Issue Adding Users #861

Open
iamdlfl opened this issue Feb 3, 2025 · 7 comments

@iamdlfl

iamdlfl commented Feb 3, 2025

Our organization has two separate processes that run to sync Adobe accounts and licensed group memberships respectively. Process two is responsible for getting license entitlements and adding users to a User Group that provides licensing. Process one is supposed to simply add and remove user accounts based on their affiliation with our organization.

I have run into an issue with process one. It will remove users just fine, but it isn't creating accounts for users. We use LDAP for the connector. I tested out if we add users to a default group, and it looks like it would create an account of new users if they are being added to a group, but NOT if they are not being added to a group.

Is there a way to configure UST to create accounts in our Adobe portal WITHOUT having to also add them to a group?

@adorton-adobe
Collaborator

Can you provide more detail around how each of these sync processes is set up? Are both sync processes syncing from LDAP to the Admin Console?

@iamdlfl
Author

iamdlfl commented Feb 6, 2025

Sure, I'll provide some more detail. Let me know if you need anything else.

Process One runs on a CI/CD pipeline. It connects with LDAP for directory and the new OAuth server-to-server for connecting to Admin Console. For LDAP, the only setting out of the ordinary is we use an all_users_filter to only retrieve users from a specific group. This does successfully retrieve those users, because in the logs it lists the number of users on the directory side. The user-sync-config.yml has fairly common (from what I can tell) settings too:

invocation_defaults:
    adobe_only_user_action: remove
    adobe_users: all
    process_groups: False
    strategy: sync
    users: all

The only thing that made it work was setting process_groups to True and adding (under directory_users:) the following:

groups:
    - directory_group: {our_ldap_group}
      adobe_groups:
          - {some_default_group}

It seemed to me that the tool should add users without having to specify a group to add them to.

Our second process has no issues. It is set up to use a file connector instead of LDAP, and it adds and removes users from a couple of user groups that provide products.

@adorton-adobe
Collaborator

adobe_groups can be null, which means you can omit the list of groups.

groups:
    - directory_group: {our_ldap_group}
      adobe_groups:

This will create the users without assigning them to any target group.

@iamdlfl
Author

iamdlfl commented Feb 10, 2025

Ah I see, that's very helpful. Thank you!

Last question (I think). I just want to match all users; is there any kind of selector or value that would do that? Or do I just have to find/create an LDAP group that would contain all the users?

I see you can use regex for "additional_groups" but that doesn't seem to work for the initial directory_group value.

@adorton-adobe
Collaborator

You're using the option users: all which means you're already getting all users from the LDAP source (with respect to the queries configured in the LDAP config). If you're not seeing the users you'd expect, I recommend checking the LDAP config.

@iamdlfl
Author

iamdlfl commented Feb 18, 2025

That's what I thought users: all meant as well, but there are a lot of users from the directory that are not getting added to the Adobe console. In the screenshot below, you can see that there are ~113K directory users selected and ~75K Adobe users, but there are not any "adds".

Image

@adorton-adobe
Collaborator

I would need more information to know what is happening. There are several potentially valid reasons why querying all users does not sync all of those users. For example, you may be querying users that are missing an email address or another vital piece of information.

But the UST does allow you to sync all users without assigning any target groups. The user option controls this - you have it set to all which includes all users (with respect to LDAP filters).

I would need to take a look at a full log file (with the log level set to debug) to have a better idea of what is happening.
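Added example, not part of the thread and not UST code: a pre-sync audit that classifies exported directory records to explain a gap between the directory and Adobe counts, such as the missing email address mentioned above. The function name, the `mail` attribute, matching on lower-cased email, the malformed and duplicate categories, and the sample records are all assumptions constructed for illustration.

```python
# Added example (not UST code): explain why directory users may not become "adds".
import re
from collections import Counter

# Loose syntax check only; assumption, not the validation UST itself performs.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def audit(directory_entries, adobe_emails, email_attr="mail"):
    """Classify directory entries; return (reason counts, expected new emails)."""
    adobe = {e.strip().lower() for e in adobe_emails}
    reasons, seen, expected_adds = Counter(), set(), []
    for entry in directory_entries:
        email = (entry.get(email_attr) or "").strip().lower()
        if not email:
            reasons["missing_email"] += 1        # the case named in the thread
        elif not EMAIL_RE.match(email):
            reasons["malformed_email"] += 1
        elif email in seen:
            reasons["duplicate_email"] += 1      # two entries share one address
        elif email in adobe:
            seen.add(email)
            reasons["already_in_adobe"] += 1
        else:
            seen.add(email)
            reasons["expected_add"] += 1
            expected_adds.append(email)
    return reasons, expected_adds

# Constructed sample data standing in for an LDAP export and an Adobe user list.
SAMPLE_DIRECTORY = [
    {"uid": "a1", "mail": "Ana@example.edu"},
    {"uid": "b2", "mail": "bo@example.edu"},
    {"uid": "c3"},
    {"uid": "d4", "mail": "  "},
    {"uid": "e5", "mail": "not-an-address"},
    {"uid": "f6", "mail": "bo@example.edu"},
    {"uid": "g7", "mail": "gil@example.edu"},
]
SAMPLE_ADOBE = ["ana@example.edu"]

if __name__ == "__main__":
    reasons, adds = audit(SAMPLE_DIRECTORY, SAMPLE_ADOBE)
    for reason, count in sorted(reasons.items()):
        print(f"{reason}: {count}")
    print("expected adds:", adds)
```

If `expected_add` is non-zero here while the sync log reports no adds, the debug-level log requested above is the next place to look.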
