Spotfire® Server and Environment - Installation and Administration

Group synchronization

Group synchronization makes the user directory mirror the group hierarchies in the LDAP directory.

When you set the group-sync-enabled option (in the config-ldap-group-sync command), the user directory synchronizes groups from the LDAP directory. By synchronizing groups you can avoid needing to manage group memberships in Spotfire. You will still assign licenses and privileges to groups from the License and features tab for the group in the Spotfire Server administration pages (or from the Administrator Manager in the installed Spotfire client).

Synchronized LDAP groups cannot be manually modified in the user directory. Synchronized groups can be placed into manually created groups in the user directory, and thereby be granted permissions. If an LDAP group has been synchronized and it is removed from the list of groups to synchronize, it keeps the members from the last synchronization, but becomes an ordinary group that can be modified in Spotfire.
Note: The Spotfire user directory does not support cyclic group memberships (that is, where the ancestor of a group is also a descendant of the same group). If a cyclic membership is encountered, the Spotfire user directory breaks the cycle at an arbitrary point, which might result in unexpected group memberships.
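
Because a broken cycle can leave a group with memberships, and therefore licenses and privileges, that nobody intended, it is worth checking the LDAP group nesting for cycles before enabling synchronization. The following is an added example, not Spotfire code: the function name `find_group_cycles`, the group names and the nesting map are constructed for illustration, and the map is assumed to have been exported from the LDAP directory beforehand.

```python
# Added example: detect cyclic nested-group memberships before synchronization.
# Group names and the nesting map are constructed sample data (assumption).

def find_group_cycles(nested):
    """Return each membership cycle as a list of group names.

    `nested` maps a group to the groups that are its direct members.
    A cycle is reported as the path from a group back to itself.
    """
    WHITE, GREY, BLACK = 0, 1, 2   # unvisited, on current path, finished
    state, path, cycles = {}, [], []

    def visit(group):
        state[group] = GREY
        path.append(group)
        for child in sorted(nested.get(group, ())):
            colour = state.get(child, WHITE)
            if colour == WHITE:
                visit(child)
            elif colour == GREY:
                # child is an ancestor on the current path: membership cycle
                cycles.append(path[path.index(child):] + [child])
        path.pop()
        state[group] = BLACK

    for group in sorted(nested):
        if state.get(group, WHITE) == WHITE:
            visit(group)
    return cycles


# Constructed sample: emea-leads contains analysts, which (indirectly)
# contains emea-leads again.
SAMPLE = {
    "cn=analysts": ["cn=emea-analysts", "cn=contractors"],
    "cn=emea-analysts": ["cn=emea-leads"],
    "cn=emea-leads": ["cn=analysts"],
    "cn=contractors": [],
    "cn=admins": ["cn=admins-oncall"],
    "cn=admins-oncall": [],
}

if __name__ == "__main__":
    for cycle in find_group_cycles(SAMPLE):
        print("cycle: " + " -> ".join(cycle))
```

Any cycle reported here should be resolved in the LDAP directory itself, so that the resulting memberships do not depend on where the user directory happens to break the cycle.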

When configuring the groups to be synchronized, specify either the group account names or the distinguished names. The account names and the distinguished names can contain an asterisk (*) as a wildcard character. This wildcard behaves just like the asterisk wildcard in standard LDAP search filters.

It is also possible to specify the distinguished name of an LDAP container containing one or more groups. All those groups will then be synchronized. It is possible to mix all variants.
Note: If the Group synchronization enabled configuration property is set and no groups or group context names are configured, the user directory synchronizes all groups that it can find in the configured context names.

The synchronized groups can also be used to filter the set of users that are synchronized with the user directory. By enabling the filter-users-by-groups option, only users that are members of at least one of the synchronized groups are synchronized with the user directory.