
Active Roles 8.1.

Synchronization Service
Administration Guide
Copyright 2023 One Identity LLC.
ALL RIGHTS RESERVED.
This guide contains proprietary information protected by copyright. The software described in this
guide is furnished under a software license or nondisclosure agreement. This software may be used
or copied only in accordance with the terms of the applicable agreement. No part of this guide may
be reproduced or transmitted in any form or by any means, electronic or mechanical, including
photocopying and recording for any purpose other than the purchaser’s personal use without the
written permission of One Identity LLC .
The information in this document is provided in connection with One Identity products. No license,
express or implied, by estoppel or otherwise, to any intellectual property right is granted by this
document or in connection with the sale of One Identity LLC products. EXCEPT AS SET FORTH IN THE
TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT,
ONE IDENTITY ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR
STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-
INFRINGEMENT. IN NO EVENT SHALL ONE IDENTITY BE LIABLE FOR ANY DIRECT, INDIRECT,
CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT
LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF
INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF
ONE IDENTITY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. One Identity makes
no representations or warranties with respect to the accuracy or completeness of the contents of this
document and reserves the right to make changes to specifications and product descriptions at any
time without notice. One Identity does not make any commitment to update the information
contained in this document.
If you have any questions regarding your potential use of this material, contact:
One Identity LLC.
Attn: LEGAL Dept
4 Polaris Way
Aliso Viejo, CA 92656
Refer to our Web site (http://www.OneIdentity.com) for regional and international office
information.
Patents
One Identity is proud of our advanced technology. Patents and pending patents may apply to this
product. For the most current information about applicable patents for this product, please visit our
website at http://www.OneIdentity.com/legal/patents.aspx.
Trademarks
One Identity and the One Identity logo are trademarks and registered trademarks of One Identity
LLC. in the U.S.A. and other countries. For a complete list of One Identity trademarks, please visit
our website at www.OneIdentity.com/legal/trademark-information.aspx. All other trademarks are
the property of their respective owners.
Legend

WARNING: A WARNING icon highlights a potential risk of bodily injury or property
damage, for which industry-standard safety precautions are advised. This icon is
often associated with electrical hazards related to hardware.

CAUTION: A CAUTION icon indicates potential damage to hardware or loss of data
if instructions are not followed.
Active Roles Synchronization Service Administration Guide
Updated - 15 November 2023, 23:23
For the most recent documents and product information, see Online product documentation.
Contents

Synchronization Service overview 1


Synchronization Service features and benefits 1
Bidirectional synchronization 2
Delta processing mode 2
Synchronization of group membership 2
Windows PowerShell scripting 2
Attribute synchronization rules 3
Rule-based generation of distinguished names 3
Scheduling capabilities 3
Extensibility 3
Azure BackSync configuration 4
Technical overview 5
Synchronization Service 5
Capture Agent 6
Connectors and connected data systems 6
Sync workflows 6

Deploying Synchronization Service 8


Installing Synchronization Service 8
Configuring Synchronization Service 9
Configuring Azure BackSync 12
Configuring manual Azure BackSync 13
Configuring automatic Azure BackSync 15
Settings updated after Azure BackSync configuration operation 17
Finding the GUID (Tenant ID) of an Azure AD for Azure BackSync 19
Upgrade from Quick Connect and Synchronization Service 19
Transferring sync workflows from Quick Connect 20
Communication ports 21

Deploying Synchronization Service for use with AWS Managed Microsoft AD 23
Supported AWS Managed Microsoft AD deployment configuration 23
Synchronization Service features and limitations when used with AWS Managed Microsoft AD 24

Active Roles 8.1.3 Synchronization Service Administration Guide


3
Main steps of configuring Active Roles for AWS Managed Microsoft AD 25
Deployment requirements for AWS Managed Microsoft AD support 25
Creating the AWS Managed Microsoft AD instance 26
Creating the EC2 instance for Active Roles 27
Joining the EC2 instance to AWS Managed Microsoft AD 28
Creating the RDS instance for the Active Roles SQL Server 28
Verifying connectivity between the EC2 and RDS instances 29
Installing and configuring Synchronization Service for AWS Managed Microsoft AD 30

Getting started 31
Synchronization Service Console 31
Gear icon 32
Sync Workflows tab 33
Sync History tab 33
Connections tab 34
Mapping tab 34
Password Sync tab 35
Configuring diagnostic logging 36
How to synchronize identity data 37
Synchronization Service Management Shell 37
Cmdlet naming conventions 38
Getting help 38

Connections to external data systems 40


External data systems supported with built-in connectors 41
Working with Active Directory 42
Creating an Active Directory connection 43
Modifying an Active Directory connection 44
Communication ports required to synchronize data between two Active Directory domains 45
Synchronizing user passwords between two Active Directory domains 45
Synchronizing SID history of users or groups 46
Working with an AD LDS (ADAM) instance 47
Creating an AD LDS (ADAM) instance connection 48
Modifying an existing AD LDS (ADAM) instance connection 48
Working with Skype for Business Server 49
Creating a new Skype for Business Server connection 50

Modifying an existing Skype for Business Server connection 51
Supported Skype for Business Server data 52
Attributes required to create a Skype for Business Server user 55
Getting or setting the Telephony option value in Skype for Business Server 56
Working with Oracle Database 57
Creating an Oracle Database connection 57
Modifying an existing Oracle Database connection 59
Sample SQL queries for working with an Oracle Database 61
Working with Oracle Database user accounts 62
Creating an Oracle Database user accounts connection 63
Modifying an existing Oracle Database user account connection 64
Sample SQL queries for working with Oracle Database user accounts 65
Working with Exchange Server 66
Creating a new connection to Exchange Server 67
Modifying an existing connection to Exchange Server 68
Exchange Server data supported out of the box 70
Scenario: Migrate mailboxes from one Exchange Server to another 84
Working with Active Roles 85
Creating an Active Roles connection 86
Modifying an Active Roles connection 87
Working with One Identity Manager 88
Creating a One Identity Manager connection 88
Modifying a One Identity Manager connection 89
One Identity Manager Connector configuration file 90
Working with a delimited text file 91
Creating a delimited text file connection 92
Modifying an existing delimited text file connection 93
Working with Microsoft SQL Server 95
Creating a Microsoft SQL Server connection 96
Modifying an existing Microsoft SQL Server connection 97
Sample queries to modify SQL Server data 99
Working with Micro Focus NetIQ Directory 100
Creating a Micro Focus NetIQ Directory connection 101
Modifying an existing Micro Focus NetIQ Directory connection 102
Working with Salesforce 105

Creating a Salesforce connection 105
Modifying an existing Salesforce connection 106
Salesforce data supported for synchronization 107
Scenario: Provisioning users from an Active Directory domain to Salesforce 110
Working with ServiceNow 112
Creating a ServiceNow connection 113
Modifying an existing ServiceNow connection 114
ServiceNow data supported for synchronization 115
Working with Oracle Unified Directory 115
Creating an Oracle Unified Directory connection 116
Modifying an existing Oracle Unified Directory Server connection 117
Working with an LDAP directory service 120
Creating an LDAP directory service connection 120
Modifying an existing Generic LDAP directory service connection 122
Specify password sync parameters for LDAP directory service 125
Working with an OpenLDAP directory service 126
Creating an OpenLDAP directory service connection 126
Modifying an existing OpenLDAP directory service connection 128
Working with IBM DB2 130
Creating an IBM DB2 connection 131
Modifying an existing IBM DB2 connection 132
Working with IBM AS/400 134
Creating an IBM AS/400 connection 135
Modifying an existing IBM AS/400 connection 136
Additional considerations for an IBM AS/400 connection 136
Working with IBM RACF 137
Creating an IBM RACF connection 138
Modifying an IBM RACF connection 138
Example of mapping for dataset information 139
Creating SQL database and table 139
Provisioning datasets 140
Updating datasets 141
Deprovisioning datasets 142
Working with TSO command 142
Working with MySQL database 143

Creating a MySQL database connection 144
Modifying an existing MySQL database connection 145
Working with an OLE DB-compliant relational database 147
Creating an OLE DB-compliant relational database connection 148
Modifying an existing OLE DB-compliant data source connection 149
Working with SharePoint 151
Creating a SharePoint connection 151
SharePoint data supported for data synchronization 152
Considerations for creating objects in SharePoint 207
Working with Microsoft 365 207
Creating a Microsoft 365 connection 208
Modifying a Microsoft 365 connection 210
Microsoft 365 data supported out of the box 213
Objects and attributes specific to Microsoft 365 services 302
How the Microsoft 365 Connector works with data 303
Working with Microsoft Azure Active Directory 304
Creating a Microsoft Azure Active Directory connection 304
Modifying a Microsoft Azure Active Directory connection 309
Microsoft Azure Active Directory data supported for synchronization 311
Configuring data synchronization with the SCIM Connector 316
Objects and operations supported by the SCIM Connector 317
Creating a SCIM connection with the SCIM Connector 317
Viewing or modifying the settings of a SCIM Connector 319
Configuring data synchronization with the Generic SCIM Connector 319
Configuring the Generic SCIM Connector for Starling Connect connections 321
Viewing or modifying the settings of a Generic SCIM Connector connection 326
Using connectors installed remotely 328
Installing Synchronization Service and built-in connectors remotely 329
Creating a connection using a remotely installed connector 329
Creating a connection 330
Renaming a connection 330
Deleting a connection 331
Modifying synchronization scope for a connection 331
Using connection handlers 331
Specifying password synchronization settings for a connection 333

Synchronizing identity data 335
Creating a sync workflow 336
Running a sync workflow 337
Running a sync workflow manually 337
Running a sync workflow on a recurring schedule 337
Disabling a sync workflow run schedule 338
Renaming a sync workflow 338
Deleting a sync workflow 339
Adding a creating step 339
Creating an update step 340
Creating a deprovisioning step 342
Modifying an existing sync workflow step 343
General Options 344
Source 344
Target 345
Creation Rules 345
Deprovisioning Rules 346
Updating Rules 347
Step Handlers 347
Deleting a sync workflow step 348
Changing the order of steps in a sync workflow 348
Generating object names by using rules 348
Modifying attribute values by using rules 350
Configuring a forward sync rule 350
Forward sync rule source item 351
Forward sync rule target item 351
Configuring a reverse sync rule 352
Reverse sync rule source item 352
Reverse sync rule target item 352
Configuring a merge sync rule 353
Using value generation rules 354
Configuring a rule entry 355
Using sync workflow step handlers 356
Example: Synchronizing group memberships 357
Example: Synchronizing multivalued attributes 357

Using sync workflow alerts 358
Creating or editing a sync workflow alert 358
Deleting a sync workflow alert 360
Managing outgoing mail profiles 360
Outgoing mail profile settings 361

Mapping objects 362


How to map objects 363
Creating mapping pairs 363
Creating mapping rules 364
Change scope for mapping rules 364
Running map operation 365
How to unmap objects 367

Automated password synchronization 368


How to automate password synchronization 369
Managing Capture Agent 370
Installing Capture Agent manually 370
Using Group Policy to install Capture Agent 371
Uninstalling Capture Agent 373
Managing password sync rules 373
Creating a password sync rule 374
Deleting a password sync rule 375
Modifying settings for a password sync rule 375
Fine-tuning automated password synchronization 376
Configuring Capture Agent 376
Creating and linking a Group Policy object 378
Adding an administrative template to Group Policy object 378
Using Group Policy object to modify Capture Agent settings 378
Modifying Synchronization Service parameters 379
Specifying a custom certificate for encrypting password sync traffic 380
Obtaining and installing a certificate 380
Exporting the custom certificate to a file 381
Importing certificate into certificates store 382
Copying the certificate's thumbprint 383
Providing the certificate’s thumbprint to Capture Agent 383

Providing the certificate’s thumbprint to Synchronization Service 384
Using PowerShell scripts with password synchronization 385

Synchronization history 386


Viewing sync workflow history 386
View mapping history 387
Searching synchronization history 388
Cleaning up synchronization history 389

Scenarios of use 390


Scenario: Create users from a .csv file to an Active Directory domain 391
Creating a sync workflow 391
Adding a creating step 392
Running the configured creating step 394
Committing changes to Active Directory 394
Scenario: Using a .csv file to update user accounts in an Active Directory domain 394
Creating an updating step 395
Running the configured updating step 396
Committing changes to Active Directory 396
Scenario: Synchronizing data between One Identity Manager Custom Target Systems and an Active Directory domain 396
Creating a connection to One Identity Manager 397
Configuring One Identity Manager modules, Custom Target System and Container Information 397
Creating a workflow for provisioning 398
Creating a provisioning step 398
Specifying synchronization rules 398
Running the workflow 399
Committing changes to One Identity Manager 399
Verify on One Identity Manager 399
Scenario: Deprovisioning between One Identity Manager Custom Target Systems and an Active Directory domain 400
Scenario: Provisioning of groups between One Identity Manager Custom Target Systems and an Active Directory domain 401
Scenario: Enabling Delta Sync mode between One Identity Manager Custom Target Systems and an Active Directory domain 402
Example of using the Generic SCIM Connector for data synchronization 403
Creating object mapping between a SCIM connection and an SQL connection 404

Creating a sync workflow for synchronizing data from a SCIM-based Starling Connect connector 407
Synchronizing complex multi-value objects from a SCIM source system 414

Appendix: Developing PowerShell scripts for attribute synchronization rules 418
Accessing source and target objects using built-in hash tables 418

Appendix: Using PowerShell script to transform passwords 420

Accessing source object password 420

About us 422

Contacting us 423

Technical support resources 424

1 Synchronization Service overview

Within the same organization, identity information can be stored in many different data
systems, such as directories, databases, or formatted dump files. Managing identity
information and synchronizing it between these data systems can take a lot of time and
effort for administrators. In addition, performing data synchronization manually is error-
prone and can lead to duplicate information or incompatible data formats.
With Active Roles Synchronization Service, you can completely automate the process of
identity data synchronization between the data systems used in your enterprise
environment.
Synchronization Service increases data management efficiency by automating the
creation, deprovisioning, and update operations between your data systems. For example, if an
employee joins or leaves the organization, Synchronization Service can automatically
update the related information in all data systems, reducing your administrative workload
and getting new users up and running faster.
The use of scripting capabilities provides a flexible way to:
• Automate day-to-day administration tasks.
• Integrate the administration of managed data systems with other business
processes.

To start synchronizing identity data, you must connect Synchronization Service to your
data systems with so-called "connectors". Connectors allow Synchronization Service to
access specific data systems, then read and synchronize data in that system according to
your settings.
Synchronization Service includes several built-in connectors that do not require any license
file. For the list of these connectors and more information on configuring them, see
External data systems supported with built-in connectors.

Synchronization Service features and benefits
Synchronization Service offers a wide range of features to synchronize identity data
between your data systems.

Bidirectional synchronization
Bidirectional synchronization allows you to synchronize all changes that occurred to identity
information between your data systems. Using this type of synchronization, you can
proactively prevent potential identity information conflicts between different data sources.
NOTE: Bidirectional synchronization is unavailable for some of the supported data
systems. For more information, see External data systems supported with built-in
connectors.

Delta processing mode
Delta processing mode allows you to synchronize identities more quickly by processing only
the data that has changed in the source and target connected systems since their last
synchronization.
Both the full mode and the delta mode provide you with the flexibility of choosing the
appropriate method for your synchronization tasks.
NOTE: Delta processing mode is unavailable for some of the supported data systems. For
more information, see External data systems supported with built-in connectors.

Synchronization of group membership
Synchronization Service allows you to ensure that group membership information is in sync
in all connected data systems. For example, when creating a group object from an Active
Directory domain to an AD LDS (ADAM) instance, you can configure rules to synchronize
the Member attribute from the Active Directory domain to the AD LDS (ADAM) instance.

Windows PowerShell scripting
The Management Shell component of Synchronization Service is an automation and
scripting shell that provides a command-line management interface for synchronizing data
between connected systems via the Synchronization Service.
The Management Shell is implemented as a Windows PowerShell snap-in that extends the
standard Windows PowerShell functionality. The cmdlets provided by the Management
Shell conform to the Windows PowerShell standards and are fully compatible with the
default command-line tools that come with Windows PowerShell.
The Management Shell allows administrators to perform attribute or password
synchronization operations by using Windows PowerShell scripts. For example, you can
compose and run a Windows PowerShell script that assigns values to the target object
attributes using the values of the source object attributes. For more information, see Using
PowerShell script to transform passwords.

Attribute synchronization rules
With Synchronization Service, you can create and configure synchronization rules to
generate values of target object attributes. These rules support the following types of
synchronization:
• Direct synchronization: Assigns the value of a source object attribute to the target
object attribute you specify.
• Script-based synchronization: Allows you to use a Windows PowerShell script to
generate the target object attribute value.
• Rule-based synchronization: Allows you to create and use rules to generate the
target object attribute value you want.
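Script-based synchronization, as described above, derives target attribute values from source attribute values. The following PowerShell script is an added example, not code from the guide or from One Identity, of the kind of derivation such a script performs and of the checks a practitioner would want in it: it fails closed when a required source attribute is missing, strips diacritics and disallowed characters before building an account name, and enforces the 20-character sAMAccountName limit. It assumes that the rule exposes the source object as a hash table named $srcObj keyed by attribute name (the convention the appendix on built-in hash tables is assumed to describe); the sample $srcObj, the helper names ConvertTo-SafeAccountName and Get-TargetAttributes, and the example.com mail domain are constructed for this illustration.

```powershell
# Added example (not from the guide): a script-based attribute rule that
# derives target attribute values from source attribute values.
# ASSUMPTION: the rule exposes the source object as a hash table named $srcObj
# (attribute name -> value); the $srcObj below is constructed for a stand-alone run.

function ConvertTo-SafeAccountName {
    param([Parameter(Mandatory)][string]$GivenName,
          [Parameter(Mandatory)][string]$Surname)

    # Decompose accented characters and drop the combining marks, so that
    # "Müller" becomes "Muller" and the result is ASCII-only.
    $raw   = ('{0}.{1}' -f $GivenName, $Surname).Normalize([Text.NormalizationForm]::FormD)
    $ascii = -join ($raw.ToCharArray() | Where-Object {
        [Globalization.CharUnicodeInfo]::GetUnicodeCategory($_) -ne 'NonSpacingMark'
    })
    # Keep only characters that are safe in an account name, lower-case the
    # value and cap it at 20 characters (the sAMAccountName limit).
    $clean = ($ascii -replace '[^A-Za-z0-9.\-_]', '').ToLowerInvariant()
    if ($clean.Length -gt 20) { $clean = $clean.Substring(0, 20) }
    return $clean.TrimEnd('.')
}

function Get-TargetAttributes {
    param([Parameter(Mandatory)][hashtable]$Source)

    # Fail closed: refuse to generate values when required source data is
    # missing, rather than provisioning an object with an empty or guessed name.
    foreach ($required in 'givenName', 'sn') {
        if ([string]::IsNullOrWhiteSpace($Source[$required])) {
            throw "Source object is missing required attribute '$required'."
        }
    }
    $account = ConvertTo-SafeAccountName -GivenName $Source['givenName'] -Surname $Source['sn']
    return @{
        displayName    = ('{0} {1}' -f $Source['givenName'], $Source['sn']).Trim()
        sAMAccountName = $account
        mail           = '{0}@example.com' -f $account   # mail domain is a placeholder
    }
}

# Constructed sample source object (hypothetical values) for a stand-alone run.
$srcObj = @{ givenName = 'Zoë'; sn = "O'Brien-Müller"; department = 'Finance' }
$target = Get-TargetAttributes -Source $srcObj
$target.GetEnumerator() | Sort-Object Name | ForEach-Object { '{0} = {1}' -f $_.Name, $_.Value }
```

Inside a sync rule the script would return the single value for the attribute the rule populates; the helper here computes three related attributes at once only so that the derivation logic is visible in one place.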

Rule-based generation of distinguished names
Synchronization Service lets you create flexible rules for generating the distinguished
names (DNs) of objects being created. These rules allow you to ensure that created objects
are named in full compliance with the naming conventions existing in your organization.

Scheduling capabilities
You can schedule running synchronization operations and automatically perform them on a
regular basis to satisfy your company’s policy and save time and effort.

Extensibility
To access external data systems, Synchronization Service employs special connectors. A
connector allows Synchronization Service to read and synchronize the identity data
contained in a particular data system. Out of the box, Synchronization Service includes
connectors that allow you to connect to the following data systems:
• Microsoft Active Directory Domain Services
• Microsoft Active Directory Lightweight Directory Services
• Microsoft Exchange Server
• Microsoft Skype for Business Server
• Microsoft Azure Active Directory
• Microsoft 365

• Microsoft SQL Server
• Microsoft SharePoint
• Active Roles version 7.4.x, 7.3, 7.2, 7.1, 7.0, or 6.9
• One Identity Manager version 8.1, 8.0, or 7.0
• Data sources accessible through an OLE DB provider
• Delimited text files
• Generic LDAP Directory service
• MySQL Database
• OpenLDAP Directory service
• Salesforce
• ServiceNow
• IBM DB2 Database
• IBM RACF Connector
• IBM AS/400 Connector
• Oracle Database connector
• Oracle Database User Accounts connector
• Micro Focus NetIQ Directory connector
• Oracle Unified Directory connector

Azure BackSync configuration
In any hybrid environment, on-premises Active Directory objects are synchronized to Azure
AD, for example with Azure AD Connect. When Active Roles is deployed in such a hybrid
environment, to ensure data synchronization between the two systems, the existing user
and group information (such as IDs) must be synchronized back from Azure AD to the on-
premises AD deployment. To synchronize existing AD users and groups from Azure AD with
Active Roles Synchronization Service, use the Azure back synchronization operation,
known as "Azure BackSync".
For an Azure BackSync operation, you configure Active Roles Synchronization Service sync
workflows to identify the unique Azure AD users or groups, then map them to the on-
premises AD users or groups. After the back synchronization operation is completed, Active
Roles displays the configured Azure attributes for the synchronized objects.
Azure BackSync allows you to configure the back synchronization operation in Azure with
on-premises Active Directory objects through the Synchronization Service Console. The
required connections, mappings, and sync workflow steps are created automatically.
When you configure back synchronization, the Azure application registration is done
automatically with the default app ActiveRoles_AutocreatedAzureBackSyncApp_V2.
NOTE: Consider the following when configuring Azure BackSync:

• If you receive an Application not found error, try configuring back
synchronization again later. The error may occur because Azure application
synchronization may take some time.
• If you use existing back synchronization configuration settings, then the existing
default app ActiveRoles_AutocreatedAzureBackSyncApp is used to run the back
synchronization workflow. However, One Identity recommends using the default
app ActiveRoles_AutocreatedAzureBackSyncApp_V2 since it requires reduced
administrator privileges. To use the latest Azure application, configure back
synchronization again as described in Configuring Azure BackSync.
• To ensure that back synchronization works as expected, you must have:
  • Write permissions for the edsvaAzureOffice365Enabled,
  edsaAzureContactObjectId, edsvaAzureObjectID, and
  edsvaAzureAssociatedTenantId attributes.
  • Local administrator privileges where Active Roles Synchronization
  Service is running.

Technical overview
The following illustration shows how Synchronization Service synchronizes data between
connected data systems.

Figure 1: Synchronization of data between connected systems

Synchronization Service uses Capture Agents, connected data systems, connectors,
connections, and sync workflows to synchronize identity data.

Synchronization Service
Synchronization Service performs data synchronization operations and includes the
Synchronization Service Console, which provides a graphical user interface for managing
connections to data systems and data synchronization operations.

Capture Agent
Synchronization Service Capture Agent allows you to synchronize user passwords between
Active Directory domains managed by Synchronization Service and other connected data
systems. The following diagram shows how password synchronization works with
Synchronization Service Capture Agent:

Figure 2: Password synchronization

Capture Agent tracks changes to user passwords in the source Active Directory domain
and provides that information to Synchronization Service, which then synchronizes the
changes to the target connected data systems by using the password synchronization
rules you specified.
To synchronize passwords, install Capture Agent on each domain controller in the Active
Directory domain you want to use as a source for the password synchronization operations.

Connectors and connected data systems
Synchronization Service lets you synchronize identity information between a wide variety
of external data systems. To synchronize identities, you must connect Synchronization
Service to your data systems through special connectors. A connector enables
Synchronization Service to access a specific data system and read and synchronize identity
data in that system.
For the list of supported data systems, see Extensibility.

Sync workflows
A sync workflow is a set of synchronization steps (or synchronization operations) that
define how to synchronize objects between two connected data systems. A sync workflow
can comprise one or more synchronization steps. You can use the Synchronization
Service Console, a component of Synchronization Service, to configure as many sync
workflows as needed.

You can configure a synchronization step to perform one of the following operations:
• Creation: Creates objects in the target connected data systems based on the
changes made to specific objects in the source connected system. When creating a
new object, Synchronization Service assigns initial values to the object attributes
based on the attribute population rules you have configured.
• Update: Changes the attributes of objects in the target connected data systems
based on the changes made to specific objects in the source connected system. To
define the objects that will participate in the update operation you can use object
mapping rules. For more information, see Mapping objects.
• Deprovision: Modifies or removes objects in the target connected data systems
after their counterparts have been disconnected from the source connected system.
Synchronization Service can be configured to remove objects permanently or change
them to a specific state.

2 Deploying Synchronization Service

This section describes how to:
• Install and configure Active Roles Synchronization Service.
• Configure Azure BackSync.
• Upgrade from supported versions of One Identity Quick Connect.

It also lists the communication ports used by Synchronization Service.

Installing Synchronization Service
To install all features and components of Active Roles Synchronization Service, use the
installation media downloaded from the One Identity Support Portal. Alternatively, you can
also install the Synchronization Service Management Shell only.

To install Synchronization Service and all its components

1. Make sure the system on which you want to install Synchronization Service meets the
system requirements described in the Active Roles Release Notes.
2. From the Active Roles installation package, run the Active Roles setup.
3. Follow the instructions in the setup wizard.
4. On the Ready to Install page, click Install. The wizard will then install the following
components:
• Synchronization Service Console: The graphical user interface of Active Roles
Synchronization Service.
• Management Shell: A command-line interface to synchronize data between
external data systems with Active Roles Synchronization Service. For more
information, see Synchronization Service Management Shell.
• All built-in connectors to connect Synchronization Service to external data
systems.
5. To exit the wizard, click Finish.

To install Synchronization Service Management Shell only

1. In Windows Explorer, navigate to the following folder of the installation media:
\Components\ActiveRoles Synchronization Service
2. To open the Windows command prompt, click the navigation bar of Windows
Explorer, enter cmd, then press Enter.
3. To install Synchronization Service Management Shell only, enter the following
command, then press Enter:
SyncService.msi INSTALLSYNCSHELL=1
The installer then silently installs Synchronization Service Management Shell.
4. To check whether Management Shell has finished installing, search for the application
either in the Windows Start Menu or in the Apps & Features list of the operating system.
Once setup has finished the installation, Management Shell appears in these lists.
To uninstall, navigate to Add or remove programs, click Active Roles
Synchronization Service Management Shell, then click Uninstall.
NOTE: Running the Active Roles installation wizard with the .exe file of the
installation media always installs both the Synchronization Service Console and the
Synchronization Service Management Shell.
One Identity recommends using the installation wizard to install both the
Synchronization Service Console and the Synchronization Service Management Shell for
most use cases.

Configuring Synchronization Service


To configure Synchronization Service, you can use one of the following methods:
• Specify new SQL Server or Azure SQL Server databases for storing the
  Synchronization Service data.
  With this method, you can store the configuration settings and synchronization data
  either in a single new SQL Server database or in two separate databases.
• Share existing configuration settings between two or more instances of
  Synchronization Service.

Prerequisites
• If you are using an Azure SQL Server, set the db_owner database role to the user of
  the Azure SQL Server.
• If you are using an SQL Server, set the dbcreator server role to the user of
  the SQL Server.
  dbcreator is the minimum role that the user of the SQL Server or Azure SQL Server
  requires for the initial configuration of Synchronization Service.

After creating the new database, you can revoke the dbcreator role because the db_
owner role that is automatically assigned to the same user of the SQL Server is
sufficient for the Synchronization Service database connection.
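As an added example (not from the One Identity guide), the following PowerShell applies the least-privilege sequence described above to a SQL Server login: confirm dbcreator before the Configuration Wizard runs, then, once the database exists and the login controls it, drop dbcreator again. It assumes the SqlServer module (Invoke-Sqlcmd), a SQL Server instance rather than Azure SQL, and the placeholder instance, login and database names shown.

```powershell
# Added example, not part of the One Identity guide. Replace the placeholders with your
# own SQL Server instance, service login and database name. ALTER SERVER ROLE is a
# SQL Server statement; on Azure SQL only the db_owner step from the guide applies.
$SqlInstance  = 'SQL01'                # placeholder: SQL Server entered on the Database Connection page
$ServiceLogin = 'CONTOSO\svc-arsync'   # placeholder: account Synchronization Service runs as
$DatabaseName = 'SyncServiceConfig'    # placeholder: database name entered in the wizard

# Escape single quotes so the names are safe inside T-SQL string literals.
function ConvertTo-SqlLiteral([string]$Value) { "'" + ($Value -replace "'", "''") + "'" }

function Test-SyncServiceSqlRoles {
    # Reports whether the login holds dbcreator (needed only for the initial configuration)
    # and whether it already controls the database (owner or db_owner member), which is
    # all Synchronization Service needs afterwards.
    $login  = ConvertTo-SqlLiteral $ServiceLogin
    $dbName = ConvertTo-SqlLiteral $DatabaseName

    $server = Invoke-Sqlcmd -ServerInstance $SqlInstance -Query @"
SELECT ISNULL(IS_SRVROLEMEMBER('dbcreator', $login), 0) AS IsDbCreator,
       (SELECT COUNT(*) FROM sys.databases WHERE name = $dbName) AS DbExists,
       (SELECT COUNT(*) FROM sys.databases
         WHERE name = $dbName AND SUSER_SNAME(owner_sid) = $login) AS IsDbOwnerPrincipal;
"@

    $isDbOwnerMember = 0
    if ($server.DbExists -gt 0) {
        # db_owner membership is a database-level property, so query inside the database.
        $isDbOwnerMember = (Invoke-Sqlcmd -ServerInstance $SqlInstance -Database $DatabaseName -Query @"
SELECT COUNT(*) AS Cnt
FROM sys.database_role_members rm
JOIN sys.database_principals r  ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals m  ON m.principal_id = rm.member_principal_id
JOIN sys.server_principals   sp ON sp.sid = m.sid
WHERE r.name = 'db_owner' AND sp.name = $login;
"@).Cnt
    }

    [pscustomobject]@{
        Login          = $ServiceLogin
        HasDbCreator   = [bool]$server.IsDbCreator
        DatabaseExists = [bool]$server.DbExists
        HasDbOwner     = ([bool]$server.IsDbOwnerPrincipal) -or ($isDbOwnerMember -gt 0)
    }
}

function Remove-SyncServiceDbCreator {
    # Drops dbcreator only once the database exists and the login controls it; otherwise
    # the Configuration Wizard would fail the next time it tries to create the database.
    $state = Test-SyncServiceSqlRoles
    if (-not $state.HasDbCreator) { Write-Host "$ServiceLogin does not hold dbcreator; nothing to do."; return }
    if (-not ($state.DatabaseExists -and $state.HasDbOwner)) {
        Write-Warning "Database '$DatabaseName' is missing or not controlled by $ServiceLogin; keeping dbcreator."
        return
    }
    $login = ConvertTo-SqlLiteral $ServiceLogin
    # QUOTENAME inside dynamic SQL builds the identifier safely instead of concatenating it.
    Invoke-Sqlcmd -ServerInstance $SqlInstance -Query @"
DECLARE @sql nvarchar(400) = N'ALTER SERVER ROLE dbcreator DROP MEMBER ' + QUOTENAME($login);
EXEC sp_executesql @sql;
"@
    Write-Host "Revoked dbcreator from $ServiceLogin; control of '$DatabaseName' remains."
}

# Run before the Configuration Wizard to confirm dbcreator, then after it to revoke the role.
Test-SyncServiceSqlRoles | Format-List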

To configure Synchronization Service using a new database

1. Start the Synchronization Service Console.
2. Follow the steps in the wizard that starts automatically to configure
   Synchronization Service.
3. On the Service Account and Mode page, specify the following and click Next:
   • The account under which you want Synchronization Service to run.
   • The mode (local or remote) in which you want to use Synchronization Service.
     Use the remote mode to work with connectors installed remotely. For more
     information, see Using connectors installed remotely. If you select the remote
     mode, click Finish to close the wizard.
4. Select Create a new configuration and click Next.
5. On the Database Connection page, specify an SQL Server database.
   • SQL Server: Enter the name of the SQL Server computer that hosts the
     database you want to participate in data synchronization operations.
   • Database: Enter a name for the new SQL Server database.
6. (Optional) Select Store sync data in a separate database.
   • If you want to store the configuration settings and synchronization data in a
     single SQL Server database, clear the check box.
   • If you want to store the configuration settings and synchronization data in two
     separate databases, select the check box, then specify the database in which
     you want to store the synchronization data.
7. On the Database Connection page, select an SQL Server authentication method,
   and click Next.
   • Use Windows authentication: Allows you to access the SQL Server in
     the security context of the account under which the Synchronization
     Service is running.
   • Use SQL Server authentication: Allows you to access the SQL Server in the
     security context of the SQL Server user account whose user name and
     password you specify.
   NOTE: For all Azure SQL Server variants, select Use SQL Server authentication
   because Windows authentication is not supported.
8. On the Configuration File page, select the file for storing the created configuration
profile, protect the file with a password, and click Finish.

To configure Synchronization Service using an existing database

1. Start the Synchronization Service Console.
2. Follow the steps in the wizard that starts automatically to configure
   Synchronization Service.
3. On the Service Account and Mode page, specify the following and click Next:
   • The account under which you want Synchronization Service to run.
   • The mode (local or remote) in which you want to use Synchronization Service.
     Use the remote mode to work with connectors installed remotely. For more
     information, see Using connectors installed remotely. If you select the remote
     mode, click Finish to close the wizard.
4. Select Use an existing configuration and click Next.
   NOTE: If the Synchronization Service is already configured, using an existing
   configuration file does not override the existing SQL Server or Azure SQL Server
   database settings. To change the settings of the database, you must reconfigure it
   or reinstall the Synchronization Service with the new configuration.
5. On the Configuration File page, select I have the configuration file to provide
the configuration file you exported from an existing Synchronization Service
instance, enter the password if necessary, and click Next. If you do not have the
configuration file, after clicking Next you will need to enter the required settings.
6. If you provided the configuration file, specify the authentication method for accessing
the database. Otherwise, enter the required database name and select the
authentication method. Click Finish.

After you configure Synchronization Service, you can change its settings at any time using
the Configuration Wizard. To start the wizard, start the Synchronization Service Console
and click the gear icon in the upper right corner of the Synchronization Service Console.


Configuring Azure BackSync


In hybrid environments, on-premises Active Directory (AD) objects are synchronized to
Azure AD, for example via Azure AD Connect. When you deploy Active Roles in such a
hybrid environment, this synchronization works only if existing user and group information
(such as the Id) is also synchronized back from Azure AD to the on-premises AD. Active
Roles uses Azure back-synchronization (also known as Azure BackSync) for this purpose.

Prerequisites

The hybrid environment must meet the following requirements to configure Azure
BackSync:
• Azure Active Directory (Azure AD) module version 2.0.0.131 or later must be
  installed and configured.
• The Directory Writers role must be enabled in Azure AD. To enable the role, use the
  following script:

    # Sign in to Azure AD as an account allowed to enable directory roles
    # (accounts that require interactive MFA must run Connect-AzureAD without -Credential)
    $psCred = Get-Credential
    Connect-AzureAD -Credential $psCred

    # Look up the "Directory Writers" role template; a role is only a template until enabled
    $roleTemplate = Get-AzureADDirectoryRoleTemplate | ? { $_.DisplayName -eq "Directory Writers" }

    # Enable an instance of the DirectoryRole template
    Enable-AzureADDirectoryRole -RoleTemplateId $roleTemplate.ObjectId

In addition, the user account you use to configure Azure BackSync must have the
following roles:
• User Administrator
• Exchange Administrator
• Application Administrator
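As an added pre-flight check (not from the One Identity guide), the following PowerShell verifies the prerequisites above with the AzureAD module the guide already requires: the module version, an enabled Directory Writers role, and the three administrator roles on the account that will configure BackSync. It assumes Connect-AzureAD has already been run, that the tenant returns the role display names used on this page, and a placeholder UPN.

```powershell
# Added example, not part of the One Identity guide. Run after Connect-AzureAD as the
# account that will configure Azure BackSync; the UPN at the bottom is a placeholder.
$RequiredModuleVersion = [version]'2.0.0.131'
$RequiredRoles = @('User Administrator', 'Exchange Administrator', 'Application Administrator')

function Test-AzureBackSyncPrerequisites {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    # 1. AzureAD module: the guide requires version 2.0.0.131 or later.
    $module = Get-Module -ListAvailable -Name AzureAD |
        Sort-Object Version -Descending | Select-Object -First 1
    $moduleOk = ($null -ne $module) -and ($module.Version -ge $RequiredModuleVersion)

    # 2. Directory Writers must be an enabled role. Get-AzureADDirectoryRole lists only
    #    roles that have been activated from their template in this tenant.
    $enabledRoles = Get-AzureADDirectoryRole
    $directoryWritersOn = [bool]($enabledRoles | Where-Object DisplayName -eq 'Directory Writers')

    # 3. The configuring account needs User, Exchange and Application Administrator.
    #    Only direct, active assignments are visible here (not PIM-eligible ones or roles
    #    inherited via role-assignable groups). Assumption: the tenant returns the same
    #    role display names the guide uses.
    $user = Get-AzureADUser -ObjectId $UserPrincipalName
    $missingRoles = foreach ($roleName in $RequiredRoles) {
        $role = $enabledRoles | Where-Object DisplayName -eq $roleName
        if (-not $role) { $roleName; continue }   # never activated, so nobody holds it
        $members = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId
        if (-not ($members | Where-Object ObjectId -eq $user.ObjectId)) { $roleName }
    }
    $missingRoles = @($missingRoles)

    [pscustomobject]@{
        ModuleVersion           = if ($module) { $module.Version } else { $null }
        ModuleVersionOk         = $moduleOk
        DirectoryWritersEnabled = $directoryWritersOn
        MissingRoles            = $missingRoles
        TenantId                = (Get-AzureADTenantDetail).ObjectId   # GUID the BackSync wizard asks for
        Ready                   = $moduleOk -and $directoryWritersOn -and ($missingRoles.Count -eq 0)
    }
}

Test-AzureBackSyncPrerequisites -UserPrincipalName 'backsync-admin@contoso.onmicrosoft.com' | Format-List
```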

Automatic and Manual Azure BackSync

You can perform Azure back-synchronization with Active Roles Synchronization Service,
either automatically or manually:

• You can configure automatic Azure back-synchronization via the (Settings) >
  Configure Azure BackSync option of Active Roles Synchronization Service. For
  more information, see Configuring automatic Azure BackSync.
• You can also configure manual Azure back synchronization, using existing Active
  Roles Synchronization Service feature components. For more information, see
  Configuring manual Azure BackSync.

Configuring manual Azure BackSync


You can configure manual Azure back synchronization (Azure BackSync) by using the
existing features of Active Roles Synchronization Service components. When setting up
manual Azure BackSync, you must configure a sync workflow to identify Azure AD-specific
users or groups, and to map them to the corresponding on-premises Active Directory (AD)
users or groups. After a manual Azure BackSync operation is completed, Active Roles will
display the configured Azure attributes for the synchronized objects.
For more information on setting up automatic Azure back-synchronization, see Configuring
automatic Azure BackSync.

Prerequisites

The hybrid environment must meet the following requirements to configure Azure
BackSync manually:
• Azure Active Directory (Azure AD) module version 2.0.0.131 or later must be
  installed and configured.
• You must authenticate the Azure tenant of the Azure AD for which you configure
  back-synchronization. Also, you must grant consent to Active Roles as an Azure
  application. For more information, see Configuring Active Roles to manage Azure AD
  using the GUI in the Active Roles Administration Guide.
• For the container where Active Roles performs back-synchronization, you must
  enforce the built-in Azure AD policy that automatically sets the attribute
  edsvaAzureOffice365Enabled to true.
• Your Active Roles user must have write permissions for the following attributes:
    • edsvaAzureOffice365Enabled
    • edsaAzureContactObjectId
    • edsvaAzureObjectID
    • edsvaAzureAssociatedTenantId
• Your Active Roles user must also have local administrator privileges on the machine
  where Active Roles Synchronization Service is running.

To configure a manual Azure BackSync workflow

1. Create a connection to Azure AD using the Azure AD Connector. The configuration
   requires the following data:
   • The Azure domain name.
   • The Client ID in Azure AD.
   • The Client Key to establish the connection to Azure AD.
2. Create an Azure application (or use any relevant existing Azure application) under
   the Azure tenant of your Azure AD. The application must have application
   permissions to read and write directory data in Azure AD.
   TIP: You can assign the required permissions to the application by running a
   Windows PowerShell script. For more information, see Creating a Microsoft Azure
   Active Directory connection.
3. Open the application properties and copy the following:
   • Client ID
   • The valid Client Key of the application.
4. Use the Client ID and Client Key when creating a new Azure AD connection or
   modifying an existing one. For more information, see Creating a Microsoft Azure
   Active Directory connection.
   NOTE: Two applications are required for Azure BackSync operations:
   • The Web Application that you created in this step, or is already available for
     the Synchronization Service Azure AD Connector.
   • An Azure application that you created while configuring Azure AD in the
     Active Roles Administration Service.
     For details, see Configuring Active Roles to manage Azure AD using the GUI
     in the Active Roles Administration Guide.
   Both applications are required for Azure BackSync operations.
5. Create a connection to Active Roles using the Active Roles Connector. The
configuration requires the local domain details and the version of Active Roles you
use. Define the scope to select the container from which Active Roles will select the
objects for synchronization.
6. In the Active Roles Synchronization Service, create a new sync workflow with Sync
Workflows > Add sync workflow. Use the Azure AD and Active Roles connections
configured previously, and add a synchronization step to synchronize the Azure AD
users or groups with the on-premises users or groups in Active Roles.
7. In the on-premises Active Roles users or groups, set the
   edsvaAzureAssociatedTenantId attribute to the value of the Azure
   tenant ID.
   NOTE: If you did not configure the edsvaAzureAssociatedTenantId attribute, an
   error will be logged for each object in the Event Viewer.
8. Configure the Forward Sync Rule to synchronize the following:

   • The Azure Object ID property of the Azure AD user or group to the
     edsvaAzureObjectID property of the corresponding on-premises Active
     Roles user or group.
   • Set the edsvaAzureOffice365Enabled attribute in the on-premises Active
     Roles user or group to true.
   • Set the edsvaAzureAssociatedTenantId attribute to the value of the
     Azure tenant ID.
9. Create a Mapping Rule. A mapping rule has two functions:
   • It uniquely identifies the synchronized users or groups both in Azure AD and in
     the on-premises AD.
   • It maps the specified properties from Azure AD to Active Roles appropriately.
   For example, the property userprincipalname can be used to map users between
   the on-premises AD and Azure AD in a federated environment.

CAUTION: Based on the environment, make sure to create the correct
mapping rule to identify the user or group uniquely. Incorrect
mapping rules may create duplicate objects, resulting in Azure
BackSync not working as expected.

NOTE: Consider the following when configuring manual Azure back synchronization:
• You must perform the initial configuration and back synchronization of Azure
  AD user IDs only once.
• Azure AD groups cannot be created in Federated or Synchronized
  environments. Instead, Azure AD groups are created in Active Roles and are
  synchronized to Azure AD using native Microsoft tools, such as Azure AD
  Connect. To manage the Azure AD group through Active Roles, you must
  perform periodic back synchronization to the on-premises AD.

Configuring automatic Azure BackSync

You can configure automatic Azure BackSync via the (Settings) > Configure Azure
BackSync option of Active Roles Synchronization Service Console. After you finish
configuration, the Synchronization Service Console will automatically create the Azure
BackSync registration, its required connections, mappings and workflows.
For more information on setting up manual Azure BackSync, see Configuring manual
Azure BackSync.

To configure an automatic Azure BackSync workflow in Active Roles Synchronization Service

1. To open the Configure BackSync operation in Azure with on-prem Active
   Directory objects window of Synchronization Service Console, click (Settings)
   > Configure Azure BackSync.
2. Select one of the following options based on the number of Azure AD services in your
Azure tenant:
   • I have one Azure AD in my Azure tenant.
   • I have more than one Azure AD in my Azure tenant.
3. Authenticate your access to Azure AD:
   • If you have selected I have one Azure AD in my Azure tenant, to
     authenticate your access to Azure AD, click Log in to Azure, and from the
     Select Environment Type drop-down, select the environment type of your
     Azure tenant.
   • If you have selected I have more than one Azure AD in my Azure tenant,
     in Tenant ID, enter the GUID of the Azure AD for which you want to set up
     synchronization.
     TIP: For more information on how to find the GUID of an Azure AD service,
     see Finding the GUID (Tenant ID) of an Azure AD for Azure BackSync.
     After specifying the tenant ID, to authenticate your access to Azure AD, click
     Log in to Azure, and in the Select Environment Type drop-down, select
     the environment of your Azure tenant.
     NOTE: If you select I have more than one Azure AD in my Azure
     tenant, the Log in to Azure button will be enabled only if you specify a
     well-formed Azure AD GUID in the Tenant ID text box.
4. Under Connect to, specify the domain name of the computer where Active Roles
Synchronization Service is running.
5. Select the validation method used to access Active Roles Administration Service.
Depending on how Active Roles has been deployed in your organization, you can
either use Synchronization Service account or Windows account-based
validation. If you have selected Windows account authentication, enter your
Windows user name and password.
6. To test the configured Active Roles connection, click Test Active Roles
Connection.
7. To apply your changes, click Configure BackSync.
NOTE: If the Azure BackSync settings have already been configured previously,
Synchronization Service Console will display a warning message to confirm if you
want to override the existing Azure BackSync settings with the new settings.
   • To override the existing settings, click Override BackSync Settings.
   • To keep the existing settings, click Cancel.

8. An Application Consent dialog will appear, prompting you for authentication. To
   grant consent to Active Roles, click OK.
Synchronization Service Console will automatically register the Azure application,
and it will also create the required connections, mappings, and workflow steps
for back synchronization. For more information on the automatically created
Azure BackSync settings, see Settings updated after Azure BackSync
configuration operation.
9. To make the new Azure BackSync workflow appear under Sync Workflows, close
and reopen Synchronization Service Console. The new Azure BackSync workflow will
appear with the following default name: AutoCreated_
AzureADBackSyncWorkFlow_<tenant-name>.

Settings updated after Azure BackSync configuration operation

This section provides descriptions about the Azure App registration, connections,
mappings, and workflow steps that are created automatically as a result of the Azure
BackSync configuration operation.

Azure App registration

The Azure App is created automatically with the default name as ActiveRoles
AutocreatedAzureBackSyncApp_V2.
NOTE: After the Azure App is registered in Azure, you must not delete or modify the
application. The back synchronization operation will not work as expected in case you
modify or delete the registered Azure App.

Sync workflows

On the Synchronization Service Console, click Sync Workflows to view the sync workflow
named AutoCreated_AzureADBackSyncWorkflow_<tenant name> that is created as a result of
the Azure BackSync configuration. The workflow displays the following synchronization
update steps from Azure AD to Active Roles for users, groups, and contacts:
• Step 1: AutoCreated_UpdateFromAzureToARSForBackSyncWorkFlowUser_<tenant> for users.
• Step 2: AutoCreated_UpdateFromAzureToARSForBackSyncWorkFlowGroup_<tenant> for groups.
• Step 3: AutoCreated_UpdateFromO365ToARSForBackSyncWorkFlowContact_<tenant> for contacts.

NOTE: Consider the following:

• Multiple tenants are supported in back synchronization. The workflows can be
  identified using the name of the tenant.
• The Forward Sync Rules to synchronize the following are automatically
  configured and displayed in the synchronization update steps for users and groups:
    • The Azure ObjectID property of a user or group is mapped to the Active
      Roles user or group edsvaAzureObjectID property.
    • The edsvaAzureOffice365Enabled attribute in the Active Roles user or
      group is set to True.
    • The edsvaAzureAssociatedTenantId attribute in the Active Roles user or
      group is set to the value of the Azure tenant ID.
• The Forward Sync Rules to synchronize the following are automatically configured
  and displayed in the synchronization update steps for contacts:
    • The Azure ExternalDirectoryObjectID property of a contact is mapped to the
      Active Roles contact edsaAzureContactObjectId property.
    • The edsvaAzureOffice365Enabled attribute in the Active Roles user or
      group is set to True.
    • The edsvaAzureAssociatedTenantId attribute in the Active Roles user or
      group is set to the value of the Azure tenant ID.

Connections

On the Synchronization Service Console, click Connections to view the connections from
Active Roles, Azure AD, and Microsoft 365 to external data systems. The following
connections are configured and displayed by default:
• AutoCreated_ARSConnectorForBackSyncWorkFlow_<tenant>
• AutoCreated_AzureADConnectorForBackSyncWorkFlow_<tenant>
• AutoCreated_O365ConnectorForBackSyncWorkFlow_<tenant>

NOTE: Multiple tenants are supported in back synchronization. The connection name can
be identified using the name of the tenant.

Mapping

On the Synchronization Service Console, click Mapping to view the mapping rules which
identify the users, groups, or contacts in Azure AD and on-premises AD uniquely and map
the specified properties from Azure AD to Active Roles appropriately.
On the Mapping tab, click a connection name to view or modify the mapping settings for
the corresponding connection. The user, group, and contact mapping pair information is
displayed by default as a result of the Azure BackSync configuration. For example, the
property userprincipalname can be used to map users between on-premises AD and
Azure AD in a federated environment.
NOTE: Consider the following when working with mapping rules:

• For more information on managing mapping pairs for the connections, see Change
  scope for mapping rules.
• The mapping rules are created by default. Based on the environment, make
  sure that the default mapping rules identify the user or group uniquely.
  Otherwise, correct the mapping rule as required. Incorrect mapping rules may
  create duplicate objects and the back synchronization operation may not work
  as expected.
• The initial configuration and run of the back synchronization operation for Azure AD
  user IDs and group IDs is a one-time activity. If required, you can reconfigure the
  Azure BackSync settings, which will override the previously configured back
  synchronization settings.

Finding the GUID (Tenant ID) of an Azure AD for Azure BackSync

If the Azure tenant of your organization contains multiple Azure AD services, One Identity
highly recommends specifying its GUID (also known as Tenant ID) when configuring Azure
BackSync automatically.
For details on configuring Azure BackSync automatically, see Configuring automatic
Azure BackSync.
The GUID of each Azure AD service is listed on the Microsoft Azure Portal.

To find the GUID (Tenant ID) of an Azure AD

1. Log in to the Microsoft Azure Portal.
2. Click Show portal menu.
3. Click Azure Active Directory.
4. In the Overview tab, under the Basic information heading, the value of the
Tenant ID is the GUID (Tenant ID) of the Azure AD.
TIP: If you have access to multiple Azure AD services, you can switch between
them with Manage tenants.

Upgrade from Quick Connect and Synchronization Service

If you have sync workflows configured and run by Quick Connect (the predecessor of
Synchronization Service), or earlier versions of Active Roles Synchronization Service, then
you can transfer those sync workflows to the current version of Active Roles
Synchronization Service.

You can transfer sync workflows from the following Quick Connect or Active Roles
Synchronization Service versions:
• Quick Connect for Active Directory 6.1
• Quick Connect for AS400 1.4
• Quick Connect for Base Systems 2.4
• Quick Connect for Cloud Services 3.7
• Quick Connect for RACF 1.3
• Quick Connect Sync Engine 5.5 and 6.1
• Synchronization Service 7.5 and later

For more information, see Transferring sync workflows from Quick Connect in the Active
Roles Synchronization Service Administration Guide.

Transferring sync workflows from Quick Connect

To transfer sync workflows from Quick Connect to Synchronization Service

1. Install Synchronization Service.
   You can install Synchronization Service on the computer running Quick Connect or
   on a different computer. For installation instructions, see Installing
   Synchronization Service.
2. Configure Synchronization Service to use a new database for storing configuration
settings and synchronization data.
To perform this step, use the Configuration Wizard that appears when you start
the Synchronization Service Console the first time after you install Synchronization
Service. For more information, see Configuring Synchronization Service.
3. Import configuration settings from Quick Connect or Synchronization Service.
Before you proceed with this step, it is highly recommended to disable the scheduled
workflows and mapping operations in Quick Connect or earlier versions of
Synchronization Service. You can resume the scheduled workflows and mapping
operations after you complete this step.
To import configuration settings:
a. On the computer where you have installed Synchronization Service, start the
Synchronization Service Console.
b. In the upper right corner of the Active Roles Synchronization Service window,
click the gear icon, and then click Import Configuration.

c. In the wizard that appears, select the version of Quick Connect Sync Engine
used by your Quick Connect version or Active Roles Synchronization Service
from which you want to import the configuration settings.
Optionally, you can select the Import sync history check box to import the
sync history along with the configuration settings.
d. Follow the steps in the wizard to complete the import operation.
If the synchronization data you want to import is stored separately from the
configuration settings, then, on the Specify source SQL Server databases step,
select the Import sync data from the specified database check box, and specify
the database.
4. Retype access passwords in the connections that were imported from Quick Connect.
   NOTE: Re-entering passwords in the imported connections is required because, for
   security reasons, the configuration import process does not retrieve encrypted
   passwords from Quick Connect. To modify the imported connections later, use the
   Synchronization Service Console. For more information, see External data systems
   supported with built-in connectors.
5. If your sync workflows involve synchronization of passwords, then you need to install
the new version of Capture Agent on your domain controllers. For installation
instructions, see Managing Capture Agent.
The new version of Capture Agent replaces the old version. However, as the new
version supports both Synchronization Service and Quick Connect, you do not lose
the password synchronization functions of Quick Connect after you upgrade
Capture Agent.

Communication ports
The following table lists the default communication ports used by Synchronization Service:

Table 1: Default communication ports

Port    Protocol   Type of traffic                                      Direction of traffic
53      TCP/UDP    DNS                                                  Inbound, outbound
88      TCP/UDP    Kerberos                                             Inbound, outbound
139     TCP        SMB/CIFS                                             Inbound, outbound
445     TCP        SMB/CIFS                                             Inbound, outbound
389     TCP/UDP    LDAP                                                 Outbound
3268    TCP        LDAP                                                 Outbound
636     TCP        SSL                                                  Outbound
        NOTE: This port is only required if Synchronization Service is configured to
        use SSL to connect to an Active Directory domain.
3269    TCP        SSL                                                  Outbound
        NOTE: This port is only required if Synchronization Service is configured to
        use SSL to connect to an Active Directory domain.
15173   TCP        Synchronization Service                              Outbound
        NOTE: This port is used by Capture Agent to communicate with Active Roles
        Synchronization Service.
7148    TCP        Between Synchronization Service and Capture Agent    Inbound
        NOTE: This port is used only if Synchronization Service is configured to
        synchronize user passwords from an Active Directory domain to other
        connected data systems.
135     TCP        RPC endpoint mapper                                  Inbound, outbound
        NOTE: Port 135 is a dynamically allocated TCP port for RPC communication with
        Active Directory domain controllers. For more information about ports used
        for RPC communication, see the following Microsoft Support Knowledge Base
        articles at support.microsoft.com:
        • How to restrict Active Directory RPC traffic to a specific port
          (Original KB number: 224196)
        • How to configure RPC dynamic port allocation to work with firewalls
          (Original KB number: 154596)
        • How to configure RPC to use certain ports and how to help secure those
          ports by using IPsec (Original KB number: 908472)
        • The default dynamic port range for TCP/IP has changed in Windows Vista and
          in Windows Server 2008 (Original KB number: 929851)
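As an added example (not from the One Identity guide), the following PowerShell probes the outbound TCP ports of Table 1 from the Synchronization Service host to a domain controller and checks whether the inbound Capture Agent port is listening locally. It assumes Windows PowerShell with the NetTCPIP module (Test-NetConnection, Get-NetTCPConnection) and a placeholder domain controller name; UDP traffic (DNS, Kerberos, LDAP over UDP) and the dynamic RPC range are not probed.

```powershell
# Added example, not part of the One Identity guide. Run on the Synchronization Service
# host; the domain controller name is a placeholder.
$DomainController = 'dc01.contoso.local'   # placeholder

# Outbound TCP ports from Table 1. The two SSL ports are required only when
# Synchronization Service is configured to connect to Active Directory over SSL.
$OutboundPorts = @(
    [pscustomobject]@{ Port = 53;   Traffic = 'DNS';                 Required = $true  }
    [pscustomobject]@{ Port = 88;   Traffic = 'Kerberos';            Required = $true  }
    [pscustomobject]@{ Port = 135;  Traffic = 'RPC endpoint mapper'; Required = $true  }
    [pscustomobject]@{ Port = 139;  Traffic = 'SMB/CIFS';            Required = $true  }
    [pscustomobject]@{ Port = 445;  Traffic = 'SMB/CIFS';            Required = $true  }
    [pscustomobject]@{ Port = 389;  Traffic = 'LDAP';                Required = $true  }
    [pscustomobject]@{ Port = 3268; Traffic = 'LDAP';                Required = $true  }
    [pscustomobject]@{ Port = 636;  Traffic = 'SSL';                 Required = $false }
    [pscustomobject]@{ Port = 3269; Traffic = 'SSL';                 Required = $false }
)

function Test-SyncServiceOutboundPorts {
    param([string]$Target = $DomainController, [object[]]$Ports = $OutboundPorts)
    foreach ($p in $Ports) {
        # Test-NetConnection performs a TCP handshake only; a closed or filtered port
        # reports TcpTestSucceeded = $false (its warning output is suppressed here).
        $r = Test-NetConnection -ComputerName $Target -Port $p.Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Target   = $Target
            Port     = $p.Port
            Traffic  = $p.Traffic
            Required = $p.Required
            Open     = [bool]$r.TcpTestSucceeded
            # A required port that is closed is what to raise with the firewall owners.
            Problem  = $p.Required -and -not $r.TcpTestSucceeded
        }
    }
}

function Test-CaptureAgentListener {
    # Port 7148 is inbound from Capture Agent and used only for password synchronization,
    # so a missing listener is expected unless that feature is configured.
    $listener = Get-NetTCPConnection -LocalPort 7148 -State Listen -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Port      = 7148
        Listening = [bool]$listener
        OwningPid = if ($listener) { ($listener | Select-Object -First 1).OwningProcess } else { $null }
    }
}

# Reaching port 135 only proves the endpoint mapper answers; the dynamic RPC range covered
# by the KB articles above must also be allowed through any firewall in the path.
Test-SyncServiceOutboundPorts | Format-Table -AutoSize
Test-CaptureAgentListener
```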

Deploying Synchronization Service for use with AWS Managed Microsoft AD

NOTE: This feature is officially supported starting from Active Roles 8.1.3 SP1 (build
8.1.3.10). It is not supported on Active Roles 8.1.3 (build 8.1.3.2) and earlier versions.
Active Roles Synchronization Service supports deployment and configuration in the
Amazon cloud to manage AWS Managed Microsoft AD object synchronization.
This allows you to:
• Synchronize directory data from an on-premises AD environment to AWS Managed
  Microsoft AD.
• Synchronize passwords from an on-premises Active Directory to AWS Managed
  Microsoft AD (with certain limitations).

Supported AWS Managed Microsoft AD deployment configuration

To synchronize data to and from AWS Managed Microsoft AD, you must deploy Active Roles
in Amazon Web Services (AWS) in the following configuration:
• Active Roles must be deployed on an Amazon Elastic Compute Cloud (EC2) instance
  or instances. For more information, see the Amazon Elastic Compute Cloud
  documentation.
• The SQL Server required by Active Roles Synchronization Service must run on a
  separate Amazon Relational Database Service for Microsoft SQL Server (RDS for SQL
  Server) instance. For more information, see the Amazon RDS documentation.
• The Active Directory environment must be hosted in AWS via AWS Directory Service.
  For more information, see the AWS Directory Service documentation.

NOTE: Support for AWS Managed Microsoft AD by Active Roles was tested only in this
configuration. Active Roles does not officially support managing AWS Managed Microsoft
AD environments in a hybrid deployment, that is, using an on-premises Active Roles
and/or SQL Server installation and hosting AD via AWS Directory Service.

Synchronization Service features and limitations when used with AWS Managed Microsoft AD

If configured to manage AWS Managed Microsoft AD in the Amazon cloud, Active Roles
Synchronization Service offers the following features:
• Synchronization Service connections and sync workflows based on the following
  Active Roles Synchronization Service connectors:
    • Active Directory Connector
    • Active Roles Connector
    • Delimited Text File Connector
• Synchronizing passwords with Active Roles Synchronization Service from on-
  premises AD to AWS Managed Microsoft AD.

However, when using Synchronization Service in an EC2 instance in the Amazon cloud, also
consider the following limitations.

Amazon Web Services limitations

For Active Roles installations deployed in Amazon Elastic Compute Cloud (EC2) instances
and SQL Servers hosted on Amazon Relational Database Service for SQL Server (RDS for
SQL Server) instances, the known EC2 and RDS limitations apply.
• For more information about the known EC2 limitations, see Launch template
  restrictions, Hibernation limitations and (if applicable) Constraints on the size and
  configuration of an EBS volume in the Amazon EC2 documentation.
• For more information about the known Amazon RDS limitations, see Quotas and
  constraints in the Amazon RDS documentation.

Synchronization Service limitations


• When synchronizing directory data or passwords from on-premises Active Directory
  to AWS Managed Microsoft AD, Active Roles Synchronization Service has the
  following limitations:
    • Active Roles Synchronization Service was only tested to work with connections
      and sync workflows based on the following connectors:
        • Active Directory Connector
        • Active Roles Connector
        • Delimited Text File Connector
      Sync workflows and connections based on other connectors are not
      officially supported.
    • When synchronizing passwords from an on-premises Active Directory to AWS
      Managed Microsoft AD, synchronizing the pwdHash attribute and synchronizing
      then populating the SIDHistory attribute to AWS Managed Microsoft AD is not
      supported. This is because the Synchronization Service Capture Agent cannot
      be installed in an AWS Managed Microsoft AD environment.
• Synchronizing passwords from AWS Managed Microsoft AD to on-premises AD with
  Active Roles Synchronization Service is not supported. This is because the
  Synchronization Service Capture Agent cannot be installed in an AWS Managed
  Microsoft AD environment.

Main steps of configuring Active Roles for AWS Managed Microsoft AD
If your organization and environment meet the Deployment requirements for AWS
Managed Microsoft AD support, configuring Active Roles for managing AWS Managed
Microsoft AD via AWS Directory Service has the following main steps:

1. Creating your AWS Managed Microsoft AD environment.
2. Creating an Amazon Elastic Compute Cloud (EC2) instance for Active Roles.
3. Joining the EC2 instance to AWS Managed Microsoft AD.
4. Creating an Amazon Relational Database Service for SQL Server (RDS for SQL
   Server) instance to host the Active Roles Synchronization Service database.
5. Verifying the connectivity between the EC2 and RDS instances.
6. Installing and configuring Active Roles Synchronization Service on the EC2 instance.

Deployment requirements for AWS Managed Microsoft AD support
Before starting the deployment and configuration of Active Roles to manage AWS
Managed Microsoft AD via AWS Directory Service, make sure that the following
requirements are met.
NOTE: When setting up a virtual environment, carefully consider the configuration
aspects such as CPU, memory availability, I/O subsystem, and network infrastructure to
ensure the virtual layer has the necessary resources available. Please consult One
Identity's Product Support Policies for more information on environment virtualization.

Connectivity requirements

You must have:

• Stable network connectivity to Amazon Web Services (AWS).
• Port 1433 open and available for the Amazon Relational Database Service
  (RDS) service.
• Access to the AWS service with the AWSAdministratorAccess permission.
  NOTE: Make sure that you have AWSAdministratorAccess permission, as it is
  required for certain configuration steps. The AWSPowerUserAccess permission
  is not sufficient for completing the entire configuration procedure.

Infrastructure requirements

To deploy and configure Active Roles for AWS Managed Microsoft AD, you must have access
to the following AWS services and resources:
• AWS Managed Microsoft AD deployed via AWS Directory Service.
• One or more Amazon Elastic Compute Cloud (EC2) instance(s) hosting the Active
  Roles services and components.
  The EC2 instance(s) must have, at minimum:
  • 2 vCPUs running at 2.0 GHz.
  • 4 GB of RAM.
  NOTE: AWS Managed Microsoft AD support was tested with a single t2.large
  EC2 instance.
• An Amazon Relational Database Service for SQL Server (RDS for SQL Server) instance.
  NOTE: AWS Managed Microsoft AD support was tested with an RDS instance
  running the latest version of Microsoft SQL Server.

Make sure that all these components are discoverable or visible to each other.

Creating the AWS Managed Microsoft AD instance
To deploy and configure Active Roles in Amazon Web Services (AWS) for managing AWS
Managed Microsoft AD, first you must create an AWS Directory Service instance hosting
your AWS Managed Microsoft AD instance in the AWS console. For more information on
configuring the service in the AWS console, see Setting up AWS Directory Service in the
AWS Directory Service documentation.
NOTE: Consider the following when creating the AWS Managed Microsoft AD instance:
• Make sure that the connectivity requirements listed in Deployment requirements
  for AWS Managed Microsoft AD support are met.
• During the procedure, take note of the following values, as they will be required in
  later procedures:
  • Directory DNS name: The fully qualified domain name (FQDN) of your AD
    service (for example, activeroles.demo).
  • Directory NetBIOS name: The NetBIOS name (or shortname) of your AD
    service (for example, ARDEMO).
  • Admin password: The password of the default admin account (named
    admin).
• After specifying all required settings, it takes approximately 30-40 minutes to
  create the AWS Managed Microsoft AD instance. If you run into any issues when
  creating the environment, see Troubleshooting AWS Managed Microsoft AD in the
  AWS Managed Microsoft AD documentation.

Creating the EC2 instance for Active Roles


To deploy and configure Active Roles in Amazon Web Services (AWS) for managing AWS
Managed Microsoft AD, you must create an Amazon Elastic Compute Cloud (EC2) instance
hosting your Active Roles installation.
Complete the procedure in AWS as described in Set up to use Amazon EC2 in the Amazon
EC2 documentation. If you run into any problems when configuring or connecting to the
EC2 instance, see Troubleshoot EC2 Windows instances in the Amazon EC2 documentation.
NOTE: Consider the following when creating the EC2 instance:
• Make sure that the connectivity requirements listed in Deployment requirements
  for AWS Managed Microsoft AD support are met.
• For the operating system on the EC2 instance, select a Microsoft Windows
  Server AMI supported by Active Roles. For the list of supported Windows Server
  operating systems, see System requirements in the Active Roles Release Notes.
• Select an EC2 instance type that has, at minimum:
  • 2 vCPUs running at 2.0 GHz.
  • 4 GB of RAM.
• One Identity recommends setting the storage to a minimum of 60 GiB of gp2
  root volume.

TIP: For consistency, after you have logged in to the EC2 instance, rename the virtual
machine to the same name that you originally defined for the EC2 instance in the AWS
console.

Joining the EC2 instance to AWS Managed Microsoft AD
After you created your AWS Managed Microsoft AD service and your EC2 instance(s), you
must join the configured Amazon Elastic Compute Cloud (EC2) instance(s) to AWS
Managed Microsoft AD.
Complete the procedure in Amazon Web Services (AWS) as described in Join an EC2
instance to your AWS Managed Microsoft AD directory in the AWS Directory Service
documentation.
NOTE: Consider the following when joining the EC2 instance(s) to AWS Managed
Microsoft AD:
• Make sure that the connectivity requirements listed in Deployment requirements
  for AWS Managed Microsoft AD support are met.
• You need to use the fully qualified domain name that you configured during
  Creating the AWS Managed Microsoft AD instance.

TIP: If the domain join process ends with an error, check the specified DNS addresses
and Domain Admin credentials in the AWS console.
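As an added example that is not part of the One Identity guide, the following PowerShell script runs the checks the TIP points at before you attempt the join: it lists the DNS servers the EC2 instance uses, locates the directory's domain controllers through the DC locator SRV record, and confirms that LDAP and Kerberos are reachable on each of them. It assumes the guide's example Directory DNS name activeroles.demo; the function name is hypothetical.

```powershell
# Added example, not part of the One Identity guide. Pre-join checks for an EC2 instance
# that is about to be joined to AWS Managed Microsoft AD. The default FQDN is the
# guide's example value (activeroles.demo); replace it with your Directory DNS name.
param(
    [string]$DirectoryDnsName = 'activeroles.demo'
)

function Test-ManagedAdPreJoin {
    # Hypothetical helper name (not a cmdlet of Active Roles or AWS).
    param([Parameter(Mandatory)][string]$Fqdn)

    $result = [ordered]@{
        Fqdn              = $Fqdn
        DnsServers        = @()
        DomainControllers = @()
        LdapReachable     = $false
    }

    # 1. Which DNS servers does this instance use? For the join to succeed they must be
    #    the DNS addresses of the AWS Managed Microsoft AD directory (shown in the console).
    $result.DnsServers = Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses } |
        Select-Object -ExpandProperty ServerAddresses -Unique

    # 2. Locate the domain controllers through the standard DC locator SRV record.
    #    If this fails, the DNS servers above do not point at the directory.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Fqdn" -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' }
    $result.DomainControllers = $srv | Select-Object -ExpandProperty NameTarget -Unique

    # 3. A domain join needs LDAP (389) and Kerberos (88) on at least one DC; test both.
    foreach ($dc in $result.DomainControllers) {
        foreach ($port in 389, 88) {
            $ok = (Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
            Write-Host ("{0}:{1} -> {2}" -f $dc, $port, $(if ($ok) { 'open' } else { 'BLOCKED' }))
            if ($port -eq 389 -and $ok) { $result.LdapReachable = $true }
        }
    }
    [pscustomobject]$result
}

$check = Test-ManagedAdPreJoin -Fqdn $DirectoryDnsName
$check | Format-List

if (-not $check.LdapReachable) {
    Write-Warning "No domain controller for $DirectoryDnsName is reachable on 389; fix the DNS addresses and security groups before joining."
    return
}

# Only once the checks pass, join with the Domain Admin credentials supplied by AWS.
# Get-Credential prompts interactively, so no password is stored in this script.
# Uncomment to perform the join:
# Add-Computer -DomainName $DirectoryDnsName -Credential (Get-Credential -Message "Domain Admin for $DirectoryDnsName") -Restart
```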

Creating the RDS instance for the Active Roles SQL Server
If you manage AWS Managed Microsoft AD with Active Roles in Amazon Web Services
(AWS), you must store the Synchronization Service database in an Amazon Relational
Database Service (RDS) instance.
Configure the RDS instance in AWS as described in Setting up for Amazon RDS in the
Amazon RDS documentation.
NOTE: Consider the following when creating the RDS instance:
• Make sure that the connectivity requirements listed in Deployment requirements
  for AWS Managed Microsoft AD support are met.
• Select the SQL Server edition that suits your needs the most. For most Active Roles
  use cases, SQL Server Standard Edition is an optimal choice.
• Take note of the Master username and Master password, as these credentials
  will be required later.
• For Storage type, select General Purpose SSD (gp2), and allocate a minimum
  storage of 60 GiB.
• Consider selecting Enable storage autoscaling. Selecting this setting is useful if
  the SQL Server is utilized with a heavy load most of the time, but it may incur
  additional operational costs.

Verifying connectivity between the EC2 and RDS instances
After you have created the RDS instance, you can use the telnet client or Microsoft SQL
Server Management Studio (SSMS) in the EC2 instance to test whether RDS connectivity
was configured successfully.

To verify RDS connectivity in the EC2 instance

1. Log in to the EC2 instance created for Active Roles.
2. To test connectivity to RDS, install the telnet client. To do so:
   a. Open Windows Server Manager.
   b. On the Dashboard, click Add roles and features.
   c. In Installation Type, select Role-based or feature-based installation,
      then click Next.
   d. In Server Selection, choose Select a server from the server pool, and
      make sure that the local server (the EC2 instance) is selected.
   e. In Server Roles, just click Next.
   f. In Features, select Telnet Client.
   g. In Confirmation, click Install, then Close the application.
3. To verify connectivity to the RDS instance, open the Windows Command Prompt, and
   run the following command:
   telnet <rds-server-endpoint> <port-number>
   To find the RDS server endpoint and port to specify, open the entry of the RDS
   instance in the AWS console, and check the values under Connectivity & Security
   > Endpoint & port.
   NOTE: If the command returns an empty prompt, that indicates connectivity
   between the EC2 instance and the RDS instance.
4. Download and install Microsoft SQL Server Management Studio (SSMS) on the
   EC2 instance.
5. To test the connection with SSMS, start the application, then in the Connect to
   Server dialog, specify the following attributes:
   • Server type: Select Database Engine.
   • Server name: The same RDS instance endpoint used in the telnet command.
   • Authentication: Select SQL Server Authentication, then specify the admin
     user name and password created when configuring the RDS instance.
6. After you have specified all connection properties, click Connect.
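As an added example (not from the One Identity guide), the following PowerShell script performs the same two checks without installing the Telnet Client or SSMS: a TCP test against the RDS endpoint on port 1433, followed by a login with SQL Server authentication that also reports which SQL Server version answered. The endpoint is a labelled placeholder to replace with the value from Connectivity & Security > Endpoint & port; the function names are hypothetical.

```powershell
# Added example, not part of the One Identity guide. Tests EC2 -> RDS connectivity on the
# port the guide requires (1433) and then opens a real SQL connection with SQL Server
# authentication. Replace the placeholder endpoint with your RDS instance endpoint.
param(
    [string]$RdsEndpoint = 'REPLACE-WITH-RDS-ENDPOINT.rds.amazonaws.com',   # placeholder, not a real host
    [int]$Port = 1433,
    [string]$Database = 'master'
)

function Test-RdsTcp {
    # Hypothetical helper name. Same check as the telnet step, without the Telnet Client feature.
    param([string]$Server, [int]$Port)
    $tcp = Test-NetConnection -ComputerName $Server -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Server   = $Server
        Port     = $Port
        TcpOpen  = $tcp.TcpTestSucceeded
        RemoteIp = $tcp.RemoteAddress
    }
}

function Test-RdsSqlLogin {
    # Hypothetical helper name. Logs in with SQL Server authentication and returns who we are.
    param([string]$Server, [int]$Port, [string]$Database, [pscredential]$Credential)

    $builder = [System.Data.SqlClient.SqlConnectionStringBuilder]::new()
    $builder.DataSource     = "$Server,$Port"
    $builder.InitialCatalog = $Database
    $builder.UserID         = $Credential.UserName
    $builder.Password       = $Credential.GetNetworkCredential().Password
    # Encrypt the session so the master credentials never cross the VPC in clear text.
    # This requires the Amazon RDS CA certificate to be trusted on the EC2 instance;
    # do not work around a trust failure with TrustServerCertificate, which disables
    # verification of the server's identity.
    $builder.Encrypt        = $true
    $builder.ConnectTimeout = 15

    $conn = [System.Data.SqlClient.SqlConnection]::new($builder.ConnectionString)
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = "SELECT SERVERPROPERTY('ProductVersion') AS Version, SUSER_SNAME() AS Login"
        $reader = $cmd.ExecuteReader()
        if ($reader.Read()) {
            [pscustomobject]@{ Connected = $true; SqlVersion = $reader['Version']; Login = $reader['Login'] }
        }
    }
    catch {
        [pscustomobject]@{ Connected = $false; Error = $_.Exception.Message }
    }
    finally {
        $conn.Dispose()
    }
}

$tcpResult = Test-RdsTcp -Server $RdsEndpoint -Port $Port
$tcpResult | Format-List
if (-not $tcpResult.TcpOpen) {
    Write-Warning "Port $Port on $RdsEndpoint is not reachable: check the RDS security group and the EC2 instance's subnet routing."
    return
}

# Prompt for the Master username and password created with the RDS instance; nothing is stored here.
$cred = Get-Credential -Message 'RDS master user'
Test-RdsSqlLogin -Server $RdsEndpoint -Port $Port -Database $Database -Credential $cred | Format-List
```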

Installing and configuring Synchronization Service for AWS Managed Microsoft AD
To synchronize resources and passwords from an on-premises AD environment to AWS
Managed Microsoft AD, you must install and configure Synchronization Service on an
Amazon Elastic Compute Cloud (EC2) instance.

Prerequisites

Before starting the procedure, make sure that the EC2 and RDS instances are connected,
as described in Verifying connectivity between the EC2 and RDS instances.

To install and configure Synchronization Service for use with AWS Managed
Microsoft AD

1. Download the Active Roles installation media to the EC2 instance.
2. Run the setup and install Active Roles Synchronization Service with all required
   prerequisites as described in Installing Synchronization Service.
3. After installation is finished, start Active Roles Synchronization Service. The
   Configuration Wizard appears.
4. In Service Account and Mode, configure the following settings:
   • Synchronization Service account: Enter the user name and password of the
     domain admin account supplied by Amazon Web Services (AWS).
   • Synchronization Service mode: Select Local.
   When you are ready, click Next.
5. In Instance Configuration, select Create a new configuration, then click Next.
6. In Database Connection, configure the following settings:
   • SQL Server: Specify the endpoint URL of the RDS instance connected to your
     EC2 instance. You can check the endpoint of the RDS instance in the AWS
     console by selecting the RDS instance, then navigating to Connectivity &
     Security > Endpoint & port.
   • Database: Specify the name of the database that will be used by
     Synchronization Service (for example, syncservice).
   • For authentication, select Use SQL Server authentication, then enter the
     user name and password of the primary user in your RDS instance (configured
     in Creating the RDS instance for the Active Roles SQL Server).
7. In Configuration File, specify the name and save location of the Synchronization
   Service configuration file.
8. (Optional) For added security, still in Configuration File, specify a password for the
   configuration.
9. To apply your changes and start creating the configuration, click Finish.

2 Getting started

• Synchronization Service Console
• Synchronizing identity data
• Management Shell

Synchronization Service Console


The Synchronization Service Console is a graphical user interface that provides
access to the Synchronization Service functionality. You can use the Synchronization
Service Console to connect Synchronization Service to external data systems,
manage existing connections, and perform data synchronization operations between
the connected data systems. The Synchronization Service Console is installed as part
of Synchronization Service.
To start the Synchronization Service Console, depending on the version of your Windows
operating system, click Active Roles 8.1.3 Synchronization Service on the Apps page
or select All Programs > One Identity Active Roles 8.1.3 > Active Roles 8.1.3
Synchronization Service from the Start menu.
The Synchronization Service Console looks similar to the following:

Figure 3: Synchronization Service Console

Gear icon
In the upper right corner of the Synchronization Service Console, you can click the
gear icon.
The Gear icon provides the following commands:
• Configure Sync Service: Starts a wizard that helps you change the configuration
  settings of the current Synchronization Service instance.
• Import Configuration: Starts a wizard that helps you to import configuration
  settings from a configuration file created by another instance of
  Synchronization Service.
• Export Configuration: Starts a wizard that helps you to save the configuration
  profile of the current Synchronization Service instance to a file. You can use this file
  to apply the saved configuration to other instances of Active Roles Synchronization
  Service deployed in your environment.
• Mail Profiles: Allows you to add, edit, or delete mail profiles for sending notification
  emails about sync workflow runs. For more information on how to use the email
  notification, see Using sync workflow alerts.
• Diagnostic Logging: Allows you to specify settings for writing Synchronization
  Service diagnostic data to the Synchronization Service log file or Windows Event Log.
• Communication Port: Allows you to change the communication port number used
  by the Synchronization Service.
• Configure Azure BackSync: Allows you to configure back synchronization
  operation in Azure with on-premises Active Directory objects.

Sync Workflows tab
The Sync Workflows tab allows you to manage data sync workflows for connected data
systems. A sync workflow can include a number of synchronization steps, each performing
a specific data synchronization operation (creation, deprovision, or update). For more
information on sync workflows and their steps, see Synchronizing identity data.
You can also use this tab to manage email notification settings for each existing sync
workflow. For more information, see Using sync workflow alerts.
On the Sync Workflows tab, you can use the following elements (some of these elements
become available only after you create at least one sync workflow with one or more
synchronization steps):
• Add sync workflow: Creates a new sync workflow.
• Filter by: Allows you to filter existing sync workflows by the letters or text you type
  in the text box. The filter applies to the sync workflow names.
• Sort by: Allows you to sort existing sync workflows by workflow name, last run time,
  or the number of synchronization steps.
• <Workflow Name>: Represents a sync workflow. You can click the workflow name
  to view and add, delete, or modify synchronization steps in that workflow.
• Schedule: Allows you to create a schedule for running the sync workflow.
• Manage alerts: Allows you to add, delete, or edit alerts for a sync workflow. An alert
  allows you to automatically send notification emails about the completion of the sync
  workflow run to specified recipients.
• Rename: Allows you to rename the sync workflow.
• Delete: Deletes the sync workflow.

Sync History tab


The Sync History tab allows you to view and selectively clean up the synchronization
history. This is the history of sync workflow runs and object mapping operations. For more
information, see Synchronization history.
On the Sync History tab, you can use the following elements:
• Clean up now: Allows you to selectively clean up sync history entries by specifying
  the age of the entries that you want to clean up.
• Schedule cleanup: Allows you to schedule a recurring cleanup operation for the
  sync history.
• Sync Workflow History: Allows you to view a list of completed sync workflow runs
  and the details of objects that participated in a particular sync workflow run.
• Mapping History: Allows you to view a list of completed map and unmap operations
  and the details of objects that participated in those operations.
• Search: Allows you to search the Synchronization Service synchronization history for
  completed creation, deprovision, update, and sync passwords operations. You can
  search by a number of criteria, such as the target connected data system and object
  type on which the operation was performed and the time period during which the
  operation completed.
• Usage Statistics: Allows you to view usage statistics for each connector, that is, the
  number of processed objects, sync runs, and so on.

Connections tab
The Connections tab allows you to manage connections between the Synchronization
Service and the external data systems you want to use for data synchronization operations.
For more information on creating connections to external data systems supported out of
the box, see External data systems supported with built-in connectors.
On the Connections tab, you can use the following elements (some of these elements
become available only after you create at least one connection):
• Add connection: Allows you to create a new connection to an external data system.
• Filter by: Allows you to filter existing connections by the letters or text you type in
  the text box. The filter applies to the connection names.
• Sort by: Allows you to sort existing connections by connection name, name of the
  connector used, or the frequency of usage in sync workflow steps.
• <Connection Name>: Represents a connection to an external data system. You
  can click a connection name to view or modify the corresponding connection settings.
• Connection settings: Allows you to view or modify settings for the connection.
• Synchronization scope: Allows you to view or modify synchronization scope for the
  connection.
• Delete connection: Deletes the connection.

Mapping tab
The Mapping tab allows you to manage mapping pairs and mapping rules for existing
connections. To view or modify mapping pairs or rules for a connection, click the name of
that connection. For more information on mapping pairs and rules, see Mapping objects.
On the Mapping tab, you can use the following elements (some of these elements become
available only after you create at least one connection to an external data system):
• Filter by: Allows you to filter existing connections by the letters or text you type in
  the text box. The filter only applies to the connection names.
• Sort by: Allows you to sort existing connections by connection name, name of the
  connector used, or the frequency of usage in the sync workflow steps.
• <Connection Name>: Displays the name of a connection. You can click a
  connection name to view or modify the mapping settings for the corresponding
  connection.

When you click a connection name on this tab, you can manage mapping pairs for the
connection by using the following elements (some of these elements become available
after you create at least one mapping pair for the connection):
• Add mapping pair: Allows you to specify the types of objects in two connected
  systems for which you want to create a mapping pair.
• <ObjectType1> - <ObjectType2>: Represents a mapping pair and displays the
  object types that belong to the same mapping pair. You can click a mapping pair
  to view and change the scope of conditions where the object types belonging to
  that mapping pair will be mapped. To define these conditions, you can create
  mapping rules.
• Schedule: Allows you to schedule a recurring map operation for the current
  pair of objects.
• Map now: Allows you to manually run the map operation on the current pair
  of objects.
• Delete: Deletes the mapping pair on which you click this link.

When you click a mapping pair, you can manage mapping rules for the mapping pair by
using the following elements (some of these elements become available only after you
create at least one mapping rule for the mapping pair):
• Map now: Allows you to manually run the map operation on the mapping pair by
  using the conditions specified in the existing mapping rules.
• Unmap: Allows you to unmap the objects that were earlier mapped according to the
  settings specified for the mapping pair.
• Schedule mapping: Allows you to schedule a recurring map operation for the
  mapping pair.
• Add mapping rule: Allows you to create a rule that will define a condition for
  mapping objects that belong to the mapping pair.
• Delete rule: Deletes the mapping rule on which you click this link.
• Move up: Moves the current mapping rule one position up in the list.
• Move down: Moves the current mapping rule one position down in the list.

Mapping rules are applied in the order they are listed.

Password Sync tab


The Password Sync tab allows you to manage password sync rules to automate password
synchronization from a specified Active Directory domain to other connected data systems.

For more information, see Automated password synchronization.
On the Password Sync tab, you can use the following elements (some of these elements
become available only after you create at least one password sync rule):
• Add password sync rule: Allows you to create a rule for synchronizing passwords
  from an Active Directory domain to another connected system.
• Password sync settings: Allows you to specify how many times you want to retry
  the password synchronization operation in the event of a failure. Also allows you to
  type a Windows PowerShell script to generate passwords for the target connected
  system. For more information, see Using PowerShell script to transform passwords.
• Delete rule: Deletes the password sync rule on which you click this link.

Configuring diagnostic logging


In the Synchronization Service Console, you can configure a number of settings to write the
Synchronization Service diagnostic data to a separate log file or to the Windows Event Log.

To configure diagnostic logging

1. In the upper right corner of the Synchronization Service Console, select Settings >
   Diagnostic Logging.
2. In the dialog that opens, use the following options:
   • Windows Event Log Level: Drag the slider to select one of the following
     options to write Synchronization Service data to the Windows Event Log:
     • Error, Warning, and Information: Records errors, warnings, and
       information events generated by Synchronization Service to the
       Windows Event Log.
     • Error and Warning: Records error and warning events generated by
       Synchronization Service to the Windows Event Log.
     • Error: Records error events generated by Synchronization Service to the
       Windows Event Log.
     • Off: Disables writing Synchronization Service data to the Windows
       Event Log.
   • Synchronization Service log level: Drag the slider to select one of the
     following logging levels for the Synchronization Service log:
     • All Possible Events: Writes detailed diagnostic data to the
       Synchronization Service log file.
     • Important Events: Writes only essential events to the Synchronization
       Service log file.
     • Off: Disables writing data to the Synchronization Service log file.
3. When you are finished, click OK to apply your settings.

How to synchronize identity data
On a very high level, you need to complete the following steps to synchronize identity data
between two external data systems:

1. Connect the Synchronization Service to the data systems between which you want to
synchronize identity data.
For more information, see External data systems supported with built-in connectors.
2. Configure synchronization scope for the connected data systems.
For more information, see Modifying synchronization scope for a connection.
3. Create a sync workflow.
For more information, see Creating a sync workflow.
4. Create one or more steps in the sync workflow, and, if necessary, define
synchronization rules for these steps.
For more information, see Synchronizing identity data.
5. Run the sync workflow you have created.
For more information, see Running a sync workflow.

You can also use the Synchronization Service to automatically synchronize passwords from
a specified Active Directory domain to other connected data systems. For more
information, see Automated password synchronization.

Synchronization Service Management Shell
Synchronization Service Management Shell is implemented as a Windows PowerShell
module, providing an extension to the Windows PowerShell environment. The commands
provided by Synchronization Service Management Shell conform to the Windows
PowerShell standards, and are fully compatible with the default command-line tools of
Windows PowerShell.
You can open Synchronization Service Management Shell either from the list of installed
applications, or directly from Windows PowerShell.

To launch Synchronization Service Management Shell

1. In the operating system, open the Start menu.
2. In the Start menu, search for Active Roles Synchronization Service
   Management Shell 8.1.3, then click it.
   Alternatively, use the Search bar of the system tray to find Synchronization Service
   Management Shell, then click it to launch it.

To load Synchronization Service Management Shell in Windows PowerShell

1. Start Windows PowerShell.
2. To load the Synchronization Service Management Shell module, run the
   following command:
   Import-Module -Name "<full-path-to-synchronization-service-module-file>"
   For example, if you installed Synchronization Service to the default installation
   location, the full command is as follows:
   Import-Module -Name "C:\Program Files\One Identity\Active Roles\8.1.3\SyncService\SyncServiceShell\SyncServiceManagementShell.psd1"

NOTE: When loading Synchronization Service, your system may indicate that the
certificate of some digitally-signed files published by One Identity is untrusted, and that
you must enable trust for the certificate issuer to run Synchronization Service. If this
happens, press either R (Run once) or A (Always run). One Identity recommends
selecting A to prevent this message from appearing again.

Cmdlet naming conventions


All cmdlets are presented in verb-noun pairs. The verb-noun pair is separated by a hyphen
(-) without spaces, and the cmdlet nouns are always singular. The verb refers to the
action that the cmdlet performs. The noun identifies the entity on which the action is
performed. For example, in the Get-QCObject cmdlet name, the verb is Get and the noun is
QCObject. All the Management Shell cmdlets have the nouns prefixed with QC, to
distinguish the Management Shell cmdlets from those provided by PowerShell itself or by
other PowerShell modules.
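As an added example (not part of the One Identity guide), the following PowerShell script ties the two points above together: it inspects the Authenticode signature of the module manifest at the default installation path quoted above before importing it, instead of relying on the interactive R/A prompt, and then uses the QC noun prefix to list the Management Shell cmdlets grouped by verb. The path is the guide's default; the two function names are hypothetical helpers, not cmdlets of the module.

```powershell
# Added example, not part of the One Identity guide. Checks the manifest signature before
# Import-Module, then enumerates the QC-prefixed cmdlets the module adds, grouped by verb.
# $ModulePath is the default installation path from the guide; adjust if installed elsewhere.
param(
    [string]$ModulePath = 'C:\Program Files\One Identity\Active Roles\8.1.3\SyncService\SyncServiceShell\SyncServiceManagementShell.psd1'
)

function Test-ModuleSignature {
    # Hypothetical helper name (not a cmdlet of the Management Shell).
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) { throw "Module manifest not found: $Path" }
    $sig = Get-AuthenticodeSignature -FilePath $Path

    switch ($sig.Status) {
        'Valid' { }   # signed by a publisher this machine already trusts
        { $_ -in 'NotSigned', 'HashMismatch' } {
            # An unsigned or modified manifest must not be imported; stop here.
            throw "Refusing to import '$Path': signature status is $($sig.Status)."
        }
        default {
            # For example an untrusted publisher certificate: the same situation in which the
            # console shows the R/A prompt described in the NOTE above. Surface the signer so
            # the administrator can decide whether to trust the issuer.
            Write-Warning "Signature status is $($sig.Status): $($sig.StatusMessage)"
        }
    }

    [pscustomobject]@{
        Path       = $Path
        Status     = $sig.Status
        Signer     = $sig.SignerCertificate.Subject
        Thumbprint = $sig.SignerCertificate.Thumbprint
        NotAfter   = $sig.SignerCertificate.NotAfter
    }
}

function Get-QCCmdletSummary {
    # Hypothetical helper name. Every Management Shell noun starts with QC, so
    # -Noun 'QC*' selects exactly the cmdlets the module added, whatever their verb.
    Get-Command -Noun 'QC*' |
        Group-Object -Property Verb |
        Sort-Object -Property Name |
        ForEach-Object {
            [pscustomobject]@{
                Verb  = $_.Name
                Count = $_.Count
                Nouns = (($_.Group | Select-Object -ExpandProperty Noun | Sort-Object) -join ', ')
            }
        }
}

Test-ModuleSignature -Path $ModulePath | Format-List
Import-Module -Name $ModulePath -ErrorAction Stop
Get-QCCmdletSummary | Format-Table -AutoSize -Wrap
```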

Getting help
This section provides instructions on how to get help information for the cmdlets added by
Management Shell to the Windows PowerShell environment.

Table 2: To view help

To view this | Run this command
A list of all the Synchronization Service Management Shell cmdlets available to the shell. | Get-QCCommand
Information about the parameters and other components of a Synchronization Service Management Shell cmdlet. | Run one of the following: Get-QCCommand <CmdletName> or Get-Command <CmdletName>. NOTE: You can use wildcard character expansion. For example, to view information about the cmdlets with the names ending in Workflow, run this command: Get-Command *Workflow.
Basic help information for a Synchronization Service Management Shell cmdlet. | Get-Help <CmdletName>
Detailed help information for a Synchronization Service Management Shell cmdlet, including the descriptions of available parameters and usage examples. | Get-Help <CmdletName> -full
Basic information about how to use the help system in Windows PowerShell, including Help for the Synchronization Service Management Shell. | Get-Help

3 Connections to external data systems

• External data systems supported out of the box
• Using connectors installed remotely
• Creating a connection
• Renaming a connection
• Deleting a connection
• Modifying synchronization scope for a connection
• Using connection handlers
• Specifying password synchronization settings for a connection

4 External data systems supported with built-in connectors
Active Roles Synchronization Service supports the following external data systems with
built-in connectors:
• Working with Active Directory
• Working with an AD LDS (ADAM) instance
• Working with Skype for Business Server
• Working with Oracle Database
• Working with Oracle Database user accounts
• Working with Exchange Server
• Working with Active Roles
• Working with One Identity Manager
• Working with a delimited text file
• Working with Microsoft SQL Server
• Working with Micro Focus NetIQ Directory
• Working with Salesforce
• Working with ServiceNow
• Working with Oracle Unified Directory
• Working with an LDAP directory service
• Working with an OpenLDAP directory service
• Working with IBM DB2
• Working with IBM AS/400
• Working with IBM RACF
• Working with MySQL database
• Working with an OLE DB-compliant relational database
• Working with SharePoint
• Working with Microsoft 365
• Working with Microsoft Azure Active Directory
• Configuring data synchronization with the SCIM Connector
• Configuring data synchronization with the Generic SCIM Connector

Working with Active Directory


This section describes how to create or modify a connection to Active Directory so that
Synchronization Service can work with data in that data system.
To create a connection to an Active Directory domain, you need to use Synchronization
Service in conjunction with a special connector called Active Directory Connector. This
connector is included in the Synchronization Service package.
The Active Directory Connector supports the following features:

Table 3: Active Directory Connector – Supported features

| Feature | Supported | Description |
|---|---|---|
| Bidirectional synchronization | Yes | Specifies whether you can both read and write data in the connected data system. |
| Delta processing mode | Yes | Specifies whether the connection can process only the data that has changed in the connected data system since the last synchronization operation. This reduces the overall synchronization duration. |
| Password synchronization | Yes | Specifies whether you can synchronize user passwords from an Active Directory (AD) domain to the connected data system. |

The Active Directory Connector supports linked attributes existing in the Active Directory schema. Linked attributes allow you to establish associations between two objects. Linked attributes exist in pairs, as follows:
• Forward link attribute: This is a linked attribute that exists on a source object (for example, the member attribute on the Group object). Forward link attributes can be single-valued or multivalued.
• Back link attribute: This is a linked attribute that can be specified on a target object (for example, the memberOf attribute on the User object). Back link attributes are multivalued and they must have a corresponding forward link attribute. Back link attributes are not stored in Active Directory. Rather, they are calculated based on the corresponding forward link attribute each time a query is issued.

Creating an Active Directory connection

To create a new connection

1. In the Synchronization Service Console, open the Connections tab.
2. Click Add connection, then use the following options:
   • Connection name: Type a descriptive name for the connection.
   • Use the specified connector: Select Active Directory Connector.
3. Click Next.
4. On the Specify connection settings page, use the following options:
   • Any available domain controller in the specified domain: Allows you to connect to an available domain controller in the Active Directory domain you specify. In the Domain text box, type the fully qualified domain name of the domain to which you want to connect.
   • Specified domain controller: Allows you to connect to a specific domain controller in a particular Active Directory domain. In the Domain controller text box, type the fully qualified domain name of the domain controller to which you want to connect.
   • Active Directory forest: Allows you to connect to the Active Directory forest you specify in this option. When synchronizing data to or from a connected forest, Synchronization Service automatically selects the appropriate domain controllers in the forest to read and write data according to the synchronization scope configured for the connection.
   • Secure Sockets Layer usage: Use this list to select one of the following:
      • None: Allows you to connect without using Secure Sockets Layer (SSL).
      • Use: Allows you to connect through SSL.
      • Preferred: Allows you to attempt the connection through SSL first. If this connection attempt fails, the Synchronization Service tries to connect without using SSL.
   • Access Active Directory using: Use this option to select one of the following:
      • Synchronization Service account: Allows you to access the Active Directory domain in the security context of the account under which the Synchronization Service is running.
      • Windows account: Allows you to access Active Directory in the security context of the account whose user name and password you specify below this option.
   • To test the connection with the new parameters, click Test connection.
5. Click Finish to create a connection to Active Directory.

Modifying an Active Directory connection

To modify connection settings

1. In the Synchronization Service Console, open the Connections tab.
2. Click Connection settings below the existing Active Directory connection you want to modify.
3. On the Connection Settings tab, click Specify connection settings to expand it and use the following options.
   • Any available domain controller in the specified domain: Allows you to connect to an available domain controller in the Active Directory domain you specify. In the Domain text box, type the fully qualified domain name of the domain to which you want to connect.
   • Specified domain controller: Allows you to connect to a specific domain controller in a particular Active Directory domain. In the Domain controller text box, type the fully qualified domain name of the domain controller to which you want to connect.
   • Active Directory forest: Allows you to connect to the Active Directory forest you specify in this option. When synchronizing data to or from a connected forest, Synchronization Service automatically selects the appropriate domain controllers in the forest to read and write data according to the synchronization scope configured for the connection.
   • Secure Sockets Layer usage: Use this list to select one of the following:
      • None: Allows you to connect without using Secure Sockets Layer (SSL).
      • Use: Allows you to connect through SSL.
      • Preferred: Allows you to attempt the connection through SSL first. If this connection attempt fails, the Synchronization Service tries to connect without using SSL.
   • Access Active Directory using: Use this option to select one of the following:
      • Synchronization Service account: Allows you to access the Active Directory domain in the security context of the account under which the Synchronization Service is running.
      • Windows account: Allows you to access Active Directory in the security context of the account whose user name and password you specify below this option.
   • To test the connection with the new parameters, click Test connection.
4. Optionally, you can narrow the number of objects participating in the connection scope by setting up filter conditions. On the Connection Settings tab, click the Advanced item to expand it, and then use the following list columns:
   • Object type: Use this column to select the Active Directory object types for which you want to configure filter conditions: click Add Object Type to add an object type to the list. Once you have added an object type, use the Filter condition column to specify a condition the objects of that type must meet in order to participate in the connection scope.
   • Filter condition: Use this column to specify a filter condition for the corresponding Active Directory object type. To specify a filter condition, type an LDAP query. The Active Directory objects that meet the specified filter condition will participate in the connection scope. When no filter condition is specified for an object type, all objects that belong to that type participate in the connection scope.
5. When you are finished, click Save.
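The filter condition in step 4 is an LDAP query that is only evaluated by the domain controller at sync time, so it is worth previewing what it admits before saving it. The following script is an added example (not part of this guide or the product) that runs a candidate filter against a search base and reports the match count; the search base and the filter, which keeps only enabled user accounts, are constructed placeholders.

```powershell
<#
Added example, not part of the One Identity guide: previews which objects a candidate
filter condition would admit into the connection scope before you save it in the Advanced
section of an Active Directory connection. Assumes a domain-joined host; the search base
and the filter are constructed placeholders. The filter keeps only enabled user accounts:
objectCategory=person excludes computer objects, and the bitwise rule excludes accounts
whose userAccountControl has the ACCOUNTDISABLE bit (0x2) set.
#>
param(
    [string] $SearchBase = 'OU=Staff,DC=corp,DC=example,DC=com',   # placeholder
    [string] $Filter = '(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))',
    [int]    $Preview = 10
)

Add-Type -AssemblyName System.DirectoryServices

function Get-FilterScopePreview {
    param([string] $Base, [string] $LdapFilter, [int] $Take)
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Base")
    $properties = [string[]]@('sAMAccountName', 'userAccountControl', 'distinguishedName')
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $LdapFilter, $properties)
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
    $searcher.PageSize = 1000     # paged results so the total is correct for large OUs
    try {
        $hits = $searcher.FindAll()
    }
    catch {
        # A malformed filter is rejected by the DC at search time, not when it is typed
        # into the console; surfacing it here avoids saving a filter that never matches.
        throw "Filter '$LdapFilter' was rejected: $($_.Exception.Message)"
    }
    try {
        [pscustomobject]@{
            SearchBase = $Base
            Filter     = $LdapFilter
            Matches    = $hits.Count
            Sample     = @($hits | Select-Object -First $Take | ForEach-Object {
                             [pscustomobject]@{
                                 sAMAccountName     = [string]$_.Properties['samaccountname'][0]
                                 userAccountControl = [int]$_.Properties['useraccountcontrol'][0]
                                 distinguishedName  = [string]$_.Properties['distinguishedname'][0]
                             }
                         })
        }
    }
    finally {
        $hits.Dispose()
    }
}

$preview = Get-FilterScopePreview -Base $SearchBase -LdapFilter $Filter -Take $Preview
"{0} objects match the filter under {1}" -f $preview.Matches, $preview.SearchBase
$preview.Sample | Format-Table -AutoSize

# Compare the count with what you expect: a filter that matches far more objects than
# intended widens the data the Synchronization Service account reads and writes.
```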

Communication ports required to synchronize data between two Active Directory domains

When synchronizing data between two Active Directory domains, Synchronization Service uses the following ports to access domain controllers in the domains:

Table 4: Required communication ports

| Port | Protocol | Type of traffic | Direction of traffic |
|---|---|---|---|
| 53 | TCP/UDP | DNS | Inbound |
| 88 | TCP/UDP | Kerberos | Outbound |
| 389 | TCP/UDP | LDAP | Outbound |
| 636 | TCP | LDAP over SSL (LDAPS) | Outbound |
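Before saving a connection, a practitioner usually wants to confirm from the Synchronization Service host that every domain controller answers on the ports in Table 4 and that LDAPS actually works, because the Preferred setting for Secure Sockets Layer usage falls back to unencrypted LDAP without any visible error. The following script is an added example (not part of this guide or the product); it assumes a domain-joined host and takes the domain name as a placeholder parameter.

```powershell
<#
Added example, not part of the One Identity guide: from the Synchronization Service host,
checks that every domain controller of a domain answers on the TCP ports listed in Table 4
and that an LDAP-over-SSL handshake on 636 succeeds. A passing LDAPS check lets you choose
"Use" for the Secure Sockets Layer usage option instead of "Preferred". Assumes a
domain-joined host that can resolve the domain's _ldap._tcp SRV records; the domain name
is a placeholder you supply.
#>
param(
    [Parameter(Mandatory = $true)]
    [string] $Domain        # for example 'corp.example.com' (placeholder)
)

# Ports from Table 4. Test-NetConnection exercises TCP only; the UDP side of DNS (53) and
# Kerberos (88) is not covered by this script.
$RequiredTcpPorts = @(
    @{ Port = 53;  Traffic = 'DNS' },
    @{ Port = 88;  Traffic = 'Kerberos' },
    @{ Port = 389; Traffic = 'LDAP' },
    @{ Port = 636; Traffic = 'LDAP over SSL (LDAPS)' }
)

function Get-DomainControllerName {
    param([string] $DomainName)
    # The _ldap._tcp.dc._msdcs SRV record lists every DC that offers LDAP for the domain.
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } |
        Select-Object -ExpandProperty NameTarget -Unique
}

function Test-LdapsHandshake {
    param([string] $Server)
    # Opens an SSL session to port 636 and performs an anonymous bind. The TLS handshake runs
    # when Bind() opens the connection, so an untrusted or mismatched DC certificate, or no
    # LDAPS listener at all, surfaces here as an exception.
    Add-Type -AssemblyName System.DirectoryServices.Protocols
    $identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 636, $true, $false)
    $connection = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier)
    try {
        $connection.SessionOptions.SecureSocketLayer = $true
        $connection.SessionOptions.ProtocolVersion = 3
        $connection.AuthType = [System.DirectoryServices.Protocols.AuthType]::Anonymous
        $connection.Bind()
        return $true
    }
    catch {
        Write-Warning "LDAPS handshake with $Server failed: $($_.Exception.Message)"
        return $false
    }
    finally {
        $connection.Dispose()
    }
}

$results = foreach ($dc in (Get-DomainControllerName -DomainName $Domain)) {
    foreach ($entry in $RequiredTcpPorts) {
        $probe = Test-NetConnection -ComputerName $dc -Port $entry.Port -WarningAction SilentlyContinue
        $open = [bool]$probe.TcpTestSucceeded
        [pscustomobject]@{
            DomainController = $dc
            Port             = $entry.Port
            Traffic          = $entry.Traffic
            Result           = $(if ($open) { 'open' } else { 'BLOCKED' })
        }
    }
    $ldapsOk = Test-LdapsHandshake -Server $dc
    [pscustomobject]@{
        DomainController = $dc
        Port             = 636
        Traffic          = 'LDAPS handshake'
        Result           = $(if ($ldapsOk) { 'ok' } else { 'FAILED' })
    }
}

$results | Format-Table -AutoSize

# Every BLOCKED or FAILED row is a firewall or certificate issue to fix on the DC or the
# network path before the connection is saved, rather than a reason to select "None" or
# "Preferred" for Secure Sockets Layer usage.
```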

Synchronizing user passwords between two Active Directory domains

You can automatically synchronize user passwords from one Active Directory domain to the other by using Synchronization Service. The next procedure assumes that Synchronization Service is already connected to the source and target domains. For more information, see Creating an Active Directory connection.

To synchronize user passwords between two Active Directory domains

1. Install Capture Agent on all domain controllers in the source and target Active Directory domains.
2. Use the pwdHash attribute to perform an initial synchronization of user passwords between the source and target domains:
   a. Create a new creating or updating synchronization step for the source and target domains, or choose an existing one.
      If you use an updating synchronization step, ensure that user objects in the source domain are properly mapped to their counterparts in the target domain. For more information on mapping objects, see Mapping objects.
      In the creating or updating synchronization step, configure a rule to synchronize the pwdHash attribute value from the user objects in the source domain to their counterparts in the target domain.
   b. Run the creating or updating synchronization step to perform an initial synchronization of user passwords from the source to the target domain.
   This initial synchronization step synchronizes user passwords only once. If you want to synchronize all subsequent password changes on a permanent basis, also complete the step that creates a recurring run schedule.
3. Create a recurring run schedule for the synchronization step you configured previously. For instructions, see Running a sync workflow on a recurring schedule.
   • To synchronize all subsequent password changes from the source to the target domain, do one of the following:
      • Configure a password sync rule to automate the password synchronization between the two Active Directory domains. For more information, see Automated password synchronization.

Synchronizing SID history of users or groups

You can use Synchronization Service to synchronize SID history between user or group objects in two Active Directory domains. For example, you can synchronize SID history when migrating users from one Active Directory domain to the other.
NOTE: Consider the following when synchronizing SID history:
• To read SID data in the source Active Directory domain, you can use the sIDHistory or objectSid attribute.
• To write SID data to the target Active Directory domain, always use the sIDHistory attribute.

To synchronize SID history of users or groups

1. Install Capture Agent on all domain controllers in the source and target Active Directory domains you want to participate in the SID history synchronization. For more information on how to install Capture Agent, see Managing Capture Agent.
2. Use the Specified domain controller option to connect Synchronization Service to the source and target domains. For more information on how to connect Synchronization Service to an Active Directory domain, see Creating an Active Directory connection.
3. Create a new creating or updating synchronization step for the source and target domains, or choose an existing one. If you use an updating synchronization step, ensure that user objects in the source domain are properly mapped to their counterparts in the target domain. For more information on mapping objects, see Mapping objects.
4. Configure the synchronization step to do the following:
   • Read SID data in the source Active Directory domain. For this purpose, you can use the sIDHistory attribute or the objectSid attribute, or both.
   • Write SID data to the target Active Directory domain by using the sIDHistory attribute.
   To read attribute values in the source domain and write them to the target domain, you can configure attribute modification rules in your sync workflow step. For more information, see Modifying attribute values by using rules.
5. Run the created step to synchronize SID history.

Working with an AD LDS (ADAM) instance

This section explains how to create or modify a connection to an AD LDS (ADAM) instance so that Synchronization Service can work with data in that data system.
To create a connection to an AD LDS (ADAM) instance, you need to use Synchronization Service in conjunction with a special connector called AD LDS (ADAM) Connector. This connector is included in the Synchronization Service package.
The AD LDS (ADAM) Connector supports the following features:

Table 5: AD LDS (ADAM) Connector – Supported features

| Feature | Supported | Description |
|---|---|---|
| Bidirectional synchronization | Yes | Specifies whether you can both read and write data in the connected data system. |
| Delta processing mode | Yes | Specifies whether the connection can process only the data that has changed in the connected data system since the last synchronization operation. This reduces the overall synchronization duration. |
| Password synchronization | Yes | Specifies whether you can synchronize user passwords from an Active Directory (AD) domain to the connected data system. |

Creating an AD LDS (ADAM) instance connection

To create a new connection

1. In the Synchronization Service Console, open the Connections tab.
2. Click Add connection, then use the following options:
   • Connection name: Type a descriptive name for the connection.
   • Use the specified connector: Select AD LDS (ADAM) Connector.
3. Click Next.
4. On the Specify connection settings page, use the following options:
   • Server: Type the fully qualified domain name of the computer on which the AD LDS (ADAM) instance to which you want to connect is running.
   • Port: Type the LDAP communication port number used by the AD LDS (ADAM) instance.
   • Access AD LDS (ADAM) instance using: Use this option to select one of the following:
      • Synchronization Service account: Allows you to access the target AD LDS (ADAM) instance in the security context of the account under which the Synchronization Service is running.
      • Windows account: Allows you to access the target AD LDS (ADAM) instance in the security context of the account whose user name and password you specify below this option.
   • Advanced: Click to specify advanced settings for connecting to the AD LDS (ADAM) instance.
   • To test the connection with the new parameters, click Test connection.
5. Click Finish to create a connection to the AD LDS (ADAM) instance.

Modifying an existing AD LDS (ADAM) instance connection

To modify connection settings

1. In the Synchronization Service Console, open the Connections tab.
2. Click Connection settings below the existing AD LDS (ADAM) instance connection you want to modify.
3. On the Connection Settings tab, click Specify connection settings to expand it and use the following options.
   • Server: Type the fully qualified domain name of the computer on which the AD LDS (ADAM) instance to which you want to connect is running.
   • Port: Type the LDAP communication port number used by the AD LDS (ADAM) instance.
   • Access AD LDS (ADAM) instance using: Use this option to select one of the following:
      • Synchronization Service account: Allows you to access the target AD LDS (ADAM) instance in the security context of the account under which the Synchronization Service is running.
      • Windows account: Allows you to access the target AD LDS (ADAM) instance in the security context of the account whose user name and password you specify below this option.
   • Advanced: Click to specify advanced settings for connecting to the AD LDS (ADAM) instance.
   • To test the connection with the new parameters, click Test connection.
4. Optionally, you can narrow the number of AD LDS (ADAM) objects participating in the connection scope by setting up filter conditions. On the Connection Settings tab, click the Advanced item to expand it, and then use the following list columns:
   • Object type: Use this column to select the AD LDS (ADAM) object types for which you want to configure filter conditions: click Add Object Type to add an object type to the list. Once you have added an object type to the list, use the Filter condition column to specify a condition the objects of that type must meet in order to participate in the connection scope.
   • Filter condition: Use this column to specify a filter condition for the corresponding AD LDS (ADAM) object type. To specify a filter condition, type an LDAP query. The AD LDS (ADAM) objects that meet the specified filter condition will participate in the connection scope. When no filter condition is specified for an object type, all objects that belong to that type participate in the connection scope.
5. When you are finished, click Save.

Working with Skype for Business Server


This section describes how to create or modify a connection to Microsoft Skype for Business
Server with the Active Roles Synchronization Service, to read and write data in Skype for
Business Server. It also lists the type of data you can read and/or write using the
configured connection.
To create a connection to Skype for Business Server, use the Skype for Business Server
Connector of Active Roles Synchronization Service.
The Skype for Business Connector supports the following features:

Table 6: Skype for Business Server Connector – Supported features

| Feature | Supported | Description |
|---|---|---|
| Bidirectional synchronization | Yes | Specifies whether you can both read and write data in the connected data system. For more information on what data you can read and write in Skype for Business Server, see Supported Skype for Business Server data. |
| Delta processing mode | No | Specifies whether the connection can process only the data that has changed in the connected data system since the last synchronization operation. This reduces the overall synchronization duration. |
| Password synchronization | No | Specifies whether you can synchronize user passwords from an Active Directory (AD) domain to the connected data system. |

Creating a new Skype for Business Server connection

You can create a new Skype for Business Server connection in the Synchronization Service Console.

Prerequisites

Before creating a new Skype for Business Server connection, make sure that unsigned Windows PowerShell scripts are allowed to run on the computer on which Active Roles Synchronization Service is installed. This is required because Synchronization Service uses Windows PowerShell scripts to work with Microsoft Skype for Business Server.
NOTE: To view the current Windows PowerShell execution policy, use the Get-ExecutionPolicy cmdlet supplied with Windows PowerShell. To change the Windows PowerShell execution policy, you can use the Set-ExecutionPolicy cmdlet of Windows PowerShell.

To create a new Skype for Business Server connection

1. In the Synchronization Service Console, open the Connections tab.
2. Click Add connection, then use the following options:
   a. Connection name: Type a descriptive name for the connection.
   b. Use the specified connector: Select Skype for Business Server Connector.
3. Click Next.
4. Set the following settings:
   • Skype for Business Server computer name: Specify the fully qualified domain name (FQDN) of the Skype for Business Server computer to which you want to connect.
   • User name: Specify a domain user account that has sufficient rights to administer Skype for Business Server users. The account must be a member of all of the following groups that Skype for Business Server creates in Active Directory: CsAdministrator, CsUserAdministrator, and CsServerAdministrator.
   • Password: Type the password of the specified user account.
   To verify the specified connection settings, click Test Connection.
5. To apply your changes, click Finish.

Modifying an existing Skype for Business Server connection

You can modify an existing Skype for Business Server connection in the Synchronization Service Console.

To modify an existing Skype for Business connection

1. In the Synchronization Service Console, open the Connections tab.
2. Click Connection settings below the existing Skype for Business Server connection you want to modify.
3. Expand the Specify Skype for Business Server name and access account element to modify the following settings:
   • Skype for Business Server computer name: Specify the fully qualified domain name (FQDN) of the Skype for Business Server computer to which you want to connect.
   • User name: Specify a domain user account that has sufficient rights to administer Skype for Business Server users. The account must be a member of all of the following groups that Skype for Business Server creates in Active Directory: CsAdministrator, CsUserAdministrator, and CsServerAdministrator.
   • Password: Type the password of the specified user account.
4. When you are finished, click Save.

Supported Skype for Business Server data
The following table lists the Skype for Business Server object types and the data
synchronization operations supported by the Skype for Business Server Connector.

Table 7: Supported objects and operations

| Object | Read | Create | Delete | Update | Description | Note |
|---|---|---|---|---|---|---|
| User | Yes | Yes | Yes | Yes | Allows you to read and write data related to users in Skype for Business Server. | |
| ArchivingPolicy | Yes | No | No | Yes | Allows you to read and write data related to custom archiving policies configured on a per-user basis in Skype for Business Server. | NOTE: You can only update one attribute provided for this object type. |
| ClientPolicy | Yes | No | No | Yes | Allows you to read and write data related to custom client policies configured on a per-user basis in Skype for Business Server. Client policies define which Skype for Business Server features are available to users. | NOTE: You can only update one attribute provided for this object type. |
| ClientVersionPolicy | Yes | No | No | Yes | Allows you to read and write data related to custom client version policies configured on a per-user basis in Skype for Business Server. These policies define what clients (such as Microsoft Office Communicator 2007 R2) and their versions can be used in conjunction with Skype for Business Server. | NOTE: You can only update one attribute provided for this object type. |
| ConferencingPolicy | Yes | No | No | Yes | Allows you to read and write data related to custom conferencing policies configured on a per-user basis in Skype for Business Server. | NOTE: You can only update one attribute provided for this object type. |
| DialPlanPolicy | Yes | No | No | Yes | Allows you to read and write data related to custom dial plan policies configured on a per-user basis in Skype for Business Server. | NOTE: You can only update one attribute provided for this object type. |
| ExternalAccessPolicy | Yes | No | No | Yes | Allows you to read and write data related to custom external access policies configured on a per-user basis in Skype for Business Server. | NOTE: You can only update one attribute provided for this object type. |
| LocationPolicy | Yes | No | No | Yes | Allows you to read and write data related to custom location policies configured on a per-user basis in Skype for Business Server. These policies determine the configuration of the Enhanced 9-1-1 (E9-1-1) Location Information service. | NOTE: You can only update one attribute provided for this object type. |
| MobilityPolicy | Yes | No | No | Yes | Allows you to read and write data related to custom mobility policies configured on a per-user basis in Skype for Business Server. These policies determine who can use mobility features (such as Call via Work, Voice over IP (VoIP), or video). | NOTE: You can only update one attribute provided for this object type. |
| PersistentChatPolicy | Yes | No | No | Yes | Allows you to read and write data related to custom persistent chat policies configured on a per-user basis in Skype for Business Server. | NOTE: You can only update one attribute provided for this object type. |
| PinPolicy | Yes | No | No | Yes | Allows you to read and write data related to custom PIN policies configured on a per-user basis in Skype for Business Server. | NOTE: You can only update one attribute provided for this object type. |
| VoicePolicy | Yes | No | No | Yes | Allows you to read and write data related to custom voice policies configured on a per-user basis in Skype for Business Server. | NOTE: You can only update one attribute provided for this object type. |
| Skype for BusinessSettings | Yes | No | No | No | Allows you to read data related to a number of Skype for Business Server settings. Skype for BusinessSettings is not a native Skype for Business Server object type and only exists in the Skype for Business Server Connector schema. | |

For each of the previous Skype for Business Server object types, Synchronization Service
provides special attributes that allow you to read or write data in Skype for Business
Server. You can access and use these attributes from the Synchronization Service Console,
for example when selecting the source and target attributes you want to include in the
synchronization operation.
The following table shows the attributes provided by Synchronization Service and explains
what data you can read or write in Skype for Business Server by using a particular attribute
for every object, except the Skype for BusinessSettings object.

Table 8: General object attributes

| Attribute | Type | Description | Supported operations |
|---|---|---|---|
| Description | Single-valued, string | Gets the policy description. | Read |
| Identity | Single-valued, string | Gets the unique identifier of the policy. | Read |
| Members | Multivalued, reference | Gets or sets the user accounts to which the policy is applicable. | Read, write |
| Name | Single-valued, string | Gets the name of the policy. | Read |
| ObjectClass | Single-valued, string | Gets the type of the Skype for Business Server object. | Read |

The following table lists the Skype for BusinessSettings object attributes and the type of
data you can read or write in Skype for Business Server by using a particular attribute.

Table 9: Skype for BusinessSettings attributes

| Attribute | Type | Description | Supported operations |
|---|---|---|---|
| Domains | Multivalued, string | Gets information about Session Initiation Protocol (SIP) domains existing in your organization. | Read |
| Identity | Single-valued, string | Gets the unique identifier of the Skype for Business object. | Read |
| ObjectClass | Single-valued, string | Gets the type of the Skype for Business Server object. | Read |
| Pools | Multivalued, string | Gets information about Skype for Business Server pools. A pool is a collection of computers that all run the same set of Skype for Business Server services. | Read |
| ServerVersion | Single-valued, string | Gets the Skype for Business Server version. | Read |

Attributes required to create a Skype for Business Server user

To create a Skype for Business Server user, you must populate the following required attributes provided by Synchronization Service:

• RegistrarPool
• SipAddress
• DistinguishedName, DisplayName, or Identity

For more information about the attributes listed above, see Supported Skype for Business
Server data.

Getting or setting the Telephony option value in Skype for Business Server

To get or set the Telephony option value for a Skype for Business Server user object, use the following attributes provided by Synchronization Service:
• AudioVideoDisabled
• EnterpriseVoiceEnabled
• RemoteCallControlTelephonyEnabled

For more information about these and other attributes that Synchronization Service
provides for a Skype for Business Server user object, see Supported Skype for Business
Server data.
The following table lists the attribute value combinations that correspond to a particular
value in the Telephony option.

Table 10: Attribute value combinations in the Telephony option

| Telephony option value in Skype for Business Server | AudioVideoDisabled | EnterpriseVoiceEnabled | RemoteCallControlTelephonyEnabled |
|---|---|---|---|
| Audio/video disabled | TRUE | FALSE | FALSE |
| PC-to-PC only | FALSE | FALSE | FALSE |
| Enterprise voice | FALSE | TRUE | FALSE |
| Remote call control | FALSE | FALSE | TRUE |
| Remote call control only | TRUE | FALSE | TRUE |

Working with Oracle Database


This section describes how to create or modify an Active Roles Synchronization Service
connection to Oracle Databases, so that you can synchronize data stored in those systems.
It also lists the type of data you can read and/or write in an Oracle Database with
Synchronization Service.
To create a connection to an Oracle Database, use the Oracle Database Connector of the
Synchronization Service.
The Oracle Database Connector supports the following features:

Table 11: Oracle Database Connector – Supported features

| Feature | Supported | Description |
|---|---|---|
| Bidirectional synchronization | Yes | Specifies whether you can both read and write data in the connected data system. |
| Delta processing mode | No | Specifies whether the connection can process only the data that has changed in the connected data system since the last synchronization operation. This reduces the overall synchronization duration. |
| Password synchronization | No | Specifies whether you can synchronize user passwords from an Active Directory (AD) domain to the connected data system. |

Creating an Oracle Database connection

You can create a new Oracle Database connection in the Synchronization Service Console.

To create a new Oracle Database connection

1. Make sure that the Synchronization Service computer has the following software installed:
   • Oracle Client: Ensure Oracle Client is configured to connect to the Oracle service that can be used to access Oracle Database that hosts the data you want to work with.
   • Oracle Net Services
   • Oracle Data Provider for .NET
   For supported versions of this software, see the System Requirements section in the Active Roles Release Notes.
2. In the Synchronization Service Console, open the Connections tab.
3. Click Add connection, then use the following options:
   • Connection name: Type a descriptive name for the connection.
   • Use the specified connector: Select Oracle Database Connector.
4. Click Next.
5. On the Specify connection settings page, use the following options:
   • Oracle service name: Specify the name of the Oracle service you want to use to access Oracle Database. You can click Refresh to get a list of available Oracle services.
   • Access Oracle service with: Type the user name and password of the account with which you want to access the Oracle service.
   • To test the connection with the new parameters, click Test connection.
6. Click Next.
7. On the Specify how to select and modify data page, use the following options:
   • Use data from this table: Allows you to select a database table that includes the data you want to participate in the synchronization operations. You can click Preview to preview the database table you have selected.
   • Use an SQL query to specify data: Allows you to compose an SQL query that provides a more flexible way for specifying the data for synchronization. For example, you can use this option to specify multiple database tables.
8. Click Next.
9. On the Specify attributes to identify objects page, use the following options:
   • Available attributes: Lists the attributes that are available in the external data system. Use this list to select the attributes whose values you want to use to generate a unique identifier for each object in the external data system. You can filter attributes by typing in the text box at the top of this list. To select multiple attributes, hold down CTRL and click to select attributes in the list.
   • UniqueID attributes: Lists the attributes whose values are currently used to generate a unique identifier for each object in the external data system.
   • Add->: Moves the selected attributes from the Available attributes list to the UniqueID attributes list.
   • <-Remove: Moves the selected attributes from the UniqueID attributes list to the Available attributes list.
   • Constructed UniqueID: Displays a combination of the attributes whose values will make up a unique identifier for each object in the external data system.
10. To finish creating the Oracle Database connection, click Finish.

Modifying an existing Oracle Database connection


You can modify an existing Oracle Database connection in the Synchronization
Service Console.

To modify an Oracle Database connection

1. Make sure that the Synchronization Service computer has the following
software installed:
l Oracle Client: Ensure that Oracle Client is configured to connect to the Oracle
service used to access the Oracle Database that hosts the data you want to
work with.
l Oracle Net Services
l Oracle Data Provider for .NET
For supported versions of this software, see the System Requirements section
in the Active Roles Release Notes.
2. In the Synchronization Service Console, open the Connections tab.
3. Click Connection settings below the existing Oracle Database connection you
want to modify.
4. On the Connection Settings tab, click an appropriate item to expand it and use the
options it provides.
You can expand the following items:
l Specifying connection settings for Oracle Database
l Configuring advanced settings for an Oracle Database or Oracle Database user
account connection
l Specifying attributes to identify objects for Oracle Database
5. Click Save.

Specifying connection settings for Oracle Database


The Specify connection settings option provides the following options that allow you to
modify the connection settings:

l Oracle service name: Specify the name of the Oracle service you want to use
to access Oracle Database. You can click Refresh to get a list of available
Oracle services.
l Access Oracle service with: Type the user name and password of the account with
which you want to access the Oracle service.
l To test the connection with the new parameters, click Test connection.

Configuring advanced settings for an Oracle Database or Oracle Database user account connection

The Advanced setting provides the following options for specifying custom SQL queries
that run automatically each time Synchronization Service creates, updates, or deletes a
user account in Oracle Database:
l SQL queries to run after user provisioned: Specifies the SQL queries to run each
time Synchronization Service creates a user account in the Oracle Database.
l SQL queries to run after user updated: Specifies the SQL queries to run each
time Synchronization Service updates a user account in the Oracle Database.
l SQL queries to run after user deprovisioned: Specifies the SQL queries to run
each time Synchronization Service deletes a user account in the Oracle Database.

Below each of these options, you can use the following buttons:
l Add: Adds a new SQL query to the list.
l Edit: Allows you to edit the SQL query selected in the list.
l Delete: Deletes the SQL query selected in the list.

SQL queries run in the order they are listed. If necessary, you can rearrange the SQL
queries in the lists: select an SQL query in the appropriate list, then click the up or down
arrow button to move the query as necessary.

Specifying attributes to identify objects for Oracle Database

The Specify attributes to identify objects option provides the following options,
allowing you to specify the attributes for uniquely identifying each object in the connected
data system:
l Available attributes: Lists the attributes that are available in the external data
system. Use this list to select the attributes whose values you want to use to
generate a unique identifier for each object in the external data system. You can filter
attributes by typing in the text box at the top of this list. To select multiple attributes,
hold down CTRL and click to select attributes in the list.
l UniqueID attributes: Lists the attributes whose values are currently used to
generate a unique identifier for each object in the external data system.

l Add->: Moves the selected attributes from the Available attributes list to the
UniqueID attributes list.
l <-Remove: Moves the selected attributes from the UniqueID attributes list to the
Available attributes list.
l Constructed UniqueID: Displays a combination of the attributes whose values will
make up a unique identifier for each object in the external data system.

Sample SQL queries for working with an Oracle Database

The sample queries provided below are only applicable if Synchronization Service is
connected to the target Oracle Database through the Oracle Database Connector.

Example: Adding a new entry

This SQL query illustrates how to add a new entry to the table named
SQLConnTest1 in Oracle Database to which you want to provision data from another
connected system.

Table 12: Adding a new entry to the SQLConnTest1 table

Database table structure:
CREATE TABLE "SQLConnTest1"("Id" number, "attr1" nchar(64), "attr2" nchar(64))

Sample query:
INSERT INTO "SQLConnTest1"("attr1") VALUES (:attr1) RETURNING "Id" INTO :Id

Because the table and its columns were created with quoted, case-sensitive names, the
query quotes them as well; unquoted names would be folded to upper case and not match.
In this sample query, Id stands for the attribute that uniquely identifies each object
in the Oracle Database.

Example: Creating a new user

This SQL query illustrates how to create a new user in the Oracle Database:
call dbms_utility.exec_ddl_statement('CREATE USER ' || :USERNAME || ' IDENTIFIED BY ' || :newPassword)
In this sample query:
l USERNAME refers to the name of the attribute that uniquely identifies the user in
the Oracle Database.

l newPassword refers to the name of the attribute that will store the initial
password you want to set for the new Oracle Database user.

Working with Oracle Database user accounts

This section describes how to create or modify a connection to Oracle Database user
accounts with the Active Roles Synchronization Service. It also lists the type of data you
can read and/or write in Oracle Database user accounts with the Synchronization Service.
To create a connection to Oracle Database user accounts and work with the user accounts
in that data system, use the Oracle Database User Account Connector of the
Synchronization Service.
The Oracle Database User Account Connector supports the following features:

Table 13: Oracle Database User Account Connector – Supported features

Feature: Bidirectional synchronization
Supported: Yes
Specifies whether you can both read and write data in the connected data system.

Feature: Delta processing mode
Supported: No
Specifies whether the connection can process only the data that has changed in the
connected data system since the last synchronization operation. This reduces the
overall synchronization duration.

Feature: Password synchronization
Supported: Yes
Specifies whether you can synchronize user passwords from an Active Directory (AD)
domain to the connected data system.
NOTE: Password synchronization is only supported for user accounts that are
authenticated entirely by Oracle Database. The Oracle Database User Accounts
Connector does not support password synchronization for Oracle Database user
accounts that use external or global authentication from the side of the connected
Oracle system.

Creating an Oracle Database user accounts connection

You can create a new Oracle Database user accounts connection in the Synchronization
Service Console.

To create a new Oracle Database user accounts connection

1. In the Synchronization Service Console, open the Connections tab.


2. Click Add connection, then use the following options:
l Connection name: Type a descriptive name for the connection.
l Use the specified connector: Select Oracle Database User
Accounts Connector.
3. Click Next.
4. On the Specify connection settings page, use the following options:
l Oracle service name: Specify the name of the Oracle service you want to use
to access Oracle Database user accounts. You can click Refresh to get a list of
available Oracle services.
l Access Oracle service with: Type the user name and password of the
account with which you want to access the Oracle service.
l To test the connection with the new parameters, click Test connection.
5. Click Next.
6. On the Specify how to select and modify data page, use the following options:
l Use data from this table: Allows you to select a database table that includes
the data you want to participate in the synchronization operations. You can
click Preview to preview the database table you have selected.
l Use an SQL query to specify data: Allows you to compose an SQL query
that provides a more flexible way for specifying the data for synchronization.
For example, you can use this option to specify multiple database tables.
7. Click Next.
8. On the Specify attributes to identify objects page, use the following options:
l Available attributes: Lists the attributes that are available in the external
data system. Use this list to select the attributes whose values you want to use
to generate a unique identifier for each object in the external data system. You
can filter attributes by typing in the text box at the top of this list. To select
multiple attributes, hold down CTRL and click to select attributes in the list.
l UniqueID attributes: Lists the attributes whose values are currently used to
generate a unique identifier for each object in the external data system.
l Add->: Moves the selected attributes from the Available attributes list to
the UniqueID attributes list.

l <-Remove: Moves the selected attributes from the UniqueID attributes list
to the Available attributes list.
l Constructed UniqueID: Displays a combination of the attributes whose
values will make up a unique identifier for each object in the external
data system.
9. To complete configuring the connection to the Oracle Database, click Finish.

After connecting Synchronization Service to the Oracle Database with the Oracle Database
User Accounts Connector, you can specify custom SQL queries that run automatically
each time Synchronization Service creates, updates, or deletes a user account in
Oracle Database User Accounts. For more information, see Modifying an existing Oracle
Database connection.

Modifying an existing Oracle Database user account connection

You can modify an existing Oracle Database user accounts connection in the
Synchronization Service Console.

To modify an Oracle Database user accounts connection

1. In the Synchronization Service Console, open the Connections tab.


2. On the Connection Settings tab, click an appropriate item to expand it and use the
options it provides.
You can expand the following items:
l Specifying connection settings for an Oracle Database user account connection
l Configuring advanced settings for an Oracle Database or Oracle Database user
account connection
3. Click Save.

Specifying connection settings for an Oracle Database user account connection

The Specify connection settings option provides the following settings, allowing you to
modify the connection:
l Oracle service name: Specify the name of the Oracle service you want to use to
access Oracle Database user accounts. You can click Refresh to get a list of available
Oracle services.
l Access Oracle service with: Type the user name and password of the account with
which you want to access the Oracle service.
l To test the connection with the new parameters, click Test connection.

Configuring advanced settings for an Oracle Database or Oracle Database user account connection

The Advanced setting provides the following options for specifying custom SQL queries
that run automatically each time Synchronization Service creates, updates, or deletes a
user account in Oracle Database:
l SQL queries to run after user provisioned: Specifies the SQL queries to run each
time Synchronization Service creates a user account in the Oracle Database.
l SQL queries to run after user updated: Specifies the SQL queries to run each
time Synchronization Service updates a user account in the Oracle Database.
l SQL queries to run after user deprovisioned: Specifies the SQL queries to run
each time Synchronization Service deletes a user account in the Oracle Database.

Below each of these options, you can use the following buttons:
l Add: Adds a new SQL query to the list.
l Edit: Allows you to edit the SQL query selected in the list.
l Delete: Deletes the SQL query selected in the list.

SQL queries run in the order they are listed. If necessary, you can rearrange the SQL
queries in the lists: select an SQL query in the appropriate list, then click the up or down
arrow button to move the query as necessary.

Sample SQL queries for working with Oracle Database user accounts

This section provides some SQL query examples that you can use as a baseline for your own
queries toward the connected Oracle Database system.

Example: Calling an Oracle stored procedure

This SQL query illustrates how to call a specific Oracle stored procedure:
CALL "<ProcedureName>"('&USERNAME')
In this query:
l ProcedureName specifies the name of the Oracle stored procedure you
want to call.
l USERNAME refers to the name of the attribute that uniquely identifies a user in
the target Oracle Database system.

Example: Creating a new user in the Oracle Database

This SQL query illustrates how to create a new user in the connected Oracle
Database:
insert into DatabaseTable(ColumnName) values (upper('&USERNAME'))
In this sample query:
l DatabaseTable specifies the name of the table into which the entry will
be added.
l USERNAME refers to the name of the attribute that uniquely identifies a user in
the target Oracle Database system.
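
As an added example (not from the guide), the following query set shows how the two placeholder styles documented above, bind variables (:attr) for the Oracle Database Connector and text substitution (&attr) for the Oracle Database User Accounts Connector, combine into post-provisioning hooks. With bind variables, any DDL has to be built as a string and run through dbms_utility.exec_ddl_statement, because Oracle does not accept bind variables in DDL (which is why the guide's CREATE USER sample is written that way); with text substitution, DDL can be issued directly. The SYNC_AUDIT table and the SYNC_USER_PROFILE profile are assumed to exist; their names are constructed for this example.

```sql
-- Oracle Database Connector: placeholders are bind variables (:attr).
-- Each statement below is added as its own entry under
-- "SQL queries to run after user provisioned"; entries run in the listed order.

-- 1. Record the provisioning event (SYNC_AUDIT is an assumed audit table).
INSERT INTO SYNC_AUDIT (event_type, username, event_time)
VALUES ('PROVISION', UPPER(:USERNAME), SYSTIMESTAMP)

-- 2. Bind variables cannot appear in DDL, so the GRANT is assembled as a
--    string and executed through dbms_utility.exec_ddl_statement, exactly as
--    the guide's CREATE USER sample does. Only CREATE SESSION is granted.
CALL dbms_utility.exec_ddl_statement('GRANT CREATE SESSION TO ' || :USERNAME)

-- 3. Attach a restrictive profile (SYNC_USER_PROFILE is assumed to exist).
CALL dbms_utility.exec_ddl_statement('ALTER USER ' || :USERNAME || ' PROFILE SYNC_USER_PROFILE')

-- Oracle Database User Accounts Connector: placeholders are substituted as
-- text (&attr) before the statement runs, so DDL can be issued directly.

-- "SQL queries to run after user provisioned":
GRANT CREATE SESSION TO &USERNAME

ALTER USER &USERNAME PROFILE SYNC_USER_PROFILE

-- "SQL queries to run after user deprovisioned": the account has already been
-- dropped at this point, so the query can only touch other objects, such as
-- writing the audit record for the deletion.
INSERT INTO SYNC_AUDIT (event_type, username, event_time)
VALUES ('DEPROVISION', UPPER('&USERNAME'), SYSTIMESTAMP)
```

Add each statement as a separate entry in the appropriate list; the order of the entries is the order in which they run.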

Working with Exchange Server


This section describes how to create or modify a connection to Microsoft Exchange Server
so that Synchronization Service can read and write data in that data system. It also
describes what data you can read and/or write in Exchange Server by using
Synchronization Service.
To create a connection to Microsoft Exchange, use Synchronization Service together with
the Exchange Server Connector, which is included in the Synchronization Service package.
The Exchange Server Connector supports the following features:

Table 14: Exchange Server Connector – Supported features

Feature: Bidirectional synchronization
Supported: Yes
Specifies whether you can both read and write data in the connected data system.

Feature: Delta processing mode
Supported: No
Specifies whether the connection can process only the data that has changed in the
connected data system since the last synchronization operation. This reduces the
overall synchronization duration.

Feature: Password synchronization
Supported: No
Specifies whether you can synchronize user passwords from an Active Directory (AD)
domain to the connected data system.

Creating a new connection to Exchange Server
To create a new connection

1. In the Synchronization Service Console, open the Connections tab.


2. Click Add connection, then use the following options:
l Connection name: Type a descriptive name for the connection.
l Use the specified connector: Select Exchange Server Connector.
3. Click Next.
4. On the Specify connection settings page, use the following options:
l Select the Exchange Server version to which you want to connect:
Select the Exchange Server version to which you want to connect. If you select
the Automatically select latest version option, the connector searches your
environment for available Exchange Server 2019, 2016, or 2013, and connects
to the latest of these versions found. Use the Automatically select latest
version option only together with the Any available Exchange Server in
the forest option.
l Connect to: Choose how you want to connect to Exchange Server by selecting
one of the following:
l Any available Exchange Server in the forest: Allows you to connect
to any available Exchange Server computer residing in the Active
Directory forest you specify. In the Domain in the forest text box, type
the fully qualified domain name (FQDN) of any domain that belongs to
the forest that includes the Exchange Server you want to connect to. If
you select this option, make sure the account you specify under Access
Exchange Server using has sufficient permissions to read the Root
Directory Service Entry (rootDSE) and configuration naming context of
the forest.
l Specified Exchange Server: Allows you to connect to the Exchange
Server computer whose fully qualified domain name (FQDN) you type in
the provided text box.
l Advanced: Opens a dialog that allows you to specify advanced options for
connecting to Exchange Server and reading and writing Exchange configuration
data in Active Directory.
l Options related to reading and writing Exchange configuration data in
Active Directory:
l Use default domain controller: Causes Synchronization Service to
read and write Exchange configuration data in Active Directory by using
the default domain controller defined on the Exchange Server used for
the connection.

l Use specified domain controller: Causes Synchronization Service to
read and write Exchange configuration data in Active Directory by using
the domain controller whose FQDN is specified in the text box below
this option.
l Options related to connecting to Exchange Server:
l Connect using HTTPS: Select this check box to connect to Exchange
Server by using HTTPS.
l Validate server certificate: Select this check box to validate the server
certificate of the target Exchange Server.
l Authentication method: Select an authentication method to access
Exchange Server.
l Access Exchange Server using: Select one of the following access options:
l Synchronization Service account: Allows you to access Exchange
Server in the security context of the account under which the
Synchronization Service is running.
l Windows account: Allows you to access Exchange Server in the
security context of the account whose user name and password you type
in the provided text box.
l To test the connection with the new parameters, click Test connection.
5. Click Finish.

Modifying an existing connection to Exchange Server

To modify connection settings

1. In the Synchronization Service Console, open the Connections tab.


2. Click Add connection, then use the following options:
l Connection name: Type a descriptive name for the connection.
l Use the specified connector: Select Exchange Server Connector.
3. Click Next.
4. On the Specify connection settings page, use the following options:
l Select the Exchange Server version to which you want to connect:
Select the Exchange Server version to which you want to connect. If you select
the Automatically select latest version option, the connector searches your
environment for available Exchange Server 2019, 2016, or 2013, and connects
to the latest of these versions found. Use the Automatically select latest
version option only together with the Any available Exchange Server in
the forest option.

l Connect to: Choose how you want to connect to Exchange Server by selecting
one of the following:
l Any available Exchange Server in the forest: Allows you to connect
to any available Exchange Server computer residing in the Active
Directory forest you specify. In the Domain in the forest text box, type
the fully qualified domain name (FQDN) of any domain that belongs to
the forest that includes the Exchange Server you want to connect to. If
you select this option, make sure the account you specify under Access
Exchange Server using has sufficient permissions to read the Root
Directory Service Entry (rootDSE) and configuration naming context of
the forest.
l Specified Exchange Server: Allows you to connect to the Exchange
Server computer whose fully qualified domain name (FQDN) you type in
the provided text box.
l Advanced: Opens a dialog that allows you to specify advanced options for
connecting to Exchange Server and reading and writing Exchange configuration
data in Active Directory.
l Options related to reading and writing Exchange configuration data in
Active Directory:
l Use default domain controller: Causes Synchronization Service to
read and write Exchange configuration data in Active Directory by using
the default domain controller defined on the Exchange Server used for
the connection.
l Use specified domain controller: Causes Synchronization Service to
read and write Exchange configuration data in Active Directory by using
the domain controller whose FQDN is specified in the text box below
this option.
l Options related to connecting to Exchange Server:
l Connect using HTTPS: Select this check box to connect to Exchange
Server by using HTTPS.
l Validate server certificate: Select this check box to validate the server
certificate of the target Exchange Server.
l Authentication method: Select an authentication method to access
Exchange Server.
l Access Exchange Server using: Select one of the following access options:
l Synchronization Service account: Allows you to access Exchange
Server in the security context of the account under which the
Synchronization Service is running.
l Windows account: Allows you to access Exchange Server in the
security context of the account whose user name and password you type
in the provided text box.
l To test the connection with the new parameters, click Test connection.
5. When you are finished, click Save.

Exchange Server data supported out of the box
The next table lists the Exchange Server object types supported by the Exchange Server
Connector out of the box and the operations you can perform on these objects by using
the connector.

Table 15: Supported objects and operations

All object types in this table work with the Exchange Server versions supported by
Active Roles. For more information on the Microsoft Exchange Server versions supported
by Active Roles, see System requirements in the Active Roles Release Notes.

ActiveSyncMailboxPolicy (Read: Yes; Create: No; Delete: No; Update: No)
Allows you to read the Mobile Device mailbox policy settings for a specified Mobile
Device mailbox policy.

AddressBookPolicy (Read: Yes; Create: No; Delete: No; Update: No)
Allows you to read data related to address book policies.

AddressList (Read: Yes; Create: No; Delete: No; Update: No)
Allows you to read data related to a specified address list.

DistributionGroup (Read: Yes; Create: Yes; Delete: Yes; Update: Yes)
Allows you to read or write data related to a specified distribution group.

DynamicDistributionGroup (Read: Yes; Create: Yes; Delete: Yes; Update: Yes)
Allows you to read or write data related to a specified dynamic distribution group.

ExchangeServer (Read: Yes; Create: No; Delete: No; Update: No)
Allows you to read attribute values of a specified Exchange Server.

GlobalAddressList (Read: Yes; Create: No; Delete: No; Update: No)
Allows you to read data related to a specified global address list (GAL).

Mailbox (Read: Yes; Create: Yes; Delete: Yes; Update: Yes)
Allows you to read or write data related to a specified mailbox.

MailboxDatabase (Read: Yes; Create: No; Delete: No; Update: No)
Allows you to read a specified mailbox database object.

MailContact (Read: Yes; Create: Yes; Delete: Yes; Update: Yes)
Allows you to read or write data related to a specified mail-enabled contact.
NOTE: The Exchange Server Connector cannot create new users in Active Directory. You
can create new AD users with the Active Directory Connector.

MailUser (Read: Yes; Create: Yes; Delete: Yes; Update: Yes)
Allows you to read or write data related to a specified mail-enabled user.
NOTE: The Exchange Server Connector cannot create new users in Active Directory. You
can create new AD users with the Active Directory Connector.

OfflineAddressBook (Read: Yes; Create: No; Delete: No; Update: No)
Allows you to read data related to an offline address book (OAB).

OrganizationConfig (Read: Yes; Create: No; Delete: No; Update: No)
Allows you to read configuration data of an Exchange organization.

OwaMailboxPolicy (Read: Yes; Create: No; Delete: No; Update: No)
Allows you to read data related to Microsoft Office Outlook Web App mailbox policies in
the Exchange organization.

PublicFolder (Read: Yes; Create: No; Delete: No; Update: No)
Allows you to read data related to a public folder.

RoleAssignmentPolicy (Read: Yes; Create: No; Delete: No; Update: No)
Allows you to read data related to a management role assignment policy.

UmDialPlan (Read: Yes; Create: No; Delete: No; Update: No)
Allows you to read data related to a Unified Messaging (UM) dial plan.

UmMailboxPolicy (Read: Yes; Create: No; Delete: No; Update: No)
Allows you to read data related to a Unified Messaging (UM) mailbox policy.

For each of the Exchange Server object types listed above, Synchronization Service
provides a number of special attributes that allow you to read and/or write the data related
to that object type in Exchange Server. You can access and use these attributes from the
Synchronization Service Console (for example, when selecting the source and target
attributes you want to participate in the synchronization operation).
The next sections describe the attributes provided by Synchronization Service and explain
what data you can read and/or write in Exchange Server by using a particular attribute.

ActiveSyncMailboxPolicy object attributes

Table 16: ActiveSyncMailboxPolicy attributes

Attribute: ObjectID
Type: Single-valued, string
Description: Gets the unique identifier for a specified object in Exchange Server.
Supported operations: Read

Other attributes provided for the ActiveSyncMailboxPolicy object have the same names
and descriptions as parameters of the following Exchange Management Shell cmdlet:
l Get-ActiveSyncMailboxPolicy

AddressBookPolicy object attributes

Table 17: AddressBookPolicy attributes

Attribute: ObjectID
Type: Single-valued, string
Description: Gets the unique identifier for a specified object in Exchange Server.
Supported operations: Read

Other attributes provided for the AddressBookPolicy object have the same names and
descriptions as parameters of the following Exchange Management Shell cmdlet:
l Get-AddressBookPolicy

AddressList object attributes

Table 18: AddressList object attributes

Attribute: ObjectID
Type: Single-valued, string
Description: Gets the unique identifier for a specified object in Exchange Server.
Supported operations: Read

Other attributes provided for the AddressList object have the same names and
descriptions as parameters of the following Exchange Management Shell cmdlet:
l Get-AddressList

DistributionGroup object attributes

Table 19: DistributionGroup attributes

Attribute: Members
Type: Multivalued, reference
Description: Gets or sets the distribution group members.
For recipients, this attribute accepts any of the following values:
l Alias
l Canonical DN
l Display Name
l Distinguished Name (DN)
l Domain\Account
l GUID
l Immutable ID
l Legacy Exchange DN
l SMTP Address
l User Principal Name
For Active Directory users, this attribute accepts any of the following values:
l Distinguished Name (DN)
l Domain\Account
l GUID
l User Principal Name (UPN)
Supported operations: Read, Write

Attribute: ObjectID
Type: Single-valued, string
Description: Gets the unique identifier for a specified object in Exchange Server.
Supported operations: Read

Other attributes provided for the DistributionGroup object have the same names and
descriptions as parameters or return types of the following Exchange Management
Shell cmdlets:
l Enable-DistributionGroup
l Get-DistributionGroup
l Set-DistributionGroup

DynamicDistributionGroup object attributes

Table 20: DynamicDistributionGroup attributes

Attribute   Type                    Description                                         Supported operations
ObjectID    Single-valued, string   Gets the unique identifier for a specified object   Read
                                    in Exchange Server.

Other attributes provided for the DynamicDistributionGroup object have the same names
and descriptions as parameters or return types of the following Exchange Management
Shell cmdlets:
• Get-DynamicDistributionGroup
• New-DynamicDistributionGroup
• Set-DynamicDistributionGroup

ExchangeServer object attributes

Table 21: ExchangeServer attributes

Attribute   Type                    Description                                         Supported operations
ObjectID    Single-valued, string   Gets the unique identifier for a specified object   Read
                                    in Exchange Server.

Other attributes provided for the ExchangeServer object have the same names and
descriptions as parameters of the following Exchange Management Shell cmdlet:
• Get-ExchangeServer

GlobalAddressList object attributes

Table 22: GlobalAddressList attributes

Attribute   Type                    Description                                         Supported operations
ObjectID    Single-valued, string   Gets the unique identifier for a specified object   Read
                                    in Exchange Server.

Other attributes provided for the GlobalAddressList object have the same names and
descriptions as parameters of the following Exchange Management Shell cmdlet:
• Get-GlobalAddressList

Mailbox object attributes

Table 23: Mailbox attributes

Attribute                  Type                    Description                                       Supported operations
LinkedCredentialLogin      Single-valued, string   Specifies the user name of the account with       Write
                                                   which you want to access the domain controller
                                                   specified in the LinkedDomainController
                                                   attribute.
LinkedCredentialPassword   Single-valued, string   Specifies the password that matches the user      Write
                                                   name specified in the LinkedCredentialLogin
                                                   attribute.
MoveMailboxTo              Single-valued, string   Moves the mailbox to the Exchange Server          Write
                                                   database whose name is specified in this
                                                   attribute.
ObjectID                   Single-valued, string   Gets the unique identifier for a specified        Read
                                                   object in Exchange Server.
RecipientTypeDetails       Single-valued, string   Gets or sets a mailbox type.                      Read, Write
                                                   When you create a mailbox object, this
                                                   attribute supports the following values:
                                                   • DiscoveryMailbox
                                                   • EquipmentMailbox
                                                   • RoomMailbox
                                                   • SharedMailbox
                                                   • UserMailbox
                                                   When you update a mailbox object, this
                                                   attribute supports the following values:
                                                   • EquipmentMailbox
                                                   • RoomMailbox
                                                   • SharedMailbox
                                                   • UserMailbox
                                                   When you read data of a mailbox object, this
                                                   attribute supports the following values:
                                                   • DiscoveryMailbox
                                                   • EquipmentMailbox
                                                   • LegacyMailbox
                                                   • LinkedMailbox
                                                   • RoomMailbox
                                                   • SharedMailbox
                                                   • UserMailbox

Other attributes provided for the Mailbox object have the same names and descriptions as
parameters or return types of the following Exchange Management Shell cmdlets:
• Set-CalendarProcessing
• Get-CASMailbox
• Set-CASMailbox
• Disable-Mailbox (called by Archive and RemoteArchive attributes)
• Enable-Mailbox (called by Archive and RemoteArchive attributes)
• Get-Mailbox
• Set-Mailbox
• Get-MailboxAutoReplyConfiguration
• Set-MailboxAutoReplyConfiguration
• Get-MailboxStatistics
• Get-MoveRequest
• New-MoveRequest
• Remove-MoveRequest
• Set-MoveRequest
• Disable-UMMailbox (called by UMEnabled attribute)
• Enable-UMMailbox (called by UMEnabled attribute)
• Get-UMMailbox
• Set-UMMailbox
• Get-UMMailboxPIN
• Set-UMMailboxPIN

NOTE: Some attributes may perform actions by calling certain Exchange Management
Shell cmdlets, as noted in the table.

MailContact object attributes

Table 24: MailContact attributes

Attribute   Type                    Description                                         Supported operations
ObjectID    Single-valued, string   Gets the unique identifier for a specified object   Read
                                    in Exchange Server.

Other attributes provided for the MailContact object have the same names and
descriptions as parameters or return types of the following Exchange Management
Shell cmdlets:
• Enable-MailContact
• Get-MailContact
• Set-MailContact

NOTE: The Exchange Server Connector cannot create new users in Active Directory. You
can create new AD users with the Active Directory Connector.

MailboxDatabase object attributes

Table 25: MailboxDatabase attributes

Attribute   Type                    Description                                         Supported operations
ObjectID    Single-valued, string   Gets the unique identifier for a specified object   Read
                                    in Exchange Server.

Other attributes provided for the MailboxDatabase object have the same names and
descriptions as parameters of the following Exchange Management Shell cmdlet:
• Get-MailboxDatabase

MailUser object attributes

Table 26: MailUser attributes

Attribute   Type                    Description                                         Supported operations
ObjectID    Single-valued, string   Gets the unique identifier for a specified object   Read
                                    in Exchange Server.

Other attributes provided for the MailUser object have the same names and descriptions as
parameters or return types of the following Exchange Management Shell cmdlets:
• Enable-MailUser
• Get-MailUser
• Set-MailUser

NOTE: The Exchange Server Connector cannot create new users in Active Directory. You
can create new AD users with the Active Directory Connector.

OfflineAddressBook object attributes

Table 27: OfflineAddressBook attributes

Attribute   Type                    Description                                         Supported operations
ObjectID    Single-valued, string   Gets the unique identifier for a specified object   Read
                                    in Exchange Server.

Other attributes provided for the OfflineAddressBook object have the same names and
descriptions as parameters of the following Exchange Management Shell cmdlet:
• Get-OfflineAddressBook

OrganizationConfig object attributes

Table 28: OrganizationConfig attributes

Attribute   Type                    Description                                         Supported operations
ObjectID    Single-valued, string   Gets the unique identifier for a specified object   Read
                                    in Exchange Server.

Other attributes provided for the OrganizationConfig object have the same names and
descriptions as parameters of the following Exchange Management Shell cmdlet:
• Get-OrganizationConfig

OwaMailboxPolicy object attributes

Table 29: OwaMailboxPolicy attributes

Attribute   Type                    Description                                         Supported operations
ObjectID    Single-valued, string   Gets the unique identifier for a specified object   Read
                                    in Exchange Server.

Other attributes provided for the OwaMailboxPolicy object have the same names and
descriptions as parameters of the following Exchange Management Shell cmdlet:
• Get-OwaMailboxPolicy

PublicFolder object attributes

Table 30: PublicFolder attributes

Attribute   Type                    Description                                         Supported operations
ObjectID    Single-valued, string   Gets the unique identifier for a specified object   Read
                                    in Exchange Server.

Other attributes provided for the PublicFolder object have the same names and
descriptions as parameters of the following Exchange Management Shell cmdlet:
• Get-PublicFolder

PublicFolderDatabase object attributes

Table 31: PublicFolderDatabase attributes

Attribute   Type                    Description                                         Supported operations
ObjectID    Single-valued, string   Gets the unique identifier for a specified object   Read
                                    in Exchange Server.

Other attributes provided for the PublicFolderDatabase object have the same names and
descriptions as parameters of the following Exchange Management Shell cmdlet:
• Get-PublicFolderDatabase

RoleAssignmentPolicy object attributes

Table 32: RoleAssignmentPolicy attributes

Attribute   Type                    Description                                         Supported operations
ObjectID    Single-valued, string   Gets the unique identifier for a specified object   Read
                                    in Exchange Server.

Other attributes provided for the RoleAssignmentPolicy object have the same names and
descriptions as parameters of the following Exchange Management Shell cmdlet:
• Get-RoleAssignmentPolicy

StorageGroup object attributes

Table 33: StorageGroup attributes

Attribute   Type                    Description                                         Supported operations
ObjectID    Single-valued, string   Gets the unique identifier for a specified object   Read
                                    in Exchange Server.

Other attributes provided for the StorageGroup object have the same names and
descriptions as parameters of the following Exchange Management Shell cmdlet:
• Get-StorageGroup

UmDialPlan object attributes

Table 34: UmDialPlan attributes

Attribute   Type                    Description                                         Supported operations
ObjectID    Single-valued, string   Gets the unique identifier for a specified object   Read
                                    in Exchange Server.

Other attributes provided for the UmDialPlan object have the same names and descriptions
as parameters of the following Exchange Management Shell cmdlet:
• Get-UMDialPlan

UmMailboxPolicy object attributes

Table 35: UmMailboxPolicy attributes

Attribute   Type                    Description                                         Supported operations
ObjectID    Single-valued, string   Gets the unique identifier for a specified object   Read
                                    in Exchange Server.

Other attributes provided for the UmMailboxPolicy object have the same names and
descriptions as parameters of the following Exchange Management Shell cmdlet:
• Get-UMMailboxPolicy

Scenario: Migrate mailboxes from one Exchange Server to another

To migrate a mailbox, you need to use the MoveMailboxTo attribute provided for the
Mailbox object. Update the value of the MoveMailboxTo attribute, so that it includes the
name or GUID of the Exchange Server database to which you want to move the mailbox.
As a result, the mailbox is migrated to the Exchange Server computer that hosts the
specified database.
NOTE: Before migrating mailboxes, consider the following:
• You can only migrate mailboxes between Exchange Servers that belong to the
  same Exchange organization.
• If the computers between which you want to migrate mailboxes run the same
  version of Exchange Server, make sure they have either no or the same Exchange
  Server Service Pack installed.

Configuring a connection to Exchange Server

Configure a connection to the Exchange Server installation you will use to move the
mailbox object. For more information on the Microsoft Exchange Server versions supported
by Active Roles, see System requirements in the Active Roles Release Notes.
NOTE: Both the source and target computers must have either the same Exchange
Server Service Packs installed, or no Exchange Server Service Packs installed at all.
For more information on how to configure a connection to Exchange Server, see Creating a
new connection to Exchange Server.

Creating a new sync workflow

For more information on how to create a new sync workflow, see Creating a sync workflow.

Configuring a step to update MoveMailboxTo attribute value

To configure a step to update MoveMailboxTo attribute value

1. In the sync workflow you created, create a new update step.
2. In the update step, select the target data system for the data synchronization
operation. This must be the Exchange Server to which you created the connection.
3. Configure the update step so that it updates the value of the MoveMailboxTo
attribute on the appropriate Mailbox objects. The new attribute value must
include the name or GUID of the Exchange Server database to which you want to
move the mailboxes.

For instructions on how to create and configure an update step, see Creating an
update step.

Running the sync workflow

For more information on how to run a sync workflow, see Running a sync workflow.
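The preconditions stated in the scenario (same Exchange organization, same version and Service Pack level on both computers) can be checked before the update step writes MoveMailboxTo. The following is an added Exchange Management Shell example, not code from this guide or from Active Roles; it assumes the mailbox identity and the MoveMailboxTo value (database name or GUID) are passed in, and uses only the standard Get-Mailbox, Get-MailboxDatabase, Get-ExchangeServer and Get-MoveRequest cmdlets.

```powershell
# Added example (not from the Active Roles guide). Run in the Exchange Management Shell
# before a sync workflow writes MoveMailboxTo. Requires PowerShell 3.0 or later.
function Test-MoveMailboxTarget {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string] $MailboxIdentity,
        [Parameter(Mandatory = $true)] [string] $TargetDatabase   # name or GUID, as MoveMailboxTo expects
    )

    $problems = @()

    # 1. The target database must exist in the organization the shell is connected to.
    #    Get-MailboxDatabase cannot see databases of another Exchange organization, which
    #    enforces the "same Exchange organization" rule of the scenario.
    $targetDb = Get-MailboxDatabase -Identity $TargetDatabase -ErrorAction SilentlyContinue
    if (-not $targetDb) {
        return New-Object psobject -Property @{
            Ok       = $false
            Problems = @("Target database '$TargetDatabase' was not found in this organization.")
        }
    }

    # 2. Resolve the mailbox and the database it currently lives in.
    $mailbox  = Get-Mailbox -Identity $MailboxIdentity -ErrorAction Stop
    $sourceDb = Get-MailboxDatabase -Identity $mailbox.Database
    if ($sourceDb.Guid -eq $targetDb.Guid) {
        $problems += "Mailbox '$MailboxIdentity' already resides in database '$($targetDb.Name)'."
    }

    # 3. Source and target servers must run the same Exchange version with the same Service
    #    Pack level (or none). AdminDisplayVersion includes the build number, which changes
    #    with each Service Pack or cumulative update, so a plain string comparison catches
    #    a mismatch.
    $sourceServer = Get-ExchangeServer -Identity $sourceDb.Server
    $targetServer = Get-ExchangeServer -Identity $targetDb.Server
    $sourceVer = "$($sourceServer.AdminDisplayVersion)"
    $targetVer = "$($targetServer.AdminDisplayVersion)"
    if ($sourceVer -ne $targetVer) {
        $problems += "Version mismatch: $($sourceServer.Name) runs '$sourceVer', $($targetServer.Name) runs '$targetVer'."
    }

    # 4. Surface any existing move request for the mailbox so it is reviewed before the
    #    MoveMailboxTo update requests a new one on the mailbox's behalf.
    $existing = Get-MoveRequest -Identity $MailboxIdentity -ErrorAction SilentlyContinue
    if ($existing) {
        $problems += "A move request for '$MailboxIdentity' already exists (status: $($existing.Status))."
    }

    New-Object psobject -Property @{
        Ok             = ($problems.Count -eq 0)
        Mailbox        = $mailbox.Alias
        SourceDatabase = $sourceDb.Name
        TargetDatabase = $targetDb.Name
        Problems       = $problems
    }
}

# Usage with placeholder values (replace with a real mailbox and database):
# Test-MoveMailboxTarget -MailboxIdentity 'jdoe' -TargetDatabase 'MailboxDatabase02'
```

Run it for each mailbox the update step will touch and only schedule the workflow when every result reports Ok.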

Working with Active Roles


To create a connection to Active Roles, you need to use Synchronization Service in
conjunction with a special connector called Active Roles Connector included in the
Synchronization Service package.
The Active Roles Connector supports the following Synchronization Service features:

Table 36: Active Roles Connector – Supported features

Feature                         Supported
Bidirectional synchronization   Yes
  Specifies whether you can both read and write data in the connected data
  system.
Delta processing mode           Yes
  Specifies whether the connection can process only the data that has
  changed in the connected data system since the last synchronization
  operation. This reduces the overall synchronization duration.
Password synchronization        Yes
  Specifies whether you can synchronize user passwords from an Active
  Directory (AD) domain to the connected data system.

The Active Roles Connector supports linked attributes in the Active Directory schema.
Linked attributes allow you to associate one object with another object. Linked attributes
exist in pairs:

• Forward link attribute: This is a linked attribute that exists on a source object (for
  example, the member attribute on the Group object). Forward link attributes can be
  single-valued or multivalued.
• Back link attribute: This is a linked attribute that can be specified on a target
  object (for example, the memberOf attribute on the User object). Back link attributes
  are multivalued and they must have a corresponding forward link attribute. Back link
  attributes are not stored in Active Directory. Rather, they are calculated based on the
  corresponding forward link attribute each time a query is issued.

Creating an Active Roles connection


You can create a connection to Active Roles right after you install Synchronization Service
on your computer.

To create a new connection

1. In the Synchronization Service Console, open the Connections tab.
2. Click Add connection, then use the following options:
   • Connection name: Type a descriptive name for the connection.
   • Use the specified connector: Select Active Roles Connector.
3. Click Next.
4. On the Specify connection settings page, use the following options:
   • Connect to: Allows you to specify the Active Roles Administration Service
     to be used by the Synchronization Service. You can use one of the
     following options:
     • Administration Service on the specified computer: Type the name
       of the computer running the Administration Service you want Active
       Roles to use.
     • Any Administration Service of the same configuration: Specify
       any Administration Service whose database holds the necessary
       configuration: type the DNS name of the computer running that
       Administration Service. If Active Roles replication is used to synchronize
       configuration data, this must be any Administration Service whose
       database server acts as the Publisher for the configuration database.
   • Active Roles version: Prompts you to specify the version of the Active Roles
     Administration Service to which you want to connect. You can choose to
     connect either to version 7.0 or later or to version 6.9 or earlier. In the latter
     case, you have to install the Active Roles ADSI Provider of the respective legacy
     Active Roles version on the computer running the Synchronization Service. For
     installation instructions, see the Active Roles Quick Start Guide for version 6.9
     or earlier.

   • Access Active Roles Administration Service using: Allows you to specify
     an authentication option to access the Active Roles Administration Service. You
     can use one of the following options:
     • Active Roles account: Allows you to access the Administration Service
       in the security context of the user account under which the Active Roles
       is running.
     • Windows account: Allows you to access the Administration Service in
       the security context of the user account whose user name and password
       you specify below this option.
   • To test the connection with the new parameters, click Test connection.
5. Click Finish to create a connection to Active Roles.

Modifying an Active Roles connection


To modify connection settings

1. In the Synchronization Service Console, open the Connections tab.
2. Click Connection settings below the existing Active Roles connection you
   want to modify.
3. On the Specify connection settings page, use the following options:
   • Connect to: Allows you to specify the Active Roles Administration Service
     to be used by the Synchronization Service. You can use one of the
     following options:
     • Administration Service on the specified computer: Type the name
       of the computer running the Administration Service you want Active
       Roles to use.
     • Any Administration Service of the same configuration: Specify
       any Administration Service whose database holds the necessary
       configuration: type the DNS name of the computer running that
       Administration Service. If Active Roles replication is used to synchronize
       configuration data, this must be any Administration Service whose
       database server acts as the Publisher for the configuration database.
   • Active Roles version: Prompts you to specify the version of the Active Roles
     Administration Service to which you want to connect. You can choose to
     connect either to version 7.0 or later or to version 6.9 or earlier. In the latter
     case, you have to install the Active Roles ADSI Provider of the respective legacy
     Active Roles version on the computer running the Synchronization Service. For
     installation instructions, see the Active Roles Quick Start Guide for version 6.9
     or earlier.
   • Access Active Roles Administration Service using: Allows you to specify
     an authentication option to access the Active Roles Administration Service. You
     can use one of the following options:
     • Active Roles account: Allows you to access the Administration Service
       in the security context of the user account under which the Active Roles
       is running.
     • Windows account: Allows you to access the Administration Service in
       the security context of the user account whose user name and password
       you specify below this option.
   • To test the connection with the new parameters, click Test connection.
4. Click Save.

Working with One Identity Manager


To create a connection to One Identity Manager, use the One Identity Manager
Connector of Active Roles Synchronization Service.
The One Identity Manager Connector supports the following Synchronization Service
features:

Table 37: One Identity Manager Connector – Supported features

Feature                         Supported
Bidirectional synchronization   Yes
  Specifies whether you can both read and write data in the connected data
  system.
Delta processing mode           Yes
  Specifies whether the connection can process only the data that has
  changed in the connected data system since the last synchronization
  operation. This reduces the overall synchronization duration.
Password synchronization        No
  Specifies whether you can synchronize user passwords from an Active
  Directory (AD) domain to the connected data system.

Creating a One Identity Manager connection


Synchronization Service supports One Identity Manager, allowing you to create a
connection to Identity Manager right after installing Synchronization Service.

To create a new Identity Manager connection

1. In the Synchronization Service Console, open the Connections tab.
2. Click Add connection, then use the following options:
   • Connection name: Type a descriptive name for the connection.
   • Use the specified connector: Select One Identity Manager Connector.
3. Click Next.
4. On the Specify connection settings page, use the following options:
   • Application Server URL: Specify the address of the One Identity Manager
     application server to which you want to connect.
   • Authentication module: Identifies the One Identity Manager authentication
     module that is to be used to verify the connection’s user ID and password.
   • User name: Specify the user ID for this connection.
   • Password: Specify the password of the user ID for this connection.
   • To test the connection with the new parameters, click Test connection.
5. Click Next.
   The One Identity Manager modules, target systems, and containers appear.
6. Select the required One Identity Manager modules.
   NOTE: The One Identity Manager target systems and One Identity Manager containers
   are applicable only for the Target System Base module (that is, UNS<x>B tables).
7. To finish creating the connection to One Identity Manager, click Finish.

Modifying a One Identity Manager connection


You can modify an existing One Identity Manager Connector in the Active Roles
Synchronization Service Console.

To modify an existing One Identity Manager connection

1. In the Synchronization Service Console, open the Connections tab.
2. Click Connection settings below the existing One Identity Manager connection you
   want to modify.
3. On the Specify connection settings page, use the following options:
   • Application Server URL: Specify the address of the One Identity Manager
     application server to which you want to connect.
   • Authentication module: Identifies the One Identity Manager authentication
     module that is to be used to verify the connection’s user ID and password.
   • User name: Specify the user ID for this connection.
   • Password: Specify the password of the user ID for this connection.
   • To test the connection with the new parameters, click Test connection.
4. Click Next.
   The One Identity Manager modules, target systems, and containers are displayed.
5. Select the required One Identity Manager modules.
   NOTE: The One Identity Manager target systems and One Identity Manager containers
   are applicable only for the Target System Base module (that is, UNS<x>B tables).
6. To finish creating the One Identity Manager connection, click Finish.

One Identity Manager Connector configuration file


One Identity Manager Connector saves its configuration settings in the configuration file
(.xml file) located in the Active Roles Synchronization Service installation folder. You can
edit the XML elements in the file to configure the various parameters of the One Identity
Manager Connector. The table below describes the XML elements you can edit.

Table 38: XML elements

XML element               Description
<ExcludeDeletedObjects>   Specifies how Active Roles will treat objects marked as deleted in
                          Identity Manager. This element can take one of the following values:
                          • TRUE: Specifies to ignore deleted objects during data
                            synchronization operations.
                          • FALSE: Specifies to process deleted objects during data
                            synchronization operations.
                          For example:

                          <ExcludeDeletedObjects>
                          TRUE
                          </ExcludeDeletedObjects>

<PasswordAttributes>      Specifies the default Identity Manager attribute to be used for
                          storing passwords for objects of a particular type. Specifying an
                          attribute for storing passwords in the Active Roles GUI overrides
                          the value set in this XML element.
                          For example:

                          <PasswordAttributes>
                            <PasswordAttributeDefinitions>
                              <PasswordAttributeDefinition objectType="Person" attribute="CentralPassword" />
                            </PasswordAttributeDefinitions>
                          </PasswordAttributes>

<ReadFullSync>            Specifies a value of the FullSync variable for Read operations
                          performed in Identity Manager.
<CreateFullSync>          Specifies a value of the FullSync variable for Create operations
                          performed in Identity Manager.
<ModifyFullSync>          Specifies a value of the FullSync variable for Modify operations
                          performed in Identity Manager.
<DeleteFullSync>          Specifies a value of the FullSync variable for Delete operations
                          performed in Identity Manager.
<ObjRefFullSync>          Specifies a value of the FullSync variable for Modify Object
                          Reference operations performed in Identity Manager.
<SyncStatusFullSync>      Specifies a value of the FullSync variable for Sync Status
                          operations performed in Identity Manager.

For more information about the FullSync variable and the values it can take, see the One
Identity Manager documentation.
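Because the connector reads these elements from a file in the installation folder, a review of that file is the quickest way to confirm how deleted objects and password storage are handled. The following is an added PowerShell example, not code from this guide or from the One Identity Manager Connector; the root element name and the file path are placeholders, and the sample document is constructed from the elements in Table 38 only.

```powershell
# Added example (not from the Active Roles guide). Reports the settings described in
# Table 38 from a One Identity Manager Connector configuration document.
function Get-OimConnectorConfigReport {
    param([Parameter(Mandatory = $true)] [xml] $Config)

    $root = $Config.DocumentElement   # root element name is not documented; we do not rely on it

    # ExcludeDeletedObjects: trim and compare case-insensitively, because the guide's own
    # example puts the value on its own line surrounded by whitespace.
    $excludeNode = $root.SelectSingleNode('ExcludeDeletedObjects')
    $excludeRaw  = if ($excludeNode) { $excludeNode.InnerText.Trim() } else { $null }
    $excludeDeleted = if ($excludeRaw -ieq 'TRUE') { $true }
                      elseif ($excludeRaw -ieq 'FALSE') { $false }
                      else { $null }   # missing or not a recognised value

    # PasswordAttributes: one definition per object type, naming the attribute that
    # receives synchronized passwords (a GUI setting can still override it).
    $pwdDefs = @()
    $defPath = 'PasswordAttributes/PasswordAttributeDefinitions/PasswordAttributeDefinition'
    foreach ($def in $root.SelectNodes($defPath)) {
        $pwdDefs += New-Object psobject -Property @{
            ObjectType = $def.GetAttribute('objectType')
            Attribute  = $def.GetAttribute('attribute')
        }
    }

    # FullSync switches, one element per operation type.
    $fullSync = @{}
    $names = 'ReadFullSync', 'CreateFullSync', 'ModifyFullSync',
             'DeleteFullSync', 'ObjRefFullSync', 'SyncStatusFullSync'
    foreach ($name in $names) {
        $node = $root.SelectSingleNode($name)
        $fullSync[$name] = if ($node) { $node.InnerText.Trim() } else { '(not set)' }
    }

    $warnings = @()
    if ($null -eq $excludeDeleted) {
        $warnings += "ExcludeDeletedObjects is missing or not TRUE/FALSE (value: '$excludeRaw')."
    } elseif (-not $excludeDeleted) {
        $warnings += 'ExcludeDeletedObjects is FALSE: objects marked deleted in Identity Manager are processed.'
    }
    if ($pwdDefs.Count -eq 0) {
        $warnings += 'No PasswordAttributeDefinition found: no default attribute for stored passwords.'
    }

    New-Object psobject -Property @{
        ExcludeDeletedObjects = $excludeDeleted
        PasswordAttributes    = $pwdDefs
        FullSync              = $fullSync
        Warnings              = $warnings
    }
}

# Constructed sample document (root element name is a placeholder, not the connector's own).
$sampleXml = [xml] @'
<ConnectorConfiguration>
  <ExcludeDeletedObjects>
    TRUE
  </ExcludeDeletedObjects>
  <PasswordAttributes>
    <PasswordAttributeDefinitions>
      <PasswordAttributeDefinition objectType="Person" attribute="CentralPassword" />
    </PasswordAttributeDefinitions>
  </PasswordAttributes>
  <ReadFullSync>true</ReadFullSync>
  <ModifyFullSync>false</ModifyFullSync>
</ConnectorConfiguration>
'@

$report = Get-OimConnectorConfigReport -Config $sampleXml
$report.Warnings
$report.PasswordAttributes | Format-Table ObjectType, Attribute
$report.FullSync

# For the live file, substitute the real path from the installation folder:
# Get-OimConnectorConfigReport -Config ([xml](Get-Content '<install folder>\<connector config>.xml' -Raw))
```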

Working with a delimited text file


This section describes how to create or modify a connection to a delimited text file so that
Synchronization Service can work with data in that file.
To create a connection to a delimited text file, you need to use Synchronization Service in
conjunction with a special connector called Delimited Text File Connector. This connector is
included in the Synchronization Service package.
The Delimited Text File Connector supports the following features:

Table 39: Delimited Text File Connector – Supported features

Feature                         Supported
Bidirectional synchronization   No
  Specifies whether you can both read and write data in the connected data
  system.
Delta processing mode           Yes
  Specifies whether the connection can process only the data that has
  changed in the connected data system since the last synchronization
  operation. This reduces the overall synchronization duration.
Password synchronization        No
  Specifies whether you can synchronize user passwords from an Active
  Directory (AD) domain to the connected data system.

Creating a delimited text file connection


To create a new connection

1. In the Synchronization Service Console, open the Connections tab.
2. Click Add connection, then use the following options:
   • Connection name: Type a descriptive name for the connection.
   • Use the specified connector: Select Delimited Text File Connector.
3. Click Next.
4. On the Specify connection settings page, use the following options:
   • Delimited text file: Click Browse to locate and select the delimited text file
     to which you want to connect.
   • Access delimited text file using: Select an access option:
     • Synchronization Service account: Access the delimited text file in the
       security context of the account under which the Synchronization Service
       is running.
     • Windows account: Access the delimited text file in the security
       context of the account whose user name and password you specify
       below this option.
   • To test the connection with the new parameters, click Test connection.
5. Click Next.
6. On the Specify delimited text file format page, use the following options to
   provide information about the delimited text file format:
   • Delimiter: Select the delimiter used in the file you specified.
   • Use first row for attribute names: Select this check box if the first line of
     the specified file contains names of attributes. Otherwise, leave this check
     box cleared.
   • Advanced: Click this button to specify advanced options to access the
     delimited text file, such as encoding, row delimiter, value delimiter, and
     text qualifier.
7. Click Next.
8. On the Specify attributes to identify objects page, use the following options:
   • Available attributes: Lists the attributes that are available in the external
     data system. Use this list to select the attributes whose values you want to use
     to generate a unique identifier for each object in the external data system. You
     can filter attributes by typing in the text box at the top of this list. To select
     multiple attributes, hold down CTRL and click to select attributes in the list.
   • UniqueID attributes: Lists the attributes whose values are currently used to
     generate a unique identifier for each object in the external data system.
   • Add->: Moves the selected attributes from the Available attributes list to
     the UniqueID attributes list.
   • <-Remove: Moves the selected attributes from the UniqueID attributes list
     to the Available attributes list.
   • Constructed UniqueID: Displays a combination of the attributes whose
     values will make up a unique identifier for each object in the external
     data system.
9. Click Finish to create a connection to the delimited text file.

Modifying an existing delimited text file connection

To modify connection settings

1. In the Synchronization Service Console, open the Connections tab.
2. Click Connection settings below the existing delimited text file connection you
   want to modify.
3. On the Connection Settings tab, click an appropriate item to expand it and use the
   options it provides.
   You can expand the following items:
   • Specify connection settings for a delimited text file connection
   • Specify delimited text file format
   • Schema
   • Specify attributes to identify objects for a delimited text file connection
4. When you are finished, click Save.

Specify connection settings for a delimited text file connection

In this expandable item, you can use the following options:
• Delimited text file: Click Browse to locate and select the delimited text file to
  which you want to connect.
• Access delimited text file using: Select an access option:
  • Synchronization Service account: Access the delimited text file in the
    security context of the account under which the Synchronization Service
    is running.
  • Windows account: Access the delimited text file in the security context of the
    account whose user name and password you specify below this option.
• To test the connection with the new parameters, click Test connection.

Specify delimited text file format


This expandable item provides the following options:
• Delimiter: Select the delimiter used in the file you specified.
• Use first row for attribute names: Select this check box if the first line of the
  specified file contains names of attributes. Otherwise, leave this check box cleared.
• Advanced: Click this button to specify advanced options to access the delimited text
  file, such as encoding, row delimiter, value delimiter, and text qualifier.

Schema
You can use this expandable item to view and modify the delimited text file schema saved
in the Synchronization Service configuration database.
When you create a connection to a delimited text file, Synchronization Service reads the
schema in the file (that is, the fields or columns related to each record in the file), and then
saves the schema in the Synchronization Service configuration database. Synchronization
Service then uses the saved file schema to read and modify the data in the connected file.
Should the schema in the connected file change, you will need to reflect these changes in
the Schema option so that Synchronization Service can correctly handle (read and write)
the data in the changed file.
This expandable item provides the following options:
• Attributes: Lists the names of Synchronization Service attributes that correspond to
  certain columns or fields in the connected file. Basically, these are the names of
  attributes you can select and use in the Synchronization Service Console for each
  object in the connected delimited text file.
• Add: Allows you to add a new entry (for example, column or field) to the file
  schema saved in the Synchronization Service configuration database. You can use
  this button in case a new column or field was added to the connected file and you
  want to reflect this change in the file schema saved in the Synchronization Service
  configuration database.
• Edit: Allows you to edit the name of the selected Synchronization Service attribute
  associated with a certain column or field in the connected file. For example, you can
  use this button in case a field or column name was changed in the connected file and
  you want to reflect this change in the file schema saved in the Synchronization
  Service configuration database. Also you can use this button to edit the display name
  of a Synchronization Service attribute associated with a certain column or field in the
  connected file.
• Remove: Allows you to remove the selected attribute from the file schema saved in
  the Synchronization Service configuration database. For example, you can use this
  button in case a field or column name was deleted from the connected file and you
  want to reflect this change in the file schema saved in the Synchronization Service
  configuration database.
• Reload scheme: Allows you to update the file schema saved in the
  Synchronization Service configuration database by reloading the schema from the
  file to the configuration database. As a result, the file schema saved in the
  Synchronization Service configuration database will be completely rewritten with
  new data from the file.
• Up arrow: Moves the selected attribute up.
• Down arrow: Moves the selected attribute down.

Specify attributes to identify objects for a delimited text file connection
This expandable item provides the following options that allow you to specify the attributes
with which you wish to uniquely identify each object in the delimited text file:
• Available attributes: Lists the attributes that are available in the external data
system. Use this list to select the attributes whose values you want to use to
generate a unique identifier for each object in the external data system. You can filter
attributes by typing in the text box at the top of this list. To select multiple attributes,
hold down CTRL and click to select attributes in the list.
• UniqueID attributes: Lists the attributes whose values are currently used to
generate a unique identifier for each object in the external data system.
• Add->: Moves the selected attributes from the Available attributes list to the
UniqueID attributes list.
• <-Remove: Moves the selected attributes from the UniqueID attributes list to the
Available attributes list.
• Constructed UniqueID: Displays a combination of the attributes whose values will
make up a unique identifier for each object in the external data system.

Working with Microsoft SQL Server

This section describes how to create or modify a connection to Microsoft SQL Server so that
Synchronization Service can work with data in that data system.

To create a connection to Microsoft SQL Server, use the Microsoft SQL Server
Connector included by default in the Active Roles Synchronization Service.
The Microsoft SQL Server Connector supports the following features:

Table 40: Microsoft SQL Server Connector – Supported features

Feature                            Supported
Bidirectional synchronization      Yes
    Specifies whether you can both read and write data in the connected data
    system.
Delta processing mode              No
    Specifies whether the connection can process only the data that has
    changed in the connected data system since the last synchronization
    operation. This reduces the overall synchronization duration.
Password synchronization           Yes
    Specifies whether you can synchronize user passwords from an Active
    Directory (AD) domain to the connected data system.

Creating a Microsoft SQL Server connection

You can create a new Microsoft SQL Server connection in the Synchronization
Service Console.

To create a new connection

1. In the Synchronization Service Console, open the Connections tab.
2. Click Add connection, then use the following options:
   • Connection name: Type a descriptive name for the connection.
   • Use the specified connector: Select Microsoft SQL Server Connector.
3. Click Next.
4. On the Specify connection settings page, use the following options:
   • SQL Server: Type or select the name of the SQL Server computer that hosts
   the database you want to participate in data synchronization operations.
   • Access SQL Server using: Select an access option:
      • Use Windows authentication: Allows you to access the SQL Server in
      the security context of the account under which the Synchronization
      Service is running.
      • Use SQL Server authentication: Allows you to access the SQL Server
      in the security context of the SQL Server user account whose user name
      and password you specify below this option.
   • To test the connection with the new parameters, click Test connection.
5. Click Next.
6. On the Specify how to select and modify data page, use the following options:
   • Use data from this table: Allows you to select a database table that includes
   the data you want to participate in the synchronization operations. You can
   click Preview to preview the database table you have selected.
   • Use an SQL query to specify data: Allows you to compose an SQL query
   that provides a more flexible way for specifying the data for synchronization.
   For example, you can use this option to specify multiple database tables.
   • Configure Settings: Provides settings for modifying data in the connected
   system during synchronization operations. For example, you can specify the
   database tables in which you want to insert, update, or delete data during
   synchronization operations.
7. Click Next.
8. On the Specify attributes to identify objects page, use the following options:
   • Available attributes: Lists the attributes that are available in the external
   data system. Use this list to select the attributes whose values you want to use
   to generate a unique identifier for each object in the external data system. You
   can filter attributes by typing in the text box at the top of this list. To select
   multiple attributes, hold down CTRL and click to select attributes in the list.
   • UniqueID attributes: Lists the attributes whose values are currently used to
   generate a unique identifier for each object in the external data system.
   • Add->: Moves the selected attributes from the Available attributes list to
   the UniqueID attributes list.
   • <-Remove: Moves the selected attributes from the UniqueID attributes list
   to the Available attributes list.
   • Constructed UniqueID: Displays a combination of the attributes whose
   values will make up a unique identifier for each object in the external
   data system.
9. To finish creating the connection to the Microsoft SQL Server database, click Finish.

Modifying an existing Microsoft SQL Server connection

You can modify an existing Microsoft SQL Server connection in the Synchronization
Service Console.

To modify connection settings

1. In the Synchronization Service Console, open the Connections tab.
2. Click Connection settings below the existing Microsoft SQL Server connection you
want to modify.
3. On the Connection Settings tab, click an appropriate item to expand it and use the
options it provides.
You can expand the following items:
   • Specifying connection settings for a Microsoft SQL Server connection
   • Specifying how to select and modify data for a Microsoft SQL Server connection
   • Advanced
   • Specifying attributes to identify objects for a Microsoft SQL Server connection
4. When you are finished, click Save.

Specifying connection settings for a Microsoft SQL Server connection

This expandable item provides the following options that allow you to modify the
connection settings:
• SQL Server: Type or select the name of the SQL Server computer that hosts the
database you want to participate in data synchronization operations.
• Access SQL Server using: Select an access option:
   • Use Windows authentication: Allows you to access the SQL Server in
   the security context of the account under which the Synchronization
   Service is running.
   • Use SQL Server authentication: Allows you to access the SQL Server in the
   security context of the SQL Server user account whose user name and
   password you specify below this option.
• To test the connection with the new parameters, click Test connection.
• Connect to database: Type the name of the SQL database to which you
want to connect.

Specifying how to select and modify data for a Microsoft SQL Server connection

The Specify how to select and modify data setting allows you to configure how to
select and modify the data you want to be included in the synchronization process:
• Use data from this table: Allows you to select a database table that includes the
data you want to participate in the synchronization operations. You can click
Preview to preview the database table you have selected.
• Use an SQL query to specify data: Allows you to compose an SQL query that
provides a more flexible way for specifying the data for synchronization. For
example, you can use this option to specify multiple database tables.
• Configure Settings: Specifies the settings for modifying data in the connected
system during synchronization operations. For example, you can specify the
database tables in which you want to insert, update, or delete data during
synchronization operations.

Advanced
Allows you to configure the running timeout for all SQL queries you specified in the
connection settings (for example, those specified in the Specify How to Select and
Modify Data option). Use the SQL query execution timeout box to type the timeout
value you want to use.

Specifying attributes to identify objects for a Microsoft SQL Server connection

The Specify attributes to identify objects setting provides the following options that
allow you to specify the attributes with which you want to uniquely identify each object in
the connected data system:
• Available attributes: Lists the attributes that are available in the external data
system. Use this list to select the attributes whose values you want to use to
generate a unique identifier for each object in the external data system. You can filter
attributes by typing in the text box at the top of this list. To select multiple attributes,
hold down CTRL and click to select attributes in the list.
• UniqueID attributes: Lists the attributes whose values are currently used to
generate a unique identifier for each object in the external data system.
• Add->: Moves the selected attributes from the Available attributes list to the
UniqueID attributes list.
• <-Remove: Moves the selected attributes from the UniqueID attributes list to the
Available attributes list.
• Constructed UniqueID: Displays a combination of the attributes whose values will
make up a unique identifier for each object in the external data system.

Sample queries to modify SQL Server data

This section provides some sample SQL queries illustrating how to modify SQL Server data
during synchronization operations. In the sample queries, Id refers to an attribute (a
column name in an SQL Server table) that uniquely identifies an object in your SQL
database. These examples can be used only for configuring connections to Microsoft SQL
Server 2005.

Example: Inserting an object into a table

This sample illustrates how to create a query that inserts an object with specified
attributes into the table named SQLConnTest1.

Table 41: Inserting an object into a table

Database table structure:
CREATE TABLE [SQLConnTest1]([Id] [bigint] IDENTITY(1,1),[attr1] [nchar](64),[attr2] [nchar](64))

Sample query:
INSERT into SQLConnTest1(Id) values(@Id)

Example: Creating an SQL Server account

This sample illustrates how to create a SQL Server account, and then retrieve the
UniqueID attribute for that account.
To define the scope where to create the SQL Server account, insert the following
query in the Query Editor dialog:
SELECT sid as Id,name as login from sys.server_principals
Insert the following SQL query into the Configure SQL Statements dialog:
EXEC sp_addlogin @login, @newPassword;
EXEC sp_adduser @login,@login,'db_owner';
SELECT sid as Id from sys.server_principals where name=@login;
IMPORTANT: None of the attribute names used in SQL queries can include
whitespace characters. For example, you cannot use names such as "user
password".
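The following is an added example, not a sample from this guide, that restates the account-creation pattern above with the CREATE LOGIN / CREATE USER syntax and a read-only database role in place of db_owner. It assumes SQL Server 2012 or later and that Synchronization Service passes the login and password attributes as the @login and @newPassword parameters, as in the sample above.

```sql
-- Added example (not part of the One Identity guide). Assumes SQL Server 2012+
-- and that Synchronization Service supplies @login and @newPassword as
-- parameters, exactly as in the guide's sample.

-- Scope query (Query Editor dialog): one row per login, the sid is the UniqueID.
-- Type 'S' = SQL login, 'U' = Windows login; server roles, certificate- and
-- key-mapped principals are excluded from the scope.
SELECT sid AS Id, name AS login
FROM sys.server_principals
WHERE type IN ('S', 'U');

-- Statement block (Configure SQL Statements dialog).
DECLARE @sql nvarchar(max);

-- CREATE LOGIN does not accept a variable for the password, so the statement is
-- assembled with QUOTENAME, which delimits the login name as an identifier and
-- the password as a string literal (doubling any embedded quote characters).
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = @login)
BEGIN
    SET @sql = N'CREATE LOGIN ' + QUOTENAME(@login)
             + N' WITH PASSWORD = ' + QUOTENAME(@newPassword, '''')
             + N', CHECK_POLICY = ON;';   -- enforce the Windows password policy
    EXEC sys.sp_executesql @sql;
END;

-- Map the login to a user in the current database and grant only read access.
-- The guide's sample uses db_owner; db_datareader is sufficient when the account
-- only needs to read synchronized rows and keeps the provisioned login from
-- owning the database.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = @login)
BEGIN
    SET @sql = N'CREATE USER ' + QUOTENAME(@login)
             + N' FOR LOGIN ' + QUOTENAME(@login) + N';';
    EXEC sys.sp_executesql @sql;

    SET @sql = N'ALTER ROLE db_datareader ADD MEMBER ' + QUOTENAME(@login) + N';';
    EXEC sys.sp_executesql @sql;
END;

-- Return the UniqueID so Synchronization Service can link the new account.
SELECT sid AS Id FROM sys.server_principals WHERE name = @login;
```

As with the guide's sample, the attribute names used here (login, newPassword) contain no whitespace.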

Working with Micro Focus NetIQ Directory

This section describes how to create or modify a connection to Micro Focus NetIQ Directory
(formerly known as Novell eDirectory) so that Synchronization Service can work with
data in that data system.
To create a connection to Micro Focus NetIQ Directory, use the Micro Focus NetIQ
Directory Connector, included by default in Active Roles Synchronization Service.
The Micro Focus NetIQ Directory Connector supports the following features:

Table 42: Micro Focus NetIQ Directory Connector – Supported features

Feature                            Supported
Bidirectional synchronization      Yes
    Specifies whether you can both read and write data in the connected data
    system.
Delta processing mode              No
    Specifies whether the connection can process only the data that has
    changed in the connected data system since the last synchronization
    operation. This reduces the overall synchronization duration.
Password synchronization           Yes
    Specifies whether you can synchronize user passwords from an Active
    Directory (AD) domain to the connected data system.

Creating a Micro Focus NetIQ Directory connection

You can create a new Micro Focus NetIQ Directory connection in the Synchronization
Service Console.

To create a new connection

1. In the Synchronization Service Console, open the Connections tab.
2. Click Add connection, then use the following options:
   • Connection name: Type a descriptive name for the connection.
   • Use the specified connector: Select Micro Focus NetIQ Directory
   Connector.
3. Click Next.
4. On the Specify connection settings page, use the following options:
   • Server: Type the fully qualified domain name of the Micro Focus NetIQ
   Directory server to which you want to connect.
   • Port: Type the number of the communication port used by the Micro Focus
   NetIQ Directory server.
   • Access Micro Focus NetIQ Directory Service using: Type the user name
   and password with which you want to access Micro Focus NetIQ Directory.
   Ensure the account has sufficient permissions to perform operations (read,
   write) on objects in Micro Focus NetIQ Directory.
   • Advanced: Click this button to specify a number of advanced options to access
   Micro Focus NetIQ Directory. For example, you can select an authentication
   method, configure TLS/SSL usage for the connection, and select whether or not
   you want to use paged search.
   From the Authentication method list, select one of the following methods:
      • Anonymous: Allows you to establish the connection without passing
      credentials.
      • Basic: Specifies to use basic authentication.
      • Microsoft Negotiate: Specifies to use Microsoft Negotiate
      authentication.
      • NTLM: Specifies to use Windows NT Challenge/Response authentication.
      • Digest: Specifies to use Digest Access authentication.
      • Sicily: Employs a negotiation mechanism (Sicily) to choose the Microsoft
      Network Authentication Service, Distributed Password Authentication, or
      NTLM method.
      • Distributed Password Authentication: Specifies to use DPA
      authentication.
      • Microsoft Network Authentication Service: Specifies to
      authenticate with Microsoft Network Authentication Service.
      • External: Specifies to use an external authentication method for the
      connection.
      • Kerberos: Specifies to use Kerberos authentication.
   You can also use the following check boxes:
      • Use TLS/SSL: Allows you to use the TLS (SSL) encryption to establish
      and maintain the connection.
      • Switch to TLS/SSL after establishing connection: Establishes the
      connection without using the TLS (SSL) encryption. Then, after the
      connection has been established, enables the TLS (SSL) encryption.
      • Verify TLS/SSL certificate: Specifies whether or not to check the TLS
      (SSL) certificate on the server.
      • Use paged search: Specifies whether or not to use paged search for
      the connection. When selecting this check box, you can set a page size
      limit in the text box below.
   • To test the connection with the new parameters, click Test connection.
5. To complete creating the Micro Focus NetIQ Directory connection, click Finish.

Modifying an existing Micro Focus NetIQ Directory connection

You can modify the various settings for an existing connection to Micro Focus NetIQ
Directory, such as the Micro Focus NetIQ Directory server to connect to, communication
port, access credentials, and the attributes used for naming objects in Micro Focus
NetIQ Directory.

Every object in Micro Focus NetIQ Directory has a naming attribute from which the object
name is formed. When you create a connection to the directory, a default naming attribute
is selected for each object type in that data system. You can use the Specify Naming
Attributes item to view the naming attribute currently selected for each object type in
Micro Focus NetIQ Directory and optionally specify a different naming attribute.

To modify connection settings

1. In the Synchronization Service Console, open the Connections tab.
2. Click Connection settings below the existing Micro Focus NetIQ Directory
connection you want to modify.
3. On the Connection Settings tab, click an appropriate item to expand it and use the
options it provides.
You can expand the following items:
   • Specifying connection settings for a Micro Focus NetIQ Directory connection
   • Specifying naming attributes for a Micro Focus NetIQ Directory connection
4. Click Save.

Specifying connection settings for a Micro Focus NetIQ Directory connection

The Specify connection settings option provides the following options that allow you to
modify the connection settings:
• Server: Type the fully qualified domain name of the Micro Focus NetIQ Directory
server to which you want to connect.
• Port: Type the number of the communication port used by the Micro Focus NetIQ
Directory server.
• Access Micro Focus NetIQ Directory Service using: Type the user name and
password with which you want to access Micro Focus NetIQ Directory. Ensure the
account has sufficient permissions to perform operations (read, write) on objects in
Micro Focus NetIQ Directory.
• Advanced: Click this button to specify a number of advanced options to access Micro
Focus NetIQ Directory. For example, you can select an authentication method,
configure TLS/SSL usage for the connection, and select whether or not you want to
use paged search.
From the Authentication method list, select one of the following methods:
   • Anonymous: Allows you to establish the connection without passing
   credentials.
   • Basic: Specifies to use basic authentication.
   • Microsoft Negotiate: Specifies to use Microsoft Negotiate authentication.
   • NTLM: Specifies to use Windows NT Challenge/Response authentication.
   • Digest: Specifies to use Digest Access authentication.
   • Sicily: Employs a negotiation mechanism (Sicily) to choose the Microsoft
   Network Authentication Service, Distributed Password Authentication, or
   NTLM method.
   • Distributed Password Authentication: Specifies to use DPA authentication.
   • Microsoft Network Authentication Service: Specifies to authenticate with
   Microsoft Network Authentication Service.
   • External: Specifies to use an external authentication method for the
   connection.
   • Kerberos: Specifies to use Kerberos authentication.
You can also use the following check boxes:
   • Use TLS/SSL: Allows you to use the TLS (SSL) encryption to establish and
   maintain the connection.
   • Switch to TLS/SSL after establishing connection: Establishes the
   connection without using the TLS (SSL) encryption. Then, after the connection
   has been established, enables the TLS (SSL) encryption.
   • Verify TLS/SSL certificate: Specifies whether or not to check the TLS (SSL)
   certificate on the server.
   • Use paged search: Specifies whether or not to use paged search for the
   connection. When selecting this check box, you can set a page size limit in the
   text box below.
• To test the connection with the new parameters, click Test connection.

Specifying naming attributes for a Micro Focus NetIQ Directory connection

Every object in Micro Focus NetIQ Directory has a naming attribute from which the object
name is formed. When you create a connection to the directory, a default naming attribute
is selected for each object type in that data system. You can use the Specify Naming
Attributes item to view the naming attribute currently selected for each object type in
Micro Focus NetIQ Directory and optionally specify a different naming attribute.
This expandable item provides the following options:
• Default naming attribute: Displays the default naming attribute set for the
currently selected object type.
• Add: Adds a new naming attribute for the selected object type.
• Edit: Allows you to edit the name of the naming attribute currently specified for the
selected object type.
• Remove: Removes the currently selected entry from the list.

Working with Salesforce

This section describes how to create or modify a connection to Salesforce so that
Synchronization Service can work with data in that data system.
To create a connection to Salesforce, use the Salesforce Connector of Active Roles
Synchronization Service.
The Salesforce Connector supports the following features:

Table 43: Salesforce Connector – Supported features

Feature                                       Supported
Bidirectional synchronization                 Yes
    Specifies whether you can both read and write data in the connected data
    system.
Delta processing mode                         No
    Specifies whether the connection can process only the data that has
    changed in the connected data system since the last synchronization
    operation. This reduces the overall synchronization duration.
Password synchronization                      Yes
    Specifies whether you can synchronize user passwords from an Active
    Directory (AD) domain to the connected data system.
Secure Sockets Layer (SSL) data encryption    Yes
    Specifies whether the connector can use SSL to encrypt data transmitted
    between Active Roles Synchronization Service and the connected data
    system.

Creating a Salesforce connection

You can create a new Salesforce connection in the Synchronization Service Console.

To create a new Salesforce connection

1. In the Synchronization Service Console, open the Connections tab.
2. Click Add connection, then use the following options:
   • Connection name: Type a descriptive name for the connection.
   • Use the specified connector: Select Salesforce Connector.
3. Click Next.
4. On the Specify connection settings page, use the following options:
   • Connect to Salesforce Sandbox: Select this check box if you want to
   connect to your Salesforce testing environment. If you want to connect to the
   production environment, make sure this check box is cleared. For more
   information about Salesforce Sandbox, see the Salesforce documentation.
   • User name: Type the user name of the account with which you want to access
   Salesforce. The account must have the System Administrator profile in the
   target Salesforce system.
   • Password: Type the password of the account with which you want to access
   Salesforce.
   • Security token: Enter the security token provided to you by Salesforce. For
   more information on what a security token is and how to obtain it, see the
   Salesforce documentation.
   • Use a proxy server for your LAN: Select this check box if your LAN uses a
   proxy server, and then enter the proxy server address in the Proxy server box.
   • Use credentials for proxy: Select this check box if your proxy server
   requires authentication. Use the appropriate text boxes to specify the user
   name and password with which you want to authenticate.
   • To test the connection with the new parameters, click Test connection.
5. To complete the configuration of the Salesforce connection, click Finish.

Modifying an existing Salesforce connection

You can modify an existing Salesforce connection in the Synchronization Service Console.

To modify connection settings

1. In the Synchronization Service Console, open the Connections tab.
2. Click Connection settings below the existing Salesforce connection you want
to modify.
3. On the Connection Settings tab, click Specify connection settings to expand it
and use the following options.
   • Connect to Salesforce Sandbox: Select this check box if you want to
   connect to your Salesforce testing environment. If you want to connect to the
   production environment, make sure this check box is cleared. For more
   information about Salesforce Sandbox, see the Salesforce documentation.
   • User name: Type the user name of the account with which you want to access
   Salesforce. The account must have the System Administrator profile in the
   target Salesforce system.
   • Password: Type the password of the account with which you want to access
   Salesforce.
   • Security token: Enter the security token provided to you by Salesforce. For
   more information on what a security token is and how to obtain it, see the
   Salesforce documentation.
   • Use a proxy server for your LAN: Select this check box if your LAN uses a
   proxy server, and then enter the proxy server address in the Proxy server box.
   • Use credentials for proxy: Select this check box if your proxy server
   requires authentication. Use the appropriate text boxes to specify the user
   name and password with which you want to authenticate.
   • To test the connection with the new parameters, click Test connection.
4. Click Save.

Salesforce data supported for synchronization

The Salesforce Connector of Active Roles Synchronization Service supports all Salesforce
object types, with all operations (Create, Read, Update, Delete) that you can perform on
those objects with native Salesforce tools.
To read and/or write data related to a particular object in Salesforce, you can use the
following resources:
• Native Salesforce fields: In the Synchronization Service Console user interface
these fields are referred to as attributes. For more information on native Salesforce
fields, see the “Reference | Standard Objects” section in the Salesforce Web Services
API Developer's Guide available online at
www.salesforce.com/us/developer/docs/api/.
• Additional attributes provided by the Salesforce Connector: The names of all
such attributes start with the va prefix. For information about these attributes, see
Additional user object attributes for a Salesforce connection and Additional group
object attributes for a Salesforce connection.

Additional user object attributes for a Salesforce connection

You can specify the following additional user attributes in your Salesforce connection.

Table 44: Additional user attributes

Attribute (Supported operations)
    Description

vaProfileName (Read, Write)
    Allows you to specify a Salesforce profile. For example, you can use this attribute to
    assign a Salesforce profile to a user being provisioned to Salesforce.
    To specify a profile, enter the profile name as it appears in the Salesforce user
    interface.
    Examples of vaProfileName values:
    • System Administrator
    • Force.com - Free User

vaRoleName (Read, Write)
    Allows you to specify a Salesforce role. For example, you can use this attribute to
    assign a Salesforce role to a user being provisioned to Salesforce.
    To specify a role, enter the role name in the format used in the Salesforce user
    interface.
    For more information on roles, see the Salesforce documentation.

vaManagerName (Read, Write)
    Allows you to specify a manager for a particular user.
    To specify a manager, enter the manager name in the format used in the Salesforce
    user interface.

vaContactName (Read, Write)
    Allows you to specify an associated contact for a particular user.
    To specify an associated contact, enter the associated contact name in the format
    used in the Salesforce user interface.

vaMemberOf (Read, Write)
    Allows you to define group membership for a particular user.
    NOTE: Consider the following:
    • This attribute is primarily intended for group membership synchronization.
    • This attribute contains references to the groups where the user is a member.

vaMemberOfName (Read, Write)
    Allows you to define group membership for a particular user (for example, when
    provisioning a user to Salesforce).
    Specify the names of the Salesforce groups where you want the user to be a member.

vaLocale (Read, Write)
    Allows you to specify a locale for a particular user (for example, when provisioning a
    user to Salesforce).
    To specify a locale, enter the locale name in the format used in the Salesforce user
    interface.
    Example of a vaLocale value: English (United States)

vaTimeZone (Read, Write)
    Allows you to specify a time zone for a user (for example, when provisioning a user
    to Salesforce).
    To specify a time zone, enter the time zone name in the format used in the
    Salesforce user interface.
    Example of a vaTimeZone value: (GMT+00:00) Greenwich Mean Time (GMT)

vaEmailEncoding (Read, Write)
    Allows you to specify outbound email encoding to be used for a user (for example,
    when provisioning a user to Salesforce).
    Specify email encoding in the format used in the Salesforce user interface.
    Example of a vaEmailEncoding value: Unicode (UTF-8)

vaLanguage (Read, Write)
    Allows you to specify a user interface language for a particular user.
    The Salesforce user interface and help will be displayed to the user in the language
    you specify in this attribute.

vaDelegatedApproverUserName (Read, Write)
    Allows you to specify the name of the user you want to appoint as a delegated
    approver.

vaDelegatedApproverGroupName (Read, Write)
    Allows you to specify the name of a group all members of which you want to appoint
    as delegated approvers.

Additional group object attributes for a Salesforce connection

You can specify the following additional group attributes in your Salesforce connection.

Table 45: Additional group attributes

Attribute (Supported operations)
    Description

vaMemberOf (Read, Write)
    Allows you to define group membership for the group in Salesforce.
    NOTE: Consider the following when using this attribute:
    • This attribute is primarily intended for group membership synchronization.
    • This attribute contains references to other groups where this group is a member.

vaMemberOfName (Read, Write)
    Allows you to define group membership for the group. Specify the names of
    Salesforce groups where you want the group to be a member.

vaMember (Read, Write)
    Allows you to define members of the group. This attribute contains references to the
    users and/or groups that are members of a particular group.

vaMemberName (Read, Write)
    Allows you to define members of a particular group. Specify the names of users
    and/or groups you want to be members of the group.

Scenario: Provisioning users from an Active Directory domain to Salesforce

This scenario illustrates how to configure a sync workflow to provision users from an Active
Directory domain to Salesforce.

Configuring a connection to the source Active Directory domain

For instructions on how to create a new connection to an Active Directory domain, see
Creating an Active Directory connection.

Configuring a connection to Salesforce

For instructions on how to create a new connection to Salesforce, see Creating a Salesforce
connection.

Creating a new sync workflow

For instructions on how to create a new sync workflow for the configured Salesforce
connection, see Scenario: Provisioning users from an Active Directory domain to
Salesforce.

Configuring a workflow step

Once the required connections and the sync workflow are set, configure a new
workflow step.

To configure a workflow step

1. In the Synchronization Service Console, navigate to the Workflows tab and open the sync workflow you created by clicking its name. Then, click Add synchronization step.
2. On the Select an action page, click Provision, then click Next.
3. On the Specify source and criteria page, do the following:
   a. Click Specify in the Source connected system option, then click Select existing connected system, and select the Active Directory connection you configured in the Configuring a connection to source Active Directory domain step.
   b. Click Finish.
   c. In Source object type, click Select, then select the User object type from the list. Click OK.
   d. Click Next.
4. On the Specify target page, do the following:
   a. Click Specify in the Target connected system option, then click Select existing connected system, and select the Salesforce connection you configured in the Configuring a connection to Salesforce step.
   b. Click Finish.
   c. Click Select in the Target object type option, then select the User object type from the list. Click OK.
   d. Click Next.
5. On the Specify provisioning rules page, in the Initial Attribute Population Rules option, add rules to populate the following required attributes:
   • Username: Use this attribute to specify a Salesforce user name for the user being provisioned. Make sure the user name you specify meets the format <UserName>@<Domain>, for example jdoe@domain.com.
   • vaProfileName: Use this attribute to assign a Salesforce profile to the user being provisioned. A profile defines specific permissions a user has in Salesforce. For more information on profiles, see the Salesforce documentation. Alternatively, you can specify a Salesforce profile by using the ProfileId attribute.
   • Email: Use this attribute to specify an existing valid email address for the user being provisioned.
   • LastName: Use this attribute to specify the last name of the user being provisioned.
   • Alias: Use this attribute to specify a unique Salesforce alias for the user being provisioned. A Salesforce alias can include up to 8 characters. For more information on the Alias attribute, see the Salesforce documentation.
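The required attributes listed above carry format constraints that an initial attribute population rule has to satisfy, otherwise the provisioning step fails on the Salesforce side. The following is an added example, not code from this guide or from the Synchronization Service: it maps standard Active Directory attributes (sAMAccountName, mail, sn, givenName) to the five required Salesforce attributes, checks the <UserName>@<Domain> format, and derives an alias that stays within the 8-character limit and unique across a batch. The Salesforce login domain, the alias derivation rule, the default profile name and the sample user are assumptions of this example.

```python
"""Build and validate the Salesforce attributes required for provisioning an AD user.

Added example (not a Synchronization Service rule): the helper names, the alias
derivation and the sample values are this example's own.
"""
import re
from typing import Dict, Set

# Assumption: the Salesforce login domain appended to the AD logon name.
SALESFORCE_DOMAIN = "example.com"

# Same shape as the documented <UserName>@<Domain> requirement; also applied to Email.
_ADDRESS_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

ALIAS_MAX_LEN = 8  # Salesforce alias limit stated in the guide


def make_alias(given_name: str, last_name: str, taken: Set[str]) -> str:
    """First initial + last name, lower-case letters and digits only, at most 8
    characters; on collision a numeric suffix replaces the tail of the base."""
    base = re.sub(r"[^a-z0-9]", "", (given_name[:1] + last_name).lower())[:ALIAS_MAX_LEN]
    if not base:
        raise ValueError("cannot derive an alias from empty names")
    if base not in taken:
        return base
    n = 1
    while True:
        suffix = str(n)
        candidate = base[: ALIAS_MAX_LEN - len(suffix)] + suffix
        if candidate not in taken:
            return candidate
        n += 1


def build_salesforce_user(ad_user: Dict[str, str], taken_aliases: Set[str],
                          profile_name: str = "Standard User") -> Dict[str, str]:
    """Map an AD user to the required Salesforce attributes.

    Raises ValueError naming the attribute that would make Salesforce reject the
    user, so the rule fails before the provisioning step rather than during it.
    The default profile name is an assumption of this example.
    """
    missing = [a for a in ("sAMAccountName", "mail", "sn") if not ad_user.get(a)]
    if missing:
        raise ValueError(f"AD user lacks required attribute(s): {', '.join(missing)}")

    username = f"{ad_user['sAMAccountName']}@{SALESFORCE_DOMAIN}"
    if not _ADDRESS_RE.match(username):
        raise ValueError(f"Username {username!r} is not in <UserName>@<Domain> form")
    if not _ADDRESS_RE.match(ad_user["mail"]):
        raise ValueError(f"Email {ad_user['mail']!r} is not a valid address")

    alias = make_alias(ad_user.get("givenName", ""), ad_user["sn"], taken_aliases)
    taken_aliases.add(alias)  # reserve it so the next user in the batch cannot reuse it
    return {
        "Username": username,
        "vaProfileName": profile_name,
        "Email": ad_user["mail"],
        "LastName": ad_user["sn"],
        "Alias": alias,
    }


if __name__ == "__main__":
    # Constructed sample AD users.
    batch = [
        {"sAMAccountName": "jdoe", "mail": "john.doe@example.com", "sn": "Doe", "givenName": "John"},
        {"sAMAccountName": "jdoe2", "mail": "jane.doe@example.com", "sn": "Doe", "givenName": "Jane"},
    ]
    reserved: Set[str] = set()
    for user in batch:
        print(build_salesforce_user(user, reserved))
```

Run every user of a provisioning batch through build_salesforce_user with one shared taken_aliases set, pre-seeded with the aliases already present in Salesforce, so that uniqueness holds across the whole run and not only within it.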

Running your workflow

For instructions on how to run a sync workflow, see Running a sync workflow.

Working with ServiceNow

This section describes how to create or modify a connection to ServiceNow so that Synchronization Service could work with data in that data system.
To create a connection to ServiceNow, use the ServiceNow Connector of Active Roles Synchronization Service.
The ServiceNow Connector supports the following features:

Table 46: ServiceNow Connector – Supported features

Bidirectional synchronization: Yes
Specifies whether you can both read and write data in the connected data system.

Delta processing mode: No
Specifies whether the connection can process only the data that has changed in the connected data system since the last synchronization operation. This reduces the overall synchronization duration.

Password synchronization: Yes
Specifies whether you can synchronize user passwords from an Active Directory (AD) domain to the connected data system.

Secure Sockets Layer (SSL) data encryption: Yes
Specifies whether the connector can use SSL to encrypt data transmitted between Active Roles Synchronization Service and the connected data system.

Creating a ServiceNow connection

To create a new ServiceNow connection, you must:

1. Configure ServiceNow to accept synchronization requests from Active Roles Synchronization Service.
2. Create a new ServiceNow connection in the Synchronization Service with the ServiceNow Connector.
3. Synchronize the configured ServiceNow Connector schema with the connected ServiceNow instance.

Configuring ServiceNow

To configure ServiceNow

1. Open the website of your ServiceNow instance.
2. In the left pane of the ServiceNow website, under System Properties, click Web Services.
3. Make sure ServiceNow requires basic authorization for incoming RSS and SOAP requests.
4. In the right pane, make sure you clear the check box below This property sets the elementFormDefault attribute.
5. Click Save.

Creating a new connection to ServiceNow

To create a new connection

1. In the Synchronization Service Console, open the Connections tab.
2. Click Add connection, then use the following options:
   • Connection name: Type a descriptive name for the connection.
   • Use the specified connector: Select ServiceNow Connector.
3. Click Next.
4. On the Specify connection settings page, use the following options:
   • ServiceNow instance name: Type the name of the ServiceNow instance to which you want to connect.
   • Access ServiceNow instance using: Type the user name and password of the account with which you want to access the specified ServiceNow instance.
   • Use a proxy server for your LAN: Select this check box if your LAN uses a proxy server. Then enter the proxy server address in the Proxy server box.
   • Use credentials for proxy: Select this check box if your proxy server requires authentication. Use the appropriate text boxes to specify the user name and password with which you want to authenticate.
   • To test the connection with the new parameters, click Test connection.
5. To complete the configuration of the ServiceNow connection, click Finish.
6. Synchronize the ServiceNow Connector schema with that of the connected ServiceNow instance.
   This step is required to pass information about object classes and attributes existing in the connected ServiceNow instance to the ServiceNow Connector, so that the connector could correctly read and write data in the connected ServiceNow instance.
   To synchronize the connector schema, do the following:
   a. Below the ServiceNow connection you have just created, click the Connection settings link.
   b. On the Connection Settings tab, click the Update connector schema item to expand it.
   c. Click Update Schema.

Modifying an existing ServiceNow connection

You can modify an existing ServiceNow connection in the Synchronization Service Console.

To modify the connection settings of a ServiceNow connection

1. In the Synchronization Service Console, open the Connections tab.
2. Click Connection settings below the existing ServiceNow connection you want to modify.
3. On the Connection Settings tab, click Specify connection settings to expand it and use the following options.
   • The Specify connection settings item:
      • ServiceNow instance name: Type the name of the ServiceNow instance to which you want to connect.
      • Access ServiceNow instance using: Type the user name and password of the account with which you want to access the specified ServiceNow instance.
      • Use a proxy server for your LAN: Select this check box if your LAN uses a proxy server. Then enter the proxy server address in the Proxy server box.
      • Use credentials for proxy: Select this check box if your proxy server requires authentication. Use the appropriate text boxes to specify the user name and password with which you want to authenticate.
      • To test the connection with the new parameters, click Test connection.
   • The Update connector schema item:
      • Update Schema: Synchronizes the ServiceNow Connector schema with changes in the connected ServiceNow instance. Use this button whenever schema changes occur in the connected ServiceNow instance (for example, object classes or attributes are added or deleted in the ServiceNow instance). The ServiceNow Connector can only read and write data correctly if the connector schema is completely in sync with the ServiceNow instance.
4. Click Save.

ServiceNow data supported for synchronization


The ServiceNow Connector supports all object classes and attributes existing in the
connected ServiceNow instance, provided that the ServiceNow Connector schema and the
ServiceNow instance schema are completely in sync.
To synchronize the ServiceNow Connector schema with the connected ServiceNow instance
schema, use the Update Connector Schema button in the ServiceNow connection
settings. For more information, see Modifying an existing ServiceNow connection.

Working with Oracle Unified Directory

This section describes how to create or modify a connection to Oracle Unified Directory (formerly known as Sun One Directory) so that Synchronization Service could work with data in that data system.
To create a connection to Oracle Unified Directory, use the Oracle Unified Directory Connector of the Active Roles Synchronization Service.
The Oracle Unified Directory Connector supports the following features:

Table 47: Oracle Unified Directory Connector – Supported features

Bidirectional synchronization: Yes
Specifies whether you can both read and write data in the connected data system.

Delta processing mode: No
Specifies whether the connection can process only the data that has changed in the connected data system since the last synchronization operation. This reduces the overall synchronization duration.

Password synchronization: Yes
Specifies whether you can synchronize user passwords from an Active Directory (AD) domain to the connected data system.

Creating an Oracle Unified Directory connection

You can create a new Oracle Unified Directory connection in the Synchronization Service Console.

To create a new Oracle Unified Directory connection

1. In the Synchronization Service Console, open the Connections tab.
2. Click Add connection, then use the following options:
   • Connection name: Type a descriptive name for the connection.
   • Use the specified connector: Select Oracle Unified Directory Server Connector.
3. Click Next.
4. On the Specify connection settings page, use the following options:
   • Server: Type the fully qualified domain name of the computer running Oracle Unified Directory Server that manages the directory to which you want to connect.
   • Port: Type the number of the communication port used by Oracle Unified Directory Server.
   • Access Oracle Unified Directory Server using: Type the user name and password of the account with which you want to access Oracle Unified Directory Server. Ensure the account has sufficient permissions to perform operations (read, write) on objects in the directory managed by Oracle Unified Directory Server.
   • Advanced: Click this button to specify a number of advanced options to access the directory managed by Oracle Unified Directory Server. For example, you can select an authentication method, configure TLS/SSL usage for the connection, and select whether or not you want to use paged search.
     From this Authentication method list, select one of the following methods:
      • Anonymous: Allows you to establish the connection without passing credentials.
      • Basic: Specifies to use basic authentication.
      • Microsoft Negotiate: Specifies to use Microsoft Negotiate authentication.
      • NTLM: Specifies to use Windows NT Challenge/Response authentication.
      • Digest: Specifies to use Digest Access authentication.
      • Sicily: Employs a negotiation mechanism (Sicily) to choose the Microsoft Network Authentication Service, Distributed Password Authentication, or NTLM method.
      • Distributed Password Authentication: Specifies to use DPA authentication.
      • Microsoft Network Authentication Service: Specifies to authenticate with Microsoft Network Authentication Service.
      • External: Specifies to use an external authentication method for the connection.
      • Kerberos: Specifies to use Kerberos authentication.
     You can also use the following check boxes:
      • Use TLS/SSL: Allows you to use the TLS (SSL) encryption to establish and maintain the connection.
      • Switch to TLS/SSL after establishing connection: Establishes the connection without using the TLS (SSL) encryption. Then, after the connection has been established, enables the TLS (SSL) encryption.
      • Verify TLS/SSL certificate: Specifies whether or not to check the TLS (SSL) certificate on the server.
      • Use paged search: Specifies whether or not to use paged search for the connection. When selecting this check box, you can set a page size limit in the text box below.
   • To test the connection with the new parameters, click Test connection.
5. To finish configuring the Oracle Unified Directory Server connection, click Finish.

Modifying an existing Oracle Unified Directory Server connection

You can modify the various settings for an existing connection to a directory managed by Oracle Unified Directory Server, such as the server computer to which the connection is established, communication port, access credentials, and the attributes used for naming objects in the directory.
Every object in a directory managed by Oracle Unified Directory Server has a naming attribute from which the object name is formed. When you create a connection to the directory, a default naming attribute is selected for each object type in that data system. You can view the default naming attribute currently selected for each object type in the directory and optionally specify a different naming attribute.

To modify the connection settings of an Oracle Unified Directory Server connection

1. In the Synchronization Service Console, open the Connections tab.
2. Click Connection settings below the existing Oracle Unified Directory connection you want to modify.
3. On the Connection Settings tab, click an appropriate item to expand it and use the options it provides.
   You can expand the following items:
   • Specifying connection settings for an Oracle Unified Directory connection
   • Specifying naming attributes for an Oracle Unified Directory connection
4. Click Save.

Specifying connection settings for an Oracle Unified Directory connection

The Specify connection settings option provides the following settings that allow you to modify the connection:
• Server: Type the fully qualified domain name of the computer running Oracle Unified Directory Server that manages the directory to which you want to connect.
• Port: Type the number of the communication port used by Oracle Unified Directory Server.
• Access Oracle Unified Directory Server using: Type the user name and password of the account with which you want to access Oracle Unified Directory Server. Ensure the account has sufficient permissions to perform operations (read, write) on objects in the directory managed by Oracle Unified Directory Server.
• Advanced: Click this button to specify a number of advanced options to access the directory managed by Oracle Unified Directory Server. For example, you can select an authentication method, configure TLS/SSL usage for the connection, and select whether or not you want to use paged search.
  From this Authentication method list, select one of the following methods:
   • Anonymous: Allows you to establish the connection without passing credentials.
   • Basic: Specifies to use basic authentication.
   • Microsoft Negotiate: Specifies to use Microsoft Negotiate authentication.
   • NTLM: Specifies to use Windows NT Challenge/Response authentication.
   • Digest: Specifies to use Digest Access authentication.
   • Sicily: Employs a negotiation mechanism (Sicily) to choose the Microsoft Network Authentication Service, Distributed Password Authentication, or NTLM method.
   • Distributed Password Authentication: Specifies to use DPA authentication.
   • Microsoft Network Authentication Service: Specifies to authenticate with Microsoft Network Authentication Service.
   • External: Specifies to use an external authentication method for the connection.
   • Kerberos: Specifies to use Kerberos authentication.
  You can also use the following check boxes:
   • Use TLS/SSL: Allows you to use the TLS (SSL) encryption to establish and maintain the connection.
   • Switch to TLS/SSL after establishing connection: Establishes the connection without using the TLS (SSL) encryption. Then, after the connection has been established, enables the TLS (SSL) encryption.
   • Verify TLS/SSL certificate: Specifies whether or not to check the TLS (SSL) certificate on the server.
   • Use paged search: Specifies whether or not to use paged search for the connection. When selecting this check box, you can set a page size limit in the text box below.
• To test the connection with the new parameters, click Test connection.

Specifying naming attributes for an Oracle Unified Directory connection

Every object in a directory managed by Oracle Unified Directory Server has a naming attribute from which the object name is formed. When you create a connection to the directory, a default naming attribute is selected for each object type in that data system. You can use the Specify Naming Attributes item to view the naming attribute currently selected for each object type in the directory and optionally specify a different naming attribute. The setting has the following options:
• Default naming attribute: Displays the default naming attribute set for the currently selected object type.
• Add: Adds a new naming attribute for the selected object type.
• Edit: Allows you to edit the name of the naming attribute currently specified for the selected object type.
• Remove: Removes the currently selected entry from the list.

Working with an LDAP directory service

This section describes how to create or modify a connection to an LDAP directory service so that Synchronization Service could work with data in that data system.
To create a connection to an LDAP directory service, you need to use Synchronization Service in conjunction with a special connector called Generic LDAP Connector. This connector is included in the Synchronization Service package.
The Generic LDAP Connector supports the following features:

Table 48: Generic LDAP Connector – Supported features

Bidirectional synchronization: Yes
Specifies whether you can both read and write data in the connected data system.

Delta processing mode: No
Specifies whether the connection can process only the data that has changed in the connected data system since the last synchronization operation. This reduces the overall synchronization duration.

Password synchronization: Yes
Specifies whether you can synchronize user passwords from an Active Directory (AD) domain to the connected data system.

Creating an LDAP directory service connection

To create a new connection

1. In the Synchronization Service Console, open the Connections tab.
2. Click Add connection, then use the following options:
   • Connection name: Type a descriptive name for the connection.
   • Use the specified connector: Select Generic LDAP Connector.
3. Click Next.
4. On the Specify connection settings page, use the following options:
   • Server: Type the fully qualified domain name of the computer running an LDAP directory service to which you want to connect.
   • Port: Type the number of the communication port used by the LDAP server to which you want to connect.
   • Use TLS/SSL: Allows you to use the TLS (SSL) encryption to establish and maintain the connection.
   • Use connectionless LDAP: Enables the use of the connectionless LDAP (CLDAP) protocol for the connection.
   • User name: Type the user name of the account with which you want to bind.
   • Password: Type the password of the account with which you want to bind.
   • Bind with Synchronization Service account: Allows you to bind with the account under which the Synchronization Service is running.
   • Bind with credentials: Allows you to bind by specifying the credentials of a particular user account.
   • Use simple bind: Allows you to bind either without specifying user account credentials or with a user password only. In the latter case, the password you type is transmitted as clear text.
   • Use custom bind: Allows you to configure a number of advanced settings for binding. Click Configure, and then use the next options.
   • From this Authentication method list, select one of the following methods:
      • Anonymous: Allows you to establish the connection without passing credentials.
      • Basic: Specifies to use basic authentication.
      • Microsoft Negotiate: Specifies to use Microsoft Negotiate authentication.
      • NTLM: Specifies to use Windows NT Challenge/Response authentication.
      • Digest: Specifies to use Digest Access authentication.
      • Sicily: Employs a negotiation mechanism (Sicily) to choose the Microsoft Network Authentication Service, Distributed Password Authentication, or NTLM method.
      • Distributed Password Authentication: Specifies to use DPA authentication.
      • Microsoft Network Authentication Service: Specifies to authenticate with Microsoft Network Authentication Service.
      • External: Specifies to use an external authentication method for the connection.
      • Kerberos: Specifies to use Kerberos authentication.
     You can also use the following check boxes:
      • Use TLS/SSL: Allows you to use the TLS (SSL) encryption to establish and maintain the connection.
      • Switch to TLS/SSL after establishing connection: Establishes the connection without using the TLS (SSL) encryption. Then, after the connection has been established, enables the TLS (SSL) encryption.
      • Verify TLS/SSL certificate: Specifies whether or not to check the TLS (SSL) certificate on the server.
      • Use paged search: Specifies whether or not to use paged search for the connection. When selecting this check box, you can set a page size limit in the text box below.
   • To test the connection with the new parameters, click Test connection.
5. Click Next.
6. On the Specify attributes to identify objects page, specify the attributes with which you want to uniquely identify each object in the LDAP directory service.
   You can use the following options:
   • Available attributes: Lists the attributes that are available in the external data system. Use this list to select the attributes whose values you want to use to generate a unique identifier for each object in the external data system. You can filter attributes by typing in the text box at the top of this list. To select multiple attributes, hold down CTRL and click to select attributes in the list.
   • UniqueID attributes: Lists the attributes whose values are currently used to generate a unique identifier for each object in the external data system.
   • Add->: Moves the selected attributes from the Available attributes list to the UniqueID attributes list.
   • <-Remove: Moves the selected attributes from the UniqueID attributes list to the Available attributes list.
   • Constructed UniqueID: Displays a combination of the attributes whose values will make up a unique identifier for each object in the external data system.
7. Click Finish to create a connection to the LDAP directory service.
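The bind and transport options above (and the same options of the Oracle Unified Directory and OpenLDAP connections) combine in ways that are easy to get wrong: a simple bind without TLS sends the password in clear text, as the guide notes, and TLS with certificate verification cleared accepts any server. The following is an added example, not code from this guide or from the Synchronization Service: a small review function over a settings record whose fields mirror the console options by name. The dataclass, its field names, the review rules and the sample host names are assumptions of this example.

```python
"""Review the transport and bind settings of a directory connection for weak combinations.

Added example (not part of the Synchronization Service): the field names mirror the
console options described in the guide, but the record and the rules are this example's own.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class LdapConnectionSettings:
    server: str
    port: int
    use_tls: bool = False            # "Use TLS/SSL": TLS from the first byte (LDAPS)
    start_tls: bool = False          # "Switch to TLS/SSL after establishing connection" (StartTLS)
    verify_certificate: bool = True  # "Verify TLS/SSL certificate"
    connectionless: bool = False     # "Use connectionless LDAP" (CLDAP, a UDP transport)
    bind_mode: str = "credentials"   # "service_account" | "credentials" | "simple" | "custom"
    auth_method: str = "Basic"       # entry from the custom-bind "Authentication method" list
    paged_search: bool = False       # "Use paged search"
    page_size: int = 0               # page size limit typed below the check box


def review_settings(s: LdapConnectionSettings) -> List[str]:
    """Return one finding per weak setting; an empty list means nothing to fix."""
    findings: List[str] = []
    encrypted = s.use_tls or s.start_tls

    if s.connectionless:
        # CLDAP never negotiates TLS, so nothing on that connection is protected in transit.
        findings.append("Use connectionless LDAP: CLDAP carries no TLS, so neither credentials "
                        "nor directory data are protected in transit.")
    if s.bind_mode == "simple" and not encrypted:
        # The guide states that a simple-bind password is transmitted as clear text.
        findings.append("Use simple bind without TLS/SSL: the bind password crosses the network "
                        "in clear text; enable Use TLS/SSL or Switch to TLS/SSL after "
                        "establishing connection.")
    if s.bind_mode == "custom" and s.auth_method == "Basic" and not encrypted:
        findings.append("Basic authentication without TLS/SSL: the password is sent in clear text.")
    if s.bind_mode == "custom" and s.auth_method == "Anonymous":
        findings.append("Anonymous authentication: writes and password synchronization need an "
                        "identified account holding only the permissions the workflow requires.")
    if encrypted and not s.verify_certificate:
        findings.append("Verify TLS/SSL certificate is cleared: any certificate is accepted, so a "
                        "server impersonating the directory can read credentials and data.")
    if not encrypted and not s.connectionless:
        findings.append("No transport encryption: directory data, including synchronized "
                        "passwords, is readable on the wire; prefer Use TLS/SSL.")
    if s.paged_search and s.page_size <= 0:
        findings.append("Use paged search is selected but no page size limit is set.")
    return findings


def is_hardened(s: LdapConnectionSettings) -> bool:
    """Convenience check for reviewing many connections at once."""
    return not review_settings(s)


if __name__ == "__main__":
    # Constructed sample connections; host names are placeholders.
    samples = {
        "clear-text simple bind": LdapConnectionSettings("ldap.example.internal", 389, bind_mode="simple"),
        "StartTLS, unverified": LdapConnectionSettings("ldap.example.internal", 389, start_tls=True,
                                                       verify_certificate=False),
        "LDAPS, verified": LdapConnectionSettings("ldap.example.internal", 636, use_tls=True,
                                                  bind_mode="credentials", paged_search=True, page_size=500),
    }
    for name, settings in samples.items():
        print(f"{name}: {'OK' if is_hardened(settings) else 'findings'}")
        for finding in review_settings(settings):
            print("  -", finding)
```

The rules are deliberately conservative: Use TLS/SSL and Switch to TLS/SSL after establishing connection both count as encrypted transport, and the only combination that passes without findings is an encrypted, certificate-verified connection bound with an identified account.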

Modifying an existing Generic LDAP directory service connection

To modify connection settings

1. In the Synchronization Service Console, open the Connections tab.
2. Click Connection settings below the existing generic LDAP connection you want to modify.
3. On the Connection Settings tab, click an appropriate item to expand it and use the options it provides.
   You can expand the following items:
   • Specify connection settings for a Generic LDAP directory service connection
   • Specify directory partitions for a Generic LDAP directory service connection
   • Specify naming attributes for a Generic LDAP directory service connection
   • Specify attributes to identify objects for a Generic LDAP directory service connection
4. Click Save.

Specify connection settings for a Generic LDAP directory service connection

This expandable item provides the following options that allow you to modify the connection settings:
• Server: Type the fully qualified domain name of the computer running an LDAP directory service to which you want to connect.
• Port: Type the number of the communication port used by the LDAP server to which you want to connect.
• Use TLS/SSL: Allows you to use the TLS (SSL) encryption to establish and maintain the connection.
• Use connectionless LDAP: Enables the use of the connectionless LDAP (CLDAP) protocol for the connection.
• User name: Type the user name of the account with which you want to bind.
• Password: Type the password of the account with which you want to bind.
• Bind with Synchronization Service account: Allows you to bind with the account under which the Synchronization Service is running.
• Bind with credentials: Allows you to bind by specifying the credentials of a particular user account.
• Use simple bind: Allows you to bind either without specifying user account credentials or with a user password only. In the latter case, the password you type is transmitted as clear text.
• Use custom bind: Allows you to configure a number of advanced settings for binding. Click Configure, and then use the next options.
• From this Authentication method list, select one of the following methods:
   • Anonymous: Allows you to establish the connection without passing credentials.
   • Basic: Specifies to use basic authentication.
   • Microsoft Negotiate: Specifies to use Microsoft Negotiate authentication.
   • NTLM: Specifies to use Windows NT Challenge/Response authentication.
   • Digest: Specifies to use Digest Access authentication.
   • Sicily: Employs a negotiation mechanism (Sicily) to choose the Microsoft Network Authentication Service, Distributed Password Authentication, or NTLM method.
   • Distributed Password Authentication: Specifies to use DPA authentication.
   • Microsoft Network Authentication Service: Specifies to authenticate with Microsoft Network Authentication Service.
   • External: Specifies to use an external authentication method for the connection.
   • Kerberos: Specifies to use Kerberos authentication.
  You can also use the following check boxes:
   • Use TLS/SSL: Allows you to use the TLS (SSL) encryption to establish and maintain the connection.
   • Switch to TLS/SSL after establishing connection: Establishes the connection without using the TLS (SSL) encryption. Then, after the connection has been established, enables the TLS (SSL) encryption.
   • Verify TLS/SSL certificate: Specifies whether or not to check the TLS (SSL) certificate on the server.
   • Use paged search: Specifies whether or not to use paged search for the connection. When selecting this check box, you can set a page size limit in the text box below.
• To test the connection with the new parameters, click Test connection.

Specify directory partitions for a Generic LDAP directory service connection

Allows you to specify the directory partitions you want to participate in the synchronization operations by selecting the check boxes next to such directory partitions. You can also use the following additional options:
• Select all: Selects the check boxes next to all directory partitions in the list.
• Add: Adds a new directory partition to the list.
• Remove: Removes currently selected directory partition from the list.
• To test the connection with the new parameters, click Test connection.

Specify naming attributes for a Generic LDAP directory service connection

Every object in an LDAP directory service has a naming attribute from which the object name is formed. When you create a connection to an LDAP directory service, a default naming attribute is selected for each object type in the data system. You can use the Specify Naming Attributes item to view the naming attribute currently selected for each object type in the data system and optionally specify a different naming attribute.
This expandable item provides following options:
• Default naming attribute: Displays the default naming attribute set for the currently selected object type.
• Add: Adds a new naming attribute for the selected object type.
• Edit: Allows you to edit the name of the naming attribute currently specified for the selected object type.
• Remove: Removes the currently selected entry from the list.

Specify attributes to identify objects for a Generic LDAP directory service connection

This expandable item provides the following options that allow you to specify the attributes with which you wish to uniquely identify each object in the connected LDAP directory service:
• Available attributes: Lists the attributes that are available in the external data system. Use this list to select the attributes whose values you want to use to generate a unique identifier for each object in the external data system. You can filter attributes by typing in the text box at the top of this list. To select multiple attributes, hold down CTRL and click to select attributes in the list.
• UniqueID attributes: Lists the attributes whose values are currently used to generate a unique identifier for each object in the external data system.
• Add->: Moves the selected attributes from the Available attributes list to the UniqueID attributes list.
• <-Remove: Moves the selected attributes from the UniqueID attributes list to the Available attributes list.
• Constructed UniqueID: Displays a combination of the attributes whose values will make up a unique identifier for each object in the external data system.
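Which attributes to move into the UniqueID attributes list (here and on the Specify attributes to identify objects page of the creation procedure) decides whether the connector can tell two objects apart after a rename or move: a naming attribute such as cn forms the object name but may repeat across containers, while an attribute that is absent on some entries leaves those entries without an identifier. The following is an added example, not code from this guide or from the Synchronization Service: it builds a constructed identifier from a chosen attribute list over constructed sample entries and reports the entries that lack an attribute and the identifiers that collide. The sample entries, the "|" separator and the function names are this example's own and do not reflect the connector's internal format.

```python
"""Construct a UniqueID from chosen LDAP attributes and detect unsafe choices.

Added example (not part of the Synchronization Service): entries, separator and
function names are constructed for illustration.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Sequence, Tuple

# Constructed sample of what a Generic LDAP connection might read; entryUUID values are made up.
SAMPLE_ENTRIES: List[Dict[str, str]] = [
    {"dn": "cn=John Smith,ou=Sales,dc=example,dc=com", "cn": "John Smith",
     "uid": "jsmith", "entryUUID": "0a1b2c3d-0000-4000-8000-000000000001"},
    {"dn": "cn=John Smith,ou=Support,dc=example,dc=com", "cn": "John Smith",
     "uid": "jsmith2", "entryUUID": "0a1b2c3d-0000-4000-8000-000000000002"},
    {"dn": "cn=Ana Lopez,ou=Sales,dc=example,dc=com", "cn": "Ana Lopez",
     "entryUUID": "0a1b2c3d-0000-4000-8000-000000000003"},  # no uid attribute
]


def constructed_unique_id(entry: Dict[str, str], attrs: Sequence[str]) -> Optional[str]:
    """Join the values of the chosen attributes in order; None if any is absent or empty."""
    values: List[str] = []
    for attr in attrs:
        value = entry.get(attr)
        if not value:
            return None
        values.append(value)
    return "|".join(values)


def check_unique_ids(entries: Iterable[Dict[str, str]], attrs: Sequence[str]
                     ) -> Tuple[Dict[str, str], List[str], Dict[str, List[str]]]:
    """Return (dn -> UniqueID, DNs that got no UniqueID, UniqueID -> DNs that share it)."""
    ids: Dict[str, str] = {}
    missing: List[str] = []
    owners: Dict[str, List[str]] = defaultdict(list)
    for entry in entries:
        uid = constructed_unique_id(entry, attrs)
        if uid is None:
            missing.append(entry["dn"])
            continue
        ids[entry["dn"]] = uid
        owners[uid].append(entry["dn"])
    duplicates = {uid: dns for uid, dns in owners.items() if len(dns) > 1}
    return ids, missing, duplicates


def is_safe_choice(entries: Iterable[Dict[str, str]], attrs: Sequence[str]) -> bool:
    """True only if every entry gets a UniqueID and no two entries share one."""
    _, missing, duplicates = check_unique_ids(list(entries), attrs)
    return not missing and not duplicates


if __name__ == "__main__":
    for choice in (["cn"], ["uid"], ["cn", "uid"], ["entryUUID"]):
        ids, missing, duplicates = check_unique_ids(SAMPLE_ENTRIES, choice)
        print(f"{choice}: {len(ids)} identified, {len(missing)} without ID, "
              f"{len(duplicates)} collisions -> {'safe' if is_safe_choice(SAMPLE_ENTRIES, choice) else 'unsafe'}")
```

Running the check over an export of the connected directory before committing the UniqueID attributes list shows in advance which objects would be skipped or merged; in the sample only entryUUID identifies all three entries without a collision.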

Specify password sync parameters for LDAP directory service

To synchronize passwords in an LDAP directory service connected to Synchronization Service through the Generic LDAP Connector, you must specify the following parameters:
• The target object type for which you want to synchronize passwords.
• The object attribute for storing passwords in the LDAP directory service.

To specify the target object type and attribute for storing passwords

1. Click the Connection settings link below the LDAP directory service connection for which you want to specify the target object type and attribute for storing passwords.
2. Open the Password tab.
3. Make sure the Synchronize and manage passwords check box is selected.
4. Use the Synchronize passwords for objects of this type option to specify the object type in LDAP directory service for which you want to synchronize passwords.
5. Use the Store password in this attribute option to specify the attribute in which you want to store passwords.
6. Click Save.

Working with an OpenLDAP directory


service
This section describes how to create or modify a connection to an OpenLDAP directory
service so that Synchronization Service could work with data in that data system.
To create a connection to an OpenLDAP directory service, use the OpenLDAP Connector
of the Active Roles Synchronization Service.
The OpenLDAP Connector supports the following features:

Table 49: OpenLDAP Connector – Supported features

Feature                        Supported
Bidirectional synchronization  Yes
    Specifies whether you can both read and write data in the connected data
    system.
Delta processing mode          No
    Specifies whether the connection can process only the data that has
    changed in the connected data system since the last synchronization
    operation. This reduces the overall synchronization duration.
Password synchronization       Yes
    Specifies whether you can synchronize user passwords from an Active
    Directory (AD) domain to the connected data system.

Creating an OpenLDAP directory service connection
You can create a new OpenLDAP directory service connection in the Synchronization
Service Console.

To create a new OpenLDAP connection

1. In the Synchronization Service Console, open the Connections tab.


2. Click Add connection, then use the following options:
l Connection name: Type a descriptive name for the connection.
l Use the specified connector: Select OpenLDAP Connector.
3. Click Next.
4. On the Specify connection settings page, use the following options:
l Server: Type the fully qualified domain name of the computer running an
OpenLDAP directory service to which you want to connect.
l Port: Type the number of the communication port used by the OpenLDAP
server to which you want to connect.
l Access LDAP directory service using: Type the user name and password of
the account with which you want to access the OpenLDAP directory service.
Ensure the account has sufficient permissions to perform the operations you
want (Read, Write) on objects in the OpenLDAP directory service.
l Advanced: Click this button to specify a number of advanced options to access
the OpenLDAP directory service. For example, you can select an authentication
method to access the directory service, configure TLS/SSL usage for the
connection, and select whether or not you want to use paged search.
l From this Authentication method list, select one of the following methods:
l Anonymous: Allows you to establish the connection without passing
credentials.
l Basic: Specifies to use basic authentication.
l Microsoft Negotiate: Specifies to use Microsoft Negotiate
authentication.
l NTLM: Specifies to use Windows NT Challenge/Response authentication.
l Digest: Specifies to use Digest Access authentication.
l Sicily: Employs a negotiation mechanism (Sicily) to choose the Microsoft
Network Authentication Service, Distributed Password Authentication, or
NTLM method.
l Distributed Password Authentication: Specifies to use DPA
authentication.
l Microsoft Network Authentication Service: Specifies to
authenticate with Microsoft Network Authentication Service.
l External: Specifies to use an external authentication method for the
connection.
l Kerberos: Specifies to use Kerberos authentication.
You can also use the following check boxes:

l Use TLS/SSL: Allows you to use the TLS (SSL) encryption to establish
and maintain the connection.
l Switch to TLS/SSL after establishing connection: Establishes the
connection without using the TLS (SSL) encryption. Then, after the
connection has been established, enables the TLS (SSL) encryption.
l Verify TLS/SSL certificate: Specifies whether or not to check the TLS
(SSL) certificate on the server.
l Use paged search: Specifies whether or not to use paged search for
the connection. When selecting this check box, you can set a page size
limit in the text box below.
l To test the connection with the new parameters, click Test connection.
5. To complete the configuration of the OpenLDAP directory service connection,
click Finish.

After establishing a connection, you can define the attributes used to name objects in the
data system. For more information, see Modifying an existing Generic LDAP directory
service connection.

Modifying an existing OpenLDAP directory service connection
You can modify the various settings for an existing OpenLDAP directory service connection,
such as the directory service server, communication port, access credentials, and the
attributes used for naming objects in the OpenLDAP directory service.
Every object in an OpenLDAP directory service has a naming attribute from which the
object name is formed. When you create a connection to an OpenLDAP directory service, a
default naming attribute is selected for each object type in the data system. You can view
the default naming attribute currently selected for each object type in the data system and
optionally specify a different naming attribute.

To modify connection settings

1. In the Synchronization Service Console, open the Connections tab.


2. Click Connection settings below the existing OpenLDAP connection you want
to modify.
3. On the Connection Settings tab, click an appropriate item to expand it and use the
options it provides.
You can expand the following items:
l Specifying connection settings for an OpenLDAP directory service connection
l Specifying naming attributes for an OpenLDAP directory service connection
4. Click Save.

Specifying connection settings for an OpenLDAP directory service connection
The Specify connection settings option provides the following settings that allow you to
modify the connection settings:
l Server: Type the fully qualified domain name of the computer running an OpenLDAP
directory service to which you want to connect.
l Port: Type the number of the communication port used by the OpenLDAP server to
which you want to connect.
l Access LDAP directory service using: Type the user name and password of the
account with which you want to access the OpenLDAP directory service. Ensure the
account has sufficient permissions to perform the operations you want (Read, Write)
on objects in the OpenLDAP directory service.
l Advanced: Click this button to specify a number of advanced options to access the
OpenLDAP directory service. For example, you can select an authentication method
to access the directory service, configure TLS/SSL usage for the connection, and
select whether or not you want to use paged search.
l From this Authentication method list, select one of the following methods:
l Anonymous: Allows you to establish the connection without passing
credentials.
l Basic: Specifies to use basic authentication.
l Microsoft Negotiate: Specifies to use Microsoft Negotiate authentication.
l NTLM: Specifies to use Windows NT Challenge/Response authentication.
l Digest: Specifies to use Digest Access authentication.
l Sicily: Employs a negotiation mechanism (Sicily) to choose the Microsoft
Network Authentication Service, Distributed Password Authentication, or
NTLM method.
l Distributed Password Authentication: Specifies to use DPA authentication.
l Microsoft Network Authentication Service: Specifies to authenticate with
Microsoft Network Authentication Service.
l External: Specifies to use an external authentication method for the
connection.
l Kerberos: Specifies to use Kerberos authentication.
You can also use the following check boxes:
l Use TLS/SSL: Allows you to use the TLS (SSL) encryption to establish and
maintain the connection.
l Switch to TLS/SSL after establishing connection: Establishes the
connection without using the TLS (SSL) encryption. Then, after the connection
has been established, enables the TLS (SSL) encryption.

l Verify TLS/SSL certificate: Specifies whether or not to check the TLS (SSL)
certificate on the server.
l Use paged search: Specifies whether or not to use paged search for the
connection. When selecting this check box, you can set a page size limit in the
text box below.
l To test the connection with the new parameters, click Test connection.
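The Authentication method list above is the set of methods offered by the Windows LDAP client, which .NET exposes as System.DirectoryServices.Protocols.AuthType with the same ten values. The following PowerShell script is an added example, not Synchronization Service code; it shows what the TLS/SSL, Switch to TLS/SSL after establishing connection, Verify TLS/SSL certificate and Use paged search options come down to on the wire, and the server name, port, service account and base DN in it are assumptions.

```powershell
# Added example, not Synchronization Service code: the connector's authentication and
# TLS/SSL options expressed with the Windows LDAP client that .NET exposes as
# System.DirectoryServices.Protocols. Host, port, credentials and base DN are assumptions.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Connect-LdapDirectory {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 389,
        # AuthType has the same ten values as the connector's "Authentication method" list:
        # Anonymous, Basic, Negotiate, Ntlm, Digest, Sicily, Dpa, Msn, External, Kerberos.
        [System.DirectoryServices.Protocols.AuthType]$AuthType = 'Basic',
        [System.Management.Automation.PSCredential]$Credential,
        [switch]$UseTls,                  # "Use TLS/SSL": TLS from the first byte (LDAPS, usually port 636)
        [switch]$StartTlsAfterConnect,    # "Switch to TLS/SSL after establishing connection" (StartTLS)
        [bool]$VerifyCertificate = $true  # "Verify TLS/SSL certificate"
    )
    if ($UseTls -and $StartTlsAfterConnect) { throw 'Choose either LDAPS or StartTLS, not both.' }

    $identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.AuthType = $AuthType
    if ($Credential) { $conn.Credential = $Credential.GetNetworkCredential() }

    $expectedHost = $Server
    if ($VerifyCertificate) {
        # Explicit check: the chain must build against the machine trust store and the
        # certificate's DNS name must match the host we dialled (first SAN/CN only, no wildcards).
        $callback = {
            param($connection, $certificate)
            $cert2 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certificate
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
            $chainOk = $chain.Build($cert2)
            $dnsName = $cert2.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
            $nameOk = ($dnsName -ieq $expectedHost)
            if (-not ($chainOk -and $nameOk)) {
                Write-Warning "Rejecting server certificate: chain valid=$chainOk, name '$dnsName', expected '$expectedHost'"
            }
            return ($chainOk -and $nameOk)
        }.GetNewClosure()
    } else {
        # Clearing "Verify TLS/SSL certificate" amounts to this callback: any certificate is
        # accepted, so TLS still hides the traffic but no longer proves which server answered.
        Write-Warning 'Server certificate verification is disabled for this connection.'
        $callback = { param($connection, $certificate) $true }
    }
    $conn.SessionOptions.VerifyServerCertificate = [System.DirectoryServices.Protocols.VerifyServerCertificateCallback]$callback

    if ($UseTls) {
        $conn.SessionOptions.SecureSocketLayer = $true          # handshake runs when Bind() opens the socket
    } elseif ($StartTlsAfterConnect) {
        $conn.SessionOptions.StartTransportLayerSecurity($null)  # plain connect, then upgrade, before any bind
    } elseif ($AuthType -eq 'Basic') {
        Write-Warning 'No TLS selected: the Basic bind will send the password in clear text.'
    }
    $conn.Bind()   # credentials leave the machine only here, after the TLS decision above
    return $conn
}

function Search-LdapPaged {
    # "Use paged search" with a page size limit: ask for PageSize entries per round trip and
    # follow the server's cookie until it comes back empty.
    param(
        [Parameter(Mandatory)][System.DirectoryServices.Protocols.LdapConnection]$Connection,
        [Parameter(Mandatory)][string]$BaseDn,
        [string]$Filter = '(objectClass=inetOrgPerson)',
        [string[]]$Attributes = @('uid', 'cn'),
        [int]$PageSize = 500
    )
    $request = New-Object System.DirectoryServices.Protocols.SearchRequest(
        $BaseDn, $Filter, [System.DirectoryServices.Protocols.SearchScope]::Subtree, $Attributes)
    $page = New-Object System.DirectoryServices.Protocols.PageResultRequestControl($PageSize)
    [void]$request.Controls.Add($page)
    do {
        $response = [System.DirectoryServices.Protocols.SearchResponse]$Connection.SendRequest($request)
        foreach ($entry in $response.Entries) { $entry }   # emit one page at a time
        $pageResponse = $response.Controls | Where-Object { $_ -is [System.DirectoryServices.Protocols.PageResultResponseControl] }
        $page.Cookie = if ($pageResponse) { $pageResponse.Cookie } else { [byte[]]@() }
    } while ($page.Cookie.Length -gt 0)
}

# Example call (assumed server, account and base DN): StartTLS, then Basic bind, then a paged search.
# $cred = Get-Credential -UserName 'cn=syncsvc,dc=example,dc=com' -Message 'LDAP service account'
# $conn = Connect-LdapDirectory -Server 'ldap.example.com' -Port 389 -AuthType Basic -Credential $cred -StartTlsAfterConnect
# Search-LdapPaged -Connection $conn -BaseDn 'dc=example,dc=com' -PageSize 500 | Select-Object -ExpandProperty DistinguishedName
```

With Online revocation checking the verify callback needs reachable CRL or OCSP endpoints; in an isolated lab, switch it to NoCheck knowingly rather than clearing verification altogether.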

Specifying naming attributes for an OpenLDAP directory service connection
The Specify naming attributes option allows you to specify a naming attribute for each
object type in the connected OpenLDAP directory service data system. The option provides
the following settings:
l Default naming attribute: Displays the default naming attribute set for the
currently selected object type.
l Add: Adds a new naming attribute for the selected object type.
l Edit: Allows you to edit the name of the naming attribute currently specified for the
selected object type.
l Remove: Removes the currently selected entry from the list.

Working with IBM DB2

This section describes how to create or modify a connection to IBM DB2 so that
Synchronization Service can work with data in that data system.
To create a connection to IBM DB2, you need to use Synchronization Service in conjunction
with a special connector called IBM DB2 Connector. This connector is included in the
Synchronization Service package.
The IBM DB2 Connector supports the following features:

Table 50: IBM DB2 Connector – Supported features

Feature                        Supported
Bidirectional synchronization  Yes
    Specifies whether you can both read and write data in the connected data
    system.
Delta processing mode          No
    Specifies whether the connection can process only the data that has
    changed in the connected data system since the last synchronization
    operation. This reduces the overall synchronization duration.
Password synchronization       Yes
    Specifies whether you can synchronize user passwords from an Active
    Directory (AD) domain to the connected data system.

Creating an IBM DB2 connection

To create a new connection

1. On the system where Synchronization Service is installed, install IBM Data Server
Client supplied with the IBM DB2 version with which you plan to work.
2. In the Synchronization Service Console, open the Connections tab.
3. Click Add connection, then use the following options:
l Connection name: Type a descriptive name for the connection.
l Use the specified connector: Select IBM DB2 Connector.
4. Click Next.
5. On the Specify connection settings page, use the following options:
l IBM DB2 server: Type or select the fully qualified domain name of the IBM
DB2 computer that hosts the database you want to participate in data
synchronization operations. You can click Refresh to get a list of available IBM
DB2 servers.
l Access IBM DB2 server using: Type the user name and password with
which you want to access the IBM DB2 server.
l Connect to database: Type the name of the database to which you want to
connect on the IBM DB2 server.
l Advanced: Optionally, you can click this button to specify additional
parameters you want to add to the connection string that will be used to
access the IBM DB2 server. In the dialog box that opens, click Add
Parameter to specify the name and value of the parameter you want to add
to the connection string.
l To test the connection with the new parameters, click Test connection.
6. Click Next.
7. On the Specify how to select and modify data page, use the following options:
l Use data from this table: Allows you to select a database table that includes
the data you want to participate in the synchronization operations. You can
click Preview to preview the database table you have selected.
l Use an SQL query to specify data: Allows you to compose an SQL query
that provides a more flexible way for specifying the data for synchronization.
For example, you can use this option to specify multiple database tables.
l Configure Settings: Click this button to specify settings for modifying data in
the connected system during synchronization operations. For example, you can
specify the database tables in which you want to insert, update, or delete data
during synchronization operations.
8. On the Specify attributes to identify objects page, use the following options:
l Available attributes: Lists the attributes that are available in the external
data system. Use this list to select the attributes whose values you want to use
to generate a unique identifier for each object in the external data system. You
can filter attributes by typing in the text box at the top of this list. To select
multiple attributes, hold down CTRL and click to select attributes in the list.
l UniqueID attributes: Lists the attributes whose values are currently used to
generate a unique identifier for each object in the external data system.
l Add->: Moves the selected attributes from the Available attributes list to
the UniqueID attributes list.
l <-Remove: Moves the selected attributes from the UniqueID attributes list
to the Available attributes list.
l Constructed UniqueID: Displays a combination of the attributes whose
values will make up a unique identifier for each object in the external
data system.
9. Click Finish to create a connection to the IBM DB2 system.

Modifying an existing IBM DB2 connection

To modify connection settings

1. In the Synchronization Service Console, open the Connections tab.


2. Click Connection settings below the existing IBM DB2 connection you want
to modify.
3. On the Connection Settings tab, click an appropriate item to expand it and use the
options it provides.
You can expand the following items:
l Specify connection settings for an IBM DB2 connection
l Specify how to select and modify data for an IBM DB2 connection
l Advanced
l Specify attributes to identify objects for an IBM DB2 connection
4. Click Save.

Specify connection settings for an IBM DB2 connection
This expandable item provides the following options that allow you to modify the
connection settings:
l IBM DB2 server: Type or select the fully qualified domain name of the IBM DB2
computer that hosts the database you want to participate in data synchronization
operations. You can click Refresh to get a list of available IBM DB2 servers.
l Access IBM DB2 server using: Type the user name and password with which you
want to access the IBM DB2 server.
l Connect to database: Type the name of the database to which you want to connect
on the IBM DB2 server.
l Advanced: Optionally, you can click this button to specify additional parameters you
want to add to the connection string that will be used to access the IBM DB2 server.
In the dialog box that opens, click Add Parameter to specify the name and value of
the parameter you want to add to the connection string.
l To test the connection with the new parameters, click Test connection.

Specify how to select and modify data for an IBM DB2 connection
This expandable item provides the following options that allow you to specify the data you
want to participate in the synchronization:
l Use data from this table: Allows you to select a database table that includes the
data you want to participate in the synchronization operations. You can click
Preview to preview the database table you have selected.
l Use an SQL query to specify data: Allows you to compose an SQL query that
provides a more flexible way for specifying the data for synchronization. For
example, you can use this option to specify multiple database tables.
l Configure Settings: Click this button to specify settings for modifying data in the
connected system during synchronization operations. For example, you can specify
the database tables in which you want to insert, update, or delete data during
synchronization operations.

Advanced
Allows you to configure the running timeout for all SQL queries you specified in the
connection settings (for example, those specified in the Specify How to Select and
Modify Data option). Use the SQL query execution timeout box to type the timeout
value you want to use.

Specify attributes to identify objects for an IBM DB2 connection
This expandable item provides the following options that allow you to specify the attributes
with which you want to uniquely identify each object in the connected data system:
l Available attributes: Lists the attributes that are available in the external data
system. Use this list to select the attributes whose values you want to use to
generate a unique identifier for each object in the external data system. You can filter
attributes by typing in the text box at the top of this list. To select multiple attributes,
hold down CTRL and click to select attributes in the list.
l UniqueID attributes: Lists the attributes whose values are currently used to
generate a unique identifier for each object in the external data system.
l Add->: Moves the selected attributes from the Available attributes list to the
UniqueID attributes list.
l <-Remove: Moves the selected attributes from the UniqueID attributes list to the
Available attributes list.
l Constructed UniqueID: Displays a combination of the attributes whose values will
make up a unique identifier for each object in the external data system.

Working with IBM AS/400

This section describes how to create or modify a connection to IBM AS/400 Directory so
that Synchronization Service can work with data in that data system.
To create a connection to IBM AS/400 Directory, you need to use Synchronization Service
in conjunction with a special connector called IBM AS/400 Directory Connector. This
connector is included in the Synchronization Service package.
The IBM AS/400 Directory Connector supports the following features:

Table 51: IBM AS/400 Connector – Supported features

Feature                        Supported
Bidirectional synchronization  Yes
    Specifies whether you can both read and write data in the connected data
    system.
Delta processing mode          No
    Specifies whether the connection can process only the data that has
    changed in the connected data system since the last synchronization
    operation. This reduces the overall synchronization duration.
Password synchronization       Yes
    Specifies whether you can synchronize user passwords from an Active
    Directory (AD) domain to the connected data system.

Prerequisites
l The IBM AS/400 server must have LDAP directory services installed and configured.
l An LDAP service account must be created on your IBM AS/400 server which has the
appropriate permissions to administer users and groups on this platform.

Creating an IBM AS/400 connection

To create a new connection

1. In the Synchronization Service Console, open the Connections tab.


2. Click Add connection, then use the following options:
l Connection name: Type a descriptive name for the connection.
l Use the specified connector: Select IBM AS/400 Connector.
3. Click Next.
4. On the Specify connection settings page, use the following options:
l Server: Type or select the fully qualified DNS name of the IBM AS/400 server
running the LDAP service.
l Port: Type the IBM AS/400 LDAP communication port number in use by
the service.
l User name: Specify the fully distinguished name (DN) of the account under
which the application will access the IBM AS/400 LDAP directory service.
l Password: specify the password of the user account under which the
application will access the IBM AS/400 LDAP directory service. We recommend
that you select the SSL check box if synchronizing sensitive data between
connectors.
l To test the connection with the new parameters, click Test connection.
5. Click Next.
6. Click Finish to create a connection to the IBM AS/400 system.

Modifying an existing IBM AS/400 connection
To modify connection settings

1. In the Synchronization Service Console, open the Connections tab.


2. Click Connection Settings below the existing IBM AS/400 connection you
want to modify.
3. On the Connection Settings tab, click Specify connection settings to expand it
and use the following options.
l Server: Type or select the fully qualified DNS name of the IBM AS/400 server
running the LDAP service.
l Port: Type the IBM AS/400 LDAP communication port number in use by
the service.
l User name: Specify the fully distinguished name (DN) of the account under
which the application will access the IBM AS/400 LDAP directory service.
l Password: specify the password of the user account under which the
application will access the IBM AS/400 LDAP directory service. We recommend
that you select the SSL check box if synchronizing sensitive data between
connectors.
l To test the connection with the new parameters, click Test connection.
4. Click Save.

Additional considerations for an IBM AS/400 connection

This topic outlines additional points to consider when configuring the IBM
AS/400 connector.

Using groups with IBM AS/400

The IBM AS/400 operating system does not have any concept of groups as discrete entities.
Instead, an administrator creates a user profile which is used as a group profile. Other user
profiles are then linked to this using the GrpPrf or SupGrpPrf parameters of the ChgUsrPrf
command. The GrpPrf value maps to the os400-grpprf attribute in the IBM AS/400 schema,
while the SupGrpPrf value maps to the os400-supgrpprf attribute. The IBM AS/400 Quick
Connect mappings must be defined for users and groups to enable full user and group
synchronization.

Optional IBM AS/400 account unlock during password reset function

You can optionally unlock a user's IBM AS/400 account at the same time as performing a
password reset. This functionality is switched off by default and can be enabled by editing
the connector's configuration file as follows:

1. Edit the <Program Files folder>\One Identity\Active
Roles\7.4\SyncService\AS400Connector_ConnectorConfig.xml file.
2. Add the following lines just before the closing </ConnectorInfo> tag, which appears
on the last line of the file:

<SelfConfig>
    <EnableAccount>true</EnableAccount>
</SelfConfig>

NOTE: Only the value true will enable the new functionality.

The LDAP password request sent to IBM AS/400 will then also include a request to modify
the account status (os400-status=*ENABLED).
The configuration file is read every time an LDAP connection is made to the IBM AS/400, so
the new value is picked up by the next set of synchronizations.
NOTE: If you edited ConnectorConfig.xml to implement the optional unlock of a user's
IBM AS/400 account at the same time as performing a password reset in an earlier
version of the connector for IBM AS/400, then you will need to repeat that edit after
installing a later version.
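Because the edit has to be repeated after each connector upgrade and only the exact value true takes effect, a script that checks the file and applies the edit only when needed is useful. The following PowerShell function is an added example, not One Identity code; the configuration file path is passed in, and the example call assumes the folder layout given above.

```powershell
# Added example, not part of the connector: applies the SelfConfig/EnableAccount edit
# described above, reports whether anything changed, and is safe to re-run after upgrades.
function Enable-AS400UnlockOnPasswordReset {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$ConfigPath)

    # Resolve to a full path: XmlDocument.Save() uses the process working directory, not the PowerShell location.
    $fullPath = (Resolve-Path -LiteralPath $ConfigPath).ProviderPath
    [xml]$doc = Get-Content -LiteralPath $fullPath -Raw
    $root = $doc.DocumentElement
    if ($root.LocalName -ne 'ConnectorInfo') {
        throw "Unexpected root element <$($root.LocalName)> in $fullPath; expected <ConnectorInfo>."
    }
    $ns = $root.NamespaceURI   # keep new elements in the document's namespace, if it declares one

    # Appending to the root places the element just before </ConnectorInfo>, as the guide asks.
    $self = $root.ChildNodes | Where-Object { $_.LocalName -eq 'SelfConfig' } | Select-Object -First 1
    if (-not $self) { $self = $root.AppendChild($doc.CreateElement('SelfConfig', $ns)) }

    $enable = $self.ChildNodes | Where-Object { $_.LocalName -eq 'EnableAccount' } | Select-Object -First 1
    if (-not $enable) { $enable = $self.AppendChild($doc.CreateElement('EnableAccount', $ns)) }

    # The guide states that only the value true enables the unlock, so compare case-sensitively.
    if ($enable.InnerText -ceq 'true') {
        Write-Verbose 'Account unlock on password reset is already enabled; nothing to do.'
        return $false
    }
    Copy-Item -LiteralPath $fullPath -Destination "$fullPath.bak" -Force   # keep the previous version
    $enable.InnerText = 'true'
    $doc.Save($fullPath)
    Write-Verbose "Enabled account unlock on password reset in $fullPath (backup: $fullPath.bak)."
    return $true
}

# Example call; the path follows the guide's layout under the Program Files folder (assumed).
# Enable-AS400UnlockOnPasswordReset -ConfigPath "$env:ProgramFiles\One Identity\Active Roles\7.4\SyncService\AS400Connector_ConnectorConfig.xml" -Verbose
```

Run it from an elevated session, since the connector's folder under Program Files is not writable by standard users.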

Working with IBM RACF

To create a connection to IBM RACF, you need to use Synchronization Service in
conjunction with a special connector called IBM RACF Connector. This connector is included
in the Synchronization Service package.
The IBM RACF Connector supports the following features:

Table 52: IBM RACF Connector – Supported features

Feature                        Supported
Bidirectional synchronization  Yes
    Specifies whether you can both read and write data in the connected data
    system.
Delta processing mode          No
    Specifies whether the connection can process only the data that has
    changed in the connected data system since the last synchronization
    operation. This reduces the overall synchronization duration.
Password synchronization       Yes
    Specifies whether you can synchronize user passwords from an Active
    Directory (AD) domain to the connected data system.

Prerequisites
l The IBM mainframe must have LDAP directory services installed and configured.
l The IBM RACF connector can be installed on Microsoft Windows Server 2016 or later.

NOTE: There is an 8 character limit for user and group names on IBM RACF. The
character limit is also applicable to the passwords on IBM RACF.

Creating an IBM RACF connection

To create a new connection

1. In the Synchronization Service Console, open the Connections tab.


2. Click Add connection, then use the following options:
l Connection name: Type a descriptive name for the connection.
l Use the specified connector: Select IBM RACF Connector.
3. Click Next.
4. On the Specify connection settings page, use the following options:
l Server: Type the fully qualified DNS name of the IBM RACF server running the
LDAP service.
l Port: Type the LDAP communication port number in use by the service on the
IBM RACF server.
l User name: Specify the fully distinguished name (DN) of the account that the
application will use to access the IBM RACF LDAP directory service.
l Password: Specify the password of the user account that the application will
use to access the IBM RACF LDAP directory service.
l To test the connection with the new parameters, click Test connection.
5. Click Next.
6. Click Finish to create a connection to IBM RACF.

Modifying an IBM RACF connection

To modify connection settings

1. In the Synchronization Service Console, open the Connections tab.


2. Click Connection Settings below the existing IBM RACF connection you want
to modify.

3. On the Connection Settings tab, click Specify connection settings to expand it
and use the following options.
l Server: Type the fully qualified DNS name of the IBM RACF server running the
LDAP service.
l Port: Type the LDAP communication port number in use by the service on the
IBM RACF server.
l User name: Specify the fully distinguished name (DN) of the account that the
application will use to access the IBM RACF LDAP directory service.
l Password: Specify the password of the user account that the application will
use to access the IBM RACF LDAP directory service.
l To test the connection with the new parameters, click Test connection.
4. Click Save.

Example of mapping for dataset information

The IBM RACF connector can be used to synchronize IBM RACF dataset information. The
LDAPX exit must be installed and configured for this functionality to be supported.
The example in this topic shows how IBM RACF dataset information can be synchronized.
IBM RACF dataset names contain asterisk (*) characters and therefore cannot be
synchronized to Active Directory, which does not allow asterisk characters in names. The
example therefore shows a synchronization to a Microsoft SQL database. It is assumed that
Microsoft SQL Server and Microsoft SQL Server Manager have been installed and
configured.

Creating SQL database and table

Using Microsoft SQL Server Manager, create a database called IBM RACF_Datasets.
Within that database, create a table called Datasets with the following columns:

Column Name          Data Type
Audit                nchar(100)
Create_Group         nchar(10)
Owner                nchar(10)
UACC                 nchar(10)
UID (database key)   nchar(100)

Create a connection to this database and table with the ARSS Microsoft SQL Server
Connector.

Provisioning datasets
To synchronize the SQL table to IBM RACF follow the steps provided here.

To synchronize the SQL table to IBM RACF

1. Navigate to the Workflows tab.
2. Click Add sync workflow.
3. Enter IBM RACF Datasets and click OK.
4. Click the IBM RACF Datasets workflow.
5. Click Add synchronization step.
6. Click Creation and then Next.
7. In the Source connected system section, click Specify.
8. Select your Microsoft SQL Server Connector and click Finish.
The SQL source object type is currently set to sql-Object. Do not change this value.
9. Click Next.
10. In the Target connected system field, click Specify, then locate your IBM
RACF connector and click Finish.
11. The object type in the Target object system field is populated automatically by
Synchronization Service to racfUser. Change this to racfDataset.
12. Click Next.
13. In the Specify provisioning rules section, click Forward Sync Rule.
14. In the Source attribute field, click Attribute, locate UID and click OK.
15. In the Target attribute field, click Attribute, locate racfDataset and click OK.
16. Repeat these steps so that the following five items are mapped:

SQL Attribute   IBM RACF Attribute
Owner           racfOwner
UACC            racfUacc
Create_Group    racfCreateGroup
Audit           racfAudit
UID             racfDataset

17. Click OK.


18. Click Finish to complete the synchronization.

Updating datasets
To synchronize the SQL table to IBM RACF

1. Navigate to the Sync Workflows tab, select IBM RACF Datasets and click OK.
2. Click Add synchronization step.
3. Click Update and then click Next.
4. In the Source connected system section, click Specify.
5. Select your Microsoft SQL Server Connector and click Finish.
The SQL source object type is currently set to sql-Object. Do not change this value.
6. Click Next.
7. In the Target connected system field, click Specify, then locate your IBM
RACF connector and click Finish.
8. The object type in the Target object system field is populated automatically by
Synchronization Service to racfUser. Change this to racfDataset.
9. Click Next.
10. In the Specify provisioning rules section, click Forward Sync Rule.
11. In the Source attribute field, click Attribute, locate UID and click OK.
12. In the Target attribute field, click Attribute, locate racfDataset and click OK.
13. Repeat these steps so that the following five items are mapped:
13. Repeat these steps so that the following five items are mapped:

SQL Attribute   IBM RACF Attribute
Owner           racfOwner
UACC            racfUacc
Create_Group    racfCreateGroup
Audit           racfAudit
UID             racfDataset

14. Click OK.


15. Click Finish to complete the synchronization.

Deprovisioning datasets
To deprovision datasets

1. Navigate to the Workflows tab and select IBM RACF Datasets.
2. Click Add synchronization step.
3. Click Deprovision and then click Next.
4. In the Source connected system section, click Specify.
5. Select your Microsoft SQL Server Connector and click Finish.
6. In the Deprovision target objects if section, select the Source object is
deleted or is out of synchronization scope option.
7. Optionally, configure the Source object meets the following criteria option.
8. Click Next.
9. In the Target connected system field, click Specify and then locate your IBM
RACF connector and click Finish.
10. The object type in the Target object system field is populated automatically by
Synchronization Service to racfDataset.
11. Click Next.
12. Select Delete target object.
13. Click Finish to complete the synchronization.

Working with TSO command

The IBM RACF connector can be used to run any command in the Time Sharing Option
(TSO) environment on the target IBM mainframe. The LDAPX exit must be installed and
configured for this functionality to be supported.
The TSO command is run using an Active Roles Synchronization Service synchronization
step that creates an object of type ldapxtsocmd on the target IBM RACF system, supplying
the name of the TSO command or script to be run in the attribute racfprogrammername.
When the step is run, the IBM RACF connector intercepts the create command and instead
sends an LDAP search command with the required parameters via the LDAP protocol.
The LDAPX exit intercepts this request, extracts the TSO command information and runs
the command. The LDAP response is constructed, containing the results obtained from
running the command. The IBM RACF connector receives this LDAP response, extracts the
results and saves them in a text file that can be examined later.
No object is created during the synchronization step, so it can be run indefinitely, each time
executing the TSO command stored in the racfprogrammername attribute from the same or
any other synchronization step.
The following example shows a method of issuing a TSO command using synchronization
from Active Directory (AD).

1. Using Active Directory Users and Computers, create a container in AD that the
Synchronization Service can filter on. For example, create an organizational unit
called TSO Commands.
2. Create a dummy computer object named TSOCMD in this container and set its
Description to the string STATUS. The TSO command STATUS returns the current
system status.
3. Create a workflow called Run TSO Command.
4. Within this workflow, create a synchronization step as follows:
a. Synchronization step type: Create
b. Source object: Active Directory, the container created above, name starts
with TSOCMD.
c. Target connector: IBM RACF
d. Object type: ldapxtsocmd
e. Mapping: from the AD Description attribute to the IBM RACF
racfprogrammername attribute
5. Save the step.
6. Run the synchronization step. It should report one item to be created with the
following properties:
l objecttype: ldapxtsocmd
l racfprogrammername: STATUS
7. Perform the synchronization step to apply the change.
8. The LDAP request is sent and interpreted by the LDAPX exit, which runs the TSO
command.
9. Once complete, the synchronization step shows as successful.
10. The output from running the command can be found in the following text file:
<ARSS installation folder>\SyncService\TSOCommandOutput\YYMMDD.txt, where
YYMMDD is the date on which the command was run.
11. The text file contains the output returned by IBM RACF after running the STATUS
command.
12. Output from multiple commands run on the same day is appended to the same daily
text file.
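The AD side of this procedure (steps 1 and 2) can be scripted, and because the value written to Description ends up as the TSO command that runs on the mainframe, it is worth checking at the same time who is able to write that attribute. The following PowerShell is an added example, not code from this guide or from One Identity. It assumes the RSAT ActiveDirectory module on a domain-joined host with rights to create objects and edit ACLs in the domain; the group name RACF-TSO-Operators is a placeholder for the group that is allowed to queue commands, and disabling the computer object is an extra precaution the guide does not call for.

```powershell
# Added example (not from the One Identity guide). Assumes the RSAT ActiveDirectory
# module on a domain-joined host with rights to create objects and edit ACLs.
# 'RACF-TSO-Operators' is a placeholder group name.
Import-Module ActiveDirectory

$domainDn  = (Get-ADDomain).DistinguishedName
$ouName    = 'TSO Commands'
$ouDn      = "OU=$ouName,$domainDn"
$operators = 'RACF-TSO-Operators'

# Step 1: the container the synchronization step filters on
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDn -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn
}

# Step 2: dummy computer object. Its Description is mapped to racfprogrammername and
# therefore becomes the TSO command. Disabled so the account can never authenticate
# (an assumption of this example, not a requirement of the guide).
$tsoCmd   = 'STATUS'
$existing = Get-ADComputer -Filter "Name -eq 'TSOCMD'" -SearchBase $ouDn
if ($existing) {
    Set-ADComputer -Identity $existing -Description $tsoCmd
} else {
    New-ADComputer -Name 'TSOCMD' -Path $ouDn -Description $tsoCmd -Enabled $false
}

# Resolve schema GUIDs from the schema partition instead of hard-coding them
$schemaNc = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$ldapName) {
    [guid](Get-ADObject -SearchBase $schemaNc -Filter "lDAPDisplayName -eq '$ldapName'" -Properties schemaIDGUID).schemaIDGUID
}
$descGuid     = Get-SchemaGuid 'description'
$computerGuid = Get-SchemaGuid 'computer'

# Grant the operator group WriteProperty on 'description' for computer objects under the OU
$acl  = Get-Acl -Path "AD:\$ouDn"
$sid  = (Get-ADGroup -Identity $operators).SID
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $descGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $computerGuid)
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Review: every other principal listed here can also change the command that will run on
# the mainframe. Anything unexpected, including rights inherited from higher up, should go.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights -match 'WriteProperty|GenericWrite|GenericAll|WriteDacl|WriteOwner' -and
        ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $descGuid)
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited |
    Format-Table -AutoSize
```

The final listing is the part to read carefully: an entry with GenericAll or an unscoped WriteProperty (ObjectType equal to the empty GUID) means that principal can set any TSO command, whether or not it is in the operator group.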

Working with MySQL database


This section describes how to create or modify a connection to a MySQL database so that
Synchronization Service can work with data in that data system.
To create a MySQL database connection, use the MySQL Connector of the Active Roles
Synchronization Service.
The MySQL Connector supports the following features:

Table 53: MySQL Connector – Supported features

Feature | Supported | Description
Bidirectional synchronization | Yes | Specifies whether you can both read and write data in the connected data system.
Delta processing mode | No | Specifies whether the connection can process only the data that has changed in the connected data system since the last synchronization operation. This reduces the overall synchronization duration.
Password synchronization | Yes | Specifies whether you can synchronize user passwords from an Active Directory (AD) domain to the connected data system.

Creating a MySQL database connection


You can create a new MySQL database connection in the Synchronization Service Console.

Prerequisites

Before configuring the connector, make sure that the Connector/NET fully-managed
ADO.NET driver is installed on the machine running the Synchronization Service.

To create a new connection

1. In the Synchronization Service Console, open the Connections tab.


2. Click Add connection, then use the following options:
l Connection name: Type a descriptive name for the connection.
l Use the specified connector: Select MySQL Connector.
3. Click Next.
4. On the Specify connection settings page, use the following options:
l MySQL server: Type the fully qualified domain name of the MySQL server that
hosts the MySQL database that you want to participate in data synchronization
operations.
l Access MySQL server using: Type the user name and password of the
account with which you want to access the MySQL server. Give the account the
privileges the synchronization needs and no more: SELECT on the tables or
query it reads, and INSERT, UPDATE or DELETE only on the tables it is
configured to modify. The connection keeps these credentials for later
synchronization runs, so use a dedicated account rather than a shared
administrative one.
l Connect to database: Type the name of the database to which you want to
connect on the MySQL server.
l Advanced: Click this button to specify additional parameters you want to add
to the connection string that will be used to access the MySQL server. In the
dialog box that opens, click the Add Parameter button to specify the name and
value of the parameter you want to add to the connection string. For example,
adding the Connector/NET parameter SslMode with the value Required makes
the connector refuse unencrypted connections to the server.
l To test the connection with the new parameters, click Test connection.
5. Click Next.
6. On the Specify how to select and modify data page, use the following options:
l Use data from this table: Allows you to select a database table that includes
the data you want to participate in the synchronization operations. You can
click Preview to preview the database table you have selected.
l Use an SQL query to specify data: Allows you to compose an SQL query
that provides a more flexible way for specifying the data for synchronization.
For example, you can use this option to specify multiple database tables.
l Configure Settings: Click this button to specify settings for modifying data in
the connected system during synchronization operations. For example, you can
specify the database tables in which you want to insert, update, or delete data
during synchronization operations.
7. Click Next.
8. On the Specify attributes to identify objects page, use the following options:
l Available attributes: Lists the attributes that are available in the external
data system. Use this list to select the attributes whose values you want to use
to generate a unique identifier for each object in the external data system. You
can filter attributes by typing in the text box at the top of this list. To select
multiple attributes, hold down CTRL and click to select attributes in the list.
l UniqueID attributes: Lists the attributes whose values are currently used to
generate a unique identifier for each object in the external data system.
l Add->: Moves the selected attributes from the Available attributes list to
the UniqueID attributes list.
l <-Remove: Moves the selected attributes from the UniqueID attributes list
to the Available attributes list.
l Constructed UniqueID: Displays a combination of the attributes whose
values will make up a unique identifier for each object in the external
data system.
9. To complete the configuration of the MySQL database connection, click Finish.

Modifying an existing MySQL database connection


You can modify the settings of an existing MySQL Connector with the Synchronization
Service Console.

To modify connection settings

1. In the Synchronization Service Console, open the Connections tab.


2. Click Connection settings below the existing MySQL connection you want to
modify.
3. On the Connection Settings tab, click an appropriate item to expand it and use the
options it provides.
You can expand the following items:
l Specifying connection settings for a MySQL database connection
l Specifying how to select and modify data for a MySQL database connection
l Advanced
l Specifying attributes to identify objects for a MySQL database connection
4. Click Save.

Specifying connection settings for a MySQL database connection


The Specify connection settings option provides the following options that allow you to
modify the connection settings:
l MySQL server: Type the fully qualified domain name of the MySQL server that hosts
the MySQL database that you want to participate in data synchronization operations.
l Access MySQL server using: Type the user name and password of the account
with which you want to access the MySQL server. Give the account the privileges
the synchronization needs and no more: SELECT on the tables or query it reads, and
INSERT, UPDATE or DELETE only on the tables it is configured to modify.
l Connect to database: Type the name of the database to which you want to connect
on the MySQL server.
l Advanced: Click this button to specify additional parameters you want to add to the
connection string that will be used to access the MySQL server. In the dialog box that
opens, click the Add Parameter button to specify the name and value of the
parameter you want to add to the connection string. For example, adding the
Connector/NET parameter SslMode with the value Required makes the connector
refuse unencrypted connections to the server.
l To test the connection with the new parameters, click Test connection.

Specifying how to select and modify data for a MySQL database connection


The Specify how to select and modify data setting provides the following options that
allow you to specify the data you want to participate in the synchronization:
l Use data from this table: Allows you to select a database table that includes the
data you want to participate in the synchronization operations. You can click
Preview to preview the database table you have selected.
l Use an SQL query to specify data: Allows you to compose an SQL query that
provides a more flexible way for specifying the data for synchronization. For
example, you can use this option to specify multiple database tables.
l Configure Settings: Click this button to specify settings for modifying data in the
connected system during synchronization operations. For example, you can specify
the database tables in which you want to insert, update, or delete data during
synchronization operations.

Advanced
Allows you to configure the running timeout for all SQL queries you specified in the
connection settings (for example, those specified in the Specify How to Select and
Modify Data option). Use the SQL query execution timeout box to type the timeout
value you want to use.

Specifying attributes to identify objects for a MySQL database connection


The Specify attributes to identify objects setting provides the following options that
allow you to specify the attributes with which you want to uniquely identify each object in
the connected data system:
l Available attributes: Lists the attributes that are available in the external data
system. Use this list to select the attributes whose values you want to use to
generate a unique identifier for each object in the external data system. You can filter
attributes by typing in the text box at the top of this list. To select multiple attributes,
hold down CTRL and click to select attributes in the list.
l UniqueID attributes: Lists the attributes whose values are currently used to
generate a unique identifier for each object in the external data system.
l Add->: Moves the selected attributes from the Available attributes list to the
UniqueID attributes list.
l <-Remove: Moves the selected attributes from the UniqueID attributes list to the
Available attributes list.
l Constructed UniqueID: Displays a combination of the attributes whose values will
make up a unique identifier for each object in the external data system.

Working with an OLE DB-compliant relational database


This section describes how to create or modify a connection to an OLE DB-compliant
relational database so that Synchronization Service can work with data in that database.
To create a connection to an OLE DB-compliant relational database, use the OLE DB
Connector of the Active Roles Synchronization Service.

Table 54: OLE DB Connector – Supported features

Feature | Supported | Description
Bidirectional synchronization | No | Specifies whether you can both read and write data in the connected data system. NOTE: By using OLE DB Connector, you can only read data in the connected data system.
Delta processing mode | No | Specifies whether the connection can process only the data that has changed in the connected data system since the last synchronization operation. This reduces the overall synchronization duration.
Password synchronization | No | Specifies whether you can synchronize user passwords from an Active Directory (AD) domain to the connected data system.

Creating an OLE DB-compliant relational database connection


You can create a new OLE DB-compliant database connection in the Synchronization
Service Console.

To create a new OLE DB-compliant relational database connection

1. In the Synchronization Service Console, open the Connections tab.


2. Click Add connection, then use the following options:
l Connection name: Type a descriptive name for the connection.
l Use the specified connector: Select OLE DB Connector.
3. Click Next.
4. Use the Connection string text box to type the connection parameters to access the
OLE DB-compliant relational database. Alternatively, you can click Configure to
specify the connection parameters by using a dialog provided by Windows. Where the
provider supports it, prefer integrated Windows authentication (for example,
Integrated Security=SSPI) to a user name and password embedded in the connection
string, and use an account that has read access only, since the OLE DB Connector
never writes to the database.
5. Click Next.

6. On the Specify how to select and modify data page, use the following options:
l Use data from this table: Allows you to select a database table that includes
the data you want to participate in the synchronization operations. You can
click Preview to preview the database table you have selected.
l Use an SQL query to specify data: Allows you to compose an SQL query
that provides a more flexible way for specifying the data for synchronization.
For example, you can use this option to specify multiple database tables.
7. Click Next.
8. On the Specify attributes to identify objects page, use the following options:
l Available attributes: Lists the attributes that are available in the external
data system. Use this list to select the attributes whose values you want to use
to generate a unique identifier for each object in the external data system. You
can filter attributes by typing in the text box at the top of this list. To select
multiple attributes, hold down CTRL and click to select attributes in the list.
l UniqueID attributes: Lists the attributes whose values are currently used to
generate a unique identifier for each object in the external data system.
l Add->: Moves the selected attributes from the Available attributes list to
the UniqueID attributes list.
l <-Remove: Moves the selected attributes from the UniqueID attributes list
to the Available attributes list.
l Constructed UniqueID: Displays a combination of the attributes whose
values will make up a unique identifier for each object in the external
data system.
9. To finish configuring the connection to the OLE DB-compliant relational database,
click Finish.

Modifying an existing OLE DB-compliant data source connection


You can modify an existing OLE DB-compliant database connection in the Active Roles
Synchronization Service Console.

To modify the connection settings of an OLE DB Connector

1. In the Synchronization Service Console, open the Connections tab.


2. Click Connection settings below the existing OLE DB-compliant relational database
connection you want to modify.
3. On the Connection Settings tab, click an appropriate item to expand it and use the
options it provides.
You can expand the following items:

l Specifying connection settings for an OLE DB-compliant relational
database connection
l Specifying how to select data for an OLE DB-compliant relational
database connection
l Advanced
l Specifying attributes to identify object for an OLE DB-compliant relational
database connection
4. For more information on these settings, see the applicable subsections.
5. When you are finished, click Save.

Specifying connection settings for an OLE DB-compliant relational database connection


Use the Connection string text box to type the connection parameters to access the OLE
DB-compliant relational database. Alternatively, you can click Configure to specify the
connection parameters by using a dialog provided by Windows. Where the provider
supports it, prefer integrated Windows authentication (for example, Integrated
Security=SSPI) to a password embedded in the stored connection string.

Specifying how to select data for an OLE DB-compliant relational database connection


The Specify how to select data setting provides the following options that allow you to
specify the data you want to participate in the synchronization:
l Use data from this table: Allows you to select a database table that includes the
data you want to participate in the synchronization operations. You can click
Preview to preview the database table you have selected.
l Use an SQL query to specify data: Allows you to compose an SQL query that
provides a more flexible way for specifying the data for synchronization. For
example, you can use this option to specify multiple database tables.

Advanced
Allows you to configure the running timeout for all SQL queries you specified in the
connection settings (for example, the query specified in the Specify how to select data
option). Use the SQL query execution timeout box to type the timeout value you want
to use.

Specifying attributes to identify object for an OLE DB-compliant relational database connection


The Specify attributes to identify object setting provides the following options that allow
you to specify the attributes with which you want to uniquely identify each object in the
connected data system:
l Available attributes: Lists the attributes that are available in the external data
system. Use this list to select the attributes whose values you want to use to
generate a unique identifier for each object in the external data system. You can filter
attributes by typing in the text box at the top of this list. To select multiple attributes,
hold down CTRL and click to select attributes in the list.
l UniqueID attributes: Lists the attributes whose values are currently used to
generate a unique identifier for each object in the external data system.
l Add->: Moves the selected attributes from the Available attributes list to the
UniqueID attributes list.
l <-Remove: Moves the selected attributes from the UniqueID attributes list to the
Available attributes list.
l Constructed UniqueID: Displays a combination of the attributes whose values will
make up a unique identifier for each object in the external data system.
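The Specify attributes to identify objects page for the MySQL and OLE DB connections above lets you pick the UniqueID columns, but it does not verify that the chosen combination is actually unique in the table, and neither wizard shows what the account you supplied is allowed to do. The following PowerShell is an added example, not code from this guide or from One Identity: it runs both checks through ADO.NET, first against MySQL using Connector/NET (which the MySQL Connector requires anyway) and then against a SQL Server database through OLE DB. The host names, the account arss_sync, the database hr, the table employees and its column names are placeholders.

```powershell
# Added example (not from the One Identity guide). Assumes Connector/NET (MySql.Data)
# is installed, as the MySQL Connector requires; hosts, account, database, table and
# column names are placeholders.

function Test-UniqueIdColumns {
    # Returns the value combinations that occur more than once in $Table. An empty
    # result means $Columns can safely serve as the Constructed UniqueID.
    param(
        [Parameter(Mandatory)][System.Data.Common.DbConnection]$Connection,
        [Parameter(Mandatory)][string]$Table,
        [Parameter(Mandatory)][string[]]$Columns,
        [string]$Quote = '"'   # identifier quote: '"' for ANSI/OLE DB providers, '`' for MySQL
    )
    $cols = ($Columns | ForEach-Object { "$Quote$_$Quote" }) -join ', '
    $sql  = "SELECT $cols, COUNT(*) AS dup_count FROM $Quote$Table$Quote GROUP BY $cols HAVING COUNT(*) > 1"
    if ($Connection.State -ne [System.Data.ConnectionState]::Open) { $Connection.Open() }
    $cmd = $Connection.CreateCommand()
    $cmd.CommandText = $sql
    $reader = $cmd.ExecuteReader()
    $dups = New-Object System.Collections.Generic.List[object]
    try {
        while ($reader.Read()) {
            $row = [ordered]@{}
            foreach ($c in $Columns) { $row[$c] = $reader[$c] }
            $row['dup_count'] = $reader['dup_count']
            $dups.Add([pscustomobject]$row)
        }
    } finally { $reader.Close() }
    return $dups
}

# --- MySQL Connector. SslMode=Required refuses unencrypted sessions; the same keyword can
# be added under Advanced in the wizard. The password is prompted for, not kept in the script.
# Connector/NET registers MySql.Data in the GAC; otherwise use Add-Type -Path on the DLL.
$null = [System.Reflection.Assembly]::LoadWithPartialName('MySql.Data')
$cred    = Get-Credential -UserName 'arss_sync' -Message 'MySQL account used by the connection'
$connStr = 'Server=mysql01.corp.example;Database=hr;SslMode=Required;' +
           "Uid=$($cred.UserName);Pwd=$($cred.GetNetworkCredential().Password)"
$mysql = New-Object MySql.Data.MySqlClient.MySqlConnection($connStr)

$dups = Test-UniqueIdColumns -Connection $mysql -Table 'employees' -Columns 'email' -Quote '`'
if ($dups.Count) { Write-Warning "'email' is not unique in employees:"; $dups | Format-Table -AutoSize }

# Least privilege: expect SELECT on what the step reads and INSERT/UPDATE/DELETE only on
# the tables named under Configure Settings. Anything broader is a finding.
$cmd = $mysql.CreateCommand()
$cmd.CommandText = 'SHOW GRANTS FOR CURRENT_USER()'
$r = $cmd.ExecuteReader()
try { while ($r.Read()) { $r.GetString(0) } } finally { $r.Close() }
$mysql.Close()

# --- OLE DB Connector: the same check through System.Data.OleDb. Integrated authentication
# keeps the password out of the connection string that is stored with the connection.
$oledb = New-Object System.Data.OleDb.OleDbConnection(
    'Provider=MSOLEDBSQL;Data Source=sql01.corp.example;Initial Catalog=hr;Integrated Security=SSPI;Use Encryption for Data=true')
$dups = Test-UniqueIdColumns -Connection $oledb -Table 'employees' -Columns 'first_name', 'last_name' -Quote '"'
if ($dups.Count) { Write-Warning 'first_name + last_name do not identify employees uniquely:'; $dups | Format-Table -AutoSize }
$oledb.Close()
```

Run it as the account that will own the connection. An empty result from Test-UniqueIdColumns means the columns are safe to use as the Constructed UniqueID; a non-empty one means two rows would map to the same object and the step would update or delete the wrong one. The SHOW GRANTS output should list nothing beyond the tables the step reads or modifies.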

Working with SharePoint


This section describes how to create or modify a connection to Microsoft SharePoint so that
Synchronization Service can work with data in that data system.
To create a connection to Microsoft SharePoint, use the SharePoint Connector of Active
Roles Synchronization Service.
The SharePoint Connector supports the following features:

Table 55: SharePoint Connector – Supported features

Feature | Supported | Description
Bidirectional synchronization | Yes | Specifies whether you can both read and write data in the connected data system.
Delta processing mode | No | Specifies whether the connection can process only the data that has changed in the connected data system since the last synchronization operation. This reduces the overall synchronization duration.
Password synchronization | No | Specifies whether you can synchronize user passwords from an Active Directory (AD) domain to the connected data system.

Creating a SharePoint connection


You can create a new SharePoint connection in the Synchronization Service Console.

To create a new SharePoint connection

1. Ensure that you have installed the SharePoint Connector on the SharePoint server
you want to work with.
2. In the Synchronization Service Console, open the Connections tab.
3. Click Add connection, then use the following options:
l Connection name: Type a descriptive name for the connection.
l Use the specified connector. Select SharePoint Connector.
4. Click Next.
5. To check that the connector can access SharePoint, on the Specify connection
settings page, click Test Connection.
6. If the test succeeds, click Finish to create the connection.

SharePoint data supported for data synchronization


The following table lists the data objects and data operations supported by the
SharePoint Connector.
Synchronization Service provides special attributes for each supported SharePoint object
type, allowing you to read or write data in SharePoint. You can access and use these
attributes from the Synchronization Service Console, for example, when selecting the
source and target attributes to include in the synchronization operation.

Table 56: Supported objects and operations

Object | Read | Create | Delete | Update | Description
AlternateURL | Yes | No | No | No | Allows you to read data related to an incoming URL and the zone with which it is associated.
ClaimProvider | Yes | No | No | No | Allows you to read data related to a claim provider.
Farm | Yes | No | No | No | Allows you to work with a SharePoint farm.
Group | Yes | Yes | Yes | Yes | Allows you to work with a group on a SharePoint website.
Language | Yes | No | No | No | Allows you to work with a language used in SharePoint.
Policy | Yes | Yes | Yes | Yes | Allows you to work with a policy assigned to a user or group.
PolicyRole | Yes | Yes | Yes | Yes | Allows you to work with the rights possessed by a policy role.
Prefix | Yes | No | No | No | Allows you to work with a relative URL that determines segments of the URL under which sites may be created.
RoleAssignment | Yes | Yes | Yes | Yes | Allows you to work with role assignments for a user or group.
RoleDefinition | Yes | Yes | Yes | Yes | Allows you to work with a role definition, including name, description, management properties, and a set of rights.
Site | Yes | Yes | Yes | Yes | Allows you to work with site collections in an Internet Information Services (IIS) web application.
User | Yes | Yes | Yes | Yes | Allows you to work with a user in SharePoint.
Web | Yes | Yes | Yes | Yes | Allows you to work with a SharePoint website.
WebApplication | Yes | No | No | Yes | Allows you to work with an IIS load-balanced web application installed on a server farm.
WebTemplate | Yes | No | No | No | Allows you to work with a site definition configuration or a web template used to create SharePoint sites.

The following sections describe the attributes provided by Synchronization Service and
describe what data you can read or write in SharePoint by using a particular attribute.

Active Roles 8.1.3 Synchronization Service Administration Guide


153
AlternateURL object attributes
In a SharePoint connection, the Synchronization Service supports the following attributes
of the AlternateURL object with the following synchronization operations.

Table 57: AlternateURL object attributes

Attribute | Type | Description | Supported operations
Id | Single-valued, string | Gets the object ID. | Read
IncomingUrl | Single-valued, string | Gets the incoming URL that is associated with the zone from which the request originated. | Read
Parent | Single-valued, string, reference (WebApplication object) | Gets the parent of the object. | Read
Uri | Single-valued, string | Gets the incoming URL associated with the zone from which the request originated, in the form of a URI. | Read
UrlZone | Single-valued, string | Gets the zone that is associated with the alternate request URL. | Read

ClaimProvider object attributes


In a SharePoint connection, the Synchronization Service supports the following attributes
of the ClaimProvider object with the following synchronization operations.

Table 58: ClaimProvider object attributes

Attribute | Type | Description | Supported operations
AssemblyName | Single-valued, string | Gets the name of the assembly that implements the claims provider. | Read
Description | Single-valued, string | Gets the description of the claims provider. | Read
DisplayName | Single-valued, string | Gets the display name of the claims provider. | Read
Id | Single-valued, string | Gets the object ID. | Read
IsEnabled | Single-valued, Boolean | Gets whether the claims provider is enabled. | Read
IsUsedByDefault | Single-valued, Boolean | Gets whether the claims provider applies by default to all web applications and zones. | Read
IsValid | Single-valued, Boolean | Gets whether the claims provider is valid. | Read
IsVisible | Single-valued, Boolean | Gets whether the claims provider is visible. | Read
Parent | Single-valued, string, reference (Farm object) | Gets the parent of the object. | Read
TypeName | Single-valued, string | Gets the type of the object. | Read

Farm object attributes


In a SharePoint connection, the Synchronization Service supports the following attributes
of the Farm object with the following synchronization operations.

Table 59: Farm object attributes

Attribute | Type | Description | Supported operations
BuildVersion | Single-valued, string | Gets the build version of the SharePoint server farm. | Read
CanBackupRestoreAsConfiguration | Single-valued, Boolean | Gets whether the farm can participate in a configuration-only backup or restore. | Read
CanRenameOnRestore | Single-valued, Boolean | Gets whether the farm can be renamed during its restore. | Read
CanSelectForBackup | Single-valued, Boolean | Gets whether the farm can be selected for backup. | Read
CanSelectForRestore | Single-valued, Boolean | Gets whether the farm can be selected for restore in the Central Administration user interface. | Read
DaysBeforePasswordExpirationToSendEmail | Single-valued, integer | Gets the number of days before password expiration when a notification email is sent. | Read
DefaultServiceAccount | Single-valued, string | Gets the default service account. | Read
EncodedFarmId | Single-valued, integer | Gets the farm identifier. | Read
Id | Single-valued, string | Gets the object ID. | Read
Name | Single-valued, string | Gets the farm name. | Read
Parent | Single-valued, string | Gets the parent of the object. | Read
PasswordChangeEmailAddress | Single-valued, string | Gets the email address that receives password change notification messages. | Read
PasswordChangeGuardTime | Single-valued, integer | Gets the time interval (in seconds) that is used to wait for other computers' response during password change operations. | Read
PasswordChangeMaximumTries | Single-valued, integer | Gets the maximum allowed number of password change attempts before the operation fails. | Read
PersistedFileChunkSize | Single-valued, integer | Gets the chunk size used to transfer files to or from the configuration database during a read or write operation. | Read
Products | Multivalued, string | Gets the identifiers of products installed in the farm. | Read
ServerDebugFlags | Multivalued, integer | Gets server debug flags. | Read
Servers | Multivalued, string | Gets the physical servers that are included in the farm. | Read
TimerService | Single-valued, string | Gets the timer service that is used by the farm. | Read
TraceSessionGuid | Single-valued, string | Gets the GUID that is used for trace session registration. | Read
UseMinWidthForHtmlPicker | Single-valued, Boolean | Gets whether the minimum width is used for the HTML picker control. | Read
UserLicensingEnabled | Single-valued, Boolean | Gets whether user licensing is enabled. | Read
XsltTransformTimeOut | Single-valued, integer | Gets the timeout period (in seconds) for a customized XSLT transformation operation. | Read

Group object attributes


In a SharePoint connection, the Synchronization Service supports the following attributes
of the Group object with the following synchronization operations.

Table 60: Group object attributes

Attribute | Type | Description | Supported operations
AllowMembersEditMembership | Single-valued, Boolean | Gets or sets whether group membership can be modified by the group members. | Read, write (update only)
AllowRequestToJoinLeave | Single-valued, Boolean | Gets or sets whether users can request to join or leave the group. | Read, write (update only)
AutoAcceptRequestToJoinLeave | Single-valued, Boolean | Gets or sets whether users are automatically added to or removed from the group upon their request. | Read, write (update only)
CanCurrentUserEditMembership | Single-valued, Boolean | Gets whether the current user can modify membership of the group. | Read
CanCurrentUserManageGroup | Single-valued, Boolean | Gets whether the current user can manage the group. | Read
CanCurrentUserViewMembership | Single-valued, Boolean | Gets whether the current user can view a list of group members. | Read
ContainsCurrentUser | Single-valued, Boolean | Gets whether the group contains the current user. | Read
Description | Single-valued, string | Gets or sets the group description. | Read, write (update only)
DistributionGroupAlias | Single-valued, string | Gets the distribution group alias for the group. | Read
DistributionGroupEmail | Single-valued, string | Gets the distribution group email. | Read
DistributionGroupErrorMessage | Single-valued, string | Gets the last error message encountered during an asynchronous distribution group operation. | Read
ExplicitlyContainsCurrentUser | Single-valued, Boolean | Gets whether the group explicitly contains the current user as a direct member. | Read
Id | Single-valued, string | Gets the object ID. | Read
LoginName | Single-valued, string | Gets the login name of the group. | Read
Name | Single-valued, string | Gets or sets the name of the group. | Read, write
OnlyAllowMembersViewMembership | Single-valued, Boolean | Gets or sets whether only group members can view the list of members for the group. | Read, write (update only)
Owner | Single-valued, string, reference (User or Group object) | Gets or sets the group owner. A group owner can be a user or another group. | Read, write (create only)
Parent | Single-valued, string, reference (Site object) | Gets the parent of the object. | Read
RequestToJoinLeaveEmailSetting | Single-valued, string | Gets or sets the email address that receives requests to join or leave the group. | Read, write (update only)
Users | Multivalued, string, reference (User object) | Gets or sets the users that are members of the group. | Read, write (update only)
Xml | Single-valued, string | Gets the group properties in the XML string format. | Read

Language object attributes


In a SharePoint connection, the Synchronization Service supports the following attributes
of the Language object with the following synchronization operations.

Table 61: Language object attributes

Attribute | Type | Description | Supported operations
DisplayName | Single-valued, string | Gets the language name displayed on the user interface. | Read
Id | Single-valued, string | Gets the object ID. | Read
LanguageTag | Single-valued, string | Gets the language tag. | Read
Parent | Single-valued, string | Gets the parent of the object. | Read

Policy object attributes


In a SharePoint connection, the Synchronization Service supports the following attributes
of the Policy object with the following synchronization operations.

Table 62: Policy object attributes

Attribute | Type | Description | Supported operations
Alias | Single-valued, string | Gets the alias of the object. | Read
DisplayName | Single-valued, string | Gets or sets the display name of the policy. | Read, write (update only)
Id | Single-valued, string | Gets the object ID. | Read
IsSystemUser | Single-valued, Boolean | Gets or sets whether the user identified by the policy is represented as a system account in the user interface. | Read, write (update only)
Parent | Single-valued, string, reference (WebApplication object) | Gets the parent of the object. | Read
PolicyRoleBindings | Single-valued, string, reference (PolicyRole object) | Gets or sets policy roles for the policy. | Read, write (update only)
UrlZone | Single-valued, string | Gets or sets the originating zone of an incoming request. | Read, write (create only)
UserName | Single-valued, string | Gets the user name of the user or group associated with the policy. | Read, write (create only)

PolicyRole object attributes


In a SharePoint connection, the Synchronization Service supports the following attributes
of the PolicyRole object with the following synchronization operations.

Table 63: PolicyRole object attributes

Attribute | Type | Description | Supported operations
DenyRightsMask | Multivalued, string | Gets or sets the rights which the policy role denies. | Read, write (update only)
Description | Single-valued, string | Gets or sets the policy role description. | Read, write (update only)
GrantRightsMask | Multivalued, string | Gets or sets the rights which the policy role grants. | Read, write (update only)
Id | Single-valued, string | Gets the policy role GUID. | Read
IsSiteAdmin | Single-valued, Boolean | Gets or sets whether the policy role grants site collection administrator status. | Read, write (update only)
IsSiteAuditor | Single-valued, Boolean | Gets or sets whether the policy role grants site collection auditor status. | Read, write (update only)
Name | Single-valued, string | Gets or sets the policy role name. | Read, write (update only)
Parent | Single-valued, string, reference (WebApplication object) | Gets the parent of the object. | Read
Type | Single-valued, string | Gets the type of the policy role. | Read
Xml | Single-valued, string | Gets the policy role in the XML string format. | Read

Prefix object attributes
In a SharePoint connection, the Synchronization Service supports the following attributes
of the Prefix object with the following synchronization operations.

Table 64: Prefix object attributes

Attribute | Type | Description | Supported operations
Id | Single-valued, string | Gets the object ID. | Read
Name | Single-valued, string | Gets the server-relative URL of the prefix without the leading forward slash. | Read
Parent | Single-valued, string, reference (WebApplication object) | Gets the parent of the object. | Read
PrefixType | Single-valued, string | Gets the type of the prefix. | Read

RoleAssignment object attributes


In a SharePoint connection, the Synchronization Service supports the following attributes
of the RoleAssignment object with the following synchronization operations.

Table 65: RoleAssignment object attributes

Attribute | Type | Description | Supported operations
Alias | Single-valued, string | Gets the object alias. | Read
Id | Single-valued, string | Gets the object ID. | Read
Member | Single-valued, string, reference (Role or Group object) | Gets the user or group for the role assignment. This attribute is required to create a new RoleAssignment object in SharePoint. | Read
Parent | Single-valued, string, reference (Web object) | Gets the parent for the role assignment. | Read
RoleDefinitionBindings | Single-valued, string, reference (RoleDefinition object) | Gets the role definition bindings for the role assignment. | Read, write (update only)

RoleDefinition object attributes


In a SharePoint connection, the Synchronization Service supports the following attributes
of the RoleDefinition object with the following synchronization operations.

Table 66: RoleDefinition object attributes

Attribute | Type | Description | Supported operations
BasePermissions | Multivalued, string | Gets or sets the base permissions for a role definition. | Read, write (update only)
Description | Single-valued, string | Gets or sets the role definition description. | Read, write (update only)
Hidden | Single-valued, Boolean | Gets whether the role definition is displayed in the user interface. | Read
Id | Single-valued, string | Gets the object identifier. | Read
Members | Multivalued, string, reference | Gets or sets role assignments for the role definition. | Read, write (update only)
Name | Single-valued, string | Gets or sets the role definition name. | Read, write
Order | Single-valued, string | Gets or sets the order in which to display the permission levels in the user interface. | Read, write (update only)
Parent | Single-valued, string, reference | Gets the object parent. | Read
Type | Single-valued, string | Gets the role definition type. | Read
Xml | Single-valued, string | Gets the role definition permission in the XML format. | Read

Site object attributes
In a SharePoint connection, the Synchronization Service supports the following attributes
of the Site object with the following synchronization operations.

Table 67: Site object attributes

Attribute | Type | Description | Supported operations
AdministrationSiteType | Single-valued, string | Gets or sets the administration site types supported by SharePoint. | Read, write (update only)
AllowDesigner | Single-valued, Boolean | Gets or sets the Site Collection Allow Designer property. | Read, write (update only)
AllowExternalEmbedding | Single-valued, string | Gets or sets the external domain embedding for the site collection. | Read, write (update only)
AllowMasterPageEditing | Single-valued, Boolean | Gets whether master page editing is allowed. | Read
AllowRevertFromTemplate | Single-valued, Boolean | Gets or sets whether reverting from a template is allowed. | Read, write (update only)
AllowRssFeeds | Single-valued, Boolean | Gets whether the site collection allows RSS feeds. | Read
AllowSelfServiceUpgrade | Single-valued, Boolean | Gets or sets whether upgrade is allowed. | Read, write (update only)
AllowSelfServiceUpgradeEvaluation | Single-valued, Boolean | Gets or sets whether an upgrade evaluation site collection can be created. | Read, write (update only)
AllowUnsafeUpdates | Single-valued, Boolean | Gets or sets whether updates to the database are allowed without security validation. | Read, write (update only)
ApplicationRightsMask | Multivalued, string | Gets the rights mask for the parent web application of the site collection. | Read
Archived | Single-valued, Boolean | Gets or sets whether the site is in archived mode. | Read, write (update only)
AuditLogTrimmingCallout | Single-valued, string | Gets or sets the class name of the object that performs audit log trimming. | Read, write (update only)
AuditLogTrimmingRetention | Single-valued, integer | Gets or sets the period (in days) during which the audit log data is retained. | Read, write (update only)
AverageResourceUsage | Single-valued, string | Gets the average resource usage of the site collection for the specified number of days. | Read
BrowserDocumentsEnabled | Single-valued, Boolean | Gets whether the documents can be viewed in a web browser. | Read
CanUpgrade | Single-valued, Boolean | Gets whether the object is upgradeable. | Read
CatchAccessDeniedException | Single-valued, Boolean | Gets or sets whether SharePoint handles Access denied exceptions. | Read, write (update only)
CertificationDate | Single-valued, DateTime | Gets the confirmation date and time for the automatic deletion of the site collection. | Read
CompatibilityLevel | Single-valued, integer | Gets the major version number of the site collection. This version number is used to perform compatibility checks. | Read
ContentDatabase | Single-valued, string | Gets the content database associated with the site collection. | Read
CurrentChangeToken | Single-valued, string | Gets the change token that is used to write the next change to the site collection. | Read
CurrentResourceUsage | Single-valued, string | Gets the resource usage for the site collection. | Read
DeadWebNotificationCount | Single-valued, integer | Gets the number of notifications that were sent about the websites that are not in use within the site collection. | Read
DenyPermissionsMask | Multivalued, string | Gets or sets the deny permission mask for all site users, including the site administrator. | Read, write (update only)
EvalSiteId | Single-valued, string (GUID) | Gets the identifier of the upgrade evaluation site collection, if it was created for the site collection. | Read
ExpirationDate | Single-valued, DateTime | Gets or sets the date after which an upgrade evaluation site collection gets automatically deleted. | Read, write (update only)
FileNotFoundUrl | Single-valued, string | Gets the URL to the file not found page. The HTTP requests where the resource cannot be found are redirected to this URL. | Read, write (update only)
HasAppPrincipalContext | Single-valued, Boolean | Gets whether the object is running within an application principal context. | Read
HideSystemStatusBar | Single-valued, Boolean | Gets whether the system status bar of the site is hidden. | Read
HostHeaderIsSiteName | Single-valued, Boolean | Gets whether the host header is used to uniquely identify the site collection. | Read
HostName | Single-valued, string | Gets the name of the server that hosts the site collection. | Read
Id | Single-valued, string | Gets the object ID. | Read
IISAllowsAnonymous | Single-valued, Boolean | Gets a value that indicates whether Internet Information Services (IIS) allows anonymous access. | Read
Impersonating | Single-valued, Boolean | Gets the impersonation status of the object. | Read
InheritAllowSelfServiceUpgradeEvaluationSetting | Single-valued, Boolean | Gets or sets whether to inherit the AllowSelfServiceUpgradeEvaluationSetting value from the parent. | Read, write (update only)
InheritAllowSelfServiceUpgradeSetting | Single-valued, Boolean | Gets or sets whether to inherit the AllowSelfServiceUpgradeSetting value from the parent. | Read, write (update only)
InvitedUserMaximumLevel | Single-valued, integer | Description is not available. | Read, write (update only)
IsEvalSite | Single-valued, Boolean | Gets or sets whether the object is an upgrade evaluation site collection. | Read, write (update only)
IsReadLocked | Single-valued, Boolean | Gets or sets whether the site collection is unavailable for Read access. | Read, write (update only)
Language | Single-valued, integer, reference | Description is not available. | Read, write
LastContentModifiedDate | Single-valued, DateTime | Gets the date and time (in UTC) when the site content was last modified. | Read
LastSecurityModifiedDate | Single-valued, DateTime | Gets the date and time (in UTC) when the site collection security settings were last modified. | Read
LockIssue | Single-valued, string | Gets or sets the comment that was written when the site collection was locked. | Read, write (update only)
MaintenanceMode | Single-valued, Boolean | Gets whether the site is in maintenance mode. | Read
NeedsUpgrade | Single-valued, Boolean | Gets or sets whether the site requires upgrading. | Read, write (update only)
OutgoingEmailAddress | Single-valued, string | Gets or sets the outgoing email address for the site. | Read, write (update only)
Owner | Single-valued, string, reference (User object) | Gets or sets the site collection owner. NOTE: This attribute is required to create a new site collection in SharePoint. | Read, write (create only)
OwnerEmail | Single-valued, string | Gets or sets the site collection owner email address. | Read, write
Parent | Single-valued, string, reference (WebApplication object) | Gets the parent of the object. | Read
Port | Single-valued, integer | Gets the port number used by the virtual server that hosts the site collection. | Read
PortalName | Single-valued, string | Gets or sets the portal name. | Read, write (update only)
PortalUrl | Single-valued, string | Gets or sets the portal URL. | Read, write (update only)
PrimaryUri | Single-valued, string | Gets the portal URI. | Read
QuotaID | Single-valued, integer | Gets or sets the quota ID. | Read, write (update only)
ReadLocked | Single-valued, Boolean | Gets or sets whether the site is unavailable for Read access. | Read, write (update only)
ReadOnly | Single-valued, Boolean | Gets or sets whether the site collection is read-only and unavailable for Write access. | Read, write (update only)
ResourceQuotaExceeded | Single-valued, Boolean | Gets whether the resource quota limit for the site collection has been exceeded since the last daily quota reset operation. | Read
ResourceQuotaExceededNotificationSent | Single-valued, Boolean | Gets whether a resource quota exceeded notification was sent since the last daily quota reset operation for the site collection. | Read
ResourceQuotaWarningNotificationSent | Single-valued, Boolean | Gets whether a resource quota exceeded warning was sent since the last daily quota reset operation for the site collection. | Read
SchemaVersion | Single-valued, string | Gets the site collection version number for upgrade compatibility checks. | Read
SecondaryContact | Single-valued, string, reference (User object) | Description is not available. | Read, write (update only)
ServerRelativeUrl | Single-valued, string | Gets or sets the server-relative URL of the root website. | Read, write (update only)
ShareByEmailEnabled | Single-valued, Boolean | Gets or sets whether the users are allowed to grant access permissions to guests, so that they could access the site collection resources. | Read, write (update only)
ShareByLinkEnabled | Single-valued, Boolean | Gets or sets whether the users are allowed to share the site collection documents by providing hyperlinks to those documents. | Read, write (update only)
ShowURLStructure | Single-valued, Boolean | Gets or sets whether to show the site collection URL structure. | Read, write (update only)
SourceSiteId | Single-valued, string (GUID) | Gets the source site ID for an upgrade evaluation site collection. | Read
StorageMaximumLevel | Single-valued, LargeInteger | Gets or sets the maximum disk space limit used by the site. | Read, write (update only)
StorageWarningLevel | Single-valued, LargeInteger | Gets or sets the storage warning level, sent to administrators before reaching the maximum limit of the available site storage space. | Read, write (update only)
SyndicationEnabled | Single-valued, Boolean | Gets or sets whether RSS syndication is enabled for the site collection. | Read, write (update only)
SystemAccount | Single-valued, string, reference (User object) | Gets the system account of the site collection. | Read
TrimAuditLog | Single-valued, Boolean | Gets or sets whether to delete old data from the audit log. | Read, write (update only)
UpgradeReminderDate | Single-valued, DateTime | Specifies the date after which site administrators receive a reminder to upgrade the site. | Read
Upgrading | Single-valued, Boolean | Gets whether a site upgrade is currently in progress. | Read
Url | Single-valued, string | Gets or sets the full URL of the root website of the site collection. The URL contains the host name and port number. NOTE: This attribute is required to create a new site collection in SharePoint. | Read, write (create only)
UserCodeEnabled | Single-valued, Boolean | Gets whether the user code service is enabled for the site collection. | Read
UserCodeMaximumLevel | Single-valued, string | Gets or sets the maximum allowed resource usage for the site. | Read, write (update only)
UserCodeWarningLevel | Single-valued, string | Gets or sets the warning limit of the resource usage. When this limit is exceeded, a warning email will be sent to site administrators. | Read, write (update only)
UserDefinedWorkflowsEnabled | Single-valued, Boolean | Gets or sets whether user-defined workflows are enabled for the site collection. | Read, write (update only)
UserIsSiteAdminInSystem | Single-valued, Boolean | Gets whether the current user is a site collection administrator. | Read
UserToken | Single-valued, binary | Gets the user token associated with the site collection. | Read
WarningNotificationSent | Single-valued, Boolean | Gets whether a warning notification has been sent. | Read
WebTemplate | Single-valued, string | Description is not available. | Read, write
WriteLocked | Single-valued, Boolean | Gets whether the site collection is unavailable for Write access. | Read
Zone | Single-valued, string | Gets the URL zone that was used when creating the site object. | Read

User object attributes


In a SharePoint connection, the Synchronization Service supports the following attributes
of the User object with the following synchronization operations.

Table 68: User object attributes

Attribute | Type | Description | Supported operations
Alias | Single-valued, string | Gets the alias of the object. | Read
AllowBrowseUserInfo | Single-valued, Boolean | Gets or sets whether the user can view information about other users of the website. | Read, write (update only)
Email | Single-valued, string | Gets or sets the email address of the user. | Read, write (update only)
Groups | Multivalued, string, reference (Group object) | Gets the groups in which the object is a member. | Read
Id | Single-valued, string | Gets the object ID. | Read
IsApplicationPrincipal | Single-valued, Boolean | Gets whether the user is an application principal. | Read
IsDomainGroup | Single-valued, Boolean | Gets whether the user is a domain group. | Read
IsHiddenInUI | Single-valued, Boolean | Gets whether the user is hidden in the user interface. | Read
IsShareByEmailGuestUser | Single-valued, Boolean | Gets or sets whether the user is a share-by-email guest user. | Read, write (update only)
IsSiteAdmin | Single-valued, Boolean | Gets or sets whether the user is a site collection administrator. | Read, write (update only)
IsSiteAuditor | Single-valued, Boolean | Gets whether the user is a site collection auditor. | Read
IsUserSettingsSyncedWithProvider | Single-valued, Boolean | Gets or sets whether user settings have been synchronized with the External Settings Provider. | Read, write (update only)
LoginName | Single-valued, string | Gets or sets the login name of the user. | Read, write (create only)
Name | Single-valued, string | Gets or sets the display name of the user. | Read, write (update only)
Notes | Single-valued, string | Gets or sets notes for the user. | Read, write (update only)
Parent | Single-valued, string, reference (Site object) | Gets the parent of the object. | Read
RawSid | Single-valued, binary | Gets the system ID of the user. | Read
RequireRequestToken | Single-valued, Boolean | Gets or sets whether the user requires a request token. | Read, write (update only)
Sid | Single-valued, string | Gets the security identifier (SID) of the user's network account. | Read
SystemUserKey | Single-valued, string | Gets the user key specific to the configuration. | Read
UserId | Single-valued, string | Gets the identifier of the user and the issuer of that identifier. | Read
UserToken | Single-valued, binary | Gets the token that identifies the authentication process for the user. | Read
Xml | Single-valued, string | Gets information about the user in the XML format. | Read

Web object attributes


In a SharePoint connection, the Synchronization Service supports the following attributes
of the Web object with the following synchronization operations.

Table 69: Web object attributes

Attribute | Type | Description | Supported operations
AllowAnonymousAccess | Single-valued, Boolean | Gets whether anonymous access is allowed for the website. | Read
AllowAutomaticASPXPageIndexing | Single-valued, Boolean | Gets or sets whether to index the .aspx pages of the website for search operations. | Read, write (update only)
AllowDesignerForCurrentUser | Single-valued, Boolean | Gets whether the current user is allowed to use the designer for the website. | Read
AllowMasterPageEditingForCurrentUser | Single-valued, Boolean | Gets whether the current user is allowed to edit master pages. | Read
AllowRevertFromTemplateForCurrentUser | Single-valued, Boolean | Gets whether the current user is allowed to revert from the website template. | Read
AllowRssFeeds | Single-valued, Boolean | Gets whether the website allows RSS feeds. | Read
AllowUnsafeUpdates | Single-valued, Boolean | Gets whether database updates are allowed without security validation. | Read, write (update only)
AllWebTemplatesAllowed | Single-valued, Boolean | Gets whether all available web templates (returned by the GetAvailableWebTemplates method) are allowed. | Read
AlternateCssUrl | Single-valued, string | Gets or sets the URL pointing at an alternate CSS file for the website. | Read, write (update only)
AlternateHeader | Single-valued, string | Gets or sets the URL pointing at an alternate .aspx page that is used for rendering the top navigation area on the website. | Read, write (update only)
AnonymousPermMask64 | Multivalued, string | Gets or sets base permissions for anonymous users of the website. | Read, write (update only)
AnonymousState | Single-valued, string | Gets or sets the level of access for anonymous users of the website. | Read, write (update only)
AppDatabaseName | Single-valued, string | Gets the name of the application database associated with the website. | Read
AppDatabaseServerReferenceId | Single-valued, string (GUID) | Gets the ID of the server on which the database is located. | Read
AppDatabaseTargetApplicationId | Single-valued, string | Gets the ID of the target application. | Read
AppInstanceId | Single-valued, string (GUID) | Gets the ID of the App instance the website represents. | Read
ASPXPageIndexed | Single-valued, Boolean | Gets whether the automatic indexing of the website .aspx pages is enabled. | Read
AssociatedMemberGroup | Single-valued, string, reference (Group object) | Gets or sets the users who can be contributors of the website. | Read, write
AssociatedOwnerGroup | Single-valued, string, reference (Group object) | Gets or sets the associated owner groups of the website. | Read, write (update only)
AssociatedVisitorGroup | Single-valued, string, reference (Group object) | Gets or sets the associated visitor group of the website. | Read, write
Author | Single-valued, string, reference (User object) | Gets or sets the user who created the website. | Read, write
CacheAllSchema | Single-valued, Boolean | Gets or sets whether caching of all schemas of the website is enabled. | Read, write (update only)
ClientTag | Single-valued, string (integer) | Gets or sets the client cache control number for the website. | Read, write (create only)
Configuration | Single-valued, string (integer) | Gets the ID of the site definition configuration that was used to create the website or the template from which the website was created. | Read
Created | Single-valued, string (DateTime) | Gets or sets the date and time when the website was created. | Read, write (update only)
CurrencyLocaleID | Single-valued, string (integer) | Gets or sets the identifier of the currency that is used on the website. | Read, write (update only)
CurrentChangeToken | Single-valued, string (SPChangeToken) | Gets the token that is used for logging the next change to the website. | Read
CurrentUser | Single-valued, string, reference (User object) | Gets the current user of the website. | Read
CustomJavaScriptFileUrl | Single-valued, string | Gets or sets the URL pointing at the custom JavaScript file used by the CustomJsUrl web control. | Read, write (update only)
CustomMasterUrl | Single-valued, string | Gets or sets the URL pointing to a custom master page for the website. | Read, write (update only)
CustomUploadPage | Single-valued, string | Gets or sets the path to a custom application page for uploading files. | Read, write (update only)
Description | Single-valued, string | Gets or sets the description for the website. | Read, write (update only)
DocumentLibraryCalloutOfficeWebAppPreviewersDisabled | Single-valued, Boolean | Gets whether the WAC previewers are disabled for the Document Library Callouts. | Read
EffectiveBasePermissions | Multivalued, string | Gets the effective base permissions assigned to the current user. | Read
EffectivePresenceEnabled | Single-valued, Boolean | Gets whether effective presence information is enabled for the website. | Read
EnableMinimalDownload | Single-valued, Boolean | Gets or sets whether Minimal Download Strategy is enabled for the website. | Read, write (update only)
ExcludeFromOfflineClient | Single-valued, Boolean | Gets or sets whether to download data from the website to the client during offline synchronization. | Read, write (update only)
ExecuteUrl | Single-valued, string | Gets the URL that is called after instantiating the site definition for business solutions. | Read
Exists | Single-valued, Boolean | Gets a value that indicates whether the website exists. | Read
FileDialogPostProcessorId | Single-valued, string (GUID) | Gets or sets the ID for the user interface element used for web views in the file dialogs and forms of document libraries. | Read, write (update only)
FirstUniqueAncestorWeb | Single-valued, string, reference (Web object) | Gets the first unique website that has unique permissions. | Read
FirstUniqueRoleDefinitionWeb | Single-valued, string, reference (Web object) | Gets the website that defines role definitions for the current website. | Read
HasUniqueRoleAssignments | Single-valued, Boolean | Gets or sets whether the object has unique role assignments or inherits its assignments from a parent. | Read, write (create only)
HasUniqueRoleDefinitions | Single-valued, Boolean | Gets whether the object has unique role assignments, including those inherited from a parent object. | Read
HideSiteContentsLink | Single-valued, Boolean | Gets or sets whether a link to site contents is available in the site actions menu (the gear icon). | Read, write (update only)
Id | Single-valued, string | Gets the object ID. | Read
IncludeSupportingFolders | Single-valued, Boolean | Gets or sets whether supporting folders for files or folders in the website are included in enumeration operations for these files or folders. | Read, write (update only)
IndexedPropertyKeys | Multivalued, string | Gets the property keys for properties that need to be exposed through the Site Data Web Service. | Read
IsADAccountCreationMode | Single-valued, Boolean | Gets whether user accounts are created automatically in Active Directory when users are invited to the website. | Read
IsADEmailEnabled | Single-valued, Boolean | Gets whether email for AD DS is enabled on the website. | Read
IsAppWeb | Single-valued, Boolean | Gets whether the website is a container for an application. | Read
IsMultilingual | Single-valued, Boolean | Gets or sets whether the website has a multilingual user interface enabled. | Read, write (update only)
IsRootWeb | Single-valued, Boolean | Gets whether the website is the top-level site in the site collection. | Read
Language | Single-valued, reference (Language object) | Gets or sets the locale identifier of the default language for the website. | Read, write (create only)
LastItemModifiedDate | Single-valued, string (DateTime) | Gets or sets the date and time when the last modification was made to an item on the website. | Read, write (update only)
Locale | Single-valued, string (CultureInfo) | Gets the locale that is used to show time, currency, and numeric data on the website. | Read
MasterPageReferenceEnabled | Single-valued, Boolean | Gets whether master page referencing is enabled for the website. | Read
MasterUrl | Single-valued, string | Gets or sets the URL pointing at the master page for the website. | Read, write (update only)
Name | Single-valued, string | Gets or sets the name of the website. | Read, write (update only)
NoCrawl | Single-valued, Boolean | Gets or sets whether searching is disabled for the website. | Read, write (update only)
NonHostHeaderUrl | Single-valued, string | Gets the full URL of the website. | Read
OverwriteTranslationsOnChange | Single-valued, Boolean | Gets or sets whether text changes made by a user in the default language automatically overwrite existing translations in all other languages. | Read, write (update only)
Parent | Single-valued, string, reference (Site object) | Gets the parent of the object. | Read
ParserEnabled | Single-valued, Boolean | Gets or sets whether parsing is enabled for document libraries of the website. | Read, write (update only)
PortalMember | Single-valued, Boolean | Gets whether the website is associated with a portal site. | Read
PortalName | Single-valued, string | Gets the name of the portal site associated with the website. | Read
PortalSubscriptionUrl | Single-valued, string | Gets the URL that is used for alerts within the portal. | Read
PortalUrl | Single-valued, string | Gets the URL that points to the portal site associated with the website. | Read
PresenceEnabled | Single-valued, Boolean | Gets or sets whether inline presence information is enabled for the website. | Read, write (update only)
Provisioned | Single-valued, Boolean | Gets or sets whether the website has been provisioned. | Read, write (update only)
QuickLaunchEnabled | Single-valued, Boolean | Gets or sets whether the Quick Launch area is enabled and available on the website. | Read, write (update only)
RecycleBinEnabled | Single-valued, Boolean | Gets whether the Recycle Bin is enabled for the website. | Read
RequestAccessEmail | Single-valued, string | Gets or sets the email address to which access requests are sent. | Read, write (update only)
RequestAccessEnabled | Single-valued, Boolean | Gets whether it is required to send a request in order to get access to the website. | Read
RequireDynamicCanary | Single-valued, Boolean | Gets whether the canary is required for all requests to the UrlZone. | Read
SaveSiteAsTemplateEnabled | Single-valued, Boolean | Gets or sets whether the website can be saved as a template. | Read, write (update only)
ServerRelativeUrl | Single-valued, string | Gets or sets the website URL in a server-relative format. | Read, write (update only)
ShowUrlStructureForCurrentUser | Single-valued, Boolean | Gets whether the current user is allowed to view the file structure of the website. | Read
Site | Single-valued, string, reference (Site object) | Gets the parent site collection for the website. | Read
SiteClientTag | Single-valued, string | Gets the client cache control number for the site collection. | Read
SiteLogoDescription | Single-valued, string | Gets or sets the description of the website logo. | Read, write (update only)
SiteLogoUrl | Single-valued, string | Gets or sets the absolute URL pointing at the website logo. | Read, write (update only)
SupportedUICultures | Multivalued, string (CultureInfo) | Gets information about the cultures supported by the website. | Read
SyndicationEnabled | Single-valued, Boolean | Gets or sets whether RSS is enabled for the website. | Read, write (update only)
ThemedCssFolderUrl | Single-valued, string | Gets or sets the URL pointing to the folder that holds the CSS file that is used to display the website. | Read, write (update only)
Title | Single-valued, string | Gets or sets the website title. | Read, write (update only)
TreeViewEnabled | Single-valued, Boolean | Gets or sets whether Tree View is enabled in the website user interface. | Read, write (update only)
UICulture | Single-valued, string (CultureInfo) | Gets the default language for the website. | Read
UIVersion | Single-valued, string (integer) | Gets or sets the current version number of the user interface. | Read, write (update only)
Url | Single-valued, string | Gets or sets the absolute URL of the website. | Read, write (create only)
UserIsSiteAdmin | Single-valued, Boolean | Gets whether the user has administrator rights on the website. | Read
UserIsWebAdmin | Single-valued, Boolean | Gets whether the user is a member of the Administrator group for the website. | Read
WebTemplate | Single-valued, string | Gets the name of the site definition or template that was used to create the website. | Read
WebTemplateId | Single-valued, string (integer) | Gets or sets the ID of the template or definition that was used to create the website. | Read, write (create only)

WebApplication object attributes


In a SharePoint connection, the Synchronization Service supports the following attributes
of the WebApplication object with the following synchronization operations.

Table 70: WebApplication object attributes

Attribute | Type | Description | Supported operations
AlertsEnabled | Single-valued, Boolean | Gets or sets whether alerts are allowed in the web application. | Read, write (update only)
AlertsLimited | Single-valued, Boolean | Gets or sets whether a limit is imposed on the number of lists and list items for which alerts can be created. | Read, write (update only)
AlertsMaximum | Single-valued, integer | Gets or sets the maximum number of lists and list items for which a single user can create alerts. | Read, write (update only)
AlertsMaximumQuerySet | Single-valued, integer | Gets or sets the maximum number of records in a query set that is associated with an alert object. | Read, write (update only)
AllowAccessToWebPartCatalog | Single-valued, Boolean | Gets or sets whether sites in the Web application can use Web Parts located in the global catalog. | Read, write (update only)
AllowAnalyticsCookieForAnonymousUsers | Single-valued, Boolean | Gets or sets whether analytics cookies are allowed for anonymous users. | Read, write (update only)
AllowContributorsToEditScriptableParts | Single-valued, Boolean | Gets or sets whether the contributors are allowed to edit scriptable Web Parts. | Read, write (update only)
AllowDesigner | Single-valued, Boolean | Gets or sets whether websites within the web application can be edited with SharePoint Designer. | Read, write (update only)
AllowedInlineDownloadedMimeTypes | Multivalued, string | Gets the MIME content types that are not force-downloaded to the computer of the user. Files not listed in this attribute value are considered to be script files and can interact with the web application on the user's behalf. | Read
AllowHighCharacterListFolderNames | Single-valued, Boolean | Gets or sets whether non-alphanumeric characters are allowed in the list folder names that are generated automatically. | Read, write (update only)
AllowMasterPageEditing | Single-valued, Boolean | Gets or sets whether the users are allowed to edit master pages. | Read, write (update only)
AllowOMCodeOverrideThrottleSettings | Single-valued, Boolean | Gets or sets whether custom object model code is allowed to override the throttle settings. | Read, write (update only)
AllowPartToPartCommunication | Single-valued, Boolean | Gets or sets whether the Web application allows communication between different Web Parts. | Read, write (update only)
AllowRevertFromTemplate | Single-valued, Boolean | Gets or sets whether customized sites can be rolled back to their base templates. | Read, write (update only)
AllowSelfServiceUpgradeEvaluation | Single-valued, Boolean | Gets or sets whether upgrade evaluation site collections can be created. | Read, write (update only)
AllowSilverlightPrompt | Single-valued, Boolean | Gets or sets whether UI elements that require Microsoft Silverlight prompt the user to download and install Silverlight. | Read, write (update only)
AlwaysProcessDocuments | Single-valued, Boolean | Gets or sets whether documents to be returned are always processed by document parsers. | Read, write (update only)
ApplicationPrincipalMaxRights | Multivalued, string | Gets or sets the maximum rights that any application principal user has in the web application. | Read, write (update only)
AutomaticallyDeleteUnusedSiteCollections | Single-valued, Boolean | Gets or sets whether to automatically delete unused site collections. | Read, write (update only)
BlockedFileExtensions | Multivalued, string | Gets the list of file name extensions that are forbidden for download from the sites within the web application. | Read
BrowserCEIPEnabled | Single-valued, Boolean | Gets or sets whether the Customer Experience Improvement Program is enabled in the web browser. | Read, write (update only)
CanRenameOnRestore | Single-valued, Boolean | Gets whether the web application can be renamed during its restore. | Read
CanSelectForBackup | Single-valued, Boolean | Gets or sets whether the web application can be backed up. | Read, write (update only)
CanSelectForRestore | Single-valued, Boolean | Gets or sets whether the web application can be restored. | Read, write (update only)
CascadeDeleteMaximumItemLimit | Single-valued, integer | Gets or sets the maximum number of items that can be checked in a Cascade or Restrict delete operation. | Read, write (update only)
CascadeDeleteTimeoutMultiplier | Single-valued, integer | Gets or sets the cost per item deleted in a referential integrity delete operation. | Read, write (update only)
CellStorageWebServiceEnabled | Single-valued, Boolean | Gets or sets whether the Web service named WebSvcCellStorage is enabled. | Read, write (update only)
ChangeLogExpirationEnabled | Single-valued, Boolean | Gets or sets whether change logs get deleted after the retention period set in the ChangeLogRetentionPeriod property expires. | Read, write (update only)
ChangeLogRetentionPeriod | Single-valued, string (TimeSpan) | Gets or sets the period (in days) during which the change logs are retained. | Read, write (update only)
CrossDomainPhotosEnabled | Single-valued, Boolean | Gets or sets whether cross-domain photos are enabled. | Read, write (update only)
CustomAppErrorLimit | Single-valued, integer | Gets or sets the maximum number of calls that the Web application can make each 24 hours to log custom errors. | Read, write (update only)
DailyStartUnthrottledPrivilegedOperationsHour | Single-valued, integer | Gets or sets the hour (in the local time zone) when the unthrottled daily time window starts. | Read, write (update only)
DailyStartUnthrottledPrivilegedOperationsMinute | Single-valued, integer | Gets or sets the minute (in the local time zone) when the unthrottled daily time window starts. | Read, write (update only)
DailyUnthrottledPrivilegedOperationsDuration | Single-valued, integer | Gets or sets the period (in hours) during which the unthrottled daily time window remains open. | Read, write (update only)
DaysToShowNewIndicator | Single-valued, integer | Gets or sets the period (in days) during which the New icon is displayed next to new list items. | Read, write (update only)
DefaultQuotaTemplate | Single-valued, string | Gets or sets the default quota template applicable to all site collections. | Read, write (update only)
DefaultServerComment | Single-valued, string | Gets the default comment for the Internet Information Services (IIS) website. This default comment is used in situations where a comment is not specified by the web application. | Read
DefaultTimeZone | Single-valued, integer | Gets or sets the default time zone for the web application. | Read, write (update only)
DisableCoauthoring | Single-valued, Boolean | Gets or sets whether co-authoring using Microsoft Office is disabled. | Read, write (update only)
DisplayName | Single-valued, string | Gets the display name of the web application. | Read
DocumentLibraryCalloutOfficeWebAppPreviewersDisabled | Single-valued, Boolean | Gets or sets whether the Document Library Callout's WAC previewers are disabled. | Read, write (update only)
EmailToNoPermissionWorkflowParticipantsEnabled | Single-valued, Boolean | Gets or sets whether users that have no site permissions receive a notification email when they are assigned workflow tasks. | Read, write (update only)
EnabledClaimProviders | Multivalued, string | Reserved for internal use. | Read
EventHandlersEnabled | Single-valued, Boolean | Gets or sets whether event handlers are enabled for the Web application. | Read, write (update only)
EventLogRetentionPeriod | Single-valued, string (TimeSpan) | Gets or sets the period (in days) during which the event logs are retained. | Read, write (update only)
ExternalUrlZone | Single-valued, string | Gets or sets the URL zone for cross-firewall access. | Read, write (update only)
ExternalWorkflowParticipantsEnabled | Single-valued, Boolean | Gets or sets whether external users can participate in a workflow if they have a document copy. | Read, write (update only)
FileNotFoundPage | Single-valued, string | Gets or sets the name of the HTML file that contains the error information to be displayed in a situation where a file is not found. | Read, write (update only)
ForceseekEnabled | Single-valued, Boolean | Gets or sets whether the FORCESEEK hint is enabled. | Read, write (update only)
Id | Single-valued, string | Gets or sets the object ID. | Read, write
IncomingEmailServerAddress | Single-valued, string | Gets or sets the name of the email server that is used to receive incoming email messages. | Read, write (update only)
InheritDataRetrievalSettings | Single-valued, Boolean | Gets or sets whether the web application inherits data retrieval settings from the central administration application. | Read, write (update only)
IsAdministrationWebApplication | Single-valued, Boolean | Gets or sets whether the web application is the central administration application. | Read, write (update only)
MasterPageReferenceEnabled | Single-valued, Boolean | Gets or sets whether site administrators can enable dynamic master page referencing for the web application pages. | Read, write (update only)
MaximumFileSize | Single-valued, integer | Gets or sets the maximum file size limit for files to be uploaded. | Read, write (update only)
MaxItemsPerThrottledOperation | Single-valued, integer | Gets or sets the count of items at which throttling begins for list operations. | Read, write (update only)
MaxItemsPerThrottledOperationOverride | Single-valued, integer | Gets or sets the maximum count of items for which throttling is not enabled if the current user is an administrator or auditor. | Read, write (update only)
MaxItemsPerThrottledOperationWarningLevel | Single-valued, integer | Gets or sets the warning level for the number of items in list operations. | Read, write (update only)
MaxQueryLookupFields | Single-valued, integer | Gets or sets the maximum number of lookup fields that may be included in a list item query. | Read, write (update only)
MaxSizeForSelfServiceEvalSiteCreationMB | Single-valued, LargeInteger | Gets or sets the maximum possible size (in MB) of a site collection for which the creation of evaluation sites is permitted through self-service. | Read, write (update only)
MaxUniquePermScopesPerList | Single-valued, integer | Gets or sets the maximum number of unique scopes that can be in a list. | Read, write (update only)
MetaWeblogAuthenticationEnabled | Single-valued, Boolean | Gets or sets whether authentication via the MetaWeblog API is enabled for the web application. | Read, write (update only)
MetaWeblogEnabled | Single-valued, Boolean | Gets or sets whether the MetaWeblog API is enabled for the web application. | Read, write (update only)
OfficialFileName | Single-valued, string | Gets or sets the name of the Records Repository Web Service that is used to get the official file. | Read, write (update only)
OfficialFileUrl | Multivalued, string | Gets the URL of the Recovery Repository Web Service that is used to get the official file. | Read
OutboundMailCodePage | Single-valued, integer | Gets or sets the default code page that is used for sending emails. | Read, write (update only)
OutboundMailReplyToAddress | Single-valued, string | Gets or sets the default reply email address to be used in email messages. | Read, write (update only)
OutboundMailSenderAddress | Single-valued, string | Gets or sets the default sender's email address to be displayed in the From field of outgoing email messages. | Read, write (update only)
Parent | Single-valued, string | Gets or sets the parent of the object. | Read, write
PresenceEnabled | Single-valued, Boolean | Gets or sets whether presence information is enabled in the web application. | Read, write (update only)
ReadOnlyMaintenanceLink | Single-valued, string | Gets or sets a link to the upgrade maintenance page. | Read, write (update only)
RecycleBinCleanupEnabled | Single-valued, Boolean | Gets or sets whether recycle bin cleanup is enabled. | Read, write (update only)
RecycleBinEnabled | Single-valued, Boolean | Gets or sets whether the Recycle Bin is enabled. | Read, write (update only)
RecycleBinRetentionPeriod | Single-valued, integer | Gets or sets the period (in days) during which deleted items are retained in the Recycle Bin. | Read, write (update only)
RenderingFromMetainfoEnabled | Single-valued, Boolean | Gets or sets whether page roundtrip optimization is enabled. | Read, write (update only)
RequireContactForSelfServiceSiteCreation | Single-valued, Boolean | Gets or sets whether self-service site creation requires contact information of the site owner. | Read, write (update only)
ScopeExternalConnectionsToSiteSubscriptions | Single-valued, Boolean | No description available. | Read, write (update only)
SecondStageRecycleBinQuota | Single-valued, integer | Gets or sets the storage quota (in per cent) available to the second stage Recycle Bin. | Read, write (update only)
SelfServiceCreateIndividualSite | Single-valued, Boolean | Gets or sets whether self-service should create an individual site or a site collection. | Read, write (update only)
SelfServiceCreationParentSiteUrl | Single-valued, string | Gets or sets the parent site URL under which children sites are to be created. | Read, write (update only)
SelfServiceCreationQuotaTemplate | Single-valued, string | Gets or sets the quota template to be used when creating site collections. | Read, write (update only)
SelfServiceSiteCreationEnabled | Single-valued, Boolean | Gets or sets whether sites can be created by using self-service in the Web application. | Read, write (update only)
SelfServiceSiteCustomFormUrl | Single-valued, string | Gets or sets the custom form URL to be used when creating sites through self-service. | Read, write (update only)
SendLoginCredentialsByEmail | Single-valued, Boolean | Gets or sets whether the login credentials of newly-created users are sent to them via email. | Read, write (update only)
SendSiteUpgradeEmails | Single-valued, Boolean | Gets or sets whether to send an email notification once a site upgrade completes. | Read, write (update only)
SendUnusedSiteCollectionNotifications | Single-valued, Boolean | Gets or sets whether to send notifications to the owners of unused sites. | Read, write (update only)
ShowStartASiteMenuItem | Single-valued, Boolean | Gets or sets whether the Start a new site menu command is available. | Read, write (update only)
ShowURLStructure | Single-valued, Boolean | Gets or sets whether the users are allowed to see the file structure of the websites. | Read, write (update only)
StorageMetricsProcessingDuration | Single-valued, integer | Gets or sets the maximum duration (in seconds) for the processing of metric changes for documents. | Read, write (update only)
SuiteBarBrandingElementHtml | Single-valued, string | Gets or sets the HTML snippet that is displayed in the SuiteBarBrandingElement control. | Read, write (update only)
SyndicationEnabled | Single-valued, Boolean | Gets or sets whether syndication is enabled. | Read, write (update only)
TypeName | Single-valued, string | Gets the type of object for the web application. | Read
UnthrottledPrivilegedOperationWindowEnabled | Single-valued, Boolean | Gets or sets whether to enable the unthrottled daily time window. When this attribute is set to TRUE, large list operations are not throttled when they occur within the time window. | Read, write (update only)
UnusedSiteNotificationPeriod | Single-valued, string (TimeSpan) | Gets the time period during which the site was unused. | Read
UnusedSiteNotificationsBeforeDeletion | Single-valued, integer | Gets or sets the number of site deletion notifications that must be sent before an unused site gets deleted. | Read, write (update only)
UpgradeEvalSitesRetentionDays | Single-valued, integer | Gets or sets the period (in days) since the evaluation site creation date after which the evaluation site gets deleted. | Read, write (update only)
UpgradeMaintenanceLink | Single-valued, string | Gets or sets a link pointing to the upgrade maintenance page. | Read, write (update only)
UpgradeReminderDelay | Single-valued, integer | Gets or sets the number of days by which the site collection administrator can put off the upgrade reminder. When this attribute value is set to 0, the status notification shows that an upgrade is required. | Read, write (update only)
UseClaimsAuthentication | Single-valued, Boolean | Gets or sets whether claims authentication is enabled. | Read, write (update only)
UseExternalUrlZoneForAlerts | Single-valued, Boolean | Gets or sets whether to use an external URL zone in emails providing information about alerts. If this attribute is set to TRUE and a cross-firewall URL zone is configured, then that zone is used in the emails containing alerts. If this attribute is set to TRUE, and no cross-firewall URL zone is configured, then the emails containing alerts use the default zone URL for the web application. | Read, write (update only)
UserDefinedWorkflowMaximumComplexity | Single-valued, integer | Gets or sets the maximum number of activities and bindings that a user-defined workflow can have. | Read, write (update only)
UserDefinedWorkflowsEnabled | Single-valued, Boolean | Gets or sets whether the users can create workflows in the web application. | Read, write (update only)
UserPhotoErrorExpiration | Single-valued, string (Double) | Gets or sets the period (in hours) upon which the error window for photos expires. | Read, write (update only)
UserPhotoExpiration | Single-valued, string (Double) | Gets or sets the period (in hours) upon which the photo expires. | Read, write (update only)
UserPhotoImportEnabled | Single-valued, Boolean | Gets or sets whether photo import is enabled. | Read, write (update only)
UserPhotoOnlineImportEnabled | Single-valued, Boolean | Gets or sets whether photo import is enabled for Exchange Online. | Read, write (update only)
WebFileExtensions | Multivalued, string | Gets the list of file name extensions that identify web files. | Read

WebTemplate object attributes


In a SharePoint connection, the Synchronization Service supports the following attributes
of the WebTemplate object with the following synchronization operations.

Table 71: WebTemplate object attributes

Attribute | Type | Description | Supported operations
AllowGlobalFeatureAssociations | Single-valued, Boolean | Gets whether global feature associations are allowed on sites created with the web template. | Read
CompatibilityLevel | Single-valued, integer | Gets the web template compatibility level. | Read
Description | Single-valued, string | Gets the web template description. | Read
DisplayCategory | Single-valued, string | Gets the name of the category to which the web template belongs. | Read
Id | Single-valued, string | Gets or sets the object ID. | Read, write (create only)
IDWebTemplate | Single-valued, integer | Gets the web template ID. | Read
IsCustomTemplate | Single-valued, Boolean | Gets whether this is a custom web template. | Read
IsFarmWideTemplate | Single-valued, Boolean | Gets whether the web template is a farm-wide template and can be used to create sites across the entire SharePoint farm. | Read
IsHidden | Single-valued, Boolean | Gets whether the web template is hidden from the user interface. | Read
IsRootWebOnly | Single-valued, Boolean | Gets whether the web template can only be applied to the root site in the site collection. | Read
IsSubWebOnly | Single-valued, Boolean | Gets whether the web template is only applicable to subsites within the site collection. | Read
IsUnique | Single-valued, Boolean | Gets whether the site created from the web template inherits from its parent. | Read
Lcid | Single-valued, integer | Gets the locale identifier of the web template. | Read
Name | Single-valued, string | Gets the internal name of the web template. | Read
Parent | Single-valued, string, reference (Web object) | Gets or sets the parent of the object. | Read, write (create only)
ProvisionAssembly | Single-valued, string | Gets the name of the assembly that implements the class which contains logic for provisioning sites created through the web template. | Read
ProvisionClass | Single-valued, string | Gets the name of the class which provides logic for provisioning sites created through the web template. | Read
ProvisionData | Single-valued, string | Gets the data that is passed to the site provisioning handler when creating sites. | Read
SupportsMultilingualUI | Single-valued, Boolean | Gets whether it is possible to enable alternate user interface languages for the sites created from the web template. | Read
Title | Single-valued, string | Gets the display name of the web template. | Read
UserLicensingId | Single-valued, string | Gets the per-user license. | Read
VisibilityFeatureDependencyId | Single-valued, string | Gets the GUID of the feature on which the web template depends. | Read

Considerations for creating objects in SharePoint


When creating objects in SharePoint, consider the following:
• RoleAssignment object: To create this object, you must populate the value of the Member attribute for the object. Since Member is a reference attribute, you can only populate its value by configuring a value generation rule. For more information about value generation rules, see Using value generation rules.
• Site object: To create this object, you must populate the values of attributes URL and Owner for the object.

Working with Microsoft 365


To create a connection to Microsoft 365, you must use Synchronization Service in
conjunction with a special connector called Microsoft 365 Connector (formerly known
as Office 365 Connector). This connector is included in the Synchronization
Service package.
The Microsoft 365 Connector supports the following features:

Table 72: Microsoft 365 Connector – Supported features

Feature | Supported
Bidirectional synchronization. Specifies whether you can both read and write data in the connected data system. | Yes
Delta processing mode. Specifies whether the connection can process only the data that has changed in the connected data system since the last synchronization operation. This reduces the overall synchronization duration. | No
Password synchronization. Specifies whether you can synchronize user passwords from an Active Directory (AD) domain to the connected data system. | No
Secure Sockets Layer (SSL) data encryption. Specifies whether the connector can use SSL to encrypt data transmitted between Active Roles Synchronization Service and the connected data system. | Yes

Creating a Microsoft 365 connection


With the Microsoft 365 connector, you can configure data synchronization connections
for the Microsoft 365 service.
You can create an M365 connector by configuring an Azure application in the
Synchronization Service Console:
• To create and configure an M365 connector with manual configuration, see Creating a Microsoft 365 connector with manual configuration.
• To create and configure an M365 connector with automatic configuration, see Creating a Microsoft 365 connector with automatic configuration.

Creating a Microsoft 365 connector with manual configuration

With the Microsoft 365 connector, you can configure data synchronization connections
for the Microsoft 365 service.
You can create an M365 connector by configuring an Azure application manually in the
Synchronization Service Console. One Identity recommends using Manual configuration
if you want to use an existing Azure application for the connection.

To create a new M365 connector with manual configuration

1. In the Synchronization Service Console, open the Connections tab.
2. Click Add connection, then use the following options:
   • Connection name: Type a descriptive name for the connection.
   • Use the specified connector: Select Microsoft 365 Connector.
3. Click Next.
4. To use an existing Azure application, select Manual configuration.
   NOTE: Alternatively, to use and update an existing Azure application, you can also select Auto configuration. Under Auto configuration, click Log in to Azure, then select the Tenant environment type of the Azure tenant. After logging in to Azure with your tenant, the Tenant ID, Application ID, Certificate thumbprint and Tenant environment type parameters will be automatically filled in.
5. Enter the Tenant ID, Application ID and Certificate thumbprint of the Azure tenant as they appear on the Azure portal. Then, select the Tenant Environment Type of the Azure tenant.
6. To test the connection with the new parameters, click Test connection.
7. To finish creating a connection to Microsoft 365, click Finish.

Creating a Microsoft 365 connector with automatic configuration

With the Microsoft 365 connector, you can configure data synchronization connections
for the Microsoft 365 service.
You can create an M365 connector by configuring an Azure application automatically in the
Synchronization Service Console. One Identity recommends using Auto configuration if
you want to create a new Azure application for the connection.

To create a new M365 connector with automatic configuration

1. In the Synchronization Service Console, open the Connections tab.
2. Click Add connection, then use the following options:
   • Connection name: Type a descriptive name for the connection.
   • Use the specified connector: Select Microsoft 365 Connector.
3. Click Next.
4. To create a new Azure application or update an existing one, select Auto configuration.
   NOTE: If you have more than one Azure Active Directory (Azure AD) service in your Azure tenant, select I have more than one Azure AD in my Azure tenant, and use the Tenant ID field to specify the GUID of the Azure AD for which you want to set up synchronization. For more information, see Finding the GUID (Tenant ID) of an Azure AD for Azure BackSync.
5. Select one of the following options based on the number of Azure AD services in your Azure tenant:
   • I have one Azure AD in my Azure tenant.
   • I have more than one Azure AD in my Azure tenant.
6. Authenticate your access to Azure AD:
   • If you have selected I have one Azure AD in my Azure tenant, to authenticate your access to Azure AD, click Log in to Azure, and from the Select Environment Type drop-down, select the environment type of your Azure tenant.
   • If you have selected I have more than one Azure AD in my Azure tenant, in Tenant ID, enter the GUID of the Azure AD for which you want to set up synchronization.
     TIP: For more information on how to find the GUID of an Azure AD service, see Finding the GUID (Tenant ID) of an Azure AD for Azure BackSync.
     After specifying the tenant ID, to authenticate your access to Azure AD, click Log in to Azure, and in the Select Environment Type drop-down, select the environment of your Azure tenant.
     NOTE: If you select I have more than one Azure AD in my Azure tenant, the Log in to Azure button will be enabled only if you specify a well-formed Azure AD GUID in the Tenant ID text box.
   You can now create or update the Azure application in Azure AD.
7. Azure application name: Enter the name of the new or existing Azure application.
8. To create or update the Azure application in Azure AD, click Create or update Azure application.
   The created or updated Azure application has the following directory roles assigned to it:
   • Directory Writers
   • Exchange Administrator
   • User Administrator
   The following permissions are also added, for which you must give admin consent:
   • Sign in and read user profile
   • Manage Exchange As Application
   NOTE: You may need to set additional permissions depending on your needs.
9. To give admin consent for the permissions of the Azure application, click Consent. Then, in the Azure Tenant Consent dialog, click Accept.
10. To test the connection with the new parameters, click Test connection.
11. To finish creating a connection to Microsoft 365, click Finish.
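The wizard leaves the connector identity holding three directory roles and two consented permissions, which is worth verifying once the connection is finished. The following script is an added example, not part of the One Identity guide: it uses the Microsoft Graph PowerShell SDK (an assumption; the guide does not prescribe a tool) to list the roles and permissions the application's service principal actually holds and to flag anything beyond the set named in step 8. The application display name is a placeholder.

```powershell
# Added example, not from the Active Roles guide: audit the Azure application that
# "Create or update Azure application" (step 8) produced, and flag any directory role or
# consented permission beyond the set the guide lists, so the connector identity does not
# quietly accumulate rights. Assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph
# module) and a signed-in account permitted to read directory and application data.

param(
    # Placeholder: the name entered in "Azure application name" (step 7).
    [string]$AppDisplayName = 'ActiveRoles-M365-Connector'
)

# What the guide says the wizard assigns. The permission values are the Graph and
# Exchange Online names behind the portal labels "Sign in and read user profile"
# (delegated) and "Manage Exchange As Application" (application).
$ExpectedRoles       = @('Directory Writers', 'Exchange Administrator', 'User Administrator')
$ExpectedPermissions = @('User.Read', 'Exchange.ManageAsApp')

Connect-MgGraph -Scopes 'Directory.Read.All', 'Application.Read.All' | Out-Null

$sp = @(Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'")
if ($sp.Count -eq 0) { throw "No service principal named '$AppDisplayName' in this tenant." }
if ($sp.Count -gt 1) { throw "Display name '$AppDisplayName' is ambiguous; refine the filter." }
$sp = $sp[0]

# 1. Directory roles: Get-MgDirectoryRole returns only activated roles; check the
#    service principal's membership in each one.
$heldRoles = @(foreach ($role in Get-MgDirectoryRole) {
    $members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All
    if (@($members.Id) -contains $sp.Id) { $role.DisplayName }
})

# 2. Application permissions: app role assignments on the service principal, resolved to
#    the permission value (for example Exchange.ManageAsApp) via the resource's AppRoles.
$heldAppPerms = @(foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All) {
    $resource = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId
    ($resource.AppRoles | Where-Object { $_.Id -eq $a.AppRoleId }).Value
})

# 3. Delegated permissions with tenant-wide admin consent (the Consent step, step 9).
#    The grant's Scope property is a space-separated list of permission values.
$heldDelegated = @(Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All |
    Where-Object { $_.ConsentType -eq 'AllPrincipals' } |
    ForEach-Object { $_.Scope.Trim() -split '\s+' })

$heldPermissions = @($heldAppPerms + $heldDelegated | Where-Object { $_ } | Sort-Object -Unique)

# Compare against the documented set. Extras are the least-privilege finding; missing
# entries mean the wizard or the consent step did not complete.
$report = [pscustomobject]@{
    ServicePrincipalId    = $sp.Id
    AppId                 = $sp.AppId
    HeldRoles             = $heldRoles
    HeldPermissions       = $heldPermissions
    UnexpectedRoles       = @($heldRoles           | Where-Object { $_ -notin $ExpectedRoles })
    MissingRoles          = @($ExpectedRoles       | Where-Object { $_ -notin $heldRoles })
    UnexpectedPermissions = @($heldPermissions     | Where-Object { $_ -notin $ExpectedPermissions })
    MissingPermissions    = @($ExpectedPermissions | Where-Object { $_ -notin $heldPermissions })
}
$report | Format-List

if ($report.UnexpectedRoles.Count -gt 0 -or $report.UnexpectedPermissions.Count -gt 0) {
    Write-Warning 'Connector application holds rights beyond the documented set; review them before use.'
}
```

Run it after step 11 and again whenever the connection is modified, since "Create or update Azure application" can re-apply roles to an application that has meanwhile been granted additional ones.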

Modifying a Microsoft 365 connection


With the Microsoft 365 connector, you can configure data synchronization connections
for the Microsoft 365 service.
You can modify the settings of an existing M365 connector in the Synchronization
Service Console:
• To modify the manually configured settings of an M365 connector, see Modifying the manual configuration settings of a Microsoft 365 connector.
• To modify the automatically configured settings of an M365 connector, see Modifying the automatic configuration settings of a Microsoft 365 connector.

Modifying the manual configuration settings of a Microsoft 365 connector

You can modify the manual configuration settings of an existing M365 connector in the
Synchronization Service Console.

To modify the manual configuration settings of an M365 connector

1. In the Synchronization Service Console, open the Connections tab.


2. Click Connection settings under the existing Microsoft 365 connection you
want to modify.
3. On the Connection Settings tab, click Specify connection settings to expand it
and use the following options.
4. To use an existing Azure application, select Manual configuration.
NOTE: Alternatively, to use and update an existing Azure application, you can also
select Auto configuration. Under Auto configuration, click Log in to Azure,
then select the Tenant environment type of the Azure tenant. After logging in to
Azure with your tenant, the Tenant ID, Application ID, Certificate thumbprint
and Tenant environment type parameters will be automatically filled in.
5. Enter the Tenant ID, Application ID and Certificate thumbprint of the Azure
tenant as they appear on the Azure portal. Then, select the Tenant Environment
Type of the Azure tenant.
6. To test the connection with the new parameters, click Test connection.
7. To modify the connection settings, click Save.

Modifying the automatic configuration settings of a Microsoft 365 connector

You can modify the automatic configuration settings of an existing M365 connector in the
Synchronization Service Console.

To modify the auto configuration settings of an M365 connector

1. In the Synchronization Service Console, open the Connections tab.


2. Click Connection settings under the existing Microsoft 365 connection you
want to modify.
3. On the Connection Settings tab, click Specify connection settings to expand it
and use the following options.

4. To create a new Azure application or update an existing one, select Auto
configuration.
NOTE: If you have more than one Azure Active Directory (Azure AD) service in your
Azure tenant, select I have more than one Azure AD in my Azure tenant, and
use the Tenant ID field to specify the GUID of the Azure AD for which you want to
set up synchronization. For more information, see Finding the GUID (Tenant ID) of
an Azure AD for Azure BackSync.
5. Select one of the following options based on the number of Azure AD services in your
Azure tenant:
l I have one Azure AD in my Azure tenant.
l I have more than one Azure AD in my Azure tenant.
6. Authenticate your access to Azure AD:
l If you have selected I have one Azure AD in my Azure tenant, to
authenticate your access to Azure AD, click Log in to Azure, and from the
Select Environment Type drop-down, select the environment type of your
Azure tenant.
l If you have selected I have more than one Azure AD in my Azure tenant,
in Tenant ID, enter the GUID of the Azure AD for which you want to set up
synchronization.
TIP: For more information on how to find the GUID of an Azure AD service,
see Finding the GUID (Tenant ID) of an Azure AD for Azure BackSync.
After specifying the tenant ID, to authenticate your access to Azure AD, click
Log in to Azure, and in the Select Environment Type drop-down, select
the environment of your Azure tenant.
NOTE: If you select I have more than one Azure AD in my Azure
tenant, the Log in to Azure button will be enabled only if you specify a
well-formed Azure AD GUID in the Tenant ID text box.
7. Azure application name: Enter the name of the new or existing Azure application.
8. To create or update the Azure application in Azure AD, click Create or update
Azure application.
The created or updated Azure application has the following directory roles
assigned to it:
l Directory Writers
l Exchange Administrator
l User Administrator
The following permissions are also added, for which you must give admin consent:
l Sign in and read user profile
l Manage Exchange As Application
NOTE: You may need to set additional permissions depending on your needs.

9. To give admin consent for the permissions of the Azure application, click Consent.
Then, in the Azure Tenant Consent dialog, click Accept.
10. To test the connection with the new parameters, click Test connection.
11. To modify the connection settings, click Save.
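The following PowerShell script is an added example, not code from Active Roles or from
One Identity. It checks, from the Synchronization Service host, what the manual and
automatic configuration procedures above rely on: that the Azure application identified
by the Application ID holds the three directory roles and the consented permissions
listed for auto configuration (and no unexpected roles), that the certificate named by
the Certificate thumbprint is registered on the application and present in the local
certificate store with its private key, and that neither is about to expire. It assumes
the Microsoft.Graph PowerShell SDK is installed; the application name, thumbprint and
certificate store in its param block are placeholders that you must replace.

```powershell
# Added example (not part of Active Roles or its documentation): audit the Azure
# application that the Microsoft 365 connector authenticates as. All Graph calls are
# read-only; the script never changes the tenant.
# Requires the Microsoft.Graph PowerShell SDK: Install-Module Microsoft.Graph
param(
    [string]$AppName    = 'ActiveRolesSyncService',                  # assumed application name
    [string]$Thumbprint = '0123456789ABCDEF0123456789ABCDEF01234567', # assumed thumbprint
    [string]$CertStore  = 'Cert:\LocalMachine\My'                    # assumed certificate store
)

$ErrorActionPreference = 'Stop'

# Read-only scopes are enough for an audit.
Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All'

$app = Get-MgApplication -Filter "displayName eq '$AppName'"
if (-not $app) { throw "No application registration named '$AppName' in tenant $((Get-MgContext).TenantId)." }
if (@($app).Count -gt 1) { throw "More than one application is named '$AppName'; look it up by Application ID instead." }
$sp = Get-MgServicePrincipal -Filter "appId eq '$($app.AppId)'"

# 1. Directory roles held by the service principal, compared with the roles that the
#    auto configuration assigns (Directory Writers, Exchange Administrator, User Administrator).
$expectedRoles = 'Directory Writers', 'Exchange Administrator', 'User Administrator'
$heldRoles = foreach ($role in Get-MgDirectoryRole -All) {
    $memberIds = (Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All).Id
    if ($memberIds -contains $sp.Id) { $role.DisplayName }
}
$missingRoles = @($expectedRoles | Where-Object { $_ -notin $heldRoles })
$extraRoles   = @($heldRoles     | Where-Object { $_ -notin $expectedRoles })

# 2. Application permissions: app roles on resource APIs assigned to this service principal.
#    Manage Exchange As Application shows up here as Exchange.ManageAsApp on Office 365 Exchange Online.
$appPermissions = foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All) {
    $resource = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId
    $roleDef  = $resource.AppRoles | Where-Object { $_.Id -eq $a.AppRoleId }
    '{0}: {1}' -f $resource.DisplayName, $roleDef.Value
}

# 3. Delegated permissions consented for this client (Sign in and read user profile is User.Read).
$delegatedPermissions = foreach ($g in Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All) {
    $resource = Get-MgServicePrincipal -ServicePrincipalId $g.ResourceId
    '{0}: {1} ({2} consent)' -f $resource.DisplayName, $g.Scope.Trim(), $g.ConsentType
}

# 4. Certificate credential. The Azure portal and the Graph SDK store the SHA-1 thumbprint
#    of an uploaded certificate in CustomKeyIdentifier, which is what is matched here.
$Thumbprint = $Thumbprint.ToUpperInvariant()
$keyCred = $app.KeyCredentials | Where-Object {
    $_.CustomKeyIdentifier -and
    (([System.BitConverter]::ToString($_.CustomKeyIdentifier)) -replace '-', '') -eq $Thumbprint
}
$localCert = Get-ChildItem -Path $CertStore | Where-Object { $_.Thumbprint -eq $Thumbprint }

$findings = [System.Collections.Generic.List[string]]::new()
if ($missingRoles) { $findings.Add("Missing directory roles: $($missingRoles -join ', ')") }
if ($extraRoles)   { $findings.Add("Unexpected directory roles, review them: $($extraRoles -join ', ')") }
if (-not $keyCred) { $findings.Add("Certificate $Thumbprint is not registered on the application") }
elseif ($keyCred.EndDateTime -lt (Get-Date).AddDays(30)) { $findings.Add("Certificate credential expires on $($keyCred.EndDateTime)") }
if (-not $localCert) { $findings.Add("Certificate $Thumbprint was not found in $CertStore") }
elseif (-not $localCert.HasPrivateKey) { $findings.Add("Certificate $Thumbprint has no private key on this host") }

[pscustomobject]@{
    TenantId               = (Get-MgContext).TenantId
    ApplicationId          = $app.AppId
    DirectoryRoles         = $heldRoles
    ApplicationPermissions = $appPermissions
    DelegatedPermissions   = $delegatedPermissions
    Findings               = if ($findings.Count) { $findings } else { 'OK' }
} | Format-List
```

Run the script as a user who can read applications and directory roles in the tenant. An
empty Findings value means the application matches what the procedures above set up; any
unexpected role or a certificate without a private key is worth resolving before you click
Test connection, because the connector authenticates with exactly that certificate.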

Microsoft 365 data supported out of the box

The next table lists the Microsoft 365 object types supported by the Microsoft 365
Connector out of the box and provides information about the operations you can perform
on these objects by using the Microsoft 365 Connector.

Table 73: Supported objects and operations

Object                    Read  Create  Delete  Update
ClientPolicy              Yes   No      No      No
  Allows you to work with client policies in Skype for Business Online. You can use
  client policies to determine the features of Skype for Business Online that are
  available to users. For more information on what data you can read, see
  ClientPolicy object attributes.
ConferencingPolicy        Yes   No      No      No
  Allows you to work with conferencing policies in Skype for Business Online. You can
  use conferencing policies to determine the features available to the users
  participating in a conference. For more information on what data you can read, see
  ConferencingPolicy object attributes.
Contact                   Yes   Yes     Yes     Yes
  Allows you to work with external contact properties in Microsoft 365. For more
  information on what data you can read and write, see Contact object attributes.
DistributionGroup         Yes   Yes     Yes     Yes
  Allows you to work with distribution group properties in Microsoft 365. For more
  information on what data you can read and write, see DistributionGroup object
  attributes.
Domain                    Yes   No      No      No
  Allows you to retrieve information about domains in Microsoft 365. For more
  information on what data you can retrieve, see Domain object attributes.
DynamicDistributionGroup  Yes   Yes     Yes     Yes
  Allows you to work with dynamic distribution group properties in Microsoft 365. For
  more information on what data you can read and write, see DynamicDistributionGroup
  object attributes.
ExternalAccessPolicy      Yes   No      No      No
  Allows you to work with external access policies in Skype for Business Online. For
  more information on what data you can read, see ExternalAccessPolicy object
  attributes.
HostedVoicemailPolicy     Yes   No      No      No
  Allows you to work with voice mail policies in Skype for Business Online. For more
  information on what data you can read, see HostedVoicemailPolicy object attributes.
LicensePlanService        Yes   No      No      No
  Allows you to retrieve information related to the license plans and services that
  are currently in use in Microsoft 365. For more information on what data you can
  read, see LicensePlanService object attributes.
Mailbox                   Yes   Yes     Yes     Yes
  Allows you to work with Exchange Online mailboxes in Microsoft 365. For more
  information on what data you can read and write, see Mailbox object attributes.
MailUser                  Yes   Yes     Yes     Yes
  Allows you to work with mail user properties in Microsoft 365. For more information
  on what data you can read and write, see MailUser object attributes.
PresencePolicy            Yes   No      No      No
  Allows you to work with presence policies in Skype for Business Online. For more
  information on what data you can read, see PresencePolicy object attributes.
SecurityGroup             Yes   Yes     Yes     Yes
  Allows you to work with security group properties in Microsoft 365. For more
  information on what data you can read and write, see SecurityGroup object
  attributes.
SPOSite                   Yes   Yes     Yes     Yes
  Allows you to work with the properties of site collections in SharePoint Online. For
  more information on what data you can read and write, see SPOSite object attributes.
SPOSiteGroup              Yes   Yes     Yes     Yes
  Allows you to work with groups inside site collections in SharePoint Online. For
  more information on what data you can read and write, see SPOSiteGroup object
  attributes.
SPOWebTemplate            Yes   No      No      No
  Allows you to work with web templates in SharePoint Online. For more information on
  what data you can read, see SPOWebTemplate object attributes.
SPOTenant                 Yes   No      No      Yes
  Allows you to work with the SharePoint Online organization (tenant) settings. For
  more information on what data you can read and write, see SPOTenant object
  attributes.
User                      Yes   Yes     Yes     Yes
  Allows you to read and write user properties in Microsoft 365. For more information
  on what data you can read and write, see User object attributes.
VoicePolicy               Yes   No      No      No
  Allows you to read data related to voice policies in Skype for Business Online. For
  more information on what data you can read, see VoicePolicy object attributes.
Microsoft 365 Group       Yes   Yes     Yes     Yes
  Allows you to read or write data related to Microsoft 365 groups. For more
  information on what data you can read and write, see Microsoft 365 group attributes.

ClientPolicy object attributes

Table 74: ClientPolicy object attributes

Attribute    Supported operations  Description
Anchor       Read                  Gets the Anchor property value of the policy.
Description  Read                  Gets the policy description.
Identity     Read                  Gets the unique identifier assigned to the policy.
Members      Read                  Gets the users who have been assigned the policy.
ObjectID     Read                  Gets the unique object identifier (GUID).

ConferencingPolicy object attributes

Table 75: ConferencingPolicy object attributes

Attribute    Supported operations  Description
Anchor       Read                  Gets the Anchor property value of the policy.
Description  Read                  Gets the policy description.
Identity     Read                  Gets the unique identifier assigned to the policy.
Members      Read                  Gets the users who have been assigned the policy.
ObjectID     Read                  Gets the unique object identifier (GUID).

Contact object attributes

Table 76: Contact object attributes

In this table, each attribute name is followed by its supported operations in
parentheses (Read, or Read and Write), then by its description.

AcceptMessagesOnlyFrom (Read, Write)
Gets or sets the senders that can send email messages to the contact.
This reference attribute can take senders in any of the following formats:
l Alias
l Canonical name
l Display name
l DN
l Exchange DN
l GUID
l Name
l Primary SMTP email address
This reference attribute accepts the following object types:
l MailUser
l Mailbox
l Contact

AcceptMessagesOnlyFromDLMembers (Read, Write)
Gets or sets the distribution groups whose members are allowed to send email messages
to the contact.
This reference attribute can take distribution groups in any of the following formats:
l Canonical name
l Display name
l DN
l GUID
l Legacy Exchange DN
l Name
l Primary SMTP email address
This reference attribute accepts the following object types:
l DistributionGroup
l DynamicDistributionGroup

AcceptMessagesOnlyFromSendersOrMembers (Read, Write)
Gets or sets the senders who can send email messages to the contact.
This reference attribute can take senders in any of the following formats:
l Canonical name
l Display name
l Distinguished name (DN)
l GUID
l Legacy Exchange DN
l Name
l Primary SMTP email address
This reference attribute accepts the following object types:
l Contact
l DistributionGroup
l DynamicDistributionGroup
l Mailbox
l MailUser

Alias (Read, Write)
Gets or sets the alias of the mail-enabled contact.

AllowUMCallsFromNonUsers (Read, Write)
Gets or sets whether to exclude or include the contact in directory searches.
This attribute can take one of the following values:
l None: Specifies to exclude the contact from directory searches.
l SearchEnabled: Specifies to include the contact in directory searches.

AssistantName (Read, Write)
Gets or sets the name of the contact's assistant.

BypassModerationFromSendersOrMembers (Read, Write)
Gets or sets the senders whose messages bypass moderation for the contact. Moderation
does not apply to the senders designated as moderators for the contact.
This reference attribute can take senders in any of the following formats:
l Canonical name
l Display name
l Distinguished name (DN)
l GUID
l Name
l Legacy Exchange DN
l Primary SMTP email address
This reference attribute accepts the following object types:
l Contact
l DistributionGroup
l DynamicDistributionGroup
l Mailbox
l MailUser

City (Read, Write)
Gets or sets the city of the contact.

Company (Read, Write)
Gets or sets the company of the contact.

CountryOrRegion (Read, Write)
Gets or sets the country or region of the contact.

CreateDTMFMap (Read, Write)
Gets or sets whether to create a dual-tone multi-frequency (DTMF) map for the contact.
This attribute can take one of the following values:
l TRUE: Specifies to create a DTMF map for the contact.
l FALSE: Specifies not to create a DTMF map for the contact.

CustomAttribute1 through CustomAttribute15 (Read, Write)
Get or set the additional custom values you specify.

Department (Read, Write)
Gets or sets the department of the contact.

DisplayName (Read, Write)
Gets or sets the name displayed in Microsoft 365 for the mail-enabled contact.

EmailAddresses (Read, Write)
Gets or sets the email addresses of the contact.

ExtensionCustomAttribute1 through ExtensionCustomAttribute5 (Read, Write)
Get or set the additional custom values you specify. These attributes are multivalued.
To specify multiple values, use a comma as a separator.

ExternalDirectoryObjectId (Read)
Gets the GUID of the contact.

ExternalEmailAddress (Read, Write)
Gets or sets the contact's email address.

Fax (Read, Write)
Gets or sets the fax number of the contact.

FirstName (Read, Write)
Gets or sets the first name of the mail-enabled contact.

GrantSendOnBehalfTo (Read, Write)
Gets or sets the distinguished name (DN) of other senders that can send messages on
behalf of the contact.
This reference attribute only accepts the following object type:
l Mailbox

HiddenFromAddressListsEnabled (Read, Write)
Gets or sets whether or not Microsoft 365 hides the contact from the address lists.
This attribute can take one of the following values:
l TRUE: Specifies to hide the contact from the address lists.
l FALSE (default): Specifies to display the contact in the address lists.

HomePhone (Read, Write)
Gets or sets the home phone number of the contact.

Initials (Read, Write)
Gets or sets the initials of the mail-enabled contact.

LastName (Read, Write)
Gets or sets the last name of the mail-enabled contact.

MacAttachmentFormat (Read, Write)
Gets or sets the Apple Macintosh operating system attachment format for messages sent
to the contact.
This attribute can take the following values:
l BinHex
l UuEncode
l AppleSingle
l AppleDouble

MailTip (Read, Write)
Gets or sets the message displayed to senders when they start writing an email message
to the contact.

MailTipTranslations (Read, Write)
Gets or sets the MailTip message translations in additional languages.
This attribute accepts the following format:
<LanguageLocale>:<MailTipMessageTranslation>
A MailTip message translation cannot exceed 250 characters.

Manager (Read, Write)
Gets or sets the manager of the contact.

MaxRecipientPerMessage (Read, Write)
Gets or sets the maximum number of recipients to which the contact can address a
message.

MessageBodyFormat (Read, Write)
Gets or sets the message body format for messages sent to the contact.
The values this attribute can write depend on the value in the MessageFormat attribute.
When the value in MessageFormat is Mime, the MessageBodyFormat attribute can write the
following values:
l Text
l Html
l TextAndHtml
When the value in MessageFormat is Text, the MessageBodyFormat attribute can only write
the Text value.

MessageFormat (Read, Write)
Gets or sets the message format for messages sent to the contact.
This attribute can take the following values:
l Text
l Mime

MobilePhone (Read, Write)
Gets or sets the mobile phone number of the contact.

ModeratedBy (Read, Write)
Gets or sets the moderators who are moderating the messages sent to the contact. To
specify multiple moderators, use a comma as a separator.
This reference attribute is required if you set the value of the ModerationEnabled
attribute to TRUE.
This reference attribute accepts the following object types:
l Mailbox
l MailUser

ModerationEnabled (Read, Write)
Gets or sets whether moderation is enabled for the contact.
This attribute can take one of the following values:
l TRUE
l FALSE

Name (Read, Write)
Gets or sets the name of the mail-enabled contact.

Notes (Read, Write)
Gets or sets notes about the contact.

ObjectID (Read)
Gets the unique object identifier (GUID).

Office (Read, Write)
Gets or sets the office of the contact.

OtherFax (Read, Write)
Gets or sets the alternate fax number of the contact.

OtherHomePhone (Read, Write)
Gets or sets the alternate home phone number of the contact.

Pager (Read, Write)
Gets or sets the pager of the contact.

Phone (Read, Write)
Gets or sets the work phone number of the contact.

PhoneticDisplayName (Read, Write)
Gets or sets a phonetic pronunciation of the value specified in the DisplayName
attribute for the contact.

PostalCode (Read, Write)
Gets or sets the postal code of the contact.

PostOfficeBox (Read, Write)
Gets or sets the post office box number of the contact.

RejectMessagesFrom (Read, Write)
Gets or sets the senders whose messages to the contact are rejected.
This reference attribute can take senders in one of the following formats:
l Alias
l Canonical name
l Display name
l Distinguished name (DN)
l GUID
l Name
l Legacy Exchange DN
l Primary SMTP email address
This reference attribute accepts the following object types:
l Contact
l Mailbox

RejectMessagesFromDLMembers (Read, Write)
Gets or sets the distribution groups whose members cannot send email messages to the
contact (their messages are rejected).
This reference attribute can take distribution groups in one of the following formats:
l Alias
l Canonical name
l Display name
l Distinguished name (DN)
l GUID
l Legacy Exchange DN
l Name
l Primary SMTP email address
This reference attribute accepts the following object types:
l DistributionGroup
l DynamicDistributionGroup

RejectMessagesFromSendersOrMembers (Read, Write)
Gets or sets the senders that cannot send email messages to the contact (their messages
are rejected).
This reference attribute can take senders in any of the following formats:
l Alias
l Canonical name
l Display name
l Distinguished name (DN)
l GUID
l Name
l Legacy Exchange DN
l Primary SMTP email address
This reference attribute accepts the following object types:
l Contact
l DistributionGroup
l DynamicDistributionGroup
l Mailbox

RequireSenderAuthenticationEnabled (Read, Write)
Gets or sets whether the senders that send messages to this contact must be
authenticated.
This attribute can take one of the following values:
l TRUE
l FALSE

SecondaryAddress (Read, Write)
Gets or sets the secondary address for the contact if it has Unified Messaging enabled.

SecondaryDialPlan (Read, Write)
Gets or sets a secondary Unified Messaging dial plan for the contact.

SendModerationNotifications (Read, Write)
Gets or sets whether to send status notifications to users when a message they sent to
the moderated recipient is rejected by a moderator.
This attribute can take one of the following values:
l Always: Specifies that notifications are sent to all senders.
l Internal: Specifies that notifications are only sent to the senders internal to your
organization.
l Never: Specifies that all status notifications are disabled.

SimpleDisplayName (Read, Write)
Gets or sets an alternate description of the contact in a situation where a limited set
of characters is allowed. The limited set of characters includes ASCII characters 26
through 126.

StateOrProvince (Read, Write)
Gets or sets the state or province of the contact.

StreetAddress (Read, Write)
Gets or sets the street address of the contact.

TelephoneAssistant (Read, Write)
Gets or sets the phone number of the contact's assistant.

Title (Read, Write)
Gets or sets the title of the contact.

UMCallingLineIds (Read, Write)
Gets or sets telephone numbers or telephone extensions that can be mapped to the contact
if it has Unified Messaging enabled. To specify multiple telephone numbers, use a comma
as a separator.
This attribute only accepts values that have fewer than 128 characters.

UMDtmfMap (Read, Write)
Gets or sets whether to create a user-defined DTMF map for the contact if it has
Unified Messaging enabled.

UseMapiRichTextFormat (Read, Write)
Gets or sets a format for the MAPI Rich Text Format messages sent to the contact.
This attribute can take one of the following values:
l Never: Specifies to convert all messages sent to the contact to the plain text
format.
l Always: Specifies to always use the MAPI Rich Text Format (RTF) for the messages
sent to the contact.
l UseDefaultSettings: Specifies to use the message format set in the MAPI client that
sent the message to the contact.

UsePreferMessageFormat (Read, Write)
Gets or sets whether the message format specified for the contact overrides any global
settings (such as those configured for the remote domain).
This attribute can take one of the following values:
l TRUE: Specifies that the message format set for the contact overrides any global
settings.
l FALSE: Specifies that global settings have precedence over the message format set
for the contact.

WebPage (Read, Write)
Gets or sets the web page address of the contact.

WindowsEmailAddress (Read, Write)
Gets or sets the email address of the contact stored in Active Directory.

DistributionGroup object attributes

Table 77: DistributionGroup object attributes

In this table, each attribute name is followed by its supported operations in
parentheses (Read, Write, or both), then by its description.

AcceptMessagesOnlyFrom (Read, Write)
Gets or sets the senders that can send email messages to the distribution group.
This reference attribute can take senders in any of the following formats:
l Alias
l Canonical DN
l Display name
l Distinguished name (DN)
l Domain\account
l GUID
l Immutable ID
l Legacy Exchange DN
l SMTP address
l User principal name
This reference attribute accepts the following object types:
l MailUser
l Mailbox
l Contact

AcceptMessagesOnlyFromDLMembers (Read, Write)
Gets or sets the distribution groups whose members are allowed to send email messages
to the distribution group.
This reference attribute can take distribution groups in any of the following formats:
l Alias
l Canonical DN
l Display name
l Distinguished name (DN)
l Domain\account
l GUID
l Immutable ID
l Legacy Exchange DN
l SMTP address
l User principal name
This reference attribute accepts the following object types:
l DistributionGroup
l DynamicDistributionGroup

AcceptMessagesOnlyFromSendersOrMembers (Read, Write)
Gets or sets the senders who can send email messages to the distribution group.
This reference attribute can take senders in any of the following formats:
l Alias
l Canonical DN
l Display name
l Distinguished name (DN)
l Domain\account
l GUID
l Immutable ID
l Legacy Exchange DN
l SMTP address
l User principal name
This reference attribute accepts the following object types:
l Contact
l DistributionGroup
l DynamicDistributionGroup
l Mailbox
l MailUser

Alias (Read, Write)
Gets or sets the alias of the distribution group.

BypassModerationFromSendersOrMembers (Read, Write)
Gets or sets the senders whose messages bypass moderation for the distribution group.
This reference attribute can take senders in any of the following formats:
l Alias
l Canonical DN
l Display name
l Distinguished name (DN)
l Domain\account
l GUID
l Immutable ID
l Legacy Exchange DN
l SMTP address
l User principal name
This reference attribute accepts the following object types:
l Contact
l DistributionGroup
l DynamicDistributionGroup
l Mailbox
l MailUser

BypassNestedModerationEnabled (Read, Write)
Gets or sets whether moderators of parent groups are allowed to moderate nested groups
for which moderation is enabled.
This attribute can take one of the following values:
l TRUE: Specifies that email messages approved by parent group moderators bypass any
moderation in nested groups.
l FALSE: Specifies that email messages approved by parent group moderators can still
be moderated in nested groups.

CreateDTMFMap (Write)
Sets whether to create a dual-tone multi-frequency (DTMF) map for the distribution
group.
This attribute can take one of the following values:
l TRUE: Specifies to create a DTMF map for the distribution group.
l FALSE: Specifies not to create a DTMF map for the distribution group.
CustomAttribute1 through CustomAttribute15 (Read, Write)
Get or set the additional custom values you specify.

Description (Read, Write)
Gets or sets the description of the distribution group.

DisplayName (Read, Write)
Gets or sets the display name of the distribution group.

EmailAddresses (Read, Write)
Gets or sets the email addresses of the distribution group.

ExtensionCustomAttribute1 through ExtensionCustomAttribute5 (Read, Write)
Get or set the additional custom values you specify. These attributes are multivalued.
To specify multiple values, use a comma as a separator.

GrantSendOnBehalfTo (Read, Write)
Gets or sets the senders that can send messages on behalf of the distribution group.
This reference attribute can take senders in any of the following formats:
l Alias
l Canonical DN
l Display name
l Distinguished name (DN)
l Domain\account
l GUID
l Immutable ID
l Legacy Exchange DN
l SMTP address
l User principal name
This reference attribute only accepts the following object type:
l Mailbox

HiddenFromAddressListsEnabled (Read, Write)
Gets or sets whether or not Microsoft 365 hides the distribution group from the address
lists.
This attribute can take one of the following values:
l TRUE: Specifies to hide the distribution group from the address lists.
l FALSE (default): Specifies to display the distribution group in the address lists.

IgnoreNamingPolicy (Write)
Sets whether or not to ignore the naming policy applicable to the distribution groups
created in the organization.
This attribute can take one of the following values:
l TRUE: Specifies to ignore the applicable naming policy.
l FALSE: Specifies to use the applicable naming policy.
IsSecurity (Read, Write)
Gets or sets whether the distribution group is a security distribution group.
NOTE: This attribute allows you to write data only when you use the Microsoft 365
Connector to perform a create operation in Microsoft 365.

MailTip (Read, Write)
Gets or sets the message displayed to senders when they start writing an email message
to the distribution group.

MailTipTranslations (Read, Write)
Gets or sets the MailTip message translations in additional languages.
This attribute accepts the following format:
<LanguageLocale>:<MailTipMessageTranslation>
A MailTip message translation cannot exceed 250 characters.

ManagedBy (Read, Write)
Gets or sets the owner of the distribution group.
This reference attribute accepts the following object types:
l Mailbox
l MailUser

Member (Read, Write)
Gets or sets the members of the distribution group by using their Object IDs.
NOTE: This attribute only allows you to write data when you use the Microsoft 365
Connector to perform an update operation in Microsoft 365.

MemberDepartRestriction (Read, Write)
Gets or sets the restrictions applicable to the members who want to leave the
distribution group.
This attribute can take one of the following values:
l Open
l Closed
l ApprovalRequired

MemberJoinRestriction (Read, Write)
Gets or sets the restrictions applicable to the members who want to join the
distribution group.
This attribute can take one of the following values:
l Open
l Closed
l ApprovalRequired

Member (Read, Write)
Gets or sets the members of the distribution group.

ModeratedBy (Read, Write)
Gets or sets the users who are moderating the messages sent to the distribution group.
To specify multiple users, use a comma as a separator.
This reference attribute can take users in any of the following formats:
l Alias
l Canonical DN
l Display name
l Distinguished name (DN)
l Domain\account
l GUID
l Immutable ID
l Legacy Exchange DN
l SMTP address
l User principal name
This attribute is required if you set the value of the ModerationEnabled attribute to
TRUE.
This reference attribute accepts the following object types:
l Mailbox
l MailUser

ModerationEnabled (Read, Write)
Gets or sets whether moderation is enabled for the distribution group.
This attribute can take one of the following values:
l TRUE
l FALSE

Name (Read, Write)
Gets or sets the name of the distribution group.

Notes (Read, Write)
Gets or sets notes about the distribution group.
NOTE: This attribute allows you to write data only when you use the Microsoft 365
Connector to create an object in Microsoft 365.

ObjectID (Read)
Gets the unique object identifier (GUID).

PrimarySmtpAddress (Read, Write)
Gets or sets the primary SMTP address (the primary email address) of the distribution
group.

RejectMessagesFrom (Read, Write)
Gets or sets the senders whose messages to the distribution group are rejected.
This reference attribute can take senders in one of the following formats:
l Alias
l Canonical DN
l Display name
l Distinguished name (DN)
l Domain\account
l GUID
l Immutable ID
l Legacy Exchange DN
l SMTP address
l User principal name
This reference attribute accepts the following object types:
l Contact
l Mailbox

RejectMessagesFromDLMembers (Read, Write)
Gets or sets the distribution groups whose members cannot send email messages to the
distribution group (their messages are rejected).
This reference attribute can take distribution groups in one of the following formats:
l Alias
l Canonical DN
l Display name
l Distinguished name (DN)
l Domain\account
l GUID
l Immutable ID
l Legacy Exchange DN
l SMTP address
l User principal name
This reference attribute accepts the following object types:
l DistributionGroup
l DynamicDistributionGroup

RejectMessagesFromSendersOrMembers (Read, Write)
Gets or sets the senders that cannot send email messages to the distribution group
(their messages are rejected).
This reference attribute can take senders in one of the following formats:
l Alias
l Canonical DN
l Display name
l Distinguished name (DN)
l Domain\account
l GUID
l Immutable ID
l Legacy Exchange DN
l SMTP address
l User principal name
This reference attribute accepts the following object types:
l Contact
l DynamicDistributionGroup
l DistributionGroup
l Mailbox

ReportToManagerEnabled Gets or sets whether delivery reports Read,

Active Roles 8.1.3 Synchronization Service Administration Guide


240
Attribute Description Supporte
d
operatio
ns

are sent to the manager of the Write


distribution group.
This attribute can take one of the
following values:
l TRUE
l FALSE

ReportToOriginatorEnabled Gets or sets whether delivery reports Read,


are sent to the senders who sent email Write
messages to the distribution group.
RequireSenderAuthenticationEnab Gets or sets whether the senders that Read,
led send messages to this distribution Write
group must be authenticated.
This attribute can take one of the
following values:
l TRUE
l FALSE

SendModerationNotifications Gets or sets whether to send status Read,


notifications to senders when a Write
message they send to the moderated
distribution group is rejected by a
moderator.
This attribute can take one of the
following values:
l Always: Specifies that
notifications are sent to all
senders.
l Internal: Specifies that
notifications are only sent to the
senders internal to your
organization.
l Never: Specifies that all status
notifications are disabled.
SendOofMessageToOriginatorEnabl Gets or sets a value that specifies Read,
ed whether or not to deliver out-of-office Write
messages to the user who sent an email
message to the distribution group.

Active Roles 8.1.3 Synchronization Service Administration Guide


241
Attribute Description Supporte
d
operatio
ns

This attribute can take one of the


following values:
l TRUE
l FALSE

SimpleDisplayName Gets or sets an alternate description of Read,


the distribution group in a situation Write
where a limited set of characters is
allowed.
The limited set of characters includes
ASCII characters from 26 to 126.
UMDtmfMap Gets or sets whether to create a user- Read,
defined DTMF map for the distribution Write
group if it has Unified Messaging
enabled.
WindowsEmailAddress Gets or sets the email address of the Read,
distribution group stored in Active Write
Directory.

Domain object attributes

Table 78: Domain object attributes

Attribute (supported operations): Description

Authentication (Read)
    Gets the authentication method with which the domain in Microsoft 365 authenticates users.
    This attribute can take one of the following values:
    - Managed: Indicates that the domain uses Microsoft 365 authentication.
    - Federated: Indicates that the domain uses Single Sign-on (SSO) to authenticate users.

DomainName (Read)
    Gets the domain name in Microsoft 365.

DomainServices (Read)
    Gets the Microsoft 365 services available in the domain.

IsDefault (Read)
    Gets whether the domain is the default domain in Microsoft 365.

IsInitial (Read)
    Gets whether the domain is the initial domain in Microsoft 365.

ObjectID (Read)
    Gets the unique object identifier (GUID).

Status (Read)
    Gets whether the domain is verified with Microsoft 365.
    This attribute can take one of the following values:
    - Verified: Indicates that the domain is verified.
    - Unverified: Indicates that the domain is not verified.

DynamicDistributionGroup object attributes

Table 79: DynamicDistributionGroup object attributes

Attribute (supported operations): Description

AcceptMessagesOnlyFrom (Read, Write)
    Gets or sets the senders that can send email messages to the dynamic distribution group.
    This reference attribute can take senders in any of the following formats:
    - Alias
    - Canonical name
    - Display name
    - DN
    - Exchange DN
    - GUID
    - Name
    - Primary SMTP email address
    This reference attribute accepts the following object types:
    - MailUser
    - Mailbox
    - Contact

AcceptMessagesOnlyFromDLMembers (Read, Write)
    Gets or sets the distribution groups whose members are allowed to send email messages to the dynamic distribution group.
    This reference attribute accepts any of the following values for the distribution groups:
    - DN
    - Canonical name
    - GUID
    - Name
    - Display name
    - Legacy Exchange DN
    - Primary SMTP email address
    This reference attribute accepts the following object types:
    - DistributionGroup
    - DynamicDistributionGroup

AcceptMessagesOnlyFromSendersOrMembers (Read, Write)
    Gets or sets the senders who can send email messages to the dynamic distribution group.
    This reference attribute can take any of the following values for the senders:
    - DN
    - Canonical name
    - GUID
    - Name
    - Display name
    - Alias
    - Exchange DN
    - Primary SMTP email address
    This reference attribute accepts the following object types:
    - Contact
    - DistributionGroup
    - DynamicDistributionGroup
    - Mailbox
    - MailUser

Alias (Read, Write)
    Gets or sets the alias of the dynamic distribution group.

BypassModerationFromSendersOrMembers (Read, Write)
    Gets or sets the senders whose messages bypass moderation for the dynamic distribution group.
    This reference attribute can take any of the following values for the senders:
    - DN
    - Canonical name
    - GUID
    - Name
    - Display name
    - Legacy Exchange DN
    - Primary SMTP email address
    The values in this attribute do not apply to the senders that are the moderators of the dynamic distribution group.
    This reference attribute accepts the following object types:
    - Contact
    - DistributionGroup
    - DynamicDistributionGroup
    - Mailbox
    - MailUser

ConditionalCustomAttribute1 through ConditionalCustomAttribute15 (Read, Write)
    Allow you to get or set recipients based on the corresponding CustomAttribute<Number> value. For example, ConditionalCustomAttribute1 corresponds to CustomAttribute1, ConditionalCustomAttribute2 corresponds to CustomAttribute2, and so on.

ConditionalDepartment (Read, Write)
    Uses the Department field to get or set the recipients used to build the dynamic distribution group.
    A comma that separates values of this multivalued attribute acts as the OR operator.
    NOTE: When writing data using this attribute, you cannot use the RecipientFilter attribute to write data.

ConditionalStateOrProvince (Read, Write)
    Uses the State/Province field to get or set the recipients used to build the dynamic distribution group.
    A comma that separates values of this multivalued attribute acts as the OR operator.

CustomAttribute1 through CustomAttribute15 (Read, Write)
    Get or set the additional custom values you specify.

DisplayName (Read, Write)
    Gets or sets the display name of the dynamic distribution group.

EmailAddresses (Read, Write)
    Gets or sets the email addresses of the dynamic distribution group. When specifying two or more email addresses in this multivalued attribute, use a comma as a separator.

GrantSendOnBehalfTo (Read, Write)
    Gets or sets the distinguished name (DN) of other senders that can send messages on behalf of the dynamic distribution group.
    This reference attribute only accepts the following object type:
    - Mailbox

IncludedRecipients (Read, Write)
    Gets or sets the recipient types used to build the dynamic distribution group.
    This attribute can take the following values:
    - AllRecipients
    - MailContacts
    - MailGroups
    - MailUsers
    - MailboxUsers
    - Resources
    - None
    NOTE: You can use combinations of these values, except the AllRecipients value. No other value can be used along with the AllRecipients value.

LdapRecipientFilter (Read)
    Gets the recipient filter that was created by using the RecipientFilter attribute.

ManagedBy (Read, Write)
    Gets or sets the owner of the dynamic distribution group.
    This reference attribute accepts the following object types:
    - Mailbox
    - MailUser

ManagedBy (Read, Write)
    Gets or sets the name of the mail-enabled user, group, or contact displayed on the Managed by tab of the Active Directory object.
    This reference attribute accepts the name in one of the following formats:
    - Alias
    - Canonical DN
    - Display Name
    - Distinguished Name (DN)
    - Domain\Account
    - GUID
    - Immutable ID
    - Legacy Exchange DN
    - SMTP Address
    - User Principal Name
    This reference attribute accepts the following object types:
    - Mailbox
    - MailUser

ModeratedBy (Read, Write)
    Gets or sets the users who are moderating the messages sent to the dynamic distribution group. To specify multiple users, use a comma as a separator.
    This reference attribute is required if you set the value of the ModerationEnabled attribute to TRUE.
    This reference attribute accepts the following object types:
    - Mailbox
    - MailUser

ModerationEnabled (Read, Write)
    Gets or sets whether moderation is enabled for the dynamic distribution group.
    This attribute can take one of the following values:
    - TRUE
    - FALSE

Name (Read, Write)
    Gets or sets the name of the dynamic distribution group.

Notes (Read, Write)
    Gets or sets comments for the dynamic distribution group.

ObjectID (Read)
    Gets the unique object identifier (GUID).

PhoneticDisplayName (Read, Write)
    Gets or sets a phonetic pronunciation of the value specified in the DisplayName attribute.

PrimarySmtpAddress (Read, Write)
    Gets or sets the primary return SMTP email address of the dynamic distribution group. You can use this attribute if the group has two or more SMTP email addresses.

RecipientContainer (Read, Write)
    Gets or sets the recipients used to build the dynamic distribution group, based on their location in Active Directory.
    This attribute can take the canonical name of the Active Directory Organizational Unit (OU) or domain where the recipients reside. When this attribute is omitted, the local container is used.

RecipientFilter (Read, Write)
    Gets or sets the mail-enabled recipients to be included in the dynamic distribution group. This attribute accepts OPATH filtering syntax.
    Syntax example:
    ((Company -eq 'MyCompany') -and (City -eq 'London'))
    NOTE: When writing data using this attribute, you cannot use any of the following attributes to write data:
    - IncludedRecipients
    - ConditionalCompany
    - ConditionalCustomAttribute<Number>
    - ConditionalDepartment
    - ConditionalStateOrProvince

RejectMessagesFrom (Read, Write)
    Gets or sets the senders whose messages to the dynamic distribution group are rejected.
    This reference attribute can take senders in one of the following formats:
    - Alias
    - Canonical DN
    - Display name
    - Distinguished name (DN)
    - Domain\account
    - GUID
    - Immutable ID
    - Legacy Exchange DN
    - SMTP address
    - User principal name
    This reference attribute accepts the following object types:
    - Contact
    - Mailbox

RejectMessagesFromDLMembers (Read, Write)
    Gets or sets the distribution groups whose members cannot send email messages to the dynamic distribution group (their messages are rejected).
    This reference attribute can take distribution groups in one of the following formats:
    - Alias
    - Canonical DN
    - Display name
    - Distinguished name (DN)
    - Domain\account
    - GUID
    - Immutable ID
    - Legacy Exchange DN
    - SMTP address
    - User principal name
    This reference attribute accepts the following object types:
    - DistributionGroup
    - DynamicDistributionGroup

RejectMessagesFromSendersOrMembers (Read, Write)
    Gets or sets the senders that cannot send email messages to the dynamic distribution group (their messages are rejected).
    This reference attribute can take senders in one of the following formats:
    - Alias
    - Canonical DN
    - Display name
    - Distinguished name (DN)
    - Domain\account
    - GUID
    - Immutable ID
    - Legacy Exchange DN
    - SMTP address
    - User principal name
    This reference attribute accepts the following object types:
    - Contact
    - DistributionGroup
    - DynamicDistributionGroup
    - Mailbox

ReportToManagerEnabled (Read, Write)
    Gets or sets a value that specifies whether or not to send delivery reports to the dynamic distribution group manager.
    This Boolean attribute can take one of the following values:
    - TRUE: Indicates that delivery reports are enabled.
    - FALSE (default): Indicates that delivery reports are disabled.

ReportToOriginatorEnabled (Read, Write)
    Gets or sets a value that specifies whether or not to send delivery reports to the user who sent an email message to the dynamic distribution group.
    This Boolean attribute can take one of the following values:
    - TRUE: Indicates that delivery reports are enabled.
    - FALSE (default): Indicates that delivery reports are disabled.

SendModerationNotifications (Read, Write)
    Gets or sets whether or not to send a notification to the sender whose message to the moderated dynamic distribution group is rejected by a moderator.
    This attribute can take one of the following values:
    - Always: Indicates that moderation notifications are sent to all senders.
    - Internal: Indicates that moderation notifications are sent to the internal senders only.
    - Never: Indicates that moderation notifications are disabled.

SendOofMessageToOriginatorEnabled (Read, Write)
    Gets or sets a value that specifies whether or not to deliver out-of-office messages to the user who sent an email message to the dynamic distribution group.
    This attribute can take one of the following values:
    - TRUE
    - FALSE
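The write rules stated in Table 79 for IncludedRecipients, RecipientFilter and the Conditional* attributes, checked in code before a mapping hands the values to the Microsoft 365 Connector. This is an added example, not code from the guide or from One Identity: the attribute names and allowed values are the guide's, while the validate_ddg_write and conditional_to_opath functions, the sample writes, and the OPATH rendering of the comma-as-OR rule are my own constructions rather than the connector's internal behaviour.

```python
import re

# Values the guide lists for IncludedRecipients.
INCLUDED_RECIPIENT_VALUES = {
    "AllRecipients", "MailContacts", "MailGroups", "MailUsers",
    "MailboxUsers", "Resources", "None",
}

# Attributes that, per the guide, cannot be written in the same
# operation as RecipientFilter (ConditionalCustomAttribute1..15 included).
FILTER_EXCLUSIVE = {
    "IncludedRecipients", "ConditionalCompany",
    "ConditionalDepartment", "ConditionalStateOrProvince",
}
CONDITIONAL_CUSTOM = re.compile(r"^ConditionalCustomAttribute(1[0-5]|[1-9])$")


def split_or_values(value: str) -> list[str]:
    """Split a multivalued Conditional* value; the comma acts as OR."""
    return [v.strip() for v in value.split(",") if v.strip()]


def conditional_to_opath(field: str, value: str) -> str:
    """Render the OR semantics of a Conditional* value as an OPATH expression.
    Hypothetical illustration only; the guide does not show how the
    connector derives LdapRecipientFilter from these attributes."""
    terms = []
    for v in split_or_values(value):
        quoted = v.replace("'", "''")  # PowerShell single-quote escaping
        terms.append(f"({field} -eq '{quoted}')")
    return "(" + " -or ".join(terms) + ")"


def conflicts_with_filter(name: str) -> bool:
    """True if writing `name` alongside RecipientFilter is disallowed."""
    return name in FILTER_EXCLUSIVE or CONDITIONAL_CUSTOM.match(name) is not None


def validate_ddg_write(attrs: dict[str, str]) -> list[str]:
    """Return the rule violations in a proposed attribute write (empty = OK)."""
    findings: list[str] = []

    included = attrs.get("IncludedRecipients")
    if included is not None:
        values = split_or_values(included)
        unknown = sorted(v for v in values if v not in INCLUDED_RECIPIENT_VALUES)
        if unknown:
            findings.append(f"IncludedRecipients: unknown value(s) {unknown}")
        # AllRecipients is exclusive; any other value beside it is an error.
        if "AllRecipients" in values and len(values) > 1:
            findings.append("IncludedRecipients: AllRecipients cannot be "
                            "combined with any other value")

    rfilter = attrs.get("RecipientFilter")
    if rfilter is not None:
        clash = sorted(a for a in attrs if conflicts_with_filter(a))
        if clash:
            findings.append(f"RecipientFilter cannot be written together with {clash}")
        # Cheap sanity checks on the OPATH text before it reaches Exchange.
        if rfilter.count("(") != rfilter.count(")"):
            findings.append("RecipientFilter: unbalanced parentheses")
        if rfilter.count("'") % 2:
            findings.append("RecipientFilter: unbalanced single quotes")

    return findings


if __name__ == "__main__":
    # Constructed sample writes, not taken from a real tenant.
    by_type = {"IncludedRecipients": "MailboxUsers, MailUsers",
               "ConditionalDepartment": "Sales, Finance"}
    by_filter = {"RecipientFilter": "((Company -eq 'MyCompany') -and (City -eq 'London'))",
                 "ConditionalCustomAttribute3": "Contractor"}
    print(validate_ddg_write(by_type))    # []
    print(validate_ddg_write(by_filter))  # one finding: the Conditional* clash
    print(conditional_to_opath("Department", by_type["ConditionalDepartment"]))
```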

ExternalAccessPolicy object attributes

Table 80: ExternalAccessPolicy object attributes

Attribute (supported operations): Description

Anchor (Read)
    Gets the Anchor property value of the policy.

Description (Read)
    Gets the policy description.

Identity (Read)
    Gets the unique identifier assigned to the policy.

Members (Read)
    Gets the users who have been assigned the policy.

ObjectID (Read)
    Gets the unique object identifier (GUID).

HostedVoicemailPolicy object attributes

Table 81: HostedVoicemailPolicy object attributes

Attribute (supported operations): Description

Anchor (Read)
    Gets the Anchor property value of the policy.

Description (Read)
    Gets the policy description.

Identity (Read)
    Gets the unique identifier assigned to the policy.

Members (Read)
    Gets the users who have been assigned the policy.

ObjectID (Read)
    Gets the unique object identifier (GUID).

LicensePlanService object attributes

Table 82: LicensePlanService object attributes

Attribute (supported operations): Description

AssignedLicenses (Read)
    Gets the number of used licenses in Microsoft 365. This number includes both valid and expired licenses that are currently assigned.

ExpiredLicenses (Read)
    Gets the number of expired licenses in Microsoft 365.

ObjectID (Read)
    Gets the unique object identifier (GUID).

PlanDisplayName (Read)
    Gets the name of the currently used license plan in the form it is displayed on the Microsoft 365 graphical user interface.

PlanName (Read)
    Gets the name of the currently used license plan in the form it is returned by the Windows PowerShell cmdlets for Microsoft 365.

ReducedFunctionalityLicenses (Read)
    Gets the number of licenses that are currently in the reduced functionality mode (RFM).

RelatedAttributeName (Read)
    Gets the name of the attribute in the Microsoft 365 Connector schema that allows you to work (for example, read and write) with the specified Microsoft 365 service.

ServiceDisplayName (Read)
    Gets the license service name in the form it is displayed on the Microsoft 365 graphical user interface. Service names are the names of the check boxes displayed under a license plan.

ServiceName (Read)
    Gets the license service name in the form it is returned by the Windows PowerShell cmdlets for Microsoft 365.

ValidLicenses (Read)
    Gets the number of valid licenses in Microsoft 365. This number includes both assigned and available licenses.

Mailbox object attributes

Table 83: Mailbox object attributes

Attribute (supported operations): Description

AcceptMessagesOnlyFrom (Read, Write)
    Gets or sets the senders that can send email messages to the specified mailbox.
    This reference attribute accepts any of the following values for the senders:
    - DN
    - Canonical name
    - GUID
    - Name
    - Display name
    - Alias
    - Exchange DN
    - Primary SMTP email address
    This reference attribute accepts the following object types:
    - MailUser
    - Mailbox
    - Contact

AcceptMessagesOnlyFromDLMembers (Read, Write)
    Gets or sets the distribution groups whose members are allowed to send email messages to the specified mailbox.
    This reference attribute accepts any of the following values for the distribution groups:
    - DN
    - Canonical name
    - GUID
    - Name
    - Display name
    - Legacy Exchange DN
    - Primary SMTP email address
    This reference attribute accepts the following object types:
    - DistributionGroup
    - DynamicDistributionGroup

AcceptMessagesOnlyFromSendersOrMembers (Read, Write)
    Gets or sets the senders who can send email messages to the specified mailbox.
    This reference attribute can take any of the following values for the senders:
    - DN
    - Canonical name
    - GUID
    - Name
    - Display name
    - Alias
    - Exchange DN
    - Primary SMTP email address
    This reference attribute accepts the following object types:
    - Contact
    - DistributionGroup
    - DynamicDistributionGroup
    - Mailbox
    - MailUser

Alias (Read, Write)
    Gets or sets the alias of the mailbox user.

ApplyMandatoryProperties (Write)
    Sets whether to modify the mandatory properties of a legacy mailbox. For example, you can use this attribute to remove the legacyMailbox tag from a legacy mailbox residing on an Exchange Server 2010 or check whether this tag exists on the mailbox.
    This attribute can take one of the following values:
    - TRUE: Specifies that the legacyMailbox tag does not exist on the mailbox.
    - FALSE: Specifies that the legacyMailbox tag exists on the mailbox.

ArchiveName (Read, Write)
    Gets or sets the name of the archive mailbox. This is the name displayed on the user interface in Microsoft Office Outlook Web App and Microsoft Outlook.

AuditAdmin (Read, Write)
    Gets or sets the operations to log for administrators.
    This attribute can take the following values:
    - None
    - Update
    - Copy
    - Move
    - MoveToDeletedItems
    - SoftDelete
    - HardDelete
    - FolderBind
    - SendAs
    - SendOnBehalf
    - MessageBind
    To enable mailbox audit logging, set the value of the AuditEnabled attribute to TRUE.

AuditDelegate (Read, Write)
    Gets or sets the operations to log for delegate users.
    This attribute can take the following values:
    - None
    - Update
    - Move
    - MoveToDeletedItems
    - SoftDelete
    - HardDelete
    - FolderBind
    - SendAs
    - SendOnBehalf
    To enable mailbox audit logging, set the value of the AuditEnabled attribute to TRUE.

AuditEnabled (Read, Write)
    Gets or sets whether mailbox audit logging is enabled or disabled. If mailbox audit logging is enabled, the operations specified in the AuditAdmin, AuditDelegate, and AuditOwner attributes are logged.
    This attribute can take one of the following values:
    - TRUE: Specifies that mailbox audit logging is enabled.
    - FALSE: Specifies that mailbox audit logging is disabled.

AuditLogAgeLimit (Read, Write)
    Gets or sets the retention period for the mailbox audit logs. Logs whose age exceeds the specified retention period are deleted.
    This attribute accepts the following format for the retention period:
    DD.HH:MM:SS
    The maximum value this attribute can accept is 24855.03:14:07.
    Example 1: 30.05:00:00 specifies to retain the mailbox audit logs for 30 days and 5 hours.
    Example 2: 00.00:00:00 specifies that the mailbox audit logs are never deleted.

BypassModerationFromSendersOrMembers (Read, Write)
    Gets or sets the senders whose messages bypass moderation for the mailbox.
    This reference attribute can take any of the following values for the senders:
    - DN
    - Canonical name
    - GUID
    - Name
    - Display name
    - Legacy Exchange DN
    - Primary SMTP email address
    The values in this attribute do not apply to the senders that are the moderators of the mailbox.
    This reference attribute accepts the following object types:
    - Contact
    - DistributionGroup
    - DynamicDistributionGroup
    - Mailbox
    - MailUser

CalendarRepairDisabled (Read, Write)
    Gets or sets whether the calendar items in the mailbox can be repaired by the Calendar Repair Assistant.
    This attribute can take one of the following values:
    - TRUE: Specifies that repair operations are enabled.
    - FALSE: Specifies that repair operations are disabled.

CalendarVersionStoreDisabled (Read, Write)
    Gets or sets whether to log calendar changes in the mailbox.
    This attribute can take one of the following values:
    - TRUE: Specifies that calendar changes are logged.
    - FALSE: Specifies that calendar changes are not logged.

CreateDTMFMap (Write)
    Sets whether to create a dual-tone multi-frequency (DTMF) map for the mailbox user.

CustomAttribute1 through CustomAttribute15 (Read, Write)
    Get or set the additional custom values you specify.

DeliverToMailboxAndForward (Read, Write)
    Gets or sets whether this mailbox receives forwarded messages in case message forwarding to another address is configured for the mailbox.
    This attribute can take one of the following values:
    - TRUE: Specifies that messages are delivered to this mailbox and to the forwarding address.
    - FALSE: Specifies that messages are delivered to the forwarding address only and not to this mailbox.

DisplayName (Read, Write)
    Gets or sets the display name of the user account associated with the mailbox.

EmailAddresses (Read, Write)
    Gets or sets all the proxy addresses of the mailbox. The proxy addresses also include the primary SMTP address. When writing proxy addresses using this attribute, make sure the specified addresses are valid, because the addresses are not validated by Exchange.

EndDateForRetentionHold (Read, Write)
    Gets or sets the retention hold end date for messaging records management (MRM). To enable or disable retention hold, use the RetentionHoldEnabled attribute.

ExternalDirectoryObjectId (Read)
    Gets the GUID of the user to whom the mailbox belongs.

ExternalOofOptions (Read, Write)
    Gets or sets whether the Out of Office message is sent to external senders.
    This attribute can take one of the following values:
    - External
    - InternalOnly

ExtensionCustomAttribute1 through ExtensionCustomAttribute5 (Read, Write)
    Get or set the additional custom values you specify. These attributes are multivalued.

ForwardingAddress (Read, Write)
    Gets or sets a forwarding address for the mailbox.

ForwardingSmtpAddress (Read, Write)
    Gets or sets a forwarding SMTP address for the mailbox.

GrantSendOnBehalfTo (Read, Write)
    Gets or sets the distinguished name (DN) of other senders that can send messages on behalf of the mailbox.
    This reference attribute only accepts the following object type:
    - Mailbox

HiddenFromAddressListsEnabled (Read, Write)
    Gets or sets whether this mailbox is hidden from address lists.
    This attribute can take one of the following values:
    - TRUE: Specifies that the mailbox is hidden from address lists.
    - FALSE: Specifies that the mailbox is shown in address lists.

ImmutableId (Read, Write)
    Gets or sets a unique immutable ID in the form of an SMTP address.

IsEquipment (Read, Write)
    Gets or sets whether the mailbox belongs to a piece of equipment.
    This attribute can take one of the following values:
    - TRUE: Indicates that the mailbox is an equipment mailbox.
    - FALSE: Indicates that the mailbox is not an equipment mailbox.

IsRegular (Read, Write)
    Gets or sets whether the mailbox belongs to a user.
    This attribute can take one of the following values:
    - TRUE: Indicates that the mailbox belongs to a user.
    - FALSE: Indicates that the mailbox does not belong to a user.

IsRoom (Read, Write)
    Gets or sets whether the mailbox belongs to a room.
    This attribute can take one of the following values:
    - TRUE: Indicates that the mailbox belongs to a room.
    - FALSE: Indicates that the mailbox does not belong to a room.

IsShared (Read, Write)
    Gets or sets whether the mailbox is shared.
    This attribute can take one of the following values:
    - TRUE: Indicates that the mailbox is shared.
    - FALSE: Indicates that the mailbox is not shared.

IssueWarningQuota (Read, Write)
    Gets or sets the mailbox size at which a warning message is sent to the mailbox user.
    To specify a mailbox size, use an integer value. To disable the warning, set the value of this attribute to Unlimited.
    The value set on a mailbox by using this attribute overrides the value specified for the entire mailbox database.

IsValid (Read)
    Gets whether or not the mailbox object is configured correctly.
    This attribute can take one of the following values:
    - TRUE: Indicates that the mailbox object is configured correctly.
    - FALSE: Indicates that the mailbox object is not configured correctly.

Languages (Read, Write)
    Gets or sets the preferred languages for the mailbox in the order of their priority.

LitigationHoldDate (Read, Write)
    Gets or sets the date when the mailbox is placed on litigation hold. This date is only used for informational or reporting purposes.

LitigationHoldDuration (Read, Write)
    Gets or sets the litigation hold duration for the mailbox in days.

LitigationHoldEnabled (Read, Write)
    Gets or sets whether litigation hold is enabled for the mailbox. When a mailbox is on litigation hold, messages cannot be deleted from the mailbox.
    This attribute can take one of the following values:
    - TRUE: Specifies that litigation hold is enabled.
    - FALSE: Specifies that litigation hold is not enabled.

LitigationHoldOwner (Read, Write)
    Gets or sets the user who put the mailbox on litigation hold.

MailboxPlan (Read, Write)
    Gets or sets the mailbox plan name associated with the mailbox. When setting a mailbox plan name, make sure that the plan name exists for the organization in which the mailbox resides.

MailTip (Read, Write)
    Gets or sets the message displayed to senders when they start writing an email message to this recipient.

MailTipTranslations (Read, Write)
    Gets or sets the MailTip message translations in additional languages.
    This attribute accepts the following format:
    <LanguageLocale>:<MailTipMessageTranslation>
    A MailTip message translation cannot exceed 250 characters.

MessageTrackingReadStatusEnabled (Read, Write)
    Gets or sets whether the read status of sent messages is provided to the senders who sent messages to this mailbox.
    This attribute can take one of the following values:
    - TRUE
    - FALSE

ModeratedBy (Read, Write)
    Gets or sets the users who are moderating the messages sent to the mailbox. To specify multiple users, use a comma as a separator.
    This reference attribute is required if you set the value of the ModerationEnabled attribute to TRUE.
    This reference attribute accepts the following object types:
    - Mailbox
    - MailUser

ModerationEnabled (Read, Write)
    Gets or sets whether moderation is enabled for the mailbox.
    This attribute can take one of the following values:
    - TRUE
    - FALSE

Name (Read, Write)
    Gets or sets the name of the mailbox user. This is the name that displays in the Active Directory Users and Computers tool.

ObjectID (Read)
    Gets the unique object identifier (GUID).

Office (Read, Write)
    Gets or sets the Microsoft Office attribute for the mailbox.

Password (Write)
    Sets the password for the user account associated with the mailbox.

PrimarySmtpAddress (Read, Write)
    Gets or sets the originating email address displayed to the external recipients of a message sent from the mailbox.

ProhibitSendQuota (Read, Write)
    Gets or sets the mailbox size at which the mailbox user can no longer send messages.
    To specify a mailbox size, use an integer value. To disable the send quota, set the value of this attribute to Unlimited.
    The value set on a mailbox by using this attribute overrides the value specified for the entire mailbox database.

ProhibitSendReceiveQuota (Read, Write)
    Gets or sets the mailbox size at which the mailbox user can no longer send or receive messages.
    To specify a mailbox size, use an integer value. To disable the send and receive quota, set the value of this attribute to Unlimited.
    The value set on a mailbox by using this attribute overrides the value specified for the entire mailbox database.

RejectMessagesFrom (Read, Write)
    Gets or sets the senders whose messages are rejected by the mailbox.
    This reference attribute accepts the following object types:
    - Contact
    - Mailbox

RejectMessagesFromDLMembers (Read, Write)
    Gets or sets the distribution groups whose members cannot send email messages to the mailbox (their messages are rejected).
    This reference attribute accepts the following object types:
    - DistributionGroup
    - DynamicDistributionGroup

RejectMessagesFromSendersOrMembers (Read, Write)
    Gets or sets the senders that cannot send email messages to the mailbox (their messages are rejected).
    This attribute can take any of the following values for the recipients:
    - DN
    - Canonical name
    - GUID
    - Name
l Display name
l Alias
l Exchange DN
l Primary SMTP email address

This reference attribute accepts the


following object types:
l Contact
l DistributionGroup
l DynamicDistributionGroup
l Mailbox

RequireSenderAuthenticationEnab Gets or sets whether senders must be Read,


led authenticated. Write
This attribute can take one of the
following values:
l TRUE
l FALSE

ResourceCapacity Gets or sets the maximum number of Read,


people that can be accommodated by Write
the room to which the mailbox belongs.
ResourceCustom Gets or sets additional information Read,
about the resource. Write
RetainDeletedItemsFor Gets or sets for how long to keep Read,
deleted items. Write
This attribute accepts the following
format:
DD.HH:MM:SS

Example

Active Roles 8.1.3 Synchronization Service Administration Guide


272
Attribute Description Supporte
d
operatio
ns

10.00:00:00
Specifies to retain deleted items for 10
days 00 hours 00 minutes and 00
seconds.
RetentionComment Gets or sets a comment on user’s hold Read,
status. This comment is displayed in Write
Outlook.
You can only write the value of this
attribute if the value of the
RetentionHoldEnabled attribute is set to
TRUE.
RetentionHoldEnabled Gets or sets whether retention hold is Read,
enabled for messaging retention Write
policies.
This attribute can take one of the
following values:
l TRUE
l FALSE

RetentionPolicy Gets or sets the name of a retention Read,


policy to be applied to the folders and Write
mail items in this mailbox.
RetentionUrl Gets or sets the URL of a Web site Read,
providing additional details about the Write
organization's messaging retention
policies.
RoleAssignmentPolicy Gets or sets the management role Read,
assignment policy to assign to the Write
mailbox when it is created or enabled.
If the assignment policy name you want
to specify contains spaces, use
quotation marks around the name.
If you omit this attribute when creating
or enabling a mailbox, the default
assignment policy is used.
If you do not want to assign an
assignment policy, set an empty value

Active Roles 8.1.3 Synchronization Service Administration Guide


273
Attribute Description Supporte
d
operatio
ns

in this attribute.
RulesQuota Gets or sets the limit for the size of rules Read,
for the mailbox. Write
Qualify the value you specify in this
attribute by appending B (bytes) or KB
(kilobytes). Unqualified values are
treated as bytes. The maximum value
this attribute accepts is 256 KB.
SecondaryAddress Sets the secondary address used by the Write
UM-enabled user.
SecondaryDialPlan Sets a secondary UM dial plan to use. Write
SendModerationNotifications Gets or sets whether to send status Read,
notifications to users when a message Write
they sent to the moderated distribution
group is rejected by a moderator.
This attribute can take one of the
following values:
l Always: Specifies that
notifications are sent to all
senders.
l Internal: Specifies that
notifications are only sent to the
internal senders in your
organization.
l Never: Specifies that all status
notifications are disabled.
SharingPolicy Gets or sets the sharing policy Read,
associated with the mailbox. Write
SimpleDisplayName Gets or sets an alternate description of Read,
the mailbox in a situation where a Write
limited set of characters is allowed. The
limited set of characters includes ASCII
characters 26 through 126.
SingleItemRecoveryEnabled Gets or sets whether to enable or Read,
disable the purging of recovery items. Write
This attribute can take one of the

Active Roles 8.1.3 Synchronization Service Administration Guide


274
Attribute Description Supporte
d
operatio
ns

following values:
l TRUE: Specifies to disable the
purging of recovery items.
l FALSE: Specifies to enable the
purging of recovery items.
UMDtmfMap Gets or sets whether to create a user- Read,
defined DTMF map for the user if it has Write
Unified Messaging enabled.
UsageLocation Gets a two-letter country code that Read
defines the location of the user. Usage
location determines the services
available to the user.
For example:
l FR
l GB
l NL
UserCertificate Gets or sets the digital certificate used Read,
to sign email messages of the user. Write
UserPrincipalName Gets or sets the logon name of the Read,
mailbox user. Write
UserSMimeCertificate Gets or sets the SMIME certificate used Read,
to sign email messages of the user. Write

MailUser object attributes

Table 84: MailUser object attributes

Attribute (supported operations)
  Description

AcceptMessagesOnlyFrom (Read, Write)
  Gets or sets the senders that can send email messages to the specified mail user.
  This reference attribute can take senders in any of the following formats:
  - Alias
  - Canonical name
  - Display name
  - DN
  - Exchange DN
  - GUID
  - Name
  - Primary SMTP email address
  This reference attribute accepts the following object types:
  - MailUser
  - Mailbox
  - Contact

AcceptMessagesOnlyFromDLMembers (Read, Write)
  Gets or sets the distribution groups whose members are allowed to send email messages to the specified mail user.
  This reference attribute can take distribution groups in any of the following formats:
  - Canonical name
  - Display name
  - DN
  - GUID
  - Legacy Exchange DN
  - Name
  - Primary SMTP email address
  This reference attribute accepts the following object types:
  - DistributionGroup
  - DynamicDistributionGroup

AcceptMessagesOnlyFromSendersOrMembers (Read, Write)
  Gets or sets the senders who can send email messages to the mail user.
  This reference attribute can take senders in any of the following formats:
  - Alias
  - Canonical name
  - Display name
  - DN
  - GUID
  - Name
  - Legacy Exchange DN
  - Primary SMTP email address
  This reference attribute accepts the following object types:
  - Contact
  - DistributionGroup
  - DynamicDistributionGroup
  - Mailbox
  - MailUser

Alias (Read, Write)
  Gets or sets the alias of the mail user.

ArchiveName (Read)
  Gets the name of the archive mailbox. This is the name displayed in the user interface of Microsoft Office Outlook Web App and Microsoft Outlook.

BypassModerationFromSendersOrMembers (Read, Write)
  Gets or sets the senders whose messages bypass moderation for the mail user.
  This reference attribute can take any of the following values for the senders:
  - Alias
  - Canonical name
  - Display name
  - DN
  - GUID
  - Name
  - Legacy Exchange DN
  - Primary SMTP email address
  Moderation does not apply to the senders designated as moderators for the mail user.
  This reference attribute accepts the following object types:
  - Contact
  - DistributionGroup
  - DynamicDistributionGroup
  - Mailbox
  - MailUser

CalendarVersionStoreDisabled (Read, Write)
  Gets or sets whether logging of calendar changes is disabled for the mail user.
  This attribute can take one of the following values:
  - TRUE: Specifies that calendar changes are not logged.
  - FALSE: Specifies that calendar changes are logged.

CreateDTMFMap (Write)
  Sets whether to create a dual-tone multi-frequency (DTMF) map for the mail user.

CustomAttribute1 through CustomAttribute15 (Read, Write)
  Get or set the additional custom values you specify.

DeliverToMailboxAndForward (Read)
  Gets whether messages sent to the mail user are also delivered to the mail user when message forwarding is configured.
  This attribute can take one of the following values:
  - TRUE: Specifies that messages are delivered to the mail user and to the forwarding address.
  - FALSE: Specifies that messages are delivered to the forwarding address only.

DisplayName (Read, Write)
  Gets or sets the display name of the mail user.

EmailAddresses (Read, Write)
  Gets or sets the email addresses of the mail user.

EndDateForRetentionHold (Read)
  Gets the retention hold end date for messaging records management (MRM).
  To enable or disable retention hold, use the RetentionHoldEnabled attribute.

ExtensionCustomAttribute1 through ExtensionCustomAttribute5 (Read, Write)
  Get or set the additional custom values you specify. These attributes are multivalued. To specify multiple values, use a comma as a separator.

ExternalDirectoryObjectId (Read)
  Gets the GUID of the mail user.

ExternalEmailAddress (Read, Write)
  Gets or sets an email address outside of the mail user's organization. Messages sent to the mail user are delivered to this external address.

FederatedIdentity (Write)
  Allows you to associate an on-premises Active Directory user with the Microsoft 365 mail user.

ForwardingAddress (Read)
  Gets the forwarding address for the mail user.

GrantSendOnBehalfTo (Read, Write)
  Gets or sets the distinguished name (DN) of other senders that can send messages on behalf of the mail user.
  This reference attribute only accepts the following object type:
  - Mailbox

HiddenFromAddressListsEnabled (Read, Write)
  Gets or sets whether the mail user is hidden from address lists.
  This attribute can take one of the following values:
  - TRUE: Specifies that the mail user is hidden from address lists.
  - FALSE: Specifies that the mail user is shown in address lists.

ImmutableId (Read, Write)
  Gets or sets a unique immutable ID in the form of an SMTP address.

LitigationHoldDate (Read)
  Gets the date when the mail user's mailbox was placed on litigation hold.

LitigationHoldEnabled (Read)
  Gets whether litigation hold is enabled for the mail user's mailbox. When a mailbox is on litigation hold, messages cannot be deleted from the mailbox.
  This attribute can take one of the following values:
  - TRUE: Specifies that litigation hold is enabled.
  - FALSE: Specifies that litigation hold is not enabled.

LitigationHoldOwner (Read)
  Gets the user who enabled litigation hold on the mailbox. This attribute can only be used for informational or reporting purposes.

MacAttachmentFormat (Read, Write)
  Gets or sets the Apple Macintosh operating system attachment format for messages sent to the mail user.
  This attribute can take the following values:
  - BinHex
  - UuEncode
  - AppleSingle
  - AppleDouble

MailTip (Read, Write)
  Gets or sets the message displayed to senders when they start writing an email message to the mail user.

MailTipTranslations (Read, Write)
  Gets or sets the MailTip message translations in additional languages.
  This attribute accepts the following format:
  <LanguageLocale>:<MailTipMessageTranslation>
  A MailTip message translation cannot exceed 250 characters.

MessageBodyFormat (Read, Write)
  Gets or sets the message body format for messages sent to the mail user.
  The values this attribute can take depend on the value of the MessageFormat attribute.
  When the value of MessageFormat is Mime, the MessageBodyFormat attribute can take the following values:
  - Text
  - Html
  - TextAndHtml
  When the value of MessageFormat is Text, the MessageBodyFormat attribute can only take the Text value.

MessageFormat (Read, Write)
  Gets or sets the message format for messages sent to the mail user.
  This attribute can take the following values:
  - Text
  - Mime

ModeratedBy (Read, Write)
  Gets or sets the moderators who are moderating the messages sent to the mail user. To specify multiple moderators, use a comma as a separator.
  This reference attribute is required if you set the value of the ModerationEnabled attribute to TRUE.
  This reference attribute accepts the following object types:
  - Mailbox
  - MailUser

ModerationEnabled (Read, Write)
  Gets or sets whether moderation is enabled for the mail user.
  This attribute can take one of the following values:
  - TRUE
  - FALSE

Name (Read, Write)
  Gets or sets the name of the mail user.

ObjectID (Read)
  Gets the unique object identifier (GUID).

Password (Write)
  Sets the password for the mail user.

RejectMessagesFrom (Read, Write)
  Gets or sets the senders whose messages to the mail user are rejected.
  This attribute can take senders in one of the following formats:
  - Alias
  - Canonical name
  - Display name
  - DN
  - GUID
  - Name
  - Legacy Exchange DN
  - Primary SMTP email address
  This reference attribute accepts the following object types:
  - Contact
  - Mailbox

RejectMessagesFromDLMembers (Read, Write)
  Gets or sets the distribution groups whose members cannot send email messages to the mail user (such messages are rejected).
  This reference attribute can take distribution groups in one of the following formats:
  - Alias
  - Canonical name
  - Display name
  - DN
  - GUID
  - Legacy Exchange DN
  - Name
  - Primary SMTP email address
  This reference attribute accepts the following object types:
  - DistributionGroup
  - DynamicDistributionGroup

RequireSenderAuthenticationEnabled (Read, Write)
  Gets or sets whether the senders that send messages to this mail user must be authenticated.
  This attribute can take one of the following values:
  - TRUE
  - FALSE

RetainDeletedItemsFor (Read)
  Gets for how long to keep deleted items for the mail user.
  This attribute accepts the following format:
  DD.HH:MM:SS
  For example, 10.00:00:00 specifies to retain deleted items for 10 days, 00 hours, 00 minutes and 00 seconds.

RetentionComment (Read)
  Gets the comment on the mail user's hold status. This comment is displayed in Outlook.
  You can only write the value of this attribute if the value of the RetentionHoldEnabled attribute is set to TRUE.

RetentionHoldEnabled (Read)
  Gets whether retention hold is enabled for messaging retention policies.
  This attribute can take one of the following values:
  - TRUE
  - FALSE

RetentionUrl (Read)
  Gets the URL of a web page providing additional details about the organization's messaging retention policies.

SecondaryAddress (Write)
  Sets the secondary address used by the Unified Messaging-enabled user.

SecondaryDialPlan (Write)
  Sets a secondary Unified Messaging dial plan for the mail user.

SendModerationNotifications (Read, Write)
  Gets or sets whether to send status notifications to users when a message they sent to the moderated mail user is rejected by a moderator.
  This attribute can take one of the following values:
  - Always: Specifies that notifications are sent to all senders.
  - Internal: Specifies that notifications are only sent to the senders internal to your organization.
  - Never: Specifies that all status notifications are disabled.

SimpleDisplayName (Read, Write)
  Gets or sets an alternate description of the mail user for situations where only a limited set of characters is allowed. The limited set of characters includes ASCII characters 26 through 126.

SingleItemRecoveryEnabled (Read)
  Gets whether the purging of recovery items is disabled.
  This attribute can take one of the following values:
  - TRUE: Specifies that the purging of recovery items is disabled.
  - FALSE: Specifies that the purging of recovery items is enabled.

StartDateForRetentionHold (Read)
  Gets the start date for retention hold.
  To use this attribute, you must set the RetentionHoldEnabled attribute to TRUE.

UMDtmfMap (Read, Write)
  Gets or sets whether to create a user-defined DTMF map for the mail user if it has Unified Messaging enabled.

UsageLocation (Read)
  Gets a two-letter country code that defines the location of the mail user. Usage location determines the services available to the mail user.
  For example:
  - FR
  - GB
  - NL

UseMapiRichTextFormat (Read, Write)
  Gets or sets the format for MAPI Rich Text Format messages sent to the mail user.
  This attribute can take one of the following values:
  - Never: Specifies to convert all messages sent to the mail user to the plain text format.
  - Always: Specifies to always use the MAPI Rich Text Format (RTF) for the messages sent to the mail user.
  - UseDefaultSettings: Specifies to use the message format set in the MAPI client that sent the message to the mail user.
  NOTE: You can only write data by using this attribute when updating an existing object in Microsoft 365.

UsePreferMessageFormat (Read, Write)
  Gets or sets whether the message format specified for the mail user overrides any global settings (such as those configured for the remote domain).
  This attribute can take one of the following values:
  - TRUE: Specifies that the message format set for the mail user overrides any global settings.
  - FALSE: Specifies that global settings have precedence over the mail format set for the mail user.

UserPrincipalName (Read, Write)
  Gets or sets the user principal name (UPN) of the mail user.

WindowsEmailAddress (Read, Write)
  Gets or sets the email address for the mail user stored in Active Directory.
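Several attributes in Table 83 (Mailbox) and Table 84 (MailUser) only accept values in a stated format or depend on another attribute: MailTipTranslations (<LanguageLocale>:<MailTipMessageTranslation>, at most 250 characters per translation), RetainDeletedItemsFor (DD.HH:MM:SS), RulesQuota (B or KB suffix, unqualified values are bytes, 256 KB maximum), the send quotas (integer or Unlimited), ModeratedBy (required when ModerationEnabled is TRUE), RetentionComment (writable only when RetentionHoldEnabled is TRUE) and, for mail users, MessageBodyFormat (its valid values depend on MessageFormat). A connector write that violates these rules fails at the Microsoft 365 side, which is late and noisy; the following PowerShell function checks a set of values against exactly those rules before they are written. It is an added example, not code from the guide or from One Identity: the function name Test-M365RecipientValues, the hashtable input shape and the sample values are assumptions.

```powershell
# Added example, not part of the Active Roles guide: checks a set of recipient
# attribute values against the formats and dependencies that Tables 83 and 84
# state, before a mapping rule hands them to the Microsoft 365 Connector.
# The function name and the hashtable input shape are assumptions.
function Test-M365RecipientValues {
    [CmdletBinding()]
    param(
        # Attribute name -> value, as a mapping rule would provide them.
        [Parameter(Mandatory)][hashtable]$Values
    )
    $errors = [System.Collections.Generic.List[string]]::new()

    # MailTipTranslations: <LanguageLocale>:<MailTipMessageTranslation>,
    # translation no longer than 250 characters.
    foreach ($entry in @($Values['MailTipTranslations'])) {
        if ($null -eq $entry) { continue }
        $m = [regex]::Match([string]$entry, '^(?<locale>[A-Za-z]{2,3}(-[A-Za-z0-9]{2,8})*):(?<text>.+)$')
        if (-not $m.Success) { $errors.Add("MailTipTranslations: '$entry' is not <LanguageLocale>:<Translation>"); continue }
        if ($m.Groups['text'].Value.Length -gt 250) { $errors.Add("MailTipTranslations: $($m.Groups['locale'].Value) translation exceeds 250 characters") }
    }

    # RetainDeletedItemsFor: DD.HH:MM:SS
    if ($Values.ContainsKey('RetainDeletedItemsFor')) {
        $v = [string]$Values['RetainDeletedItemsFor']
        if ($v -notmatch '^\d+\.([01]\d|2[0-3]):[0-5]\d:[0-5]\d$') { $errors.Add("RetainDeletedItemsFor: '$v' is not DD.HH:MM:SS") }
    }

    # ProhibitSendQuota / ProhibitSendReceiveQuota: integer or Unlimited
    foreach ($name in 'ProhibitSendQuota', 'ProhibitSendReceiveQuota') {
        if (-not $Values.ContainsKey($name)) { continue }
        $v = [string]$Values[$name]
        if ($v -ne 'Unlimited' -and $v -notmatch '^\d+$') { $errors.Add("${name}: '$v' must be an integer or Unlimited") }
    }

    # RulesQuota: optional B or KB suffix, unqualified means bytes, at most 256 KB
    if ($Values.ContainsKey('RulesQuota')) {
        $v = [string]$Values['RulesQuota']
        if ($v -match '^(?<n>\d+)\s*(?<unit>B|KB)?$') {
            $bytes = [int64]$Matches['n'] * $(if ($Matches['unit'] -eq 'KB') { 1024 } else { 1 })
            if ($bytes -gt 256KB) { $errors.Add("RulesQuota: '$v' exceeds the 256 KB maximum") }
        }
        else { $errors.Add("RulesQuota: '$v' must be an integer, optionally suffixed with B or KB") }
    }

    # Dependencies between attributes
    if ([string]$Values['ModerationEnabled'] -eq 'TRUE' -and [string]::IsNullOrWhiteSpace([string]$Values['ModeratedBy'])) {
        $errors.Add('ModeratedBy is required when ModerationEnabled is TRUE')
    }
    if ($Values.ContainsKey('RetentionComment') -and [string]$Values['RetentionHoldEnabled'] -ne 'TRUE') {
        $errors.Add('RetentionComment can only be written when RetentionHoldEnabled is TRUE')
    }
    # MailUser only: the valid MessageBodyFormat values depend on MessageFormat
    if ($Values.ContainsKey('MessageBodyFormat')) {
        $fmt  = [string]$Values['MessageFormat']
        $body = [string]$Values['MessageBodyFormat']
        $allowed = if ($fmt -eq 'Mime') { 'Text', 'Html', 'TextAndHtml' } else { ,'Text' }
        if ($body -notin $allowed) { $errors.Add("MessageBodyFormat: '$body' is not valid when MessageFormat is '$fmt'") }
    }
    return ,$errors
}

# Constructed sample input: one good and one malformed MailTip translation, an
# oversized RulesQuota, a MessageBodyFormat that clashes with MessageFormat, and
# moderation enabled without moderators. Expect four rejections.
$sample = @{
    MailTipTranslations   = @('FR:Ce destinataire est absent', 'nolocale')
    RetainDeletedItemsFor = '10.00:00:00'
    ProhibitSendQuota     = 'Unlimited'
    RulesQuota            = '512KB'
    MessageFormat         = 'Text'
    MessageBodyFormat     = 'Html'
    ModerationEnabled     = 'TRUE'
}
$problems = Test-M365RecipientValues -Values $sample
if ($problems.Count -eq 0) { 'All values pass' } else { $problems | ForEach-Object { "REJECT: $_" } }
```

The checks mirror the tables rather than Exchange Online's full validation, so a value that passes here can still be refused by the service (for instance a locale Exchange does not know); the point is to reject the cases the documentation already tells you are invalid before the connector sends them.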

PresencePolicy object attributes

Table 85: PresencePolicy object attributes

Attribute (supported operations)
  Description

Anchor (Read)
  Gets the Anchor property value of the policy.

Description (Read)
  Gets the policy description.

Identity (Read)
  Gets the unique identifier assigned to the policy.

Members (Read)
  Gets the users who have been assigned the policy.

ObjectID (Read)
  Gets the unique object identifier (GUID).

SecurityGroup object attributes

Table 86: SecurityGroup attributes

Attribute (supported operations)
  Description

Description (Read, Write)
  Gets or sets the description of the security group.

DisplayName (Read, Write)
  Gets or sets the display name of the security group.

Members (Read, Write)
  Gets or sets the members of the security group.

ObjectID (Read)
  Gets the unique object identifier (GUID).

SPOSite object attributes

Table 87: SPOSite attributes

Attribute (supported operations)
  Description

AllowSelfServiceUpgrade (Read, Write)
  Gets or sets whether the site collection administrators can upgrade this site collection.

CompatibilityLevel (Read)
  Gets the major version number of the site collection. This version number is used to perform compatibility checks.

Groups (Read, Write)
  Gets or sets the site collection groups.
  This attribute is required to create a site collection in SharePoint Online.

LastContentModifiedDate (Read)
  Gets the date when the site collection content was last modified.

LocaleId (Read, Write)
  Gets or sets the Locale ID (LCID) for the site collection.

LockIssue (Read)
  Gets the comment that was written when the site collection was locked.

LockState (Read, Write)
  Gets or sets a lock state for the site collection. This attribute can take one of the following values:
  - NoAccess: All traffic to the site collection is blocked. Traffic to sites that have this lock state is redirected to the URL set in the NoAccessRedirectUrl attribute of the SPOTenant object. If no URL is set in that attribute, a 404 error is returned.
  - Unlock: All traffic to the site collection is allowed.

ObjectID (Read)
  Gets the unique object identifier (GUID).

Owner (Read, Write)
  Gets or sets the owner of the site collection.
  This attribute is required to create a site collection in SharePoint Online.

ResourceQuota (Read, Write)
  Gets or sets the server resource quota for the site collection.

ResourceQuotaWarningLevel (Read, Write)
  Gets or sets the warning level for the site collection. When the resource usage for the site collection reaches the specified warning level, a notification email is sent.

ResourceUsageAverage (Read)
  Gets the average resource usage for the site collection.

ResourceUsageCurrent (Read)
  Gets the current resource usage for the site collection.

Status (Read, Write)
  No description available.

StorageQuota (Read, Write)
  Gets or sets the storage quota limit for the site collection.
  This attribute is required to create a site collection in SharePoint Online.

StorageQuotaWarningLevel (Read, Write)
  Gets or sets the storage warning level for the site collection.
  In SharePoint Online, you can view the current storage warning level in the site collection properties.

StorageUsageCurrent (Read)
  Gets the current storage usage for the site collection.

Template (Read, Write)
  Gets or sets the template for the site collection.

TimeZoneId (Read, Write)
  Gets or sets the identifier of the time zone for the site collection.

Title (Read, Write)
  Gets or sets the title of the site collection.

Url (Read, Write)
  Gets or sets the website address (URL). In SharePoint Online, you can view the website address in the site collection properties.
  This attribute is required to create a site collection in SharePoint Online.

WebsCount (Read)
  No description available.

SPOSiteGroup object attributes

Table 88: SPOSiteGroup attributes

Attribute (supported operations)
  Description

LoginName (Read, Write)
  Gets or sets the name of the group.

ObjectID (Read)
  Gets the unique object identifier (GUID).

Owner (Read, Write)
  Gets or sets the owner of the group.

PermissionLevels (Read, Write)
  Gets or sets the permission levels for the group.

Site (Read, Write)
  Gets or sets the name of the site collection to which the group belongs.

Users (Read, Write)
  Gets or sets the users in the group.

SPOWebTemplate object attributes

Table 89: SPOWebTemplate attributes

Attribute (supported operations)
  Description

CompatibilityLevel (Read)
  Gets the compatibility level of the web template.

Description (Read)
  Gets the description of the web template.

DisplayCategory (Read)
  Gets the name of the category to which the web template belongs.

LocaleID (Read)
  Gets the Locale ID (LCID) of the web template.

Name (Read)
  Gets the name of the web template.

ObjectID (Read)
  Gets the unique object identifier (GUID).

Title (Read)
  Gets the title of the web template.

SPOTenant object attributes

Table 90: SPOTenant attributes

Attribute (supported operations)
  Description

ExternalServicesEnabled (Read, Write (update only))
  Gets or sets the maximum compatibility level for new sites.

MinCompatibilityLevel (Read, Write (update only))
  Gets or sets the minimum compatibility level for new sites.

NoAccessRedirectUrl (Read, Write (update only))
  Gets or sets the redirect URL for the SPOSite objects whose LockState attribute value is set to NoAccess.

ObjectID (Read)
  Gets the unique object identifier (GUID).

ResourceQuota (Read, Write (update only))
  Gets or sets the server resource quota available to the organization.

ResourceQuotaAllocated (Read, Write (update only))
  Gets or sets the server resource quota limit for the organization.

StorageQuota (Read, Write (update only))
  Gets or sets the storage quota available to the organization.

StorageQuotaAllocated (Read, Write (update only))
  Gets or sets the storage quota limit for the organization.
User object attributes

The Microsoft 365 Connector provides the following attributes for the User object in Microsoft 365:
- Attributes related to license plans and services
- Other attributes

Attributes related to license plans and services

These attributes allow you to get or set the license plans and services available to the user in Microsoft 365. The attributes support Read and Write operations.
The names and display names of these attributes are formed dynamically according to the following patterns:

Table 91: Naming patterns for attributes

Attribute display name
  Naming pattern: <LicensePlanNameOnGUI> - <ServiceNameOnGUI>
  In this pattern:
  - LicensePlanNameOnGUI is the license plan name as it is displayed on the Microsoft 365 user interface.
  - ServiceNameOnGUI is the service name as it is displayed below the corresponding license plan on the Microsoft 365 user interface.
  Examples:
  - Microsoft 365 Plan E3 - Office Web Apps
  - Microsoft 365 Plan K2 - Exchange Online Kiosk

Attribute name
  Naming pattern: <LicensePlanName>-<ServiceName>
  In this pattern:
  - LicensePlanName is the license plan name in the form used by the Microsoft 365 cmdlets for Windows PowerShell.
  - ServiceName is the service name in the corresponding license plan, in the form used by the Microsoft 365 cmdlets for Windows PowerShell.
  Examples:
  - ENTERPRISEPACK-SHAREPOINTWAC
  - DESKLESSWOFFPACK-EXCHANGE_S_DESKLESS

These attributes can take one of the following values:
- True: Specifies that the service is selected in the corresponding license plan in Microsoft 365.
- False: Specifies that the service is not selected in the corresponding license plan in Microsoft 365.

If necessary, you can modify the display names of Microsoft 365 license plans and services that appear in the Synchronization Service Console. These display names are part of the Microsoft 365 Connector schema and are saved in the O365LicensePlansServices.xml file located in the Synchronization Service installation folder (by default, this is %ProgramFiles%\One Identity\Active Roles\7.4\SyncService).
For example, you may need to modify the name of a license plan or service in the Microsoft 365 Connector schema when the corresponding name changes in the Microsoft 365 user interface and the related attribute display name in the Synchronization Service Console therefore becomes outdated.

To modify the display names of attributes in the Microsoft 365 Connector schema

1. Open the O365LicensePlansServices.xml file located in the Synchronization Service installation folder.
2. In the appropriate XML elements, modify the values of the PlanDisplayName and ServiceDisplayName attributes as necessary. See the table below for more information about the XML elements used in the file.
3. When you are finished, save the file.

Table 92: XML elements

<Plan>
  Defines the name and display name of the attribute related to a particular Microsoft 365 license plan in the Microsoft 365 Connector schema.
  This element has the following attributes:
  - PlanName: The license plan name in the form used by the Microsoft 365 cmdlets for Windows PowerShell.
  - PlanDisplayName: The license plan name as it is displayed in the Synchronization Service Console.
  Example:
  <Plan PlanName="STANDARDPACK" PlanDisplayName="Microsoft Office 365 Plan E1"/>

<Service>
  Defines the name and display name of the attribute related to a particular Microsoft 365 service in the Microsoft 365 Connector schema.
  This element has the following attributes:
  - ServiceName: The service name in the form used by the Microsoft 365 cmdlets for Windows PowerShell.
  - ServiceDisplayName: The service name as it is displayed in the Synchronization Service Console.
  Example:
  <Service ServiceName="OFFICESUBSCRIPTION" ServiceDisplayName="Office Professional Plus" />
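The naming patterns in Table 91 and the display-name procedure above can both be exercised in PowerShell, which is also the safer way to touch a schema file: it edits only the two display-name attributes and leaves PlanName and ServiceName, from which the attribute names used by mapping rules are built, untouched. The following is an added example, not code from the guide or from One Identity. Table 92 documents only the <Plan> and <Service> elements and their attributes, so the root element name (LicensePlansServices), the nesting of <Service> under <Plan>, the function names and the sample plan and service entries are assumptions; the block therefore runs against a constructed sample document rather than the installed file.

```powershell
# Added example, not part of the Active Roles guide. Table 92 documents only the
# <Plan> and <Service> elements and their attributes; the root element name and
# the nesting of <Service> under <Plan> used here are assumptions, so the
# example works on a constructed sample document rather than the real file.
$sampleXml = @'
<LicensePlansServices>
  <Plan PlanName="STANDARDPACK" PlanDisplayName="Microsoft Office 365 Plan E1">
    <Service ServiceName="EXCHANGE_S_STANDARD" ServiceDisplayName="Exchange Online (Plan 1)" />
    <Service ServiceName="SHAREPOINTWAC" ServiceDisplayName="Office Web Apps" />
  </Plan>
  <Plan PlanName="ENTERPRISEPACK" PlanDisplayName="Microsoft 365 Plan E3">
    <Service ServiceName="SHAREPOINTWAC" ServiceDisplayName="Office Web Apps" />
    <Service ServiceName="OFFICESUBSCRIPTION" ServiceDisplayName="Office Professional Plus" />
  </Plan>
</LicensePlansServices>
'@

function Get-LicenseServiceAttribute {
    # Builds, for every plan/service pair, the attribute name and display name
    # the connector derives from the schema, following the Table 91 patterns:
    # name = <PlanName>-<ServiceName>, display name = <PlanDisplayName> - <ServiceDisplayName>.
    param([Parameter(Mandatory)][xml]$Schema)
    foreach ($plan in $Schema.SelectNodes('//Plan')) {
        foreach ($svc in $plan.SelectNodes('Service')) {
            [pscustomobject]@{
                AttributeName = '{0}-{1}' -f $plan.GetAttribute('PlanName'), $svc.GetAttribute('ServiceName')
                DisplayName   = '{0} - {1}' -f $plan.GetAttribute('PlanDisplayName'), $svc.GetAttribute('ServiceDisplayName')
            }
        }
    }
}

function Set-LicenseServiceDisplayName {
    # Step 2 of the procedure above, done in code: changes ServiceDisplayName
    # wherever the service occurs. PlanName and ServiceName are left alone on
    # purpose: they form the attribute names that mapping rules refer to.
    # Returns the number of <Service> elements changed.
    param(
        [Parameter(Mandatory)][xml]$Schema,
        [Parameter(Mandatory)][string]$ServiceName,
        [Parameter(Mandatory)][string]$NewDisplayName
    )
    $changed = 0
    foreach ($svc in $Schema.SelectNodes('//Service')) {
        if ($svc.GetAttribute('ServiceName') -ceq $ServiceName) {   # exact, case-sensitive match
            $svc.SetAttribute('ServiceDisplayName', $NewDisplayName)
            $changed++
        }
    }
    return $changed
}

[xml]$schema = $sampleXml
Get-LicenseServiceAttribute -Schema $schema | Format-Table -AutoSize
$n = Set-LicenseServiceDisplayName -Schema $schema -ServiceName 'SHAREPOINTWAC' -NewDisplayName 'Office for the web'
"$n service element(s) renamed"
Get-LicenseServiceAttribute -Schema $schema | Where-Object AttributeName -like '*-SHAREPOINTWAC'

# Against the installed file (step 1 and the final save of the procedure), using
# the default installation folder the guide states; back the file up first.
#   $path = Join-Path $env:ProgramFiles 'One Identity\Active Roles\7.4\SyncService\O365LicensePlansServices.xml'
#   Copy-Item -LiteralPath $path -Destination "$path.bak"
#   [xml]$schema = Get-Content -Raw -LiteralPath $path
#   Set-LicenseServiceDisplayName -Schema $schema -ServiceName 'SHAREPOINTWAC' -NewDisplayName 'Office for the web'
#   $schema.Save($path)
```

Listing the derived names before and after the edit is a cheap regression check: the AttributeName column must be identical in both listings, and only the DisplayName column may differ, otherwise the edit has touched something a mapping rule depends on.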

Other attributes

Table 93: Other attributes

Attribute Description Supported


operations

AllowUMCallsFromNonUsers Gets or sets whether to exclude or Read, Write


include the user in directory searches.
This attribute can take one of the
following values:
l None: Specifies to exclude the user
from directory searches.
l SearchEnabled: Specifies to include
the user in directory searches.
AlternateEmailAddresses Gets or sets the alternate email Read, Write
addresses of the user.
AssistantName Gets or sets the name of the user’s Read, Write
assistant.
BlockCredential Gets or sets whether or not the user can Read, Write
sign in and use Microsoft 365 services.
This attribute can take one of the
following values:
l TRUE: Specifies that user’s Microsoft
Online Services ID is disabled and
the user cannot sign in and use
Microsoft 365 services.
l FALSE (default): Specifies that
user’s Microsoft Online Services ID
is enabled and the user can sign in
and use Microsoft 365 services.

Active Roles 8.1.3 Synchronization Service Administration Guide


294
Attribute Description Supported
operations

City (Read, Write): Gets or sets the user’s city.
Company (Read, Write): Gets or sets the name of the user’s company.
Country (Read, Write): Gets or sets the user’s country.
CountryOrRegion (Read, Write): Gets or sets the country or region of the user.
Department (Read, Write): Gets or sets the user’s department.
DisplayName (Read, Write): Gets or sets the display name of the user.
Fax (Read, Write): Gets or sets the user’s fax number.
FirstName (Read, Write): Gets or sets the first name of the user.
ForceChangePassword (Write): Gets or sets whether or not the user is forced to change their password the next time the user signs in to Microsoft 365.
• TRUE: Specifies that the user must change their password the next time the user signs in to Microsoft 365.
• FALSE (default): Specifies that the user does not have to change their password the next time the user signs in to Microsoft 365.
NOTE: To write data by using this attribute, you must at the same time write data by using the Password attribute.
HomePhone (Read, Write): Gets or sets the home phone number of the user.
ImmutableId (Read, Write): Gets or sets the GUID of the user in Microsoft 365. This GUID is used to verify the identity of the Active Directory user when the user accesses Microsoft 365 by using single sign-on.
NOTE: For the Microsoft 365 Connector to read the ImmutableId attribute value stored in Microsoft 365, that value must be in base64 encoding format. If the ImmutableId attribute value has any other encoding format, the Microsoft 365 Connector returns an error when reading that value.
Initials (Read, Write): Gets or sets the initials of the user.

LastName (Read, Write): Gets or sets the last name of the user.
LiveID (Read): Gets the user’s unique login ID.
MailboxId (Read): Gets the GUID of the user’s mailbox.
Manager (Read, Write): Gets or sets the name of the user’s manager.
MobilePhone (Read, Write): Gets or sets the user’s mobile phone number.
Name (Read, Write): Gets or sets the name of the user.
Notes (Read, Write): Gets or sets notes about the user.
ObjectID (Read): Gets the unique object identifier (GUID).
Office (Read, Write): Gets or sets the user’s office.
OtherFax (Read, Write): Gets or sets the alternate fax number of the user.
OtherHomePhone (Read, Write): Gets or sets the alternate home phone number of the user.
OtherTelephone (Read, Write): Gets or sets the alternate phone number of the user.
Pager (Read, Write): Gets or sets the pager of the user.
Password (Write): Sets a password for the user.
PasswordNeverExpires (Read, Write): Gets or sets whether or not the user’s password periodically expires. This attribute can take one of the following values:
• TRUE (default): Specifies that the user’s password never expires.
• FALSE: Specifies that the user’s password periodically expires.
Phone (Read, Write): Gets or sets the phone number of the user.
PhoneNumber (Read, Write): Gets or sets the user’s phone number.
PhoneticDisplayName (Read, Write): Gets or sets a phonetic pronunciation of the value specified in the DisplayName attribute for the user.
PostalCode (Read, Write): Gets or sets the user’s postal code.
PostOfficeBox (Read, Write): Gets or sets the post office box number of the user.
PreferredLanguage (Read, Write): Gets or sets the preferred language for the user.
RemotePowerShellEnabled (Read, Write): Gets or sets whether remote Windows PowerShell cmdlets are available to the user. This attribute can take one of the following values:
• TRUE
• FALSE
ResetPasswordOnNextLogon (Read, Write): Gets or sets whether the user must reset their password at next logon. This attribute can take one of the following values:
• TRUE
• FALSE
SimpleDisplayName (Read, Write): Gets or sets an alternate description of the user in a situation where a limited set of characters is allowed. The limited set of characters includes ASCII characters from 26 to 126.
State (Read, Write): Gets or sets the state where the user is located.
StateOrProvince (Read, Write): Gets or sets the state or province of the user.
StreetAddress (Read, Write): Gets or sets the user’s street address.
Title (Read, Write): Gets or sets the user’s title.
UMDtmfMap (Read, Write): Gets or sets whether to create a user-defined DTMF map for the user if it has Unified Messaging enabled.
UsageLocation (Read, Write): Gets or sets the two-letter ISO country designation. This attribute specifies the user’s country where services are consumed.
UserPrincipalName (Read, Write): Gets or sets the user’s Microsoft Online Services ID.
WebPage (Read, Write): Gets or sets the web page address of the user.
WindowsEmailAddress (Read, Write): Gets or sets the email address of the user stored in Active Directory.
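The ImmutableId row above says the value stored in Microsoft 365 must be base64 or the Microsoft 365 Connector returns an error when reading it. The following PowerShell is an added example and is not code from this guide or from One Identity. It assumes that ImmutableId holds the 16 raw bytes of the on-premises user's objectGUID encoded as base64 (the form Azure AD Connect writes), and it shows how to produce that form from a GUID, how to recognize a value the connector cannot read, and how to confirm that a stored value decodes to the GUID of the expected AD user. The sample GUID is constructed.

```powershell
# Added example (not part of the One Identity guide): helpers for the ImmutableId
# base64 requirement. Assumption: ImmutableId carries the 16 raw bytes of the
# on-premises objectGUID encoded as base64. The sample GUID below is constructed.

function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    # 16 GUID bytes -> 24-character base64 string (ends in "==")
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory)][string]$ImmutableId)
    # Reverse of ConvertTo-ImmutableId; throws if the value is not base64
    [guid]::new([Convert]::FromBase64String($ImmutableId))
}

function Test-ImmutableId {
    param([Parameter(Mandatory)][string]$ImmutableId)
    # True only when the value is base64 and decodes to exactly 16 bytes.
    # Anything else (for example the GUID string itself, or a hex string) is a
    # value the Microsoft 365 Connector cannot read.
    try {
        return ([Convert]::FromBase64String($ImmutableId).Length -eq 16)
    } catch [FormatException] {
        return $false
    }
}

function Test-ImmutableIdMatchesGuid {
    param(
        [Parameter(Mandatory)][string]$ImmutableId,   # value read from Microsoft 365
        [Parameter(Mandatory)][guid]$ObjectGuid       # objectGUID of the AD user
    )
    # Decode the stored value and compare it with the AD object's GUID; this is
    # the identity check the guide describes for single sign-on.
    (Test-ImmutableId -ImmutableId $ImmutableId) -and
        ((ConvertFrom-ImmutableId -ImmutableId $ImmutableId) -eq $ObjectGuid)
}

# Constructed sample (not a real tenant value)
$sampleGuid  = [guid]'6f9619ff-8b86-d011-b42d-00c04fc964ff'
$immutableId = ConvertTo-ImmutableId -ObjectGuid $sampleGuid

"{0} encodes as {1}" -f $sampleGuid, $immutableId
Test-ImmutableId -ImmutableId $immutableId
Test-ImmutableId -ImmutableId $sampleGuid.ToString()   # a plain GUID string is not base64
Test-ImmutableIdMatchesGuid -ImmutableId $immutableId -ObjectGuid $sampleGuid
```

Run Test-ImmutableId over the values a sync workflow is about to read before the first full synchronization; an existing tenant that received ImmutableId values in another encoding (for example a hex string) will otherwise surface as connector read errors on those users only.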

VoicePolicy object attributes

Table 94: VoicePolicy object attributes

Attribute (supported operations): Description

Anchor (Read): Gets the Anchor property value of the policy.
Description (Read): Gets the policy description.
Identity (Read): Gets the unique identifier assigned to the policy.
Members (Read): Gets the users who have been assigned the policy.
ObjectID (Read): Gets the unique object identifier (GUID).

Microsoft 365 group attributes

Table 95: Microsoft 365 group attributes

Attribute (supported operations): Description

AcceptMessagesOnlyFromSendersOrMembers (Read, Write): Gets or sets the senders who can send email messages to the Microsoft 365 group. This attribute accepts senders in any of the following formats, for example:
• Name
• Alias
• Distinguished name (DN)
• Email address

AccessType (Read, Write): Specifies the privacy type for the Microsoft 365 group. The acceptable values are:
• Public
• Private
Alias (Read, Write): Gets or sets the alias of the Microsoft 365 group.
AlwaysSubscribeMembersToCalendarEvents (Read, Write): Controls the default subscription settings of the new members that are added to the Microsoft 365 group.
AuditLogAgeLimit (Read, Write): Gets or sets the retention period for the mailbox audit logs. Logs whose age exceeds the specified retention period are deleted.
AutoSubscribeNewMembers (Read, Write): Specifies whether new members added to the Microsoft 365 Group are automatically subscribed to conversations and calendar events.
CalendarMemberReadOnly (Read): Specifies whether members of the Microsoft 365 group have read-only Calendar permissions on the group.
Classification (Read): Specifies the classification for the Microsoft 365 Group.

CustomAttribute1, CustomAttribute2, CustomAttribute3, CustomAttribute4, CustomAttribute5, CustomAttribute6, CustomAttribute7, CustomAttribute8, CustomAttribute9 (Read, Write): Get or set the additional custom values you specify.
DataEncryptionPolicy (Read): Specifies the data encryption policy that is applied to the Microsoft 365 group.
DisplayName (Read, Write): Gets or sets the display name of the Microsoft 365 group.
EmailAddresses (Read): Gets all the Microsoft 365 proxy addresses of the mailbox. The proxy addresses also include the primary SMTP address.
ExtensionCustomAttribute1, ExtensionCustomAttribute2, ExtensionCustomAttribute3, ExtensionCustomAttribute4, ExtensionCustomAttribute5 (Read, Write): Get or set the additional custom values you specify. These attributes are multivalued.
GrantSendOnBehalfTo (Read, Write): Specifies the sender who can send on behalf of this Microsoft 365 group.
HiddenFromAddressListsEnabled (Read, Write): Gets or sets whether this mailbox is hidden from address lists.
HiddenFromExchangeClientsEnabled (Read, Write): Specifies whether the Microsoft 365 Group is hidden from the Outlook clients connected to Microsoft 365.
Language (Read, Write): Gets or sets preferred languages for the Microsoft 365 group.
MailboxRegion (Read): This is reserved for internal Microsoft use.
MailTip (Read): Gets or sets the message displayed to senders when they start writing an email message to this recipient.
MailTipTranslations (Read): Gets or sets the MailTip message translations in additional languages.
MaxReceiveSize (Read, Write): Specifies the maximum size of an email message that can be sent to this group.
MaxSendSize (Read, Write): Specifies the maximum size of an email message that can be sent by this group.
ModeratedBy (Read, Write): Gets or sets the users who are moderating the messages sent to the Microsoft 365 group.
ModerationEnabled (Read, Write): Gets or sets whether moderation is enabled for the Microsoft 365 group.
Notes (Read, Write): Gets or sets notes about the user.
PrimarySmtpAddress (Read, Write): Gets or sets the primary SMTP address of the Microsoft 365 group.
RejectMessagesFromSendersOrMembers (Read, Write): Gets or sets the senders that cannot send email messages to the Microsoft 365 group. Messages sent by these senders are rejected.

RequireSenderAuthenticationEnabled (Read, Write): Gets or sets whether the senders that send messages to this Microsoft 365 group must be authenticated.
SubscriptionEnabled (Read, Write): Specifies whether the subscriptions to conversations and calendar events are enabled for the Microsoft 365 group.
UnifiedGroupWelcomeMessageEnabled (Read, Write): Specifies whether the option to send the system-generated welcome messages to users who are added as members to the Microsoft 365 group is enabled or disabled.

Objects and attributes specific to Microsoft 365 services
In the Microsoft 365 connection settings, you can select the services you want to work with,
such as SharePoint Online, Exchange Online, or Skype for Business Online.
The next table describes the object types and attributes that become available in the
Synchronization Service Console user interface when you select a particular check box in
the connection settings. The objects and object attributes not mentioned in the table are
always available in the Synchronization Service Console user interface.

Table 96: Objects and attributes specific to Microsoft 365 services

Check box: Related objects (related attributes)

SharePoint Online:
• SPOSiteGroup (All)
• SPOWebTemplate (All)
• SPOTenant (All)
Exchange Online:
• Contact (All)
• DistributionGroup (All)
• DynamicDistributionGroup (All)
• User (Manager)
Skype for Business Online:
• ClientPolicy (All)
• ConferencingPolicy (All)
• ExternalAccessPolicy (All)
• HostedVoicemailPolicy (All)
• VoicePolicy (All)
• PresencePolicy (All)
• User (AudioVideoDisabled, ClientPolicy, ConferencingPolicy, Enabled, EnterpriseVoiceEnabled, ExchangeArchivingPolicy, ExternalAccessPolicy, HostedVoicemailPolicy, LineURI, LineServerURI, PresencePolicy, PrivateLine, RegistrarPool, RemoteCallControlTelephonyEnabled, SipAddress, VoicePolicy)

How the Microsoft 365 Connector works with data


To read and write data in Microsoft 365, the Microsoft 365 Connector relies on the
cmdlets of the ExchangeOnlineManagement Windows PowerShell module. As a result, the
connector can only work with data supported by the cmdlets of that module.

Working with Microsoft Azure Active Directory
Synchronization Service reads and writes data in Microsoft Azure Active Directory by using
an Azure application in your Microsoft Azure Active Directory environment. To create a
connection to Microsoft Azure Active Directory, use the Microsoft Azure AD Connector
of the Active Roles Synchronization Service.
The Microsoft Azure AD Connector supports the following features:

Table 97: Microsoft Azure AD Connector – Supported features

Feature: Supported

Bidirectional synchronization: Yes
Specifies whether you can both read and write data in the connected data system.

Delta processing mode: No
Specifies whether the connection can process only the data that has changed in the connected data system since the last synchronization operation. This reduces the overall synchronization duration.

Password synchronization: No
Specifies whether you can synchronize user passwords from an Active Directory (AD) domain to the connected data system.

Secure Sockets Layer (SSL) data encryption: Yes
Specifies whether the connector can use SSL to encrypt data transmitted between Active Roles Synchronization Service and the connected data system.

Creating a Microsoft Azure Active Directory connection
Synchronization Service reads and writes data in Microsoft Azure Active Directory by using
an Azure application in your Microsoft Azure Active Directory environment. To create a
connection to Microsoft Azure Active Directory, use the Microsoft Azure AD Connector
of the Active Roles Synchronization Service.
You can create an Azure AD connector by configuring an Azure application in the
Synchronization Service Console:
• To create and configure an Azure AD connector with manual configuration, see Creating a Microsoft Azure Active Directory connector with manual configuration.
• To create and configure an Azure AD connector with automatic configuration, see Creating a Microsoft Azure Active Directory connector with automatic configuration.
• To configure an Azure application for an Azure AD connector using a script, see Configuring an Azure application for a Microsoft Azure Active Directory connection using a script.

Creating a Microsoft Azure Active Directory connector with manual configuration
Synchronization Service reads and writes data in Microsoft Azure Active Directory by using
an Azure application in your Microsoft Azure Active Directory environment. To create a
connection to Microsoft Azure Active Directory, use the Microsoft Azure AD Connector
of the Active Roles Synchronization Service.
You can create an Azure AD connector by configuring an Azure application manually in the
Synchronization Service Console. One Identity recommends using Manual configuration
if you want to use an existing Azure application for the connection.

To create a new Azure AD connector with manual configuration

1. In the Synchronization Service Console, open the Connections tab.
2. Click Add connection, then use the following options:
• Connection name: Type a descriptive name for the connection.
• Use the specified connector: Select Azure AD Connector.
3. Click Next.
4. To use an existing Azure application, select Manual configuration.
NOTE: Alternatively, to use and update an existing Azure application, you can also select Auto configuration. Under Auto configuration, click Log in to Azure, then select the Tenant environment type of the Azure tenant. After logging in to Azure with your tenant, the Tenant ID, Application ID, Certificate thumbprint and Tenant environment type parameters will be automatically filled in.
5. Enter the Tenant ID, Application ID and Certificate thumbprint of the Azure tenant as they appear on the Azure portal. Then, select the Tenant Environment Type of the Azure tenant.
6. To test the connection with the new parameters, click Test connection.
7. To finish creating a connection to Azure AD, click Finish.

Creating a Microsoft Azure Active Directory connector with automatic configuration
Synchronization Service reads and writes data in Microsoft Azure Active Directory by using
an Azure application in your Microsoft Azure Active Directory environment. To create a
connection to Microsoft Azure Active Directory, use the Microsoft Azure AD Connector
of the Active Roles Synchronization Service.

You can create an Azure AD connector by configuring an Azure application automatically in
the Synchronization Service Console. One Identity recommends using Auto
configuration if you want to create a new Azure application for the connection.

To create a new Azure AD connector with automatic configuration

1. In the Synchronization Service Console, open the Connections tab.
2. Click Add connection, then use the following options:
• Connection name: Type a descriptive name for the connection.
• Use the specified connector: Select Azure AD Connector.
3. Click Next.
4. To create a new Azure application or update an existing one, select Auto configuration.
NOTE: If you have more than one Azure Active Directory (Azure AD) service in your Azure tenant, select I have more than one Azure AD in my Azure tenant, and use the Tenant ID field to specify the GUID of the Azure AD for which you want to set up synchronization. For more information, see Finding the GUID (Tenant ID) of an Azure AD for Azure BackSync.
5. Select one of the following options based on the number of Azure AD services in your Azure tenant:
• I have one Azure AD in my Azure tenant.
• I have more than one Azure AD in my Azure tenant.
6. Authenticate your access to Azure AD:
• If you have selected I have one Azure AD in my Azure tenant, to authenticate your access to Azure AD, click Log in to Azure, and from the Select Environment Type drop-down, select the environment type of your Azure tenant.
• If you have selected I have more than one Azure AD in my Azure tenant, in Tenant ID, enter the GUID of the Azure AD for which you want to set up synchronization.
TIP: For more information on how to find the GUID of an Azure AD service, see Finding the GUID (Tenant ID) of an Azure AD for Azure BackSync.
After specifying the tenant ID, to authenticate your access to Azure AD, click Log in to Azure, and in the Select Environment Type drop-down, select the environment of your Azure tenant.
NOTE: If you select I have more than one Azure AD in my Azure tenant, the Log in to Azure button will be enabled only if you specify a well-formed Azure AD GUID in the Tenant ID text box.
7. Azure application name: Enter the name of the new or existing Azure application.
8. To create or update the Azure application in Azure AD, click Create or update Azure application.
The created or updated Azure application has the following directory roles assigned to it:
• Directory Writers
• Exchange Administrator
• User Administrator
The following permissions are also added, for which you must give admin consent:
• Sign in and read user profile
• Manage Exchange As Application
NOTE: You may need to set additional permissions depending on your needs.
9. To give admin consent for the permissions of the Azure application, click Consent. Then, in the Azure Tenant Consent dialog, click Accept.
10. To test the connection with the new parameters, click Test connection.
11. To finish creating a connection to Azure AD, click Finish.

Configuring an Azure application for a Microsoft Azure Active Directory connection using a script
Synchronization Service reads and writes data in Microsoft Azure Active Directory by using
an Azure application in your Microsoft Azure Active Directory environment.
To create an Azure AD connection by configuring an Azure application using a Windows
PowerShell script, perform the following steps.

To configure an Azure application for an Azure Active Directory connection using a Windows PowerShell script

1. Create an application in any domain of your Microsoft Azure Active Directory environment. The application must have sufficient permissions to read and write data in Microsoft Azure Active Directory.
You can assign the required permissions to the application by running a Windows PowerShell script. To run the script, you need to install Microsoft Azure PowerShell on your computer.

Script example

# Replace <ClientId> with the Client ID of the Active Roles Azure AD Connector Application (example format: 455ad643-332g-32h7-q004-8ba89ce65ae26)
$Id = "<ClientId>"

# Prompt for Microsoft Azure AD Global Admin credentials.
Connect-AzureAD

# Get the service principal of the Active Roles Azure AD Connector Application and save it to the $servicePrincipal variable
$servicePrincipal = Get-AzureADServicePrincipal -All $true | Where-Object {$_.AppId -eq $Id}

# Get the object ID of the required directory role and save it to the $roleId variable
$roleId = (Get-AzureADDirectoryRole | Where-Object {$_.DisplayName -eq 'Company Administrator'}).ObjectId

# Assign the required permissions to the Active Roles Azure AD Connector Application by adding its service principal to the role
Add-AzureADDirectoryRoleMember -ObjectId $roleId -RefObjectId $servicePrincipal.ObjectId

2. Open the application properties and copy the following information:
• Tenant ID
• Application ID
• Certificate thumbprint
3. When creating a new Microsoft Azure Active Directory connection or modifying an
existing one in the Synchronization Service Console, enter the Tenant ID,
Application ID, and Certificate thumbprint of the Azure tenant as they appear on
the Azure portal. For more information, see Creating a Microsoft Azure Active
Directory connection.
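The script in step 1 adds the connector application's service principal to the Company Administrator directory role, while the automatic configuration described earlier assigns Directory Writers, Exchange Administrator and User Administrator. Either way, the role membership that actually results is worth verifying and recording. The following PowerShell is an added example, not code from this guide or from One Identity; it uses the same AzureAD module cmdlets as the script above (Get-AzureADServicePrincipal, Get-AzureADDirectoryRole, Get-AzureADDirectoryRoleMember) and assumes Connect-AzureAD has already been run. The function name and the <ClientId> placeholder are this example's own.

```powershell
# Added example (not part of the One Identity guide): list the directory roles
# held by the connector application's service principal so the assignment made
# by the script, or by Auto configuration, can be verified against what was
# intended. Assumes the AzureAD module is installed and Connect-AzureAD has run.

function Get-ConnectorAppDirectoryRoles {
    param([Parameter(Mandatory)][string]$AppId)   # Application (Client) ID of the connector app

    $sp = Get-AzureADServicePrincipal -All $true | Where-Object { $_.AppId -eq $AppId }
    if (-not $sp) {
        throw "No service principal found for application ID $AppId"
    }

    # Get-AzureADDirectoryRole returns only the roles that are activated in the
    # tenant; for each one, check whether the service principal is a member.
    foreach ($role in Get-AzureADDirectoryRole) {
        $members = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId
        if ($members.ObjectId -contains $sp.ObjectId) {
            [pscustomobject]@{
                Application = $sp.DisplayName
                AppId       = $sp.AppId
                Role        = $role.DisplayName
                RoleId      = $role.ObjectId
            }
        }
    }
}

# Replace <ClientId> with the Client ID used in the script above (placeholder value)
Get-ConnectorAppDirectoryRoles -AppId "<ClientId>" | Format-Table -AutoSize
```

Compare the output with the role set you expected (Company Administrator for the script, or the three roles listed under automatic configuration) and keep the listing with the connection's change record, so that a later role added to the application outside Synchronization Service is visible on the next check.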

Modifying a Microsoft Azure Active Directory connection
Synchronization Service reads and writes data in Microsoft Azure Active Directory by using
an Azure application in your Microsoft Azure Active Directory environment. To create a
connection to Microsoft Azure Active Directory, use the Microsoft Azure AD Connector
of the Active Roles Synchronization Service.
You can modify the settings of an existing Azure AD connector in the Synchronization
Service Console.
• To modify the manually configured settings of an Azure AD connector, see Modifying the manual configuration settings of a Microsoft Azure Active Directory connector.
• To modify the automatically configured settings of an Azure AD connector, see Modifying the automatic configuration settings of a Microsoft Azure Active Directory connector.

Modifying the manual configuration settings of a Microsoft Azure Active Directory connector
You can modify the manual configuration settings of an existing Azure AD connector in the
Synchronization Service Console.

To modify the manual configuration settings of an Azure AD connector

1. In the Synchronization Service Console, open the Connections tab.
2. Click Connection settings under the existing Azure AD connection you want to modify.
3. On the Connection Settings tab, click Specify connection settings to expand it
and use the following options.
4. To use an existing Azure application, select Manual configuration.
NOTE: Alternatively, to use and update an existing Azure application, you can also
select Auto configuration. Under Auto configuration, click Log in to Azure,
then select the Tenant environment type of the Azure tenant. After logging in to
Azure with your tenant, the Tenant ID, Application ID, Certificate thumbprint
and Tenant environment type parameters will be automatically filled in.
5. Enter the Tenant ID, Application ID and Certificate thumbprint of the Azure
tenant as they appear on the Azure portal. Then, select the Tenant Environment
Type of the Azure tenant.
6. To test the connection with the new parameters, click Test connection.
7. To modify the connection settings, click Save.

Modifying the automatic configuration settings of a
Microsoft Azure Active Directory connector
You can modify the automatic configuration settings of an existing Azure AD connector in
the Synchronization Service Console.

To modify the auto configuration settings of an Azure AD connector

1. In the Synchronization Service Console, open the Connections tab.
2. Click Connection settings under the existing Azure AD connection you want to modify.
3. On the Connection Settings tab, click Specify connection settings to expand it and use the following options.
4. To create a new Azure application or update an existing one, select Auto configuration.
NOTE: If you have more than one Azure Active Directory (Azure AD) service in your Azure tenant, select I have more than one Azure AD in my Azure tenant, and use the Tenant ID field to specify the GUID of the Azure AD for which you want to set up synchronization. For more information, see Finding the GUID (Tenant ID) of an Azure AD for Azure BackSync.
5. Select one of the following options based on the number of Azure AD services in your Azure tenant:
• I have one Azure AD in my Azure tenant.
• I have more than one Azure AD in my Azure tenant.
6. Authenticate your access to Azure AD:
• If you have selected I have one Azure AD in my Azure tenant, to authenticate your access to Azure AD, click Log in to Azure, and from the Select Environment Type drop-down, select the environment type of your Azure tenant.
• If you have selected I have more than one Azure AD in my Azure tenant, in Tenant ID, enter the GUID of the Azure AD for which you want to set up synchronization.
TIP: For more information on how to find the GUID of an Azure AD service, see Finding the GUID (Tenant ID) of an Azure AD for Azure BackSync.
After specifying the tenant ID, to authenticate your access to Azure AD, click Log in to Azure, and in the Select Environment Type drop-down, select the environment of your Azure tenant.
NOTE: If you select I have more than one Azure AD in my Azure tenant, the Log in to Azure button will be enabled only if you specify a well-formed Azure AD GUID in the Tenant ID text box.
7. Azure application name: Enter the name of the new or existing Azure application.
8. To create or update the Azure application in Azure AD, click Create or update Azure application.
The created or updated Azure application has the following directory roles assigned to it:
• Directory Writers
• Exchange Administrator
• User Administrator
The following permissions are also added, for which you must give admin consent:
• Sign in and read user profile
• Manage Exchange As Application
NOTE: You may need to set additional permissions depending on your needs.
9. To give admin consent for the permissions of the Azure application, click Consent. Then, in the Azure Tenant Consent dialog, click Accept.
10. To test the connection with the new parameters, click Test connection.
11. To modify the connection settings, click Save.

Microsoft Azure Active Directory data supported for synchronization
The next table lists the Microsoft Azure Active Directory object types supported by the
Microsoft Azure AD Connector. The table also provides information about the operations
you can perform on these objects by using the Microsoft Azure AD Connector.

Table 98: Supported objects and operations

Object Read Create Delete Update

User Yes Yes Yes Yes

Group Yes Yes Yes Yes

The following sections describe the attributes provided by the Microsoft Azure AD
Connector. By using these attributes, you can read and/or write data related to a particular
object in Microsoft Azure Active Directory.

Microsoft Azure AD user attributes supported for data synchronization
The Microsoft Azure AD Connector of the Active Roles Synchronization Service supports
the following Azure Active Directory (Azure AD) user attributes for data synchronization.

NOTE: When configuring a data synchronization mapping rule with the Microsoft Azure AD Connector, consider that the following user attributes are currently not supported and cannot be queried via the Microsoft Graph API:
• aboutMe
• birthday
• contacts
• hireDate
• interests
• mySite
• officeLocation
• pastProjects
• preferredName
• responsibilities
• schools
• skills

This means that although these user attributes are visible, they cannot be set in a mapping rule.

Table 99: Azure AD user attributes supported for data synchronization

Attribute (supported operations): Description

accountEnabled (Read, Write): Gets or sets whether the user account is enabled.
NOTE: This attribute is required when creating a user.
city (Read, Write): Gets or sets the user city.
country (Read, Write): Gets or sets the user country.
department (Read, Write): Gets or sets the user department.
dirSyncEnabled (Read, Write): Gets or sets whether the user was synchronized from the on-premises Active Directory Domain Services (AD DS).
directReports (Read): Gets the direct reports of the user.
displayName (Read, Write): Gets or sets the user name in the address book.
NOTE: This attribute is required when creating a user.

facsimileTelephoneNumber (Read, Write): Gets or sets the user fax number.
givenName (Read, Write): Gets or sets the given name of the user.
jobTitle (Read, Write): Gets or sets the user job title.
lastDirSyncTime (Read): Gets the time when the user was last synchronized with the on-premises AD DS.
mail (Read, Write): Gets or sets the primary e-mail address of the user.
mailNickName (Read, Write): Gets or sets the mail alias of the user.
NOTE: This attribute is required when creating a user.
manager (Read, Write): Gets or sets the manager of the user.
memberOf (Read): Gets the group membership of the user.
mobile (Read, Write): Gets or sets the mobile phone number of the user.
objectId (Read): Gets the unique identifier of the user.
objectType (Read): Gets the object type of the user.
otherMails (Read, Write): Gets or sets other e-mail addresses for the user.
passwordPolicies (Read, Write): Gets or sets password policies applicable to the user.
passwordProfile (Read, Write): Gets or sets the password profile of the user.
NOTE: This attribute is required when creating a user.
physicalDeliveryOfficeName (Read, Write): Gets or sets the office location of the user.
postalCode (Read, Write): Gets or sets the postal code of the user.
preferredLanguage (Read, Write): Gets or sets the preferred language of the user.
provisionedPlans (Read): Gets the provisioned plans of the user.
provisioningErrors (Read): Gets the errors encountered when provisioning the user.

proxyAddresses (Read): Gets the known address entries of the user.
state (Read, Write): Gets or sets the state or province of the user.
streetAddress (Read, Write): Gets or sets the street address of the user.
surname (Read, Write): Gets or sets the family name of the user.
telephoneNumber (Read, Write): Gets or sets the telephone number of the user.
thumbnailPhoto (Read, Write): Gets or sets the thumbnail photo of the user.
usageLocation (Read, Write): Gets or sets the usage location, that is, the geographical location where the user is located and operating from.
userPrincipalName (Read, Write): Gets or sets the user principal name of the user.
NOTE: This attribute is required when creating a user.

Microsoft Azure AD group attributes supported for data synchronization
The Microsoft Azure AD Connector of the Active Roles Synchronization Service supports
the following Azure Active Directory (Azure AD) group attributes for data synchronization.
NOTE: When configuring a data synchronization mapping rule with the Microsoft Azure AD Connector, consider that the following group attributes are currently not supported and cannot be queried via the Microsoft Graph API:
• acceptedSenders
• allowExternalSenders
• autoSubscribeNewMembers
• hasMembersWithLicenseErrors
• hideFromAddressLists
• hideFromOutlookClients
• isSubscribedByMail
• membersWithLicenseErrors
• rejectedSenders
• unseenCount

This means that although these group attributes are visible, they cannot be set in a mapping rule.

Table 100: Azure AD group attributes supported for data synchronization

Attribute (supported operations): Description

description (Read, Write): Gets or sets the group description.
dirSyncEnabled (Read): Gets whether the group was synchronized from the on-premises Active Directory Domain Services (AD DS).
displayName (Read, Write): Gets or sets the display name of the group.
NOTE: This attribute is required when creating a group.
lastDirSyncTime (Read): Gets the time when the group was last synchronized with the on-premises AD DS.
mail (Read, Write): Gets or sets the e-mail address of the group.
mailEnabled (Read, Write): Gets or sets whether the group is mail-enabled.
NOTE: This attribute is required when creating a group.
mailNickName (Read, Write): Gets or sets the mail alias of the group.
NOTE: This attribute is required when creating a group.
members (Read, Write): Gets or sets the members of the group.
objectId (Read): Gets the unique identifier of the group.
objectType (Read): Gets the object type of the group.
provisioningErrors (Read): Gets the errors encountered when provisioning the group.
proxyAddresses (Read): Gets the known address entries of the group.
securityEnabled (Read, Write): Gets or sets whether the group is a security group.
NOTE: This attribute is required when creating a group.

Configuring data synchronization with the SCIM Connector
With the SCIM Connector, you can configure inbound data synchronization connections for the following SCIM-based One Identity Starling Connect connectors:
• PingOne
• Workday HR

NOTE: Consider the following when planning to configure a connection with the SCIM Connector:
• The SCIM Connector is tested to support the Starling Connect PingOne and Workday HR connectors. To configure a connection for import-based workflows to the SCIM 2.0-based SuccessFactors HR 8.0 or ServiceNow 2.0 Starling connectors, use the Generic SCIM Connector instead. For more information, see Configuring data synchronization with the Generic SCIM Connector.
• The SCIM Connector supports only the standard schema of the SCIM protocol. It does not support extended schemas, and therefore cannot handle user-made custom attributes.

For the list of Active Roles Synchronization Service connector features that the SCIM
Connector supports or does not support, see the following table.

Table 101: SCIM Connector – Supported features

Bidirectional synchronization: No
Specifies whether you can both read and write data in the connected data system.

Delta processing mode: No
Specifies whether the connection can process only the data that has changed in the connected data system since the last synchronization operation. This reduces the overall synchronization duration.

Password synchronization: No
Specifies whether you can synchronize user passwords from an Active Directory (AD) domain to the connected data system.

Secure Sockets Layer (SSL) data encryption: Yes
Specifies whether the connector can use SSL (in practice, TLS) to encrypt data transmitted between Active Roles Synchronization Service and the connected data system.

For more information on the SCIM protocol, see the official SCIM site, or the following IETF
RFC documents:

• IETF RFC 7642: System for Cross-domain Identity Management: Definitions, Overview, Concepts, and Requirements
• IETF RFC 7643: System for Cross-domain Identity Management: Core Schema
• IETF RFC 7644: System for Cross-domain Identity Management: Protocol

Objects and operations supported by the SCIM Connector
This section lists the data objects supported by the SCIM Connector, along with the data
operations you can perform on those objects via the SCIM Connector.

Table 102: Supported objects and operations for SCIM v2.0

Object | Read | Create | Delete | Update
Core user | Yes | Yes | Yes | Yes
Group | Yes | Yes | Yes | Yes
Enterprise | Yes | Yes | Yes | Yes

Table 103: Supported objects and operations for SCIM v1.1

Object | Read | Create | Delete | Update
User | Yes | Yes | Yes | Yes
Group | Yes | Yes | Yes | Yes

Creating a SCIM connection with the SCIM Connector
You can configure an Active Roles Synchronization Service connection to the PingOne and Workday HR connectors of Starling Connect with the SCIM Connector.

To configure a connection to a Starling Connect connector with the SCIM Connector

1. In the Synchronization Service Console, open the Connections tab.
2. Click Add connection, then use the following options:
   • Connection name: Type a descriptive name for the connection.
   • Use the specified connector: Select SCIM Connector.
3. Click Next.

4. On the Specify connection settings page, under SCIM settings, configure the following connection options:
   • SCIM version: Select the SCIM protocol version to use for the connection. The SCIM Connector supports protocol versions V2 and V1.1.
   • SCIM URL: Specify the base URL of the Starling Connect connector to which you want to connect. Use an https:// URL so that credentials and synchronized data are protected in transit.
   • Authentication type: Select the authentication type. The SCIM Connector supports Basic, OAuth and API Key-based authentication. The contents of the Authentication parameters section are populated dynamically based on the authentication type you select in this setting.
5. Under Authentication parameters, configure the applicable options:
   • If you use Basic authentication, provide a valid User name and Password.
     NOTE: The PingOne connector of Starling uses the API key as the User name and the API token as the Password.
   • If you use OAuth authentication, configure the settings applicable to the selected Grant type.

Table 104: SCIM Connector OAuth authentication settings

Grant type | Setting | Description
password | Token URL | Specify the URL of the token endpoint.
password | User name | Specify the user name.
password | Password | Specify the password.
password | Client ID | Specify the client ID used for login.
password | Client secret | Specify the client secret.
client_credentials | Token URL | Specify the URL of the token endpoint.
client_credentials | Client ID | Specify the client ID used for login.
client_credentials | Client secret | Specify the client secret.
Bearer_Token | Bearer token | Specify the bearer token for the connection.

NOTE: Connections using a bearer token have a time limit, specified by the token provider. Once this time limit is reached, the connection ends. To establish a new connection session, you must create a new bearer token and enter it in the connection settings. (Unlike a pasted bearer token, the password and client_credentials grant types carry the credentials needed to obtain a fresh token from the Token URL.)

   • If you use API Key authentication, specify the API Key and Token for the connection.
6. (Optional) To connect to the Workday HR connector of Starling with the configured SCIM Connector, select Load workday schema. Selecting this option will result in the configured SCIM Connector using the Workday schema instead of the standard SCIM schema.
   NOTE: Select Load workday schema only if you want to connect to the Workday HR connector of Starling. Attempting to connect to the PingOne connector with this setting enabled will result in the SCIM Connector failing to synchronize data.
7. (Optional) To configure additional authentication parameters (such as a region ID or organization ID) for the SCIM Connector, click Add additional parameters. Then, use the Additional authentication parameters settings to specify additional Plain text parameters or Masked parameters. Use Masked parameters for any value that is a secret (for example, a token), so that it is not displayed in clear text in the console. To save the parameters, click OK.
8. To verify that the specified settings are correct, click Test Connection.
9. To create the connection, click Finish.
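The grant types in Table 104 differ in whether the client can obtain a fresh token on its own. The following Python example is added here as an illustration and is not code from this guide or from the SCIM Connector: a minimal SCIM client that requests a bearer token from the Token URL with the password or client_credentials grant, renews it shortly before the provider's expires_in elapses, and, for the Bearer_Token grant, uses the pasted token until the provider rejects it, which is the time-limit failure the note above describes. The token endpoint, client credentials and SCIM URL are placeholders, and both the token endpoint and the SCIM service are simulated in memory (FakeProvider) so that the example runs offline.

```python
import json
from typing import Callable, Dict, Optional, Tuple


class AuthError(Exception):
    pass


class ScimOAuthClient:
    """Holds the bearer token for SCIM requests and renews it when the grant allows.
    cfg keys mirror Table 104: grant_type ("password" | "client_credentials" | "bearer_token"),
    token_url, client_id, client_secret, username, password, bearer_token.
    transport(method, url, headers, form) -> (status, body) is injected so this runs offline."""
    def __init__(self, scim_url: str, cfg: Dict[str, str], transport, clock: Callable[[], float]):
        self.scim_url, self.cfg, self.transport, self.clock = scim_url.rstrip("/"), cfg, transport, clock
        self.token: Optional[str] = None
        self.expires_at, self.token_requests = 0.0, 0   # token_requests: calls to the token endpoint

    def _fetch_token(self) -> None:
        grant = self.cfg["grant_type"]
        if grant == "bearer_token":
            # A pasted token cannot be renewed by the client; the provider decides its lifetime.
            self.token, self.expires_at = self.cfg["bearer_token"], float("inf")
            return
        form = {"grant_type": grant, "client_id": self.cfg["client_id"],
                "client_secret": self.cfg["client_secret"]}
        if grant == "password":
            form.update(username=self.cfg["username"], password=self.cfg["password"])
        elif grant != "client_credentials":
            raise AuthError(f"unsupported grant type {grant!r}")
        self.token_requests += 1
        status, body = self.transport("POST", self.cfg["token_url"],
                                      {"Content-Type": "application/x-www-form-urlencoded"}, form)
        if status != 200:
            raise AuthError(f"token endpoint returned HTTP {status}")
        data = json.loads(body)
        self.token = data["access_token"]
        # Renew 30 s before the provider's expires_in elapses instead of waiting for a 401.
        self.expires_at = self.clock() + float(data.get("expires_in", 3600)) - 30

    def get(self, path: str) -> dict:
        if self.token is None or self.clock() >= self.expires_at:
            self._fetch_token()
        status, body = self.transport("GET", f"{self.scim_url}/{path.lstrip('/')}",
                                      {"Authorization": f"Bearer {self.token}",
                                       "Accept": "application/scim+json"}, None)
        if status == 401:
            raise AuthError("token rejected; a new bearer token must be issued by the provider")
        if status != 200:
            raise RuntimeError(f"SCIM request failed with HTTP {status}")
        return json.loads(body)


class FakeProvider:
    """Constructed stand-in for the token endpoint and the SCIM service (not a real service)."""
    TOKEN_LIFETIME = 60          # deliberately short so renewal is exercised

    def __init__(self) -> None:
        self.now = 1000.0        # simulated clock, advanced by the demo
        self.issued: Dict[str, float] = {}   # token -> absolute expiry

    def transport(self, method, url, headers, form) -> Tuple[int, bytes]:
        if method == "POST" and url == "https://idp.example/oauth/token":
            if form.get("client_secret") != "s3cret":
                return 401, b'{"error": "invalid_client"}'
            token = f"tok-{len(self.issued) + 1}"
            self.issued[token] = self.now + self.TOKEN_LIFETIME
            return 200, json.dumps({"access_token": token, "expires_in": self.TOKEN_LIFETIME}).encode()
        if method == "GET" and url.startswith("https://scim.example/v2/"):
            token = headers.get("Authorization", "")[len("Bearer "):]
            if self.issued.get(token, 0.0) <= self.now:
                return 401, b""
            return 200, b'{"totalResults": 1, "Resources": [{"id": "u1", "userName": "alice"}]}'
        return 404, b""


def demo() -> Dict[str, object]:
    """client_credentials renews across an expiry; a pasted bearer token cannot."""
    idp = FakeProvider()
    cfg = {"grant_type": "client_credentials", "token_url": "https://idp.example/oauth/token",
           "client_id": "sync-service", "client_secret": "s3cret"}
    client = ScimOAuthClient("https://scim.example/v2", cfg, idp.transport, lambda: idp.now)
    read = len(client.get("Users")["Resources"])
    idp.now += 120               # past the 60 s token lifetime; the next get() renews first
    read += len(client.get("Users")["Resources"])
    out = {"token_requests": client.token_requests, "resources_read": read}
    idp2 = FakeProvider()
    idp2.issued["tok-static"] = idp2.now + 60    # issued out of band by the provider
    cfg = {"grant_type": "bearer_token", "bearer_token": "tok-static"}
    static = ScimOAuthClient("https://scim.example/v2", cfg, idp2.transport, lambda: idp2.now)
    static.get("Users")
    idp2.now += 120
    try:
        static.get("Users")
        out["static_after_expiry"] = "still valid"
    except AuthError:
        out["static_after_expiry"] = "expired: create a new bearer token"
    return out
```

Running demo() shows two token requests for the client_credentials case (the second one made transparently after the simulated clock passes the token lifetime) and an AuthError for the static bearer token once its lifetime has passed. With a real Starling Connect connector, the transport would send the same requests over HTTPS with certificate validation, and the client secret would come from a protected store rather than from the script.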

Viewing or modifying the settings of a SCIM Connector connection
You can view or modify an existing connection based on the SCIM Connector with Active
Roles Synchronization Service. Modifying a SCIM Connector is typically required if any
change occurs in the SCIM-based Starling Connect connectors to which the Active Roles
Synchronization Service connection was originally configured.

To view or modify an existing SCIM Connector connection

1. In the Synchronization Service Console, open the Connections tab.
2. Click Connection settings below the existing SCIM connection you want to modify.
3. On the Connection Settings tab, click the Specify connection settings item to
expand it and update the required settings.
For more information on the available settings, see Creating a SCIM connection with
the SCIM Connector.
4. To apply your changes, click Save.

Configuring data synchronization with the Generic SCIM Connector
With the Generic SCIM Connector, you can configure inbound data synchronization connections for a set of SCIM 2.0-based One Identity Starling Connect connectors.

NOTE: Consider the following when planning to configure a SCIM-based data synchronization connector:
• The Generic SCIM Connector was tested with the following Starling Connect connectors:
  • Pipedrive 1.0
  • ServiceNow 2.0
  • SuccessFactors HR 8.0 and 9.0
  • WorkdayHR 3.0
  • Zendesk 1.0
  While the Generic SCIM Connector may work with other SCIM 2.0-based Starling Connect connectors, One Identity tested it to work only with those connectors and connector versions.
• To configure a connection to the PingOne connector of Starling Connect, use the SCIM Connector of Active Roles Synchronization Service. For more information, see Configuring data synchronization with the SCIM Connector.

For the list of Active Roles Synchronization Service connector features that the Generic
SCIM Connector supports or does not support, see the following table.

Table 105: Generic SCIM Connector – Supported features

Bidirectional synchronization: No
Specifies whether you can both read and write data in the connected data system.

Delta processing mode: No
Specifies whether the connection can process only the data that has changed in the connected data system since the last synchronization operation. This reduces the overall synchronization duration.

Password synchronization: No
Specifies whether you can synchronize user passwords from an Active Directory (AD) domain to the connected data system.

Secure Sockets Layer (SSL) data encryption: Yes
Specifies whether the connector can use SSL (in practice, TLS) to encrypt data transmitted between Active Roles Synchronization Service and the connected data system.

For more information on the SCIM protocol, see the official SCIM site, or the following IETF
RFC documents:

• IETF RFC 7642: System for Cross-domain Identity Management: Definitions, Overview, Concepts, and Requirements
• IETF RFC 7643: System for Cross-domain Identity Management: Core Schema
• IETF RFC 7644: System for Cross-domain Identity Management: Protocol

Configuring the Generic SCIM Connector for Starling Connect connections
You can configure an Active Roles Synchronization Service connection to the following Starling Connect connectors with the Generic SCIM Connector:
• Pipedrive 1.0
• ServiceNow 2.0
• SuccessFactors HR 8.0 and 9.0
• WorkdayHR 3.0
• Zendesk 1.0

Prerequisites

Before configuring the connection, make sure that the following conditions are met:
• Your organization must have an active Starling Connect account.
• The Starling connector to which you want to connect must be already configured in Starling Connect.
• If your organization is using a proxy server for outbound connections, make sure that the system-level proxy settings are properly configured. To configure system-level proxy settings, navigate to one of the following Windows configuration pages:
  • Control Panel > Internet Settings > Connections > LAN Settings
  • Settings > Network and Internet > Proxy
• You are aware of the specific implementation details (such as the supported objects and operations) of the Starling Connect connector you want to connect to. For more information, see the connector-specific sections of the Starling Connect Active Roles Administration Guide.

To configure a connection to a Starling Connect connector with the Generic SCIM Connector

1. In the Active Roles Synchronization Service, navigate to Connections > Add Connection.

Figure 4: Active Roles Synchronization Service Console – Adding a new connection via Connections > Add connection

2. In the Name connection and select connector step, specify a custom Connection name. Then, to load the SCIM-specific connector settings, from the Use the specified connector drop-down list, select Generic: SCIM Connector.

Figure 5: Add Connection – Specifying the connection name and connector type

3. (Optional) If you want to use a remote connector for the configured connection, configure Remote connector access as described in Creating a connection using a remotely installed connector.
4. To continue, click Next. The Connection settings step of the Generic SCIM Connector appears.

Figure 6: Generic SCIM Connector – General, authentication and implementation settings

5. Under General settings, specify the base SCIM URL of the Starling Connect connector to which you want to connect.
   TIP: To check the base SCIM URL of the Starling Connect connector, in Starling Connect, navigate to Connectors > Active Connectors, select the SCIM-based connector to which you want to connect, then copy the value of the SCIM URL property.
6. Under Authentication settings, to enable the authentication scheme options required by the supported Starling Connect connectors, select the Starling authentication scheme, then configure the following settings:
   • Token endpoint URL: Specifies the full path of the Starling connector token endpoint.
     TIP: To find the token endpoint URL of the Starling Connect connector, in Starling Connect, navigate to Connectors > Active Connectors, and copy the value of the SCIM Token Endpoint URL property.
   • Client ID: Specifies the SCIM client ID.
     TIP: To find the SCIM client ID of the Starling Connect connector, in Starling Connect, navigate to Connectors > Active Connectors, and copy the value of the SCIM Client ID property.
   • Client secret: Specifies the SCIM client secret.
     TIP: To find the SCIM client secret of the Starling Connect connector, in Starling Connect, navigate to Connectors > Active Connectors, and copy the value of the Show SCIM Client Secret text box.
7. Under Implementation plugin, to enable the pre-made connection implementation for the supported Starling Connect connectors, select Starling batch 1 - v2.0.
   NOTE: The Starling batch 1 - v2.0 implementation plugin is backwards compatible with Starling batch 1 - v1.0, originally released in Active Roles 7.6.1.
   The Generic SCIM Connector was tested with the following Starling Connect connectors:

   • Pipedrive 1.0
   • ServiceNow 2.0
   • SuccessFactors HR 8.0 and 9.0
   • WorkdayHR 3.0
   • Zendesk 1.0
   While the Generic SCIM Connector may work with other SCIM 2.0-based Starling Connect connectors, One Identity tested it to work only with those connectors and connector versions.
   For the list of SCIM attributes supported by Starling Connect for these connectors, see the Pipedrive, ServiceNow, SuccessFactorsHR and Zendesk chapters of the Starling Connect Active Roles Administration Guide.
8. Configure the following Starling Connect connection settings as required by the Starling Connect connector to which you want to connect.
   • Import uses direct query: When selected, Active Roles Synchronization Service queries every synchronized object separately by its ID. Select this setting when configuring a connection to the Starling Connect ServiceNow 2.0, Zendesk 1.0, or similar connectors.
     NOTE: Consider the following when using this setting:
     • Selecting this setting decreases synchronization speed considerably. However, you must select this setting to read all object attributes for Starling Connect ServiceNow 2.0, or to read certain resource types or attributes for Zendesk 1.0.
     • Do not enable this setting when configuring the Generic SCIM Connector for other supported Starling Connect connectors, as it has no effect on the results of import data synchronization.
   • Query only synced attributes: To improve performance, certain Starling Connect connectors allow querying only the attributes that are specifically defined for synchronization. If you enable this setting, Synchronization Service sets the ?attributes=attrName query parameter according to IETF RFC 7644, so that Starling Connect retrieves only the attributes specified in the sync workflow.
     NOTE: Select this setting if you configure a connection for the Starling Connect Pipedrive 1.0 or Zendesk 1.0 connectors.
   • Starling cursor-based pagination: Certain Starling Connect connectors use a cursor-based pagination method (as defined by Cursor-based Pagination of SCIM Resources) instead of the protocol-defined index-based pagination (the startIndex and count parameters of IETF RFC 7644). When configuring a connection to such a Starling connector, select this setting to override the standard pagination method.
     NOTE: Select this setting if you configure a connection to the Starling Connect Pipedrive 1.0, WorkdayHR 3.0 or Zendesk 1.0 connectors.
   • Max degree of parallelism: If Import uses direct query is enabled, this setting specifies the maximum number of threads that Synchronization Service Console can run in parallel for the direct query of each object in the response list (that is, how many entries Synchronization Service Console can query simultaneously).
     TIP: One Identity recommends testing the value optimal for your environment, and setting it as low as possible. Specifying a value of 1 means no parallelism is configured.
     NOTE: Consider the following when using this setting:
     • This setting works only if Import uses direct query is enabled. Active Roles Synchronization Service will ignore any value specified for Max degree of parallelism if Import uses direct query is not selected.
     • Setting the value of Max degree of parallelism too high may result in connector service instability.
9. Check the implementation plugin information indicated on-screen. Make sure that the Supported Features, the Target Service Providers and the supported Starling Connect connector versions will meet the requirements of your planned mapping rule and/or synchronization workflow.
10. To verify that the specified authentication settings are correct, click Test Connection.
    NOTE: Clicking Test Connection verifies only that the authentication settings for the SCIM metadata endpoint connection are correct, and that Active Roles Synchronization Service can fetch the SCIM schemas and query the resourceTypes metadata from the configured SCIM service.
    When testing the connection, Active Roles Synchronization Service does not query any actual resource objects. Because of this, testing may finish successfully even if the connection is down between Starling Connect and the third-party service provider (for example, SuccessFactors HR), preventing the import of actual data during synchronization later. To confirm that data can actually be read, run the first synchronization workflow against a small scope and check its results.
    TIP: If testing fails, Active Roles Synchronization Service will highlight the settings that it detects as incorrect. Check and fix those settings, then try again. If testing fails again, then:
    • Check your network connectivity.
    • Check if the Starling Connect service is available.
    • Make sure that the Starling Connect connector you specified during configuration is still active and working.
    • If you use a proxy server, make sure that the system-level proxy settings are properly configured.
11. If testing completed successfully, create the new SCIM connection to the Starling Connect connector by clicking Finish.
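The settings in step 8 change the wire-level behaviour of the import, and the Test Connection note in step 10 explains why a successful test does not prove that data can be read. The following Python example is added here to show both and is not code from this guide or from the Generic SCIM Connector: it runs a full import against a constructed in-memory SCIM 2.0 service (no network), switching between RFC 7644 startIndex/count paging and cursor paging, projecting attributes with ?attributes=, and optionally re-reading every object by ID on a bounded thread pool; probe() then does what Test Connection does not and fetches one real resource after the metadata. The cursor and nextCursor parameter names are taken from the cursor-pagination draft and are an assumption, the sample users are constructed, and the "department is only returned by GET /Users/{id}" behaviour is modelled on the description of the ServiceNow-style connectors above.

```python
import threading
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, Iterable, List, Optional


class FakeScimService:
    """Constructed in-memory SCIM 2.0 service standing in for a Starling Connect connector:
    pages by RFC 7644 startIndex/count or by cursor/nextCursor (names assumed from the draft),
    honours ?attributes=, omits 'department' from list responses like the ServiceNow-style
    connectors above, and backend_down models the third-party service being down while
    Starling still answers metadata requests."""
    LIST_OMITS = {"department"}
    def __init__(self, users: List[dict], cursor_paging: bool = False, backend_down: bool = False):
        self.users = {u["id"]: u for u in users}
        self.cursor_paging, self.backend_down = cursor_paging, backend_down
        self.requests, self._lock = 0, threading.Lock()

    def _hit(self) -> None:
        with self._lock:
            self.requests += 1
        if self.backend_down:
            raise RuntimeError("HTTP 503 from the connector backend")

    def resource_types(self) -> List[dict]:              # served by the SCIM front end itself
        return [{"id": "User", "endpoint": "/Users", "schema": "urn:ietf:params:scim:schemas:core:2.0:User"}]

    def list_users(self, params: Dict[str, str]) -> dict:
        self._hit()
        ids, count = list(self.users), int(params.get("count", "100"))
        start = int(params.get("cursor", "0")) if self.cursor_paging else int(params.get("startIndex", "1")) - 1
        page = ids[start:start + count]
        wanted = params.get("attributes")
        keep = set(wanted.split(",")) | {"id"} if wanted else None      # id is always returned
        resources = [{k: v for k, v in self.users[uid].items()
                      if k not in self.LIST_OMITS and (keep is None or k in keep)} for uid in page]
        resp = {"totalResults": len(ids), "itemsPerPage": len(page), "startIndex": start + 1,
                "Resources": resources}
        if self.cursor_paging and start + count < len(ids):
            resp["nextCursor"] = str(start + count)                      # opaque to the client
        return resp

    def get_user(self, uid: str) -> dict:
        self._hit()
        return dict(self.users[uid])


def import_users(svc: FakeScimService, *, page_size: int = 2,
                 synced_attributes: Optional[Iterable[str]] = None, cursor_paging: bool = False,
                 direct_query: bool = False, max_parallelism: int = 1) -> List[dict]:
    """Applies the four Generic SCIM Connector import settings to a full import."""
    base = {"count": str(page_size)}
    if synced_attributes:                                  # Query only synced attributes
        base["attributes"] = ",".join(synced_attributes)   # RFC 7644 section 3.9
    listed: List[dict] = []
    cursor, start = None, 1                                # SCIM startIndex is 1-based
    while True:
        params = dict(base)
        if cursor_paging:                                  # Starling cursor-based pagination
            if cursor is not None:
                params["cursor"] = cursor
        else:                                              # protocol-defined index paging
            params["startIndex"] = str(start)
        page = svc.list_users(params)
        listed.extend(page["Resources"])
        cursor, start = page.get("nextCursor"), start + page["itemsPerPage"]
        done = (cursor is None) if cursor_paging else (not page["Resources"] or start > page["totalResults"])
        if done:
            break
    if not direct_query:
        return listed
    # Import uses direct query: re-read every object by id on at most max_parallelism threads.
    with ThreadPoolExecutor(max_workers=max(1, int(max_parallelism))) as pool:
        return list(pool.map(lambda r: svc.get_user(r["id"]), listed))


def probe(svc: FakeScimService) -> Dict[str, bool]:
    """One step past Test Connection: after the metadata, read one real resource."""
    metadata = bool(svc.resource_types())
    try:
        return {"metadata": metadata, "data": bool(svc.list_users({"count": "1"})["Resources"])}
    except RuntimeError:                                   # Starling up, third-party service down
        return {"metadata": metadata, "data": False}


SAMPLE_USERS = [{"id": f"u{i}", "userName": f"user{i}@example.com", "department": "IT"} for i in range(1, 6)]


def run_scenarios() -> dict:
    out = {}
    svc = FakeScimService(SAMPLE_USERS)
    users = import_users(svc)
    out["index_paging"] = (svc.requests, len(users), "department" in users[0])
    svc = FakeScimService(SAMPLE_USERS, cursor_paging=True)
    users = import_users(svc, cursor_paging=True, synced_attributes=["userName"])
    out["cursor_projected"] = (svc.requests, len(users), sorted(users[0]))
    svc = FakeScimService(SAMPLE_USERS)
    users = import_users(svc, direct_query=True, max_parallelism=2)
    out["direct_query"] = (svc.requests, len(users), all("department" in u for u in users))
    out["probe_backend_down"] = probe(FakeScimService(SAMPLE_USERS, backend_down=True))
    return out
```

run_scenarios() makes the trade-offs visible: five users with a page size of two cost three list requests in either paging mode, direct query adds one request per object (eight in total) but is the only way to get the omitted attribute, and the probe reports metadata reachable but no data when the backend is down, which is exactly the case a green Test Connection would hide.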

After Active Roles Synchronization Service created the connection, you can use it to
configure SCIM-based data synchronization by setting up one or more mapping rules and
synchronization workflows.

• For an example SCIM-based mapping rule, see Creating object mapping between a SCIM connection and an SQL connection.
• For an example SCIM-based synchronization workflow, see Creating a sync workflow for synchronizing data from a SCIM-based Starling Connect connector.
• For a PowerShell script example for synchronizing complex multi-value objects from a SCIM source system, see Synchronizing complex multi-value objects from a SCIM source system.

Viewing or modifying the settings of a Generic SCIM Connector connection
You can view or modify an existing connection based on the Generic SCIM Connector
with the Synchronization Service Console. Modifying a Generic SCIM Connector
connection is typically required if any change occurs in the SCIM-based Starling Connect
connectors to which the Active Roles Synchronization Service connection was originally
configured.

To view or modify an existing Generic SCIM Connector connection

1. In the Synchronization Service Console, click Connections.
2. In Connections, search for the connection you want to modify, then click Connection settings.
3. (Optional) In General, modify the custom Connection name.

4. (Optional) In Connection Settings, modify the following settings as you need. They have the same meaning as in the connection wizard; for the related tips and notes, see Configuring the Generic SCIM Connector for Starling Connect connections.
   • Token endpoint URL: Specifies the full path of the Starling connector token endpoint (the SCIM Token Endpoint URL property of the connector in Starling Connect, under Connectors > Active Connectors).
   • Client ID: Specifies the SCIM client ID (the SCIM Client ID property of the connector).
   • Client secret: Specifies the SCIM client secret (the value of the Show SCIM Client Secret text box of the connector).
   • Import uses direct query: When selected, Active Roles Synchronization Service queries every synchronized object separately by its ID. Required to read all object attributes for Starling Connect ServiceNow 2.0 and certain resource types or attributes for Zendesk 1.0; it decreases synchronization speed considerably and has no effect on the results for the other supported connectors.
   • Query only synced attributes: When selected, Synchronization Service sets the ?attributes=attrName query parameter according to IETF RFC 7644, so that Starling Connect retrieves only the attributes specified in the sync workflow. Select this setting for the Pipedrive 1.0 or Zendesk 1.0 connectors.
   • Starling cursor-based pagination: Overrides the protocol-defined index-based pagination with the cursor-based method (Cursor-based Pagination of SCIM Resources) used by certain Starling Connect connectors. Select this setting for the Pipedrive 1.0, WorkdayHR 3.0 or Zendesk 1.0 connectors.
   • Max degree of parallelism: The maximum number of threads used for the direct query of each object when Import uses direct query is enabled; ignored otherwise. Test the value optimal for your environment and set it as low as possible (1 means no parallelism); a value that is too high may result in connector service instability.
5. (Optional) In Scope, modify the scope of objects included in the data
synchronization process of the connection. For more information on the Scope
settings, see Modifying synchronization scope for a connection.
6. (Optional) In Connection Handlers, create, update or remove any automated data
synchronization operations for the connection. For more information on the
Connection Handlers settings, see Using connection handlers.
7. To apply your changes, click Save and Continue.

Using connectors installed remotely
In some cases, you need to configure a connection to an external data system that is separated by a firewall from the computer running Synchronization Service. To implement this scenario, you can install an instance of Synchronization Service and built-in connectors on a remote computer and switch this Synchronization Service instance to remote mode. This allows the Synchronization Service instance running in local mode to communicate with the remotely installed instance and connectors via a single port.
Consider a scenario where you want to synchronize data between two Active Directory domains that are separated by a firewall. In this case, you can install one Synchronization Service instance in local mode in the first domain, then deploy another Synchronization Service instance in remote mode in the other domain. Then, ensure the firewall allows traffic on the port used for communications between the Synchronization Service instances (port 8080 by default), preferably only from the computer running the local-mode instance.

Installing Synchronization Service and built-in connectors remotely
To use connectors remotely, you need to install Synchronization Service and built-in connectors on the required remote computer and switch the installed instance of Synchronization Service to remote mode. For more information on installing Synchronization Service, see Installing Synchronization Service.

To set Synchronization Service in remote mode

1. Start the Synchronization Service Console.
2. Follow the steps in the wizard that starts automatically to configure Synchronization Service.
3. On the Service Account and Mode page, do the following and click Finish:
   • Enter the account under which you want Synchronization Service to run.
   • Select the remote mode for this instance of Synchronization Service.

Creating a connection using a remotely installed connector
To create a connection using a remotely installed connector

1. Start the Synchronization Service Console.
2. On the Connections tab, click Add connection.
3. In the Connection name text box, type a descriptive name for the connection.
4. From the Use the specified connector list, select the connector you want to use.
5. Click to expand the Remote connector access element, and then use the following options:
   • Use remote connector: Select this check box to use the connector installed on a remote computer.
   • Connector host: Type the Fully Qualified Domain Name (FQDN) of the computer on which the Synchronization Service in remote mode and the corresponding connector are installed.
   • Port: Type the port number on which you want the Synchronization Service to access the remote connector. By default, this is port 8080.
   • Connect using: Specify an account under which to access the remote connector. The account must be a local administrator on the computer where the remote connector is installed. Select one of the following:

     • Synchronization Service account: Allows you to access the remote connector using the account under which Synchronization Service is running locally.
     • Windows account: Allows you to type the user name and password of the account with which you want to access the remote connector.
   • Verify Settings: Click this button to verify that Synchronization Service can access the remote connector using the settings you have specified.
6. Follow the instructions of the wizard to complete the connection creation.

Creating a connection
To create a connection

1. In the Synchronization Service Console, open the Connections tab.
2. Click Add connection.
3. On the wizard page that opens, use the following options:
   • Connection name: Type a descriptive name for the connection being created.
   • Use the specified connector: From this list, select the connector you want to use.
   • Remote connector access: Expand this element to specify settings to access the connector installed on a remote computer. For more information, see Using connectors installed remotely.
4. Follow the steps in the wizard to create a connection.

For information on the options you can use in the subsequent steps of the wizard, see the
section for the connector you have selected.

Renaming a connection
You can rename any existing data connection in the Active Roles Synchronization Service Console.

To rename a connection

1. In the Synchronization Service Console, open the Connections tab.
2. Click the name of the existing connection you want to rename.
3. On the General tab, edit the connection name in the Connection name box.
4. Click Save.

Deleting a connection
To delete a connection

1. In the Synchronization Service Console, open the Connections tab.
2. Locate the connection you want to delete, and then click Delete connection for that connection.
3. When prompted, confirm that you want to delete the connection.

Modifying synchronization scope for a connection
For each connected data system, you can modify the scope of objects participating in the data synchronization operations.

To modify the synchronization scope

1. In the Synchronization Service Console, open the Connections tab.
2. Locate the connection for which you want to modify the synchronization scope, then click Synchronization scope.
3. Use the following options to modify the synchronization scope:
   • Include objects from selected containers only: Select the check boxes next to the containers that hold the objects you want to participate in data synchronization operations.
     NOTE: This option may be unavailable for some types of connected data systems, such as Microsoft SQL Server or Oracle Database.
   • Objects must meet these conditions: Set up a list of conditions that objects must meet in order to participate in data synchronization operations.
4. When you are finished, click Save.

Using connection handlers
Connection handlers allow you to automatically perform specific actions on connected data systems before, after, or instead of specific data synchronization operations (such as create, modify, move, rename, delete, or password synchronization). When creating a connection handler, you can specify the action you want to perform and set the conditions for triggering the action.

By default, Synchronization Service includes only one built-in handler type, which runs your custom PowerShell script to perform the action you want. However, you can also implement your own custom handler types.
IMPORTANT: If the predefined connection handler is configured to run your PowerShell script instead of a data synchronization operation, the script must return a system entry object.
To create, modify, or delete handlers for a connection, use the Connection Handlers tab in the connection settings:

Figure 7: Connection Handlers

This tab provides the following elements:
• Add handler: Starts a wizard that helps you add a new connection handler. By default, the wizard creates a new handler that allows you to run your PowerShell script.
• Disable: Disables the connection handler.
• Enable: Enables the connection handler.
• Move up: Moves the connection handler one position up in the list.
• Move down: Moves the connection handler one position down in the list.
• Delete: Deletes the connection handler.

To create a connection handler

1. In the Synchronization Service Console, open the Connections tab.


2. Click the name of the connection for which you want to create a handler, then click
the Connection Handlers tab.
3. Click Add handler, then follow the steps in the wizard to create your handler.

To modify a connection handler

1. In the Synchronization Service Console, open the Connections tab.


2. Click the name of the connection for which you want to modify a handler, then click
the Connection Handlers tab.
3. Click the name of the handler you want to modify, then modify the handler settings
as necessary. When you are finished, click OK.
4. You can also do the following:
l Change the order in which handlers are activated: Synchronization
Service activates handlers in the order in which they appear in the list. To
move a handler in the list, use the Move up and Move down links below
the handler.
l Disable or enable handlers: You can enable or disable existing handlers. To
do so, use the Enable or Disable link below the handler.
5. When you are finished, click Save.

To delete a connection handler

1. In the Synchronization Service Console, open the Connections tab.


2. Click the name of the connection for which you want to delete a handler, then click
the Connection Handlers tab.
3. Click Delete below the handler you want to delete.

Specifying password synchronization settings for a connection

For each connected data system that supports password synchronization, you can set
password synchronization settings. These settings allow you to enable or disable password
synchronization and manage passwords in the data system by using One Identity
Password Manager.
Optionally, you can use the password synchronization settings to specify a custom
Windows PowerShell script you want to run each time the password synchronization
completes for the connected data system.

To specify password synchronization settings

1. In the Synchronization Service Console, open the Connections tab.


2. Click the name of the connection for which you want to modify password
synchronization settings.
3. Open the Password tab, and use the following options to modify the password
synchronization settings as necessary:

l Synchronize and manage passwords: Allows you to enable or disable
password synchronization for this connection. Selecting this check box also
allows you to manage passwords in the connected data system by using One
Identity Password Manager. For more information on Password Manager, see
https://www.oneidentity.com/products/password-manager/.
l Synchronize passwords for objects of this type: Allows you to specify an
object type that will participate in password synchronization. Click Select next
to this text box, then specify the object type you want.
NOTE: This option is only available for certain types of connected systems,
such as the LDAP directory service.
l Password synchronization method: Allows you to select a password
synchronization method.
NOTE: This option is only available for certain types of connected systems,
such as LDAP directory service.
You can select one of the following methods:
l Write password to this attribute: Displays the object attribute in
which the object password will be stored. To specify a different attribute,
click Select next to the text box in this option.
l Use LDAP extended operation: Allows you to automate the
synchronization of user passwords in the connected data system
regardless of the form of the authentication identity or the password
storage mechanism used (for example, in the case of non-directory
storage of passwords).
l Configure Query: Allows you to use an SQL query to specify the data
you want to participate in the password synchronization. Click
Configure, then type your SQL query.
NOTE: This option is only available for certain types of connected
systems, such as LDAP directory service or Oracle Database.
4. When you are finished, click Save.
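To make the difference between the two LDAP methods concrete, the following PowerShell script is an added example; it is not code from this guide or from One Identity. With Write password to this attribute, Synchronization Service writes the new value into the chosen attribute, and whether the directory hashes that value depends on how the directory treats that attribute. With an extended operation, the directory receives a request to change the password and applies its own policy and storage format. The description of the Use LDAP extended operation option matches the LDAP Password Modify extended operation (RFC 3062, OID 1.3.6.1.4.1.4203.1.11.1), so the script builds that request and sends it over LDAPS; treating it as the operation the product uses is an assumption of the example, as are the server name, DN, and credential values.

```powershell
# Added example, not code from the Active Roles guide or from One Identity.
# Builds (and optionally sends) an RFC 3062 LDAP Password Modify extended
# operation. Assumptions: this is the operation behind "Use LDAP extended
# operation"; server, DN and credentials below are illustrative.

function ConvertTo-BerLength {
    param([int]$Length)
    # Short form for lengths < 128; long form (0x80|N, then N big-endian bytes).
    if ($Length -lt 0x80) { return [byte[]]@([byte]$Length) }
    $raw = [System.BitConverter]::GetBytes([uint32]$Length)
    if ([System.BitConverter]::IsLittleEndian) { [array]::Reverse($raw) }
    $start = 0
    while ($start -lt 3 -and $raw[$start] -eq 0) { $start++ }
    $significant = [byte[]]$raw[$start..3]
    return [byte[]](@([byte](0x80 -bor $significant.Length)) + $significant)
}

function New-BerElement {
    param([byte]$Tag, [byte[]]$Content)
    # One TLV: tag, BER length, content bytes.
    return [byte[]](@($Tag) + (ConvertTo-BerLength $Content.Length) + $Content)
}

function New-PasswordModifyRequestValue {
    param(
        [Parameter(Mandatory)][string]$UserIdentity,   # DN of the account to change
        [Parameter(Mandatory)][string]$NewPassword,
        [string]$OldPassword                           # optional; omitted for admin resets
    )
    $utf8 = [System.Text.Encoding]::UTF8
    $fields = @()
    $fields += New-BerElement -Tag 0x80 -Content $utf8.GetBytes($UserIdentity)    # [0] userIdentity
    if ($OldPassword) {
        $fields += New-BerElement -Tag 0x81 -Content $utf8.GetBytes($OldPassword)  # [1] oldPasswd
    }
    $fields += New-BerElement -Tag 0x82 -Content $utf8.GetBytes($NewPassword)      # [2] newPasswd
    return New-BerElement -Tag 0x30 -Content ([byte[]]$fields)                     # SEQUENCE
}

function Send-LdapPasswordModify {
    param(
        [Parameter(Mandatory)][string]$Server,             # assumed, e.g. ldap.corp.example
        [Parameter(Mandatory)][pscredential]$BindCredential,
        [Parameter(Mandatory)][string]$UserDn,
        [Parameter(Mandatory)][string]$NewPassword
    )
    Add-Type -AssemblyName System.DirectoryServices.Protocols
    $identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 636)
    $netCred    = $BindCredential.GetNetworkCredential()
    $authType   = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier, $netCred, $authType)
    # The new password is carried inside the request, so LDAPS only.
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.Bind()
    try {
        $value    = [byte[]](New-PasswordModifyRequestValue -UserIdentity $UserDn -NewPassword $NewPassword)
        $request  = New-Object System.DirectoryServices.Protocols.ExtendedRequest('1.3.6.1.4.1.4203.1.11.1', $value)
        $response = $conn.SendRequest($request)
        return $response.ResultCode
    } finally {
        $conn.Dispose()
    }
}

# Offline check on constructed input: inspect the encoding without a server.
$encoded = [byte[]](New-PasswordModifyRequestValue -UserIdentity 'uid=jdoe,ou=people,dc=example,dc=com' -NewPassword 'Correct-Horse-9!')
($encoded | ForEach-Object { '{0:X2}' -f $_ }) -join ' '
```

The encoding functions run offline against the constructed DN and password shown; Send-LdapPasswordModify needs a reachable LDAPS server and a bind account allowed to change the target's password. Whichever method is selected, the credential configured for password synchronization can set the password of every account it is permitted to write, so scope its write access to the object type and containers that actually participate in the synchronization.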

5 Synchronizing identity data

To synchronize identity data between connected data systems, you can use sync workflows
and synchronization steps. A sync workflow is a set of data synchronization operations
called synchronization steps. A sync workflow can include one or more steps. Each
synchronization step defines a synchronization operation to be run between the source and
target connected data systems. To manage sync workflows and their steps, use the
Sync Workflows tab in the Synchronization Service Console.
You can configure a synchronization step to perform one of the following operations:
l Creation: Creates objects in the target data system based on the changes made to
specific objects in the source data system. When creating a new object in the target
data system, Synchronization Service generates initial values for the object
attributes using the attribute population rules you have configured.
l Update: Modifies object attributes in the target data system based on the changes
made to specific objects in the source data system. To specify the objects that will
participate in the update operation you can use object mapping rules. For more
information, see Mapping objects.
l Deprovision: Modifies or removes objects in the target data system after their
counterparts have been disconnected from the source data system. Synchronization
Service can be configured to remove target objects permanently or change them to a
specific state. To specify the objects that will participate in the deprovision operation
you can use object mapping rules. For more information, see Mapping objects.

When configuring a synchronization step you can specify the following:


l Containers to which you want to create or move objects.
l Settings to generate names for objects being created or modified.
l Settings to synchronize group memberships.
l Settings to synchronize attribute values.

To synchronize identity data between two data systems, you need to create a sync
workflow, populate the workflow with synchronization steps, and then run the sync
workflow manually or schedule the sync workflow run. The following figure illustrates how
Synchronization Service synchronizes identity data in connected data systems:

Figure 8: Identity Data Synchronization

Running a sync workflow causes Synchronization Service to read data in the source and
target data systems according to the settings in the sync workflow steps and prepare a list
of changes to be made in the target system. Then, you can commit these changes to the
target data system.
Running a sync workflow manually allows you to review a list of changes before committing
them to the target data system. A scheduled sync workflow run always commits changes to
the target data system automatically.
You can configure as many sync workflows as needed, each performing its own set of
synchronization steps.

Creating a sync workflow


To create a sync workflow

1. In the Synchronization Service Console, open the Sync Workflows tab.


2. Click Add sync workflow.
3. In the Sync workflow name text box, type a name for the sync workflow
being created.
4. Click OK.
The new workflow appears on the Sync Workflows tab.
NOTE: After you have created a sync workflow, you must populate it with one or more
synchronization steps. For more information, see Synchronizing identity data.

Running a sync workflow
After you have created a sync workflow and populated it with one or more steps, you can
run it. Before running a sync workflow, you can select the workflow steps you want to
run. You can run a sync workflow either manually or automatically on a recurring
schedule.

Running a sync workflow manually


This method allows you to select specific steps in a sync workflow and run them. You can
also specify how you want to commit the changes to the target data system: automatically
or manually. With the manual method you can review a list of changes before committing
them to decide whether or not you want these changes in the target system.

To run a sync workflow manually

1. In the Synchronization Service Console, open the Sync Workflows tab.


2. Click the name of the sync workflow you want to run.
3. Click Run now.
4. Select the check boxes next to the sync workflow steps you want to run.
5. If you want to automatically commit the changes made by the sync workflow run,
select the Automatically commit changes check box. If you want to review the
changes before committing them, leave this check box cleared.
6. Click one of the following to run the sync workflow:
l Full Run: With this option, Synchronization Service retrieves the data required
to run the sync workflow from the connected data systems.
l Quick Run: With this option, Synchronization Service first tries to run the sync
workflow by using the data that is available in the local cache. If the local cache
is missing or cannot be used to run the sync workflow, then Synchronization
Service retrieves the required data from the connected data systems.

Running a sync workflow on a recurring schedule

This method allows you to create a recurring schedule to automatically run specific steps in
a sync workflow.
When scheduling a sync workflow, you can choose the workflow steps to run, specify how
frequently you want to run the steps, and set the date and time when you want the run
schedule to come into effect. If you have two or more Synchronization Service instances

installed in your environment, you can also select a Synchronization Service instance to be
used for running the sync workflow.
A scheduled sync workflow automatically commits changes to the target data system.

To run a sync workflow on a recurring schedule

1. In the Synchronization Service Console, open the Sync Workflows tab.


2. Click Schedule below the name of the sync workflow you want to run on a
recurring schedule.
3. In the dialog that opens, select Schedule the task to run, then specify a schedule.
4. If there are several Synchronization Service instances deployed in your environment,
under Run the task on, select the computer that hosts the Synchronization Service
instance you want to use for running the sync workflow.
5. Expand Sync Workflow Steps, and then select the workflow steps you want to run
on the schedule.
6. To activate the schedule, click OK.

Disabling a sync workflow run schedule


To disable a sync workflow run schedule

1. In the Synchronization Service Console, open the Sync Workflows tab.


2. Click Schedule below the sync workflow for which you want to disable the
run schedule.
3. In the dialog that opens, clear the Schedule the task to run check box.
4. To disable the schedule, click OK.

Renaming a sync workflow


To rename a sync workflow

1. In the Synchronization Service Console, open the Sync Workflows tab.


2. Click Rename below the sync workflow.
3. In the Sync workflow name text box, type a new workflow name.
4. Click OK to apply the change.

Deleting a sync workflow
To delete a sync workflow

1. In the Synchronization Service Console, open the Sync Workflows tab.


2. Click Delete below the sync workflow.
3. When prompted, confirm that you want to delete the sync workflow.

Adding a creating step


A creating step creates objects of one type in the target connected system from objects
of one type in the source connected system. To add one, use Add synchronization step >
Creation. Typically, you add a creating step when configuring a new sync workflow, or
when an existing sync workflow must synchronize a new pair of object types.

To add a creating step

1. In the Synchronization Service Console, open the Sync Workflows tab.


2. Click the name of the sync workflow in which you want to add a creating step.
If necessary, create a new sync workflow. For more information, see Creating a
sync workflow.
3. Click Add synchronization step.
4. Select Creation, then click Next.
5. Specify the source system by using these options:
l Source connected system: Allows you to choose a source data system for
the creation operation. Click Specify to select a data system connected earlier
or add and select a new data system.
l Source object type: Allows you to specify the object type you want to use as
a source for the creation operation. Click Select to specify an object type.
l Creation Criteria: Allows you to narrow the scope of source data system
objects that participate in the creating step. To specify the containers that
hold the source objects you want to participate in the step, expand
Creation Criteria. You can also specify additional conditions to include
objects into the scope.
6. Click Next.
7. Specify the creation target by using these options:
l Target connected system: Allows you to choose a target data system for the
creation operation. To select a data system connected earlier or add and select

a new data system, click Specify.
l Target object type: Allows you to specify the target data system object type
to which you want to create objects from the source data system. To specify an
object type, click Select.
l Target container: Allows you to specify the target data system container in
which you want to create objects. Click the down arrow on the button, and then
select one of the following:
l Browse: Click to locate and select a single target container.
l PowerShell Script: Click to compose a PowerShell script that calculates
the target container name.
l Rule: Click to configure a set of rules for selecting target containers.
l Use Mapping: Click to define a target container based on the mapping
of the source object.
l Clear: Click to use an empty value.
l Rules to generate unique object name: Allows you to set up a list of rules
to generate a unique name for each object being created. For more
information, see Generating object names by using rules.
8. Click Next.
9. Specify rules to create objects into the target data system. You can use the
following options:
l Initial Attribute Population Rules: Expand this element to specify how you
want to populate the attributes of created objects. For more information, see
Modifying attribute values by using rules.
l Initial Password: Expand this element to specify an initial password for each
created object.
l User Account Options: Expand this element to specify settings for the user
accounts to be created.
10. To add the creating step, click Finish.

You can modify the settings of an existing synchronization step. For more information, see
Modifying an existing sync workflow step.
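As an added example of the Target container > PowerShell Script option (not code from this guide or from One Identity), the following script derives the container from the source object's department and refuses to place an object anywhere that is not on an explicit list. The OU names, the department mapping, and the $srcObj variable used to reach source attributes are assumptions of the example; confirm the product's script variables before using it in a step.

```powershell
# Added example, not code from the Active Roles guide or from One Identity.
# Assumptions: the OU names, the department-to-OU mapping, and the $srcObj
# variable used at the end to read source attributes.

$OuByDepartment = @{
    'Finance'     = 'OU=Finance,OU=Users,DC=corp,DC=example'
    'Engineering' = 'OU=Engineering,OU=Users,DC=corp,DC=example'
    'HR'          = 'OU=HR,OU=Users,DC=corp,DC=example'
}
# Objects with an unknown or empty department are parked in a holding OU that
# grants nothing, instead of silently defaulting to a broad or privileged OU.
$HoldingOu = 'OU=Unassigned,OU=Users,DC=corp,DC=example'

function Resolve-TargetContainer {
    param(
        [string]$Department,
        [hashtable]$Map = $OuByDepartment,
        [string]$Fallback = $HoldingOu
    )
    $key = $Department.Trim()
    if ($key.Length -eq 0) { return $Fallback }
    # Hashtable literals are case-insensitive, so 'finance' also matches.
    # Only an exact allow-list hit may choose an OU: a source value such as
    # 'OU=Domain Admins,...' must never be used as a DN directly.
    if ($Map.ContainsKey($key)) { return $Map[$key] }
    return $Fallback
}

# Constructed sample input standing in for source objects of different kinds.
$samples = @('Finance', ' engineering ', 'Sales', '', 'OU=Domain Admins,DC=corp,DC=example')
foreach ($dept in $samples) {
    '{0,-40} -> {1}' -f "[$dept]", (Resolve-TargetContainer -Department $dept)
}

# Inside the step's script, the last expression provides the container, e.g.:
# Resolve-TargetContainer -Department $srcObj['department']   # $srcObj: assumed
```

Run as-is, the script prints one line per constructed sample so the allow-list behavior can be checked before the logic is pasted into a step; the two final comment lines show how the same function would be applied to a real source object.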

Creating an update step


An updating step modifies objects of one type in the target connected system based on
changes to objects of one type in the source connected system. To add one, use Add
synchronization step > Update.

To create an updating step

1. In the Synchronization Service Console, open the Sync Workflows tab.


2. Click the name of the sync workflow in which you want to create an updating step.
If necessary, create a new sync workflow. For more information, see Creating a
sync workflow.
3. Click Add synchronization step.
4. Select Update, then click Next.
5. Specify the update operation source by using these options:
l Source connected system: Allows you to choose a source data system for
the update operation. To select a data system connected earlier or add and
select a new data system, click Specify.
l Source object type: Allows you to specify the data system object type you
want to use as a source for the update operation. To specify an object type,
click Select.
l Updating Criteria: Allows you to narrow the scope of source data system
objects that will participate in the updating step. To specify the containers that
hold the source objects you want to participate in the step, expand Updating
Criteria. You can also specify additional criteria for selecting source objects.
6. Click Next.
7. Specify an update target by using these options:
l Target connected system: Allows you to choose a target connected system
for the update operation. To select a data system connected earlier or add and
select a new data system, click Specify.
l Target object type: Allows you to specify what type of objects you want to
update in the target data system. To specify an object type, click Select.
8. Click Next.
9. Specify rules to update objects in the target data system. You can use the
following options:
l Rules to Modify Object Attributes: Allows you to set up a list of rules to
modify object attributes in the target data system. For more information, see
Modifying attribute values by using rules.
l Rules to Move Objects: Expand this option to specify the location to which
you want to move objects. Click the down arrow on the button, and then select
one of the following:
l Browse: Click to locate and select a single target container.
l PowerShell Script: Click to compose a PowerShell script that calculates
the target container name.
l Rule: Click to configure a set of rules for selecting target containers.

l Use Mapping: Click to define a target container based on the mapping
of the source object.
l Clear: Click to use an empty value.
l Rules to Rename Objects: Allows you to view or change the list of rules used
to rename target objects. For more information, see Generating object names
by using rules.
10. Click Finish to create the updating step.

You can modify the settings of an existing synchronization step. For more information, see
Modifying an existing sync workflow step.

Creating a deprovisioning step


You can create a deprovisioning step between two object types of two connected data
systems in a sync workflow with Add synchronization step > Deprovision. Configuring
the step to change target objects to a specific state rather than delete them is typically
recommended, so that the affected objects can be reprovisioned later.

To create a deprovisioning step

1. In the Synchronization Service Console, open the Sync Workflows tab.


2. Click the name of the sync workflow in which you want to create a
deprovisioning step.
If necessary, create a new sync workflow. For more information, see Creating a
sync workflow.
3. Click Add synchronization step.
4. Select Deprovision, then click Next.
5. Specify a deprovisioning source and criteria by using the following options:
l Source connected system: Allows you to choose a source data system for
the deprovision operation. To select a data system connected earlier or add and
select a new data system, click Specify.
l Source object type: Allows you to specify the data system object type you
want to use as a source for the deprovision operation. To specify an object
type, click Select.
l Deprovision target objects if: Allows you to specify criteria for
deprovisioning objects in the target data system.
6. Click Next.
7. Specify a deprovisioning target by using the following options:
l Target connected system: Allows you to choose a target data system for the
deprovision operation. To select a data system connected earlier or add and

select a new data system, click Specify.
l Target object type: Allows you to specify what type of objects you want to
deprovision in the target data system. To specify an object type, click Select.
8. Click Next.
9. Select a method to deprovision objects in the target data system. You can select
Delete target objects to delete target objects or Modify target objects to modify
target objects using the rules configured in the following options:
l Rules to Modify Object Attributes: Allows you to set up a list of rules to
modify object attributes in the target data system. For more information, see
Modifying attribute values by using rules.
l Rules to Move Objects: Expand this option to specify the location to which
you want to move objects. Click the down arrow on the button, and then select
one of the following:
l Browse: Click to locate and select a single target container.
l PowerShell Script: Click to compose a PowerShell script that calculates
the target container name.
l Rule: Click to configure a set of rules for selecting target containers.
l Use Mapping: Click to define a target container based on the mapping
of the source object.
l Clear: Click to use an empty value.
l Rules to Rename Objects: Allows you to view or change the list of rules used
to rename target objects. For more information, see Generating object names
by using rules.
10. Click Finish to create the deprovisioning step.

You can modify the settings of an existing synchronization step. For more information, see
Modifying an existing sync workflow step.

Modifying an existing sync workflow step

You can modify the existing steps of sync workflows in the Synchronization Service
Console, including their general options, source and target data system settings, or
synchronization rules.

To modify an existing step

1. In the Synchronization Service Console, open the Sync Workflows tab.


2. Click the name of the sync workflow in which you want to modify a step.
3. Click the name of the step you want to modify.

4. Use the following tabs to modify the step as necessary:
l General Options
l Source
l Target
l Creation Rules
l Deprovisioning Rules
l Updating Rules
l Step Handlers
For more information on these tabs, see the next subsections.
5. When you are finished, click Save to apply your changes.

General Options
The general options allow you to rename the step, specify a method for processing data in
the source and target connected systems, and specify conditions to stop data processing.
This tab has the following elements:
l Step name: Allows you to rename the step.
l Specify how to process data in connected systems: Allows you to select how to
process data during synchronization. The available methods are the following:
l Process all data: Each run of the step will process all data in the configured
synchronization scope.
l Process delta from last run: Each run of the step will process only the data
that has changed in the configured synchronization scope since the last run.
l Stop data processing if: Allows you to specify conditions that will stop data
processing in the source and target data systems when met.

Source
The Source setting allows you to view information about the source connected system and
source object type specified for the synchronization step. You can also view or modify the
criteria used to perform the creation, deprovision, or update operation in the step.
For all types of synchronization steps (creating, deprovisioning, and updating), this tab
provides the following options:
l Source connected system: Displays the name of the source data system.
l Source object type: Displays the object type that is used as a source for the
synchronization step.

The Source tab also provides the following options depending on the type of step
you select:
l For deprovisioning steps, the Deprovision target objects if option. This option
allows you to modify the criteria used for triggering the deprovision operation in the
target data system.
l For creation steps, the Creation Criteria option. This option allows you to modify the
scope of source data system objects that participate in the creation step. To modify
the list of containers that hold the source objects you want to participate in the step,
expand Creation Criteria. Also, you can specify additional criteria for selecting
source objects.
l For update steps, the Updating Criteria option. This option allows you to modify the
scope of the source data system objects that participate in the updating step. To
specify the containers that hold the source objects you want to participate in the
step, expand Updating Criteria. You can also specify additional criteria for selecting
source objects.

Target
The Target setting allows you to view information about the target connected system and
target object type specified for the synchronization step. For creating steps, you can use
this tab to view and modify the target container to which objects are created and rules to
generate unique names for created objects.
For all types of synchronization steps (creating, deprovisioning, and updating) this tab
provides the following elements:
l Target connected system: Displays the name of the data system that is currently
used as a target for the synchronization step.
l Target object type: Displays the object type that is currently used as a target for
the synchronization step.

For creating steps related to certain types of target data systems, this tab may also provide
any of the following additional elements:
l Target container: Allows you to specify the target data system container in which
you want to create objects from the source data system. For more information, see
Generating object names by using rules.
l Rules to generate unique object name: Allows you to set up a list of rules to
generate a unique name for each object being created. For more information, see
Generating object names by using rules.

Creation Rules
Creation rules allow you to view or modify the rules used for creating objects. This tab has
the following elements:

l Initial Attribute Population Rules: Expand this element to view or modify the
rules for populating the attributes of objects being created.
l Initial Password: Expand this element to view or modify how an initial password is
generated for each object being created.
l User Account Options: Expand this element to view or modify the settings used for
the user accounts created as a result of the creation operation.

You can use this tab to import or export initial attribute population rules.

To export a population rule to a file

1. In the list of configured attribute population rules, select the rule you want to export.
2. Click More, then click Export.
3. In the Save As dialog, specify an XML file to store the rule.

To import a population rule from a file

1. Expand Initial Attribute Population Rules, click More, then click Import.
2. Use the Open dialog to open the XML file that stores the population rule to import.

Deprovisioning Rules
Deprovisioning rules allow you to select a method for deprovisioning synchronized objects.
As part of deprovisioning, you can either delete the target objects if the source objects
meet the synchronization criteria configured in the wizard, or just modify the target objects
using the following deprovisioning rules.
l Rules to Modify Object Attributes: Allows you to set up a list of rules to modify
object attributes in the target data system. For more information, see Modifying
attribute values by using rules.
l Rules to Move Objects: Expand this option to specify the location to which you
want to move objects. Click the down arrow on the button, and then select one of
the following:
l Browse: Click to locate and select a single target container.
l PowerShell Script: Click to compose a PowerShell script that calculates the
target container name.
l Rule: Click to configure a set of rules for selecting target containers.
l Use Mapping: Click to define a target container based on the mapping of the
source object.
l Clear: Click to use an empty value.
l Rules to Rename Objects: Allows you to view or change the list of rules used to
rename target objects. For more information, see Generating object names by
using rules.

Updating Rules
Updating rules allow you to view or modify the rules used for updating objects. This tab has
the following elements:
l Rules to Modify Object Attributes: Allows you to set up a list of rules to modify
object attributes in the target data system. For more information, see Modifying
attribute values by using rules.
l Rules to Move Objects: Expand this option to specify the location to which you
want to move objects. Click the down arrow on the button, and then select one of
the following:
l Browse: Click to locate and select a single target container.
l PowerShell Script: Click to compose a PowerShell script that calculates the
target container name.
l Rule: Click to configure a set of rules for selecting target containers.
l Use Mapping: Click to define a target container based on the mapping of the
source object.
l Clear: Click to use an empty value.
l Rules to Rename Objects: Allows you to view or change the list of rules used to
rename target objects. For more information, see Generating object names by
using rules.

Step Handlers
Step handlers allow you to create, modify, or delete handlers for a sync workflow step. For
more information on how to use step handlers, see Using sync workflow step handlers.
This tab has the following elements:
l Add handler: Starts a wizard that helps you add a new handler for the sync
workflow step. By default, the wizard creates a new handler that runs your
PowerShell script.
l Disable: Disables the step handler.
l Enable: Enables the step handler.
l Move up: Moves the step handler one position up in the list.
l Move down: Moves the step handler one position down in the list.
l Delete: Deletes the step handler.

Deleting a sync workflow step
You can delete steps in a sync workflow. This is typically required when performing
maintenance and housekeeping on the configured sync workflows, making sure that they
do not contain any outdated or unnecessary steps.

To delete a sync workflow step

1. In the Synchronization Service Console, open the Sync Workflows tab.


2. Click the name of the sync workflow in which you want to delete a step.
3. Click Delete below the step you want to delete.
4. When prompted, confirm that you want to delete the step.

Changing the order of steps in a sync workflow

When you run a sync workflow, its steps are performed in the order they appear in the
Synchronization Service Console. However, if necessary, you can change the order of
these steps.

To change the order of steps in a sync workflow

1. In the Synchronization Service Console, open the Sync Workflows tab.


2. Click the name of the sync workflow in which you want to change the order of steps.
3. Use the Move up and Move down links to arrange the steps as necessary.

Generating object names by using rules


When configuring a synchronization step, you can use the Rules to generate unique
object name list to specify rules for creating or modifying object names in the target
connected system. The Rules to generate unique object name list looks similar to
the following:

Figure 9: Add synchronization step

To configure rules for generating object names

1. Click the down arrow on the leftmost button provided below the Rules to generate
unique object name list.
2. Select a list item:
• Attribute: Allows you to select the target object attribute whose value you
want to use as the object name.
• Rule: Allows you to configure a rule to generate target object names. For
details, see Using value generation rules.
• PowerShell Script: Allows you to type a PowerShell script to generate target
object names.

When the Rules to generate unique object name list includes two or more entries,
Synchronization Service uses the uppermost rule in the list to generate the target object
name. If the generated object name is not unique, Synchronization Service uses the next
rule in the list, and so on.
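The following PowerShell is an added illustration, not code from the guide or from the product: it models the top-down evaluation of the Rules to generate unique object name list, falling through to the next entry whenever the candidate name already exists in the target. The attribute values, the rule bodies and the set of existing names are constructed samples.

```powershell
# Added illustration, not Synchronization Service code: models how the
# "Rules to generate unique object name" list is evaluated, uppermost rule
# first, falling through to the next rule whenever the candidate name is
# already taken in the target system. Attribute values, rule bodies and the
# set of existing names are constructed samples.

function Get-UniqueObjectName {
    param(
        # Attribute values of the source object being created (constructed sample)
        [Parameter(Mandatory)] [hashtable] $SourceObject,
        # Ordered candidate generators; each plays the role of one list entry
        # (Attribute, Rule or PowerShell Script) and returns a candidate name
        [Parameter(Mandatory)] [scriptblock[]] $Rules,
        # Names that already exist in the target connected system
        [Parameter(Mandatory)] [System.Collections.Generic.HashSet[string]] $ExistingNames
    )
    foreach ($rule in $Rules) {
        $candidate = & $rule $SourceObject
        if ([string]::IsNullOrWhiteSpace($candidate)) {
            Write-Verbose 'Rule produced an empty name; trying the next rule'
            continue
        }
        if (-not $ExistingNames.Contains($candidate)) {
            return $candidate
        }
        Write-Verbose "Name '$candidate' is already in use; trying the next rule"
    }
    # Every rule collided: surface this instead of silently creating a duplicate
    throw "No rule produced a unique name for $($SourceObject.givenName) $($SourceObject.sn)"
}

# Names already present in the target; compared case-insensitively because
# directory naming attributes such as sAMAccountName ignore case.
$existingNames = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
foreach ($n in 'jdoe', 'john.doe') { [void] $existingNames.Add($n) }

# Three entries in list order: an Attribute entry (sAMAccountName), a Rule-style
# entry (givenName.sn) and a script entry that appends the employee number.
$nameRules = @(
    { param($o) $o.sAMAccountName },
    { param($o) '{0}.{1}' -f $o.givenName, $o.sn },
    { param($o) '{0}{1}{2}' -f $o.givenName.Substring(0, 1), $o.sn, $o.employeeNumber }
)

# Constructed source object whose first two candidate names collide with existing ones
$sourceObject = @{ givenName = 'John'; sn = 'Doe'; sAMAccountName = 'jdoe'; employeeNumber = '1042' }
Get-UniqueObjectName -SourceObject $sourceObject -Rules $nameRules -ExistingNames $existingNames -Verbose
```

Run with -Verbose, as above, to see each rejected candidate; in the real service the uniqueness check is made against the target connected system rather than an in-memory set.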

To copy and paste an existing rule

1. In the Rules to generate unique object name list, right-click a rule, then select
Copy from the shortcut menu.
2. In the rules list, right-click an entry, then select Paste from the shortcut menu.

Modifying attribute values by using rules
In a sync workflow step you can configure a set of rules to automatically modify attribute
values during the step run. By using these rules, you can select or generate an initial
value, transform this value if necessary, and then assign the resulting value to the object
attribute you want.

To create a rule to modify attribute values

1. In the Synchronization Service Console, open the Sync Workflows tab.


2. Click the name of the appropriate sync workflow, then click the name of the sync
workflow step.
3. Depending on the workflow step type, complete the corresponding actions:
• Creating step: Click the Creation Rules tab, and then expand the Initial
Attribute Population Rules element.
• Updating step: Click the Updating Rules tab, and then expand the Rules to
Modify Object Attributes element.
• Deprovisioning step: Click the Deprovisioning Rules tab, and then expand
the Rules to Modify Object Attributes element.
4. In the element you have expanded, click the down arrow on the leftmost button to
select a rule type:
• Forward Sync Rule: Allows you to create a rule that synchronizes attribute
values from the source to the target data system. This type of rule is available
in creating, updating, and deprovisioning steps. For more information, see
Configuring a forward sync rule.
• Reverse Sync Rule: Allows you to create a rule that synchronizes attribute
values from the target to the source data system. This type of rule is available
in creating, updating, and deprovisioning steps. For more information, see
Configuring a reverse sync rule.
• Merge Sync Rule: Allows you to create a rule that merges the values of
specified attributes between the source and the target data systems. As a
result, the attribute values in the source and the target become identical. This
type of rule is only available in updating steps. For more information, see
Configuring a merge sync rule.

Configuring a forward sync rule


A forward sync rule allows you to synchronize data from the source data system to the
target data system. To create such a rule, follow the instructions in Modifying attribute
values by using rules to select the Forward Sync Rule type. Then, configure your rule by
using the options in the dialog that opens.

Forward sync rule source item
This option allows you to obtain an initial value for the synchronization operation. You can
then transform the obtained initial value before assigning it to the attribute you want.
To get started, click the down arrow on the button in this option, and then select an item
from the drop-down list:
• Attribute: Allows you to select the attribute whose value you want to use.
• Rule: Allows you to obtain a value by using a value generation rule. For more
information, see Using value generation rules.
• PowerShell script: Allows you to obtain a value by running a Windows
PowerShell script.
• Text: Allows you to type a text value.
• Referenced object attribute: Allows you to select an attribute of a referenced object
and use the value of the selected attribute.
• Parent object attribute: Allows you to select an attribute of a parent object and
use the value of the selected attribute.
• Empty: Generates an empty value.

Once you have explicitly selected an attribute in this option, you can click the Advanced
link to configure some advanced synchronization settings for the attribute.
For example, you can specify which characters to retrieve from the attribute value, how to
modify the retrieved value (remove white-space characters or change the capitalization),
or set how to process references in the attribute. The available settings depend on the
attribute types selected in the Source item and Target item options.

Forward sync rule target item


This option allows you to select the target attribute whose value you want to modify.
To get started, click the down arrow on the button in this option, and then select an item
from the drop-down list:
• Attribute: Allows you to select the object attribute whose value you want to modify.
• Referenced object attribute: Allows you to select the referenced object attribute
whose value you want to modify.
• Parent object attribute: Allows you to modify attribute values of objects that are
parents to the target object type selected in the sync workflow step settings.

Once you have explicitly selected an attribute in this option, you can click the Advanced
link to configure some advanced synchronization settings for the attribute.
For example, you can select how to handle the existing attribute value (overwrite or
append data to the value) or set how to process references in the attribute. The
available settings depend on the attribute types selected in the Source item and
Target item options.

Configuring a reverse sync rule
A reverse sync rule allows you to synchronize data from the target to the source
data system.
To create such a rule, follow the instructions in Modifying attribute values by using rules to
select the Reverse Sync Rule type. Then, configure your rule by using the options in the
dialog that opens.

Reverse sync rule source item


This option allows you to select the source attribute whose value you want to modify.
To get started, click the down arrow on the button in this option, and then select an item
from the drop-down list:
• Attribute: Allows you to select the object attribute whose value you want to modify.
• Referenced object attribute: Allows you to select the referenced object attribute
whose value you want to modify.
• Parent object attribute: Allows you to modify attribute values of objects that are
parents to the source object type selected in the sync workflow step settings.

Once you have explicitly selected an attribute in this option, you can click the Advanced
link to configure some advanced synchronization settings for the attribute.
For example, you can select how to handle the existing attribute value (overwrite or
append data to the value) or set how to process references in the attribute. The
available settings depend on the attribute types selected in the Source item and
Target item options.

Reverse sync rule target item


This option allows you to obtain an initial value for the synchronization operation. You can
then transform the obtained initial value before assigning it to the attribute you want.
To get started, click the down arrow on the button in this option, and then select an item
from the drop-down list:
• Attribute: Allows you to select the attribute whose value you want to use.
• Rule: Allows you to obtain a value by using a value generation rule. For more
information, see Using value generation rules.
• PowerShell script: Allows you to obtain a value by running a Windows
PowerShell script.
• Text: Allows you to type a text value.
• Referenced object attribute: Allows you to select an attribute of a referenced object
and use the value of the selected attribute.
• Parent object attribute: Allows you to select an attribute of a parent object and
use the value of the selected attribute.
• Empty: Generates an empty value.

Once you have explicitly selected an attribute in this option, you can click the Advanced
link to configure some advanced synchronization settings for the attribute.
For example, you can specify which characters to retrieve from the attribute value, how to
modify the retrieved value (remove white-space characters or change the capitalization),
or set how to process references in the attribute. The available settings depend on the
attribute types selected in the Source item and Target item options.

Configuring a merge sync rule


A merge sync rule allows you to merge attribute values between the source and the target
data system. As a result, these values become identical.
To create such a rule, follow the instructions in Modifying attribute values by using rules to
select the Merge Sync Rule type. Then, configure your rule by using the options in the
dialog that opens:
• Source item: Allows you to specify an attribute in the source data system. To select
an attribute, click Attribute.
• Target item: Allows you to specify the attribute in the target data system. To select
an attribute, click Attribute.
• Merge Settings: Allows you to select a method to merge the values of two
multivalued attributes. This link is only available if both the source and the target
attributes you have selected are multivalued.

The first time you run a sync workflow step that has a merge sync rule configured,
Synchronization Service synchronizes attribute values from the source to the target. In
each subsequent run of the sync workflow step, the synchronization direction depends on
which attribute value (source or target) is more recent, as follows:

Table 106: Synchronization direction

More recent value                       Synchronization direction
Source                                  Source => Target
Target                                  Source <= Target
Source and target are equally recent    Source => Target

Using value generation rules
To configure a list of rules for selecting an attribute value or generating a value, you can
use the Configure Generation Rule dialog.

Figure 10: Configure Generation Rule

To add a new rule entry

1. Click Add.
2. Configure the rule entry as appropriate. For more information, see Configuring
a rule entry.

To remove an existing rule entry


• Open the Rule entries list.
• From the Rule entries list, select the entry you want to remove, then click Remove.

To edit an existing rule entry

1. From the Rule entries list, select the entry you want to modify, then click Edit.
2. Configure the rule entry as appropriate. For more information, see Configuring
a rule entry.

Configuring a rule entry


This section provides instructions on how to configure a rule entry in the Define Entry
dialog that looks similar to the following:

Figure 11: Define Entry

To configure a text entry

1. Under Entry type, select Text.


2. In the Text value box, type the value.
3. Click OK.

To configure an attribute-based entry

1. Under Entry type, select Attribute.


2. Click Select to select the attribute whose value you want to use, and then click OK.

3. If you want the entry to include the entire value of the attribute, select All
characters. Otherwise, click Specified characters, then specify the characters to
include in the entry.
4. (Optional) To add additional characters to the entry, click If value is shorter, add
filling characters at the end of entry value.
5. (Optional) Specify Advanced settings.
6. When finished, click OK.

Using sync workflow step handlers


Sync workflow step handlers allow you to automatically perform custom actions either
before running a workflow step or after the workflow step run results have been committed
(written) to the data system. Out of the box, Synchronization Service includes a single
predefined handler type that can automatically run your custom PowerShell script and thus
perform the desired action.
To create, modify, or delete handlers for a sync workflow step, you can use the Step
Handlers tab in the sync workflow step properties.

To create a sync workflow step handler

1. In the Synchronization Service Console, open the Sync Workflows tab.


2. Click the name of the appropriate sync workflow.
3. Click the name of the sync workflow step for which you want to create a handler, then
click Step Handlers.
4. Click Add handler, then follow the steps in the wizard to create your handler.

To modify a sync workflow step handler

1. In the Synchronization Service Console, open the Sync Workflows tab.


2. Click the name of the appropriate sync workflow.
3. Click the name of the sync workflow step whose handler you want to modify, then
click the Step Handlers tab.
4. Click the name of the handler you want to modify.
5. Modify the handler settings as necessary. When you are finished, click OK.
6. You can also do the following:
• Change the order in which handlers are activated: Synchronization
Service activates handlers in the order in which they appear in the list. To
move a handler in the list, use the Move up and Move down links below
the handler.
• Disable or enable the handler: You can enable or disable existing handlers.
To do so, use the Enable or Disable link below the handler.
7. When you are finished, click Save.

To delete a sync workflow step handler

1. In the Synchronization Service Console, open the Sync Workflows tab.


2. Click the name of the appropriate sync workflow.
3. Click the name of the sync workflow step whose handler you want to delete, and then
click Step Handlers.
4. Click Delete below the handler you want to delete.

Example: Synchronizing group memberships
This example illustrates how to configure a creating step to synchronize group
memberships from an Active Directory domain to an AD LDS (ADAM) instance. The
example demonstrates how to create rules in the step to synchronize the value of the
member attribute in the AD domain to the member attribute in AD LDS (ADAM).

To synchronize the member attribute

1. Follow the procedure of the Adding a creating step section until you reach the
Specify creation rules page.
2. In the Initial Attribute Population Rules element, click the down arrow on the
leftmost button below the list to select Forward Sync Rule.
3. In the dialog that opens, add the following pair of attributes:
• Source item: member attribute (Active Directory)
• Target item: member attribute (AD LDS)
For more information about the options in this dialog, see Configuring a
forward sync rule.
4. When you are finished, click OK.
5. Follow the steps in the wizard to complete the creating step.

Example: Synchronizing multivalued attributes

This example illustrates how to configure a creating step to synchronize multivalued
attributes from an Active Directory domain to an AD LDS (ADAM) instance. The example
demonstrates how to create rules in the step to synchronize the value of the
otherTelephone attribute in the Active Directory domain to the otherTelephone
attribute in AD LDS (ADAM).

To synchronize the otherTelephone attribute

1. Follow the procedure of the Adding a creating step section until you reach the
Specify creation rules page.
2. In the Initial Attribute Population Rules element, click the down arrow on the
leftmost button below the list to select Forward Sync Rule.
3. In the dialog that opens, add the following pair of attributes:
• Source item: otherTelephone attribute (Active Directory)
• Target item: otherTelephone attribute (AD LDS)
For more information about the options in this dialog, see Configuring a
forward sync rule.
4. When you are finished, click OK.
5. Follow the steps in the wizard to complete the configuration of the creating step.

Using sync workflow alerts


The Synchronization Service provides an email notification service that allows you to inform
recipients about the completion of a sync workflow run.
For each sync workflow that includes at least one synchronization step, you can configure
multiple alerts. Then, when a sync workflow run completes, the recipients signed up for the
alert receive an email message informing them about the completion of the sync workflow
run. For example, you can use sync workflow alerts to inform recipients when a sync
workflow run completes with errors.
To manage alerts for a sync workflow, navigate to the Sync Workflows tab in the
Synchronization Service Console, and then click the Manage alerts link below the
sync workflow.
To manage outgoing mail profiles for sending sync workflow alerts, in the Synchronization
Service Console, click the Settings menu in the upper right corner, and then click
Mail Profiles.

Creating or editing a sync workflow alert


You can create or edit email-based alerts for existing sync workflows, allowing you to send
notifications about key synchronization events, such as completing sync workflow runs or
detecting errors.

To create or edit an alert

1. In the Synchronization Service Console, open the Sync Workflows tab.


2. Click the Manage alerts link below the sync workflow for which you want to create
or edit an alert.
NOTE: The Manage alerts link is only available on sync workflows that include one
or more synchronization steps.
3. In the Manage Sync Workflow Alerts dialog, do one of the following:
• If you want to create a new alert, click Add under the Sync workflow
alerts list.
• If you want to edit an existing alert, select that alert in the Sync workflow
alerts list, and then click Edit under the list.
4. To specify alert settings, use the following options in the dialog that opens,
and click OK:
• When this event occurs: Select an event that will trigger the alert. You can
select one of the following:
  • Sync workflow run completes (with or without errors): Triggers
  the alert upon the sync workflow run completion regardless of any errors
  encountered in the run.
  • Sync workflow run completes with errors: Triggers the alert only
  when the sync workflow run completes with errors.
• Send email to: Enter the email addresses of the recipients to which you want
to send a notification email message when the selected event occurs. When
specifying multiple email addresses, use a semicolon as a separator.
• Email message subject: Enter the text you want to include in the subject of
the notification email.
• Ignore mapping errors: Select this check box if you want the alert to skip
mapping errors in sync workflow runs. This check box is only available when
you select Sync workflow run completes with errors in the When this
event occurs option.
• Ignore non-fatal errors in: Select this check box if you want this alert to
skip non-fatal errors in sync workflow runs. A non-fatal error causes a sync
workflow run to partially succeed. A fatal error causes a sync workflow run
to fail. If you select this check box, you must also select one of the
following options:
  • All sync workflow steps: Causes the alert to skip non-fatal errors in all steps
  of the sync workflow.
  • The specified sync workflow steps: Causes the alert to skip non-fatal
  errors only in the sync workflow steps you specify. To specify multiple steps,
  either enter the step numbers separated by commas (for example, 1, 3, 5), or
  specify a range of steps using a dash as a separator (for example, 1, 3, 5-8).

NOTE: This check box is only available if you select Sync workflow run
completes with errors in the When this event occurs option.
5. Use the Send email using this outgoing mail profile list to select the settings to
be used for sending notification emails generated by the alerts in the Sync
workflow alerts list.
To configure the current outgoing mail profile, click Properties. For more
information, see Managing outgoing mail profiles.
6. When you are finished, click OK to close the Manage Sync Workflow Alerts
dialog.
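The following PowerShell is an added illustration, not code from the guide or from the product: it parses a step list in the form accepted by The specified sync workflow steps (for example 1, 3, 5-8) and then applies the alert options described above to a constructed run result to decide whether a notification would be sent. Treating mapping errors as a counter separate from non-fatal errors is an assumption of this model, as are the function and field names.

```powershell
# Added illustration, not Synchronization Service code: parses the step list
# accepted by "The specified sync workflow steps" (for example "1, 3, 5-8") and
# applies the alert settings to a constructed run result. Mapping errors are
# modelled as a counter separate from non-fatal errors (an assumption).

function ConvertFrom-StepSpecification {
    param(
        [Parameter(Mandatory)] [string] $Specification,
        [int] $StepCount = [int]::MaxValue   # number of steps in the workflow, if known
    )
    $steps = [System.Collections.Generic.SortedSet[int]]::new()
    foreach ($token in $Specification -split ',') {
        $token = $token.Trim()
        if ($token -eq '') { continue }
        if ($token -match '^(\d+)\s*-\s*(\d+)$') {
            $from = [int] $Matches[1]; $to = [int] $Matches[2]
            if ($from -gt $to) { throw "Range '$token' runs backwards" }
            foreach ($n in $from..$to) { [void] $steps.Add($n) }
        }
        elseif ($token -match '^\d+$') {
            [void] $steps.Add([int] $token)
        }
        else {
            throw "Invalid step token '$token'; use step numbers, commas and dashes, for example 1, 3, 5-8"
        }
    }
    # Steps are numbered from 1; a number that cannot refer to a step is a typo, not a step
    $outOfRange = @($steps | Where-Object { $_ -lt 1 -or $_ -gt $StepCount })
    if ($outOfRange.Count -gt 0) { throw "Step number(s) out of range: $($outOfRange -join ', ')" }
    return , $steps
}

function Test-AlertFires {
    param(
        [Parameter(Mandatory)] [ValidateSet('Completes', 'CompletesWithErrors')] [string] $Event,
        # One record per step: Step, FatalErrors, NonFatalErrors, MappingErrors (constructed)
        [Parameter(Mandatory)] [object[]] $StepResults,
        [switch] $IgnoreMappingErrors,
        [string] $IgnoreNonFatalErrorsIn     # '', 'All', or a step specification such as '1, 3, 5-8'
    )
    if ($Event -eq 'Completes') { return $true }   # fires on completion regardless of errors

    $ignoredSteps = $null
    if ($IgnoreNonFatalErrorsIn -and $IgnoreNonFatalErrorsIn -ne 'All') {
        $ignoredSteps = ConvertFrom-StepSpecification -Specification $IgnoreNonFatalErrorsIn -StepCount $StepResults.Count
    }
    foreach ($r in $StepResults) {
        if ($r.FatalErrors -gt 0) { return $true }            # fatal errors are never ignored
        if ($r.MappingErrors -gt 0 -and -not $IgnoreMappingErrors) { return $true }
        if ($r.NonFatalErrors -gt 0) {
            $ignored = ($IgnoreNonFatalErrorsIn -eq 'All') -or
                       ($null -ne $ignoredSteps -and $ignoredSteps.Contains($r.Step))
            if (-not $ignored) { return $true }
        }
    }
    return $false
}

# Constructed run result: eight steps, non-fatal errors in steps 3 and 4, a mapping error in step 5
$run = 1..8 | ForEach-Object {
    [pscustomobject]@{ Step = $_; FatalErrors = 0; NonFatalErrors = 0; MappingErrors = 0 }
}
$run[2].NonFatalErrors = 2; $run[3].NonFatalErrors = 1; $run[4].MappingErrors = 1

# Compare: ignore non-fatal errors only in steps 1, 3 and 5-8 (step 4 stays covered)
# versus in all steps, with mapping errors ignored in both cases
Test-AlertFires -Event CompletesWithErrors -StepResults $run -IgnoreMappingErrors -IgnoreNonFatalErrorsIn '1, 3, 5-8'
Test-AlertFires -Event CompletesWithErrors -StepResults $run -IgnoreMappingErrors -IgnoreNonFatalErrorsIn 'All'
```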

Deleting a sync workflow alert


You can delete existing sync workflow alerts in the Synchronization Service Console. This is
useful for housekeeping purposes, for example when a sync workflow is modified and its
original alerts are no longer applicable.

To delete an alert

1. In the Synchronization Service Console, open the Sync Workflows tab.


2. Click the Manage alerts link below the sync workflow for which you want to
delete an alert.
NOTE: The Manage alerts link is only available on sync workflows that include one
or more synchronization steps.
3. In the Sync workflow alerts list, select the alert you want to delete, and then click
Delete under the list.

Managing outgoing mail profiles


To create, edit, or delete an outgoing mail profile, in the Synchronization Service Console,
click Settings > Mail Profiles in the upper-right corner. Then, follow the appropriate
procedure below.

To create a profile

1. Click Add below the list of profiles, then specify the settings you want to use. For the
descriptions of the settings you can specify, see Outgoing mail profile settings.
2. When you are finished, click OK.

To edit a profile

1. In the list, select the outgoing mail profile you want to edit.
2. Click Edit below the list of profiles, then specify the settings you want to use. For the
description of the settings you can specify, see Outgoing mail profile settings.
3. When you are finished, click OK.

To delete a profile

1. In the list, select the outgoing mail profile you want to delete.
2. Click the Delete button below the list of profiles.

Outgoing mail profile settings


In each outgoing mail profile, you can use the following settings:
• Profile name: Enter a descriptive name with which you want to identify the profile.
• Outgoing SMTP server: Enter the fully qualified domain name of the SMTP mail
server you want to use for sending notification emails.
• This server requires an encrypted connection (SSL): Select this check box if
the specified mail server requires an encrypted connection.
• This server requires authentication: Select this check box if the specified mail
server requires authentication, then specify the user name and password with which
you want to access the server.
• Sender email address: Specify the email address you want to use as the
originating address in the notification emails.
• Sender name: Specify the sender name you want to display in the From field to the
recipients of the notification emails.

6 Mapping objects

Object mapping allows you to establish one-to-one relationships between objects in two
connected data systems. By using object mapping, you can determine what objects will
participate in data synchronization operations you run between these two data systems.
Synchronization Service maps objects automatically when running the creating steps of a
sync workflow. In this case, a one-to-one relationship is automatically established between
source objects and their counterparts created in the target connected system during the
creation operation. In some cases, however, you may have to manually map objects. For
example, you should configure object mapping before running a sync workflow that
includes updating or deprovisioning steps. By doing so, you provide Synchronization
Service with the information on which objects need to be updated or deprovisioned in the
target data system.
To map objects, you can use mapping pairs and mapping rules. A mapping pair allows you
to establish a relationship between a certain object type in one connected system and its
counterpart in the other connected system. A mapping rule allows you to define the scope
of conditions where the objects belonging to the object types specified in a particular
mapping pair will be mapped. You can create multiple mapping rules for a mapping pair,
with each mapping rule defining a specific mapping condition. You have to run your
mapping rules for them to take effect. After you run a mapping rule, Synchronization
Service reads data in the connected data systems for which the rule is configured, and then
maps the objects that meet the conditions specified in the mapping rule.
The following example shows how a mapping rule works:

Figure 12: Object mapping

In this example, a one-to-one relationship is established between the user object John
Malcolm in Connected System 1 and the user object John Doe in Connected System
2: the first names of these user objects match, and thus the condition specified in the
mapping rule is met. Now, if you configure a sync workflow for these systems and
populate it with synchronization steps, identity information will be synchronized between
these two user objects, since they are mapped. The direction of synchronization depends
on which of these two connected data systems acts as the synchronization source and
which is the target.

How to map objects


You can map objects in two data systems to which Synchronization Service is connected.

Creating mapping pairs


In this step, you create mapping pairs that specify the types of objects you want to map in
two connected systems. You can create as many mapping pairs as required.

To create a mapping pair

1. In the Synchronization Service Console, open Mapping.


2. Click the name of the connection for which you want to map objects.
3. Click Add mapping pair.
4. On the Specify source page, next to Connected system object type, click
Select, and then select the type of object you want to map.

5. Click Next.
6. On the Specify target page:
a. Next to Target connected system, click Specify, and then specify the other
connected system where you want to map objects.
b. Next to Connected system object type, click Select, and then select the
type of object you want to map.
7. To create the mapping pair, click Finish.
Repeat the above steps to create mapping pairs for as many object types as required.

Creating mapping rules


Once you have created a mapping pair, you can configure mapping rules for that pair.
Mapping rules define the conditions where the objects that belong to the object types
specified in the mapping pair will be mapped. Synchronization Service maps objects only if
all mapping rules specified for a mapping pair are met.
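The following PowerShell is an added illustration, not code from the guide or from the product, covering both the Figure 12 example and the rule that every mapping rule of a pair must be met. It evaluates a mapping pair against constructed objects from two connected systems, enforces the one-to-one nature of a mapping by reporting objects that match more than one counterpart as ambiguous instead of mapping them, and never treats an empty attribute value as a match. Function names, object fields and the sample data are assumptions.

```powershell
# Added illustration, not Synchronization Service code: models a mapping pair
# with one or more mapping rules. A pair of objects is mapped only when every
# rule holds, and the result must be one-to-one, so an object that matches
# several counterparts is reported as ambiguous rather than mapped. The two
# "connected systems" are constructed in-memory lists.

function Invoke-ObjectMapping {
    param(
        [Parameter(Mandatory)] [object[]] $System1Objects,
        [Parameter(Mandatory)] [object[]] $System2Objects,
        # Each rule is a hashtable with System1 and System2 scriptblocks producing the
        # value to compare on each side (the Attribute, Rule or PowerShell Script
        # choices of the Define Mapping Rule dialog)
        [Parameter(Mandatory)] [hashtable[]] $MappingRules
    )
    $comparer = [System.StringComparer]::OrdinalIgnoreCase

    # Candidates per system 1 object: every system 2 object for which all rules hold
    $candidates = @{}
    foreach ($a in $System1Objects) {
        $candidates[$a.Name] = @(foreach ($b in $System2Objects) {
            $allRulesMet = $true
            foreach ($rule in $MappingRules) {
                $left = [string] (& $rule.System1 $a)
                $right = [string] (& $rule.System2 $b)
                # An empty value never satisfies a rule: two objects that both lack the
                # attribute are no evidence that they are the same identity
                if ($left -eq '' -or -not $comparer.Equals($left, $right)) { $allRulesMet = $false; break }
            }
            if ($allRulesMet) { $b }
        })
    }
    # Count how many system 1 objects claim each system 2 object, to keep the mapping one-to-one
    $claims = @{}
    foreach ($list in $candidates.Values) { foreach ($b in $list) { $claims[$b.Name] = 1 + [int] $claims[$b.Name] } }

    $result = [pscustomobject]@{ Mapped = @(); Ambiguous = @(); Unmapped = @() }
    foreach ($a in $System1Objects) {
        $list = $candidates[$a.Name]
        if ($list.Count -eq 1 -and $claims[$list[0].Name] -eq 1) {
            $result.Mapped += [pscustomobject]@{ System1 = $a.Name; System2 = $list[0].Name }
        }
        elseif ($list.Count -eq 0) { $result.Unmapped += $a.Name }
        else { $result.Ambiguous += [pscustomobject]@{ System1 = $a.Name; System2 = @($list.Name) } }
    }
    return $result
}

# Constructed objects. System 2 holds two users whose first name is John, and
# Sam Poe has no employee ID on either side.
$system1 = @(
    [pscustomobject]@{ Name = 'John Malcolm'; givenName = 'John'; employeeID = '1001' }
    [pscustomobject]@{ Name = 'Jane Roe';     givenName = 'Jane'; employeeID = '1002' }
    [pscustomobject]@{ Name = 'Sam Poe';      givenName = 'Sam';  employeeID = '' }
)
$system2 = @(
    [pscustomobject]@{ Name = 'John Doe';    givenName = 'John'; employeeID = '1001' }
    [pscustomobject]@{ Name = 'John Public'; givenName = 'John'; employeeID = '1007' }
    [pscustomobject]@{ Name = 'Jane Roe';    givenName = 'Jane'; employeeID = '1002' }
    [pscustomobject]@{ Name = 'Sam Poe';     givenName = 'Sam';  employeeID = '' }
)
$firstNameRule  = @{ System1 = { param($o) $o.givenName };  System2 = { param($o) $o.givenName } }
$employeeIdRule = @{ System1 = { param($o) $o.employeeID }; System2 = { param($o) $o.employeeID } }

# The single first-name rule of Figure 12: John Malcolm matches two system 2 objects
Invoke-ObjectMapping -System1Objects $system1 -System2Objects $system2 -MappingRules $firstNameRule
# Both rules must hold: the employee ID disambiguates John, and Sam Poe is left unmapped
Invoke-ObjectMapping -System1Objects $system1 -System2Objects $system2 -MappingRules $firstNameRule, $employeeIdRule
```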

To add a new mapping rule

1. In the Synchronization Service Console, open Mapping.


2. Click the name of the connection for which you want to create a mapping rule.
3. Click the mapping pair for which you want to create a mapping rule.
4. Click Add mapping rule.
5. Use the Define Mapping Rule dialog to define the condition where the objects in
the connected systems are to be mapped. To do so, click the down arrow on the
button next to each of the two provided options and select one of the following:
• Attribute: Allows you to select an attribute in the connected system.
• Rule: Allows you to set up a list of rules to generate a value for the connected
system. For more information, see Using value generation rules.
• PowerShell Script: Allows you to type a Windows PowerShell script that
generates a value for the connected system.
6. When you are finished, click OK to create the mapping rule.

Change scope for mapping rules


Each mapping rule applies to a scope of objects. By default, this scope includes all objects
that belong to the object types specified in the mapping rule. If necessary, you can narrow
the scope specified for a particular mapping rule or you can revert to the default scope.

To change the scope of a mapping rule

1. In the Synchronization Service Console, open Mapping.


2. Click the name of the appropriate connection.
3. Click the appropriate mapping pair entry.
4. Locate the mapping rule whose scope you want to change. Use the following
elements provided for each mapping rule entry:
• Mapping scope for system 1: Shows the mapping rule scope applicable to
the data system shown on the left part of the mapping pair entry.
• Mapping scope for system 2: Shows the mapping rule scope applicable to
the data system shown on the right part of the mapping pair entry.
These elements can take one of the following values:
• Default: Indicates that the mapping rule applies to all objects of the
specified type.
• Custom: Indicates that the mapping rule scope is narrowed down and only
applies to some objects of the specified type.
5. Change the mapping rule scope as necessary:
a. Click the value displayed next to Mapping scope for system 1 or Mapping
scope for system 2, and then specify the scope you want to use.
b. When you are finished, click OK.

Running the map operation


Once you have created mapping rules for a mapping pair, you have to run the map
operation in order to apply these rules and map objects that belong to the mapping pair.
There are two methods to run the map operation:
• Running the map operation once, manually.
• Creating a recurring schedule to automatically run the map operation on a
regular basis.
TIP: This method is recommended when you want to use Synchronization
Service to synchronize passwords from an Active Directory domain to other
connected systems.

Running the map operation once, manually

This method allows you to run your mapping rules without creating a recurring schedule.

To run the map operation once, manually

1. In the Synchronization Service Console, open Mapping.


2. Click the name of the connection for which you want to run the map operation.
3. Click the mapping pair for which you want to run the map operation.
4. Click Map now.
5. In the dialog that opens, click one of the following:
• Full Map: With this option, Synchronization Service retrieves the data
required to map objects from the connected data systems.
• Quick Map: With this option, Synchronization Service first tries to map objects
by using the data that is available in the local cache. If the local cache is
missing or cannot be used to map objects, then Synchronization Service
retrieves the required data from the connected data systems.
Wait for the map operation to complete.
After the map operation is completed, the Synchronization Service Console displays a
report that provides information about the objects that participated in the map
operation. At this stage, the application does not map the objects. To map the
objects, you have to commit the map operation result.
You can click the number that is provided next to an object category name in the
report to view the details of objects that belong to that category.
6. Review the report about the objects that participated in the map operation, then click
Commit to map the objects.

Creating a recurring schedule to automatically run the map operation on a regular basis

Running mapping rules on a recurring schedule allows you to properly map newly-created
Active Directory user objects to their counterparts in the connected systems where you
automatically synchronize passwords with the Active Directory domain. If you do not run
mapping rules on a regular basis, some passwords may become out of sync due to the
changes that inevitably occur to your environment. For example, new user objects are
created, some user objects are deleted, but Synchronization Service cannot detect these
changes and synchronize passwords for the newly-created users before you apply the
mapping rules. In this scenario, the best way to ensure Synchronization Service
synchronizes all passwords is creating a recurring schedule for applying your mapping rules
on a regular basis.

To create a recurring schedule to automatically run the map operation on a regular basis

1. In the Synchronization Service Console, open Mapping.
2. Click the name of the connection for which you want to create a recurring
mapping schedule.

3. Click the mapping pair for which you want to run the map operation on a
recurring schedule.
4. Click Schedule mapping.
5. In the dialog that opens, select the Schedule the task to run check box, and then
specify a schedule for the map operation.
One Identity recommends that you schedule the map operation to run once every 6 hours.
6. If several Synchronization Service instances are installed in your environment, under
Run the task on, select the computer that hosts the instance you want to use for
running the map operation.
7. Click OK to activate the schedule.
The results of a scheduled map operation always apply automatically. As a result, you
do not have to commit the changes after the scheduled operation is completed.
When performing a scheduled map operation, Synchronization Service always
retrieves the required data from the connected data systems and never uses the data
available in the local cache.

How to unmap objects


You can unmap the objects that were mapped earlier.

To unmap objects

1. In the Synchronization Service Console, open Mapping.
2. Click the name of the connection for which you want to unmap objects.
3. Click the mapping pair that specifies the object types you want to unmap.
4. Click Unmap now and wait until the unmap operation completes.
After the unmap operation is completed, the Synchronization Service Console
displays a report that provides information about the objects that participated in the
unmap operation. At this stage, the application does not unmap the objects. To
unmap them, you need to commit the result of the unmap operation.
To view the details of objects that belong to a given object category, you can click the
number provided next to the object category name in the report.
5. Review the report on the objects that participated in the unmap operation, and then
click Commit to unmap the objects.

7 Automated password synchronization

If your enterprise environment has multiple data management systems, each having its
own password policy and dedicated user authentication mechanism, you may face one or
more of the following issues:
l Because users have to remember multiple passwords, they may have difficulty
managing them. Some users may even write down their passwords. As a result,
passwords can be easily compromised.
l Each time users forget one or several of their numerous access passwords, they have
to ask administrators for password resets. This increases operational costs and
translates into a loss of productivity.
l There is no way to implement a single password policy for all of the data
management systems. This too impacts productivity, as users have to log on to each
data management system separately in order to change their passwords.

With Synchronization Service, you can eliminate these issues and significantly simplify
password management in an enterprise environment that includes multiple data
management systems.
Synchronization Service provides a cost-effective and efficient way to synchronize user
passwords from an Active Directory domain to other data systems used in your
organization. As a result, users can access other data management systems using their
Active Directory domain password. Whenever a user password is changed in the source
Active Directory domain, this change is immediately and automatically propagated to other
data systems, so each user password remains in sync in the data systems at all times.
You need to connect Synchronization Service to the data systems in which you want to
synchronize passwords through special connectors supplied with Synchronization Service.

How to automate password synchronization
To automatically synchronize passwords from an Active Directory domain to another data
system, complete these steps:

1. Install Capture Agent on each domain controller in the Active Directory domain you
want to be the source for password synchronization operations.
Capture Agent tracks changes to the user passwords in the source Active Directory
domain and provides this information to Synchronization Service, which in turn
synchronizes passwords in the target connected systems you specify.
For more information on how to install Capture Agent, see Managing Capture Agent.
2. Connect the Synchronization Service to the Active Directory domain where you
installed Capture Agent.
Alternatively, you can configure a connection to Active Roles that manages the
source Active Directory domain.
3. Connect the Synchronization Service to the data system where you want to
synchronize user object passwords with those in the source Active Directory domain.
l For some target data systems (such as SQL Server) you must specify the
data you want to participate in the password synchronization by configuring
an SQL query.
l If the target data system is an LDAP directory service accessed via the
generic LDAP connector, you must specify the target object type for which
you want to synchronize passwords and the attribute where you want to store
object passwords.
4. Ensure that user objects in the source Active Directory domain are properly mapped
to their counterparts in the target connected system.
For more information about mapping objects, see Mapping objects.
Synchronization Service automatically maps objects between the source Active
Directory domain and the target connected system if you configure sync workflows
to manage the creation and deprovision operations between the source Active
Directory domain (or Active Roles that manages that domain) and the target
connected system.
For more information on sync workflows, see Synchronizing identity data.
5. Create a password synchronization rule for the target connected system.
For more information, see Creating a password sync rule.

After you complete the above steps, the Synchronization Service starts to automatically
track user password changes in the source Active Directory domain and synchronize
passwords in the target connected system.
If necessary, you can fine-tune the password synchronization settings by completing these
optional tasks:

l Modify the default Capture Agent settings.
For more information, see Configuring Capture Agent.
l Modify the default Synchronization Service settings related to password
synchronization.
For more information, see Configuring Synchronization Service.
l Specify a custom certificate for encrypting the password sync traffic between the
Capture Agent and the Synchronization Service. By default, a built-in certificate is
used for this purpose.
For more information, see Specifying a custom certificate for encrypting password
sync traffic.
l Configure the Synchronization Service to automatically run your PowerShell script
after the password synchronization is completed.
For more information, see Using PowerShell scripts with password synchronization.

Managing Capture Agent


Capture Agent is required to track changes to the user passwords in the Active Directory
domain you want to be the authoritative source for password synchronization operations.
To synchronize passwords, you must install Capture Agent on each domain controller in the
source Active Directory domain.
Whenever a password changes in the source Active Directory domain, the agent captures
that change and provides the changed password to the Synchronization Service. In turn,
the Synchronization Service uses the provided information to synchronize passwords in the
target connected systems according to your settings.

Installing Capture Agent manually


You can manually deploy Synchronization Service Capture Agent on each domain controller
in the source Active Directory domain. Alternatively, you can perform an unattended
installation of the Capture Agent component.

To manually install Capture Agent

1. On the domain controller, open the Active Roles installation media.
2. In the installation media, navigate to the following directory:
\Solutions\Sync Service Capture Agent
3. Run the .msi file applicable to the operating system running on the domain controller.
l On a 32-bit domain controller, run SyncServiceCaptureAgent_8.1.3_x86.msi.
l On a 64-bit domain controller, run SyncServiceCaptureAgent_8.1.3_x64.msi.

4. Follow the instructions of the setup wizard.

To perform an unattended installation

1. On the domain controller, open the Windows Command Prompt.
2. Run the command applicable to the domain controller:
l On a 32-bit system, run the following command:
msiexec /i "<path-to-SyncServiceCaptureAgent_8.1.3_x86.msi>" /qb INSTALLDIR="<path-to-installation-folder>" REBOOT="<reboot-value>"
l On a 64-bit system, run the following command:
msiexec /i "<path-to-SyncServiceCaptureAgent_8.1.3_x64.msi>" /qb INSTALLDIR="<path-to-installation-folder>" REBOOT="<reboot-value>"

These commands use the following arguments:
l (Optional) INSTALLDIR: Specifies the Capture Agent installation folder. If this
argument is not used, the Capture Agent component is installed to the following
default folder:
%ProgramFiles%\One Identity\Active Roles\8.1.3\SyncServiceCaptureAgent
l REBOOT: Specifies whether to force or suppress restart after installation with the
following available values:
l Force: Prompts to restart the system after installation.
l Suppress: Suppresses restart prompts after installation.
l ReallySuppress: Suppresses all restart prompts and restart attempts during
installation.
For more information on these values, see REBOOT property in the Microsoft
Windows Installer documentation.
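The unattended command above can be wrapped so that the right package is chosen for the domain controller's bitness and the Windows Installer result is checked rather than assumed. The following PowerShell is an added example, not part of the One Identity guide; the share path, log folder and function name are assumptions, while the INSTALLDIR and REBOOT arguments are the ones documented above.

```powershell
# Added example (not from the One Identity guide): unattended Capture Agent
# installation that selects the MSI matching this domain controller's OS
# architecture, passes the documented INSTALLDIR and REBOOT arguments, writes a
# verbose installer log, and interprets the msiexec exit code.
param(
    # Assumed network share holding both MSI packages (not from the guide).
    [string]$PackageShare = '\\fileserver\ARInstall\Solutions\Sync Service Capture Agent',
    # Optional custom install folder; an empty string keeps the product default.
    [string]$InstallDir = '',
    # REBOOT values documented for the package: Force, Suppress, ReallySuppress.
    [ValidateSet('Force', 'Suppress', 'ReallySuppress')]
    [string]$Reboot = 'ReallySuppress',
    # Assumed log location (not from the guide).
    [string]$LogDir = "$env:ProgramData\SyncServiceCaptureAgent"
)

function Install-CaptureAgent {
    param($PackageShare, $InstallDir, $Reboot, $LogDir)

    # Pick the package for the OS architecture of this domain controller.
    $msiName = if ([Environment]::Is64BitOperatingSystem) {
        'SyncServiceCaptureAgent_8.1.3_x64.msi'
    } else {
        'SyncServiceCaptureAgent_8.1.3_x86.msi'
    }
    $msiPath = Join-Path $PackageShare $msiName
    if (-not (Test-Path -LiteralPath $msiPath)) {
        throw "Package not found: $msiPath"
    }

    New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
    $logPath = Join-Path $LogDir ("install_{0:yyyyMMdd_HHmmss}.log" -f (Get-Date))

    # Documented command line: msiexec /i <msi> /qb INSTALLDIR=... REBOOT=...
    # plus /l*v for a verbose log (standard Windows Installer switch).
    $arguments = @('/i', "`"$msiPath`"", '/qb', "REBOOT=$Reboot", '/l*v', "`"$logPath`"")
    if ($InstallDir) { $arguments += "INSTALLDIR=`"$InstallDir`"" }

    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $arguments -Wait -PassThru

    # Standard Windows Installer codes: 0 = success; 3010 = success, restart
    # required; 1641 = installer initiated a restart. Anything else failed.
    switch ($proc.ExitCode) {
        0       { Write-Host "Capture Agent installed ($msiName). Log: $logPath" }
        3010    { Write-Warning "Capture Agent installed; a restart is required. Log: $logPath" }
        1641    { Write-Warning "Capture Agent installed; the installer is restarting the system." }
        default { throw "msiexec failed with exit code $($proc.ExitCode). See $logPath" }
    }
    return $proc.ExitCode
}

Install-CaptureAgent -PackageShare $PackageShare -InstallDir $InstallDir -Reboot $Reboot -LogDir $LogDir
```

Run it in an elevated session on each domain controller; the verbose log is where to look when the exit code is anything other than 0, 3010 or 1641.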

Using Group Policy to install Capture Agent


You can use this method to automatically deploy Capture Agent on each domain
controller in the source Active Directory domain. This method is applicable in the
following scenarios only:

Table 107: Prerequisites by scenario

Scenario 1: AD domain includes either 32- or 64-bit domain controllers
Prerequisites:
l All the domain controllers must be held in a single organizational unit (for example, the built-in Domain Controllers OU).
l At least one group policy object must be linked to the OU holding the domain controllers (for example, the built-in Default Domain Controllers Policy Group Policy object).

Scenario 2: AD domain includes both 32-bit and 64-bit domain controllers
Prerequisites:
l The domain controllers must be held in two separate organizational units, each containing domain controllers of the same bitness.
l At least one group policy object must be linked to each of the two Organizational Units.

To install Capture Agent by using Group Policy

1. Save the SyncServiceCaptureAgent_8.1.3_x86.msi and SyncServiceCaptureAgent_8.1.3_x64.msi files to a network share accessible from each domain controller in the source Active Directory domain.
2. Depending on your scenario, complete the steps in the table:

Table 108: Steps by scenario

Scenario 1: AD domain includes either 32-bit or 64-bit domain controllers
1. Use Group Policy Editor to open the group policy object linked to the OU holding the domain controllers on which you want to install Capture Agent.
2. In the Group Policy Object Editor console tree, do one of the following:
l In Windows Server 2016 or later, expand the Computer Configuration node, then expand Policies, and select Software Settings.
3. In the details pane, click Software Installation, on the Action menu point to New, and then click Package.
4. Use the dialog to open one of the following files:
l SyncServiceCaptureAgent_8.1.3_x86.msi if all your domain controllers are 32-bit.
l SyncServiceCaptureAgent_8.1.3_x64.msi if all your domain controllers are 64-bit.
5. In the Deploy Software dialog, select Assigned, and then click OK.

Scenario 2: AD domain includes both 32-bit and 64-bit domain controllers
1. Use Group Policy Object Editor to open the group policy object linked to the OU holding the 32-bit domain controllers.
2. Do one of the following in the Group Policy Object Editor console tree:
l In Windows Server 2016 or later, expand the Computer Configuration node, then expand Policies, and select Software Settings.
3. In the details pane, click Software Installation, on the Action menu point to New, and then click Package.
4. Use the dialog to open the SyncServiceCaptureAgent_8.1.3_x86.msi file.
5. In the Deploy Software dialog, select Assigned, and then click OK.
6. Repeat every step for the group policy object linked to the OU holding the 64-bit domain controllers. Use the SyncServiceCaptureAgent_8.1.3_x64.msi file to install Capture Agent on these domain controllers.

3. Run the following command at a command prompt to refresh the Group Policy
settings:
gpupdate /force

Uninstalling Capture Agent


You can delete the Active Roles Synchronization Service Capture Agent component with the
built-in tools of the operating system.

To uninstall Capture Agent

1. On the computer where Capture Agent is installed, open the list of installed
programs.
2. In the list of installed programs, select One Identity Active Roles 8.1.3 -
Synchronization Service Capture Agent x64 or One Identity Active Roles
8.1.3 - Synchronization Service Capture Agent x86.
3. To delete Capture Agent, click Uninstall.
4. Follow the on-screen instructions.

Managing password sync rules


To synchronize passwords from an Active Directory domain to other connected systems,
you need to create and configure a password synchronization rule for each target
connected system where you want to synchronize passwords.
A password synchronization rule allows you to specify the following:

l The Active Directory domain you want to be the source for password synchronization
operations.
l The source object type for password synchronization operations (typically, this is the
user object type in Active Directory).
l The target connected system in which you want to synchronize passwords with the
source Active Directory domain.
l The target object type for password synchronization operations.

Optionally, you can configure a password synchronization rule to modify attribute values of
the target connected system objects whose passwords are being synchronized.

Creating a password sync rule


To create a password sync rule

1. In the Synchronization Service Console, open the Password Sync tab.
2. Click Add password sync rule.
3. On the Specify source for password sync page, do the following:
a. In the Source connected system option, specify the Active Directory domain
you want to be the source for password synchronization operations.
Alternatively, you can select the Active Roles instance that manages such an
Active Directory domain.
b. In the Connected system object type option, select the object type you
want to be the source for password synchronization.
4. Click Next.
5. On the Specify target for password sync page, do the following:
a. In the Target connected system option, specify the target connected system
in which you want to synchronize passwords.
b. In the Connected system object type option, select the object type you
want to be the target for password synchronization.
c. Optionally, you can click Password Sync Settings and then use the following
tabs to configure more password sync settings:
l Password Sync Retry Options: Use this tab to specify how many
times you want Synchronization Service to retry the password
synchronization operation in the event of a password synchronization
failure. You can select one of the following options:
l Unlimited number of times: Causes Synchronization Service to
retry the password synchronization operation until it succeeds.

l This maximum number of times: Specify the maximum
number of times you want Synchronization Service to retry the
password synchronization operation.
l Password Transformation Script: Use this tab to type a PowerShell
script that transforms source Active Directory user passwords into
object passwords for the target connected system. Use this item if you
want the object passwords in the source and target connected systems
to be different. If you do not want to transform passwords, leave the
text box blank.
l Rules to Modify Object Attributes: Use this tab to specify rules for
modifying attribute values on the target connected system objects.
These rules will only apply to the objects on which Synchronization
Service modifies passwords in the target connected system.
d. When you are finished, click OK.
6. Click Finish to create the password sync rule.

Deleting a password sync rule


To delete a password sync rule

1. In the Synchronization Service Console, open the Password Sync tab.
2. Locate the rule you want to delete, and then click Delete this rule below the rule.

Modifying settings for a password sync rule


You can modify the following settings of an existing password sync rule:
l Specify how many times you want the Synchronization Service to retry the password
synchronization operation in the case of a password synchronization failure.
l Specify a PowerShell script to transform a source Active Directory user password into
an object password in the target connected system.
l Specify rules to modify the attributes of the target connected system objects on
which Synchronization Service changes passwords.

To modify the settings of a password sync rule

1. In the Synchronization Service Console, open the Password Sync tab.
2. Click the Password sync settings link below the password sync rule you
want to modify.
3. In the dialog that opens, use the following tabs:

l Password Sync Retry Options: Use this tab to specify how many times you
want Synchronization Service to retry the password synchronization operation
in the event of a password synchronization failure. You can select one of the
following options:
l Unlimited number of times: Causes Synchronization Service to retry
the password synchronization operation until it succeeds.
l This maximum number of times: Specify the maximum number of
times you want Synchronization Service to retry the password
synchronization operation.
l Password Transformation Script: Use this tab to type a PowerShell script
that transforms source Active Directory user passwords into object passwords
for the target connected system. Use this item if you want the object
passwords in the source and target connected systems to be different. If you
do not want to transform passwords, leave the text box blank.
l Rules to Modify Object Attributes: Use this tab to specify rules for
modifying attribute values on the target connected system objects. These rules
will only apply to the objects on which Synchronization Service modifies
passwords in the target connected system.
4. When you are finished, click OK to save your changes.

Fine-tuning automated password synchronization
This section provides information about the optional tasks related to configuring the
automated password synchronization from an Active Directory domain to connected
data systems.

Configuring Capture Agent


Capture Agent has a number of parameters you can modify. After you install the agent,
each of these parameters is assigned a default value, as described in the following table:

Table 109: Capture Agent parameters

Parameter: Maximum connection point validity for Capture Agent Service
Description: Determines the period of time (in hours) during which a connection between Capture Agent and Synchronization Service remains valid.
Default value: 24 hours

Parameter: Interval between connection retries
Description: Determines the time interval (in minutes) during which Capture Agent tries to reconnect to Synchronization Service.
Default value: 10 minutes

Parameter: Maximum duration of a connection attempt
Description: Determines the period of time (in days) during which Capture Agent tries to connect to Synchronization Service to send the information about changed user passwords. During this period Capture Agent stores the user passwords to be synchronized in an encrypted file.
Default value: 7 days

Parameter: Certificate to encrypt Capture Agent traffic
Description: Specifies a certificate for encrypting the password sync data transferred between Capture Agent and Synchronization Service. For more information, see Specifying a custom certificate for encrypting password sync traffic.
Default value: By default, a built-in certificate is used.

Parameter: Connection Point 1 through Connection Point 7
Description: Define the Synchronization Service instances to which Capture Agent provides information about changed user passwords.
Default value: If none of these parameters is set, Capture Agent looks for available instances of the Synchronization Service in the following container:
CN=Active Roles Sync Service,CN=One Identity,CN=System,DC=<domain name>

You can modify the default values of these parameters by using Group Policy and the
Administrative Template supplied with the Synchronization Service. The next steps assume
that all the domain controllers where the Capture Agent is installed are held within
organizational units.

Creating and linking a Group Policy object
Create a new Group Policy object. Link the object to each organizational unit holding the
domain controllers on which the Capture Agent is installed. For more information, see the
documentation for your version of the Windows operating system.

Adding an administrative template to Group Policy object
1. Use Group Policy Object Editor to connect to the Group Policy object you created
previously.
2. In the Group Policy Object Editor console, expand the Group Policy object, and then
do one of the following:
l In Windows Server 2016 or later, expand Computer Configuration, expand
Policies, and then select Administrative Templates.
3. On the Action menu, point to All Tasks, and click Add/Remove Templates.
The Add/Remove Templates dialog opens.
4. In the Add/Remove Templates dialog, click Add, and then use the Policy
Templates dialog to open the Administrative Template
(SyncServiceCaptureAgent.adm file) supplied with the Synchronization Service.
The SyncServiceCaptureAgent.adm file is located in the following folder of the
installation media:
\Solutions\Sync Service Capture Agent.

Using Group Policy object to modify Capture Agent settings
1. In Windows Server 2016 or later, under Computer Configuration > Policies >
Administrative Templates > Classic Administrative Templates (ADM) >
Active Roles, select Sync Service Capture Agent Settings.
2. In the details pane, configure the appropriate Group Policy settings.
The names of Group Policy settings correspond to the names of the Capture Agent
parameters provided in the table in Configuring Capture Agent.
3. Run the following command at a command prompt for the changes to take effect:
gpupdate /force
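When none of the Connection Point 1 to Connection Point 7 settings is configured, Capture Agent falls back to the container named in the Capture Agent parameters table. The following PowerShell, added here as an example and not part of the One Identity guide, lists what is published in that container so you can confirm which Synchronization Service instances an agent with default settings would discover; the function name is an assumption, the container path is the one from the table, and Active Directory is read through ADSI only.

```powershell
# Added example (not from the One Identity guide): enumerate the container in
# which Capture Agent looks for Synchronization Service instances when no
# "Connection Point N" parameter is set:
#   CN=Active Roles Sync Service,CN=One Identity,CN=System,DC=<domain name>
# Assumptions: run on a domain-joined host with read access to the System
# container; no child object class is assumed, the objects are just listed.
function Get-SyncServiceConnectionPoint {
    param(
        # Defaults to the current domain's naming context read from RootDSE.
        [string]$DomainDN = ([ADSI]'LDAP://RootDSE').defaultNamingContext
    )
    $containerDN = "CN=Active Roles Sync Service,CN=One Identity,CN=System,$DomainDN"
    $container = [ADSI]"LDAP://$containerDN"
    try {
        # Reading a property forces the bind; a missing or unreadable container throws here.
        $null = $container.distinguishedName
    } catch {
        Write-Warning "Container not found or not readable: $containerDN"
        return @()
    }

    $results = foreach ($child in $container.Children) {
        [pscustomobject]@{
            Name              = [string]$child.cn
            ObjectClass       = $child.SchemaClassName
            WhenChanged       = $child.whenChanged
            DistinguishedName = [string]$child.distinguishedName
        }
    }
    if (-not $results) {
        # An empty container means a Capture Agent with default settings has
        # nothing to connect to and will queue changed passwords in its
        # encrypted file until the maximum connection attempt duration expires.
        Write-Warning "No Synchronization Service instances are published in $containerDN"
    }
    return $results
}

Get-SyncServiceConnectionPoint | Format-Table -AutoSize
```

Compare the listed entries with the Synchronization Service connection point update period in the next section: a stale or absent entry is the first thing to check when password changes are not reaching the target systems.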

Modifying Synchronization Service parameters
You can modify the default values of the Synchronization Service parameters related to
password synchronization. These parameters and their default values are described in the
next table.

Table 110: Synchronization Service parameters

Parameter: Interval between attempts to reset password
Description: The Capture Agent sends information on changes made to Active Directory user passwords to Synchronization Service. After receiving this information, Synchronization Service tries to reset passwords in the target connected systems you specified. This parameter determines the time interval (in minutes) between attempts to reset passwords in the target connected systems.
Default value: 10 minutes

Parameter: Synchronization Service connection point update period
Description: Synchronization Service publishes its connection point in Active Directory. This parameter determines the frequency of updates (in minutes) of the Synchronization Service connection point.
Default value: 60 minutes

Parameter: Certificate to encrypt Capture Agent traffic
Description: This parameter specifies the thumbprint of the certificate used to encrypt the password sync traffic between Capture Agent and Synchronization Service. The same certificate must be used for the Capture Agent and the Synchronization Service.
Default value: By default, a built-in certificate is used.

You can modify the Synchronization Service parameters using Group Policy and the
Administrative Template supplied with Synchronization Service.

To modify Synchronization Service parameters using Group Policy

1. On the computer running the Synchronization Service, start Group Policy Object
Editor, and then connect to the Local Computer Policy Group Policy object.
2. In the Group Policy Object Editor console, expand the Local Computer
Policy node, expand the Computer Configuration node, and select
Administrative Templates.
3. On the Action menu, point to All Tasks, and click Add/Remove Templates.

4. In the Add/Remove Templates dialog, click Add, and then use the Policy
Templates dialog to open the SyncService.adm file that holds the
Administrative Template.
By default, the SyncService.adm file is stored in the following subfolder of the Active
Roles installation:
\SyncService\Administrative Templates
5. Under Computer Configuration > Administrative Templates > Active Roles,
select Sync Service Settings, and then in the details pane, configure the
appropriate group policy settings.
The names of group policy settings correspond to the names of the Synchronization
Service parameters provided in the table in Configuring Capture Agent.
6. For the changes to take effect, refresh the Group Policy settings by running the
following command at a command prompt:
gpupdate /force

Specifying a custom certificate for encrypting password sync traffic
By default, Synchronization Service uses a built-in certificate to encrypt password sync
traffic between the Capture Agent and the Synchronization Service. If necessary, you can
use a custom certificate for this purpose.
NOTE: Consider the following when specifying a custom certificate for encrypting
password sync traffic:
l SSL certificates signed with the MD5 algorithm are not supported.
l Backward compatibility for Quick Connect v5.5 with Active Roles Synchronization
Service Capture Agent can be achieved by using a custom certificate signed with a
SHA algorithm.

This section illustrates how to use a custom certificate for encrypting the password
synchronization traffic in Windows Server 2012.

Obtaining and installing a certificate


To obtain and install a certificate, you have to make a certificate request. There are two
methods to request a certificate in Windows Server 2012:
l Request certificates using the Certificate Request Wizard: To request
certificates from a Windows Server 2012 enterprise certification authority, you can
use the Certificate Request Wizard.
l Request certificates using the Windows Server 2012 Certificate Services
web interface: Each certification authority that is installed on a computer running

Windows Server 2012 has a web interface that allows the users to submit certificate
requests. By default, the web interface is accessible at http://servername/certsrv,
where servername refers to the name of the computer running Windows Server 2012.

This section provides steps to request certificates using the Windows Server 2012
Certificate Services web interface. For detailed information about the Certificate Request
Wizard, refer to the documentation on Certification Authority.

To request a certificate using the Windows 2012 Certificate Services web interface

1. Use a web browser to open http://servername/certsrv, where servername refers to the name of the web server running Windows Server 2012 where the certification authority that you want to access is located.
2. On the Welcome Web page, click Request a certificate.
3. On the Request a Certificate page, click advanced certificate request.
4. On the Advanced Certificate Request page, click Create and submit a
certificate request to this CA.
5. On the page that opens, do the following:
l Select the Store certificate in the local computer certificate store
check box.
l Under Additional Options, select the PKCS10 option, and in the Friendly
Name text box, specify a name for your certificate (for example, My QC
Certificate).
Keep default values for all other options.
6. Click Submit.
7. On the Certificate Issued page, click Install this certificate.

After you install the certificate, it becomes available in the Certificates snap-in, in the
Personal > Certificates store.

Exporting the custom certificate to a file


In this step, you export the issued certificate to a file. You will need the file to install the
certificate on each domain controller running Capture Agent and on each computer running
Synchronization Service.

To export the certificate

1. On the computer where you installed the certificate in the Obtaining and installing
a certificate step, open the Certificates - Local Computers snap-in.
2. In the Console tree, expand the Personal > Certificates store.
3. In the details pane, click the issued certificate you want to export.
4. On the Action menu, point to All Tasks, and then click Export.

5. Step through the wizard.
6. On the Export Private Key page, select Yes, export the private key, and then
click Next.
This option is available only if the private key is marked as exportable and you have
access to the private key.
7. On the Export File Format page, do the following, and then click Next:
   • To include all certificates in the certification path, select the Include all
     certificates in the certification path if possible check box.
   • To enable strong protection, select the Enable strong protection (requires
     IE 5.0, NT 4.0 SP4 or above) check box.
8. On the Password page, in the Password text box, type a password to encrypt the
private key you are exporting. In Confirm password, type the same password
again, and then click Next.
9. On the File to Export page, use the File name text box to specify the PKCS #12 file
to which you want to export the certificate along with the private key, and click Next.
10. On the Completion page, review the specified settings and click Finish to create the
file and close the wizard.

The PKCS #12 file contains the private key of the certificate that protects the password
traffic between Capture Agent and Synchronization Service. Use a strong password, copy
the file to the target computers only over a protected channel, and delete every copy of the
file once the certificate has been imported on all of them.

Importing the certificate into the certificate store

In this step, you import the certificate into the Personal\Certificates certificate store by
using the Certificates snap-in. You must complete this step on each domain controller
running Capture Agent and on each computer running Synchronization Service that will
participate in the password synchronization.

To import the certificate

1. Open the Certificates (Local Computer) snap-in.
2. In the Console tree, click the Personal > Certificates logical store.
3. On the Action menu, point to All Tasks and then click Import.
4. Step through the wizard.
5. On the File to Import page, in File name, type the name of the file containing the
certificate to be imported, or click Browse to locate and select the file. When
finished, click Next.
6. On the Password page, type the password used to encrypt the private key, and then
click Next. Leave the Mark this key as exportable check box cleared so that the
private key cannot be exported again from the domain controller or the
Synchronization Service computer.
7. On the Certificate Store page, ensure that the Place all certificates in the
following store option is selected, and the Certificate store text box displays
Personal, and then click Next.
8. On the Completion page, review the specified settings and click Finish to import the
certificate and close the wizard.

Copying the certificate's thumbprint

In this step, you copy the thumbprint of your custom certificate. In the next steps, you will
need to provide the thumbprint to Capture Agent and Synchronization Service.

To copy the thumbprint of your custom certificate

1. Open the Certificates (Local Computer) snap-in.
2. In the Console tree, click the Personal store to expand it.
3. Click the Certificates store to expand it.
4. In the details pane, double-click the certificate.
5. In the Certificate dialog, click the Details tab, and scroll through the list of fields to
select Thumbprint.
6. Copy the hexadecimal value of Thumbprint to the clipboard.

You will need the copied thumbprint value to configure the Capture Agent and
Synchronization Service. Before you paste it, check the copied value in a plain-text editor:
the dialog separates the byte pairs with spaces, and on some Windows versions the copied
text starts with an invisible left-to-right mark character. Remove both, otherwise the value
will not match any certificate in the store.
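The export, import and thumbprint steps above can also be done from PowerShell. The following is an added example and is not part of the Active Roles guide; it assumes an elevated Windows PowerShell session with the PKI module (Windows Server 2012 or later), the friendly name My QC Certificate from the request step, and placeholder file paths and host names.

```powershell
# Added example, not from the Active Roles guide. Export the custom certificate
# with its private key, import it on another host, and produce a thumbprint that
# is safe to paste into the Group Policy setting. Requires an elevated session
# and the PKI module (Windows Server 2012+). Paths and names are placeholders.

function Export-SyncCertificate {
    param(
        [Parameter(Mandatory)][string]$FriendlyName,
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][securestring]$PfxPassword
    )
    $certs = @(Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.FriendlyName -eq $FriendlyName })
    if ($certs.Count -eq 0) { throw "No certificate named '$FriendlyName' in LocalMachine\My." }
    if ($certs.Count -gt 1) { throw "Several certificates named '$FriendlyName'; pick one by thumbprint." }
    $cert = $certs[0]
    if (-not $cert.HasPrivateKey) { throw "Certificate $($cert.Thumbprint) has no private key." }
    # Fails if the key was not marked exportable when the certificate was requested;
    # the snap-in shows the same restriction on its Export Private Key page.
    # BuildChain includes the CA certificates, like the wizard's "Include all certificates" option.
    Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $PfxPassword -ChainOption BuildChain | Out-Null
    return $cert.Thumbprint
}

function Import-SyncCertificate {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][securestring]$PfxPassword
    )
    # No -Exportable switch: once imported on a domain controller or Synchronization
    # Service host, the private key cannot be exported from it again.
    $cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $PfxPassword
    return $cert.Thumbprint
}

function ConvertTo-CleanThumbprint {
    param([Parameter(Mandatory)][string]$Thumbprint)
    # A value copied from the certificate dialog may contain spaces between byte
    # pairs and, on some Windows versions, an invisible left-to-right mark (U+200E)
    # at the start. Group Policy needs the bare 40 hexadecimal characters.
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) { throw "Expected 40 hex characters for a SHA-1 thumbprint, got '$clean'." }
    return $clean
}

# Usage on the computer where the certificate was issued:
#   $pw = Read-Host -AsSecureString -Prompt 'PFX password'
#   $tp = Export-SyncCertificate -FriendlyName 'My QC Certificate' -PfxPath 'C:\Temp\qc.pfx' -PfxPassword $pw
#   ConvertTo-CleanThumbprint $tp        # value for the Thumbprint text box
# Usage on each domain controller running Capture Agent and each Synchronization Service host:
#   Import-SyncCertificate -PfxPath 'C:\Temp\qc.pfx' -PfxPassword $pw
#   Remove-Item 'C:\Temp\qc.pfx'         # never leave the private key lying on disk
```

Import-PfxCertificate is deliberately called without -Exportable, which matches leaving the Mark this key as exportable check box cleared in the wizard; the copy of the private key on each domain controller then cannot be lifted out of the store with the same tooling.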

Providing the certificate's thumbprint to Capture Agent

This step assumes that:
   • The same Group Policy object is linked to each OU holding the domain controllers on
     which the Capture Agent is installed. For more information on how to create and link
     a Group Policy object, see the documentation for your version of Windows.
   • The SyncServiceCaptureAgent.adm administrative template file is linked to that Group
     Policy object.

For instructions on how to add an administrative template file to a Group Policy object, see
Adding an administrative template to Group Policy object.

To provide the thumbprint to Capture Agent

On any computer joined to the domain where Capture Agent is installed, open Group Policy
Object Editor, and connect to the Group Policy object to which you added the
Administrative Template in Adding an administrative template to Group Policy object.

1. In the Group Policy Object Editor console, expand the Group Policy object, and then
expand the Computer Configuration node.
2. Expand the Administrative Templates > Active Roles node to select Sync
Service Capture Agent Settings.
3. In the details pane, double-click Certificate to encrypt Capture Agent traffic.

4. Select the Enabled option, and then paste the certificate’s thumbprint (the one you
copied in Copying the certificate's thumbprint) in the Thumbprint text box. When
finished, click OK.
5. For the changes to take effect, refresh the Group Policy settings by running the
following command at a command prompt:
gpupdate /force

Providing the certificate's thumbprint to Synchronization Service

Perform the next steps on each computer running the Synchronization Service that
participates in the password sync operations.

To provide the thumbprint to Synchronization Service

1. On the computer running the Synchronization Service, start Group Policy Object
Editor, and then connect to the Local Computer Policy Group Policy object.
2. In the Group Policy Object Editor console, expand the Local Computer
Policy node, expand the Computer Configuration node, and select
Administrative Templates.
3. On the Action menu, point to All Tasks, and click Add/Remove Templates.
4. In the Add/Remove Templates dialog, click Add, and then use the Policy
Templates dialog to open the SyncService.adm file that holds the
Administrative Template. By default, the SyncService.adm file is stored in <Active
Roles installation folder>\SyncServiceCaptureAgent\Administrative Templates.
5. Under Computer Configuration > Administrative Templates > Active Roles,
select Sync Service Settings.
6. In the details pane, double-click Certificate to encrypt Capture Agent traffic.
7. Select the Enabled option, and then paste the certificate's thumbprint (the one you
copied in Copying the certificate's thumbprint) in the Thumbprint text box. When
finished, click OK.
8. For the changes to take effect, refresh the Group Policy settings by running the
following command at a command prompt:
gpupdate /force

Use the same thumbprint for Capture Agent and for Synchronization Service: both settings
must refer to the certificate you imported on every participating computer.
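After gpupdate has run, it is worth confirming on each domain controller and each Synchronization Service host that the thumbprint placed in Group Policy actually resolves to a usable certificate. The following check is an added example, not code from the Active Roles guide; the thumbprint value and the host names in the usage comments are placeholders.

```powershell
# Added example, not from the Active Roles guide. Run on a domain controller running
# Capture Agent or on a Synchronization Service host to confirm that the thumbprint
# configured in Group Policy points at a certificate that is present, has its private
# key, is within its validity period and chains to a trusted CA.

function Test-SyncCertificate {
    param([Parameter(Mandatory)][string]$Thumbprint)
    # Strip spaces and any hidden mark copied from the certificate dialog.
    $tp = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    $r = [ordered]@{
        Computer = $env:COMPUTERNAME; Thumbprint = $tp
        Found = $false; HasPrivateKey = $false; InValidityPeriod = $false; ChainBuilds = $false
        Problems = @()
    }
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$tp" -ErrorAction SilentlyContinue
    if (-not $cert) {
        $r.Problems += 'no certificate with this thumbprint in LocalMachine\My (wrong store, or thumbprint mistyped)'
        return [pscustomobject]$r
    }
    $r.Found = $true
    $r.HasPrivateKey = $cert.HasPrivateKey
    if (-not $cert.HasPrivateKey) { $r.Problems += 'certificate has no private key: import the PKCS #12 file, not a .cer' }
    $now = Get-Date
    $r.InValidityPeriod = ($cert.NotBefore -le $now -and $cert.NotAfter -gt $now)
    if (-not $r.InValidityPeriod) { $r.Problems += "outside validity period $($cert.NotBefore) to $($cert.NotAfter)" }
    # Build the chain the way this machine sees it, including a revocation check
    # against the CA's CRL distribution point.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $r.ChainBuilds = $chain.Build($cert)
    if (-not $r.ChainBuilds) {
        $r.Problems += @($chain.ChainStatus | ForEach-Object { "chain: $($_.StatusInformation.Trim())" })
    }
    return [pscustomobject]$r
}

# Run locally:
#   Test-SyncCertificate -Thumbprint '<value from the Group Policy Thumbprint box>'
# Or against every participating host at once (PowerShell remoting must be enabled):
#   Invoke-Command -ComputerName dc01, dc02, syncsvc01 -ScriptBlock ${function:Test-SyncCertificate} `
#       -ArgumentList '<value from the Group Policy Thumbprint box>' | Format-List
```

An object whose Problems list is empty on every host is the state to reach before relying on password synchronization; a host that reports Found but not HasPrivateKey is the typical sign that a .cer rather than the PKCS #12 file was imported there.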

Using PowerShell scripts with password
synchronization
Optionally, you can configure the Synchronization Service to run your custom PowerShell
script before, after, or instead of the password synchronization operation. To do so, create
a connection handler. For instructions, see Using connection handlers.

Example of a PowerShell script run after password synchronization

After the password synchronization is complete, the following script sends a
notification email message informing the administrator that the specified object
password has been modified in the target connected system. The message provides
the names of the source Active Directory object and its counterpart in the target
connected system. The $srcObj and $dstObj variables are supplied to the script by
Synchronization Service.

# ---- Specify the SMTP server name in your organization ----
$SmtpServer = "smtpServerName"
$smtp = New-Object System.Net.Mail.SmtpClient($SmtpServer)
# The message names an account whose password has just changed; enable TLS
# if the SMTP server supports it so the notification does not travel in clear text.
# $smtp.EnableSsl = $true
$mail = New-Object System.Net.Mail.MailMessage
# ---- Set the sender address ----
$mail.From = "yourmail@mydomain.com"
# ---- Set the destination address ----
$mail.To.Add("Administrator@mydomain.com")
# ---- Specify the message subject ----
$mail.Subject = "Password was changed"
# ---- Set the message text: the object names only, never the password itself ----
$body = "The passwords were synchronized for the following object pair: "
$body = $body + $srcObj.Name + " -> " + $dstObj.Name
$mail.Body = $body
# ---- Send mail ----
$smtp.Send($mail)

8 Synchronization history

Synchronization Service Console provides the Synchronization History option that allows
you to view the details of completed synchronization workflow runs, password
synchronization rule runs, and map and unmap operations.
The synchronization history also helps you troubleshoot synchronization issues by
providing information on the errors that were encountered during sync workflow runs,
password sync rule runs, or map and unmap operations.
You can also selectively clean up entries from the synchronization history.
To access the synchronization history, use the Sync History tab in the Synchronization
Service Console.

Viewing sync workflow history

You can use the Sync History tab in the Synchronization Service Console to view a list of
completed sync workflow runs.
This list provides information on:
   • The names of completed synchronization workflows.
   • The dates when each sync workflow run started and completed.
   • Which Synchronization Service instance was used to run each synchronization
     workflow.

You can click a sync workflow run entry in the list to view detailed information about the
sync workflow steps that were run, objects that participated in that run, and errors
encountered during the run, if any.

To view the details of a completed sync workflow run

1. In the Synchronization Service Console, click the Sync History tab.
2. Click Sync Workflow History.
3. If you want to filter the list of completed sync workflows, use the following elements:
   • Show items completed: Use this element to specify the time period when
     the sync workflows you want to view completed.
   • Maximum number of items to show: Specify the maximum number of
     completed sync workflows you want to view.
You can sort the list of completed sync workflows by clicking the column titles in the
list. Also you can filter the list of completed sync workflows by typing keywords in the
text boxes provided below the column titles.
4. To view detailed information about a list item, select the list item and then
click Details.
The details provided for each list entry look similar to the following:

Figure 13: Synchronization Service details

To view detailed information about the objects that belong to a certain object
category, click the number displayed next to the object category name in the Source
or Target column.
To view detailed information about encountered errors, click the link displaying the
number of errors.

Viewing mapping history

You can use the Sync History tab in the Synchronization Service Console to view the
detailed information about a particular completed map or unmap operation. By doing
so, you can view a list of attributes for each object that participated in the map or
unmap operation.

To view the details of a mapped pair of objects

1. In the Synchronization Service Console, click the Sync History tab.
2. Click Mapping History.
3. If you want to filter the list of completed map and unmap operations, use the
following elements:
   • Show items completed: Specify a time period when the map and unmap
     operations you want to view completed.
   • Maximum number of items to show: Specify the maximum number of
     completed map and unmap operations you want to view.
You can sort the list of map and unmap operations by clicking the column titles. Also
you can filter the list of map and unmap operations by typing keywords in the text
boxes provided below the column titles.
4. To view detailed information about a list item, select the list item and then
click Details.

Searching synchronization history

You can use the Sync History tab in the Synchronization Service Console to search for
completed creation, deprovision, update, and sync passwords operations in the
synchronization history.
You can search by:
   • The target connected system on which the operation was run.
   • The type of object that participated in the operation.
   • The period when the operation completed.

To search the synchronization history for completed operations

1. In the Synchronization Service Console, click the Sync History tab.
2. Click Search.
3. Use the following options to specify your search criteria:
   • Target connection: Select the connected system for which you want to
     search for completed creation, deprovision, update, and sync passwords
     operations.
   • Object type: Select the object type for which you want to search for
     completed creation, deprovision, update, and sync passwords operations.
   • Show items completed: Specify the time period when the operation you
     want to search for completed.
   • Maximum number of items to show: Specify the maximum number of
     completed creation, deprovision, update, and sync passwords operations you
     want to view in the list.
You can sort the search results by clicking the column titles in the search results list.
Also, you can filter the search results by typing keywords in the text boxes provided
below the column titles.
4. To view detailed information about a list item, select the list item and then
click Details.

Cleaning up synchronization history

You can selectively delete entries from the sync workflow history and object mapping
history. To delete entries, you can either run the cleanup operation once or you can define
a schedule to run the cleanup operation on a regular basis. The history is also your record
of which objects each run touched, so choose a retention period that meets your
troubleshooting and audit needs before you schedule automatic cleanup.

To run the cleanup operation once

1. In the Synchronization Service Console, click the Sync History tab.
2. Click Clean up now.
3. Specify the entries you want to delete.
4. Click OK to delete the entries from the synchronization history.

To create a recurring schedule for the cleanup operation

1. In the Synchronization Service Console, click the Sync History tab.
2. Click Schedule cleanup.
3. In the dialog that opens, select the Schedule the task to run check box, and then
specify a schedule for the cleanup operation.
4. If several Synchronization Service instances are deployed in your environment,
under Run the task on, select the computer that hosts the instance you want to use
for running the cleanup operation.
5. To activate the schedule, click OK.

To disable a scheduled cleanup operation

1. In the Synchronization Service Console, click the Sync History tab.
2. Click Schedule cleanup.
3. In the dialog that opens, clear the Schedule the task to run check box, and
then click OK.

9 Scenarios of use

This section provides some use case scenarios that help you familiarize yourself with
Synchronization Service. The scenarios illustrate how to create and run sync workflows and
their steps to update and create user information from a Human Resources (HR) database
represented by a delimited text file to an Active Directory domain.
The scenarios are:
   • Scenario: Creating users from a .csv file to an Active Directory domain. In this
     scenario, Synchronization Service creates user accounts from a Comma Separated
     Values (.csv) file that holds an HR database in individual Organizational Units of an
     Active Directory domain, depending on the city where each user is based.
   • Scenario: Using a .csv file to update user accounts in an Active Directory domain. In
     this scenario, Synchronization Service updates user accounts in an Active Directory
     domain based on the changes made to the HR database saved in a Comma Separated
     Values (.csv) file.
   • Scenario: Synchronizing data between One Identity Manager Custom Target
     Systems and an Active Directory domain. In this scenario, Synchronization Service
     updates data in One Identity Manager based on the changes made in an Active
     Directory domain.
   • Scenario: Deprovisioning between One Identity Manager Custom Target Systems
     and an Active Directory domain. In this scenario, Synchronization Service
     deprovisions the synchronized objects in One Identity Manager based on changes in
     the Active Directory domain.
   • Scenario: Provisioning of Groups between One Identity Manager Custom Target
     Systems and an Active Directory domain. In this scenario, Synchronization Service
     provisions group objects from an Active Directory domain to One Identity Manager.
   • Scenario: Enabling Delta Sync mode between One Identity Manager Custom Target
     Systems and an Active Directory domain. In this scenario, Synchronization Service
     updates data in One Identity Manager based on the changes made in an Active
     Directory domain, using the delta sync mode.

Before you proceed with these sample scenarios, perform the following steps:

1. Make sure you have properly configured the connection to the target Active Directory
domain in the Synchronization Service Console.
2. Create the Employees Organizational Unit (OU) at the root of the target Active
Directory domain.
3. In the Employees OU, create the following OUs:
   • New York
   • Tokyo
   • Amsterdam
   • OtherCities

Scenario: Create users from a .csv file to an Active Directory domain

The following scenario demonstrates how to create user accounts from a Human Resources
(HR) database to an Active Directory domain. The HR database is represented by a sample
Comma Separated Values (.csv) file. Depending on the user city, accounts will be created
in one of the following OUs:
   • Employees\New York
   • Employees\Tokyo
   • Employees\Amsterdam
   • Employees\OtherCities

TIP: You can use the Active Directory Users and Computers tool to ensure that
Synchronization Service has created user accounts in the Employees OU. The New York,
Tokyo, Amsterdam, and OtherCities OUs may include some disabled user accounts created
by Synchronization Service.

Creating a sync workflow

To create a sync workflow

1. In the Synchronization Service Console, open the Sync Workflows tab.
2. Click Add sync workflow.
3. In the Sync workflow name text box, type a name for the sync workflow
being created.
4. Click OK.
The new workflow appears on the Sync Workflows tab.
NOTE: After you have created a sync workflow, you must populate it with one or more
synchronization steps. For more information, see Synchronizing identity data.

Adding a creating step

This section provides instructions on how to:
   • Connect Synchronization Service to the source Comma Separated Values (.csv) file
     and target Active Directory domain.
   • Add a new creating step and configure its settings, for example, specify the object
     attributes to create.
   • Develop a Windows PowerShell script that returns the name of an Active Directory
     container for created user accounts.
   • Preview a list of user accounts to be created.
To add a creating step

1. In the Synchronization Service Console, open the Sync Workflows tab, and then
click the sync workflow you created in the Creating a sync workflow step.
2. Click Add synchronization step.
3. On the Select an action page, select Creation, and then click Next.
4. On the Specify source and criteria page, click Specify, click Add new
connected system, and then step through the wizard to add the sample Comma
Separated Values (.csv) file as a connected system:
a. Use the Connection name box to type a descriptive name for the connection
being created.
b. In the Use the specified connector list, select Delimited Text File
Connector. Click Next.
c. Click Browse to locate and select the sample Comma Separated Values (.csv)
file supplied with Synchronization Service. This file is located in the
<Synchronization Service installation folder>\Samples folder.
d. Step through the wizard until you are on the Specify attributes to identify
objects page.
e. In the Available attributes list, select Employee ID, click Add, and then
click Finish.
5. Click Next.
6. On the Specify target page, click Specify, and then step through the wizard to add
the target Active Directory domain as a connected system:
a. Use the Connection name box to type a descriptive name for the connection
being created.
b. In the Use the specified connector list, select Active Directory
Connector. Click Next.
c. Use the Domain name field to type the FQDN of the target Active
Directory domain. If necessary, adjust other connection settings on this page
as appropriate. Click Finish.
7. Click the down arrow on the button provided next to the Target container option.
8. In the provided list, click PowerShell Script.
9. Insert the following script sample into the dialog, and then click OK:

# $srcObj is the current .csv record, supplied by Synchronization Service.
# City comes from the HR file and is never copied into the distinguished name:
# it only selects one of four fixed containers, so an unexpected value cannot
# redirect the account outside the Employees OU.
$userCity = $srcObj["City"]
switch ($userCity)   # PowerShell switch compares strings case-insensitively by default
{
    "New York"  { $container = "OU=New York,OU=Employees,DC=mycompany,DC=com"; break }
    "Amsterdam" { $container = "OU=Amsterdam,OU=Employees,DC=mycompany,DC=com"; break }
    "Tokyo"     { $container = "OU=Tokyo,OU=Employees,DC=mycompany,DC=com"; break }
    default     { $container = "OU=OtherCities,OU=Employees,DC=mycompany,DC=com"; break }
}
$container

NOTE: Before using the script, change the DC=mycompany,DC=com string as appropriate
to reflect your environment. For example, if you have created the Employees OU in the
testlab.ttt domain, use the following string: DC=testlab,DC=ttt.
10. Click the down arrow on the leftmost button provided below the Rules to generate
unique object name list.
11. In the provided list, click Attribute.
12. Select Logon Name, and then click OK. Click Next.
13. Expand Initial Attribute Population Rules, and then create forward sync rules to
synchronize the following pairs of attributes:

Table 111: Initial attribute population rules

CSV file attribute   Synchronization direction   Active Directory attribute
Logon Name           =>                          Logon Name (Pre-Windows 2000)
First Name           =>                          First Name
Last Name            =>                          Last Name
City                 =>                          City

For more information on how to create rules, see Modifying attribute values by
using rules.

14. Expand Initial Password, click Text, and type a password in the Set Password
dialog. Click OK.
The same password is assigned to every account the step creates, so treat it like any
other shared credential: use a strong value for this sample, and in production check the
settings under User Account Options before the first run so that the accounts are not
left usable with a value known to everyone who can read the workflow.
15. (Optional) To modify the default options to create new user accounts, expand User
Account Options.
16. Click Finish to close the wizard.

Running the configured creating step

To run the creating step

1. On the Sync Workflows tab, click Run now.
2. In the Select sync workflow steps to run dialog, select the check box next to the
step you created, and then to run the step, click Full Run.
After the synchronization step run completes, the Synchronization Service Console
displays a report that provides information about the objects that participated in the
creating step. At this stage, the application does not commit changes to the target
Active Directory domain.

TIP: To view a list of user accounts to be created in the Employees OU, click the number
next to Objects to be created. Review this list before you commit: every entry becomes a
new account in Active Directory, and a bad row in the .csv file becomes a real account.

Committing changes to Active Directory

To commit changes to the target Active Directory domain
   • Click Commit.

Scenario: Using a .csv file to update user accounts in an Active Directory domain

This scenario demonstrates how to update user accounts in an Active Directory domain
when the information on employees is changed in the Human Resources (HR) database held
in a Comma Separated Values (.csv) file.
NOTE: This scenario can be used only if the Employees OU already contains user
accounts created with the creating scenario described earlier in this document. Only
accounts for previously created employees will be updated.

Creating an updating step
This section explains how to create a step that updates user accounts from the HR database
to the target Active Directory domain.

To add an updating step to your existing sync workflow

1. In the Synchronization Service Console, open the Sync Workflows tab, and then
click the sync workflow you created in the Creating a sync workflow step.
2. Click Add synchronization step.
3. On the Select an action page, select Update, and then click Next.
4. On the Specify source and criteria page, do the following:
a. Click Specify, click Select existing connected system, and then select the
Comma Separated Values (.csv) file you connected in Scenario: Create users
from a .csv file to an Active Directory domain. Click Finish.
b. Make sure that the object type specified in the Source object type box
is csv-Object.
5. Click Next.
6. On the Specify target page, do the following:
a. Click Specify, and then select the Active Directory domain you connected in
Scenario: Create users from a .csv file to an Active Directory domain.
b. Make sure that the object type specified in the Target object type box is
User (user).
7. Click Next.
8. Expand Rules to Modify Object Attributes, and then create forward sync rules to
synchronize the following pairs of attributes:

Table 112: Rules to modify object attributes

CSV file attribute   Synchronization direction   Active Directory attribute
City                 =>                          City
Department           =>                          Department
First Name           =>                          First Name
Last Name            =>                          Last Name
Telephone Number     =>                          Telephone Number

For information on how to create rules, see Modifying attribute values by using rules.
9. Click Finish.
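Both the creating step (Scenario: Create users from a .csv file to an Active Directory domain) and the updating step above take whatever the HR export contains, and a bad row only surfaces as a mapping or constraint error in the run report. The following pre-flight check is an added example, not part of the Active Roles guide or of the sample file shipped with Synchronization Service; its column names follow the attributes the two scenarios map, and its rows are constructed test data. On those rows it reports the duplicate Employee ID 1003, the colon in eve:adams, the over-long logon name for 1005, and Madrid as a city without an OU of its own.

```powershell
# Added example, not from the Active Roles guide or its sample .csv file. Checks an
# HR export for problems that would otherwise show up as mapping or constraint
# errors when the creating step or the updating step runs. Column names follow the
# attributes the scenarios map; the rows below are constructed test data.

$SampleCsv = @'
Employee ID,Logon Name,First Name,Last Name,City,Department,Telephone Number
1001,jsmith,John,Smith,New York,Sales,+1 212 555 0100
1002,ayamada,Aiko,Yamada,Tokyo,Engineering,+81 3 5555 0100
1003,pdevries,Pieter,de Vries,Amsterdam,Finance,+31 20 555 0100
1003,mgarcia,Maria,Garcia,Madrid,Sales,+34 91 555 0100
1004,eve:adams,Eve,Adams,,Sales,
1005,a-logon-name-that-is-far-too-long,Ann,Long,Tokyo,Finance,
'@

# OUs that exist under Employees; any other City value ends up in OtherCities.
$KnownCities = 'New York', 'Tokyo', 'Amsterdam'

function Test-HrCsv {
    param(
        [Parameter(Mandatory)][string]$CsvText,
        [string[]]$Cities = $KnownCities
    )
    $rows = $CsvText | ConvertFrom-Csv
    $problems = New-Object System.Collections.Generic.List[string]

    # Employee ID is the attribute that identifies objects for mapping (step 4e of the
    # creating step); a duplicate makes the source/target pair ambiguous.
    $rows | Group-Object -Property 'Employee ID' | Where-Object { $_.Count -gt 1 } | ForEach-Object {
        $problems.Add("Employee ID '$($_.Name)' appears $($_.Count) times")
    }

    foreach ($row in $rows) {
        $id = $row.'Employee ID'
        if ([string]::IsNullOrWhiteSpace($id)) {
            $problems.Add("row with Logon Name '$($row.'Logon Name')': empty Employee ID")
        }
        # Logon Name populates the pre-Windows 2000 logon name (sAMAccountName): at most
        # 20 characters and none of  " / \ [ ] : ; | = , + * ? < >
        $logon = $row.'Logon Name'
        if ([string]::IsNullOrWhiteSpace($logon)) {
            $problems.Add("Employee ID '$id': empty Logon Name")
        } elseif ($logon.Length -gt 20) {
            $problems.Add("Employee ID '$id': Logon Name '$logon' is longer than 20 characters")
        } elseif ($logon -match '["/\\\[\]:;|=,+*?<>]') {
            $problems.Add("Employee ID '$id': Logon Name '$logon' contains a character sAMAccountName does not allow")
        }
        # City only selects the target OU; an unexpected value is not an error for the
        # sync step, but report it so a typo does not silently route the account to OtherCities.
        if (-not [string]::IsNullOrWhiteSpace($row.City) -and $Cities -notcontains $row.City) {
            $problems.Add("Employee ID '$id': City '$($row.City)' has no OU of its own; account goes to OtherCities")
        }
    }
    return $problems
}

# Usage:
#   $issues = Test-HrCsv -CsvText $SampleCsv
#   if ($issues.Count) { $issues | ForEach-Object { Write-Warning $_ } } else { 'CSV looks clean' }
# For a real export, replace $SampleCsv with (Get-Content -Raw 'C:\HR\employees.csv').
```

Running the check before Run now keeps the creating step's report free of rows that can never be provisioned and, more importantly, stops a mistyped City from quietly placing an account in the OtherCities OU where nobody is looking for it.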

Running the configured updating step

To run the updating step

1. On the Sync Workflows tab, click Run now.
2. In the Select sync workflow steps to run dialog, select the check box next to the
step you created, and then click OK to run the step.
After the synchronization step run completes, the Synchronization Service Console
displays a report that provides information about the objects that participated in the
updating step. At this stage, the application does not commit changes to the target
Active Directory domain.

TIP: To view a list of user accounts to be updated in the Employees OU, in the update
report, click the number next to Objects to be updated.

Committing changes to Active Directory

To commit changes to the target Active Directory domain
   • Click Commit.

Scenario: Synchronizing data between One Identity Manager Custom Target Systems
and an Active Directory domain

Out of the box, Synchronization Service includes the One Identity Manager connector,
which allows you to access One Identity Manager. In this scenario, the basic purpose
of the Quick Connect One Identity Manager connector is to serve target systems for
which no native One Identity Manager connector exists.
Administrators can create or configure multiple Custom Target Systems in One Identity
Manager. Each Target System has entities such as User Accounts, Groups, Container
Structure, and so on.
NOTE: One Identity Manager does not have a specific table space for target systems
that do not have a native One Identity Manager connector. The synchronized data is
placed in the One Identity Manager tables whose names start with UNS and end with B,
referred to as the UNS..B tables.
The following scenario shows how to use the Quick Connect One Identity Manager
Connector to synchronize data between One Identity Manager Custom Target Systems and
an Active Directory domain.

Creating a connection to One Identity Manager

To create a new connection to One Identity Manager

1. In the Synchronization Service Console, open the Connections tab.
2. Click Add connection, then use the following options:
   • Connection name: Type a descriptive name for the connection.
   • Use the specified connector: Select One Identity Manager Connector.
3. Click Next.
4. On the Specify connection settings page, use the following options:
   • Application Server URL: Specify the address of the One Identity Manager
     application server to which you want to connect. Use an https:// address:
     the user ID and password of this connection are sent to that server.
   • Authentication module: Identifies the One Identity Manager authentication
     module that is to be used to verify the connection's user ID and password.
   • User name: Specify the user ID for this connection.
   • Password: Specify the password of the user ID for this connection.
   • To test the connection with the new parameters, click Test connection.
5. Click Next.

Configuring One Identity Manager modules, Custom Target System and Container
Information

NOTE: The One Identity Manager target systems and One Identity Manager containers
are applicable only for the Target System Base module.

To select the One Identity Manager modules, Target Systems, and Containers

1. Select the required One Identity Manager modules.
2. Select Target System Base module to synchronize data to One Identity Manager
custom target systems (UNS..B tables). This enables you to select the target object
types such as UNSAccountB, UNSGroupB, and so on.
3. Select the required One Identity Manager target system, for example, Azure.
4. Select the required One Identity Manager container, for example, Test AD.
5. Click Finish to create a connection to One Identity Manager.

Creating a workflow for provisioning

To create a workflow for provisioning data synchronization to One Identity
Manager

1. Start the Synchronization Service Console.
2. Open the Sync Workflows tab, and then click Add sync workflow.
3. Type a descriptive name, for example, AD to OneIM Sync, for the workflow being
created, and then click OK to create the workflow.

Creating a provisioning step

To create a provisioning step

1. In the Synchronization Service Console, open the Sync Workflows tab, and then
click the AD to OneIM Sync workflow.
2. Click Add synchronization step.
3. On the Select an action page, select Creation, and then click Next.
4. In the Specify source and criteria dialog, click Specify, click Add new
connected system or Select existing connected system, and then step through
the wizard to add the Active Directory Test AD as a connected system.
5. Click Next.
6. In the Specify target dialog, click Specify.
7. Click Add new connected system or Select existing connected system, and
then step through the wizard to add the target One Identity Manager domain as a
connected system.
8. Click Select, to add the required target object type.
9. In the Select Object Type dialog, select the UNSAccountB object type from the
list of object types and click OK.

Specifying synchronization rules

To specify the synchronization rules:

1. In the Synchronization Service Console, open the Sync Workflows tab, and then
click the AD to OneIM Sync workflow.
2. Click Provision from Test AD to One Identity Manager Connection.
3. Click Provisioning Rules and then click Initial Attribute Population Rules.

4. From the drop-down, select Forward Sync Rule.
5. In the Forward Sync Rule dialog, select the source attributes to be mapped to the
target attributes, and then click OK.
NOTE: For One Identity Manager workflows, the attribute configuration rule for
CN is mandatory; otherwise a constraint violation error is displayed and the
workflow run fails.
6. Click Save and Continue.

Running the workflow

To run the provisioning step:

1. On the Sync Workflows tab, click Run now.
2. In the Select sync workflow steps to run dialog, select the check box next to the
step you created, and then to run the step, click Full Run.
After the synchronization step run completes, the Synchronization Service Console
displays a report that provides information about the objects that participated in the
provisioning step. At this stage, the application does not commit changes to the
target One Identity Manager domain.

Committing changes to One Identity Manager

To commit the changes to One Identity Manager
   • Click Commit.

An All changes committed message is displayed. The changes are committed from the
source Active Directory Test AD to the target One Identity Manager.

Verify on One Identity Manager

To verify if the data is synchronized to One Identity Manager

1. Open the Synchronization Service Console.
2. Verify that all the users from the AD are synchronized with One Identity Manager as
per the provisioning rules that were set.

Scenario: Deprovisioning between One Identity Manager Custom Target Systems and an
Active Directory domain
The deprovision operation in data synchronization using Synchronization Service allows
you to modify or remove objects in the target data system after their counterparts have
been disconnected from the source data system. You can configure Synchronization
Service to remove target objects permanently or change them to a specific state. To specify
the objects that will participate in the deprovision operation you can use object mapping
rules. This scenario describes how to create a deprovisioning step for a workflow to modify
or delete the synchronized objects in the target system based on the deprovisioning criteria
that is set.

To create a deprovisioning step

1. In the Synchronization Service Console, open the Sync Workflows tab, and then
click the AD to OneIM Sync workflow.
2. Click Add synchronization step.
3. In the Select an action dialog, select Deprovision, and then click Next.
4. In the Specify source and criteria dialog, click Specify, click Add new
connected system or Select existing connected system, and then step through
the wizard to add the Active Directory Test AD as a connected system.
5. Specify the deprovisioning criteria by selecting one of the following:
• Source object is deleted or out of synchronization scope
• Source object deprovisioning is initiated in connected system
• Source object meets these criteria - Add the criteria for the source
objects to be deprovisioned in the target system
6. Click Next.
7. In the Specify target dialog, click Specify.
8. Click Add new connected system or Select existing connected system, and
then step through the wizard to add the target One Identity Manager domain as a
connected system.
9. Click Select, to add the required target object type.
10. In the Select Object Type dialog, select the UNSAccountB object type from the
list of object types and click OK.
11. In the Specify deprovisioning action dialog, select one of the following actions
to deprovision:

• Delete target objects
• Initiate the object deprovisioning in <target system>
• Modify target objects - Click Forward Sync Rule and select the
attributes to modify the object attributes
12. Click Next.
Active Roles Synchronization Service then creates the deprovisioning step with the
rules for the specified deprovisioning action.

Scenario: Provisioning of groups between One Identity Manager Custom Target Systems
and an Active Directory domain
Synchronization Service allows you to ensure that group membership information is in sync
in all connected data systems. For example, when provisioning a group object from an
Active Directory domain to a One Identity Manager domain, you can configure rules to
synchronize the Member attribute from the source to the target domain.
This scenario describes how to create a provisioning step for a workflow to synchronize
group objects between the source and target systems.

To create a group provisioning step:

1. In the Synchronization Service Console, open the Sync Workflows tab, and then
click the AD to OneIM Sync workflow.
2. Click Add synchronization step.
3. In the Select an action dialog, select Creation, then click Next.
4. In the Specify source and criteria dialog, click Specify, click Add new
connected system or Select existing connected system, then progress through
the wizard to add the Active Directory Test AD as a connected system.
5. In the Specify object type field, click Select, and from the Select Object type list,
select Group, then click OK.
6. In the Provisioning Criteria section, click Add.
7. In the Select Container dialog, from the containers list, select the required
container and click OK.
8. Click Next.
9. In the Specify target dialog, click Specify.

10. Click Add new connected system or Select existing connected system, and
then step through the wizard to add the target One Identity Manager domain as a
connected system.
11. Click Select, to add the required target object type.
12. In the Select Object Type dialog, select the UNSGroupB object type from the list of
object types.
13. Click OK.
Active Roles Synchronization Service then creates the group provisioning step.

Scenario: Enabling Delta Sync mode between One Identity Manager Custom Target Systems
and an Active Directory domain
The Delta processing mode of the Synchronization Service allows you to synchronize
identities between the source and the target systems for only the data that has changed in
the source and target connected systems since their last synchronization.
This scenario describes how to enable the delta processing mode between the source
(Active Directory domain) and target (One Identity Manager) systems.

To enable the delta processing mode

1. Create a sync workflow for provisioning data synchronization between the source
(Active Directory) and target (One Identity Manager) system.
2. Add a Creation step to the workflow to provision users from the source system to the
target system.
3. Click on the synchronization step for provision of users.
4. On the General Options tab, specify the delta processing mode:
a. Under Source Connected System, select Process delta from last run.
b. Under Target Connected System select Process delta from last run.
5. Click Save and continue.
NOTE: Before any data has been processed from the source to the target
system, the initial synchronization of data is always performed in the Process
all delta mode.
6. Run the configured Creation step.
The data for the users added or updated in the source since the previous run is
displayed under Processed Objects.

10 Example of using the Generic SCIM Connector for data synchronization
Once you have configured a connection with the Generic SCIM Connector as described in
Configuring the Generic SCIM Connector for Starling Connect connections, you can
configure import-based data synchronization tasks to import data from the SCIM-based
SuccessFactors HR and ServiceNow connectors of Starling Connect to another target
system supported by Active Roles Synchronization Service.
Creating such a SCIM-based sync workflow has two main steps:

1. Mapping objects by configuring one or more mapping pairs and mapping rules.
By mapping objects, you can specify logic checks by which Active Roles
Synchronization Service can identify if two data entries stored in two separate
databases are the same or not.
• With mapping pairs, you can establish a relationship between object types in
two connected systems.
• With mapping rules, you can define the conditions on how the objects specified
in the mapping pair will be mapped during synchronization.

Example: Mapping objects by user ID

You can use object mapping, for example, to identify the same data entries
between a SuccessFactors HR database (connected to Active Roles via a
Generic SCIM Connector connection) and an SQL server (connected to
Active Roles Synchronization Service via a Microsoft SQL Server
Connector).
To do so, you can set up a mapping that compares the User ID value of the
data entries in the two systems. If the data entries in the two systems share
the same User ID, Active Roles will consider them the same.

For more information on object mapping, see Mapping objects. For an example
mapping procedure using the Generic SCIM Connector, see Creating object
mapping between a SCIM connection and an SQL connection.

2. Setting up a sync workflow based on the configured object mapping, so that you can
automate creating, removing or deprovisioning specific data entries between the
connected systems.
For more information on sync workflows, see Synchronizing identity data. For an
example workflow configuration procedure using the Generic SCIM Connector,
see Creating a sync workflow for synchronizing data from a SCIM-based Starling
Connect connector.

The following chapters provide an example of setting up a sync workflow that imports
data from a SuccessFactors HR database via a Generic SCIM Connector connection and
synchronizes that data to an SQL database.

Creating object mapping between a SCIM connection and an SQL connection
Once you have configured a connection with the Generic SCIM Connector as described in
Configuring the Generic SCIM Connector for Starling Connect connections, you can
configure import-based data synchronization tasks to import data from the SCIM-based
SuccessFactors HR and ServiceNow connectors of Starling Connect to another target
system supported by Active Roles Synchronization Service.
The first step of creating this synchronization is mapping objects between the SCIM-based
source system and a target system, so that Active Roles Synchronization Service can
detect identical data entries between the two systems for proper data synchronization.
By mapping objects, you can specify logic checks by which Active Roles
Synchronization Service can identify if two data entries stored in two separate
databases are the same or not.
• With mapping pairs, you can establish a relationship between object types in two
connected systems.
• With mapping rules, you can define the conditions on how the objects specified in the
mapping pair will be mapped during synchronization.

The following example procedures show how to create a mapping pair and a mapping
rule between:
• A SuccessFactors HR database connected to Active Roles Synchronization Service
with the Generic SCIM Connector. The SuccessFactors HR database will be the
source system from which Active Roles Synchronization Service imports the data.
• An SQL database connected to Active Roles Synchronization Service with the
Microsoft SQL Server Connector. The SQL database will act as the target
system to which Active Roles Synchronization Service will synchronize the
SuccessFactors HR data.

Prerequisites

You can perform the following procedures only if Active Roles Synchronization Service
already contains the following working connectors:
• A Generic SCIM Connector connecting Active Roles Synchronization Service to the
Starling Connect SuccessFactors HR connector. To configure such a connection, see
Configuring the Generic SCIM Connector for Starling Connect connections. In this
example procedure, this connection is called SCIM Connection to
SuccessFactors HR.
• A Microsoft SQL Server Connector providing connection to the SQL Server used in
this example. To configure such a connection, see Creating a Microsoft SQL Server
connection. In this example, this connection is called SQL Connection.

To configure a mapping pair between a SuccessFactors HR database and an SQL database

1. In Active Roles Synchronization Service, navigate to Mapping, then click the SCIM
Connection to SuccessFactors HR connection.

Figure 14: Active Roles Synchronization Service – Selecting a connector for mapping objects

2. To start configuring a new object mapping with the Add mapping pair dialog, click
Add mapping pair.
3. In the Specify source step, under Connected system object type, select the
resource object type you want the object mapping to check. In this example, we are
using the Employees data entry of the SuccessFactors HR database, so click Select,
then in the Select Object Type step, select Employees.
TIP: If the data entry is hard to find due to the length of the list, use the Filter by
name field to find it quicker.
To apply your selection, click OK, then Next.

4. In the Specify target step, under Target connected system, configure the target
system where the other resource object type is located. To do so, click Specify, and
in the Add Connected System Wizard, select the Select existing connected
system option, then the connector of the SQL server (in this example, SQL
Connection). To apply your selection, click Finish.
5. Under Connected system object type, select sql-Object.
6. To create the mapping pair, click Finish.
7. (Optional) If needed, you can configure additional mapping pairs as well for your
sync workflow. To do so, click Add mapping pair again, and repeat the procedure.
This example procedure uses only one mapping pair.

Once the mapping pair is created, you can configure its associated mapping rule.

To configure a mapping rule between a SuccessFactors HR database and an SQL database

1. In Active Roles Synchronization Service, navigate to Mapping, then click the SCIM
Connection to SuccessFactors HR connection.
2. The previously configured mapping pair appears. To open the available mapping pair
settings, click the Employees object type in the mapping pair.

Figure 15: Active Roles Synchronization Service – Mapping pair in a configured SCIM connection

3. To start configuring a new mapping rule, in the Mapping pair window, click Add
mapping rule.

4. In the Define Mapping Rule window, specify the source and target resource object
types that must be equal so that Active Roles Synchronization Service can map the
data pairs. In this example, we are using the UserID attribute for this purpose both in
the SuccessFactors HR database and in the SQL database as well.

Therefore, at the Value generated for SCIM Connection to SuccessFactors HR
by using field, click Attribute, then in the Select attribute window, select userId.
This adds the userId object value to both the source and target fields.
TIP: If the data entry is hard to find due to the length of the list, use the Filter by
name field to find it quicker.
5. To finish adding the mapping rule, click OK.

Figure 16: Active Roles Synchronization Service – Mapping rule in a configured SCIM mapping pair

6. To start the mapping synchronization based on the configured value pair of the
mapping rule, click Map now. Active Roles Synchronization Service offers two
mapping types:
• Quick Map, using local cached data to speed up the mapping process.
• Full Map, retrieving data from the source and target data systems for accuracy.
As this is the first time this mapping is run, perform a Full Map.

Once the mapping rule finishes running successfully, it will indicate the unmapped,
changed and mapped objects, along with the objects that do not meet the scope conditions
of the configured mapping rule.

Creating a sync workflow for synchronizing data from a SCIM-based Starling Connect
connector
Once you have configured a connection with the Generic SCIM Connector as described in
Configuring the Generic SCIM Connector for Starling Connect connections, you can
configure import-based data synchronization tasks to import data from the SCIM-based
SuccessFactors HR and ServiceNow connectors of Starling Connect to another target
system supported by Active Roles Synchronization Service.

The second step of creating this synchronization task is setting up a sync workflow based
on the object mapping configured in Creating object mapping between a SCIM connection
and an SQL connection. By configuring a workflow, you can automate creating, removing
or deprovisioning specific data entries between the connected systems.
The following example procedure shows how to create a workflow that creates and updates
data synchronization between:
• A SuccessFactors HR database connected to Active Roles Synchronization Service
with the Generic SCIM Connector. The SuccessFactors HR database will be the
source system from which Active Roles Synchronization Service imports the data.
• An SQL database connected to Active Roles Synchronization Service with the
Microsoft SQL Server Connector. The SQL database will act as the target
system to which Active Roles Synchronization Service will synchronize the
SuccessFactors HR data.

Prerequisites

Before performing the procedure, make sure that the following conditions are met:
• Active Roles Synchronization Service must already contain the following working
connectors:
  • A Generic SCIM Connector connecting Active Roles Synchronization Service
to the Starling Connect SuccessFactors HR connector. To configure such a
connection, see Configuring the Generic SCIM Connector for Starling Connect
connections. In this example procedure, this connection is called SCIM
Connection to SuccessFactors HR.
  • A Microsoft SQL Server Connector providing connection to the SQL Server
used in this example. To configure such a connection, see Creating a Microsoft
SQL Server connection. In this example, this connection is called SQL
Connection.
• The mapping pair and mapping rule configured in Creating object mapping between a
SCIM connection and an SQL connection are active and working.

To configure a data sync workflow between a SuccessFactors HR database and an SQL
database

1. In Active Roles Synchronization Service, click Sync Workflows > Add sync
workflow.

Figure 17: Active Roles Synchronization Service – Adding a new sync workflow

2. In the Sync workflow name step, name the workflow (for example,
SuccessFactors HR to SQL Server), then click OK.
The new workflow then appears in the Sync Workflows tab.
3. Configure a data synchronization creation step for the workflow. To do so, in Sync
Workflows, click the name of the workflow (in this example, SuccessFactors HR
to SQL Server), then click Add synchronization step.

Figure 18: Active Roles Synchronization Service – Adding a new synchronization step

4. In the Select an action step, select Creation, then click Next.
The Creation step of the workflow will be used to create the synchronized data
entries of the SuccessFactors HR database in the target SQL database. The Creation
step performs data synchronization only for data entries that do not exist in the
target system. Because of this, you typically run this step only once.
5. In the Specify source and criteria step, configure the following settings:
• Source connected system: Specify the SuccessFactors HR database
connection here, created with the Generic SCIM Connector. To do so, click
Specify > Select existing connected system, then select the SCIM-based
connection (in this example, SCIM Connection to SuccessFactors HR).
• Source object type: Specify the source object type here (in this example, the
Employees object type). To do so, click Select, then in the Select Object Type
window, select Employees, and click OK.

TIP: If the data entry is hard to find due to the length of the list, use the
Filter by name field to find it quicker.
• (Optional) Creation Criteria: Specify additional conditions that the specified
source object(s) must meet for synchronization in this workflow step. This
setting is not used in this example.
6. In the Specify target step, configure the following settings:
• Target connected system: Specify the SQL Server connection here, created
with the Microsoft SQL Server Connector. To do so, click Specify > Select
existing connected system, then select the SQL Server connection (in this
example, SQL Connection).
• Target object type: Specify the target object type here. By default, when
selecting an SQL Server connection in Target connected system, Active
Roles Synchronization Service sets this setting to sql-Object, the object type
used in this example.
7. In the Specify creation rules step, configure the logic (called forward
synchronization rules) that Active Roles Synchronization Service will use to perform
first-time synchronization and copy data entries from the SuccessFactors HR
database over to the target SQL database.
To do so, specify one or more unique attributes that Active Roles Synchronization
Service can use to link the corresponding data entries in the connected
SuccessFactors HR and SQL data systems. In this example, four such SuccessFactors
HR attributes are specified: userName, userId, emails.value and
name.familyName.
To specify these creation rules:
a. Click Forward Sync Rule.
b. Click Source item > Attribute, and in the Select Object Attribute window,
search for the user name attribute in the SuccessFactors HR database (for
example, userName), then click OK.
TIP: If the data entry is hard to find due to the length of the list, use the
Filter by name field to find it quicker.
c. Click Target item > Attribute, and search for the applicable user name
attribute pair in the SQL database (for example, userName), then click OK.
TIP: If the data entry is hard to find due to the length of the list, use the
Filter by name field to find it quicker.

Figure 19: Active Roles Synchronization Service – Mapping attributes
for a forward synchronization rule

d. To apply the forward synchronization rule created for the specified user name
attributes, click OK.
e. To configure synchronization rules for the userId, emails.value and
name.familyName SuccessFactors HR data entries too, click Forward Sync
Rule again, and repeat the previous sub-steps by selecting the source and
target attributes applicable to these data entries.
8. Once all forward synchronization rules are configured, to finish configuring the
Creation step, click Finish.

Figure 20: Active Roles Synchronization Service – Finalizing all forward synchronization rules

This creates the Creation step as the first step of the sync workflow.

Figure 21: Active Roles Synchronization Service – Step 1 created for the
SuccessFactors HR / SQL server workflow

9. Now that the Creation step of the workflow is configured, configure the Update
step. To do so, click Add synchronization step again.
The Update step of the workflow will be used to update existing data entries mapped
between the SuccessFactors HR database and the target SQL database. The Update
step performs data synchronization only for existing data entries: it does not create
new ones. Because of this, you typically run this step after running the Creation
step, and run only the Update step later once the data entries have been created
with the Creation step.
10. In the Select an action step, select Update, then click Next.
11. In the Specify source and criteria step, configure the following settings:
• Source connected system: Specify the SuccessFactors HR database
connection here, created with the Generic SCIM Connector. To do so, click
Specify > Select existing connected system, then select the SCIM-based
connection (in this example, SCIM Connection to SuccessFactors HR).
• Source object type: Specify the source object type here (in this example, the
Employees object type). To do so, click Select, then in the Select Object Type
window, select Employees, and click OK.
TIP: If the data entry is hard to find due to the length of the list, use the
Filter by name field to find it quicker.
• (Optional) Creation Criteria: Specify additional conditions that the specified
source object(s) must meet for synchronization in this workflow step. This
setting is not used in this example.
12. In the Specify target step, configure the following settings:
• Target connected system: Specify the SQL Server connection here, created
with the Microsoft SQL Server Connector. To do so, click Specify > Select
existing connected system, then select the SQL Server connection (in this
example, SQL Connection).
• Target object type: Specify the target object type here. By default, when
selecting an SQL Server connection in Target connected system, Active
Roles Synchronization Service sets this setting to sql-Object, the object type
used in this example.

13. In the Specify update rules step, configure the forward synchronization rules that
Active Roles Synchronization Service will use to update existing data entries in the
target SQL database from the SuccessFactors HR database. In this example, four
such attributes are specified: userName, userId, SuccessFactors HR ID (displayed
as sfid) and metadata information (displayed as meta).
To specify these update rules:
a. Click Forward Sync Rule.
b. Click Source item > Attribute, and in the Select Object Attribute window,
search for the user name attribute in the SuccessFactors HR database (for
example, userName), then click OK.
TIP: If the data entry is hard to find due to the length of the list, use the
Filter by name field to find it quicker.
c. Click Target item > Attribute, and search for the applicable user name
attribute pair in the SQL database (for example, userName), then click OK.
TIP: If the data entry is hard to find due to the length of the list, use the
Filter by name field to find it quicker.
d. To apply the forward synchronization rule created for the specified user name
attributes, click OK.
e. To configure synchronization rules for the user ID, sfid and meta data entries
too, click Forward Sync Rule again, and repeat the previous sub-steps by
selecting the source and target attributes applicable to these data entries.
14. Once all forward synchronization rules are configured, to finish configuring the
Update step, click Finish. The configured workflow will appear, containing
both steps.
15. Start the workflow by clicking Run workflow. For the first-time run, select only
Step 1 (Creation from SCIM Connection to SuccessFactors HR to SQL
Connection), then select the running method:
• Full Run fetches all data entries specified in the workflow steps directly from
the source system. As such, One Identity recommends using this method
when running the workflow the first time, even if the process takes longer
than a Quick Run.
• Quick Run uses cached data whenever possible, and is normally faster.
The run may take several minutes to complete.

Figure 22: Active Roles Synchronization Service – Running a configured
sync workflow for the first time

16. Once Active Roles Synchronization Service has found all mapped objects, apply the
synchronization changes by clicking Commit.
Alternatively, to check detailed information about the processed objects, click the
Processed objects number. The Objects processed in window then opens, listing
all new data objects that Active Roles Synchronization Service will synchronize to the
target SQL database.

Synchronizing complex multi-value objects from a SCIM source system
Data sync workflows that import data with a connection based on the Generic SCIM
Connector can import all three types of SCIM 2.0-based data entries:
• Simple attributes, that is, data entries with a single simple value. For example, a
user ID specified in a single string is a simple attribute.
• Complex single-value attributes, that is, data entries specified with several
sub-attributes. For example, the following name attribute is a complex single-value
attribute, specifying the name of an employee with three simple sub-attributes:

    "name": {
        "givenName": "Sam",
        "familyName": "Smith",
        "formatted": "Sam Smith"
    },

The value of complex single-value attributes is the sum of the sub-attribute values.
• Complex multi-value attributes, that is, data entries with multiple complex
values, each of them specified with several simple sub-attributes. For example, the
following addresses attribute is a complex multi-value attribute, specifying several
addresses, each of them being a complex value containing several simple
sub-attributes:

    "addresses": [
        {
            "type": "work",
            "streetAddress": "22 Example Street",
            "region": "Springfield",
            "postalCode": "51487",
            "country": "United States",
            "primary": true
        },
        {
            "type": "home",
            "streetAddress": "12 Rue Exemple",
            "region": "Montreal",
            "postalCode": "46179",
            "country": "Canada"
        }
    ],

However, even though sync workflows using connections set with the Generic SCIM
Connector can import all three of these value types, Active Roles Synchronization Service
does not recognize complex single-value attributes and complex multi-value attributes, as
they contain more values than what Active Roles Synchronization Service can identify for a
single data entry by default.
To import complex single-value and multi-value attributes successfully, you can use the
following methods:
• For complex single-value attributes, you can map each individual sub-attribute
of the complex single-value attribute to separate attributes in the target system. For
example, in case of the name complex single-value attribute, you can map the
givenName, familyName and formatted sub-attributes to separate name.givenName,
name.familyName, and name.formatted attributes in the target system, respectively.
• For complex multi-value attributes, you can use two methods:
  • When importing complex multi-value attributes, Active Roles Synchronization
Service can take a single value (and its sub-attributes), map the sub-attributes
to a set of target values (similarly to complex single-value attributes), then
discard the rest of the complex values of the attribute.
By default, Active Roles Synchronization Service takes the primary value of
the complex multi-value attribute (marked with a specific primary
sub-attribute). If no primary value is specified within the complex multi-value
attribute, Active Roles Synchronization Service imports the first value (and its
sub-attributes) only.
NOTE: This method imports only the primary value (or the first value, if no
primary value is specified). Active Roles Synchronization Service will discard
all other values (and their sub-attributes).
  • If you map a complex multi-value attribute (such as the addresses attribute
shown in the above example) when configuring a mapping rule for a workflow,

you can configure an Active Roles Synchronization Service workflow to process
and extract every value (and their sub-attributes) of the complex multi-value
attribute with script-based attribute mapping.
The following procedure will provide an example on how to apply such a
PowerShell script to properly process the addresses complex multi-value
attribute shown in this chapter.

To configure a custom PowerShell script for a workflow to import complex multi-value
attributes

1. In the Active Roles Synchronization Service, click Sync Workflow, then click the
sync workflow that imports data from a SCIM-based source system (for example, the
SuccessFactors HR to SQL Server workflow used in Creating a sync workflow for
synchronizing data from a SCIM-based Starling Connect connector).
2. Click the first step of the workflow (in the example SuccessFactors HR to SQL
Server workflow, this is named Step 1 (Creation from SCIM Connection to
SuccessFactors HR to SQL Connection).
3. Under Creation Rules, to open the initial population rules, click Forward
Sync Rule.
4. In the Forward Sync Rule window, at the Source item setting, open the Attribute
drop-down, and click PowerShell Script.
5. In the PowerShell Script Editor, paste the following script example, and click OK:

    # Convert the raw JSON array stored in the addresses attribute into a .NET array
    $addressesJsonArray = $srcObj["addresses"] | ConvertFrom-Json

    # Only proceed if the attribute was present and parsed into a valid array
    if ($addressesJsonArray) {
        # Walk the array and stop at the first address whose type sub-attribute is "work"
        for ($i = 0; $i -lt $addressesJsonArray.Length; $i++) {
            if ($addressesJsonArray[$i].type -eq "work") {
                # The returned string becomes the value of the mapped target attribute
                return $addressesJsonArray[$i].streetAddress + ", " +
                    $addressesJsonArray[$i].region + ", " + $addressesJsonArray[$i].locality
            }
        }
    }

The example script contains the following key parts:


• $srcObj refers to the source object that the script will act on.
• $srcObj["addresses"] extracts the raw value of the addresses attribute. In this
example, this attribute is a complex multi-value SCIM attribute, so the
attribute value will be a JSON array.
• $addressesJsonArray is a .NET array object containing the values of the
complex multi-value attribute.
The rest of the script performs the following steps:

Active Roles 8.1.3 Synchronization Service Administration Guide


416
a. It checks that the array is valid.
b. It traverses the elements of the array, and looks for the first element with a
type sub-attribute with a work value.
c. Once it finds an element with a work value type, it constructs a formatted string
from the streetAddress, region and locality sub-attributes.
d. It returns the results.
6. Use the output to parse and extract the data into other target values in the
target system.
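The script in step 5 returns only the first work address. The following script is an added example (not part of the guide or of Synchronization Service) that generalizes it: it returns every address of a chosen type and handles an empty attribute, malformed JSON, a single-element array and missing sub-attributes. It assumes the built-in $srcObj hash table; the $addressType variable, the Get-AddressLines function and the postalCode and country sub-attributes (SCIM core schema, RFC 7643) do not appear in the guide.

```powershell
# Added example, not the guide's own code: a script-based mapping rule that returns
# every address of a chosen type from the SCIM "addresses" attribute, tolerating an
# empty attribute, malformed JSON, a single-element array and missing sub-attributes.
# $srcObj is the built-in source-object hash table; $addressType and Get-AddressLines
# are names chosen for this example.

$addressType = "work"   # the type sub-attribute value to select (assumption)

function Get-AddressLines {
    param(
        [string]$RawJson,   # raw value of $srcObj["addresses"]
        [string]$Type
    )

    # An absent or empty attribute yields no addresses instead of an error.
    if ([string]::IsNullOrWhiteSpace($RawJson)) { return @() }

    try {
        $parsed = ConvertFrom-Json -InputObject $RawJson -ErrorAction Stop
    } catch {
        # Malformed JSON: return nothing rather than failing the whole step.
        return @()
    }

    # @() normalizes the result: ConvertFrom-Json gives a single object for a
    # one-element array on PowerShell 7 and an Object[] on Windows PowerShell 5.1.
    $lines = foreach ($entry in @($parsed)) {
        if ($null -eq $entry -or $entry.type -ne $Type) { continue }

        # Keep only sub-attributes that are present and non-empty, so a missing
        # region does not leave a dangling ", , " in the output.
        $parts = @(
            @($entry.streetAddress, $entry.locality, $entry.region,
              $entry.postalCode, $entry.country) |
            Where-Object { -not [string]::IsNullOrWhiteSpace($_) }
        )
        if ($parts.Count -gt 0) { $parts -join ", " }
    }

    return @($lines)
}

$result = Get-AddressLines -RawJson $srcObj["addresses"] -Type $addressType

# One match: return the string for a single-value target attribute.
# Several matches: return the array so a multi-value target receives every address.
if ($result.Count -eq 1) { $result[0] } else { $result }
```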

Appendix A

Appendix: Developing PowerShell scripts for attribute synchronization rules

You can configure synchronization rules for steps such as creation, deprovisioning, or
update. Synchronization Service provides a user interface (the Synchronization Service
Console) that allows you to set up a direct or rules-based synchronization rule
without any coding.
However, to set up a script-based synchronization rule, you must develop a Windows
PowerShell script that builds the values of the target object attributes from the values of the
source object attributes.
This section provides reference material on using the Windows PowerShell Script
Host feature and provides a sample script.

Accessing source and target objects using built-in hash tables

Synchronization Service synchronizes data between the source and target objects using
the pre-configured synchronization rules.
In the PowerShell scripts used to set up script-based synchronization rules, you can
use the $srcObj and $dstObj built-in associative arrays (hash tables), which allow the
scripts to access the current values of the attributes of the source and target objects,
respectively. The hash table key names are the names of the object attributes.
For more information about the use of associative arrays, see the Microsoft PowerShell
documentation.
In addition to $srcObj and $dstObj, Synchronization Service defines the $Request built-in
hash table. The $Request key names are also names of the object attributes. The $Request
hash table contains new values of the target object attributes to which the target object
attributes must be set after completing the synchronization process.
To clarify the use of built-in hash tables, let us consider the following scenario: you
synchronize between the mail attributes of user objects in an LDAP directory (source
connected system) and Active Roles (target connected system) using the following
synchronization rule: the value of the mail attribute in the target connected system must
be equal to that in the source connected system concatenated with the current date.
For example, before the synchronization process started, the source object had the mail
attribute JDoe@mail1.mycompany.com and the target object had the mail attribute
JDoe@mail2009.mycompany.com. After the synchronization process completes, the target
user will have the following mail: JDoe@mail1.mycompany.com (5 December, 2012) (if you
performed the synchronization process on 5 December, 2012).
The following code snippet illustrates the use of built-in hash tables:

# Returns "JDoe@mail1.mycompany.com" (current value of the source object's mail attribute)
$strSourceMail = $srcObj["mail"]
# Returns "JDoe@mail2009.mycompany.com" (current value of the target object's mail attribute)
$strTargetMail = $dstObj["mail"]
# Returns "JDoe@mail1.mycompany.com (5 December, 2012)" (new value the target attribute will be set to)
$strNewMail = $Request["mail"]
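The following script is an added example, not code from the guide, that implements the mail scenario above as a script-based sync rule. It uses $srcObj and $dstObj as the guide describes and goes one step further: it compares the source address with the existing target value (minus any earlier date suffix) so an unchanged address is not rewritten with a new date on every run. The Get-TargetMail function name is an assumption.

```powershell
# Added example, not the guide's own code: a script-based sync rule that builds the
# target mail from the source mail and the current date, and uses $dstObj to leave
# the target untouched when the underlying address has not changed.
# $srcObj and $dstObj are the built-in hash tables; Get-TargetMail is a name chosen here.

function Get-TargetMail {
    param(
        [string]$SourceMail,         # current value of $srcObj["mail"]
        [string]$CurrentTargetMail,  # current value of $dstObj["mail"]
        [datetime]$SyncDate          # date of this synchronization run
    )

    # A source object without a mail attribute must not produce a target value
    # that consists only of the date suffix.
    if ([string]::IsNullOrWhiteSpace($SourceMail)) { return $null }

    # Strip a previously appended " (d Month, yyyy)" suffix from the existing target
    # value so that repeated runs compare the address itself, not the date.
    $existingBase = $CurrentTargetMail -replace '\s\(\d{1,2} [A-Za-z]+, \d{4}\)$', ''

    if ($existingBase -eq $SourceMail) {
        # Same underlying address: keep the target as it is.
        return $CurrentTargetMail
    }

    # Format matches the guide's example: JDoe@mail1.mycompany.com (5 December, 2012)
    $culture = [System.Globalization.CultureInfo]::InvariantCulture
    $suffix = $SyncDate.ToString("d MMMM, yyyy", $culture)
    return "$SourceMail ($suffix)"
}

# The script's output becomes the new target attribute value.
Get-TargetMail -SourceMail $srcObj["mail"] -CurrentTargetMail $dstObj["mail"] -SyncDate (Get-Date)
```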

Example script

The following script illustrates the use of $srcObj.
A creating task (the creating step of a sync workflow, as applied to Synchronization
Service) causes Synchronization Service to create user identity information from a
delimited text file in Active Directory using the following creating rule: the co
attribute of every created user must be set to the name of the country where the user lives.
The script-based creating rule calculates the co attribute value based on the user's
city (the City attribute in the connected data source).
The following script implements the described scenario:

# --- Retrieve the City attribute of the user object in the connected data source.
$userCity = $srcObj["City"]
# --- Determine the user's country from the city
switch ($userCity)
{
    "New York" {$country = "United States"; break}
    "Paris" {$country = "France"; break}
    "Tokyo" {$country = "Japan"; break}
    default {$country = "Unknown"}
}
# --- Return the user's country. The script-based creating rule
# --- assigns this value to the "co" attribute in the created user object.
$country
# End of the script

Appendix B

Appendix: Using PowerShell script to transform passwords

You can use a Windows PowerShell script in a password sync rule to transform passwords.
This section provides some reference materials on how to write a Windows PowerShell
script for password transformation.

Accessing source object password


To synchronize passwords between the source Active Directory domain and the target
connected data system, Synchronization Service uses the password sync rules you
configure. In the password sync rule settings, you can type a PowerShell script that transforms
source Active Directory user passwords into object passwords for the target connected
system. For example, you can use such a script if you want the object passwords in the
source and target connected systems to be different.
When developing a PowerShell script to transform passwords, you can use the $srcPwd
built-in associative array (hash table), which allows the script to access the source object
password. $srcPwd returns a string that contains the object password.

Example script

To clarify the use of $srcPwd, consider a scenario where the target object password in
the target connected data system must consist of only the first 8 characters of the source
object password in the source Active Directory domain.
The following script implements the described scenario:

if($srcPwd.length -gt 8)
{
$srcPwd.substring(0,8)
}
else
{
$srcPwd
}
# End of the script

About us

One Identity solutions eliminate the complexities and time-consuming processes often
required to govern identities, manage privileged accounts and control access. Our solutions
enhance business agility while addressing your IAM challenges with on-premises, cloud and
hybrid environments.

Contacting us

For sales and other inquiries, such as licensing, support, and renewals, visit
https://www.oneidentity.com/company/contact-us.aspx.

Technical support resources

Technical support is available to One Identity customers with a valid maintenance contract
and customers who have trial versions. You can access the Support Portal at
https://support.oneidentity.com/.
The Support Portal provides self-help tools you can use to solve problems quickly and
independently, 24 hours a day, 365 days a year. The Support Portal enables you to:
• Submit and manage a Service Request
• View Knowledge Base articles
• Sign up for product notifications
• Download software and technical documentation
• View how-to videos at www.YouTube.com/OneIdentity
• Engage in community discussions
• Chat with support engineers online
• View services to assist you with your product
