TIBCO Spotfire® Server and Environment - Installation and Administration

Group synchronization

Group synchronization mirrors in the user directory the group hierarchies that are in the LDAP directory.

When you set the group-sync-enabled option (in the config-ldap-group-sync command), the user directory synchronizes groups from the LDAP directory. Synchronizing groups relieves the administrator of the responsibility of managing group memberships. Assigning licenses and privileges to Spotfire groups is still accomplished in the Administrator Manager in Spotfire Analyst.

Synchronized LDAP groups cannot be manually modified in the user directory. Synchronized groups can be placed into manually created groups in the user directory, and thereby be granted permissions. If an LDAP group has been synchronized and it is removed from the list of groups to synchronize, it keeps the members from the last synchronization, but becomes an ordinary group that can be modified in Spotfire.
Note: The user directory does not support cyclic group memberships, where the ancestor of a group is also a descendant of the same group. If the user directory detects a group membership cycle, it will be broken up arbitrarily.
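
Because a detected cycle is broken up arbitrarily, it helps to find cycles in the LDAP group hierarchy before enabling synchronization. The following is an added example, not part of the Spotfire documentation or tooling: it assumes the nested-group memberships have already been exported from LDAP into a dictionary, and the function name, base DN and sample data are hypothetical.

```python
# Added example. All DNs are constructed sample data, not from a real directory.

def find_group_cycles(member_groups):
    """Return nested-group membership cycles, each as a list of group DNs.

    member_groups maps a group DN to the DNs of groups that are its direct
    members. DNs are compared case-insensitively. One cycle is reported per
    back edge found by the depth-first search, de-duplicated by rotation.
    """
    graph = {g.lower(): [m.lower() for m in ms]
             for g, ms in member_groups.items()}
    in_progress, done = set(), set()
    cycles, seen = [], set()

    def visit(node, path):
        in_progress.add(node)
        path.append(node)
        for child in graph.get(node, ()):
            if child in in_progress:            # back edge: child is an ancestor
                cycle = path[path.index(child):]
                start = cycle.index(min(cycle))  # rotate to a canonical start
                key = tuple(cycle[start:] + cycle[:start])
                if key not in seen:
                    seen.add(key)
                    cycles.append(list(key))
            elif child not in done:
                visit(child, path)
        path.pop()
        in_progress.discard(node)
        done.add(node)

    for group in sorted(graph):
        if group not in done:
            visit(group, [])
    return cycles


def dn(name):
    # Hypothetical base DN used only for this sample.
    return f"CN={name},OU=Groups,DC=example,DC=com"

# Constructed export: Analysts -> EMEA-Analysts -> Contractors -> Analysts.
SAMPLE_MEMBERSHIP = {
    dn("Admins"): [dn("Analysts")],
    dn("Analysts"): [dn("EMEA-Analysts")],
    dn("EMEA-Analysts"): [dn("Contractors")],
    dn("Contractors"): [dn("analysts")],   # different case, same group
}

if __name__ == "__main__":
    for cycle in find_group_cycles(SAMPLE_MEMBERSHIP):
        print(" -> ".join(cycle + cycle[:1]))
```

Any cycle reported here should be resolved in the LDAP directory, so that the synchronized hierarchy does not depend on which membership the user directory happens to drop.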

When configuring the groups to be synchronized, specify either the group account names or the distinguished names. The account names and the distinguished names may contain an asterisk (*) as a wildcard character. This wildcard behaves just like the asterisk wildcard in standard LDAP search filters.

It is also possible to specify the distinguished name of an LDAP container that holds one or more groups; all groups in that container are then synchronized. Account names, distinguished names, and container distinguished names can be mixed freely.
Note: If the Group synchronization enabled configuration property is set and no groups or group context names are configured, the user directory synchronizes all groups that it can find in the configured context names.

The synchronized groups can also be used to filter the set of users that are synchronized with the user directory. By enabling the filter-users-by-groups option, only users that are members of at least one of the synchronized groups are synchronized with the user directory.