (GUID) of the object.

HostedVoicemailPolicy object attributes supported for Microsoft 365 data synchronization

The Office 365 Connector supports the following HostedVoicemailPolicy attributes for synchronization.

Table 96: HostedVoicemailPolicy attributes
(The supported operations for each attribute are given in parentheses after its name.)

Anchor (Read)
    Gets the Anchor property value of the object.

Description (Read)
    Gets the description of the object.

Identity (Read)
    Gets the unique identifier assigned to the object.

Members (Read)
    Gets the users who have been assigned to the object.

ObjectID (Read)
    Gets the globally unique object identifier (GUID) of the object.

LicensePlanService object attributes supported for Microsoft 365 data synchronization

The Office 365 Connector supports the following LicensePlanService attributes for synchronization.

Table 97: LicensePlanService attributes
(The supported operations for each attribute are given in parentheses after its name.)

AssignedLicenses (Read)
    Gets the number of used licenses in Microsoft 365. This number includes both valid and expired licenses that are currently assigned.

ExpiredLicenses (Read)
    Gets the number of expired licenses in Microsoft 365.

ObjectID (Read)
    Gets the globally unique object identifier (GUID) of the object.

PlanDisplayName (Read)
    Gets the name of the currently used license plan as it appears in the Microsoft 365 GUI.

PlanName (Read)
    Gets the name of the currently used license plan as it is returned by the Windows PowerShell cmdlets for Microsoft 365.

ReducedFunctionalityLicenses (Read)
    Gets the number of licenses that are in reduced functionality mode (RFM).

RelatedAttributeName (Read)
    Gets the name of the attribute in the Office 365 Connector schema that allows you to work (for example, read and write) with the specified Microsoft 365 service.

ServiceDisplayName (Read)
    Gets the license service name as it appears in the Microsoft 365 GUI. The service names are the names of the check boxes shown under a license plan.

ServiceName (Read)
    Gets the license service name as it is returned by the Windows PowerShell cmdlets for Microsoft 365.

ValidLicenses (Read)
    Gets the number of valid licenses in your Microsoft 365 organization. This number includes both assigned and available licenses.

Mailbox object attributes supported for Microsoft 365 data synchronization

The Office 365 Connector supports the following Mailbox attributes for synchronization.

Table 98: Mailbox attributes
(The supported operations for each attribute are given in parentheses after its name.)

AcceptMessagesOnlyFrom (Read, Write)
    Gets or sets the senders that can send email messages to the object.
    This reference attribute accepts any of the following values for the senders: DN, Canonical name, GUID, Name, Display name, Alias, Exchange DN, Primary SMTP email address.
    Accepted object types: MailUser, Mailbox, Contact.

AcceptMessagesOnlyFromDLMembers (Read, Write)
    Gets or sets the distribution groups whose members are allowed to send email messages to the object.
    This reference attribute accepts any of the following values for the distribution groups: DN, Canonical name, GUID, Name, Display name, Legacy Exchange DN, Primary SMTP email address.
    Accepted object types: DistributionGroup, DynamicDistributionGroup.

AcceptMessagesOnlyFromSendersOrMembers (Read, Write)
    Gets or sets the senders who can send email messages to the object.
    This reference attribute can take any of the following values for the senders: DN, Canonical name, GUID, Name, Display name, Alias, Exchange DN, Primary SMTP email address.
    Accepted object types: Contact, DistributionGroup, DynamicDistributionGroup, Mailbox, MailUser.

Alias (Read, Write)
    Gets or sets the alias of the object.

ApplyMandatoryProperties (Write)
    Sets whether to modify the mandatory properties of a legacy mailbox. For example, you can use this attribute to remove the legacyMailbox tag from a legacy mailbox residing on an Exchange Server, or to check whether this tag exists on the mailbox.
    - TRUE: The legacyMailbox tag does not exist on the mailbox.
    - FALSE: The legacyMailbox tag exists on the mailbox.

ArchiveName (Read, Write)
    Gets or sets the name of the object. This is the name displayed in the user interface of Outlook Web App and Microsoft Outlook.

AuditAdmin (Read, Write)
    Gets or sets the operations to log for administrators. This attribute can take the following values: None, Update, Copy, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf, MessageBind.
    To enable mailbox audit logging, set the value of the AuditEnabled attribute to TRUE.

AuditDelegate (Read, Write)
    Gets or sets the operations to log for delegate users. This attribute can take the following values: None, Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf.
    To enable mailbox audit logging, set the value of the AuditEnabled attribute to TRUE.

AuditEnabled (Read, Write)
    Gets or sets whether mailbox audit logging is enabled or disabled. If mailbox audit logging is enabled, the operations specified for the AuditAdmin, AuditDelegate, and AuditOwner attributes are logged.
    - TRUE: Enables mailbox audit logging.
    - FALSE: Disables mailbox audit logging.

AuditLogAgeLimit (Read, Write)
    Gets or sets the retention period for the mailbox audit log. Log entries older than the retention period are deleted.
    This attribute accepts the retention period in the format DD.HH:MM:SS. The maximum value the attribute can accept is 24855.03:14:07.
    Examples of use:
    • A value of 30.05:00:00 retains mailbox audit log entries for 30 days and 5 hours.
    • A value of 00.00:00:00 retains mailbox audit log entries indefinitely; they are never deleted.
    Because entries older than the limit are purged, a rule that writes a short value silently discards evidence. Keep the limit at least as long as your incident investigation and compliance retention window.
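
The DD.HH:MM:SS format, the 24855.03:14:07 ceiling, the special meaning of 00.00:00:00, and the dependency of AuditAdmin and AuditDelegate on AuditEnabled are easy to get wrong in a mapping rule. The following Python is an added example written for this guide, not code from Active Roles or the Office 365 Connector: it lints a set of audit attribute values before they are written. The attribute-name-to-string dictionary, the comma separator between multiple operations, and the required-operation baseline are assumptions of the example. The same timespan parser applies to RetainDeletedItemsFor, which uses the same format.

```python
"""Lint mailbox audit settings before the Office 365 Connector writes them.

Added example for this guide (not Active Roles or connector code). Value
formats follow Table 98; the dict shape, the comma separator for multiple
operations and the required-operation baseline are assumptions.
"""
import re

TIMESPAN_RE = re.compile(r"^(\d+)\.(\d{2}):(\d{2}):(\d{2})$")
# 24855.03:14:07 is the documented maximum for AuditLogAgeLimit.
MAX_AGE_LIMIT_SECONDS = ((24855 * 24 + 3) * 60 + 14) * 60 + 7

AUDIT_ADMIN_OPS = {
    "None", "Update", "Copy", "Move", "MoveToDeletedItems", "SoftDelete",
    "HardDelete", "FolderBind", "SendAs", "SendOnBehalf", "MessageBind",
}
AUDIT_DELEGATE_OPS = AUDIT_ADMIN_OPS - {"Copy", "MessageBind"}

# Baseline an investigator needs (assumption of this example, not a
# requirement stated in the guide): destructive and impersonating actions.
REQUIRED_ADMIN_OPS = {"SoftDelete", "HardDelete", "SendAs", "SendOnBehalf", "MessageBind"}
REQUIRED_DELEGATE_OPS = {"SoftDelete", "HardDelete", "SendAs", "SendOnBehalf"}


def parse_timespan(value):
    """Parse a DD.HH:MM:SS value into total seconds.

    Returns None for 00.00:00:00 (retain indefinitely) and raises ValueError
    for a malformed value or one above the connector's maximum.
    """
    match = TIMESPAN_RE.match(value.strip())
    if not match:
        raise ValueError(f"not in DD.HH:MM:SS form: {value!r}")
    days, hours, minutes, seconds = (int(part) for part in match.groups())
    if hours > 23 or minutes > 59 or seconds > 59:
        raise ValueError(f"time component out of range: {value!r}")
    total = ((days * 24 + hours) * 60 + minutes) * 60 + seconds
    if total > MAX_AGE_LIMIT_SECONDS:
        raise ValueError(f"exceeds the maximum 24855.03:14:07: {value!r}")
    return None if total == 0 else total


def parse_ops(value):
    """Split a multivalued operation list (comma separator assumed)."""
    return {part.strip() for part in value.split(",") if part.strip()}


def _check_ops(name, value, allowed, required):
    findings = []
    ops = parse_ops(value)
    unknown = ops - allowed
    if unknown:
        findings.append(f"{name}: unsupported value(s) {sorted(unknown)}")
    if "None" in ops and len(ops) > 1:
        findings.append(f"{name}: 'None' combined with other operations")
    missing = required - ops
    if missing:
        findings.append(f"{name}: not logging {sorted(missing)}")
    return findings


def lint_audit_config(attrs, min_retention_days=90):
    """Return a list of findings for the audit attributes in attrs
    (attribute name -> string value as the connector would write it).
    An empty list means the values meet the baseline."""
    findings = []
    if attrs.get("AuditEnabled", "").strip().upper() != "TRUE":
        findings.append("AuditEnabled is not TRUE: AuditAdmin, AuditDelegate "
                        "and AuditOwner have no effect")
    if "AuditAdmin" in attrs:
        findings += _check_ops("AuditAdmin", attrs["AuditAdmin"],
                               AUDIT_ADMIN_OPS, REQUIRED_ADMIN_OPS)
    if "AuditDelegate" in attrs:
        findings += _check_ops("AuditDelegate", attrs["AuditDelegate"],
                               AUDIT_DELEGATE_OPS, REQUIRED_DELEGATE_OPS)
    if "AuditLogAgeLimit" in attrs:
        try:
            seconds = parse_timespan(attrs["AuditLogAgeLimit"])
        except ValueError as exc:
            findings.append(f"AuditLogAgeLimit: {exc}")
        else:
            # None means "never deleted", which is always long enough.
            if seconds is not None and seconds < min_retention_days * 86400:
                findings.append(f"AuditLogAgeLimit {attrs['AuditLogAgeLimit']} "
                                f"is shorter than {min_retention_days} days")
    return findings


# Constructed sample: a mapping rule that quietly weakens auditing.
SAMPLE_ATTRS = {
    "AuditEnabled": "TRUE",
    "AuditAdmin": "Update,Copy",
    "AuditDelegate": "Update,SoftDelete,HardDelete,SendAs,SendOnBehalf",
    "AuditLogAgeLimit": "7.00:00:00",
}

if __name__ == "__main__":
    for finding in lint_audit_config(SAMPLE_ATTRS):
        print(finding)
```

Run the lint in the step that builds the value set for a mailbox, before the connector write, and fail the synchronization run on any finding rather than letting a partial audit policy reach the tenant.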

BypassModerationFromSendersOrMembers (Read, Write)
    Gets or sets the senders whose messages bypass moderation for the object.
    This reference attribute accepts any of the following values for the senders:
    • DN
    • Canonical name
    • GUID
    • Name
    • Display name
    • Legacy Exchange DN
    • Primary SMTP email address
    The values in this attribute do not apply to the senders that are the moderators of the mailbox.
    This reference attribute accepts the following object types:
    • Contact
    • DistributionGroup
    • DynamicDistributionGroup
    • Mailbox
    • MailUser

CalendarRepairDisabled (Read, Write)
    Gets or sets whether the Calendar Repair Assistant is prevented from repairing the calendar items in the mailbox.
    This attribute can take one of the following values:
    • TRUE: Calendar repair is disabled; the Calendar Repair Assistant does not repair calendar items in the mailbox.
    • FALSE: Calendar repair is enabled.

CalendarVersionStoreDisabled (Read, Write)
    Gets or sets whether logging of calendar changes is disabled for the object.
    This attribute can take one of the following values:
    • TRUE: Calendar changes are not logged.
    • FALSE: Calendar changes are logged.

CreateDTMFMap (Write)
    Sets whether to create a dual-tone multi-frequency (DTMF) map for the object.
    This attribute can take one of the following values:
    • TRUE: Creates a DTMF map for the object.
    • FALSE: Does not create a DTMF map for the object.

CustomAttribute1 through CustomAttribute15 (Read, Write)
    Gets or sets the additional custom values you specified. Each of the fifteen attributes holds one value.

DeliverToMailboxAndForward (Read, Write)
    Gets or sets whether this mailbox still receives messages when message forwarding to another address is configured for the mailbox.
    This attribute can take one of the following values:
    • TRUE: Messages are delivered to this mailbox and to the forwarding address.
    • FALSE: Messages are delivered to the forwarding address only, not to this mailbox.

DisplayName (Read, Write)
    Gets or sets the display name used in Microsoft 365 for the object.

EmailAddresses (Read, Write)
    Gets or sets all proxy addresses of the object. The proxy addresses include the primary SMTP address.
    NOTE: When writing proxy addresses with this attribute, make sure the specified addresses are valid, because Exchange does not validate them. Validate the addresses in the mapping rule before the write: a malformed or wrongly routed proxy address is not rejected and can misdirect mail.

EndDateForRetentionHold (Read, Write)
    Gets or sets the end date of the retention hold for messaging records management (MRM).
    TIP: To enable or disable retention hold, use the RetentionHoldEnabled attribute.

ExternalDirectoryObjectId (Read)
    Gets the globally unique identifier (GUID) of the object.

ExternalOofOptions (Read, Write)
    Gets or sets whether out-of-office (OoO) messages are sent to external senders.
    This attribute can take one of the following values:
    • External: OoO messages are sent to external senders as well.
    • InternalOnly: OoO messages are sent only in response to messages originating from your organization.

ExtensionCustomAttribute1 through ExtensionCustomAttribute5 (Read, Write)
    Gets or sets the additional custom values you specify. These attributes are multivalued.
    TIP: To specify multiple values, use a comma as the separator.

ForwardingAddress (Read, Write)
    Gets or sets a forwarding address for the mailbox.

ForwardingSmtpAddress (Read, Write)
    Gets or sets a forwarding SMTP address for the mailbox.
    Silent forwarding to an external address is a common persistence technique after a mailbox compromise. Treat writes to ForwardingAddress and ForwardingSmtpAddress from synchronization rules as security-relevant and alert on unexpected values.

GrantSendOnBehalfTo (Read, Write)
    Gets or sets the distinguished names (DNs) of other senders that can send messages on behalf of the object.

HiddenFromAddressListsEnabled (Read, Write)
    Gets or sets whether Microsoft 365 hides the object from address lists.
    This attribute can take one of the following values:
    • TRUE: Hides the object from address lists.
    • FALSE (default): Shows the object in address lists.

ImmutableId (Read, Write)
    Gets or sets a unique immutable ID in the form of an SMTP address.
    NOTE: The Office 365 Connector can read the value of this attribute only if it is stored in Microsoft 365 in base64 encoding. If the attribute value is stored in any other format, the connector returns an error when reading that value.
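
Two of the attributes above are worth checking before the connector writes them: EmailAddresses, because Exchange does not validate the proxy addresses it receives, and ImmutableId, because the connector can only read back a base64 value. The following Python is an added example for this guide, not code from Active Roles or the connector. It assumes the Exchange proxy-address convention (a "<type>:<address>" prefix, with an upper-case "SMTP:" marking the primary SMTP address and "smtp:" a secondary one), the comma separator that the MailUser EmailAddresses attribute documents for multiple values, and the common practice of deriving ImmutableId from an on-premises objectGUID; none of these comes from Table 98 itself.

```python
"""Validate EmailAddresses and ImmutableId values before the connector writes them.

Added example for this guide, not Active Roles or connector code. The proxy
address prefix convention, the comma separator and the GUID-to-ImmutableId
derivation are assumptions of the example, not statements from Table 98.
"""
import base64
import binascii
import re
import uuid

# Conservative subsets of the RFC 5321 grammar; tighten or loosen for your tenant.
LOCAL_PART_RE = re.compile(r"^[A-Za-z0-9._%+-]+$")
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)([A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,}$")


def is_smtp_address(addr):
    """Syntactic check for local@domain."""
    local, sep, domain = addr.rpartition("@")
    return bool(sep) and LOCAL_PART_RE.match(local) is not None \
        and DOMAIN_RE.match(domain) is not None


def check_email_addresses(value, accepted_domains=None):
    """Return the problems found in a comma-separated EmailAddresses value.

    accepted_domains, if given, is a set of lower-case domains the tenant owns;
    an SMTP proxy address outside that set is reported.
    """
    problems, primaries, seen = [], [], set()
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            continue
        prefix, sep, addr = entry.partition(":")
        if not sep or not prefix:
            problems.append(f"{entry!r}: missing '<type>:' prefix")
            continue
        if prefix.upper() == "SMTP":
            if not is_smtp_address(addr):
                problems.append(f"{entry!r}: not a valid SMTP address")
                continue
            domain = addr.rpartition("@")[2].lower()
            if accepted_domains is not None and domain not in accepted_domains:
                problems.append(f"{entry!r}: domain {domain} is not an accepted domain")
            if prefix == "SMTP":  # upper-case prefix marks the primary address
                primaries.append(addr)
        if entry.lower() in seen:
            problems.append(f"{entry!r}: duplicate address")
        seen.add(entry.lower())
    if len(primaries) != 1:
        problems.append(f"expected exactly one primary 'SMTP:' address, found {len(primaries)}")
    return problems


def is_base64_immutable_id(value):
    """True if value is strict base64, the only form the connector can read back."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) > 0 and base64.b64encode(raw).decode("ascii") == value


def immutable_id_from_guid(guid_text):
    """Base64 of the GUID's byte layout, as commonly used for ImmutableId (assumption)."""
    return base64.b64encode(uuid.UUID(guid_text).bytes_le).decode("ascii")


# Constructed sample values for a stand-alone run.
SAMPLE_ADDRESSES = "SMTP:alice@example.com, smtp:a.smith@example.com, smtp:alice@partner.example"
SAMPLE_GUID = "12345678-1234-1234-1234-123456789abc"

if __name__ == "__main__":
    print(check_email_addresses(SAMPLE_ADDRESSES, accepted_domains={"example.com"}))
    print(immutable_id_from_guid(SAMPLE_GUID), is_base64_immutable_id("alice@example.com"))
```

Passing the tenant's accepted domains is what catches a proxy address that would route mail to a domain the organization does not own; the primary-address count catches the frequent mistake of writing two "SMTP:" entries.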

IsEquipment (Read, Write)
    Gets or sets whether the mailbox belongs to a piece of equipment.
    This attribute can take one of the following values:
    • TRUE: Indicates an equipment mailbox.
    • FALSE: Indicates that the mailbox is not assigned to a piece of equipment.

IsRegular (Read, Write)
    Gets or sets whether the mailbox belongs to a user.
    This attribute can take one of the following values:
    • TRUE: Indicates that the mailbox belongs to a user.
    • FALSE: Indicates that the mailbox is not assigned to a user.

IsRoom (Read, Write)
    Gets or sets whether the mailbox belongs to a room.
    This attribute can take one of the following values:
    • TRUE: Indicates that the mailbox belongs to a room.
    • FALSE: Indicates that the mailbox is not assigned to a room.

IsShared (Read, Write)
    Gets or sets whether the mailbox is shared.
    This attribute can take one of the following values:
    • TRUE: Indicates that the mailbox is shared.
    • FALSE: Indicates that the mailbox is not shared.

IssueWarningQuota (Read, Write)
    Gets or sets the mailbox size at which a warning message is sent to the mailbox user.
    To specify a mailbox size, use an integer value. To disable the quota, set the value of this attribute to Unlimited.
    NOTE: The value set on a mailbox by using this attribute overrides the value specified for the entire mailbox database.

IsValid (Read)
    Gets whether the mailbox object is configured correctly.
    This attribute can take one of the following values:
    • TRUE: Indicates that the mailbox is configured correctly.
    • FALSE: Indicates that the mailbox is configured incorrectly.

Languages (Read, Write)
    Gets or sets the preferred languages for the object, in order of priority.

LitigationHoldDate (Read, Write)
    Gets or sets the date when the mailbox was placed on litigation hold. This date is used only for informational or reporting purposes.

LitigationHoldDuration (Read, Write)
    Gets or sets the litigation hold duration for the mailbox, in days.

LitigationHoldEnabled (Read, Write)
    Gets or sets whether litigation hold is enabled for the mailbox. When a mailbox is on litigation hold, messages cannot be deleted from the mailbox.
    This attribute can take one of the following values:
    • TRUE: Litigation hold is enabled.
    • FALSE: Litigation hold is disabled.
    Writing FALSE releases the hold and lets preserved content be purged. Restrict which synchronization rules may set this attribute and log every change to it.

LitigationHoldOwner (Read, Write)
    Gets or sets the user who placed the mailbox on litigation hold.

MailboxPlan (Read, Write)
    Gets or sets the name of the mailbox plan associated with the mailbox.
    TIP: When setting a mailbox plan, make sure that the plan is available in the organization of the mailbox.

MailTip (Read, Write)
    Gets or sets the message displayed to senders when they start writing an email message to the object.

MailTipTranslations (Read, Write)
    Gets or sets the MailTip message translations in additional languages.
    This attribute accepts the following format: <LanguageLocale>:<MailTipMessageTranslation>
    NOTE: MailTip message translations cannot be longer than 250 characters.

MessageTrackingReadStatusEnabled (Read, Write)
    Gets or sets whether the read status of messages sent to this mailbox is reported to their senders.
    This attribute can take one of the following values:
    • TRUE: Read status tracking is enabled.
    • FALSE: Read status tracking is disabled.

ModeratedBy (Read, Write)
    Gets or sets the users who moderate the messages sent to the object.
    TIP: To specify multiple users as moderators, use a comma as the separator.
    NOTE: This reference attribute is required if you set the value of the ModerationEnabled attribute to TRUE.
    This reference attribute accepts the following object types:
    • Mailbox
    • MailUser

ModerationEnabled (Read, Write)
    Gets or sets whether moderation is enabled for the object.
    This attribute can take one of the following values:
    • TRUE
    • FALSE

Name (Read, Write)
    Gets or sets the name of the object. This is the name that appears in the Active Directory Users and Computers tool.

ObjectID (Read)
    Gets the globally unique object identifier (GUID) of the object.

Office (Read, Write)
    Gets or sets the company office location associated with the object.

Password (Write)
    Sets the password for the user account associated with the mailbox.
    The attribute is write-only, so the connector cannot read the value back to verify it. Make sure the source of the value in your mapping rule is not written to synchronization logs or exports.

PrimarySmtpAddress (Read, Write)
    Gets or sets the primary SMTP email address of the object.
    NOTE: Use this attribute if the object has two or more SMTP email addresses configured. The address specified with this attribute is the one external recipients see.

ProhibitSendQuota (Read, Write)
    Gets or sets the mailbox size at which the mailbox user can no longer send messages.
    To specify a mailbox size, use an integer value. To disable the quota, set the value of this attribute to Unlimited.
    NOTE: The value set on a mailbox by using this attribute overrides the value specified for the entire mailbox database.

ProhibitSendReceiveQuota (Read, Write)
    Gets or sets the mailbox size at which the mailbox user can no longer send or receive messages.
    To specify a mailbox size, use an integer value. To disable the quota, set the value of this attribute to Unlimited.
    NOTE: The value set on a mailbox by using this attribute overrides the value specified for the entire mailbox database.

RejectMessagesFrom (Read, Write)
    Gets or sets the senders whose messages to the object are rejected.
    This reference attribute accepts the following object types:
    • Contact
    • Mailbox

RejectMessagesFromDLMembers (Read, Write)
    Gets or sets the distribution groups whose members cannot send email messages to the object (their messages are rejected).
    This reference attribute accepts the following object types:
    • DistributionGroup
    • DynamicDistributionGroup

RejectMessagesFromSendersOrMembers (Read, Write)
    Gets or sets the senders that cannot send email messages to the object (their messages are rejected).
    This reference attribute accepts any of the following values for the recipients:
    • DN
    • Canonical name
    • GUID
    • Name
    • Display name
    • Alias
    • Exchange DN
    • Primary SMTP email address
    This reference attribute accepts the following object types:
    • Contact
    • DistributionGroup
    • DynamicDistributionGroup
    • Mailbox

RequireSenderAuthenticationEnabled (Read, Write)
    Gets or sets whether senders must be authenticated to send messages to this object.
    This attribute can take one of the following values:
    • TRUE: Messages sent to this object must come from authenticated senders.
    • FALSE: No sender authentication is required.
    Setting FALSE makes a recipient that was internal-only reachable from the internet. Check that rules which write this attribute do not open distribution lists or service mailboxes to anonymous mail.

ResourceCapacity (Read, Write)
    Gets or sets the maximum number of people that can be accommodated by the room to which the mailbox belongs.

ResourceCustom (Read, Write)
    Gets or sets additional information about the resource.

RetainDeletedItemsFor (Read, Write)
    Gets or sets how long deleted items are kept.
    This attribute accepts a value in the following format: DD.HH:MM:SS
    For example, a value of 10.00:00:00 means that deleted items are retained for 10 days.

RetentionComment (Read, Write)
    Gets or sets a comment on the hold status of the user. This comment is also displayed in Outlook.
    NOTE: You can write the value of this attribute only if the value of the RetentionHoldEnabled attribute is set to TRUE.

RetentionHoldEnabled (Read, Write)
    Gets or sets whether retention hold is enabled for messaging retention policies.
    This attribute can take one of the following values:
    • TRUE: Retention hold is enabled.
    • FALSE: Retention hold is disabled.

RetentionPolicy (Read, Write)
    Gets or sets the name of the retention policy to apply to the folders and mail items of this mailbox.

RetentionUrl (Read, Write)
    Gets or sets the URL of the web page providing additional details about the messaging retention policies in effect within the organization.

RoleAssignmentPolicy (Read, Write)
    Gets or sets the management role assignment policy to assign to the mailbox when it is created or enabled.
    TIP: Consider the following when using this attribute:
    • If the name of the assignment policy you want to specify contains spaces, put the name in quotation marks (").
    • If you omit this attribute when creating or enabling a mailbox, the system uses the default assignment policy.
    • If you do not want to assign an assignment policy, leave this attribute empty.

RulesQuota (Read, Write)
    Gets or sets the size limit for the rules specified for the mailbox.
    Qualify the value you specify in this attribute by appending either B (bytes) or KB (kilobytes): for example, 64 B or 256 KB. Unqualified values are treated as bytes. The maximum value this attribute can accept is 256 KB.
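
The four quota attributes above (IssueWarningQuota, ProhibitSendQuota, ProhibitSendReceiveQuota and RulesQuota) use two different value grammars, and a wrong value is only reported by the connector at write time. The following Python is an added example for this guide, not code from Active Roles or the connector: it parses both grammars and checks a value set before the write. Treating the plain integer of the three mailbox quotas as a byte count, and requiring the warning threshold not to exceed the send threshold and the send threshold not to exceed the send/receive threshold, are assumptions of the example rather than statements from the guide.

```python
"""Parse and sanity-check the mailbox quota attributes of Table 98.

Added example for this guide (not Active Roles or connector code). The
byte interpretation of the plain integer and the ordering check between the
three mailbox quotas are assumptions of this example.
"""
import re

RULES_QUOTA_MAX_BYTES = 256 * 1024
RULES_QUOTA_RE = re.compile(r"^(\d+)\s*(B|KB)?$", re.IGNORECASE)
QUOTA_ORDER = ("IssueWarningQuota", "ProhibitSendQuota", "ProhibitSendReceiveQuota")


def parse_quota(value):
    """Return the quota as an integer (bytes assumed), or None for Unlimited."""
    text = value.strip()
    if text.lower() == "unlimited":
        return None
    if not text.isdigit():
        raise ValueError(f"quota must be an integer or Unlimited: {value!r}")
    return int(text)


def parse_rules_quota(value):
    """Return the RulesQuota size in bytes, enforcing the 256 KB ceiling."""
    match = RULES_QUOTA_RE.match(value.strip())
    if not match:
        raise ValueError(f"RulesQuota must look like '64 B' or '256 KB': {value!r}")
    number, unit = int(match.group(1)), (match.group(2) or "B").upper()
    size = number * 1024 if unit == "KB" else number   # unqualified = bytes
    if size > RULES_QUOTA_MAX_BYTES:
        raise ValueError(f"RulesQuota {value!r} exceeds the 256 KB maximum")
    return size


def check_mailbox_quotas(attrs):
    """Return a list of problems with the quota values in attrs (name -> string)."""
    problems, parsed = [], {}
    for name in QUOTA_ORDER:
        if name in attrs:
            try:
                parsed[name] = parse_quota(attrs[name])
            except ValueError as exc:
                problems.append(f"{name}: {exc}")
    if "RulesQuota" in attrs:
        try:
            parse_rules_quota(attrs["RulesQuota"])
        except ValueError as exc:
            problems.append(str(exc))
    # Ordering check: each threshold must not exceed the next one.
    # Unlimited (None) counts as the largest possible value.
    present = [(name, parsed[name]) for name in QUOTA_ORDER if name in parsed]
    for (lo_name, lo), (hi_name, hi) in zip(present, present[1:]):
        if hi is not None and (lo is None or lo > hi):
            problems.append(f"{lo_name} ({attrs[lo_name]}) exceeds {hi_name} ({attrs[hi_name]})")
    return problems


# Constructed sample: a consistent set of values.
SAMPLE_QUOTAS = {
    "IssueWarningQuota": "47185920",
    "ProhibitSendQuota": "52428800",
    "ProhibitSendReceiveQuota": "Unlimited",
    "RulesQuota": "256 KB",
}

if __name__ == "__main__":
    print(check_mailbox_quotas(SAMPLE_QUOTAS))
    print(check_mailbox_quotas(dict(SAMPLE_QUOTAS, RulesQuota="300 KB")))
```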

SecondaryAddress (Write)
    Sets the secondary address for the object if it has Unified Messaging enabled.

SecondaryDialPlan (Write)
    Sets the secondary Unified Messaging dial plan for the object.

SendModerationNotifications (Read, Write)
    Gets or sets whether to send status notifications to users when a message they sent to the moderated object is rejected by a moderator.
    This attribute can take one of the following values:
    • Always: Notifications are sent to all senders.
    • Internal: Notifications are sent only to senders internal to your organization.
    • Never: All status notifications are disabled.

SharingPolicy (Read, Write)
    Gets or sets the sharing policy associated with the mailbox.

SimpleDisplayName (Read, Write)
    Gets or sets an alternate description of the object for use where only a limited set of characters is allowed. The limited set of characters includes ASCII characters 26 to 126.

SingleItemRecoveryEnabled (Read, Write)
    Gets or sets whether single item recovery is enabled, that is, whether purging of recoverable items is prevented.
    This attribute can take one of the following values:
    • TRUE: Disables the purging of recoverable items.
    • FALSE: Enables the purging of recoverable items.

UMDtmfMap (Read, Write)
    Gets or sets whether to create a user-defined DTMF map for the object if it has Unified Messaging enabled.

UsageLocation (Read)
    Gets a two-letter country code (for example, FR, GB or NL) that defines the location of the user. The usage location determines the services available to the user.

UserCertificate (Read, Write)
    Gets or sets the digital certificate used to sign the email messages of the user.

UserPrincipalName (Read, Write)
    Gets or sets the logon name of the mailbox user.

UserSMimeCertificate (Read, Write)
    Gets or sets the S/MIME certificate used by the user to sign email messages.

MailUser object attributes supported for Microsoft 365 data synchronization

The Office 365 Connector supports the following MailUser attributes for synchronization.

Table 99: MailUser attributes

Each entry gives the attribute name, the supported operations in parentheses (Read, Write, or both), and the description.

AcceptMessagesOnlyFrom (Read, Write)
    Gets or sets the senders that can send email messages to the object.
    This reference attribute can take senders in any of the following formats:
    • Alias
    • Canonical name
    • Display name
    • DN
    • Exchange DN
    • GUID
    • Name
    • Primary SMTP email address
    This reference attribute accepts the following object types:
    • MailUser
    • Mailbox
    • Contact

AcceptMessagesOnlyFromDLMembers (Read, Write)
    Gets or sets the distribution groups whose members are allowed to send email messages to the object.
    This reference attribute can take distribution groups in any of the following formats:
    • Canonical name
    • Display name
    • DN
    • GUID
    • Legacy Exchange DN
    • Name
    • Primary SMTP email address
    This reference attribute accepts the following object types:
    • DistributionGroup
    • DynamicDistributionGroup

AcceptMessagesOnlyFromSendersOrMembers (Read, Write)
    Gets or sets the senders who can send email messages to the object.
    This reference attribute can take senders in any of the following formats:
    • Alias
    • Canonical name
    • Display name
    • DN
    • GUID
    • Name
    • Legacy Exchange DN
    • Primary SMTP email address
    This reference attribute accepts the following object types:
    • Contact
    • DistributionGroup
    • DynamicDistributionGroup
    • Mailbox
    • MailUser

Alias (Read, Write)
    Gets or sets the alias of the object.

ArchiveName (Read)
    Gets the name of the archive mailbox of the object. This is the name displayed in the Outlook Web App and Microsoft Outlook user interface.

BypassModerationFromSendersOrMembers (Read, Write)
    Gets or sets the senders whose messages bypass moderation for the object.
    This reference attribute can take any of the following values for the senders:
    • Alias
    • Canonical name
    • Display name
    • DN
    • GUID
    • Name
    • Legacy Exchange DN
    • Primary SMTP email address
    Moderation does not apply to the senders designated as moderators for the mail user.
    This reference attribute accepts the following object types:
    • Contact
    • DistributionGroup
    • DynamicDistributionGroup
    • Mailbox
    • MailUser

CalendarVersionStoreDisabled (Read, Write)
    Gets or sets whether logging of calendar changes is disabled for the object.
    This attribute can take one of the following values:
    • TRUE: Calendar changes are not logged.
    • FALSE: Calendar changes are logged.

CreateDTMFMap (Write)
    Sets whether to create a dual-tone multi-frequency (DTMF) map for the object.
    This attribute can take one of the following values:
    • TRUE: Creates a DTMF map for the object.
    • FALSE: Does not create a DTMF map for the object.

CustomAttribute1 through CustomAttribute15 (Read, Write)
    Gets or sets the additional custom values you specified. Each of the fifteen attributes holds one value.

DeliverToMailboxAndForward (Read)
    Gets whether messages sent to the mail user are also delivered to the mail user when message forwarding to another address is configured.
    This attribute can take one of the following values:
    • TRUE: Messages are delivered to this object and to the forwarding address.
    • FALSE: Messages are delivered to the forwarding address only, not to this object.

DisplayName (Read, Write)
    Gets or sets the display name used in Microsoft 365 for the object.

EmailAddresses (Read, Write)
    Gets or sets the email alias(es) of the object.
    TIP: To specify multiple email addresses, use a comma (,) as the separator.

EndDateForRetentionHold (Read)
    Gets the end date of the retention hold for messaging records management (MRM).
    TIP: To enable or disable retention hold, use the RetentionHoldEnabled attribute.

ExtensionCustomAttribute1 through ExtensionCustomAttribute5 (Read, Write)
    Gets or sets the additional custom values you specify. These attributes are multivalued.
    TIP: To specify multiple values, use a comma as the separator.

ExternalDirectoryObjectId (Read)
    Gets the globally unique identifier (GUID) of the object.

ExternalEmailAddress (Read, Write)
    Gets or sets an email address outside the organization for the mail user. Messages sent to the mail user are delivered to this external address.

FederatedIdentity (Write)
    Sets the on-premises Active Directory user to associate with the Microsoft 365 mail user.

ForwardingAddress (Read)
    Gets the forwarding address for the mail user.

GrantSendOnBehalfTo (Read, Write)
    Gets or sets the distinguished names (DNs) of other senders that can send messages on behalf of the object.
    This reference attribute accepts the Mailbox object type only.

HiddenFromAddressListsEnabled (Read, Write)
    Gets or sets whether Microsoft 365 hides the object from address lists.
    This attribute can take one of the following values:
    • TRUE: Hides the object from address lists.
    • FALSE (default): Shows the object in address lists.

ImmutableId (Read, Write)
    Gets or sets a unique immutable ID in the form of an SMTP address.
    NOTE: The Office 365 Connector can read the value of this attribute only if it is stored in Microsoft 365 in base64 encoding. If the attribute value is stored in any other format, the connector returns an error when reading that value.

LitigationHoldDate (Read)
    Gets the date when the mailbox of the mail user was placed on litigation hold.

LitigationHoldEnabled (Read)
    Gets whether litigation hold is enabled for the mailbox of the mail user. When a mailbox is on litigation hold, messages cannot be deleted from the mailbox.
    This attribute can take one of the following values:
    • TRUE: Litigation hold is enabled.
    • FALSE: Litigation hold is disabled.

LitigationHoldOwner (Read)
    Gets the user who enabled litigation hold on the mailbox. This attribute can only be used for informational or reporting purposes.

MacAttachmentFormat (Read, Write)
    Gets or sets the Apple Macintosh operating system attachment format for messages sent to the object.
    This attribute can take the following values:
    • BinHex
    • UuEncode
    • AppleSingle
    • AppleDouble

MailTip (Read, Write)
    Gets or sets the message displayed to senders when they start writing an email message to the object.

MailTipTranslations (Read, Write)
    Gets or sets the MailTip message translations in additional languages.
    This attribute accepts the following format: <LanguageLocale>:<MailTipMessageTranslation>
    NOTE: MailTip message translations cannot be longer than 250 characters.

MessageBodyFormat (Read, Write)
    Gets or sets the message body format for messages sent to the mail user.
    The values this attribute can write depend on the value of the MessageFormat attribute. When the value of MessageFormat is Mime, the MessageBodyFormat attribute can write the following values:
    • Text
    • Html
    • TextAndHtml
    When the value of MessageFormat is Text, the MessageBodyFormat attribute can only write the Text value.

MessageFormat (Read, Write)
    Gets or sets the message format for messages sent to the mail user.
    This attribute can take the following values:
    • Text
    • Mime

ModeratedBy (Read, Write)
    Gets or sets the users who moderate the messages sent to the object.
    TIP: To specify multiple users as moderators, use a comma as the separator.
    NOTE: This reference attribute is required if you set the value of the ModerationEnabled attribute to TRUE.
    This reference attribute accepts the following object types:
    • Mailbox
    • MailUser

ModerationEnabled (Read, Write)
    Gets or sets whether moderation is enabled for the object.
    This attribute can take one of the following values:
    • TRUE
    • FALSE

Name (Read, Write)
    Gets or sets the name of the object.

ObjectID (Read)
    Gets the globally unique object identifier (GUID) of the object.

Password (Write)
    Sets the password for the mail user.

RejectMessagesFrom (Read, Write)
    Gets or sets the senders whose messages to the object are rejected.
    This reference attribute can take senders in any of the following formats:
    • Alias
    • Canonical name
    • Display name
    • DN
    • GUID
    • Name
    • Legacy Exchange DN
    • Primary SMTP email address
    This reference attribute accepts the following object types:
    • Contact
    • Mailbox

RejectMessagesFromDLMembers (Read, Write)
    Gets or sets the distribution groups whose members cannot send email messages to the object (their messages are rejected).
    This reference attribute can take distribution groups in any of the following formats:
    • Alias
    • Canonical name
    • Display name
    • DN
    • GUID
    • Legacy Exchange DN
    • Name
    • Primary SMTP email address
    This reference attribute accepts the following object types:
    • DistributionGroup
    • DynamicDistributionGroup

RequireSenderAuthenticationEnabled (Read, Write)
    Gets or sets whether senders must be authenticated to send messages to this object.
    This attribute can take one of the following values:
    • TRUE: Messages sent to this object must come from authenticated senders.
    • FALSE: No sender authentication is required.

RetainDeletedItemsFor (Read)
    Gets for how long deleted items are kept for the mail user.
    This attribute accepts a value in the following format: DD.HH:MM:SS
    For example, a value of 10.00:00:00 means that deleted items are retained for 10 days.

RetentionComment (Read)
    Gets the comment on the hold status of the mail user. This comment is displayed in Outlook.

RetentionHoldEnabled (Read)
    Gets whether retention hold is enabled for messaging retention policies.
    This attribute can take one of the following values:
    • TRUE: Retention hold is enabled.
    • FALSE: Retention hold is disabled.

RetentionUrl (Read)
    Gets the URL of the web page providing additional details about the messaging retention policies in effect within the organization.

SecondaryAddress (Write)
    Sets the secondary address for the object if it has Unified Messaging enabled.

SecondaryDialPlan (Write)
    Sets the secondary Unified Messaging dial plan for the object.

SendModerationNotifications (Read, Write)
    Gets or sets whether to send status notifications to users when a message they sent to the moderated object is rejected by a moderator.
    This attribute can take one of the following values:
    • Always: Notifications are sent to all senders.
    • Internal: Notifications are sent only to senders internal to your organization.
    • Never: All status notifications are disabled.

SimpleDisplayName (Read, Write)
    Gets or sets an alternate description of the object for use where only a limited set of characters is allowed. The limited set of characters includes ASCII characters 26 to 126.

SingleItemRecoveryEnabled (Read)
    Gets whether single item recovery is enabled, that is, whether purging of recoverable items is prevented.
    This attribute can take one of the following values:
    • TRUE: Purging of recoverable items is disabled.
    • FALSE: Purging of recoverable items is enabled.

StartDateForRetentionHold (Read)
    Gets the start date of the retention hold.
    TIP: To use this attribute, you must set the RetentionHoldEnabled attribute to TRUE.

UMDtmfMap (Read, Write)
    Gets or sets whether to create a user-defined DTMF map for the object if it has Unified Messaging enabled.

UsageLocation (Read)
    Gets a two-letter country code (for example, FR, GB or NL) that defines the location of the user. The usage location determines the services available to the user.

UseMapiRichTextFormat (Read, Write)
    Gets or sets the format used for MAPI Rich Text Format messages sent to the object.
    This attribute can take one of the following values:
    • Never: Converts all messages sent to the object to plain text.
    • Always: Always uses MAPI Rich Text Format (RTF) for the messages sent to the object.
    • UseDefaultSettings: Uses the message format set in the MAPI client that sent the message to the object.
    NOTE: You can only write data by using this attribute when updating an existing object in Office 365.

UsePreferMessageFormat Gets or sets whether the Read, Write


message format specified for
the object overrides any
global settings (for example,
those configured for the
remote domain).
This attribute can take one of
the following values:

l TRUE: Specifies that the


message format set for
the object overrides
any global settings.
l FALSE: Specifies that
global settings have
precedence over the

Active Roles 8.0 LTS Synchronization Service Administration Guide


311
Connections to external data systems
Attribute Description Supported
operations

mail format set for the


object.

UserPrincipalName Gets or sets the user principal Read, Write


name (UPN) of the mail user.

WindowsEmailAddress Gets or sets the email Read, Write


address of the object stored
in Active Directory.

PresencePolicy object attributes supported for Microsoft 365 data synchronization

The Office 365 Connector supports the following PresencePolicy attributes for synchronization.

Table 100: PresencePolicy attributes

Attribute (supported operations): description

Anchor (Read): Gets the Anchor property value of the object.
Description (Read): Gets the description of the object.
Identity (Read): Gets the unique identifier assigned to the object.
Members (Read): Gets the users who have been assigned to the object.
ObjectID (Read): Gets the globally unique object identifier (GUID) of the object.

SecurityGroup object attributes supported for Microsoft 365 data synchronization

The Office 365 Connector supports the following SecurityGroup attributes for synchronization.

Table 101: SecurityGroup attributes

Attribute (supported operations): description

Description (Read, Write): Gets or sets the description of the object.
DisplayName (Read, Write): Gets or sets the display name used in Microsoft 365 for the object.
Members (Read, Write): Gets or sets the users who have been assigned to the security group.
ObjectID (Read): Gets the globally unique object identifier (GUID) of the object.

SPOSite object attributes supported for Microsoft 365 data synchronization

The Office 365 Connector supports the following SharePoint Online Site (SPOSite) attributes for synchronization.

Table 102: SPOSite attributes

Attribute (supported operations): description

AllowSelfServiceUpgrade (Read, Write): Gets or sets whether site collection administrators can upgrade this site collection.

CompatibilityLevel (Read): Gets the major version number of the site collection. This version number is used to perform compatibility checks.

Groups (Read, Write): Gets or sets the site collection groups.
  NOTE: This attribute is required to create a site collection in SharePoint Online.

LastContentModifiedDate (Read): Gets the date when the site collection content was last modified.

LocaleId (Read, Write): Gets or sets the Locale ID (LCID) of the site collection.

LockIssue (Read): Gets the comment of the site collection lock.

LockState (Read, Write): Gets or sets the lock state of the site collection. This attribute can take one of the following values:
  • NoAccess: All traffic to the site collection is blocked. Traffic to sites with this lock state is redirected to the URL set with the NoAccessRedirectUrl attribute of the SPOTenant object. If no URL is set in that attribute, a 404 error is returned.
  • Unlock: All traffic to the site collection is allowed.

ObjectID (Read): Gets the globally unique object identifier (GUID) of the object.

Owner (Read, Write): Gets or sets the owner of the site collection.
  NOTE: This attribute is required to create a site collection in SharePoint Online.

ResourceQuota (Read, Write): Gets or sets the server resource quota for the object.

ResourceQuotaWarningLevel (Read, Write): Gets or sets the warning level for the site collection. When the resource usage for the site collection reaches the specified warning level, a notification email is sent.

ResourceUsageAverage (Read): Gets the average resource usage for the site collection.

ResourceUsageCurrent (Read): Gets the current resource usage for the site collection.

Status (Read, Write): Gets or sets whether the SharePoint Online site is verified with Microsoft 365. This attribute can take one of the following values:
  • Verified: Indicates that the object is verified.
  • Unverified: Indicates that the object is not verified.

StorageQuota (Read, Write): Gets or sets the storage quota limit for the object.
  NOTE: This attribute is required to create a site collection in SharePoint Online.

StorageQuotaWarningLevel (Read, Write): Gets or sets the storage warning level for the site collection.
  NOTE: This attribute is required to create a site collection in SharePoint Online.

StorageUsageCurrent (Read): Gets the current storage usage for the site collection.

Template (Read, Write): Gets or sets the template for the site collection.

TimeZoneId (Read, Write): Gets or sets the identifier of the time zone for the site collection.

Title (Read, Write): Gets or sets the title of the object.

Url (Read, Write): Gets or sets the web site address (URL). In SharePoint Online, you can view the web site address in the site collection properties.
  NOTE: This attribute is required to create a site collection in SharePoint Online.

WebsCount (Read): Gets the number of subsites (webs) in the site collection.

SPOSiteGroup object attributes supported for Microsoft 365 data synchronization

The Office 365 Connector supports the following SharePoint Site Group (SPOSiteGroup) attributes for synchronization.

Table 103: SPOSiteGroup attributes

Attribute (supported operations): description

LoginName (Read, Write): Gets or sets the login name of the object.
ObjectID (Read): Gets the globally unique object identifier (GUID) of the object.
Owner (Read, Write): Gets or sets the owner of the site group.
PermissionLevels (Read, Write): Gets or sets permission levels for the site group.
Site (Read, Write): Gets or sets the name of the site collection to which the site group belongs.
Users (Read, Write): Gets or sets the users included in the site group.

SPOWebTemplate object attributes supported for Microsoft 365 data synchronization

The Office 365 Connector supports the following SharePoint Web Template (SPOWebTemplate) attributes for synchronization.

Table 104: SPOWebTemplate attributes

Attribute (supported operations): description

CompatibilityLevel (Read): Gets the compatibility level of the web template. This version number is used to perform compatibility checks.
Description (Read): Gets the description of the object.
DisplayCategory (Read): Gets the name of the category to which the web template belongs.
LocaleID (Read): Gets the locale ID (LCID) of the web template.
Name (Read): Gets the name of the web template.
ObjectID (Read): Gets the globally unique object identifier (GUID) of the object.
Title (Read): Gets the title of the web template.

SPOTenant object attributes supported for Microsoft 365 data synchronization

The Office 365 Connector supports the following SharePoint Online tenant (SPOTenant) attributes for synchronization. Write operations on SPOTenant attributes are supported only when updating the tenant object, not when creating one.

Table 105: SPOTenant attributes

Attribute (supported operations): description

ExternalServicesEnabled (Read, Write (update only)): Gets or sets whether external services are enabled for the SharePoint Online tenant.
MinCompatibilityLevel (Read, Write (update only)): Gets or sets the minimum compatibility level for new sites.
NoAccessRedirectUrl (Read, Write (update only)): Gets or sets the redirect URL for SPOSite objects whose LockState attribute value is set to NoAccess.
ObjectID (Read): Gets the globally unique object identifier (GUID) of the object.
ResourceQuota (Read, Write (update only)): Gets or sets the server resource quota for the object.
ResourceQuotaAllocated (Read, Write (update only)): Gets or sets the server resource quota limit for the SharePoint Online tenant organization.
StorageQuota (Read, Write (update only)): Gets or sets the storage quota limit for the object.
StorageQuotaAllocated (Read, Write (update only)): Gets or sets the storage quota limit for the SharePoint Online tenant organization.

User object attributes supported for Microsoft 365 data synchronization

The Office 365 Connector supports the following User object attributes for synchronization.

License plan and Service attributes

The following attributes allow you to get or set the license plans and services available to the user in Microsoft 365. The attributes support both Read and Write operations.
The names and display names of these attributes are formed dynamically according to the following patterns:

Table 106: Naming patterns for attributes

Attribute display name
  Naming pattern: <LicensePlanNameOnGUI> - <ServiceNameOnGUI>
  In this pattern:
  • LicensePlanNameOnGUI is the license plan name as it is displayed on the Microsoft 365 user interface.
  • ServiceNameOnGUI is the service name as it is displayed below the corresponding license plan on the Microsoft 365 user interface.
  Examples:
  • Microsoft Office 365 Plan E3 - Office Web Apps
  • Microsoft Office 365 Plan K2 - Exchange Online Kiosk

Attribute name
  Naming pattern: <LicensePlanName>-<ServiceName>
  In this pattern:
  • LicensePlanName is the license plan name in the form used by the Microsoft 365 cmdlets for Windows PowerShell.
  • ServiceName is the service name in the corresponding license plan, in the form used by the Microsoft 365 cmdlets for Windows PowerShell.
  Examples:
  • ENTERPRISEPACK-SHAREPOINTWAC
  • DESKLESSWOFFPACK-EXCHANGE_S_DESKLESS

These attributes can take one of the following values:

• True: The service is selected in the corresponding license plan in Microsoft 365.
• False: The service is not selected in the corresponding license plan in Microsoft 365.

TIP: You can modify the display names of Microsoft 365 license plans and services that appear in the Active Roles Synchronization Service Console. For more information, see Changing the display names of synchronized Microsoft 365 licenses and services.

Other attributes

The following attributes contain additional information and settings regarding the users in your Microsoft 365 organization.

Table 107: Other attributes

Attribute (supported operations): description

AllowUMCallsFromNonUsers (Read, Write): Gets or sets whether to exclude or include the object in directory searches. This attribute can take one of the following values:
  • None: Excludes the object from directory searches.
  • SearchEnabled: Includes the object in directory searches.

AlternateEmailAddresses (Read, Write): Gets or sets the alternate email addresses of the user.

AssistantName (Read, Write): Gets or sets the name of the assistant associated with the object.

BlockCredential (Read, Write): Gets or sets whether the user can sign in and use the Microsoft 365 services. This attribute can take one of the following values:
  • TRUE: Disables the Microsoft Online Services ID of the user to block their access to the Microsoft 365 services.
  • FALSE (default): The user can sign in and use the Microsoft 365 services of your organization.

City (Read, Write): Gets or sets the city associated with the object.

Company (Read, Write): Gets or sets the company associated with the object.

Country (Read, Write): Gets or sets the country of the user.

CountryOrRegion (Read, Write): Gets or sets the country or region associated with the object.

Department (Read, Write): Gets or sets the department associated with the object.

DisplayName (Read, Write): Gets or sets the display name used in Microsoft 365 for the object.

Fax (Read, Write): Gets or sets the fax number of the object.

FirstName (Read, Write): Gets or sets the first name of the object.

ForceChangePassword (Write): Sets whether the user is forced to change their password the next time they sign in to Microsoft 365. This attribute can take one of the following values:
  • TRUE: The user must change their password the next time they sign in to Microsoft 365.
  • FALSE (default): No password change is required.
  NOTE: To write data using this attribute, you must also write data using the Password attribute at the same time.

HomePhone (Read, Write): Gets or sets the home phone number associated with the object.

ImmutableId (Read, Write): Gets or sets a unique immutable ID in the form of an SMTP address. This ID is used to verify the identity of the Active Directory user when the user accesses Microsoft 365 using single sign-on.
  NOTE: The Office 365 Connector can read the value of this attribute only if it is stored in Microsoft 365 in base64 encoding. If the attribute value is stored in any other format, the connector returns an error when reading that value.

Initials (Read, Write): Gets or sets the initials associated with the object.

LastName (Read, Write): Gets or sets the last name of the object.

LiveID (Read): Gets the unique login ID of the user.

MailboxId (Read): Gets the GUID of the mailbox associated with the user.

Manager (Read, Write): Gets or sets the manager of the object.

MobilePhone (Read, Write): Gets or sets the mobile phone number associated with the object.

Name (Read, Write): Gets or sets the name of the object.

Notes (Read, Write): Gets or sets notes about the object.

ObjectID (Read): Gets the globally unique object identifier (GUID) of the object.

Office (Read, Write): Gets or sets the company office location associated with the object.

OtherFax (Read, Write): Gets or sets the alternate fax number of the object.

OtherHomePhone (Read, Write): Gets or sets the alternate home phone number of the object.

OtherTelephone (Read, Write): Gets or sets the alternate phone number of the user.

Pager (Read, Write): Gets or sets the pager number of the object.

Password (Write): Sets the password of the user.

PasswordNeverExpires (Read, Write): Gets or sets whether the password of the user periodically expires. This attribute can take one of the following values:
  • TRUE (default): The user password never expires.
  • FALSE: The user password periodically expires.

Phone (Read, Write): Gets or sets the work phone number of the object.

PhoneNumber (Read, Write): Gets or sets the phone number of the user.

PhoneticDisplayName (Read, Write): Gets or sets the phonetic pronunciation of the DisplayName attribute value of the object.

PostalCode (Read, Write): Gets or sets the postal code of the object.

PostOfficeBox (Read, Write): Gets or sets the post office box number of the object.

PreferredLanguage (Read, Write): Gets or sets the preferred language of the user.

RemotePowerShellEnabled (Read, Write): Gets or sets whether remote Windows PowerShell cmdlets are available to the user. This attribute can take one of the following values:
  • TRUE: Remote PowerShell cmdlets are available to the user.
  • FALSE: No remote PowerShell cmdlets are available to the user.

ResetPasswordOnNextLogon (Read, Write): Gets or sets whether the user must reset their password at their next logon. This attribute can take one of the following values:
  • TRUE: The user must change their password on their next logon.
  • FALSE: No password change will be required.

SimpleDisplayName (Read, Write): Gets or sets an alternate description of the object if only a limited set of characters is allowed. The limited set of characters includes ASCII characters 26–126.

State (Read, Write): Gets or sets the state where the user is located.

StateOrProvince (Read, Write): Gets or sets the state or province information of the object.

StreetAddress (Read, Write): Gets or sets the street address information of the object.

Title (Read, Write): Gets or sets the title of the object.

UMDtmfMap (Read, Write): Gets or sets whether to create a user-defined DTMF map for the object if it has Unified Messaging enabled.

UsageLocation (Read, Write): Gets or sets a two-letter country code (for example, FR, GB or NL) that defines the location of the user. The usage location determines the services available to the user.

UserPrincipalName (Read, Write): Gets or sets the Microsoft Online Services ID of the user.

WebPage (Read, Write): Gets or sets the web page contact information of the object.

WindowsEmailAddress (Read, Write): Gets or sets the email address of the object stored in Active Directory.

VoicePolicy object attributes supported for Microsoft 365 data synchronization

The Office 365 Connector supports the following VoicePolicy object attributes for synchronization.

Table 108: VoicePolicy attributes

Attribute (supported operations): description

Anchor (Read): Gets the Anchor property value of the object.
Description (Read): Gets the description of the object.
Identity (Read): Gets the unique identifier assigned to the object.
Members (Read): Gets the users who have been assigned to the object.
ObjectID (Read): Gets the globally unique object identifier (GUID) of the object.

Microsoft 365 Group attributes supported for Microsoft 365 data synchronization

The Office 365 Connector supports the following Microsoft 365 Group object attributes for synchronization.

Table 109: Office 365 group attributes

Attribute (supported operations): description

AcceptMessagesOnlyFromSendersOrMembers (Read, Write): Gets or sets the senders who can send email messages to the object. Senders can be specified in any of the following formats:
  • Name
  • Alias
  • Distinguished name (DN)
  • Email address

AccessType (Read, Write): Gets or sets the privacy type for the Microsoft 365 group. The acceptable values are:
  • Public
  • Private

Alias (Read, Write): Gets or sets the alias of the object.

AlwaysSubscribeMembersToCalendarEvents (Read, Write): Gets or sets the default subscription settings of new members added to the Microsoft 365 group.

AuditLogAgeLimit (Read, Write): Gets or sets the retention period for the mailbox audit logs. Logs whose age exceeds the specified retention period will be deleted. This attribute accepts the retention period in the format DD.HH:MM:SS. The maximum value the attribute can accept is 24855.03:14:07.
  Examples of use:
  • A value of 30.05:00:00 retains mailbox audit logs for 30 days and 5 hours.
  • A value of 00.00:00:00 retains mailbox audit logs indefinitely; they will never be deleted.

AutoSubscribeNewMembers (Read, Write): Gets or sets whether new members added to the Microsoft 365 group are automatically subscribed to conversations and calendar events.

CalendarMemberReadOnly (Read): Gets whether the Microsoft 365 group members have read-only Calendar permissions.

Classification (Read): Gets the classification for the Microsoft 365 group.

CustomAttribute1 to CustomAttribute9 (Read, Write): Gets or sets the additional custom values you specified.

DataEncryptionPolicy (Read): Gets the data encryption policy applied to the Microsoft 365 group.

DisplayName (Read, Write): Gets or sets the display name used in Microsoft 365 for the object.

EmailAddresses (Read): Gets all the proxy addresses of the Microsoft 365 group. The proxy addresses also include the primary SMTP address.

ExtensionCustomAttribute1 to ExtensionCustomAttribute5 (Read, Write): Gets or sets the additional custom values you specify. These attributes are multivalued.
  TIP: To specify multiple values, use a comma as the separator.

GrantSendOnBehalfTo (Read, Write): Gets or sets the distinguished name (DN) of other senders that can send messages on behalf of the object.

HiddenFromAddressListsEnabled (Read, Write): Gets or sets whether Microsoft 365 hides the object from address lists. This attribute can take one of the following values:
  • TRUE: Hides the object from address lists.
  • FALSE (default): Shows the object in address lists.

HiddenFromExchangeClientsEnabled (Read, Write): Gets or sets whether the Microsoft 365 group is hidden from the Outlook clients connected to Microsoft 365.

Language (Read, Write): Gets or sets the preferred languages for the object in the order of their priority.

MailboxRegion (Read): Gets the geolocation code of the mailbox associated with the Microsoft 365 group.
  NOTE: This attribute is reserved for internal Microsoft use.

MailTip (Read): Gets the message displayed to senders when they start writing an email message to the Microsoft 365 group.

MailTipTranslations (Read): Gets the MailTip message translations in additional languages. This attribute uses the following format:
  <LanguageLocale>:<MailTipMessageTranslation>
  NOTE: MailTip message translations cannot be longer than 250 characters.

MaxReceiveSize (Read, Write): Gets or sets the maximum size of the email messages that can be sent to the Microsoft 365 group.

MaxSendSize (Read, Write): Gets or sets the maximum size of the email messages that can be sent by members of the Microsoft 365 group.

ModeratedBy (Read, Write): Gets or sets the users who are moderating the messages sent to the object.
  TIP: To specify multiple users as moderators, use a comma as the separator.
  NOTE: This reference attribute is required if you set the value of the ModerationEnabled attribute to TRUE.

ModerationEnabled (Read, Write): Gets or sets whether moderation is enabled for the object. This attribute can take one of the following values:
  • TRUE
  • FALSE

Notes (Read, Write): Gets or sets notes about the object.

PrimarySmtpAddress (Read, Write): Gets or sets the primary SMTP email address of the object.
  NOTE: You can use this attribute if the object has two or more SMTP email addresses configured.

RejectMessagesFromSendersOrMembers (Read, Write): Gets or sets the senders that cannot send email messages to the object (their messages will be rejected).

RequireSenderAuthenticationEnabled (Read, Write): Gets or sets whether the senders that send messages to this object must be authenticated. This attribute can take one of the following values:
  • TRUE: Messages sent to this object must be authenticated.
  • FALSE: No message authentication is required.

SubscriptionEnabled (Read, Write): Gets or sets whether subscriptions to conversations and calendar events are enabled for the Microsoft 365 group.

UnifiedGroupWelcomeMessageEnabled (Read, Write): Gets or sets whether system-generated welcome messages will be sent to users who are added as members to the Microsoft 365 group.
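Several attributes in the tables above accept values only in a fixed text format: RetainDeletedItemsFor and AuditLogAgeLimit take a DD.HH:MM:SS retention period (AuditLogAgeLimit with a hard maximum of 24855.03:14:07 and 00.00:00:00 meaning "keep forever"), MailTipTranslations takes <LanguageLocale>:<MailTipMessageTranslation> with a 250-character limit, and ModeratedBy and ExtensionCustomAttribute1 to 5 take comma-separated lists. The connector pushes whatever a mapping rule produces, so it is worth validating such values before a sync run writes them. The following Python is an added example of that validation and is not part of the guide or of the Synchronization Service; the sample values at the bottom are constructed, and the locale check (non-empty, no whitespace) is an assumption, since the guide does not define the locale syntax.

```python
import re

# Format shared by RetainDeletedItemsFor and AuditLogAgeLimit: DD.HH:MM:SS
_TIMESPAN_RE = re.compile(r"^(\d+)\.(\d{2}):(\d{2}):(\d{2})$")

# Largest value Table 109 allows for AuditLogAgeLimit
AUDIT_LOG_AGE_LIMIT_MAX = "24855.03:14:07"

# Maximum MailTip translation length stated in Table 109
MAILTIP_MAX_LEN = 250


def parse_timespan(value):
    """Parse a DD.HH:MM:SS string and return the total number of seconds.

    Raises ValueError for anything that does not match the format exactly
    (for example "7:00:00" without the day part, or an hour field above 23).
    """
    match = _TIMESPAN_RE.match(value.strip())
    if match is None:
        raise ValueError(f"not in DD.HH:MM:SS form: {value!r}")
    days, hours, minutes, seconds = (int(part) for part in match.groups())
    if hours > 23 or minutes > 59 or seconds > 59:
        raise ValueError(f"time part out of range: {value!r}")
    return ((days * 24 + hours) * 60 + minutes) * 60 + seconds


def check_audit_log_age_limit(value):
    """Validate an AuditLogAgeLimit value and return it in seconds.

    A result of 0 corresponds to 00.00:00:00 (logs are retained indefinitely).
    Values above 24855.03:14:07 are rejected before they reach the connector.
    """
    total = parse_timespan(value)
    if total > parse_timespan(AUDIT_LOG_AGE_LIMIT_MAX):
        raise ValueError(f"{value!r} exceeds the maximum {AUDIT_LOG_AGE_LIMIT_MAX}")
    return total


def retains_indefinitely(value):
    """True when the AuditLogAgeLimit value means 'never delete'."""
    return check_audit_log_age_limit(value) == 0


def parse_mailtip_translation(value):
    """Split a <LanguageLocale>:<MailTipMessageTranslation> value.

    Only the first colon separates locale from text, so the translation may
    itself contain colons. The locale must be non-empty and free of whitespace
    (an assumption; the guide does not define the locale syntax), and the
    translation may not exceed 250 characters.
    """
    locale, sep, text = value.partition(":")
    if not sep or not locale or any(ch.isspace() for ch in locale):
        raise ValueError(f"expected <LanguageLocale>:<translation>, got {value!r}")
    if len(text) > MAILTIP_MAX_LEN:
        raise ValueError(
            f"translation for {locale} is {len(text)} characters, limit is {MAILTIP_MAX_LEN}"
        )
    return locale, text


def split_multivalue(value):
    """Split a comma-separated multivalued attribute value (ModeratedBy,
    ExtensionCustomAttribute1..5), trimming whitespace and dropping empties."""
    return [item.strip() for item in value.split(",") if item.strip()]


if __name__ == "__main__":
    # Constructed sample values, not taken from a real tenant
    for sample in ("30.05:00:00", "00.00:00:00", "24855.03:14:08", "7:00:00"):
        try:
            print(sample, "->", check_audit_log_age_limit(sample), "seconds")
        except ValueError as err:
            print(sample, "-> rejected:", err)
    print(parse_mailtip_translation("fr-FR:Ce groupe est modéré: attendez l'approbation"))
    print(split_multivalue("alice@example.com, bob@example.com,"))
```

A rejected value raises before anything is written, which is the behaviour you want in a pre-sync check: a malformed retention period silently falling back to a default, or a MailTip translation truncated by the service, is harder to notice after the fact than a failed validation.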

Changing the display names of synchronized Microsoft 365 licenses and services

You can modify the display names of Microsoft 365 license plans and services that appear in the Active Roles Synchronization Service Console. This is typically required when the name of a license or service changes in the Microsoft 365 user interface, rendering the corresponding attribute display name outdated in the Active Roles Synchronization Service.
These display names are part of the Office 365 Connector schema and are saved in the file O365LicensePlansServices.xml, located in the Synchronization Service installation folder:
%ProgramFiles%\One Identity\Active Roles\8.0 LTS\SyncService

To modify the attribute display names in the Office 365 Connector schema

1. Open the schema file O365LicensePlansServices.xml with an XML or text editor of your choice. The file is located in the Synchronization Service installation folder, at the following location by default:
   %ProgramFiles%\One Identity\Active Roles\8.0 LTS\SyncService
2. In the appropriate XML elements, modify the values of the PlanDisplayName and ServiceDisplayName attributes as necessary. See the following table for more information about the XML elements used in the file:

Table 110: XML elements for M365 license plans and services in the O365LicensePlansServices.xml schema file

<Plan>
  Defines the name and display name of the attribute related to a specific Microsoft 365 license plan in the Office 365 Connector schema. This element has the following attributes:
  • PlanName: The license plan name as it is referred to by the Microsoft 365 cmdlets for Windows PowerShell.
  • PlanDisplayName: The license plan name as it appears in the Active Roles Synchronization Service.
  Example: <Plan PlanName="STANDARDPACK" PlanDisplayName="Microsoft Office 365 Plan E1"/>

<Service>
  Defines the name and display name of the attribute related to a particular Microsoft 365 service in the Office 365 Connector schema. This element has the following attributes:
  • ServiceName: The service name as it is referred to by the Microsoft 365 cmdlets for Windows PowerShell.
  • ServiceDisplayName: The service name as it appears in the Active Roles Synchronization Service.
  Example: <Service ServiceName="OFFICESUBSCRIPTION" ServiceDisplayName="Office Professional Plus" />

3. Save your changes, then close the file.
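The procedure above only changes PlanDisplayName and ServiceDisplayName; PlanName and ServiceName are the PowerShell-side identifiers from which the attribute name in Table 106 (<LicensePlanName>-<ServiceName>) is built, so an edit that touches them changes the attribute names the connector exposes. The following Python is an added example, not code from the guide or from the Synchronization Service, that derives the attribute names and display names of Table 106 from a schema file, applies display-name renames, and checks that the identifiers survived the edit. The sample document is constructed: the <Plan> and <Service> attributes are those of Table 110, but the root element name and the nesting of <Service> under <Plan> are assumptions, since the guide does not show the file layout.

```python
import xml.etree.ElementTree as ET

# Constructed sample of O365LicensePlansServices.xml. The element attributes
# follow Table 110; the root element name and the nesting of <Service> inside
# <Plan> are assumptions made for this example.
SAMPLE_SCHEMA = """\
<LicensePlansServices>
  <Plan PlanName="STANDARDPACK" PlanDisplayName="Microsoft Office 365 Plan E1">
    <Service ServiceName="OFFICESUBSCRIPTION" ServiceDisplayName="Office Professional Plus" />
  </Plan>
  <Plan PlanName="ENTERPRISEPACK" PlanDisplayName="Microsoft Office 365 Plan E3">
    <Service ServiceName="SHAREPOINTWAC" ServiceDisplayName="Office Web Apps" />
    <Service ServiceName="EXCHANGE_S_ENTERPRISE" ServiceDisplayName="Exchange Online (Plan 2)" />
  </Plan>
</LicensePlansServices>
"""


def attribute_names(xml_text):
    """Return (attribute name, attribute display name) pairs following the
    naming patterns of Table 106: <LicensePlanName>-<ServiceName> for the
    name and <LicensePlanNameOnGUI> - <ServiceNameOnGUI> for the display name."""
    root = ET.fromstring(xml_text)
    pairs = []
    for plan in root.iter("Plan"):
        for service in plan.iter("Service"):
            name = f"{plan.get('PlanName')}-{service.get('ServiceName')}"
            display = f"{plan.get('PlanDisplayName')} - {service.get('ServiceDisplayName')}"
            pairs.append((name, display))
    return pairs


def rename_display_names(xml_text, plan_renames=None, service_renames=None):
    """Return the schema with PlanDisplayName / ServiceDisplayName values
    replaced according to {PlanName: new display name} and
    {ServiceName: new display name} maps. PlanName and ServiceName are never
    modified: they are the identifiers the attribute name is built from."""
    plan_renames = plan_renames or {}
    service_renames = service_renames or {}
    root = ET.fromstring(xml_text)
    for plan in root.iter("Plan"):
        new_name = plan_renames.get(plan.get("PlanName"))
        if new_name is not None:
            plan.set("PlanDisplayName", new_name)
    for service in root.iter("Service"):
        new_name = service_renames.get(service.get("ServiceName"))
        if new_name is not None:
            service.set("ServiceDisplayName", new_name)
    return ET.tostring(root, encoding="unicode")


def identifiers_unchanged(old_xml, new_xml):
    """Check that an edit changed only display names: the set of
    <PlanName>-<ServiceName> attribute names must be identical before and
    after, otherwise mappings that reference those attributes would break."""
    old_names = sorted(name for name, _ in attribute_names(old_xml))
    new_names = sorted(name for name, _ in attribute_names(new_xml))
    return old_names == new_names


if __name__ == "__main__":
    # Rename a plan and a service display name, as step 2 of the procedure does
    updated = rename_display_names(
        SAMPLE_SCHEMA,
        plan_renames={"ENTERPRISEPACK": "Office 365 E3"},
        service_renames={"SHAREPOINTWAC": "Office for the web"},
    )
    assert identifiers_unchanged(SAMPLE_SCHEMA, updated)
    for name, display in attribute_names(updated):
        print(f"{name:40} {display}")
```

To apply this to the real file, read O365LicensePlansServices.xml from the installation folder named in step 1, pass its contents to rename_display_names, confirm identifiers_unchanged returns True against the original contents, and only then write the result back; keeping a copy of the original file before overwriting it is the sensible precaution, since the connector schema is what every Microsoft 365 license mapping in your connections resolves against.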

Objects and attributes specific to Microsoft 365 services

When configuring the O365 connection settings, you can select the Microsoft 365 services you want to work with, such as SharePoint Online, Exchange Online, or Microsoft Teams. The following table describes the object types and attributes that become available in the Active Roles Synchronization Service Console when you select a particular check box in the connection settings.
NOTE: The objects and object attributes that are not mentioned in the following table are always available in the Active Roles Synchronization Service Console.

Table 111: Objects and attributes specific to Microsoft 365 services

SharePoint Online check box
  • SPOSiteGroup: all attributes
  • SPOWebTemplate: all attributes
  • SPOTenant: all attributes

Exchange Online check box
  • Contact: all attributes
  • DistributionGroup: all attributes
  • DynamicDistributionGroup: all attributes
  • User: the Manager attribute

Microsoft Teams check box
  • ClientPolicy: all attributes
  • ConferencingPolicy: all attributes
  • ExternalAccessPolicy: all attributes
  • HostedVoicemailPolicy: all attributes
  • VoicePolicy: all attributes
  • PresencePolicy: all attributes
  • User: the following attributes:
    AudioVideoDisabled, ClientPolicy, ConferencingPolicy, Enabled, EnterpriseVoiceEnabled, ExchangeArchivingPolicy, ExternalAccessPolicy, HostedVoicemailPolicy, LineURI, LineServerURI, PresencePolicy, PrivateLine, RegistrarPool, RemoteCallControlTelephonyEnabled, SipAddress, VoicePolicy

How the Office 365 Connector works with data

To read and write data in Microsoft 365, the Office 365 Connector relies on the cmdlets of the following Windows PowerShell modules:

• Microsoft Azure Active Directory Module for Windows PowerShell (previously known as Microsoft Online Services Module for Windows PowerShell)
• PowerShell Module for Microsoft Teams
• SharePoint Online Management Shell

As a result, the connector can only work with data supported by the cmdlets of these PowerShell modules.

NOTE: Due to its reliance on the above PowerShell modules, the Office 365 Connector cannot read or write the data of:

• Objects written to Microsoft 365 by the Microsoft Azure Active Directory Sync tool.
• Password hashes.

Configuring data synchronization with the Microsoft Azure AD Connector

With the Microsoft Azure AD Connector, you can configure data synchronization connections toward Microsoft Azure Active Directory (Azure AD).
The Microsoft Azure AD Connector supports the following features:

Table 112: Supported features

Feature: Supported

Bidirectional synchronization: Yes
  Specifies whether you can both read and write data in the connected data system.

Delta processing mode: No
  Specifies whether the connection can process only the data that has changed in the connected data system since the last synchronization operation. This reduces the overall synchronization duration.

Password synchronization: No
  Specifies whether you can synchronize user passwords from an Active Directory (AD) domain to the connected data system.

Secure Sockets Layer (SSL) data encryption: Yes
  Specifies whether the connector can use SSL to encrypt data transmitted between Active Roles Synchronization Service and the connected data system.

Configuring a Microsoft Azure AD connection

To create a connection to Microsoft Azure Active Directory (Azure AD) with the Microsoft
Azure AD Connector, you must perform two procedures:

1. Configure Active Roles Synchronization Service as an Azure application in your
Microsoft Azure AD organization. For more information on this procedure, see
Configuring the Microsoft Azure AD Connector as an Azure application for data
synchronization.
2. Configure the Microsoft Azure AD Connector in the Active Roles Synchronization
Service console. For more information, see Creating a connection with the Microsoft
Azure AD Connector.

Configuring the Microsoft Azure AD Connector as an Azure application for data synchronization

To enable the Microsoft Azure AD Connector of the Active Roles Synchronization
Service to read and write data in Microsoft Azure Active Directory (Azure AD), you must
configure the connector as an Azure application in your Microsoft Azure AD environment.

Prerequisites

To assign all required permissions to the application, you must install the Azure AD
PowerShell module. For more information on how to install the module, see Install Azure
Active Directory PowerShell for Graph in the Microsoft Azure documentation, or download
the module manually.

To configure Microsoft Azure AD Connector as an Azure application

1. In the Azure Portal, register a new application in the domain of your Microsoft Azure
AD environment where you want to perform data synchronization. For more
information, see Register an application with the Microsoft identity platform in the
Microsoft Azure documentation.
2. Assign the required permissions to the application via a Windows PowerShell script,
so that the Microsoft Azure AD Connector of the Active Roles Synchronization
Service can read and write data in Microsoft Azure AD. To do so, adapt and run the
following Windows PowerShell script.

Example PowerShell Script to assign permissions to Microsoft Azure AD Connector

    # Replace <ClientId> with the Client ID of the Active Roles Azure AD
    # Connector application (example format: 455ad643-332g-32h7-q004-8ba89ce65ae26)
    $Id = "<ClientId>"

    # Prompt for Microsoft Azure AD Global Admin credentials and
    # save the supplied credentials to the $creds variable.
    $creds = Get-Credential

    # Connect to Azure AD using the credentials stored in $creds.
    Connect-AzureAD -Credential $creds

    # Get the service principal of the Active Roles Azure AD Connector
    # application (matched by its Client ID) and save it to $servicePrincipal.
    $servicePrincipal = Get-AzureADServicePrincipal -All $true |
        Where-Object { $_.AppId -eq $Id }
    if (-not $servicePrincipal) {
        throw "No service principal found for application ID $Id."
    }

    # Get the object ID of the 'Company Administrator' directory role (the
    # name the AzureAD module uses for Global Administrator) and save it to $roleId.
    $roleId = (Get-AzureADDirectoryRole |
        Where-Object { $_.DisplayName -eq 'Company Administrator' }).ObjectId
    if (-not $roleId) {
        throw "The 'Company Administrator' directory role is not activated in this tenant."
    }

    # Assign the required permissions to the Active Roles Azure AD Connector
    # application by adding its service principal to the role.
    Add-AzureADDirectoryRoleMember -ObjectId $roleId -RefObjectId $servicePrincipal.ObjectId

3. In the Azure Portal, open the application you created and take note of the following
information:
• Client ID
• Valid key of the application
This information will be required when configuring the Microsoft Azure AD
Connector as described in Creating a connection with the Microsoft Azure AD
Connector.

Creating a connection with the Microsoft Azure AD Connector

You can configure an Active Roles Synchronization Service connection to your
Microsoft Azure Active Directory (Azure AD) environment with the Microsoft Azure
AD Connector.

Prerequisites

An Azure application with the required permissions for Microsoft Azure AD Connector
must exist in the Azure AD environment where you want to perform data synchronization.
For more information on configuring an Azure application and the required permissions,
see Configuring the Microsoft Azure AD Connector as an Azure application for data
synchronization.

To create a new Microsoft Azure AD Connector connection

1. In the Active Roles Synchronization Service Console, navigate to Connections >
Add Connection.

Figure 5: Active Roles Synchronization Service Console – Adding a new
connection via Connections > Add connection

2. In the Name connection and select connector step, specify a custom
Connection name. Then from the Use the specified connector drop-down list,
select Microsoft Azure AD Connector and click Next.
3. On the Specify connection settings page, configure the following options:
• Azure AD domain: Specify the domain name of the Azure AD environment
where you want to perform data synchronization.
• Client ID: Specify the client ID you took note of in Configuring the Microsoft
Azure AD Connector as an Azure application for data synchronization.
• Key: Specify the application key you took note of in Configuring the Microsoft
Azure AD Connector as an Azure application for data synchronization.
4. To verify that the specified authentication settings are correct, click Test
Connection. If testing fails, then:
• Check your network connectivity.
• Check if the Microsoft Azure service is available.
• Make sure that the specified Azure AD domain, Client ID and Key settings
are correct.
5. If testing completed successfully, create the new Microsoft Azure AD connection by
clicking Finish.

Viewing or modifying a Microsoft Azure AD
connection
You can view or modify an existing connection based on the Microsoft Azure AD
Connector with the Active Roles Synchronization Service Console. Modifying a Microsoft
Azure AD Connector connection is typically required if any change occurs in the Azure
application or the Azure AD environment to which the Active Roles Synchronization Service
connection was originally configured.

To view or modify an existing Microsoft Azure AD Connector connection

1. In the Active Roles Synchronization Service Console, click Connections.
2. On the Connections page, search for the connection that uses the Microsoft Azure
AD Connector, and click Connection settings.
3. On the Connection Settings tab, click Specify connection settings and view or
modify the following settings as required:
• Azure AD domain: Specify the domain name of the Azure AD environment
where you want to perform data synchronization.
• Client ID: Specify the client ID you took note of in Configuring the Microsoft
Azure AD Connector as an Azure application for data synchronization.
• Key: Specify the application key you took note of in Configuring the Microsoft
Azure AD Connector as an Azure application for data synchronization.
4. To verify that the specified authentication settings are correct, click Test
Connection. If testing fails, then:
• Check your network connectivity.
• Check if the Microsoft Azure service is available.
• Make sure that the specified Azure AD domain, Client ID and Key settings
are correct.
5. To apply your changes, click Save.

Microsoft Azure AD object types supported for data synchronization

The Microsoft Azure AD Connector supports several user and group object attributes
for data synchronization. The following tables list all supported user and group objects,
along with the operations you can perform on them.

Table 113: Supported objects and operations

Object    Read    Create    Delete    Update
User      Yes     Yes       Yes       Yes
Group     Yes     Yes       Yes       Yes

NOTE: When configuring a data synchronization mapping rule with the Microsoft Azure
AD Connector, consider that the following User and Group attributes are currently not
supported and cannot be queried via the Microsoft Graph API:

• User attributes:
  • aboutMe
  • birthday
  • contacts
  • hireDate
  • interests
  • mySite
  • officeLocation
  • pastProjects
  • preferredName
  • responsibilities
  • schools
  • skills
• Group attributes:
  • acceptedSenders
  • allowExternalSenders
  • autoSubscribeNewMembers
  • hasMembersWithLicenseErrors
  • hideFromAddressLists
  • hideFromOutlookClients
  • isSubscribedByMail
  • membersWithLicenseErrors
  • rejectedSenders
  • unseenCount

This means that although these user and group attributes are visible, they cannot be set
in a mapping rule.

Microsoft Azure AD user attributes supported for data synchronization

The Microsoft Azure AD Connector of the Active Roles Synchronization Service
supports the following Azure Active Directory (Azure AD) user attributes for data
synchronization.
NOTE: When configuring a data synchronization mapping rule with the Microsoft Azure
AD Connector, consider that the following user attributes are currently not supported
and cannot be queried via the Microsoft Graph API:
• aboutMe
• birthday
• contacts
• hireDate
• interests
• mySite
• officeLocation
• pastProjects
• preferredName
• responsibilities
• schools
• skills

This means that although these user attributes are visible, they cannot be set in a
mapping rule.

Table 114: Azure AD user attributes supported for data synchronization

Attribute                    Description                                                Supported operations
accountEnabled               Gets or sets whether the user account is enabled.          Read, Write
                             NOTE: This attribute is required when creating a user.
assignedLicenses             Gets the licenses assigned to the user.                    Read
assignedPlans                Gets the plans assigned to the user.                       Read
city                         Gets or sets the user city.                                Read, Write
country                      Gets or sets the user country.                             Read, Write
department                   Gets or sets the user department.                          Read, Write
dirSyncEnabled               Gets or sets whether the user was synchronized from the    Read, Write
                             on-premises Active Directory Domain Services (AD DS).
directReports                Gets the direct reports of the user.                       Read
displayName                  Gets or sets the user name in the address book.            Read, Write
                             NOTE: This attribute is required when creating a user.
facsimileTelephoneNumber     Gets or sets the user fax number.                          Read, Write
givenName                    Gets or sets the given name of the user.                   Read, Write
jobTitle                     Gets or sets the user job title.                           Read, Write
lastDirSyncTime              Gets the time when the user was last synchronized with     Read
                             the on-premises AD DS.
mail                         Gets or sets the primary e-mail address of the user.       Read, Write
mailNickName                 Gets or sets the mail alias of the user.                   Read, Write
                             NOTE: This attribute is required when creating a user.
manager                      Gets or sets the manager of the user.                      Read, Write
memberOf                     Gets the group membership of the user.                     Read
mobile                       Gets or sets the mobile phone number of the user.          Read, Write
objectId                     Gets the unique identifier of the user.                    Read
objectType                   Gets the object type of the user.                          Read
otherMails                   Gets or sets other e-mail addresses for the user.          Read, Write
passwordPolicies             Gets or sets password policies applicable to the user.     Read, Write
passwordProfile              Gets or sets the password profile of the user.             Read, Write
                             NOTE: This attribute is required when creating a user.
physicalDeliveryOfficeName   Gets or sets the office location of the user.              Read, Write
postalCode                   Gets or sets the postal code of the user.                  Read, Write
preferredLanguage            Gets or sets the preferred language of the user.           Read, Write
provisionedPlans             Gets the provisioned plans of the user.                    Read
provisioningErrors           Gets the errors encountered when provisioning the user.    Read
proxyAddresses               Gets the known address entries of the user.                Read
state                        Gets or sets the state or province of the user.            Read, Write
streetAddress                Gets or sets the street address of the user.               Read, Write
surname                      Gets or sets the family name of the user.                  Read, Write
telephoneNumber              Gets or sets the telephone number of the user.             Read, Write
thumbnailPhoto               Gets or sets the thumbnail photo of the user.              Read, Write
usageLocation                Gets or sets the usage location, that is, the              Read, Write
                             geographical location where the user is located and
                             operating from.
userPrincipalName            Gets or sets the user principal name of the user.          Read, Write
                             NOTE: This attribute is required when creating a user.

Microsoft Azure AD group attributes supported for data synchronization

The Microsoft Azure AD Connector of the Active Roles Synchronization Service
supports the following Azure Active Directory (Azure AD) group attributes for data
synchronization.
NOTE: When configuring a data synchronization mapping rule with the Microsoft Azure
AD Connector, consider that the following group attributes are currently not supported
and cannot be queried via the Microsoft Graph API:
• acceptedSenders
• allowExternalSenders
• autoSubscribeNewMembers
• hasMembersWithLicenseErrors
• hideFromAddressLists
• hideFromOutlookClients
• isSubscribedByMail
• membersWithLicenseErrors
• rejectedSenders
• unseenCount

This means that although these group attributes are visible, they cannot be set in a
mapping rule.

Table 115: Azure AD group attributes supported for data synchronization

Attribute            Description                                                    Supported operations
description          Gets or sets the group description.                            Read, Write
dirSyncEnabled       Gets whether the group was synchronized from the on-premises   Read
                     Active Directory Domain Services (AD DS).
displayName          Gets or sets the display name of the group.                    Read, Write
                     NOTE: This attribute is required when creating a group.
lastDirSyncTime      Gets the time when the group was last synchronized with the    Read
                     on-premises AD DS.
mail                 Gets or sets the e-mail address of the group.                  Read, Write
mailEnabled          Gets or sets whether the group is mail-enabled.                Read, Write
                     NOTE: This attribute is required when creating a group.
mailNickName         Gets or sets the mail alias of the group.                      Read, Write
                     NOTE: This attribute is required when creating a group.
members              Gets or sets the members of the group.                         Read, Write
objectId             Gets the unique identifier of the group.                       Read
objectType           Gets the object type of the group.                             Read
provisioningErrors   Gets the errors encountered when provisioning the group.       Read
proxyAddresses       Gets the known address entries of the group.                   Read
securityEnabled      Gets or sets whether the group is a security group.            Read, Write
                     NOTE: This attribute is required when creating a group.
Configuring data synchronization with the SCIM Connector

With the SCIM Connector, you can configure inbound data synchronization connections
for the following SCIM-based One Identity Starling Connect connectors:

• PingOne
• Workday HR

NOTE: Consider the following when planning to configure a connection with the
SCIM Connector:

• The SCIM Connector is tested to support the Starling Connect PingOne and
Workday HR connectors. To configure a connection for import-based workflows to
the SCIM 2.0-based SuccessFactors HR 8.0 or ServiceNow 2.0 Starling connectors,
use the Generic SCIM Connector instead. For more information, see Configuring
data synchronization with the Generic SCIM Connector.
• The SCIM Connector supports only the standard schema of the SCIM protocol. It
does not support extended schemas, and therefore cannot handle user-made
custom attributes.

For the list of Active Roles Synchronization Service connector features that the SCIM
Connector supports or does not support, see the following table.

Table 116: SCIM Connector – Supported features

Feature                                       Supported
Bidirectional synchronization                 No
  Specifies whether you can both read and write data in the connected data
  system.
Delta processing mode                         No
  Specifies whether the connection can process only the data that has
  changed in the connected data system since the last synchronization
  operation. This reduces the overall synchronization duration.
Password synchronization                      No
  Specifies whether you can synchronize user passwords from an Active
  Directory (AD) domain to the connected data system.
Secure Sockets Layer (SSL) data encryption    Yes
  Specifies whether the connector can use SSL to encrypt data transmitted
  between Active Roles Synchronization Service and the connected data
  system.

For more information on the SCIM protocol, see the official SCIM site, or the following IETF
RFC documents:

• IETF RFC-7642: System for Cross-domain Identity Management: Definitions,
Overview, Concepts, and Requirements
• IETF RFC-7643: System for Cross-domain Identity Management: Core Schema
• IETF RFC-7644: System for Cross-domain Identity Management: Protocol

Creating a SCIM connection

To create a new connection

1. In the Synchronization Service Administration Console, open the Connections tab.
2. Click Add Connection, and then use the following options:
• Connection name. Type a descriptive name for the connection.
• Use the specified connector. Select SCIM Connector.
3. Click Next.
4. On the Add Connection page, select the following options:
• SCIM settings
  • SCIM version. Select the required version of SCIM. The available
  options are V2 and V1.1.
  • SCIM URL. Provide the SCIM URL.
  • Schema URL. Provide the schema URL.
  • Authentication type. Select the authentication type. The available
  options are OAuth, Basic, and API Key.
• Authentication parameters
  Based on the chosen Authentication type, the parameters required for
  authentication also differ.
  Basic
  • User name. Provide the user name.
  • Password. Provide the password used for authentication.
  IMPORTANT: Some of the connectors might use the API key as the User
  name and the API token as the Password. For example, Ping Identity
  uses the API key and API token.
  OAuth
  Depending on the Grant Type selected, the following options are displayed. The
  available options are password, client_credentials, and Bearer_Token.
  • password
    • Token URL. Provide the URL of the token endpoint.
    • User name. Provide the user name.
    • Password. Provide the password.
    • Client id. Provide the client ID used to log in.
    • Client secret. Provide the client secret.
  • client_credentials
    • Token URL. Provide the URL of the token endpoint.
    • Client id. Provide the client ID used to log in.
    • Client secret. Provide the client secret.
  • Bearer_Token
    • Bearer token. Provide the bearer token.
    IMPORTANT: A connection established using the bearer token has
    a time limit, specified by the token provider. After the expiration
    of the time limit, the connection is discontinued. A new token
    must be created to establish a new connection session.
  API_Key
  • Key. Provide the API key.
  • Token. Provide the API token.

5. Click Finish to create a connection to a SCIM connector.

Modifying a SCIM connection

This section assumes that a SCIM connection through which Synchronization Service can
read data has already been created. For more information, see Creating a SCIM connection.

To modify connection settings

1. In the Synchronization Service Administration Console, open the Connections tab.
2. Click Connection settings below the existing SCIM connection you want to modify.
3. On the Connection Settings tab, click the Specify connection settings item to
expand it and update the required settings.
For more information, see Creating a SCIM connection.
4. When you are finished, click Save.

Additional authentication parameters

Allows you to configure additional authentication parameters along with the parameters
specified in the connection settings for authenticating to and querying the source system.

To create a connection with additional authentication parameters

1. In the Synchronization Service Administration Console, open the Connections tab.
2. Click Add Connection, and then use the following options:
• Connection name. Type a descriptive name for the connection.
• Use the specified connector. Select SCIM Connector.
3. Click Next.
4. On the Add Connection page, provide the SCIM settings and Authentication
parameters.
5. Click Add additional parameters to provide additional authentication parameters,
such as a region or organization ID.
6. Provide the additional parameters in either the Plain text parameters or the Masked
parameters field and click OK.
7. Click Finish to create a SCIM connection with the additional authentication parameters.

Supported objects and operations

The following tables provide information about the operations you can perform on these
objects by using a connected system that supports SCIM.

Table 117: Supported objects and operations for SCIM v2.0

Object        Read    Create    Delete    Update
Core user     Yes     Yes       Yes       Yes
Group         Yes     Yes       Yes       Yes
Enterprise    Yes     Yes       Yes       Yes

Table 118: Supported objects and operations for SCIM v1.1

Object    Read    Create    Delete    Update
User      Yes     Yes       Yes       Yes
Group     Yes     Yes       Yes       Yes

User object attributes <TBD>

Table 119: User object attributes

Attribute Description Supported Update


operations

User

Group

Enterprise

Configuring data synchronization with the Generic SCIM Connector

With the Generic SCIM Connector, you can configure inbound data synchronization
connections for the following SCIM 2.0-based One Identity Starling Connect connectors:

• SuccessFactors HR version 8.0
• ServiceNow version 2.0

NOTE: Consider the following when planning to configure a SCIM-based data
synchronization connector:

• While the Generic SCIM Connector may work with other SCIM 2.0-based
Starling Connect connectors whose attribute query semantics are compatible on a
network level with the SuccessFactors HR 8.0 and ServiceNow 2.0 connectors, One
Identity tested it to work only with these two connectors.
• To configure a connection to the PingOne or Workday HR connectors of Starling
Connect, use the SCIM Connector of Active Roles Synchronization Service. For
more information, see Configuring data synchronization with the SCIM Connector.

For the list of Active Roles Synchronization Service connector features that the Generic
SCIM Connector supports or does not support, see the following table.

Table 120: Generic SCIM Connector – Supported features

Feature                                       Supported
Bidirectional synchronization                 No
  Specifies whether you can both read and write data in the connected data
  system.
Delta processing mode                         No
  Specifies whether the connection can process only the data that has
  changed in the connected data system since the last synchronization
  operation. This reduces the overall synchronization duration.
Password synchronization                      No
  Specifies whether you can synchronize user passwords from an Active
  Directory (AD) domain to the connected data system.
Secure Sockets Layer (SSL) data encryption    Yes
  Specifies whether the connector can use SSL to encrypt data transmitted
  between Active Roles Synchronization Service and the connected data
  system.

For more information on the SCIM protocol, see the official SCIM site, or the following IETF
RFC documents:

• IETF RFC-7642: System for Cross-domain Identity Management: Definitions,
Overview, Concepts, and Requirements
• IETF RFC-7643: System for Cross-domain Identity Management: Core Schema
• IETF RFC-7644: System for Cross-domain Identity Management: Protocol

Configuring the Generic SCIM Connector for Starling Connect connections

You can configure an Active Roles Synchronization Service connection to the
SuccessFactors HR 8.0 and ServiceNow 2.0 connectors of Starling Connect with the
Generic SCIM Connector.

Prerequisites

Before configuring the connection, make sure that the following conditions are met:

• Your organization must have an active Starling Connect account.
• The Starling connector to which you want to connect (SuccessFactors HR 8.0 or
ServiceNow 2.0) must be already configured in Starling Connect.
• If your organization is using a proxy server for outbound connections, make sure that
the system level proxy settings are properly configured.
To configure system-level proxy settings, navigate to one of the following Windows
configuration pages:
  • Control Panel > Internet Settings > Connections > LAN Settings
  • Settings > Network and Internet > Proxy

To configure a connection to a Starling Connect connector with the Generic
SCIM Connector

1. In the Active Roles Synchronization Service Console, navigate to Connections >
Add Connection.

Figure 6: Active Roles Synchronization Service Console – Adding a new
connection via Connections > Add connection

2. In the Name connection and select connector step, specify a custom
Connection name. Then, to load the SCIM-specific connector settings, from the
Use the specified connector drop-down list, select Generic: SCIM Connector.

Figure 7: Add Connection – Specifying the connection name and
connector type

3. (Optional) If you plan to use a remote connector for the configured connection,
configure Remote connector access as described in Creating a connection using a
remotely installed connector. To continue, click Next.

4. To continue, click Next.
The Connection settings step of the Generic SCIM Connector appears.

Figure 8: Generic SCIM Connector – General, authentication and
implementation settings

5. Under General settings, specify the base SCIM URL of the Starling Connect
connector to which you want to connect.
TIP: To check the base SCIM URL of the Starling Connect connector, in Starling
Connect, navigate to Connectors > Active Connectors, select the SCIM-based
connector to which you want to connect (SuccessFactors HR or ServiceNow),
then copy the value of the SCIM URL property.
6. Under Authentication settings, to enable the authentication scheme options
required by the supported Starling Connect connectors, select the Starling
authentication scheme, then configure the following settings:
• Token endpoint URL: Specifies the full path of the Starling connector
token endpoint.
TIP: To find the token endpoint URL of the Starling Connect connector, in
Starling Connect, navigate to Connectors > Active Connectors, and copy
the value of the SCIM Token Endpoint URL property.
• Client ID: Specifies the SCIM client ID.

TIP: To find the SCIM client ID of the Starling Connect connector, in Starling
Connect, navigate to Connectors > Active Connectors, and copy the value
of the SCIM Client ID property.
• Client secret: Specifies the SCIM client secret.
TIP: To find the SCIM client secret of the Starling Connect connector, in
Starling Connect, navigate to Connectors > Active Connectors, and copy
the value of the Show SCIM Client Secret text box.
7. Under Implementation plugin, to enable the pre-made connection implementation
for the supported Starling Connect connectors, select Starling batch 1 - v1.0.
NOTE: While the Generic SCIM Connector may work with other SCIM 2.0-based
Starling Connect connectors whose attribute query semantics are compatible on a
network level with the SuccessFactors HR 8.0 and ServiceNow 2.0 connectors, One
Identity tested it to work only with these two connectors.
For the list of SCIM attributes supported by Starling Connect for these connectors,
see the SuccessFactors and ServiceNow chapters of the Starling Connect Active
Roles Administration Guide.
8. (Optional) Configure the following Starling Connect connection settings:
• Import uses direct query: When selected, Active Roles Synchronization
Service queries every synchronized object separately by their ID. One Identity
recommends selecting this setting when configuring a connection to the
Starling Connect ServiceNow 2.0 connector, or similar connectors.
NOTE: Enabling this setting decreases synchronization speed considerably,
but it is required to read all object attributes for Starling Connect ServiceNow
2.0 (or similar) connectors.
However, do not enable this setting when configuring the Generic SCIM
Connector for the Starling Connect SuccessFactors HR connector, as it has
no effect on the results of import data synchronization.
• Max degree of parallelism: If Import uses direct query is enabled, this
setting specifies the maximum number of threads that Active Roles
Synchronization Service can run in parallel for the direct query of each object
in the response list (that is, how many entries can Active Roles Synchronization
Service query simultaneously).
TIP: One Identity recommends testing the value optimal for your
environment, and setting it as low as possible. Specifying a value of 1 means no
parallelism is configured.
NOTE: Consider the following when using this setting:
  • This setting works only if Import uses direct query is enabled.
  Active Roles Synchronization Service will ignore any value specified
  for Max degree of parallelism if Import uses direct query is
  not selected.

  • Setting the value of Max degree of parallelism too high may result
  in connector service instability.
9. Check the implementation plugin information indicated on the screen. Make sure that
the Supported Features, the Target Service Providers and the supported
Starling Connect connector versions will meet the requirements of your planned
mapping rule and/or synchronization workflow.
10. To verify that the specified authentication settings are correct, click Test
Connection.
NOTE: Clicking Test Connection verifies only if the authentication settings for the
SCIM metadata endpoint connection are correct, and if Active Roles
Synchronization Service can fetch the SCIM schemas and query the resourceTypes metadata
from the configured SCIM service.
When testing the connection, Active Roles Synchronization Service does not query
any actual resource objects. Because of this, testing may finish successfully even if
the connection is down between Starling Connect and the third-party service
provider (for example, SuccessFactors HR), preventing the import of actual data
during synchronization later.
TIP: If testing fails, Active Roles Synchronization Service will highlight the settings
that it detects as incorrect. Check and fix those settings, then try again. If testing
fails again, then:
• Check your network connectivity.
• Check if the Starling Connect service is available.
• Make sure that the Starling Connect connector you specified during
configuration is still active and working.
• If you use a proxy server, make sure that the system-level proxy settings
are properly configured.
11. If testing completed successfully, create the new SCIM connection to the Starling
Connect connector by clicking Finish.

Once Active Roles Synchronization Service creates the connection, you can use it to
configure SCIM-based data synchronization by setting up one or more mapping rules and
synchronization workflows.

• For an example SCIM-based mapping rule, see Creating object mapping between a
SCIM connection and an SQL connection.
• For an example SCIM-based synchronization workflow, see Creating a
synchronization workflow for synchronizing data from a SCIM-based Starling
Connect connector.
• For a PowerShell script example for synchronizing complex multi-value objects from
a SCIM source system, see Synchronizing complex multi-value objects from a SCIM
source system.

Viewing or modifying the settings of a Generic SCIM Connector connection
You can view or modify an existing connection based on the Generic SCIM Connector
with the Active Roles Synchronization Service Console. Modifying a Generic SCIM
Connector connection is typically required if any change occurs in the SCIM-based
Starling Connect connectors to which the Active Roles Synchronization Service connection
was originally configured.

To view or modify an existing Generic SCIM Connector connection

1. In the Active Roles Synchronization Service Console, click Connections.
2. In the Connections page, search for the connection you want to modify, then click
Connection settings.
3. (Optional) In General, modify the custom Connection name.
4. (Optional) In Connection Settings, modify the following settings as you need:
l Token endpoint URL: Specifies the full path of the Starling connector
token endpoint.
TIP: To find the token endpoint URL of the Starling Connect connector, in
Starling Connect, navigate to Connectors > Active Connectors, and copy
the value of the SCIM Token Endpoint URL property.
l Client ID: Specifies the SCIM client ID.
TIP: To find the SCIM client ID of the Starling Connect connector, in Starling
Connect, navigate to Connectors > Active Connectors, and copy the value
of the SCIM Client ID property.
l Client secret: Specifies the SCIM client secret.
TIP: To find the SCIM client secret of the Starling Connect connector, in
Starling Connect, navigate to Connectors > Active Connectors, and copy
the value of the Show SCIM Client Secret text box.
l Import uses direct query: When selected, Active Roles Synchronization
Service queries every synchronized object separately by their ID. One Identity
recommends selecting this setting when configuring a connection to the
Starling Connect ServiceNow 2.0 connector, or similar connectors.
NOTE: Enabling this setting decreases synchronization speed considerably,
but it is required to read all object attributes for Starling Connect ServiceNow
2.0 (or similar) connectors.
However, do not enable this setting when configuring the Generic SCIM
Connector for the Starling Connect SuccessFactors HR connector, as it has
no effect on the results of import data synchronization.
l Max degree of parallelism: If Import uses direct query is enabled, this
setting specifies the maximum number of threads that Active Roles
Synchronization Service can run in parallel for the direct query of each object
in the response list (that is, how many entries can Active Roles Synchronization
Service query simultaneously).
TIP: One Identity recommends testing the value optimal for your environment,
and setting it as low as possible. Specifying a value of 1 means no
parallelism is configured.
NOTE: Consider the following when using this setting:
l This setting works only if Import uses direct query is enabled.
Active Roles Synchronization Service will ignore any value specified
for Max degree of parallelism if Import uses direct query is
not selected.
l Setting the value of Max degree of parallelism too high may result
in connector service instability.
5. (Optional) In Scope, modify the scope of objects included in the data synchronization
process of the connection. For more information on the Scope settings, see
Modifying synchronization scope for a connection.
6. (Optional) In Connection Handlers, create, update or remove any automated data
synchronization operations for the connection. For more information on the
Connection Handlers settings, see Using connection handlers.
7. To apply your changes, click Save and Continue.

Using connectors installed remotely
In some cases, you need to configure a connection to an external data system which is
separated by a firewall from the computer running Synchronization Service. To implement
this scenario, you can install an instance of Synchronization Service and built-in connectors
on a remote computer and switch this Synchronization Service instance in the remote
mode. This will allow the Synchronization Service instance running in the local mode to
communicate with the remotely installed instance and connectors via a single port.
Consider a scenario where you want to synchronize data between two Active Directory
domains that are separated by a firewall. In this case, you can install one Synchronization
Service instance in the local mode in the first domain, and then deploy another
Synchronization Service instance in the remote mode in the other domain. Then, ensure
the firewall allows traffic on the port used for communications between the
Synchronization Service instances.
In this section:

l Steps to install Synchronization Service and built-in connectors remotely
l Creating a connection using a remotely installed connector

Steps to install Synchronization Service and built-in connectors remotely
To use connectors remotely, you need to install Synchronization Service and built-in
connectors on a required remote computer and switch the installed instance of
Synchronization Service to remote mode. For installation instructions, see Step 1: Install
Synchronization Service.

To set Synchronization Service in remote mode

1. Start the Synchronization Service Administration Console.
2. Follow the steps in the wizard that starts automatically to configure
Synchronization Service.
3. On the Service Account and Mode page, do the following and click Finish:
l Enter the account under which you want Synchronization Service to run.
l Select the remote mode for this instance of Synchronization Service.

Creating a connection using a remotely installed connector
To create a connection using a remotely installed connector

1. Start the Synchronization Service Administration Console.
2. On the Connections tab, click Add connection.
3. In the Connection name text box, type a descriptive name for the connection.
4. From the Use the specified connector list, select the connector you want to use.
5. Click to expand the Remote connector access element, and then use the
following options:
l Use remote connector. Select this check box to use the connector installed
on a remote computer.
l Connector host. Type the Fully Qualified Domain Name (FQDN) of the
computer on which the Synchronization Service in the remote mode and the
corresponding connector are installed.
l Port. Type the port number on which you want the Synchronization Service to
access the remote connector. By default, this is port 8080.
l Connect using. Specify an account under which to access the remote
connector. The account must be a local administrator on the computer where
the remote connector is installed. Select one of the following:
l Synchronization Service account. Allows you to access the remote
connector using the account under which Synchronization Service is
running locally.
l Windows account. Allows you to type the user name and password of the
account with which you want to access the remote connector.
l Verify Settings. Click this button to verify that Synchronization Service can
access the remote connector using the settings you have specified.
6. Step through the wizard to complete the connection creation.

Creating a connection
To create a connection

1. In the Synchronization Service Administration Console, open the Connections tab.
2. Click Add connection.
3. On the wizard page that opens, use the following options:
l Connection name. Type a descriptive name for the connection being created.
l Use the specified connector. From this list, select the connector you
want to use.
l Remote connector access. Expand this element to specify settings to access
the connector installed on a remote computer. For more information, see Using
connectors installed remotely.
4. Follow the steps in the wizard to create a connection.

For information on the options you can use in the subsequent steps of the wizard, see the
section for the connector you have selected.

Renaming a connection
To rename a connection

1. In the Synchronization Service Administration Console, open the Connections tab.
2. Click the name of the existing connection you want to rename.
3. On the General tab, edit the connection name in the Connection name box.
4. Click Save.

Deleting a connection
To delete a connection

1. In the Synchronization Service Administration Console, open the Connections tab.
2. Locate the connection you want to delete, and then click Delete connection for that
connection.
3. When prompted, confirm that you want to delete the connection.

Modifying synchronization scope for a connection
For each connected data system, you can modify the scope of objects participating in the
data synchronization operations.

To modify the synchronization scope

1. In the Synchronization Service Administration Console, open the Connections tab.
2. Locate the connection for which you want to modify the synchronization scope, and
then click Synchronization scope.
3. Use the following options to modify the synchronization scope:
l Include objects from selected containers only. Select the check boxes
next to the containers that hold the objects you want to participate in data
synchronization operations. Note that this option may be unavailable for
some types of connected data systems, such as Microsoft SQL Server or
Oracle Database.
l Objects must meet these conditions. Set up a list of conditions that
objects must meet in order to participate in data synchronization operations.
4. When you are finished, click Save.

Using connection handlers

Connection handlers allow you to automatically perform specific actions on connected data
systems before, after, or instead of specific data synchronization operations (such as
create, modify, move, rename, delete, or password synchronization operation). When
creating a connection handler, you can specify the action you want to perform and set the
conditions for triggering the action.
Out of the box, Synchronization Service includes only one predefined handler type that can
execute your custom PowerShell script and thus perform the action you want.

IMPORTANT: If the predefined connection handler is configured to run your PowerShell
script instead of a data synchronization operation, the script must return a
system entry object.

You can also develop and implement your own handler types.
To create, modify, or delete handlers for a connection, you can use the Connection
Handlers tab in the connection settings:

Figure 9: Connection Handlers

This tab provides the following elements:

l Add handler. Starts a wizard that helps you add a new connection handler. By
default, the wizard creates a new handler that allows you to run your
PowerShell script.
l Disable. Disables the connection handler.
l Enable. Enables the connection handler.
l Move up. Moves the connection handler one position up in the list.
l Move down. Moves the connection handler one position down in the list.
l Delete. Deletes the connection handler.

To create a connection handler

1. In the Synchronization Service Administration Console, open the Connections tab.
2. Click the name of the connection for which you want to create a handler, and then
click the Connection Handlers tab.
3. Click Add handler, and then follow the steps in the wizard to create your handler.

To modify a connection handler

1. In the Synchronization Service Administration Console, open the Connections tab.
2. Click the name of the connection for which you want to modify a handler, and then
click the Connection Handlers tab.
3. Click the name of the handler you want to modify, and then modify the handler
settings as necessary. When you are finished, click OK.
4. You can also do the following:
l Change the order in which handlers are activated. Synchronization
Service activates handlers in the order in which they appear in the list. To
move a handler in the list, use the Move up and Move down links below
the handler.
l Disable or enable handlers. You can enable or disable existing handlers. To
do so, use the Enable or Disable link below the handler.
5. When you are finished, click Save.

To delete a connection handler

1. In the Synchronization Service Administration Console, open the Connections tab.
2. Click the name of the connection for which you want to delete a handler, and then
click the Connection Handlers tab.
3. Click Delete below the handler you want to delete.

Specifying password synchronization settings for a connection
For each connected data system that supports password synchronization, you can set
password synchronization settings. These settings allow you to enable or disable password
synchronization and manage passwords in the data system by using One Identity
Password Manager.
Optionally, you can use the password synchronization settings to type a custom Windows
PowerShell script you want to run each time the password synchronization completes for
the connected data system.

To specify password synchronization settings

1. In the Synchronization Service Administration Console, open the Connections tab.
2. Click the name of the connection for which you want to modify password
synchronization settings.
3. Open the Password tab, and use the following options to modify the password
synchronization settings as necessary:
l Synchronize and manage passwords. Allows you to enable or disable
password synchronization for this connection. Selecting this check box also
allows you to manage passwords in the connected data system by using One
Identity Password Manager. For more information about this product, please
visit https://www.oneidentity.com/products/password-manager/.
l Synchronize passwords for objects of this type. Allows you to specify
an object type that will participate in password synchronization. Click Select
next to this text box, and then specify the object type you want. This option
is only available for certain types of connected systems, such as LDAP
directory service.
l Password synchronization method. Allows you to select a password
synchronization method. This option is only available for certain types of
connected systems, such as LDAP directory service. You can select one of the
following methods:
l Write password to this attribute. Displays the object attribute in which the
object password will be stored. To specify a different attribute, click Select
next to the text box in this option.
l Use LDAP extended operation. Allows you to automate the synchronization
of user passwords in the connected data system regardless of the form of the
authentication identity or the password storage mechanism used (for example,
in the case of non-directory storage of passwords).
l Configure Query. Allows you to use an SQL query to specify the data you
want to participate in the password synchronization. Click Configure, and then
type your SQL query. This option is only available for certain types of
connected systems, such as SQL Server or Oracle Database.
4. When you are finished, click Save.

5 Synchronizing identity data

l Getting started with identity data synchronization
l Managing sync workflows
l Managing sync workflow steps
l Using sync workflow alerts

Getting started with identity data synchronization
To synchronize identity data between connected data systems, you can use sync workflows
and synchronization steps. A sync workflow is a set of data synchronization operations
called synchronization steps. A sync workflow can include one or more steps. Each
synchronization step defines a synchronization operation to be run between the source and
target connected data systems. To manage sync workflows and their steps, you can use the
Sync Workflows tab in the Synchronization Service Administration Console.
You can configure a synchronization step to perform one of the following operations:

l Creation. Creates objects in the target data system based on the changes made to
specific objects in the source data system. When creating a new object in the target
data system, Synchronization Service generates initial values for the object
attributes using the attribute population rules you have configured.
l Update. Modifies object attributes in the target data system based on the changes
made to specific objects in the source data system. To specify the objects that will
participate in the update operation you can use object mapping rules. For more
information, see Mapping objects.
l Deprovision. Modifies or removes objects in the target data system after their
counterparts have been disconnected from the source data system. Synchronization
Service can be configured to remove target objects permanently or change them to a
specific state. To specify the objects that will participate in the deprovision operation
you can use object mapping rules. For more information, see Mapping objects.

When configuring a synchronization step you can specify the following:

l Containers to which you want to create or move objects.
l Settings to generate names for objects being created or modified.
l Settings to synchronize group memberships.
l Settings to synchronize attribute values.

To synchronize identity data between two data systems, you need to create a sync
workflow, populate the workflow with synchronization steps, and then run the sync
workflow manually or schedule the sync workflow run. The following figure illustrates how
Synchronization Service synchronizes identity data in connected data systems:

Figure 10: Identity Data Synchronization

Running a sync workflow causes Synchronization Service to read data in the source and
target data systems according to the settings in the sync workflow steps and prepare a list
of changes to be made in the target system. Then, you can commit these changes to the
target data system.
Running a sync workflow manually allows you to review a list of changes before
committing them to the target data system. A scheduled sync workflow run always
commits changes to the target data system automatically.
You can configure as many sync workflows as needed, each performing its own set of
synchronization steps.
In this chapter:

l Managing sync workflows
l Managing sync workflow steps

Managing sync workflows

In this section:

l Creating a sync workflow
l Running a sync workflow
l Renaming a sync workflow
l Deleting a sync workflow

Creating a sync workflow

To create a synchronization workflow

1. In the Synchronization Service Administration Console, open the Sync Workflows tab.
2. Click Add sync workflow.
3. Use the Sync workflow name text box to type a name for the sync workflow
being created.
4. Click OK.
The new workflow appears on the Sync Workflows tab.
After you have created a sync workflow, you need to populate it with one or more
synchronization steps. For more information, see Managing sync workflow steps.

Running a sync workflow

After you have created a sync workflow and populated it with one or more steps, you can
run the sync workflow. Before running a sync workflow, you can select the workflow
steps you want to run. A sync workflow can be run manually or automatically on a
recurring schedule.
In this section:

l Running a sync workflow manually
l Running a sync workflow on a recurring schedule
l Disabling a sync workflow run schedule

Running a sync workflow manually
This method allows you to select specific steps in a sync workflow and run them. You can
also specify how you want to commit the changes to the target data system: automatically
or manually. With the manual method you can review a list of changes before committing
them to decide whether or not you want these changes in the target system.

To run a sync workflow manually

1. In the Synchronization Service Administration Console, open the Sync Workflows tab.
2. Click the name of the sync workflow you want to run.
3. Click Run now.
4. Select the check boxes next to the sync workflow steps you want to run.
5. If you want to automatically commit the changes made by the sync workflow run,
select the Automatically commit changes check box. If you want to review the
changes before committing them, leave this check box cleared.
6. Click one of the following to run the sync workflow:
l Full Run. With this option, Synchronization Service retrieves the data required
to run the sync workflow from the connected data systems.
l Quick Run. With this option, Synchronization Service first tries to run the
sync workflow by using the data that is available in the local cache. If the
local cache is missing or cannot be used to run the sync workflow, then
Synchronization Service retrieves the required data from the connected
data systems.

Running a sync workflow on a recurring schedule

This method allows you to create a recurring schedule to automatically run specific steps in
a sync workflow.
When scheduling a sync workflow, you can choose the workflow steps to run, specify how
frequently you want to run the steps, and set the date and time when you want the run
schedule to come into effect. If you have two or more Synchronization Service instances
installed in your environment, you can also select a Synchronization Service instance to be
used for running the sync workflow.
A scheduled sync workflow automatically commits changes to the target data system.

To run a sync workflow on a recurring schedule

1. In the Synchronization Service Administration Console, open the Sync Workflows tab.
2. Click Schedule below the name of the sync workflow you want to run on a
recurring schedule.
3. In the dialog box that opens, select the Schedule the task to run check box, and
then specify a schedule.
4. If there are several Synchronization Service instances deployed in your
environment, under Run the task on, select the computer that hosts the
Synchronization Service instance you want to use for running the sync workflow.
5. Expand Sync Workflow Steps, and then select the check boxes next to the
workflow steps you want to run on the schedule.
6. Click OK to activate the schedule.

Disabling a sync workflow run schedule

To disable a sync workflow run schedule

1. In the Synchronization Service Administration Console, open the Sync Workflows tab.
2. Click Schedule below the sync workflow for which you want to disable the
run schedule.
3. In the dialog box that opens, clear the Schedule the task to run check box.
4. Click OK to disable the schedule.

Renaming a sync workflow

To rename a sync workflow

1. In the Synchronization Service Administration Console, open the Sync Workflows tab.
2. Click Rename below the sync workflow.
3. Use the Sync workflow name text box to type a new workflow name.
4. Click OK to apply the change.

Deleting a sync workflow

To delete a sync workflow

1. In the Synchronization Service Administration Console, open the Sync Workflows tab.
2. Click Delete below the sync workflow.
3. When prompted, confirm that you want to delete the sync workflow.

Managing sync workflow steps
In this section:

l Adding a creating step
l Creating an updating step
l Creating a deprovisioning step
l Modifying a step
l Deleting a step
l Changing the order of steps in a sync workflow
l Generating object names by using rules
l Modifying attribute values by using rules
l Using value generation rules
l Using sync workflow step handlers
l Example: Synchronizing group memberships
l Example: Synchronizing multivalued attributes

Adding a creating step

To add a creating step

1. In the Synchronization Service Administration Console, open the Sync Workflows tab.
2. Click the name of the sync workflow in which you want to add a creating step.
If necessary, create a new sync workflow. For more information, see Creating a
sync workflow.
3. Click Add synchronization step.
4. Select Creation, and then click Next.
5. Specify the source system by using these options:
l Source connected system. Allows you to choose a source data system for
the creation operation. Click Specify to select a data system connected earlier
or add and select a new data system.
l Source object type. Allows you to specify the object type you want to use as
a source for the creation operation. Click Select to specify an object type.
l Creation Criteria. Allows you to narrow the scope of source data system
objects that participate in the creating step. Expand Creation Criteria to
specify the containers that hold the source objects you want to participate in
the step. You can also specify additional conditions to include objects into the
scope.
6. Click Next.
7. Specify the creation target by using these options:
l Target connected system. Allows you to choose a target data system for the
creation operation. Click Specify to select a data system connected earlier or
add and select a new data system.
l Target object type. Allows you to specify the target data system object type
to which you want to create objects from the source data system. Click Select
to specify an object type.
l Target container. Allows you to specify the target data system container in
which you want to create objects. Click the down arrow on the button, and then
select one of the following:
l Browse. Click to locate and select a single target container.
l PowerShell Script. Click to compose a PowerShell script that
calculates the target container name.
l Rule. Click to configure a set of rules for selecting target containers.
l Use Mapping. Click to define a target container based on the mapping
of the source object.
l Clear. Click to use an empty value.
l Rules to generate unique object name. Allows you to set up a list of rules
to generate a unique name for each object being created. For more
information, see Generating object names by using rules.
8. Click Next.
9. Specify rules to create objects into the target data system. You can use the
following options:
l Initial Attribute Population Rules. Expand this element to specify how you
want to populate the attributes of created objects. For more information, see
Modifying attribute values by using rules.
l Initial Password. Expand this element to specify an initial password for each
created object.
l User Account Options. Expand this element to specify settings for the user
accounts to be created.
10. Click Finish to add the creating step.

You can modify the settings of an existing synchronization step. For more information, see
Modifying a step.

Creating an updating step
To create an updating step

1. In the Synchronization Service Administration Console, open the Sync Workflows tab.
2. Click the name of the sync workflow in which you want to create an updating step.
If necessary, create a new sync workflow. For more information, see Creating a
sync workflow.
3. Click Add synchronization step.
4. Select Update, and then click Next.
5. Specify the update operation source by using these options:
l Source connected system. Allows you to choose a source data system for
the update operation. Click Specify to select a data system connected earlier
or add and select a new data system.
l Source object type. Allows you to specify the data system object type you
want to use as a source for the update operation. Click Select to specify an
object type.
l Updating Criteria. Allows you to narrow the scope of source data system
objects that will participate in the updating step. Expand Updating Criteria to
specify the containers that hold the source objects you want to participate in
the step. You can also specify additional criteria for selecting source objects.
6. Click Next.
7. Specify an update target by using these options:
l Target connected system. Allows you to choose a target connected system
for the update operation. Click Specify to select a data system connected
earlier or add and select a new data system.
l Target object type. Allows you to specify what type of objects you want to
update in the target data system. Click Select to specify an object type.
8. Click Next.
9. Specify rules to update objects in the target data system. You can use the following
options:
l Rules to Modify Object Attributes. Allows you to set up a list of rules to
modify specific attributes of objects in the target data system. For more
information, see Modifying attribute values by using rules.
l Rules to Move Objects. Allows you to specify the location to which you want
to move objects. Click the down arrow on the button, and then select one of the
following:
l Browse. Click to locate and select a single target container.
l PowerShell Script. Click to compose a PowerShell script that
calculates the target container name.
l Rule. Click to configure a set of rules for selecting target containers.
l Use Mapping. Click to define a target container based on the mapping
of the source object.
l Clear. Click to use an empty value.
l Rules to Rename Objects. Allows you to set up a list of rules to rename
objects in the result of the update operation. For more information, see
Generating object names by using rules.
10. Click Finish to create the updating step.

You can modify the settings of an existing synchronization step. For more information, see
Modifying a step.

Creating a deprovisioning step

To create a deprovisioning step

1. In the Synchronization Service Administration Console, open the Sync Workflows tab.
2. Click the name of the sync workflow in which you want to create a
deprovisioning step.
If necessary, create a new sync workflow. For more information, see Creating a
sync workflow.
3. Click Add synchronization step.
4. Select Deprovision and then click Next.
5. Specify a deprovisioning source and criteria by using the following options:
l Source connected system. Allows you to choose a source data system for
the deprovision operation. Click Specify to select a data system connected
earlier or add and select a new data system.
l Source object type. Allows you to specify the data system object type you
want to use as a source for the deprovision operation. Click Select to specify
an object type.
l Deprovision target objects if. Allows you to specify criteria for
deprovisioning objects in the target data system.
6. Click Next.
7. Specify a deprovisioning target by using the following options:
l Target connected system. Allows you to choose a target data system for the
deprovision operation. Click Specify to select a data system connected earlier
or add and select a new data system.

l Target object type. Allows you to specify what type of objects you want to
deprovision in the target data system. Click Select to specify an object type.
8. Click Next.
9. Select a method to deprovision objects in the target data system. You can select
Delete target objects to delete target objects or Modify target objects to
modify target objects using the rules configured in the following options:
l Rules to Modify Object Attributes. Expand this option to set up a list of
rules to modify object attributes in the target data system. For more
information, see Modifying attribute values by using rules.
l Rules to Move Objects. Expand this option to specify the location to which
you want to move objects. Click the down arrow on the button, and then select
one of the following:
l Browse. Click to locate and select a single target container.
l PowerShell Script. Click to compose a PowerShell script that
calculates the target container name.
l Rule. Click to configure a set of rules for selecting target containers.
l Use Mapping. Click to define a target container based on the mapping
of the source object.
l Clear. Click to use an empty value.
l Rules to Rename Objects. Expand this option to set up a list of rules to
rename objects.
10. Click Finish to create the deprovisioning step.

You can modify the settings of an existing synchronization step. For more information, see
Modifying a step.

Modifying a step
To modify an existing step

1. In the Synchronization Service Administration Console, open the Sync Workflows tab.
2. Click the name of the sync workflow in which you want to modify a step.
3. Click the name of the step you want to modify.
4. Use the following tabs to modify the step as necessary:
l General Options tab
l Source tab
l Target tab
l Creation Rules tab
l Deprovisioning Rules tab

l Updating Rules tab
l Step Handlers tab
For more information on these tabs, see the next subsections.

5. When you are finished, click Save to apply your changes.

General Options tab


On this tab you can rename the step, specify a method for processing data in the source
and target connected systems, and specify conditions to stop data processing.
This tab has the following elements:

l Step name. Allows you to rename the step: type a new step name in this text box.
l Specify how to process data in connected systems. Allows you to select one of
the following methods for processing data in the source and target data systems:
l Process all data. If you select this method, each run of the step will process
all data in the configured synchronization scope.
l Process delta from last run. If you select this method, each run of the step
will process only the data that has changed in the configured synchronization
scope since the last run.
l Stop data processing if. Allows you to specify the conditions where you want to
stop data processing in the source and target data systems.

Source tab
Allows you to view information about the source connected system and source object type
specified for the synchronization step. You can also view or modify the criteria used to
perform the creation, deprovision, or update operation in the step.
For all types of synchronization steps (creating, deprovisioning, and updating) this tab
provides the following options:

l Source connected system. Displays the name of the source data system.
l Source object type. Displays the object type that is used as a source for the
synchronization step.

For deprovisioning steps, this tab also provides the Deprovision target objects if
option. It allows you to modify the criteria used for triggering the deprovision operation in
the target data system.
For creating steps, this tab also provides the Creation Criteria option. It allows you to
modify the scope of source data system objects that participate in the creating step.
Expand Creation Criteria to modify the list of containers that hold the source objects
you want to participate in the step. Also you can specify additional criteria for selecting
source objects.

For updating steps, this tab also provides the Updating Criteria option. It allows you to
modify the scope of source data system objects that participate in the updating step.
Expand Updating Criteria to specify the containers that hold the source objects you
want to participate in the step. You can also specify additional criteria for selecting
source objects.

Target tab
Allows you to view information about the target connected system and target object type
specified for the synchronization step. For creating steps, you can use this tab to view and
modify the target container to which objects are created and rules to generate unique
names for created objects.
For all types of synchronization steps (creating, deprovisioning, and updating) this tab
provides the following elements:

l Target connected system. Displays the name of the data system that is currently
used as a target for the synchronization step.
l Target object type. Displays the object type that is currently used as a target for
the synchronization step.

For creating steps related to certain types of target data systems, this tab may also
provide any of the following additional elements:

l Target container. Allows you to specify the target data system container in which
you want to create objects from the source data system. For more information, see
Generating object names by using rules.
l Rules to generate unique object name. Allows you to set up a list of rules to
generate a unique name for each object being created. For more information, see
Generating object names by using rules.

Creation Rules tab


Allows you to view or modify the rules used for creating objects. This tab has the
following elements:

l Initial Attribute Population Rules. Expand this element to view or modify the
rules for populating the attributes of objects being created.
l Initial Password. Expand this element to view or modify how an initial password is
generated for each object being created.
l User Account Options. Expand this element to view or modify the settings applied
to the user accounts created by the step.

You can use this tab to import or export initial attribute population rules.

To export a population rule to a file

1. In the list of configured attribute population rules, select the rule you want to export.
2. Click More, and then click Export.
3. In the Save As dialog box, specify an XML file to store the rule.

To import a population rule from a file

1. Expand Initial Attribute Population Rules, click More, and then click Import.
2. Use the Open dialog box to open the XML file that stores the population rule
to import.

Deprovisioning Rules tab


Allows you to select a method for deprovisioning objects. You can select Delete target
objects to delete the target objects if the source objects meet the criteria specified earlier
in the wizard or Modify target objects to modify the target objects using the rules
configured in the options below:

l Rules to Modify Object Attributes. Expand this option to set up a list of rules to
modify the attributes of target objects. For more information, see Modifying attribute
values by using rules.
l Rules to Move Objects. Expand this option to specify the location to which you
want to move objects. Click the down arrow on the button, and then select one of
the following:
l Browse. Click to locate and select a single target container.
l PowerShell Script. Click to compose a PowerShell script that calculates the
target container name.
l Rule. Click to configure a set of rules for selecting target containers.
l Use Mapping. Click to define a target container based on the mapping of the
source object.
l Clear. Click to use an empty value.
l Rules to Rename Objects. Expand this option to set up a list of rules to
rename objects.

Updating Rules tab


Allows you to view or modify the rules used for updating objects. This tab has the
following elements:

l Rules to Modify Object Attributes. Allows you to view or change the list of rules
used to modify the attributes of target objects. For more information, see Modifying
attribute values by using rules.

l Rules to Move Objects. Allows you to specify the location to which you want
to move objects. Click the down arrow on the button, and then select one of
the following:
l Browse. Click to locate and select a single target container.
l PowerShell Script. Click to compose a PowerShell script that calculates the
target container name.
l Rule. Click to configure a set of rules for selecting target containers.
l Use Mapping. Click to define a target container based on the mapping of the
source object.
l Clear. Click to use an empty value.
l Rules to Rename Objects. Allows you to view or change the list of rules used to
rename target objects. For more information, see Generating object names by
using rules.

Step Handlers tab


Allows you to create, modify, or delete handlers for the sync workflow step. For more
information on step handlers, see Using sync workflow step handlers. This tab has the
following elements:

l Add handler. Starts a wizard that helps you add a new handler for the sync
workflow step. By default, the wizard creates a new handler that runs your
PowerShell script.
l Disable. Disables the step handler.
l Enable. Enables the step handler.
l Move up. Moves the step handler one position up in the list.
l Move down. Moves the step handler one position down in the list.
l Delete. Deletes the step handler.

Deleting a step
To delete a sync workflow step

1. In the Synchronization Service Administration Console, open the Sync


Workflows tab.
2. Click the name of the sync workflow in which you want to delete a step.
3. Click Delete below the step you want to delete.
4. When prompted, confirm that you want to delete the step.

Changing the order of steps in a sync
workflow
When you run a sync workflow, its steps are executed in the order they are displayed in the
Synchronization Service Administration Console. If necessary, you can change the order of
steps in a sync workflow.

To change the order of steps in a sync workflow

1. In the Synchronization Service Administration Console, open the Sync


Workflows tab.
2. Click the name of the sync workflow in which you want to change the order of steps.
3. Use the Move up and Move down links to arrange the steps as necessary.

Generating object names by using rules


When configuring a synchronization step, you can use the Rules to generate unique
object name list to specify rules for creating or modifying object names in the target
connected system. The Rules to generate unique object name list looks similar to
the following:

Figure 11: Add synchronization step

To configure rules for generating object names

1. Click the down arrow on the leftmost button provided below the Rules to generate
unique object name list.
2. Select a list item:
l Attribute. Allows you to select the target object attribute whose value you
want to use as the object name.
l Rule. Allows you to configure a rule to generate target object names. For
details, see Using value generation rules.
l PowerShell Script. Allows you to type a PowerShell script to generate target
object names.

When the Rules to generate unique object name list includes two or more entries,
Synchronization Service uses the uppermost rule in the list to generate the target object
name. If the generated object name is not unique, Synchronization Service uses the next
rule in the list, and so on.

To copy and paste an existing rule

1. In the Rules to generate unique object name list, right-click a rule, and then
select Copy from the shortcut menu.
2. In the rules list, right-click an entry, and then select Paste from the shortcut menu.

Modifying attribute values by using rules
In a sync workflow step you can configure a set of rules to automatically modify attribute
values during the step run. By using these rules, you can select or generate an initial
value, transform this value if necessary, and then assign the resulting value to the object
attribute you want.

To create a rule to modify attribute values

1. In the Synchronization Service Administration Console, open the Sync Workflows tab.
2. Click the name of the appropriate sync workflow, then click the name of the sync
workflow step.
3. Depending on the workflow step type, complete the corresponding actions:
l Creating step. Click the Creation Rules tab, and then expand the Initial
Attribute Population Rules element.
l Updating step. Click the Updating Rules tab, and then expand the Rules to
Modify Object Attributes element.
l Deprovisioning step. Click the Deprovisioning Rules tab, and then expand
the Rules to Modify Object Attributes element.
4. In the element you have expanded, click the down arrow on the leftmost button to
select a rule type:
l Forward Sync Rule. Allows you to create a rule that synchronizes attribute
values from the source to the target data system. This type of rule is available
in creating, updating, and deprovisioning steps. For more information, see
Configuring a forward sync rule.
l Reverse Sync Rule. Allows you to create a rule that synchronizes attribute
values from the target to the source data system. This type of rule is available
in creating, updating, and deprovisioning steps. For more information, see
Configuring a reverse sync rule.
l Merge Sync Rule. Allows you to create a rule that merges the values of
specified attributes between the source and the target data systems. As a
result, the attribute values in the source and the target become identical. This
type of rule is only available in updating steps. For more information, see
Configuring a merge sync rule.

Configuring a forward sync rule


A forward sync rule allows you to synchronize data from the source data system to the
target data system. To create such a rule, follow the instructions in Modifying attribute
values by using rules to select the Forward Sync Rule type. Then, configure your rule by
using the options in the dialog box that opens.

Source item
This option allows you to obtain an initial value for the synchronization operation. You can
then transform the obtained initial value before assigning it to the attribute you want.
To get started, click the down arrow on the button in this option, and then select an item
from the drop-down list:

l Attribute. Allows you to select the attribute whose value you want to use.
l Rule. Allows you to obtain a value by using a value generation rule. For more
information, see Using value generation rules.
l PowerShell script. Allows you to obtain a value by executing a Windows
PowerShell script.
l Text. Allows you to type a text value.
l Referenced object attribute. Allows you to select an attribute of a referenced
object and use the value of the selected attribute.
l Parent object attribute. Allows you to select an attribute of a parent object and
use the value of the selected attribute.
l Empty. Generates an empty value.

Once you have explicitly selected an attribute in this option, you can click the Advanced
link to configure some advanced synchronization settings for the attribute.
For example, you can specify which characters to retrieve from the attribute value, how to
modify the retrieved value (remove white-space characters or change the capitalization),
or set how to process references in the attribute. The available settings depend on the
attribute types selected in the Source item and Target item options.

Target item
This option allows you to select the target attribute whose value you want to modify.
To get started, click the down arrow on the button in this option, and then select an item
from the drop-down list:

l Attribute. Allows you to select the object attribute whose value you want to modify.
l Referenced object attribute. Allows you to select the referenced object attribute
whose value you want to modify.
l Parent object attribute. Allows you to modify attribute values of objects that are
parents to the target object type selected in the sync workflow step settings.

Once you have selected an attribute, you can click the Advanced link to configure some
advanced synchronization settings for the attribute.
For example, you can select how to handle the existing attribute value (overwrite or
append data to the value) or set how to process references in the attribute. The
available settings depend on the attribute types selected in the Source item and
Target item options.

Configuring a reverse sync rule
A reverse sync rule allows you to synchronize data from the target to the source
data system.
To create such a rule, follow the instructions in Modifying attribute values by using rules to
select the Reverse Sync Rule type. Then, configure your rule by using the options in the
dialog box that opens.

Source item
This option allows you to select the source attribute whose value you want to modify.
To get started, click the down arrow on the button in this option, and then select an item
from the drop-down list:

l Attribute. Allows you to select the object attribute whose value you want to modify.
l Referenced object attribute. Allows you to select the referenced object whose
attribute value you want to modify.
l Parent object attribute. Allows you to modify attribute values of objects that are
parents to the source object type selected in the sync workflow step settings.

Once you have selected an attribute, you can click the Advanced link to configure some
advanced synchronization settings for the attribute.
For example, you can select how to handle the existing attribute value (overwrite or
append data to the value) or set how to process references in the attribute. The
available settings depend on the attribute types selected in the Source item and
Target item options.

Target item
This option allows you to obtain an initial value for the synchronization operation. You can
then transform the obtained initial value before assigning it to the attribute you want.
To get started, click the down arrow on the button in this option, and then select an item
from the drop-down list:

l Attribute. Allows you to select the attribute whose value you want to use.
l Rule. Allows you to obtain an initial value by using a value generation rule. For more
information, see Using value generation rules.
l PowerShell script. Allows you to obtain an initial value by executing a Windows
PowerShell script.
l Text. Allows you to type an initial value.
l Referenced object attribute. Allows you to select an attribute of a referenced
object and use its value.

l Parent object attribute. Allows you to select an attribute of a parent object and
use the value of the selected attribute.
l Empty. Generates an empty initial value.

Once you have explicitly selected an attribute in this option, you can click the Advanced
link to configure some advanced synchronization settings for the attribute.
For example, you can specify which characters to retrieve from the attribute value, how to
modify the retrieved value (remove white-space characters or change the capitalization),
or set how to process references in the attribute. The available settings depend on the
attribute types selected in the Source item and Target item options.

Configuring a merge sync rule


A merge sync rule allows you to merge attribute values between the source and the target
data system. As a result these values become identical.
To create such a rule, follow the instructions in Modifying attribute values by using rules to
select the Merge Sync Rule type. Then, configure your rule by using the options in the
dialog box that opens:

l Source item. Allows you to specify an attribute in the source data system. Click the
Attribute button to select an attribute.
l Target item. Allows you to specify the attribute in the target data system. Click the
Attribute button to select an attribute.
l Merge Settings. Allows you to select a method to merge the values of two
multivalued attributes. This link is only available if both the source and the target
attributes you have selected are multivalued.

When running a sync workflow step that has a merge sync rule configured for the first
time, Synchronization Service synchronizes attribute values from the source to the target.
In each subsequent run of the sync workflow step, the synchronization direction depends
on which attribute value (source or target) is more recent, as follows:

Table 121: Synchronization direction

More recent value                      Synchronization direction
Source                                 Source => Target
Target                                 Source <= Target
Source and target are equally recent   Source => Target

Using value generation rules
To configure a list of rules for selecting an attribute value or generating a value, you can
use the Configure Generation Rule dialog box that looks similar to the following:

Figure 12: Configure Generation Rule

To add a new rule entry

1. Click Add.
2. Configure the rule entry as appropriate. For more information, see Configuring
a rule entry.

To remove an existing rule entry

l From the Rule entries list, select the entry you want to remove, and then
click Remove.

To edit an existing rule entry

1. From the Rule entries list, select the entry you want to modify, and then click Edit.
2. Configure the rule entry as appropriate. For more information, see Configuring
a rule entry.

Configuring a rule entry
This section provides instructions on how to configure a rule entry in the Define Entry
dialog box that looks similar to the following:

Figure 13: Define Entry

To configure a text entry

1. Under Entry type, select Text.
2. In the Text value box, type the value.
3. Click OK.

To configure an attribute-based entry

1. Under Entry type, select Attribute.
2. Click Select to select the attribute whose value you want to use, and then click OK.
3. If you want the entry to include the entire value of the attribute, select the All
characters option. Otherwise, click the Specified characters option, and then
specify the characters to include in the entry.
4. Optionally, click the If value is shorter, add filling characters at the end of
entry value option to specify a character to add to the entry.
5. Optionally, specify Advanced settings.
6. When finished, click OK.
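The following PowerShell script is an added example, not code from this guide or from the product. It models two things described in this chapter in one place: the rule entries of Configuring a rule entry (text entries, and attribute entries that take all or a fixed number of characters and pad short values with a filling character) and the fallback order of Generating object names by using rules (the uppermost rule is tried first and the next rule is used only when the generated name is not unique). The hashtable $Attributes standing in for the source object, the hashtable shape of the rules, and the $ExistingNames list standing in for a lookup against the target connected system are all assumptions made for illustration.

```powershell
# Added example; not part of Active Roles Synchronization Service or this guide.
# A generation rule is modelled as an ordered list of entries. Each entry is a
# hashtable: @{ Type = 'Text'; Value = '...' } or
# @{ Type = 'Attribute'; Name = '<attribute>'; MaxChars = <n>; Fill = '<char>' }
# where MaxChars and Fill are optional (all characters when MaxChars is absent).
# $Attributes stands in for the source object; this is an assumption of the example.

function Expand-GenerationRule {
    param(
        [Parameter(Mandatory)][hashtable[]]$Entries,
        [Parameter(Mandatory)][hashtable]$Attributes
    )
    $sb = [System.Text.StringBuilder]::new()
    foreach ($entry in $Entries) {
        switch ($entry.Type) {
            'Text' { [void]$sb.Append([string]$entry.Value) }
            'Attribute' {
                $value = [string]$Attributes[$entry.Name]
                if ($entry.MaxChars) {
                    if ($value.Length -gt $entry.MaxChars) {
                        # "Specified characters": keep only the leading characters
                        $value = $value.Substring(0, $entry.MaxChars)
                    } elseif ($entry.Fill) {
                        # "If value is shorter, add filling characters at the end"
                        $value = $value.PadRight($entry.MaxChars, [char]$entry.Fill)
                    }
                }
                [void]$sb.Append($value)
            }
            default { throw "Unknown entry type '$($entry.Type)'" }
        }
    }
    return $sb.ToString()
}

function New-UniqueObjectName {
    param(
        [Parameter(Mandatory)][hashtable[]]$Rules,       # each: @{ Name = '...'; Entries = @(...) }
        [Parameter(Mandatory)][hashtable]$Attributes,
        [Parameter(Mandatory)][string[]]$ExistingNames   # names already present in the target container
    )
    # Uppermost rule first; fall through to the next rule only when the
    # candidate is empty or already taken.
    foreach ($rule in $Rules) {
        $candidate = Expand-GenerationRule -Entries $rule.Entries -Attributes $Attributes
        if ([string]::IsNullOrWhiteSpace($candidate)) { continue }
        if ($ExistingNames -contains $candidate) { continue }   # -contains is case-insensitive, like directory names
        return $candidate
    }
    throw 'No rule in the list produced a unique name; the object cannot be created'
}

# Constructed sample: rule 1 is the first letter of givenName + sn; rule 2 is the
# first three letters of givenName (padded with "x"), a dot, and sn.
$rules = @(
    @{ Name = 'Initial + surname'; Entries = @(
        @{ Type = 'Attribute'; Name = 'givenName'; MaxChars = 1 },
        @{ Type = 'Attribute'; Name = 'sn' }) },
    @{ Name = 'Three letters + surname'; Entries = @(
        @{ Type = 'Attribute'; Name = 'givenName'; MaxChars = 3; Fill = 'x' },
        @{ Type = 'Text'; Value = '.' },
        @{ Type = 'Attribute'; Name = 'sn' }) }
)
$source = @{ givenName = 'Jo'; sn = 'Smith' }
New-UniqueObjectName -Rules $rules -Attributes $source -ExistingNames @('jsmith', 'JSmith2')
```

For the sample source object, rule 1 yields JSmith, which collides (case-insensitively) with the existing jsmith, so rule 2 is used and returns Jox.Smith. In the product the uniqueness check is made against the target connected system rather than a static list, and a rule list whose every entry collides leaves the object uncreated, which is why the last rule in such a list usually carries a discriminator such as a numeric suffix.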

Using sync workflow step handlers


Sync workflow step handlers allow you to automatically perform custom actions either
before running a workflow step or after the workflow step run results have been committed
(written) to the data system. Out of the box, Synchronization Service includes a single
predefined handler type that can automatically execute your custom PowerShell script and
thus perform the desired action.
To create, modify, or delete handlers for a sync workflow step, you can use the Step
Handlers tab in the sync workflow step properties.

To create a sync workflow step handler

1. In the Synchronization Service Administration Console, open the Sync Workflows tab.
2. Click the name of the appropriate sync workflow.
3. Click the name of the sync workflow step for which you want to create a handler, and
then click the Step Handlers tab.
4. Click Add handler, and then follow the steps in the wizard to create your handler.

To modify a sync workflow step handler

1. In the Synchronization Service Administration Console, open the Sync Workflows tab.
2. Click the name of the appropriate sync workflow.
3. Click the name of the sync workflow step whose handler you want to modify, and
then click the Step Handlers tab.
4. Click the name of the handler you want to modify.
5. Modify the handler settings as necessary. When you are finished, click OK.
6. You can also do the following:
l Change the order in which handlers are activated. Synchronization
Service activates handlers in the order in which they appear in the list. To
move a handler in the list, use the Move up and Move down links below
the handler.
l Disable or enable the handler. You can enable or disable existing handlers.
To do so, use the Enable or Disable link below the handler.
7. When you are finished, click Save.

To delete a sync workflow step handler

1. In the Synchronization Service Administration Console, open the Sync Workflows tab.
2. Click the name of the appropriate sync workflow.
3. Click the name of the sync workflow step whose handler you want to delete, and then
click the Step Handlers tab.
4. Click Delete below the handler you want to delete.

Example: Synchronizing group memberships


This example illustrates how to configure a creating step to synchronize group
memberships from an Active Directory domain to an AD LDS (ADAM) instance. The
example demonstrates how to create rules in the step to synchronize the value of
the member attribute in the Active Directory domain to the member attribute in
AD LDS (ADAM).

To synchronize the member attribute

1. Follow the steps described in the Adding a creating step section until you reach the
wizard page titled Specify creation rules.
2. In the Initial Attribute Population Rules element, click the down arrow on the
leftmost button below the list to select Forward Sync Rule.
3. In the dialog box that opens, add the following pair of attributes:
l Source item: member attribute (Active Directory)
l Target item: member attribute (AD LDS)
For more information about the options in this dialog box, see Configuring a
forward sync rule.

4. When you are finished, click OK.


5. Follow the steps in the wizard to complete the creating step.

Example: Synchronizing multivalued attributes
This example illustrates how to configure a creating step to synchronize multivalued
attributes from an Active Directory domain to an AD LDS (ADAM) instance. The example
demonstrates how to create rules in the step to synchronize the value of the
otherTelephone attribute in the Active Directory domain to the otherTelephone
attribute in AD LDS (ADAM).

To synchronize the otherTelephone attribute

1. Follow the steps provided in the Adding a creating step section until you reach the
wizard page titled Specify creation rules.
2. In the Initial Attribute Population Rules element, click the down arrow on the
leftmost button below the list to select Forward Sync Rule.
3. In the dialog box that opens, add the following pair of attributes:
l Source item: otherTelephone attribute (Active Directory)
l Target item: otherTelephone attribute (AD LDS)
For more information about the options in this dialog box, see Configuring a
forward sync rule.

4. When you are finished, click OK.


5. Follow the steps in the wizard to complete the configuration of the creating step.

Using sync workflow alerts


The Synchronization Service provides an email notification service that allows you to
inform recipients about the completion of a sync workflow run.
For each sync workflow that includes at least one synchronization step, you can configure
multiple alerts. Then, when a sync workflow run completes, the recipients signed up for the
alert receive an email message informing them about the completion of the sync workflow
run. For example, you can use sync workflow alerts to inform recipients when a sync
workflow run completes with errors.
To manage alerts for a sync workflow, go to the Sync Workflows tab in the
Synchronization Service Administration Console, and then click the Manage alerts link
below the sync workflow.
To manage outgoing mail profiles for sending sync workflow alerts, in the Synchronization
Service Administration Console, click the Settings menu in the upper right corner, and
then click Mail Profiles.
In this section:

l Creating or editing a sync workflow alert
l Deleting a sync workflow alert
l Managing outgoing mail profiles

Creating or editing a sync workflow alert
To create or edit an alert

1. In the Synchronization Service Administration Console, open the Sync Workflows tab.
2. Click the Manage alerts link below the sync workflow for which you want to create
or edit an alert.
The Manage alerts link is only available on sync workflows that include one or
more synchronization steps.

3. In the Manage Sync Workflow Alerts dialog box, do one of the following:
l If you want to create a new alert, click the Add button under the Sync
workflow alerts list.
l If you want to edit an existing alert, select that alert in the Sync workflow
alerts list, and then click the Edit button under the list.
4. Use the following options in the dialog box that opens to specify alert settings, and
then click OK:
l When this event occurs. Select the event that will trigger the alert. You can
select one of the following:
l Sync workflow run completes (with or without errors). Triggers
the alert upon the sync workflow run completion regardless of any errors
encountered in the run.
l Sync workflow run completes with errors. Triggers the alert only
when the sync workflow run completes with errors.
l Send email to. Type the email addresses of the recipients to which you want
to send a notification email message when the selected event occurs. When
specifying multiple email addresses, use a semicolon as a separator.
l Email message subject. Type the text you want to include into the
notification email message subject.
l Ignore mapping errors. Select this check box if you want the alert to skip
mapping errors in sync workflow runs. This check box is only available when
you select Sync workflow run completes with errors in the When this
event occurs option.
l Ignore non-fatal errors in. Select this check box if you want this alert to
skip non-fatal errors in sync workflow runs. A non-fatal error causes a sync
workflow run to partially succeed. A fatal error causes a sync workflow run
to fail. If you select this check box, you must also select one of the
following options:
l All sync workflow steps. Causes the alert to skip non-fatal errors in all
steps of the sync workflow.
l The specified sync workflow steps. Causes the alert to skip non-fatal
errors in the sync workflow steps you specify in the text box below. Type sync

Active Roles 8.0 LTS Synchronization Service Administration Guide


386
Synchronizing identity data
workflow step numbers separated by commas (example: 1, 3, 5). To specify a
range of steps, use a dash as a separator (example: 1, 3, 5-8).
This check box is only available when you select Sync workflow run
completes with errors in the When this event occurs option.
5. Use the Send email using this outgoing mail profile list to select the settings to
be used for sending notification emails generated by the alerts in the Sync
workflow alerts list.
To configure the current outgoing mail profile, click the Properties button. For more
information, see Managing outgoing mail profiles.

6. When you are finished, click OK to close the Manage Sync Workflow
Alerts dialog box.
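The step-number syntax accepted by the Ignore non-fatal errors in option (for example, 1, 3, 5-8) is easy to get wrong in a text box, and a mistyped list silently changes which errors an alert ignores. The following PowerShell function is an added example, not code from this guide or from Synchronization Service: it expands a step list written in that syntax into the set of step numbers it denotes and rejects malformed entries. The function name Expand-SyncStepSpec and the StepCount parameter (the number of steps in the workflow, used for range checking) are assumptions made for the example.

```powershell
# Added example (not part of the One Identity guide or product): expands the
# "1, 3, 5-8" step syntax used by the "Ignore non-fatal errors in" alert option.
function Expand-SyncStepSpec {
    param(
        [Parameter(Mandatory)][string]$Spec,
        # Total number of steps in the sync workflow (assumed; used for range checking).
        [Parameter(Mandatory)][int]$StepCount
    )
    # A sorted set removes duplicates such as "3, 1-5" listing step 3 twice.
    $steps = New-Object 'System.Collections.Generic.SortedSet[int]'
    foreach ($token in $Spec -split ',') {
        $t = $token.Trim()
        if ($t -eq '') { throw "Empty entry in step list '$Spec'" }
        if ($t -match '^(\d+)-(\d+)$') {
            # Range written as "from-to"; a dash is the only range separator.
            $from = [int]$Matches[1]; $to = [int]$Matches[2]
            if ($from -gt $to) { throw "Range '$t' runs backwards" }
        } elseif ($t -match '^(\d+)$') {
            $from = $to = [int]$Matches[1]
        } else {
            throw "'$t' is neither a step number nor a range (expected forms: 3 or 5-8)"
        }
        if ($from -lt 1 -or $to -gt $StepCount) {
            throw "'$t' is outside steps 1-$StepCount of this sync workflow"
        }
        $from..$to | ForEach-Object { [void]$steps.Add($_) }
    }
    return @($steps)
}

# The guide's own example, applied to a workflow assumed to have 10 steps.
Expand-SyncStepSpec -Spec '1, 3, 5-8' -StepCount 10

# A step number beyond the workflow's length is reported rather than ignored.
try { Expand-SyncStepSpec -Spec '2, 12' -StepCount 10 } catch { Write-Warning $_ }
```

Run the function against the list you intend to type into the dialog; the returned step numbers are exactly the steps whose non-fatal errors the alert will skip, which makes it easy to confirm that no step was excluded by accident.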

Deleting a sync workflow alert

To delete an alert

1. In the Synchronization Service Administration Console, open the Sync
   Workflows tab.
2. Click the Manage alerts link below the sync workflow for which you want to
   delete an alert.
   The Manage alerts link is only available on sync workflows that include one or
   more synchronization steps.
3. In the Sync workflow alerts list, select the alert you want to delete, and then click
   the Delete button under the list.

Managing outgoing mail profiles

To create, edit, or delete an outgoing mail profile, in the Synchronization Service
Administration Console, click the Settings menu in the upper right corner, and then click
Mail Profiles. Then, follow the appropriate procedure below.

To create a profile

1. Click the Add button below the list of profiles, and then specify the settings you
want to use. For the descriptions of the settings you can specify, see Outgoing mail
profile settings.
2. When you are finished, click OK.

To edit a profile

1. In the list, select the outgoing mail profile you want to edit.

2. Click the Edit button below the list of profiles, and then specify the settings you
want to use. For the description of the settings you can specify, see Outgoing mail
profile settings.
3. When you are finished, click OK.

To delete a profile

1. In the list, select the outgoing mail profile you want to delete.
2. Click the Delete button below the list of profiles.

Outgoing mail profile settings

In each outgoing mail profile, you can use the following settings:

• Profile name. Type a descriptive name with which you want to identify the profile.
• Outgoing SMTP server. Type the fully qualified domain name of the SMTP mail
  server you want to use for sending notification emails.
• This server requires an encrypted connection (SSL). Select this check box if
  the specified mail server requires an encrypted connection.
• This server requires authentication. Select this check box if the specified mail
  server requires authentication, and then type the user name and password with
  which you want to access the server.
• Sender email address. Type the email address you want to use as the originating
  address in the notification emails.
• Sender name. Type the sender name you want to display in the From field to the
  recipients of the notification emails.
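Alert emails can carry sync workflow error details and, with This server requires authentication selected, the profile also stores a mail account password, so the connection to the outgoing SMTP server is worth verifying before the profile goes into use. The following PowerShell function is an added example, not code from this guide or from Synchronization Service: it connects to the SMTP server, checks that the server advertises STARTTLS, and validates the server certificate the same way a default TLS client would. The server name, the submission port 587, the client host name in the EHLO command and the function name Test-SmtpStartTls are assumptions; the guide does not state which port or TLS mode the mail profile uses.

```powershell
# Added example (not part of the One Identity guide or product): checks that an
# SMTP server offers STARTTLS and presents a certificate that validates under
# the default .NET trust rules (trusted chain, not expired, host name matches).
function Test-SmtpStartTls {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 587   # assumed submission port; adjust for your mail server
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $client.ReceiveTimeout = 10000
    $client.Connect($Server, $Port)
    $net    = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($net)
    $writer = New-Object System.IO.StreamWriter($net)
    $writer.NewLine   = "`r`n"
    $writer.AutoFlush = $true

    # Reads one complete SMTP reply: continuation lines look like "250-", the last line "250 ".
    function Read-Reply {
        $lines = @()
        do { $line = $reader.ReadLine(); $lines += $line } while ($line -match '^\d{3}-')
        return $lines
    }

    try {
        $banner = @(Read-Reply)
        if ($banner[-1] -notmatch '^220') { throw "Unexpected greeting: $($banner -join ' ')" }
        $writer.WriteLine('EHLO syncservice.example')   # placeholder client host name
        $ehlo = @(Read-Reply)
        $result = [ordered]@{
            Server = $Server; Port = $Port; StartTlsOffered = $false
            CertificateTrusted = $false; Subject = $null; Issuer = $null; NotAfter = $null
        }
        if (-not ($ehlo -match '^250[ -]STARTTLS')) {
            # No STARTTLS: a profile with the SSL check box selected cannot use this server.
            $writer.WriteLine('QUIT')
            return [pscustomobject]$result
        }
        $result.StartTlsOffered = $true
        $writer.WriteLine('STARTTLS')
        $reply = @(Read-Reply)
        if ($reply[-1] -notmatch '^220') { throw "STARTTLS refused: $($reply -join ' ')" }

        # SslStream with default validation throws on an untrusted chain or name mismatch.
        $ssl = New-Object System.Net.Security.SslStream($net, $false)
        $ssl.AuthenticateAsClient($Server)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $result.CertificateTrusted = $ssl.IsAuthenticated -and $ssl.IsEncrypted
        $result.Subject  = $cert.Subject
        $result.Issuer   = $cert.Issuer
        $result.NotAfter = $cert.NotAfter
        $ssl.Dispose()
        return [pscustomobject]$result
    }
    finally { $client.Close() }
}

Test-SmtpStartTls -Server 'smtp.example.com' -Port 587 | Format-List
```

Run this from the computer that hosts the Synchronization Service, because that is the machine whose certificate store decides whether the chain is trusted. A thrown authentication error means the certificate would not validate for the mail profile either; fix the server certificate or the trust store rather than clearing the encrypted-connection check box, since alert mail without TLS exposes the profile's credentials and the error details in transit.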


6 Mapping objects

• About mapping objects
• Steps to map objects
• Steps to unmap objects
About mapping objects

Object mapping allows you to establish one-to-one relationships between objects in two
connected data systems. By using object mapping, you can determine which objects will
participate in the data synchronization operations you run between these two data systems.
Synchronization Service maps objects automatically when running the creating steps of a
sync workflow. In this case, a one-to-one relationship is automatically established between
source objects and their counterparts created in the target connected system during the
creation operation. In some cases, however, you may need to manually map objects. For
example, you should configure object mapping before running a sync workflow that
includes updating or deprovisioning steps. By doing so, you provide Synchronization
Service with the information on which objects need to be updated or deprovisioned in the
target data system.
To map objects, you can use mapping pairs and mapping rules. A mapping pair allows you
to establish a relationship between a certain object type in one connected system and its
counterpart in the other connected system. A mapping rule allows you to define the
conditions under which the objects belonging to the object types specified in a particular
mapping pair will be mapped. For a mapping pair you can create multiple mapping rules,
each defining a specific mapping condition. For your mapping rules to take effect, you
need to run them. After you run a mapping rule, Synchronization Service reads data in the
connected data systems for which the rule is configured, and then maps the objects that
meet the conditions specified in the mapping rule.
The following example shows how a mapping rule works:

Figure 14: Object mapping

In this example, a one-to-one relationship is established between the user object John
Malcolm in Connected System 1 and the user object John Doe in Connected System 2: the
first names of these user objects match, and thus the condition specified in the mapping
rule is met. Now, if you configure a sync workflow for these systems and populate it with
synchronization steps, identity information will be synchronized between these two user
objects, since they are mapped. The direction of synchronization depends on which of these
two connected data systems acts as the synchronization source and which is the target.
The next sections cover the following:

• Steps to map objects
• Steps to unmap objects
Steps to map objects
You can map objects in two data systems to which Synchronization Service is connected.
To map objects in two connected data systems, complete the following steps:

• Step 1: Create mapping pairs
• Step 2: Create mapping rules
• Step 3 (optional): Change scope for mapping rules
• Step 4: Run map operation
Step 1: Create mapping pairs

In this step, you create mapping pairs that specify the types of objects you want to map in
two connected systems. You can create as many mapping pairs as necessary.

To create a mapping pair

1. In the Synchronization Service Administration Console, open the Mapping tab.
2. Click the name of the connection for which you want to map objects.
3. Click Add mapping pair.
4. On the Specify source page, next to Connected system object type, click
   Select, and then select the type of object you want to map.
5. Click Next.
6. On the Specify target page, do the following:
   a. Next to Target connected system, click Specify, and then specify the other
      connected system where you want to map objects.
   b. Next to Connected system object type, click Select, and then select the
      type of object you want to map.
7. Click Finish to create the mapping pair.
   Repeat the above steps to create mapping pairs for as many object types as
   necessary.

Step 2: Create mapping rules

Once you have created a mapping pair, you can configure mapping rules for that pair.
Mapping rules define the conditions under which the objects that belong to the object types
specified in the mapping pair will be mapped. Synchronization Service maps objects only if
all mapping rules specified for a mapping pair are met.

To add a new mapping rule

1. In the Synchronization Service Administration Console, open the Mapping tab.
2. Click the name of the connection for which you want to create a mapping rule.
3. Click the mapping pair for which you want to create a mapping rule.
4. Click Add mapping rule.
5. Use the Define Mapping Rule dialog box to define the condition under which the
   objects in the connected systems are to be mapped. To do so, click the down arrow on
   the button next to each of the two provided options and select one of the following:
   • Attribute. Allows you to select an attribute in the connected system.
   • Rule. Allows you to set up a list of rules to generate a value for the connected
     system. For details, see Using value generation rules.
   • PowerShell Script. Allows you to type a Windows PowerShell script that
     generates a value for the connected system.
6. When you are finished, click OK to create the mapping rule.

Step 3 (optional): Change scope for mapping rules

Each mapping rule applies to a scope of objects. By default, this scope includes all objects
that belong to the object types specified in the mapping rule. If necessary, you can narrow
the scope specified for a particular mapping rule or you can revert to the default scope.

To change the scope of a mapping rule

1. Go to the mapping pair that includes the mapping rule whose scope you want
   to change:
   a. In the Synchronization Service Administration Console, open the Mapping tab.
   b. Click the name of the appropriate connection.
   c. Click the appropriate mapping pair entry.
2. Locate the mapping rule whose scope you want to change. Use the following
   elements provided for each mapping rule entry:
   • Mapping scope for system 1. Shows the mapping rule scope applicable to
     the data system shown on the left part of the mapping pair entry.
   • Mapping scope for system 2. Shows the mapping rule scope applicable to
     the data system shown on the right part of the mapping pair entry.
   These elements can take one of the following values:
   • Default. Indicates that the mapping rule applies to all objects of the
     specified type.
   • Custom. Indicates that the mapping rule scope is narrowed down and only
     applies to some objects of the specified type.
3. Change the mapping rule scope as necessary:
   a. Click the value displayed next to Mapping scope for system 1 or Mapping
      scope for system 2, and then specify the scope you want to use.
   b. When you are finished, click OK.
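The mapping concepts described in About mapping objects, Step 2 and Step 3 fit together in a way that is easier to see on data than in the console: a mapping pair names the two object types, every rule in the pair must be satisfied for two objects to be mapped, and the scope limits which objects are considered at all. The following PowerShell script is an added example, not code from this guide or from Synchronization Service, and it does not reproduce the product's mapping engine. It builds two small constructed sets of objects, applies the first-name rule from the guide's Figure 14, and shows why a rule on first name alone cannot produce a one-to-one mapping once two users share a first name, and how a second rule and a scope resolve that. All object data, attribute names and the function name Invoke-MappingRules are assumptions made for the example.

```powershell
# Added example (not part of the One Identity guide or product): a small model of
# how mapping rules (all must match) and rule scopes produce one-to-one mappings.

# Constructed sample objects for the two connected systems.
$system1 = @(
    [pscustomobject]@{ Id = 'S1-001'; FirstName = 'John'; LastName = 'Malcolm'; EmployeeId = '1001'; Enabled = $true }
    [pscustomobject]@{ Id = 'S1-002'; FirstName = 'Anna'; LastName = 'Lee';     EmployeeId = '1002'; Enabled = $true }
    [pscustomobject]@{ Id = 'S1-003'; FirstName = 'John'; LastName = 'Smith';   EmployeeId = '1003'; Enabled = $false }
)
$system2 = @(
    [pscustomobject]@{ Id = 'S2-A'; GivenName = 'John'; Surname = 'Doe';   EmpNo = '1001' }
    [pscustomobject]@{ Id = 'S2-B'; GivenName = 'Anna'; Surname = 'Lee';   EmpNo = '1002' }
    [pscustomobject]@{ Id = 'S2-C'; GivenName = 'John'; Surname = 'Smith'; EmpNo = '1003' }
)

function Invoke-MappingRules {
    param(
        [object[]]$Source, [object[]]$Target,
        # Each rule is a hashtable with Source/Target script blocks yielding the value to compare.
        [hashtable[]]$Rules,
        # Optional scope filters (the guide's Step 3); the default scope is all objects.
        [scriptblock]$SourceScope = { $true },
        [scriptblock]$TargetScope = { $true }
    )
    $inScopeSource = @($Source | Where-Object $SourceScope)
    $inScopeTarget = @($Target | Where-Object $TargetScope)

    # An object's key joins the values of every rule, so all rules must match (logical AND).
    $keyOf = { param($obj, $side) ($Rules | ForEach-Object { & $_[$side] $obj }) -join ([string][char]31) }
    $targetByKey = @{}
    foreach ($t in $inScopeTarget) {
        $k = & $keyOf $t 'Target'
        if (-not $targetByKey.ContainsKey($k)) { $targetByKey[$k] = @() }
        $targetByKey[$k] += ,$t
    }

    $mapped = @(); $unmapped = @(); $ambiguous = @()
    foreach ($s in $inScopeSource) {
        $k = & $keyOf $s 'Source'
        $candidates = if ($targetByKey.ContainsKey($k)) { @($targetByKey[$k]) } else { @() }
        switch ($candidates.Count) {
            0       { $unmapped += $s.Id }
            1       { $mapped += [pscustomobject]@{ Source = $s.Id; Target = $candidates[0].Id } }
            default { $ambiguous += [pscustomobject]@{ Source = $s.Id; Targets = @($candidates.Id) } }
        }
    }
    [pscustomobject]@{ Mapped = $mapped; Unmapped = $unmapped; Ambiguous = $ambiguous }
}

# The rule from Figure 14: first names must match. Two users named John make this ambiguous.
$byFirstName = @(@{ Source = { param($o) $o.FirstName }; Target = { param($o) $o.GivenName } })
Invoke-MappingRules -Source $system1 -Target $system2 -Rules $byFirstName

# A second rule (employee number) tightens the key; a scope drops disabled accounts entirely.
$byFirstNameAndEmpId = $byFirstName + @(@{ Source = { param($o) $o.EmployeeId }; Target = { param($o) $o.EmpNo } })
Invoke-MappingRules -Source $system1 -Target $system2 -Rules $byFirstNameAndEmpId -SourceScope { $_.Enabled }
```

The first call shows the failure mode to watch for in the map operation report: with only the first-name rule, both John objects in system 1 match both John objects in system 2, so neither can be committed as a one-to-one mapping. The second call demonstrates the remedy the guide's Step 2 and Step 3 provide, adding a rule on an attribute that is unique per person and narrowing the scope, which leaves each in-scope source object with exactly one counterpart.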

Step 4: Run map operation

Once you have created mapping rules for a mapping pair, you need to run the map
operation in order to apply these rules and map objects that belong to the mapping pair.
There are two methods to run the map operation: you can manually run the map operation
once or you can create a recurring schedule to automatically run the map operation on a
regular basis.
The latter method is recommended when you want to use Synchronization Service to
synchronize passwords from an Active Directory domain to other connected systems.
Running mapping rules on a recurring schedule allows you to properly map newly-created
Active Directory user objects to their counterparts in the connected systems where you
automatically synchronize passwords with the Active Directory domain. If you do not run
mapping rules on a regular basis, some passwords may become out of sync because of the
changes that inevitably occur to your environment.
For example, new user objects are created and some user objects are deleted, but
Synchronization Service cannot detect these changes or synchronize passwords for the
newly-created users until you apply the mapping rules. In this scenario, the best way to
ensure Synchronization Service synchronizes all passwords is to apply your mapping rules
on a regular basis. You can accomplish this task by creating a recurring schedule for
applying your mapping rules.

To run the map operation once

1. In the Synchronization Service Administration Console, open the Mapping tab.
2. Click the name of the connection for which you want to run the map operation.
3. Click the mapping pair for which you want to run the map operation.
4. Click Map now.
5. In the dialog box that opens, click one of the following:
   • Full Map. With this option, Synchronization Service retrieves the data
     required to map objects from the connected data systems.
   • Quick Map. With this option, Synchronization Service first tries to map
     objects by using the data that is available in the local cache. If the local cache
     is missing or cannot be used to map objects, then Synchronization Service
     retrieves the required data from the connected data systems.
   Wait for the map operation to complete.
   After the map operation completes, the Synchronization Service Administration
   Console displays a report that provides information about the objects that
   participated in the map operation. At this stage, the application does not map the
   objects. To map the objects, you need to commit the map operation result.
   You can click the number that is provided next to an object category name in the
   report to view the details of objects that belong to that category.
6. Review the report about the objects that participated in the map operation, and then
   click Commit to map the objects.

To automatically run the map operation on a recurring schedule

1. In the Synchronization Service Administration Console, open the Mapping tab.
2. Click the name of the connection for which you want to create a recurring
   mapping schedule.
3. Click the mapping pair for which you want to run the map operation on a
   recurring schedule.
4. Click Schedule mapping.
5. In the dialog box that opens, select the Schedule the task to run check box, and
   then specify a schedule for the map operation.
   It is recommended to schedule the map operation to run once every 6 hours.
6. If several Synchronization Service instances are installed in your environment, under
   Run the task on, select the computer that hosts the instance you want to use for
   running the map operation.
7. Click OK to activate the schedule.
   The results of a scheduled map operation always apply automatically; you do not
   need to commit the changes.
   When performing a scheduled map operation, Synchronization Service always
   retrieves the required data from the connected data systems and never uses the data
   available in the local cache.

Steps to unmap objects

You can unmap the objects that were mapped earlier.

To unmap objects

1. In the Synchronization Service Administration Console, open the Mapping tab.
2. Click the name of the connection for which you want to unmap objects.
3. Click the mapping pair that specifies the object types you want to unmap.
4. Click Unmap now and wait until the unmap operation completes.
   After the unmap operation completes, the Synchronization Service Administration
   Console displays a report which provides information about the objects that
   participated in the unmap operation. At this stage, the application does not unmap
   the objects. To unmap them, you need to commit the result of the unmap operation.
   You can click the number provided next to an object category name in the report to
   view the details of objects that belong to that category.
5. Review the report on the objects that participated in the unmap operation, and then
   click Commit to unmap the objects.


7 Automated password synchronization

• About automated password synchronization
• Steps to automate password synchronization
• Managing Capture Agent
• Managing password sync rules
• Fine-tuning automated password synchronization

About automated password synchronization

If your enterprise environment has multiple data management systems, each having its
own password policy and dedicated user authentication mechanism, you may face one or
more of the following issues:

• Because users have to remember multiple passwords, they may have difficulty
  managing them. Some users may even write down their passwords. As a result,
  passwords can be easily compromised.
• Each time users forget one or several of their numerous access passwords, they
  have to ask administrators for password resets. This increases operational costs and
  translates into a loss of productivity.
• There is no way to implement a single password policy for all of the data
  management systems. This too impacts productivity, as users have to log on to each
  data management system separately in order to change their passwords.

With Synchronization Service, you can eliminate these issues and significantly simplify
password management in an enterprise environment that includes multiple data
management systems.
Synchronization Service provides a cost-effective and efficient way to synchronize user
passwords from an Active Directory domain to other data systems used in your
organization. As a result, users can access other data management systems using their
Active Directory domain password. Whenever a user password is changed in the source
Active Directory domain, this change is immediately and automatically propagated to other
data systems, so each user password remains in sync in the data systems at all times.
You need to connect Synchronization Service to the data systems in which you want to
synchronize passwords through special connectors supplied with Synchronization Service.

Steps to automate password synchronization

To automatically synchronize passwords from an Active Directory domain to another data
system, complete these steps:

1. Install Capture Agent on each domain controller in the Active Directory domain you
   want to be the source for password synchronization operations.
   Capture Agent tracks changes to the user passwords in the source Active Directory
   domain and provides this information to Synchronization Service, which in turn
   synchronizes passwords in the target connected systems you specify.
   For more information on how to install Capture Agent, see Managing Capture Agent.
2. Connect the Synchronization Service to the Active Directory domain where you
   installed Capture Agent in step 1.
   Alternatively, you can configure a connection to Active Roles that manages the
   source Active Directory domain.
3. Connect the Synchronization Service to the data system where you want to
   synchronize user object passwords with those in the source Active Directory domain.
   • For some target data systems (such as SQL Server) you must specify the
     data you want to participate in the password synchronization by configuring
     an SQL query.
   • If the target data system is an LDAP directory service accessed via the
     generic LDAP connector, you must specify the target object type for which you
     want to synchronize passwords and the attribute where you want to store
     object passwords.
4. Ensure that user objects in the source Active Directory domain are properly mapped
   to their counterparts in the target connected system.
   For more information about mapping objects, see Mapping objects.
   Synchronization Service automatically maps objects between the source Active
   Directory domain and the target connected system if you configure sync workflows to
   manage the creation and deprovisioning operations between the source AD domain (or
   Active Roles that manages that domain) and the target connected system.
   For more information on sync workflows, see Synchronizing identity data.
5. Create a password synchronization rule for the target connected system.
   For more information, see Creating a password sync rule.

After you complete the above steps, the Synchronization Service starts to automatically
track user password changes in the source AD domain and synchronize passwords in the
target connected system.
If necessary, you can fine-tune the password synchronization settings by completing these
optional tasks:

• Modify the default Capture Agent settings.
  For more information, see Configuring Capture Agent.
• Modify the default Synchronization Service settings related to password
  synchronization.
  For more information, see Configuring Synchronization Service.
• Specify a custom certificate for encrypting the password sync traffic between the
  Capture Agent and the Synchronization Service. By default, a built-in certificate is
  used for this purpose.
  For more information, see Specifying a custom certificate for encrypting password
  sync traffic.
• Configure the Synchronization Service to automatically run your PowerShell script
  after the password synchronization completes.
  For more information, see Using PowerShell scripts with password synchronization.

Managing Capture Agent

Capture Agent is required to track changes to the user passwords in the Active Directory
domain you want to be the authoritative source for password synchronization operations.
To synchronize passwords, you must install Capture Agent on each domain controller in the
source Active Directory domain.
Whenever a password changes in the source Active Directory domain, the agent captures
that change and provides the changed password to the Synchronization Service. In turn,
the Synchronization Service uses the provided information to synchronize passwords in the
target connected systems according to your settings.
In this section:

• Installing Capture Agent manually
• Using Group Policy to install Capture Agent
• Uninstalling Capture Agent

Installing Capture Agent manually
You can use this method to manually deploy Capture Agent on each domain controller in the
source Active Directory domain.

To manually install Capture Agent

1. Run one of the following files supplied with the Synchronization Service
   installation package:
   • On a 32-bit domain controller, run the file SyncServiceCaptureAgent_8.0_x86.msi.
   • On a 64-bit domain controller, run the file SyncServiceCaptureAgent_8.0_x64.msi.
   You can find these files in the Solutions folder on the Active Roles
   distribution media.
2. Step through the wizard to complete the agent installation.

You can perform an unattended installation of Capture Agent as follows.

To perform an unattended installation

On a 32-bit system, enter the following syntax at a command prompt:

msiexec /i "<Path to SyncServiceCaptureAgent_8.0_x86.msi>" /qb INSTALLDIR="<Path to installation folder>" REBOOT="<Value>"

On a 64-bit system, enter the following syntax at a command prompt:

msiexec /i "<Path to SyncServiceCaptureAgent_8.0_x64.msi>" /qb INSTALLDIR="<Path to installation folder>" REBOOT="<Value>"

In the above syntax:

Table 122: Arguments

Argument    Description

INSTALLDIR  Specifies the installation folder for the Capture Agent. When this
            argument is omitted, the following default installation folder is used:
            %ProgramFiles%\One Identity\Active Roles\8.0 LTS\SyncServiceCaptureAgent

REBOOT      Allows you to suppress a system restart in a situation where a
            restart is required for the Capture Agent installation to complete.
            To suppress the restart, use the following syntax:
            REBOOT="ReallySuppress"
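Because Capture Agent must run on every domain controller, a single domain controller without it means password changes processed by that domain controller are never forwarded, and nothing in the target systems reports the gap. The following PowerShell script is an added example, not code from this guide or from Synchronization Service: it enumerates the domain controllers of the source domain and reports, for each, whether a program whose display name contains "Synchronization Service Capture Agent" (the name shown in the Uninstalling Capture Agent procedure) is registered in the installed-programs registry keys, together with the operating system bitness, which decides between the x86 and x64 package. It assumes the ActiveDirectory PowerShell module is available and that PowerShell remoting to the domain controllers is permitted; the function name Get-CaptureAgentStatus is an assumption.

```powershell
# Added example (not part of the One Identity guide or product): inventories
# Capture Agent across all domain controllers of the source domain.
Import-Module ActiveDirectory

function Get-CaptureAgentStatus {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    # Every DC of the domain; the guide requires the agent on each of them.
    $dcs = @(Get-ADDomainController -Filter * -Server $Domain |
             Select-Object -ExpandProperty HostName)

    # Query the same Uninstall registry keys that Programs and Features reads.
    $remote = @(Invoke-Command -ComputerName $dcs -ErrorAction SilentlyContinue -ScriptBlock {
        $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
        $agent = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -like '*Synchronization Service Capture Agent*' } |
            Select-Object -First 1
        $version = $null
        if ($agent) { $version = $agent.DisplayVersion }
        [pscustomobject]@{
            AgentInstalled = [bool]$agent
            AgentVersion   = $version
            Is64Bit        = [Environment]::Is64BitOperatingSystem
        }
    })

    # Report one row per DC; a DC that did not answer is a gap just like one without the agent.
    foreach ($dc in $dcs) {
        $r = $remote | Where-Object { $_.PSComputerName -eq $dc } | Select-Object -First 1
        $installed = $false; $version = $null; $is64 = $null
        if ($r) { $installed = $r.AgentInstalled; $version = $r.AgentVersion; $is64 = $r.Is64Bit }
        [pscustomobject]@{
            DomainController = $dc
            Reachable        = [bool]$r
            AgentInstalled   = $installed
            AgentVersion     = $version
            Is64Bit          = $is64
        }
    }
}

$status = Get-CaptureAgentStatus
$status | Format-Table -AutoSize
$gaps = @($status | Where-Object { -not $_.AgentInstalled })
if ($gaps.Count -gt 0) {
    Write-Warning "Capture Agent not confirmed on: $($gaps.DomainController -join ', ')"
}
```

Run the script after the initial deployment and again whenever a domain controller is promoted, since a new domain controller outside the Group Policy deployment described below starts processing password changes immediately. The Is64Bit column tells you which of the two MSI packages applies to a domain controller that still needs the agent.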

Using Group Policy to install Capture Agent
You can use this method to automatically deploy Capture Agent on each domain
controller in the source Active Directory domain. This method is applicable in the
following scenarios only:

Table 123: Prerequisites by scenario

Scenario 1: AD domain includes either 32- or 64-bit domain controllers
  Prerequisites:
  • All the domain controllers must be held in a single organizational unit (for
    example, the built-in Domain Controllers OU).
  • At least one group policy object must be linked to the OU holding the domain
    controllers (for example, the built-in Default Domain Controllers Policy Group
    Policy object).

Scenario 2: AD domain includes both 32- and 64-bit domain controllers
  Prerequisites:
  • The domain controllers must be held in two separate organizational units, each
    containing domain controllers of the same bitness.
  • At least one group policy object must be linked to each of the two organizational
    units.

To install Capture Agent by using Group Policy

1. Save the SyncServiceCaptureAgent_8.0 LTS_x86.msi and
   SyncServiceCaptureAgent_8.0 LTS_x64.msi files to a network share accessible
   from each domain controller in the source Active Directory domain.
2. Depending on your scenario, complete the steps in the table:

   Table 124: Steps by scenario

   Scenario 1: AD domain includes either 32- or 64-bit domain controllers

   1. Use Group Policy Editor to open the group policy object linked to the OU holding
      the domain controllers on which you want to install Capture Agent.
   2. In the Group Policy Object Editor console tree, in Windows Server 2016 or later,
      expand the Computer Configuration node, then expand Policies, and select
      Software Settings.
   3. In the details pane, click Software Installation, on the Action menu point to
      New, and then click Package.
   4. Use the dialog box to open one of the following files:
      SyncServiceCaptureAgent_8.0 LTS_x86.msi if all your domain controllers are 32-bit.
      or
      SyncServiceCaptureAgent_8.0 LTS_x64.msi if all your domain controllers are 64-bit.
   5. In the Deploy Software dialog box, select Assigned, and then click OK.

   Scenario 2: AD domain includes both 32- and 64-bit domain controllers

   1. Use Group Policy Object Editor to open the group policy object linked to the OU
      holding the 32-bit domain controllers.
   2. In the Group Policy Object Editor console tree, in Windows Server 2016 or later,
      expand the Computer Configuration node, then expand Policies, and select
      Software Settings.
   3. In the details pane, click Software Installation, on the Action menu point to
      New, then click Package.
   4. Use the dialog box to open the SyncServiceCaptureAgent_8.0 LTS_x86.msi file.
   5. In the Deploy Software dialog box, select Assigned, and then click OK.
   6. Repeat steps 1-5 for the group policy object linked to the OU holding the 64-bit
      domain controllers. Use the SyncServiceCaptureAgent_8.0 LTS_x64.msi file to
      install Capture Agent on these domain controllers.

3. Run the following command at a command prompt to refresh the Group Policy
   settings: gpupdate /force

Uninstalling Capture Agent

To uninstall Capture Agent

1. To open the list of installed programs on the computer where Capture Agent is
installed, in Control Panel, open Programs and Features.
2. In the list of installed programs, select One Identity Active Roles 8.0 LTS -
Synchronization Service Capture Agent x64 or One Identity Active Roles
8.0 LTS - Synchronization Service Capture Agent x86.
3. Click Uninstall to uninstall the agent.
4. Follow the on-screen instructions to uninstall Capture Agent.

Managing password sync rules

To synchronize passwords from an Active Directory domain to other connected systems,
you need to create and configure a password synchronization rule for each target
connected system where you want to synchronize passwords.
A password synchronization rule allows you to specify the following:

• The Active Directory domain you want to be the source for password synchronization
  operations.
• The source object type for password synchronization operations (typically, this is the
  user object type in Active Directory).
• The target connected system in which you want to synchronize passwords with the
  source Active Directory domain.
• The target object type for password synchronization operations.

Optionally, you can configure a password synchronization rule to modify attribute values of
the target connected system objects whose passwords are being synchronized.
This section covers:

• Creating a password sync rule
• Deleting a password sync rule
• Modifying settings of a password sync rule
Creating a password sync rule

To create a password sync rule

1. In the Synchronization Service Administration Console, open the Password
   Sync tab.
2. Click Add password sync rule.
3. On the Specify source for password sync page, do the following:
   a. In the Source connected system option, specify the Active Directory domain
      you want to be the source for password synchronization operations.
      Alternatively, you can select the Active Roles instance that manages such an
      Active Directory domain.
   b. In the Connected system object type option, select the object type you
      want to be the source for password synchronization.
4. Click Next.
5. On the Specify target for password sync page, do the following:
   a. In the Target connected system option, specify the target connected system
      in which you want to synchronize passwords.
   b. In the Connected system object type option, select the object type you
      want to be the target for password synchronization.
   c. Optionally, you can click the Password Sync Settings button and then use
      the following tabs to configure more password sync settings:
      • Password Sync Retry Options. Use this tab to specify how many
        times you want Synchronization Service to retry the password
        synchronization operation in the event of a password synchronization
        failure. You can select one of the following options:
        • Unlimited number of times. Causes Synchronization Service to retry
          the password synchronization operation until it succeeds.
        • This maximum number of times. Specify the maximum number of
          times you want Synchronization Service to retry the password
          synchronization operation.
      • Password Transformation Script. Use this tab to type a PowerShell
        script that transforms source Active Directory user passwords into
        object passwords for the target connected system. Use this item if you
        want the object passwords in the source and target connected systems
        to be different. If you do not want to transform passwords, leave the
        text box blank.
      • Rules to Modify Object Attributes. Use this tab to specify rules for
        modifying attribute values on the target connected system objects.
        These rules will only apply to the objects on which Synchronization
        Service modifies passwords in the target connected system.
   d. When you are finished, click OK.
6. Click Finish to create the password sync rule.

Deleting a password sync rule

To delete a password sync rule

1. In the Synchronization Service Administration Console, open the Password
   Sync tab.
2. Locate the rule you want to delete, and then click Delete this rule below the rule.

Modifying settings of a password sync rule

You can modify the following settings of an existing password sync rule:

• Specify how many times you want the Synchronization Service to retry the password
  synchronization operation in the case of a password synchronization failure.
• Specify a PowerShell script to transform a source Active Directory user password
  into an object password in the target connected system.
• Specify rules to modify the attributes of the target connected system objects on
  which Synchronization Service changes passwords.

To modify the settings of a password sync rule

1. In the Synchronization Service Administration Console, open the Password
   Sync tab.
2. Click the Password sync settings link below the password sync rule you
   want to modify.
3. In the dialog box that opens, use the following tabs:
   • Password Sync Retry Options. Use this tab to specify how many times you
     want Synchronization Service to retry the password synchronization operation
     in the event of a password synchronization failure. You can select one of the
     following options:
     • Unlimited number of times. Causes Synchronization Service to retry the
       password synchronization operation until it succeeds.
     • This maximum number of times. Specify the maximum number of
       times you want Synchronization Service to retry the password
       synchronization operation.
   • Password Transformation Script. Use this tab to type a PowerShell
     script that transforms source Active Directory user passwords into
     object passwords for the target connected system. Use this tab if you
     want the object passwords in the source and target connected systems
     to be different. If you do not want to transform passwords, leave the
     text box blank.
   • Rules to Modify Object Attributes. Use this tab to specify rules for
     modifying attribute values on the target connected system objects. These rules
     will only apply to the objects on which Synchronization Service modifies
     passwords in the target connected system.
4. When you are finished, click OK to save your changes.

Fine-tuning automated password synchronization
This section provides information about the optional tasks related to configuring the automated password synchronization from an Active Directory domain to connected data systems.
In this section:

• Configuring Capture Agent
• Configuring Synchronization Service
• Specifying a custom certificate for encrypting password sync traffic
• Using PowerShell scripts with password synchronization

Configuring Capture Agent
Capture Agent has a number of parameters you can modify. After you install the agent, each of these parameters is assigned a default value, as described in the following table:

Table 125: Capture Agent parameters

Parameter: Maximum connection point validity for Capture Agent Service
Description: Determines the period of time (in hours) during which a connection between Capture Agent and Synchronization Service remains valid.
Default value: 24 hours

Parameter: Interval between connection retries
Description: Determines the time interval (in minutes) during which Capture Agent tries to reconnect to Synchronization Service.
Default value: 10 minutes

Parameter: Maximum duration of a connection attempt
Description: Determines the period of time (in days) during which Capture Agent tries to connect to Synchronization Service to send the information about changed user passwords. During this period Capture Agent stores the user passwords to be synchronized in an encrypted file.
Default value: 7 days

Parameter: Certificate to encrypt Capture Agent traffic
Description: Specifies a certificate for encrypting the password sync data transferred between Capture Agent and Synchronization Service. For more information, see Specifying a custom certificate for encrypting password sync traffic.
Default value: By default, a built-in certificate is used.

Parameter: Connection Point 1 through Connection Point 7
Description: Define the Synchronization Service instances to which Capture Agent provides information about changed user passwords.
Default value: If none of these parameters is set, Capture Agent looks for available instances of the Synchronization Service in the following container: CN=Active Roles Sync Service,CN=One Identity,CN=System,DC=<domain name>

You can modify the default values of these parameters by using Group Policy and the Administrative Template supplied with the Synchronization Service. The next steps assume that all the domain controllers where the Capture Agent is installed are held within organizational units.
Complete these steps to modify the default Capture Agent settings:

• Step 1: Create and link a Group Policy object
• Step 2: Add administrative template to Group Policy object
• Step 3: Use Group Policy object to modify Capture Agent settings

Step 1: Create and link a Group Policy object

Create a new Group Policy object. Link the object to each organizational unit holding the domain controllers on which the Capture Agent is installed. For more information, see the documentation for your version of the Windows operating system.

Step 2: Add administrative template to Group Policy object

1. Use Group Policy Object Editor to connect to the Group Policy object you created in step 1.
2. In the Group Policy Object Editor console, expand the Group Policy object, and in Windows Server 2016 or later, expand Computer Configuration, expand Policies, and then select Administrative Templates.
3. On the Action menu, point to All Tasks, and click Add/Remove Templates.
   The Add/Remove Templates dialog box opens.
4. In the Add/Remove Templates dialog box, click Add, and then use the Policy Templates dialog box to open the Administrative Template (SyncServiceCaptureAgent.adm file) supplied with the Synchronization Service.
   The SyncServiceCaptureAgent.adm file is located in <Active Roles distribution media>\Solutions\Sync Service Capture Agent.

Step 3: Use Group Policy object to modify Capture Agent settings

1. Under Computer Configuration\Policies\Administrative Templates\Classic Administrative Templates (ADM)\Active Roles, select Sync Service Capture Agent Settings.
2. In the details pane, configure the appropriate Group Policy settings.
   The names of Group Policy settings correspond to the names of the Capture Agent parameters provided in the table in Configuring Capture Agent.
3. Run the following command at a command prompt for the changes to take effect:
   gpupdate /force

Configuring Synchronization Service

You can modify the default values of the Synchronization Service parameters related to password synchronization. These parameters and their default values are described in the next table.

Table 126: Synchronization Service parameters

Parameter: Interval between attempts to reset password
Description: The Capture Agent sends information on changes made to Active Directory user passwords to Synchronization Service. After receiving this information, Synchronization Service tries to reset passwords in the target connected systems you specified. This parameter determines the time interval (in minutes) between attempts to reset passwords in the target connected systems.
Default value: 10 minutes

Parameter: Synchronization Service connection point update period
Description: Synchronization Service publishes its connection point in Active Directory. This parameter determines the frequency of updates (in minutes) of the Synchronization Service connection point.
Default value: 60 minutes

Parameter: Certificate to encrypt Capture Agent traffic
Description: This parameter specifies the thumbprint of the certificate used to encrypt the password sync traffic between Capture Agent and Synchronization Service. The same certificate must be used for the Capture Agent and the Synchronization Service.
Default value: By default, a built-in certificate is used.

You can modify the Synchronization Service parameters using Group Policy and the Administrative Template supplied with Synchronization Service.

To modify Synchronization Service parameters using Group Policy

1. On the computer running the Synchronization Service, start Group Policy Object Editor, and then connect to the Local Computer Policy Group Policy object.
2. In the Group Policy Object Editor console, expand the Local Computer Policy node, expand the Computer Configuration node, and select Administrative Templates.
3. On the Action menu, point to All Tasks, and click Add/Remove Templates.
4. In the Add/Remove Templates dialog box, click Add, and then use the Policy Templates dialog box to open the SyncService.adm file that holds the Administrative Template.
   By default, the SyncService.adm file is stored in <Active Roles installation folder>\SyncService\Administrative Templates.
5. Under Computer Configuration\Administrative Templates\Active Roles, select Sync Service Settings, and then in the details pane, configure the appropriate group policy settings.
   The names of group policy settings correspond to the names of the Synchronization Service parameters provided in Table 126 above.
6. For the changes to take effect, refresh the Group Policy settings by running the following command at a command prompt: gpupdate /force
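As an added example (not part of this guide or of the product), the following PowerShell lists what has been published in the container that Table 125 names as the default lookup location for Capture Agent, and flags any connection point that has not been refreshed within the update period from Table 126. It assumes the ActiveDirectory module (RSAT) is installed and the account can read CN=System; because the guide does not document the object class of a connection point, the script lists every object in the container rather than filtering by class.

```powershell
# Added example, not from the Active Roles guide. Requires the ActiveDirectory
# module (RSAT) and read access to the CN=System container of the domain.
Import-Module ActiveDirectory -ErrorAction Stop

function Get-SyncServiceConnectionPoint {
    param(
        # Value of the "Synchronization Service connection point update period"
        # setting; the guide's default is 60 minutes.
        [int]$UpdatePeriodMinutes = 60,
        # Distinguished name of the domain; defaults to the current domain.
        [string]$DomainDN = (Get-ADDomain).DistinguishedName
    )
    # Container the guide names as the default lookup location for Capture Agent.
    $container = "CN=Active Roles Sync Service,CN=One Identity,CN=System,$DomainDN"

    try {
        # -Filter * : the object class of a connection point is not documented
        # here, so every child object of the container is returned.
        $points = Get-ADObject -SearchBase $container -SearchScope OneLevel -Filter * `
            -Properties whenChanged -ErrorAction Stop
    }
    catch {
        # Typically the container does not exist yet: no Synchronization Service
        # instance has published a connection point in this domain, so a Capture
        # Agent left at its defaults (no Connection Point 1..7 set) finds nothing.
        Write-Warning "Could not read $container : $($_.Exception.Message)"
        return
    }

    # Allow one missed refresh before calling a connection point stale.
    $staleBefore = (Get-Date).AddMinutes(-2 * $UpdatePeriodMinutes)

    foreach ($point in $points) {
        [pscustomobject]@{
            Name        = $point.Name
            ObjectClass = $point.ObjectClass
            LastRefresh = $point.whenChanged
            Stale       = ($point.whenChanged -lt $staleBefore)
        }
    }
}

Get-SyncServiceConnectionPoint | Format-Table -AutoSize
```

A row marked Stale means the owning Synchronization Service instance has missed at least two update periods, which is worth checking before Capture Agents start retrying for the full "Maximum duration of a connection attempt" from Table 125.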

Specifying a custom certificate for encrypting password sync traffic
By default, Synchronization Service uses a built-in certificate to encrypt password sync traffic between the Capture Agent and the Synchronization Service. If necessary, you can use a custom certificate for this purpose.
NOTE:

• SSL certificates signed with the MD5 algorithm are not supported.
• Backward compatibility for Quick Connect v5.5 with Active Roles Synchronization Service Capture Agent v8.0 LTS can be achieved through a custom certificate signed with a SHA algorithm.

This section illustrates how to use a custom certificate for encrypting the password synchronization traffic in Windows Server (2016 or later).
Complete the following steps:

• Step 1: Obtain and install a certificate
• Step 2: Export custom certificate to a file
• Step 3: Import certificate into certificates store
• Step 4: Copy certificate’s thumbprint
• Step 5: Provide certificate’s thumbprint to Capture Agent
• Step 6: Provide certificate’s thumbprint to Synchronization Service

Step 1: Obtain and install a certificate

To obtain and install a certificate, you have to make a certificate request. There are two methods to request a certificate in Windows Server (2016 or later):

• Request certificates using the Certificate Request Wizard. To request certificates from a Windows Server enterprise certification authority, you can use the Certificate Request Wizard.
• Request certificates using the Windows Server Certificate Services Web interface. Each certification authority that is installed on a computer running Windows Server has a Web interface that allows the users to submit certificate requests. By default, the Web interface is accessible at http://servername/certsrv, where servername refers to the name of the computer running Windows Server.

This section provides steps to request certificates using the Windows Server Certificate Services Web interface. For detailed information about the Certificate Request Wizard, refer to the documentation on Certification Authority.

To request a certificate using the Windows Server Certificate Services Web interface

1. Use a Web browser to open http://servername/certsrv, where servername refers to the name of the Web server running Windows Server where the certification authority that you want to access is located.
2. On the Welcome Web page, click Request a certificate.
3. On the Request a Certificate Web page, click advanced certificate request.
4. On the Advanced Certificate Request Web page, click Create and submit a certificate request to this CA.
5. On the Web page that opens, do the following:
   • Select the Store certificate in the local computer certificate store check box.
   • Under Additional Options, select the PKCS10 option, and in the Friendly Name text box, specify a name for your certificate (such as My QC Certificate).
   Keep default values for all other options.
6. Click Submit.
7. On the Certificate Issued Web page, click Install this certificate.

After you install the certificate, it becomes available in the Certificates snap-in, in the Personal\Certificates store.

Step 2: Export custom certificate to a file

In this step, you export the issued certificate to a file. You will need the file to install the certificate on each domain controller running Capture Agent and on each computer running Synchronization Service.

To export the certificate

1. On the computer where you installed the certificate in step 1, open the Certificates - Local Computer snap-in.
2. In the console tree, click the Personal\Certificates store.
3. In the details pane, click the issued certificate you want to export.
4. On the Action menu, point to All Tasks, and then click Export.
5. Step through the wizard.
6. On the Export Private Key page, select Yes, export the private key, and then click Next.
   This option is available only if the private key is marked as exportable and you have access to the private key.
7. On the Export File Format page, do the following, and then click Next:
   • To include all certificates in the certification path, select the Include all certificates in the certification path if possible check box.
   • To enable strong protection, select the Enable strong protection (requires IE 5.0, NT 4.0 SP4 or above) check box.
8. On the Password page, use the Password text box to type a password to encrypt the private key you are exporting. In Confirm password, type the same password again, and then click Next.
9. On the File to Export page, use the File name text box to specify the PKCS #12 file to which you want to export the certificate along with the private key, and click Next.
10. On the Completion page, review the specified settings and click Finish to create the file and close the wizard.

Step 3: Import certificate into certificates store

In this step, you import the certificate to the Personal\Certificates certificate store by using the Certificates snap-in. You must complete this step on each domain controller running Capture Agent and on each computer running Synchronization Service that will participate in the password synchronization.

To import the certificate

1. Open the Certificates - Local Computer snap-in.
2. In the console tree, click the Personal\Certificates logical store.
3. On the Action menu, point to All Tasks and then click Import.
4. Step through the wizard.
5. On the File to Import page, in File name, type the name of the file containing the certificate to be imported, or click Browse to locate and select the file. When finished, click Next.
6. On the Password page, type the password used to encrypt the private key, and then click Next.
7. On the Certificate Store page, ensure that the Place all certificates in the following store option is selected and the Certificate store text box displays Personal, and then click Next.
8. On the Completion page, review the specified settings and click Finish to import the certificate and close the wizard.

Step 4: Copy certificate’s thumbprint

In this step, you copy the thumbprint of your custom certificate. In the next steps, you will need to provide the thumbprint to Capture Agent and Synchronization Service.

To copy the thumbprint of your custom certificate

1. Open the Certificates - Local Computer snap-in.
2. In the console tree, click the Personal store to expand it.
3. Click the Certificates store to expand it.
4. In the details pane, double-click the certificate.
5. In the Certificate dialog box, click the Details tab, and scroll through the list of fields to select Thumbprint.
6. Copy the hexadecimal value of Thumbprint to the Clipboard.

You will need the copied thumbprint value to configure the Capture Agent and Synchronization Service.
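The following PowerShell is an added example (not part of this guide or of the product) that performs Steps 2 to 4 above from the command line: it finds the certificate from Step 1 by its friendly name, checks the two properties the guide depends on (a private key and a signature algorithm other than MD5), exports it to a password-protected PKCS #12 file, imports it on the Capture Agent and Synchronization Service hosts, and returns a thumbprint value that is safe to paste into the policy setting. It assumes the PKI module (Windows Server 2012 R2 or later) and an elevated session; the function names, the file path and the friendly name "My QC Certificate" (taken from Step 1) are assumptions.

```powershell
# Added example, not from the Active Roles guide. Requires the PKI module
# (Windows Server 2012 R2 or later) and an elevated session.
Import-Module PKI -ErrorAction Stop

function Get-PasswordSyncCertificate {
    # Finds the certificate issued in Step 1 by its friendly name and checks the
    # two properties the guide depends on: a private key and a non-MD5 signature.
    param([string]$FriendlyName = 'My QC Certificate')

    $certs = @(Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.FriendlyName -eq $FriendlyName })
    if ($certs.Count -eq 0) {
        throw "No certificate with friendly name '$FriendlyName' in LocalMachine\My."
    }
    if ($certs.Count -gt 1) {
        throw "Several certificates are named '$FriendlyName'; select one by thumbprint."
    }
    $cert = $certs[0]
    if ($cert.SignatureAlgorithm.FriendlyName -match 'md5') {
        throw "Certificate is signed with $($cert.SignatureAlgorithm.FriendlyName); MD5 is not supported."
    }
    if (-not $cert.HasPrivateKey) {
        throw 'Certificate has no private key, so it cannot be exported for the Capture Agent hosts.'
    }
    return $cert
}

function Export-PasswordSyncCertificate {
    # Step 2: export certificate, chain and private key to a password-protected PKCS #12 file.
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][securestring]$Password
    )
    Export-PfxCertificate -Cert $Certificate -FilePath $PfxPath -Password $Password `
        -ChainOption BuildChain | Out-Null
    return $PfxPath
}

function Import-PasswordSyncCertificate {
    # Step 3: run on each domain controller hosting Capture Agent and on each
    # Synchronization Service host. The key is imported non-exportable; it does
    # not need to leave these machines again.
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][securestring]$Password
    )
    Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My `
        -Password $Password
}

function Test-PolicyThumbprint {
    # Step 4: normalise a thumbprint copied from the Details tab and confirm the
    # certificate is present locally. The dialog shows the value with spaces and,
    # on some Windows versions, a leading invisible left-to-right mark (U+200E);
    # either makes the pasted policy value fail to match the installed certificate.
    param([Parameter(Mandatory)][string]$PastedThumbprint)

    $clean = ($PastedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) {
        throw "Expected a 40-character SHA-1 thumbprint, got $($clean.Length) hex characters."
    }
    $match = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $clean }
    if (-not $match) {
        throw "No certificate with thumbprint $clean in LocalMachine\My on $env:COMPUTERNAME."
    }
    return $clean
}

# Usage on the host where the certificate was issued (Step 1):
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password for the exported PFX'
$cert = Get-PasswordSyncCertificate
Export-PasswordSyncCertificate -Certificate $cert -PfxPath "$env:TEMP\passwordsync.pfx" -Password $pfxPassword
# Value to paste into the "Certificate to encrypt Capture Agent traffic" policy setting (Steps 5 and 6):
Test-PolicyThumbprint -PastedThumbprint $cert.Thumbprint
# On every Capture Agent and Synchronization Service host, after copying the file there:
# Import-PasswordSyncCertificate -PfxPath 'C:\path\passwordsync.pfx' -Password $pfxPassword
```

Run Test-PolicyThumbprint on each host after the import as well, so a mismatch between the thumbprint in the policy and the certificate actually installed is caught before password sync traffic fails to decrypt.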

Step 5: Provide certificate’s thumbprint to Capture Agent
This step assumes that:

• The same Group Policy object is linked to each OU holding the domain controllers on which the Capture Agent is installed. For more information on how to create and link a Group Policy object, see the documentation for your version of Windows.
• The SyncServiceCaptureAgent.adm administrative template file is linked to that Group Policy object.

For instructions on how to add an administrative template file to a Group Policy object, see Step 2: Add administrative template to Group Policy object.

To provide the thumbprint to Capture Agent

On any computer joined to the domain where Capture Agent is installed, open Group Policy Object Editor, and connect to the Group Policy object to which you added the Administrative Template in Step 2: Add administrative template to Group Policy object.

1. In the Group Policy Object Editor console, expand the Group Policy object, and then expand the Computer Configuration node.
2. Expand the Administrative Templates\Active Roles node to select Sync Service Capture Agent Settings.
3. In the details pane, double-click Certificate to encrypt Capture Agent traffic.
4. Select the Enabled option, and then paste the certificate’s thumbprint (the one you copied in Step 4: Copy certificate’s thumbprint) in the Thumbprint text box. When finished, click OK.
5. For the changes to take effect, refresh the Group Policy settings by running the following command at a command prompt: gpupdate /force

Step 6: Provide certificate’s thumbprint to Synchronization Service
Perform the next steps on each computer running the Synchronization Service that participates in the password sync operations.

To provide the thumbprint to Synchronization Service

1. On the computer running the Synchronization Service, start Group Policy Object Editor, and then connect to the Local Computer Policy Group Policy object.
2. In the Group Policy Object Editor console, expand the Local Computer Policy node, expand the Computer Configuration node, and select Administrative Templates.
3. On the Action menu, point to All Tasks, and click Add/Remove Templates.
4. In the Add/Remove Templates dialog box, click Add, and then use the Policy Templates dialog box to open the SyncService.adm file that holds the Administrative Template.
5. By default, the SyncService.adm file is stored in <Active Roles installation folder>\SyncServiceCaptureAgent\Administrative Templates.
6. Under Computer Configuration\Administrative Templates\Active Roles, select Sync Service Settings.
7. In the details pane, double-click Certificate to encrypt Capture Agent traffic.
8. Select the Enabled option, and then paste the certificate’s thumbprint (the one you copied in Step 4: Copy certificate’s thumbprint) in the Thumbprint text box. When finished, click OK.
9. For the changes to take effect, refresh the Group Policy settings by running the following command at a command prompt: gpupdate /force

Using PowerShell scripts with password synchronization
Optionally, you can configure the Synchronization Service to run your custom PowerShell script before, after, or instead of the password synchronization operation. To do so, create a connection handler. For instructions, see Using connection handlers.

Example of a PowerShell script run after password synchronization

# ---- Specify the SMTP server name in your organization ----
$SmtpServer = "smtpServerName"
$smtp = New-Object System.Net.Mail.SmtpClient($SmtpServer)
$mail = New-Object System.Net.Mail.MailMessage
# ---- Set the sender address (replace the placeholder with a real mailbox) ----
$mail.From = "[email protected]"
# ---- Set the destination address (replace the placeholder with a real mailbox) ----
$mail.To.Add("[email protected]")
# ---- Specify the message subject ----
$mail.Subject = "Password was changed"
# ---- Set the message text ----
# $srcObj and $dstObj are provided by Synchronization Service when the handler
# runs: the source Active Directory object and its counterpart in the target
# connected system. Only the object names are sent; the password itself is not.
$body = "The passwords were synchronized for the following object pair: "
$body = $body + $srcObj.Name + "->" + $dstObj.Name
$mail.Body = $body
# ---- Send mail ----
$smtp.Send($mail)

Description: After the password synchronization is complete, this script sends a notification email message informing the administrator that the specified object password has been modified in the target connected system. The message provides the names of the source Active Directory object and its counterpart in the target connected system.
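As an added example (not part of this guide or of the product), the following connection handler script records each completed password synchronization in the Windows Application event log instead of sending mail, so the events reach whatever already collects event logs from the Synchronization Service host. It uses the same $srcObj and $dstObj variables as the guide's own example; the event source name, the event ID and the function name are assumptions.

```powershell
# Added example, not from the Active Roles guide. Runs as a connection handler
# after password synchronization, like the mail example above.
$eventSource = 'Active Roles Password Sync'   # assumed name; registered on first use
$eventId     = 4001                           # assumed ID; choose one unused in your environment

function Write-PasswordSyncEvent {
    param(
        [Parameter(Mandatory)][string]$SourceName,
        [Parameter(Mandatory)][string]$TargetName
    )
    # Only object names are logged; the synchronized password is never written
    # anywhere by this script.
    $message = "Password synchronized for object pair: $SourceName -> $TargetName"

    if (-not [System.Diagnostics.EventLog]::SourceExists($eventSource)) {
        # Registering an event source needs local administrator rights. Either
        # the account the Synchronization Service runs under has them, or the
        # source is created once beforehand by an administrator.
        New-EventLog -LogName Application -Source $eventSource
    }
    Write-EventLog -LogName Application -Source $eventSource -EntryType Information `
        -EventId $eventId -Message $message
    return $message
}

try {
    # $srcObj and $dstObj are supplied by Synchronization Service to the handler.
    Write-PasswordSyncEvent -SourceName $srcObj.Name -TargetName $dstObj.Name | Out-Null
}
catch {
    # A logging failure must not fail the password synchronization itself.
    Write-Warning "Could not write password sync event: $($_.Exception.Message)"
}
```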

8 Synchronization history

• About synchronization history
• Viewing sync workflow history
• Viewing mapping history
• Searching synchronization history
• Cleaning up synchronization history

About synchronization history

Synchronization Service Administration Console provides the Synchronization History feature that allows you to view the details of completed sync workflow runs, password sync rule runs, and map and unmap operations.
The synchronization history also helps you troubleshoot synchronization issues by providing information on the errors that were encountered during sync workflow runs, password sync rule runs, or map and unmap operations.
You can also selectively clean up entries from the synchronization history.
To access the synchronization history, use the Sync History tab in the Synchronization Service Administration Console.
In this chapter:

• Viewing sync workflow history
• Viewing mapping history
• Searching synchronization history
• Cleaning up synchronization history

Viewing sync workflow history
You can use the Sync History tab in the Synchronization Service Administration Console to view a list of completed sync workflow runs. This list provides such information as the names of completed sync workflows, the dates when each sync workflow run started and completed, and which Synchronization Service instance was used to run each sync workflow.
You can click a sync workflow run entry in the list to view detailed information about the sync workflow steps that were run, objects that participated in that run, and errors encountered during the run, if any.

To view the details of a completed sync workflow run

1. In the Synchronization Service Administration Console, open the Sync History tab.
2. Click Sync Workflow History.
3. If you want to filter the list of completed sync workflows, use the following elements:
   • Show items completed. Use this element to specify the time period when the sync workflows you want to view completed.
   • Maximum number of items to show. Specify the maximum number of completed sync workflows you want to view.
   You can sort the list of completed sync workflows by clicking the column titles in the list. Also you can filter the list of completed sync workflows by typing keywords in the text boxes provided below the column titles.
4. To view detailed information about a list entry, select that list entry, and then click the Details button.
   The details provided for each list entry look similar to the following:

Figure 15: Synchronization Service details

   To view detailed information about the objects that belong to a certain object category, click the number displayed next to the object category name in the Source or Target column.
   To view detailed information about encountered errors, click the link displaying the number of errors.

Viewing mapping history

You can use the Sync History tab in the Synchronization Service Administration Console to view the detailed information about a particular completed map or unmap operation. By doing so, you can view a list of attributes for each object that participated in the map or unmap operation.

To view the details of a mapped pair of objects

1. In the Synchronization Service Administration Console, open the Sync History tab.
2. Click Mapping History.
3. If you want to filter the list of completed map and unmap operations, use the following elements:
   • Show items completed. Specify a time period when the map and unmap operations you want to view completed.
   • Maximum number of items to show. Specify the maximum number of completed map and unmap operations you want to view.
   You can sort the list of map and unmap operations by clicking the column titles. Also you can filter the list of map and unmap operations by typing keywords in the text boxes provided below the column titles.
4. To view detailed information about a list entry, select that list entry, and then click the Details button.

Searching synchronization history

You can use the Sync History tab in the Synchronization Service Administration Console to search for completed creation, deprovision, update, and sync passwords operations in the synchronization history. You can search by such criteria as the target connected system on which the operation was run, the type of object that participated in the operation, and the period during which the operation completed.

To search the synchronization history for completed operations

1. In the Synchronization Service Administration Console, open the Sync History tab.
2. Click Search.
3. Use the following options to specify your search criteria:
   • Target connection. Select the connected system for which you want to search for completed creation, deprovision, update, and sync passwords operations.
   • Object type. Select the object type for which you want to search for completed creation, deprovision, update, and sync passwords operations.
   • Show items completed. Specify the time period during which the operation you want to search for completed.
   • Maximum number of items to show. Specify the maximum number of completed creation, deprovision, update, and sync passwords operations you want to view in the list.
   You can sort the search results by clicking the column titles in the search results list. Also you can filter the search results by typing keywords in the text boxes provided below the column titles.
4. To view detailed information about an entry in the search results list, select that entry, and then click the Details button.

Cleaning up synchronization history

You can selectively delete entries from the sync workflow history and object mapping history. To delete entries, you can either run the cleanup operation once or you can create a recurring schedule to run the cleanup operation on a regular basis.

To run the cleanup operation once

1. In the Synchronization Service Administration Console, open the Sync History tab.
2. Click Clean up now.
3. Specify what entries you want to delete.
4. Click OK to delete the entries from the synchronization history.

To create a recurring schedule for the cleanup operation

1. In the Synchronization Service Administration Console, open the Sync History tab.
2. Click Schedule cleanup.
3. In the dialog box that opens, select the Schedule the task to run check box, and then specify a schedule for the cleanup operation.
4. If several Synchronization Service instances are deployed in your environment, under Run the task on, select the computer that hosts the instance you want to use for running the cleanup operation.
5. Click OK to activate the schedule.

To disable a scheduled cleanup operation

1. In the Synchronization Service Administration Console, open the Sync History tab.
2. Click Schedule cleanup.
3. In the dialog box that opens, clear the Schedule the task to run check box, and then click OK.

9 Scenarios of use

• About scenarios
• Scenario 1: Create users from a .csv file to an Active Directory domain
• Scenario 2: Use a .csv file to update user accounts in an Active Directory domain
• Scenario 3: Synchronizing data between One Identity Manager Custom Target Systems and an Active Directory domain
• Scenario 4: Deprovisioning between One Identity Manager Custom Target Systems and an Active Directory domain
• Scenario 5: Provisioning of Groups between One Identity Manager Custom Target Systems and an Active Directory domain
• Scenario 6: Enabling Delta Sync mode between One Identity Manager Custom Target Systems and an Active Directory domain

About scenarios
This section provides some use case scenarios that help you familiarize yourself with Synchronization Service. The scenarios illustrate how to create and run sync workflows and their steps to update and create user information from a Human Resources database represented by a delimited text file to an Active Directory domain.
The scenarios are:
Scenario 1: Create users from a .csv file to an Active Directory domain. In this scenario, Synchronization Service creates user accounts in individual Organizational Units of an Active Directory domain from a Comma Separated Values (.csv) file that holds a Human Resources (HR) database, depending on the city where each user is based.
Scenario 2: Use a .csv file to update user accounts in an Active Directory domain. In this scenario, Synchronization Service updates user accounts in an Active Directory domain based on the changes made to the Human Resources (HR) database saved in a Comma Separated Values (.csv) file.
Scenario 3: Synchronizing data between One Identity Manager Custom Target Systems and an Active Directory domain. In this scenario, Quick Connect updates data in One Identity Manager based on the changes made in the Active Directory domain.
Scenario 4: Deprovisioning between One Identity Manager Custom Target Systems and an Active Directory domain. In this scenario, Quick Connect deprovisions synchronized objects in One Identity Manager that were processed from the Active Directory domain.
Scenario 5: Provisioning of Groups between One Identity Manager Custom Target Systems and an Active Directory domain. In this scenario, Quick Connect provisions group objects to be synchronized to One Identity Manager from the Active Directory domain.
Scenario 6: Enabling Delta Sync mode between One Identity Manager Custom Target Systems and an Active Directory domain. In this scenario, Quick Connect updates data in One Identity Manager based on the changes made in the Active Directory domain, in delta sync mode.
Before you proceed with these sample scenarios, perform the following steps:

• Make sure you have properly configured the connection to the target Active Directory domain in the Synchronization Service Administration Console.
• Create the Employees Organizational Unit (OU) at the root of the target Active Directory domain.
• In the Employees OU, create the following OUs:
   • New York
   • Tokyo
   • Amsterdam
   • OtherCities

Scenario 1: Create users from a .csv file


to an Active Directory domain
The following scenario demonstrates how to create user accounts from a Human Resources
(HR) database in an Active Directory domain. The HR database is represented by a sample
Comma Separated Values (.csv) file. Depending on the user's city, accounts will be created
in one of the following OUs:

• Employees\New York
• Employees\Tokyo
• Employees\Amsterdam
• Employees\OtherCities

This scenario includes the following steps:

• Step 1: Create a sync workflow
• Step 2: Add a creating step
• Step 3: Run the configured creating step
• Step 4: Commit changes to Active Directory

Step 1: Create a sync workflow
To create a new sync workflow

1. Start the Synchronization Service Administration Console.
2. Open the Sync Workflows tab, and then click Add sync workflow.
3. Type a descriptive name for the sync workflow being created, and then click OK to
create the sync workflow.

Step 2: Add a creating step

This section provides instructions on how to:

• Connect Synchronization Service to the source Comma Separated Values (.csv) file
and target Active Directory domain.
• Add a new creating step and configure its settings, for example, specify the object
attributes to create.
• Develop a Windows PowerShell script that returns the name of an Active Directory
container for created user accounts.
• Preview a list of user accounts to be created.

To add a creating step

1. In the Synchronization Service Administration Console, open the Sync Workflows
tab, and then click the sync workflow you created in Step 1: Create a sync workflow.
2. Click Add synchronization step.
3. On the Select an action page, select Creation, and then click Next.
4. On the Specify source and criteria page, click Specify, click Add new
connected system, and then step through the wizard to add the sample Comma
Separated Values (.csv) file as a connected system:
a. Use the Connection name box to type a descriptive name for the connection
being created.
b. In the Use the specified connector list, select Delimited Text File
Connector. Click Next.
c. Click Browse to locate and select the sample Comma Separated Values (.csv)
file supplied with Synchronization Service. This file is located in the folder
<Synchronization Service installation folder>\Samples.
d. Step through the wizard until you are on the Specify attributes to identify
objects page.
e. In the Available attributes list, select Employee ID, click Add, and then
click Finish.
5. Click Next.

6. On the Specify target page, click Specify, and then step through the wizard to add
the target Active Directory domain as a connected system:
a. Use the Connection name box to type a descriptive name for the connection
being created.
b. In the Use the specified connector list, select Active Directory
Connector. Click Next.
c. Use the Domain name box to type the FQDN name of the target Active
Directory domain. If necessary, adjust other connection settings on this page
as appropriate. Click Finish.
7. Click the down arrow on the button provided next to the Target container option.
8. In the provided list, click PowerShell Script.
9. Insert the following script sample into the dialog box, and then click OK:

    # City of the source (.csv) object decides the target OU
    $userCity = $srcObj["City"]
    switch ($userCity)
    {
        "New York"  {$container = "OU=New York,OU=Employees,DC=mycompany,DC=com"; break}
        "Amsterdam" {$container = "OU=Amsterdam,OU=Employees,DC=mycompany,DC=com"; break}
        "Tokyo"     {$container = "OU=Tokyo,OU=Employees,DC=mycompany,DC=com"; break}
        default     {$container = "OU=OtherCities,OU=Employees,DC=mycompany,DC=com"; break}
    }
    # The last expression is the value returned to Synchronization Service
    $container

NOTE: Before using the script, change the "DC=mycompany,DC=com" string as
appropriate to reflect your environment. For example, if you have created the
Employees OU in the testlab.ttt domain, use the following string:
"DC=testlab,DC=ttt"

10. Click the down arrow on the leftmost button provided below the Rules to generate
unique object name list.
11. In the provided list, click Attribute.
12. Select Logon Name, and then click OK. Click Next.
13. Expand Initial Attribute Population Rules, and then create forward sync rules to
synchronize the following pairs of attributes:

Table 127: Initial attribute population rules

CSV file attribute   Synchronization direction   Active Directory attribute
Logon Name           =>                          Logon Name (Pre-Windows 2000)
First Name           =>                          First Name
Last Name            =>                          Last Name
City                 =>                          City

For information on how to create rules, see Modifying attribute values by using rules.

14. Expand Initial Password, click Text, and type a password in the Set Password
dialog box. Click OK.
15. Optionally, you can expand User Account Options to modify the default options to
create new user accounts.
16. Click Finish to close the wizard.
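As an added example (not from the One Identity guide), the following PowerShell script reproduces the city-to-OU decision of the script in item 9 and previews, offline, the accounts the creating step would produce from a .csv file, flagging rows with no Employee ID (the identification attribute chosen in item 4e) or a duplicate Logon Name (the unique-name rule chosen in item 12). It assumes the column names listed in Table 127 plus Employee ID and the DC=mycompany,DC=com domain used by the guide's script; the sample rows are constructed and stand in for the sample file in the Samples folder.

```powershell
# Added example, not part of the Synchronization Service product or guide.
# Assumptions: .csv columns Employee ID, Logon Name, First Name, Last Name, City;
# domain DC=mycompany,DC=com (replace with your own, for example DC=testlab,DC=ttt).

$DomainDn = 'DC=mycompany,DC=com'

# Same city -> OU decision as the guide's script, but the City value is trimmed and
# matched case-insensitively so that "new york" or " Tokyo" is not silently routed to
# OtherCities. Any other value, including an empty City, falls back to OtherCities.
$CityToOu = @{
    'new york'  = 'OU=New York,OU=Employees'
    'tokyo'     = 'OU=Tokyo,OU=Employees'
    'amsterdam' = 'OU=Amsterdam,OU=Employees'
}

function Get-TargetContainer {
    param([string]$City)   # $null becomes '' through the [string] cast
    $key = $City.Trim().ToLowerInvariant()
    $ou = if ($CityToOu.ContainsKey($key)) { $CityToOu[$key] } else { 'OU=OtherCities,OU=Employees' }
    return "$ou,$DomainDn"
}

function Get-CreationPreview {
    param([Parameter(Mandatory)][object[]]$Rows)
    $preview = foreach ($row in $Rows) {
        [pscustomobject]@{
            'Employee ID' = $row.'Employee ID'
            'Logon Name'  = $row.'Logon Name'
            Container     = Get-TargetContainer -City $row.City
            Issues        = @()
        }
    }
    # Employee ID identifies the object (item 4e): without it the row cannot be matched
    # on later runs, and Scenario 2 updates only accounts that were created here.
    foreach ($p in $preview) {
        if ([string]::IsNullOrWhiteSpace($p.'Employee ID')) { $p.Issues += 'missing Employee ID' }
    }
    # Logon Name generates the unique object name (item 12), so duplicates in the
    # source file collide in the target domain.
    $preview | Group-Object 'Logon Name' | Where-Object { $_.Count -gt 1 } | ForEach-Object {
        foreach ($p in $_.Group) { $p.Issues += 'duplicate Logon Name' }
    }
    return $preview
}

# Constructed sample rows standing in for the HR .csv file.
$SampleCsv = @'
Employee ID,Logon Name,First Name,Last Name,City
1001,jsmith,John,Smith,New York
1002,akowalski,Anna,Kowalski,amsterdam
1003,tsato,Taro,Sato," Tokyo"
,lmueller,Lena,Mueller,Berlin
1005,jsmith,Jane,Smith,Oslo
'@

$rows = $SampleCsv | ConvertFrom-Csv
# For the real file use:
# $rows = Import-Csv -Path '<Synchronization Service installation folder>\Samples\<sample file>.csv'
Get-CreationPreview -Rows $rows |
    Select-Object 'Employee ID', 'Logon Name', Container, @{ n = 'Issues'; e = { $_.Issues -join '; ' } } |
    Format-Table -AutoSize
```

Rows with a non-empty Issues column are worth correcting in the HR file before Step 3 is run, because the report shown after the run only lists objects to be created and does not explain why a row was skipped or landed in OtherCities.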

Step 3: Run the configured creating step

To run the creating step

1. On the Sync Workflows tab, click Run now.
2. In the Select sync workflow steps to run dialog box, select the check box next to
the step you created, and then click Full Run to run the step.
After the synchronization step run completes, the Synchronization Service
Administration Console displays a report that provides information about the objects
that participated in the creating step. At this stage, the application does not commit
changes to the target Active Directory domain.

TIP: To view a list of user accounts to be created in the Employees OU, click the
number next to Objects to be created.

Step 4: Commit changes to Active Directory

• Click Commit.

TIP: You can use the Active Directory Users and Computers tool to ensure that
Synchronization Service has created user accounts in the Employees OU. The New
York, Tokyo, Amsterdam, and OtherCities OUs may include some disabled user
accounts created by Synchronization Service.

Scenario 2: Use a .csv file to update user accounts in an Active Directory domain
This scenario demonstrates how to update user accounts in an Active Directory domain
when the information on employees is changed in the Human Resources (HR) database held
in a Comma Separated Values (.csv) file.
NOTE: This scenario can be used only if the Employees OU already contains user
accounts created with the creating scenario described earlier in this document. Only
accounts for previously created employees will be updated.
This scenario has the following steps:

• Step 1: Create an updating step
• Step 2: Run the created updating step
• Step 3: Commit changes to Active Directory

Step 1: Create an updating step

This section explains how to create a step that updates user accounts from the HR database
to the target Active Directory domain.

To add an updating step to your existing sync workflow

1. In the Synchronization Service Administration Console, open the Sync
Workflows tab, and then click the sync workflow you have created in Step 1:
Create a sync workflow.
2. Click Add synchronization step.
3. On the Select an action page, select Update, and then click Next.
4. On the Specify source and criteria page, do the following:
a. Click Specify, click Select existing connected system, and then select the
Comma Separated Values (.csv) file you connected in Scenario 1: Create users
from a .csv file to an Active Directory domain. Click Finish.
b. Make sure that the object type specified in the Source object type box is
csv-Object.
5. Click Next.
6. On the Specify target page, do the following:
a. Click Specify, and then select the Active Directory domain you connected in
Scenario 1: Create users from a .csv file to an Active Directory domain.

b. Make sure that the object type specified in the Target object type box is
User (user).
7. Click Next.
8. Expand Rules to Modify Object Attributes, and then create forward sync rules to
synchronize the following pairs of attributes:

Table 128: Rules to modify object attributes

CSV file attribute   Synchronization direction   Active Directory attribute
City                 =>                          City
Department           =>                          Department
First Name           =>                          First Name
Last Name            =>                          Last Name
Telephone Number     =>                          Telephone Number

For information on how to create rules, see Modifying attribute values by using rules.

9. Click Finish.

Step 2: Run the created updating step

To run the updating step

1. On the Sync Workflows tab, click Run now.
2. In the Select sync workflow steps to run dialog box, select the check box next to
the step you created, and then click OK to run the step.
After the synchronization step run completes, the Synchronization Service
Administration Console displays a report that provides information about the objects
that participated in the updating step. At this stage, the application does not commit
changes to the target Active Directory domain.

TIP: To view a list of user accounts to be updated in the Employees OU, in the update
report, click the number next to Objects to be updated.

Step 3: Commit changes to Active Directory

To commit changes to the target Active Directory domain

• Click Commit.

Scenario 3: Synchronizing data between One Identity Manager Custom Target Systems and an Active Directory domain
Out of the box, Synchronization Service includes the One Identity Manager connector,
which allows you to access One Identity Manager. In this scenario, the basic purpose of
the Quick Connect One Identity Manager connector is to serve target systems for which
no native One Identity Manager connector exists.
Administrators can create or configure multiple Custom Target Systems in One Identity
Manager. Each Target System has entities such as User Accounts, Groups, Container
Structure, and so on.
NOTE: One Identity Manager does not have any specific table space for target systems
that do not have a native One Identity Manager connector. The synchronized data is
placed in the One Identity Manager tablespace in tables whose names start with UNS and
end with B, referred to as UNS..B tables.
The following scenario shows how to use the Quick Connect One Identity Manager
Connector to synchronize data between One Identity Manager Custom Target Systems and
an Active Directory domain.
This scenario includes the following steps:

• Step 1: Create connection to One Identity Manager
• Step 2: Configure One Identity Manager modules, Custom Target System and
Container Information
• Step 3: Create Workflow for Provisioning
• Step 4: Create Provisioning
• Step 5: Specify the synchronization rules
• Step 6: Execute Workflow
• Step 7: Commit changes to One Identity Manager
• Step 8: Verify on One Identity Manager

Step 1: Create connection to One Identity Manager
To create a new connection to One Identity Manager:

1. In the Synchronization Service Administration Console, open the Connections tab.
2. Click Add connection, and then use the following options:
• Connection name. Type a descriptive name for the connection.
• Use the specified connector. Select One Identity Manager Connector.
3. Click Next.
4. On the Specify connection settings page, use the following options:
• Application Server URL. Specify the address of the One Identity Manager
application server to which you want to connect.
• Authentication module. Identifies the One Identity Manager authentication
module to be used to verify the connection’s user ID and password.
• User name. Specify the user ID for this connection.
• Password. Specify the password of the user ID for this connection.
• Test Connection. Click to verify the specified connection settings.
5. Click Next.

Step 2: Configure One Identity Manager modules, Custom Target System and Container Information
NOTE: The One Identity Manager target systems and One Identity Manager containers
are applicable only for the Target System Base module.

To select the One Identity Manager modules, Target Systems, and Containers:

1. Select the required One Identity Manager modules.
2. Select Target System Base module to synchronize data to One Identity Manager
custom target systems (UNS..B tables). This enables you to select the target object
types such as UNSAccountB, UNSGroupB, and so on.
3. Select the required One Identity Manager target system, for example Azure.
4. Select the required One Identity Manager container, for example Test AD.
5. Click Finish to create a connection to One Identity Manager.

Step 3: Create Workflow for Provisioning
To create a workflow for provisioning data synchronization to One
Identity Manager:

1. Start the Synchronization Service Administration Console.
2. Open the Sync Workflows tab, and then click Add Sync workflow.
3. Type a descriptive name, for example AD to OneIM Sync, for the workflow being
created, and then click OK to create the workflow.

Step 4: Create Provisioning

To create a provisioning step:

1. In the Synchronization Service Administration Console, open the Sync Workflows
tab, and then click the workflow AD to OneIM Sync.
2. Click Add synchronization step.
3. On the Select an action dialog box, select Creation, and then click Next.
4. On the Specify source and criteria dialog box, click Specify, click Add new
connected system or Select existing connected system, and then step through
the wizard to add the Active Directory Test AD as a connected system.
5. Click Next.
6. On the Specify target dialog box, click Specify.
7. Click Add new connected system or Select existing connected system, and
then step through the wizard to add the target One Identity Manager domain as a
connected system.
8. Click Select, to add the required target object type.
9. On the Select Object Type dialog box, select the object type UNSAccountB from
the list of object types.
10. Click Ok.

Step 5: Specify the synchronization rules

To specify the synchronization rules:

1. In the Synchronization Service Administration Console, open the Workflows tab,
and then click the workflow AD to OneIM Sync.
2. Click the step Provision from Test AD to One Identity Manager Connection.
3. Click Provisioning Rules and then click Initial Attribute Population Rules.

4. Click Forward Sync Rule from the drop-down menu.
5. On the Forward Sync Rule dialog box, select the source attributes to be mapped to
the target attributes, and then click OK.
NOTE: For One Identity Manager workflows, the attribute configuration rule for CN
is mandatory; otherwise a constraint violation error is displayed and the workflow
execution does not succeed.

6. Click Save and Continue.

Step 6: Execute Workflow

To run the provisioning step:

1. On the Workflows tab, click Run now.
2. In the Select workflow steps to run dialog box, select the check box next to the
step you created, and then click Full Run to run the step.
After the synchronization step run completes, the Synchronization Service
Administration Console displays a report that provides information about the objects
that participated in the provisioning step. At this stage, the application does not
commit changes to the target One Identity Manager domain.

Step 7: Commit changes to One Identity Manager
To commit the changes to One Identity Manager:

• Click Commit.
A message All changes committed is displayed. The changes are committed from the
source Active Directory Test AD to the target One Identity Manager.

Step 8: Verify on One Identity Manager


To verify if the data is synchronized to One Identity Manager:
Open the One Identity Manager console and verify that all the users from the AD are
synchronized with One Identity Manager as per the provisioning rules that were set.

Scenario 4: Deprovisioning between One Identity Manager Custom Target Systems and an Active Directory domain
The Deprovisioning operation in data synchronization using Synchronization Service allows
you to modify or remove objects in the target data system after their counterparts have
been disconnected from the source data system. Synchronization Service can be configured
to remove target objects permanently or change them to a specific state. To specify the
objects that will participate in the deprovisioning operation, you can use object mapping rules.
This scenario describes how to create a deprovisioning step for a workflow to modify or
delete the synchronized objects in the target system based on the deprovisioning criteria
that are set.

To create a deprovisioning step:

1. In the Synchronization Service Administration Console, open the Sync Workflows
tab, and then click the workflow AD to OneIM Sync.
2. Click Add synchronization step.
3. On the Select an action dialog box, select Deprovision, and then click Next.
4. On the Specify source and criteria dialog box, click Specify, click Add new
connected system or Select existing connected system, and then step through
the wizard to add the Active Directory Test AD as a connected system.
5. Specify the deprovisioning criteria by selecting one of the following:
• Source object is deleted or out of synchronization scope
• Source object deprovisioning is initiated in connected system
• Source object meets these criteria: add the criteria for the source objects to
be deprovisioned in the target system
6. Click Next.
7. On the Specify target dialog box, click Specify.
8. Click Add new connected system or Select existing connected system, and
then step through the wizard to add the target One Identity Manager domain as a
connected system.
9. Click Select, to add the required target object type.
10. On the Select Object Type dialog box, select the object type UNSAccountB from
the list of object types and click Ok.
11. On the Specify deprovisioning action dialog box, select one of the following
actions to deprovision:
• Delete target objects
• Initiate the object deprovisioning in <target system>
• Modify target objects: click Forward Sync Rule and select the attributes to
modify on the target objects.
12. Click Next.
The Deprovisioning step with the rules for the specified deprovisioning action
is created.

Scenario 5: Provisioning of Groups between One Identity Manager Custom Target Systems and an Active Directory domain
Synchronization Service allows you to ensure that group membership information is in sync
in all connected data systems. For example, when provisioning a group object from an
Active Directory domain to One Identity Manager domain, you can configure rules to
synchronize the Member attribute from the source to the target domain.
This scenario describes how to create a provisioning step for a workflow to synchronize
group objects between the source and target systems.

To create a group provisioning step:

1. In the Synchronization Service Administration Console, open the Sync Workflows
tab, and then click the workflow AD to OneIM Sync.
2. Click Add synchronization step.
3. On the Select an action dialog box, select Creation, and then click Next.
4. On the Specify source and criteria dialog box, click Specify, click Add new
connected system or Select existing connected system, and then step through
the wizard to add the Active Directory Test AD as a connected system.
5. In Specify object type field, click Select and from the Select Object type list,
select Group and then click OK.
6. In the Provisioning Criteria section, click Add.
7. On the Select Container dialog box, from the containers list, select the required
container and click OK.
8. Click Next.
9. On the Specify target dialog box, click Specify.

10. Click Add new connected system or Select existing connected system, and
then step through the wizard to add the target One Identity Manager domain as a
connected system.
11. Click Select, to add the required target object type.
12. On the Select Object Type dialog box, select the object type UNSGroupB from the
list of object types.
13. Click Ok.
The Group provisioning step is created.

Scenario 6: Enabling Delta Sync mode between One Identity Manager Custom Target Systems and an Active Directory domain
The Delta processing mode of the Synchronization Service allows you to synchronize
identities between the source and the target systems for only the data that has changed in
the source and target connected systems since their last synchronization.
This scenario describes how to enable the delta processing mode between the source
(Active Directory domain) and target (One Identity Manager) systems.
To enable the delta processing mode:

1. Step 1: Create a sync workflow for provisioning data synchronization between the
source (Active Directory) and target (One Identity Manager) system.
2. Step 2: Add a creating step for the workflow to provision users from the source
system to target system.
3. Click on the synchronization step for provision of users.
4. In the General Options tab, specify the delta process mode:
a. Under Source Connected System select the option Process delta
from last run.
b. Under Target Connected System select the option Process delta
from last run.
5. Click Save and continue.
NOTE: Before any data has been processed from the source to the target
system, the initial synchronization of data is always performed in the Process
all delta mode.

6. Step 3: Run the configured creating step.
The data for the users added or updated in the source since the previous run is
displayed under Processed Objects.

Example of using the Generic SCIM Connector for data synchronization
Once you have configured a connection with the Generic SCIM Connector as described in
Configuring the Generic SCIM Connector for Starling Connect connections, you can
configure import-based data synchronization tasks to import data from the SCIM-based
SuccessFactors HR and ServiceNow connectors of Starling Connect to another target
system supported by Active Roles Synchronization Service.
Creating such a SCIM-based synchronization workflow has two main steps:

1. Mapping objects by configuring one or more mapping pairs and mapping rules.
By mapping objects, you can specify logic checks by which Active Roles
Synchronization Service can identify whether two data entries stored in two separate
databases are the same or not.
• With mapping pairs, you can establish a relationship between object types in
two connected systems.
• With mapping rules, you can define the conditions on how the objects specified
in the mapping pair will be mapped during synchronization.

Example: Mapping objects by user ID

You can use object mapping, for example, to identify the same data entries
between a SuccessFactors HR database (connected to Active Roles via a
Generic SCIM Connector connection) and an SQL server (connected to
Active Roles Synchronization Service via a Microsoft SQL Server
Connector).
To do so, you can set up a mapping that compares the User ID value of the
data entries in the two systems. If the data entries in the two systems share
the same User ID, Active Roles will consider them the same.

For more information on object mapping, see Mapping objects. For an example
mapping procedure using the Generic SCIM Connector, see Creating object
mapping between a SCIM connection and an SQL connection.
2. Setting up a synchronization workflow based on the configured object mapping, so
that you can automate creating, removing or deprovisioning specific data entries
between the connected systems.
For more information on synchronization workflows, see Getting started with identity
data synchronization. For an example workflow configuration procedure using the
Generic SCIM Connector, see Creating a synchronization workflow for
synchronizing data from a SCIM-based Starling Connect connector.

The following chapters provide an example of setting up a synchronization workflow
that imports data from a SuccessFactors HR database via a Generic SCIM Connector
connection and synchronizes that data to an SQL database.

Creating object mapping between a SCIM connection and an SQL connection
Once you have configured a connection with the Generic SCIM Connector as described in
Configuring the Generic SCIM Connector for Starling Connect connections, you can
configure import-based data synchronization tasks to import data from the SCIM-based
SuccessFactors HR and ServiceNow connectors of Starling Connect to another target
system supported by Active Roles Synchronization Service.
The first step of creating this synchronization is mapping objects between the SCIM-based
source system and a target system, so that Active Roles Synchronization Service can
detect identical data entries between the two systems for proper data synchronization.
By mapping objects, you can specify logic checks by which Active Roles
Synchronization Service can identify whether two data entries stored in two separate
databases are the same or not.

• With mapping pairs, you can establish a relationship between object types in two
connected systems.
• With mapping rules, you can define the conditions on how the objects specified in the
mapping pair will be mapped during synchronization.

The following example procedures show how to create a mapping pair and a mapping
rule between:

• A SuccessFactors HR database connected to Active Roles Synchronization Service
with the Generic SCIM Connector. The SuccessFactors HR database will be the
source system from which Active Roles Synchronization Service imports the data.
• An SQL database connected to Active Roles Synchronization Service with the
Microsoft SQL Server Connector. The SQL database will act as the target
system to which Active Roles Synchronization Service will synchronize the
SuccessFactors HR data.

Prerequisites

You can perform the following procedures only if Active Roles Synchronization Service
already contains the following working connectors:

• A Generic SCIM Connector connecting Active Roles Synchronization Service to the
Starling Connect SuccessFactors HR connector. To configure such a connection, see
Configuring the Generic SCIM Connector for Starling Connect connections. In this
example procedure, this connection is called SCIM Connection to SuccessFactors
HR.
• A Microsoft SQL Server Connector providing connection to the SQL server used in
this example. To configure such a connection, see Creating a Microsoft SQL Server
connection. In this example, this connection is called SQL Connection.

To configure a mapping pair between a SuccessFactors HR database and an SQL database

1. In the Active Roles Synchronization Service Console, navigate to Mapping, then
click the SCIM Connection to SuccessFactors HR connection.

Figure 16: Active Roles Synchronization Service – Selecting a connector for mapping objects

2. To start configuring a new object mapping with the Add mapping pair dialog, click
Add mapping pair.
3. In the Specify source step, under Connected system object type, select the
resource object type you want the object mapping to check. In this example, we are
using the Employees data entry of the SuccessFactors HR database, so click Select,
then in the Select Object Type step, select Employees.
TIP: If the data entry is hard to find due to the length of the list, use the Filter by
name field to find it quicker.
To apply your selection, click OK, then Next.
4. In the Specify target step, under Target connected system, configure the target
system where the other resource object type is located. To do so, click Specify, and
in the Add Connected System Wizard, select the Select existing connected
system option, then the connector of the SQL server (in this example, SQL
Connection). To apply your selection, click Finish.
5. Under Connected system object type, select sql-Object.
6. To create the mapping pair, click Finish.

7. (Optional) If needed, you can configure additional mapping pairs as well for your
synchronization workflow. To do so, click Add mapping pair again, and repeat the
procedure. This example procedure uses only one mapping pair.

Once the mapping pair is created, you can configure its associated mapping rule.

To configure a mapping rule between a SuccessFactors HR database and an SQL database

1. In the Active Roles Synchronization Service Console, navigate to Mapping, then
click the SCIM Connection to SuccessFactors HR connection.
2. The previously configured mapping pair appears. To open the available mapping pair
settings, click the Employees object type in the mapping pair.

Figure 17: Active Roles Synchronization Service – Mapping pair in a configured SCIM connection

3. To start configuring a new mapping rule, in the Mapping pair window, click Add
mapping rule.

4. In the Define Mapping Rule window, specify the source and target resource object
types that must be equal so that Active Roles Synchronization Service can map the
data pairs. In this example, we are using the UserID attribute for this purpose both in
the SuccessFactors HR database and in the SQL database as well.
Therefore, at the Value generated for SCIM Connection to SuccessFactors HR
by using field, click Attribute, then in the Select attribute window, select
userId. This adds the userId object value to both the source and target fields.
TIP: If the data entry is hard to find due to the length of the list, use the Filter by
name field to find it quicker.
5. To finish adding the mapping rule, click OK.

Figure 18: Active Roles Synchronization Service – Mapping rule in a
configured SCIM mapping pair

6. To start the mapping synchronization based on the configured value pair of the
mapping rule, click Map now. Active Roles Synchronization Service offers two
mapping types:
• Quick Map, using locally cached data to speed up the mapping process.
• Full Map, retrieving data from the source and target data systems for
accuracy.
As this is the first time this mapping is run, perform a Full Map.

Once the mapping rule finishes running successfully, it will indicate the unmapped, changed
and mapped objects, along with the objects that do not meet the scope conditions of the
configured mapping rule.

Creating a synchronization workflow for synchronizing data from a SCIM-based Starling Connect connector
Once you have configured a connection with the Generic SCIM Connector as described in
Configuring the Generic SCIM Connector for Starling Connect connections, you can
configure import-based data synchronization tasks to import data from the SCIM-based
SuccessFactors HR and ServiceNow connectors of Starling Connect to another target
system supported by Active Roles Synchronization Service.
The second step of creating this synchronization task is setting up a synchronization
workflow based on the object mapping configured in Creating object mapping between
a SCIM connection and an SQL connection. By configuring a workflow, you can
automate creating, removing or deprovisioning specific data entries between the
connected systems.
The following example procedure shows how to create a workflow that creates and updates
data synchronization between:

• A SuccessFactors HR database connected to Active Roles Synchronization Service with the Generic SCIM Connector. The SuccessFactors HR database will be the source system from which Active Roles Synchronization Service imports the data.
• An SQL database connected to Active Roles Synchronization Service with the Microsoft SQL Server Connector. The SQL database will act as the target system to which Active Roles Synchronization Service will synchronize the SuccessFactors HR data.

Prerequisites

Before performing the procedure, make sure that the following conditions are met:

• Active Roles Synchronization Service must already contain the following working connectors:
    • A Generic SCIM Connector connecting Active Roles Synchronization Service to the Starling Connect SuccessFactors HR connector. To configure such a connection, see Configuring the Generic SCIM Connector for Starling Connect connections. In this example procedure, this connection is called SCIM Connection to SuccessFactors HR.
    • A Microsoft SQL Server Connector providing the connection to the SQL server used in this example. To configure such a connection, see Creating a Microsoft SQL Server connection. In this example, this connection is called SQL Connection.
• The mapping pair and mapping rule configured in Creating object mapping between a SCIM connection and an SQL connection are active and working.

To configure a data synchronization workflow between a SuccessFactors HR database and an SQL database

1. In the Active Roles Synchronization Service Console, click Sync Workflows > Add
sync workflow.

Figure 19: Active Roles Synchronization Service – Adding a new synchronization workflow

2. In the Sync workflow name step, name the workflow (for example,
SuccessFactors HR to SQL Server), then click OK.
The new workflow then appears in the Sync Workflows tab.

3. Configure a data synchronization creation step for the workflow. To do so, in Sync
Workflows, click the name of the workflow (in this example, SuccessFactors HR
to SQL Server), then click Add synchronization step.

Figure 20: Active Roles Synchronization Service – Adding a new synchronization step

4. In the Select an action step, select Creation, then click Next.
The Creation step of the workflow will be used to create the synchronized data entries of the SuccessFactors HR database in the target SQL database. The Creation step performs data synchronization only for data entries that do not exist in the target system. Because of this, you typically run this step only once.
5. In the Specify source and criteria step, configure the following settings:
    • Source connected system: Specify the SuccessFactors HR database connection here, created with the Generic SCIM Connector. To do so, click Specify > Select existing connected system, then select the SCIM-based connection (in this example, SCIM Connection to SuccessFactors HR).
    • Source object type: Specify the source object type here (in this example, the Employees object type). To do so, click Select, then in the Select Object Type window, select Employees, and click OK.
    TIP: If the data entry is hard to find due to the length of the list, use the Filter by name field to find it quicker.
    • (Optional) Creation Criteria: Specify additional conditions that the specified source object(s) must meet for synchronization in this workflow step. This setting is not used in this example.
6. In the Specify target step, configure the following settings:
    • Target connected system: Specify the SQL server connection here, created with the Microsoft SQL Server Connector. To do so, click Specify > Select existing connected system, then select the SQL server connection (in this example, SQL Connection).
    • Target object type: Specify the target object type here. By default, when selecting an SQL server connection in Target connected system, Active Roles Synchronization Service sets this setting to sql-Object, the object type used in this example.

7. In the Specify creation rules step, configure the logic (called forward
synchronization rules) that Active Roles Synchronization Service will use to perform
first-time synchronization and copy data entries from the SuccessFactors HR
database over to the target SQL database.
To do so, specify one or more unique attributes that Active Roles Synchronization
Service can use to link the corresponding data entries in the connected
SuccessFactors HR and SQL data systems. In this example, four such SuccessFactors
HR attributes are specified: userName, userId, emails.value and
name.familyName.
To specify these creation rules:
a. Click Forward Sync Rule.
b. Click Source item > Attribute, and in the Select Object Attribute window,
search for the user name attribute in the SuccessFactors HR database (for
example, userName), then click OK.
TIP: If the data entry is hard to find due to the length of the list, use the
Filter by name field to find it quicker.
c. Click Target item > Attribute, and search for the applicable user name
attribute pair in the SQL database (for example, userName), then click OK.
TIP: If the data entry is hard to find due to the length of the list, use the
Filter by name field to find it quicker.

Figure 21: Active Roles Synchronization Service – Mapping attributes for a forward synchronization rule

d. To apply the forward synchronization rule created for the specified user name
attributes, click OK.
e. To configure synchronization rules for the userId, emails.value and
name.familyName SuccessFactors HR data entries too, click Forward Sync
Rule again, and repeat the previous sub-steps by selecting the source and
target attributes applicable to these data entries.
8. Once all forward synchronization rules are configured, to finish configuring the
Creation step, click Finish.

Figure 22: Active Roles Synchronization Service – Finalizing all forward
synchronization rules

This creates the Creation step as the first step of the synchronization workflow.

Figure 23: Active Roles Synchronization Service – Step 1 created for the
SuccessFactors HR / SQL server workflow

9. Now that the Creation step of the workflow is configured, configure the Update
step. To do so, click Add synchronization step again.
The Update step of the workflow will be used to update existing data entries mapped
between the SuccessFactors HR database and the target SQL database. The Update
step performs data synchronization only for existing data entries: it does not create
new ones. Because of this, you typically run this step after running the Creation
step, and run only the Update step later once the data entries have been created
with the Creation step.
10. In the Select an action step, select Update, then click Next.
11. In the Specify source and criteria step, configure the following settings:
    • Source connected system: Specify the SuccessFactors HR database connection here, created with the Generic SCIM Connector. To do so, click Specify > Select existing connected system, then select the SCIM-based connection (in this example, SCIM Connection to SuccessFactors HR).

    • Source object type: Specify the source object type here (in this example, the Employees object type). To do so, click Select, then in the Select Object Type window, select Employees, and click OK.
    TIP: If the data entry is hard to find due to the length of the list, use the Filter by name field to find it quicker.
    • (Optional) Creation Criteria: Specify additional conditions that the specified source object(s) must meet for synchronization in this workflow step. This setting is not used in this example.
12. In the Specify target step, configure the following settings:
    • Target connected system: Specify the SQL server connection here, created with the Microsoft SQL Server Connector. To do so, click Specify > Select existing connected system, then select the SQL server connection (in this example, SQL Connection).
    • Target object type: Specify the target object type here. By default, when selecting an SQL server connection in Target connected system, Active Roles Synchronization Service sets this setting to sql-Object, the object type used in this example.
13. In the Specify update rules step, configure the forward synchronization rules that
Active Roles Synchronization Service will use to update existing data entries in the
target SQL database from the SuccessFactors HR database. In this example, four
such attributes are specified: userName, userId, SuccessFactors HR ID (displayed
as sfid) and metadata information (displayed as meta).
To specify these update rules:
a. Click Forward Sync Rule.
b. Click Source item > Attribute, and in the Select Object Attribute window,
search for the user name attribute in the SuccessFactors HR database (for
example, userName), then click OK.
TIP: If the data entry is hard to find due to the length of the list, use the
Filter by name field to find it quicker.
c. Click Target item > Attribute, and search for the applicable user name
attribute pair in the SQL database (for example, userName), then click OK.
TIP: If the data entry is hard to find due to the length of the list, use the
Filter by name field to find it quicker.
d. To apply the forward synchronization rule created for the specified user name
attributes, click OK.
e. To configure synchronization rules for the user ID, sfid and meta data entries
too, click Forward Sync Rule again, and repeat the previous sub-steps by
selecting the source and target attributes applicable to these data entries.
14. Once all forward synchronization rules are configured, to finish configuring the
Update step, click Finish. The configured workflow will appear, containing
both steps.

15. Start the workflow by clicking Run workflow. For the first-time run, select only Step 1 (Creation from SCIM Connection to SuccessFactors HR to SQL Connection), then select the running method:
    • Full Run fetches all data entries specified in the workflow steps directly from the source system. As such, One Identity recommends using this method when running the workflow the first time, even if the process takes longer than a Quick Run.
    • Quick Run uses cached data whenever possible, and is normally faster.
The run may take several minutes to complete.

Figure 24: Active Roles Synchronization Service – Running a configured synchronization workflow for the first time

16. Once Active Roles Synchronization Service has found all mapped objects, apply the synchronization changes by clicking Commit.
Alternatively, to check detailed information about the processed objects, click the
Processed objects number. The Objects processed in window then opens, listing
all new data objects that Active Roles Synchronization Service will synchronize to the
target SQL database.

Synchronizing complex multi-value objects from a SCIM source system
Data synchronization workflows that import data with a connection based on the Generic
SCIM Connector can import all three types of SCIM 2.0-based data entries:

• Simple attributes, that is, data entries with a single simple value. For example, a user ID specified in a single string is a simple attribute.
• Complex single-value attributes, that is, data entries specified with several sub-attributes. For example, the following name attribute is a complex single-value attribute, specifying the name of an employee with three simple sub-attributes:

    "name": {
        "givenName": "Sam",
        "familyName": "Smith",
        "formatted": "Sam Smith"
    },

The value of complex single-value attributes is the sum of the sub-attribute values.
• Complex multi-value attributes, that is, data entries with multiple complex values, each of them specified with several simple sub-attributes. For example, the following addresses attribute is a complex multi-value attribute, specifying several addresses, each of them being a complex value containing several simple sub-attributes:

    "addresses": [
        {
            "type": "work",
            "streetAddress": "22 Example Street",
            "region": "Springfield",
            "postalCode": "51487",
            "country": "United States",
            "primary": true
        },
        {
            "type": "home",
            "streetAddress": "12 Rue Exemple",
            "region": "Montreal",
            "postalCode": "46179",
            "country": "Canada"
        }
    ],

However, even though synchronization workflows using connections set with the Generic
SCIM Connector can import all three of these value types, Active Roles Synchronization
Service does not recognize complex single-value attributes and complex multi-value
attributes, as they contain more values than what Active Roles Synchronization Service can
identify for a single data entry by default.
To import complex single-value and multi-value attributes successfully, you can use the
following methods:

• For complex single-value attributes, you can map each individual sub-attribute of the complex single-value attribute to separate attributes in the target system. For example, in case of the name complex single-value attribute, you can map the givenName, familyName and formatted sub-attributes to separate name.givenName, name.familyName, and name.formatted attributes in the target system, respectively.
• For complex multi-value attributes, you can use two methods:
    • When importing complex multi-value attributes, Active Roles Synchronization Service can take a single value (and its sub-attributes), map the sub-attributes to a set of target values (similarly to complex single-value attributes), then discard the rest of the complex values of the attribute.
    By default, Active Roles Synchronization Service takes the primary value of the complex multi-value attribute (marked with a specific primary sub-attribute). If no primary value is specified within the complex multi-value attribute, Active Roles Synchronization Service imports the first value (and its sub-attributes) only.
    NOTE: This method imports only the primary value (or the first value, if no primary value is specified). Active Roles Synchronization Service will discard all other values (and their sub-attributes).
    • If you map a complex multi-value attribute (such as the addresses attribute shown in the above example) when configuring a mapping rule for a workflow, you can configure an Active Roles Synchronization Service workflow to process and extract every value (and their sub-attributes) of the complex multi-value attribute with script-based attribute mapping.
    The following procedure provides an example of how to apply such a PowerShell script to properly process the addresses complex multi-value attribute shown in this chapter.

To configure a custom PowerShell script for a workflow to import complex multi-value attributes

1. In the Active Roles Synchronization Service, click Sync Workflow, then click the
synchronization workflow that imports data from a SCIM-based source system (for
example, the SuccessFactors HR to SQL Server workflow used in Creating a
synchronization workflow for synchronizing data from a SCIM-based Starling Connect
connector).
2. Click the first step of the workflow (in the example SuccessFactors HR to SQL Server workflow, this is named Step 1 (Creation from SCIM Connection to SuccessFactors HR to SQL Connection)).
3. Under Creation Rules, to open the initial population rules, click Forward
Sync Rule.
4. In the Forward Sync Rule window, at the Source item setting, open the Attribute
drop-down, and click PowerShell Script.
5. In the PowerShell Script Editor, paste the following script example, and click OK:

    # The raw attribute value is a JSON array; @() keeps it an array even when
    # ConvertFrom-Json returns a single element, so .Length is always valid.
    $addressesJsonArray = @($srcObj["addresses"] | ConvertFrom-Json)

    if ($addressesJsonArray) {
        for ($i = 0; $i -lt $addressesJsonArray.Length; $i++) {
            # Return the first address whose type sub-attribute is "work"
            if ($addressesJsonArray[$i].type -eq "work") {
                return $addressesJsonArray[$i].streetAddress + ", " +
                       $addressesJsonArray[$i].region + ", " + $addressesJsonArray[$i].locality
            }
        }
    }

The example script contains the following key parts:

    • $srcObj refers to the source object that the script will act on.
    • $srcObj["addresses"] extracts the raw value of the addresses attribute. In this example, this attribute is a complex multi-value SCIM attribute, so the attribute value will be a JSON array.
    • $addressesJsonArray is a .NET array object containing the values of the complex multi-value attribute.
The rest of the script performs the following steps:
    a. It checks that the array is valid.
    b. It traverses the elements of the array, and looks for the first element with a type sub-attribute with a work value.
    c. Once it finds an element with a work value type, it constructs a formatted string from the streetAddress, region and locality sub-attributes.
    d. It returns the result.
6. Use the output to parse and extract the data into other target values in the
target system.
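The three SCIM attribute types described earlier in this chapter, and the every-value extraction that the procedure above ends with, can be shown together in one script. The following is an added example and not code from the Active Roles guide or from One Identity: $srcObj is a constructed stand-in for the built-in hash table, holding the name and addresses JSON from this chapter, and ConvertTo-FlatScimAttributes is a hypothetical helper that flattens a resource the way the text describes (sub-attributes to dotted names, primary-or-first for multi-value attributes) and, with -AllValues, emits every value keyed by its type sub-attribute.

```powershell
# Added example, not from the Active Roles documentation. $srcObj is a constructed
# stand-in for the Synchronization Service built-in hash table; complex attribute
# values are kept as JSON text, as the guide's own script
# ($srcObj["addresses"] | ConvertFrom-Json) implies.
$srcObj = @{
    userName  = "ssmith"
    name      = '{ "givenName": "Sam", "familyName": "Smith", "formatted": "Sam Smith" }'
    addresses = @'
[
  { "type": "work", "streetAddress": "22 Example Street", "region": "Springfield",
    "postalCode": "51487", "country": "United States", "primary": true },
  { "type": "home", "streetAddress": "12 Rue Exemple", "region": "Montreal",
    "postalCode": "46179", "country": "Canada" }
]
'@
}

function ConvertTo-FlatScimAttributes {
    <#
      Hypothetical helper. Returns an ordered hash table of target-ready values:
      - simple attributes are copied as they are;
      - complex single-value attributes become dotted names (name.givenName);
      - complex multi-value attributes keep only the primary value, or the first
        value when none is marked primary (the default the guide describes),
        unless -AllValues is given, in which case every value is emitted, keyed
        by its type sub-attribute (addresses.work.streetAddress, addresses.home.region).
    #>
    param(
        [Parameter(Mandatory)] [hashtable] $Source,
        [switch] $AllValues
    )
    $flat = [ordered]@{}
    foreach ($attr in $Source.Keys) {
        $raw = $Source[$attr]
        $parsed = $null
        if ($raw -is [string] -and $raw.TrimStart() -match '^[\[{]') {
            # Complex attributes arrive as JSON text; anything else is a simple value.
            try { $parsed = $raw | ConvertFrom-Json -ErrorAction Stop } catch { $parsed = $null }
        }
        if ($null -eq $parsed) { $flat[$attr] = $raw; continue }

        # @() guarantees an array even for a one-element JSON array, so the same
        # code path serves complex single-value and multi-value attributes.
        $values = @($parsed)
        if ($values.Count -eq 1 -and $raw.TrimStart().StartsWith('{')) {
            foreach ($p in $values[0].PSObject.Properties) { $flat["$attr.$($p.Name)"] = $p.Value }
            continue
        }
        if ($AllValues) {
            for ($i = 0; $i -lt $values.Count; $i++) {
                $v = $values[$i]
                $tag = if ($v.type) { $v.type } else { "$i" }   # no type sub-attribute: use the index
                foreach ($p in $v.PSObject.Properties) {
                    if ($p.Name -ne 'type') { $flat["$attr.$tag.$($p.Name)"] = $p.Value }
                }
            }
        } else {
            # Default behaviour described in the guide: the primary value, else the first one.
            $chosen = $values | Where-Object { $_.primary -eq $true } | Select-Object -First 1
            if ($null -eq $chosen) { $chosen = $values[0] }
            foreach ($p in $chosen.PSObject.Properties) {
                if ($p.Name -ne 'primary') { $flat["$attr.$($p.Name)"] = $p.Value }
            }
        }
    }
    return $flat
}

# Default import: name.* sub-attributes plus the primary (work) address only.
ConvertTo-FlatScimAttributes -Source $srcObj | Format-Table -AutoSize
# Script-based alternative: every address, keyed by type.
ConvertTo-FlatScimAttributes -Source $srcObj -AllValues | Format-Table -AutoSize
```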

Appendix A: Developing PowerShell scripts for attribute synchronization rules

You can configure synchronization rules for creation, deprovisioning, or update steps. Synchronization Service provides a user interface (Synchronization Service Administration Console) that allows you to set up a direct or rules-based synchronization rule without any coding.
However, to set up a script-based synchronization rule, you must develop a Windows PowerShell script that builds the values of the target object attributes from the values of the source object attributes.
This section provides reference material on using the Windows PowerShell Script Host feature and provides a sample script.

Accessing source and target objects using built-in hash tables
Synchronization Service synchronizes data between the source and target objects using the pre-configured synchronization rules.
In the PowerShell scripts used to set up script-based synchronization rules, you can use the $srcObj and $dstObj built-in associative arrays (hash tables), which give the scripts access to the current attribute values of the source and target objects, respectively. The key names are the names of the object attributes.
For more information about the use of associative arrays, refer to the Windows PowerShell documentation.
In addition to $srcObj and $dstObj, Synchronization Service defines the $Request built-in hash table. The $Request key names are also names of the object attributes. The $Request hash table contains the new values to which the target object attributes must be set after the synchronization process completes.

To clarify the use of the built-in hash tables, consider the following scenario: you synchronize the "mail" attributes of user objects between an LDAP directory (source connected system) and Active Roles (target connected system) using the following synchronization rule: the value of the "mail" attribute in the target connected system must be equal to the value in the source connected system concatenated with the current date.
For example, before the synchronization process started, the source object had the "mail" attribute [email protected] and the target object had the "mail" attribute [email protected]. After the synchronization process completes, the target user will have the following mail: [email protected] (5 December, 2012) (if you performed the synchronization process on 5 December, 2012).
The following code snippet illustrates the use of built-in hash tables:
    # Returns "[email protected]" (the current value of the source object's mail attribute)
    $strSourceMail = $srcObj["mail"]
    # Returns "[email protected]" (the current value of the target object's mail attribute)
    $strTargetMail = $dstObj["mail"]
    # Returns "[email protected] (5 January, 2010)" (the new value the target attribute will be set to)
    $strNewMail = $Request["mail"]
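The date-stamp rule from the scenario above, written out as a complete script-based rule. This is an added example and not from the Active Roles guide: Get-TargetMail is a hypothetical helper, $srcObj and $dstObj are constructed stand-ins for the built-in hash tables, the addresses are made up, and the script adds one check the scenario does not spell out: a target value already stamped for the same source address is kept, so that repeated runs do not rewrite the attribute with a new date each time.

```powershell
# Added example, not from the Active Roles documentation. Inside a script-based
# rule, $srcObj and $dstObj already exist and the rule's output is the value the
# script returns; here they are constructed so the script runs on its own.
function Get-TargetMail {
    <#
      Implements the rule from the guide: target mail = source mail followed by
      the current date, as in "user@example.com (5 December, 2012)".
      Because the date changes on every run, the rule is re-applied only when the
      target does not already carry a dated value for the same source address.
    #>
    param(
        [Parameter(Mandatory)] [hashtable] $Source,   # stand-in for $srcObj
        [Parameter(Mandatory)] [hashtable] $Target,   # stand-in for $dstObj
        [datetime] $Now = (Get-Date)
    )
    $sourceMail = [string]$Source["mail"]
    if ([string]::IsNullOrWhiteSpace($sourceMail)) {
        return $Target["mail"]      # nothing to sync: leave the target value untouched
    }
    # Day without a leading zero, full month name, four-digit year; the invariant
    # culture keeps the month name independent of the server's locale.
    $stamp  = $Now.ToString("d MMMM, yyyy", [cultureinfo]::InvariantCulture)
    $wanted = "$sourceMail ($stamp)"

    $currentTarget = [string]$Target["mail"]
    # Already stamped for this same address by an earlier run? Keep it as it is.
    $stampedPattern = '^' + [regex]::Escape($sourceMail) + ' \(\d{1,2} [A-Za-z]+, \d{4}\)$'
    if ($currentTarget -match $stampedPattern) {
        return $currentTarget
    }
    return $wanted
}

# Constructed stand-ins for the built-in hash tables (addresses are made up).
$srcObj = @{ mail = "sam.smith@example.com" }
$dstObj = @{ mail = "s.smith@example.com" }

# First run: the target mail becomes "sam.smith@example.com (5 December, 2012)".
Get-TargetMail -Source $srcObj -Target $dstObj -Now (Get-Date "2012-12-05")

# A later run: the stamped value is already in place and is returned unchanged.
$dstObj["mail"] = "sam.smith@example.com (5 December, 2012)"
Get-TargetMail -Source $srcObj -Target $dstObj
```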

Example script
The following script illustrates the use of $srcObj.
A creating task (a creation step of a sync workflow, in Synchronization Service terms) causes Synchronization Service to create user identity information in Active Directory from a delimited text file using the following creating rule: the "co" attribute of all created users must be set to the name of the country where the user lives. The script-based creating rule calculates the "co" attribute value based on the user's city (the "City" attribute in the connected data source).
The following script implements the described scenario:
    # --- Retrieve the City attribute of the user object in the connected data source.
    $userCity = $srcObj["City"]
    # --- Determine the user's country from the city.
    switch ($userCity)
    {
        "New York" {$country = "United States"; break}
        "Paris"    {$country = "France"; break}
        "Tokyo"    {$country = "Japan"; break}
        default    {$country = "Unknown"}
    }
    # --- Return the user's country. The script-based creating rule
    # --- assigns this value to the "co" attribute in the created user object.
    $country
    # End of the script

Appendix B: Using a PowerShell script to transform passwords

You can use a Windows PowerShell script in a password sync rule to transform passwords.
This section provides some reference materials on how to write a Windows PowerShell
script for password transformation.

Accessing the source object password

To synchronize passwords between the source Active Directory domain and the target connected data system, Synchronization Service uses the password sync rules you configure. In the password sync rule settings, you can type a PowerShell script that transforms source Active Directory user passwords into object passwords for the target connected system. For example, you can use such a script if you want the object passwords in the source and target connected systems to be different.
When developing a PowerShell script to transform passwords, you can use the $srcPwd built-in associative array (hash table), which gives the script access to the source object password. $srcPwd returns a string that contains the object password.

Example script
To clarify the use of $srcPwd, consider a scenario where the target object password in the target connected data system must consist only of the first 8 characters of the source object password in the source Active Directory domain.
The following script implements the described scenario:
    if ($srcPwd.Length -gt 8)
    {
        # Keep only the first 8 characters of the source password
        $srcPwd.Substring(0, 8)
    }
    else
    {
        # Shorter passwords are passed through unchanged
        $srcPwd
    }
    # End of the script

About us

One Identity solutions eliminate the complexities and time-consuming processes often
required to govern identities, manage privileged accounts and control access. Our solutions
enhance business agility while addressing your IAM challenges with on-premises, cloud and
hybrid environments.

Contacting us
For sales and other inquiries, such as licensing, support, and renewals, visit
https://www.oneidentity.com/company/contact-us.aspx.

Technical support resources

Technical support is available to One Identity customers with a valid maintenance contract
and customers who have trial versions. You can access the Support Portal at
https://support.oneidentity.com/.
The Support Portal provides self-help tools you can use to solve problems quickly and
independently, 24 hours a day, 365 days a year. The Support Portal enables you to:

• Submit and manage a Service Request
• View Knowledge Base articles
• Sign up for product notifications
• Download software and technical documentation
• View how-to videos at www.YouTube.com/OneIdentity
• Engage in community discussions
• Chat with support engineers online
• View services to assist you with your product
