Auto Provisioning Jobs
Provisioning allows admins to auto-sync Pyramid's user accounts with security groups defined in Authentication Providers that support user provisioning. The engine runs periodically and provides a fast, automated, and convenient method for synchronizing users in Pyramid with users in the provider.
Note: Provisioning is only active when the Authentication Provider is Active Directory, Azure Active Directory, Open LDAP, or a SAML or OpenID provider for which Provider Provisioning Settings are configured.
Note: This feature is only available in the Enterprise Edition.
- Use the Task Manager to see a list of all provisioning tasks.
Schedule List
The Auto Provisioning Jobs page lists all the scheduled provisioning jobs:
Overhead menu
The menu options in this panel (highlighted in blue above) are:
- Configure Provisioning: Takes you to the Provisioning page, where you can configure the Provisioning service. For more information, see Provisioning.
- Add New Job: Opens the New Schedule panel, so that you can add a new provisioning task. For more information, see below.
- Run Now: Run all jobs immediately. Before the jobs are run, a warning is shown indicating that all jobs will be run and that the timer will be reset.
Time to next schedule
- Time to next schedule: (Orange arrow.) Describes the time until the next scheduled job runs.
Scheduled jobs list
Each auto provisioning job in the list has the following details:
- Actions: You can use the Actions options (purple highlight above) to edit or delete the scheduled job, show the schedule's cached list of users, or clear the cached list.
- Domain: The Pyramid domain.
- Group Name: The Authentication Provider group to sync.
- License: The license type that will be given to this group of users.
- Tenant: The tenant the users will belong to.
- Role: The role the users will be assigned.
- Profile: The profile the users will be assigned.
- Admin Type: The admin type for the users.
Add New Provisioning Jobs
Set up a provisioning job to create new users in Pyramid by pulling users automatically from the Authentication Provider and assigning those users a specific Tenant, Profile, and so on in Pyramid.
Click Add New Job to add a new provisioning task to the system in the New Schedule panel:
- Group Name: Select the Authentication Provider group that will form the member source for this task:
  - An option on the drop-down is New Group. Select this option to open the Search Criteria fields at the bottom of the panel (blue highlight below). You can use these search fields to locate and select the user group that you are interested in.
- Seat Type: Choose the license type that will be allocated to the users generated from this task.
- Tenant: Choose the tenant the users should belong to.
- Role to Add: Select which role the users will be added to.
- Admin Type: Select which Admin type the users should have.
- Profile: Select the Profile the users should be assigned. Profiles are configured under Access, in the Profiles tab, and determine the actions that users can and can't perform.
- Provisioned: This option indicates the provisioning "type" that the users should be added with:
  - Full: A "Fully Provisioned" (or "Full") user can only be updated using the provisioning process. Administrators will not be able to edit the user's main details in the Users page, but they can change the user details on the Authentication Provider and run the provisioning process again to sync the Pyramid user. Note: This does not affect secondary details.
  - Differential: A "Differential" user can be edited in the Users page in Pyramid as needed. Warning: If a Differential user is deleted from your Authentication Provider, they will also be automatically deleted from Pyramid.
Click Save (orange arrow) to commit the task.
Grant Domain Admin Rights
Pyramid supports two Admin types: Enterprise Admins and Domain Admins. While Enterprise Admins have complete access to the entire system and its settings, Domain Admins are granted access to specified parts of the system. In a multitenant environment, Domain Admins are limited to actions WITHIN the tenancy they belong to, while Enterprise Admins can work across tenants.
When you add users (either using Search or when running an Auto Provisioning job), you can assign the relevant Domain Admin rights using the Admin Rights checkboxes (see blue highlight, below), which are shown when you select Domain Admin from the Admin Type drop-down (purple arrow).
- Click here for more information about Domain Admin Rights.
Edit Provisioning Jobs
Where your provisioning jobs are running on a schedule, you may want to change the details between provisioning runs; for example, to grant all Domain Admins administrative access to the Logs in Admin Console, after they had previously not been granted that right.
To edit your provisioning job, click Edit in the Actions column above (green arrow on top image). The options that you use to edit your job open in the Edit Schedule panel, which contains all the same options as the New Schedule panel.
Existing Users
Where the provisioned users were previously created by the scheduled provisioning task, they cannot be "downgraded" on an update. This means that a provisioning job that previously made your users into Enterprise Admins cannot then make the same users into Domain Admins on the next scheduled run. Updates apply to Fully provisioned users.
Delete Provisioning Jobs
When you delete the schedule that is running your Provisioning Job, you also need to decide what to do with any users that were created by that Job.
- You can keep the users and detach them from the provisioning process (making them into "Manual" users that you can manage in the Users page)
- You can disable the users
- You can delete them (and their content).
Warning: This process is not reversible. If you delete your users and need to recreate them, you will need to do so either manually or by setting up a new provisioning schedule.
From the Action items in the Auto Provisioning Jobs table:
- Click Delete.
- Choose how to handle the users associated with the job:
  - Keep - Indicates that you do not want to delete the users. You want to reclassify them as "Manual" so that they can be maintained in the Users page as needed. This action detaches the users from the provisioning process, but leaves them in Pyramid in the active state.
  - Disable - Also indicates that you do not want to delete the users. Again, the users will be reclassified as "Manual" and detached from the provisioning process. In this case, however, the users will also be disabled. You can re-enable them in the Users page.
  - Delete - This last option deletes the users associated with the provisioning job from Pyramid. When users are deleted by this process, all of their private data (the discoveries, publications, and so on that are stored in their My Content Folder) are "soft deleted." Soft deleted files are moved into the Deleted users content folder and can be restored by an admin if needed.
If the scheduled job was previously run and users were created, the Delete Provisioning Job dialog opens:
The scheduled provisioning job is deleted and the users associated with that job are handled as specified.
User Management Considerations
Duplicate users
It is possible that the same user appears in multiple groups; for example, the groups DEV and QA on your Authentication Provider may include some users who work across both teams. Where the provisioning job is set up to assign those groups different properties when they are provisioned in Pyramid (all DEV users will be domain admins and all QA users will be non-admins, say), the individual users are treated as if they are only in the group with the "higher" rights (in this case, as if they are only in DEV).
First Pyramid checks the Admin types for the target groups; if the Admin type is Enterprise for one group and either Domain or None for the other, the user is added as part of the Enterprise Group. If the Admin groups are the same, then the check moves on to License, then User Type, and finally (where the groups are the same in all these regards) the Time Stamp for schedule creation.
Removal from Groups
If you are using provisioning to sync your user groups from your Authentication Provider to Pyramid, removing a user from a group will cause that user to be deleted from Pyramid. This is not the case if the user continues to exist in another group. In this case, the user in Pyramid is preserved.
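The duplicate-user and group-removal rules above can be checked before a sync runs. The following is an added example, not Pyramid code or a Pyramid API: it takes provider group membership you have exported yourself and reports which Admin Type each multi-group user would receive and which users a membership change would delete. The group names, user names, job table, and function names are all constructed for illustration.

```python
# Added example: models only the rules stated on this page; all data is constructed.
ADMIN_RANK = {"None": 0, "Domain": 1, "Enterprise": 2}  # "higher" rights win

# Constructed jobs: provider group -> Admin Type assigned by its job.
JOBS = {"DEV": "Domain", "QA": "None", "OPS": "Enterprise"}


def groups_of(memberships, jobs=JOBS):
    """Invert {group: users} into {user: set of provisioned groups}."""
    out = {}
    for group, users in memberships.items():
        if group in jobs:  # groups without a job are not provisioned
            for user in users:
                out.setdefault(user, set()).add(group)
    return out


def effective_admin(memberships, jobs=JOBS):
    """Return {user: (admin type, winning groups, also_in_lower_group)}.

    When several groups share the top Admin Type, the page says License,
    User Type and schedule time stamp decide. That tie-break is not
    modeled here, so every tied group is listed.
    """
    result = {}
    for user, groups in groups_of(memberships, jobs).items():
        top = max(ADMIN_RANK[jobs[g]] for g in groups)
        winners = sorted(g for g in groups if ADMIN_RANK[jobs[g]] == top)
        lower = any(ADMIN_RANK[jobs[g]] < top for g in groups)
        result[user] = (jobs[winners[0]], winners, lower)
    return result


def removal_impact(before, after, jobs=JOBS):
    """For users dropped from a group: (deleted on sync, preserved)."""
    old, new = groups_of(before, jobs), groups_of(after, jobs)
    removed = {u for u, gs in old.items() if gs - new.get(u, set())}
    deleted = sorted(u for u in removed if u not in new)   # in no group now
    preserved = sorted(u for u in removed if u in new)     # still in another
    return deleted, preserved


# Constructed snapshots of provider group membership.
BEFORE = {"DEV": {"ana", "bo"}, "QA": {"bo", "cy"}, "OPS": {"dee"}}
AFTER = {"DEV": {"ana"}, "QA": {"bo", "cy"}, "OPS": set()}

if __name__ == "__main__":
    print(effective_admin(BEFORE))
    print(removal_impact(BEFORE, AFTER))
```

A user flagged `also_in_lower_group` holds the higher Admin Type only because of one membership, which makes those accounts worth reviewing whenever a job's Admin Type or a group's membership changes.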