Provisioning
Provisioning synchronizes Pyramid users with the users of the Authentication Provider. When a user is added to or removed from the authentication provider, the change is applied to Pyramid on the next sync, provided Auto Provisioning has been enabled on this page.
User Provisioning is only available with certain providers (IDPs) and must be configured and enabled for it to be operational.
Auto Provisioning
- Enable Auto Provisioning: Select this checkbox to enable provisioning.
- Sync Interval: Determine how frequently Pyramid users are synced with the Authentication Provider's users and groups. Syncing too frequently puts unnecessary load on both Pyramid and the Authentication Provider. If you set the sync interval to 8 hours or more, additional options appear for setting the start time:
- Start Hour: set the start time for the sync interval.
- Timezone: set the timezone for the sync interval.
- User Sync Behavior: determine what should happen to Pyramid users who have been removed from Authentication Provider:
- Remove: remove the user from Pyramid. Note that the content created by that user is also removed, so this option is destructive; choose it only where that is intended.
- Disable: the user will be disabled, and the content they created will not be removed from Pyramid.
- Enable Cross Domain Groups: enable the use of Active Directory groups made up of users from multiple domains.
When Provisioning is enabled, the scheduled provisioning jobs will appear under the Schedules Manager. From there, you can edit the schedule, add a new scheduling job, and more.
User Group Synchronization
These settings control how user identity data is synchronized between the Pyramid environment and the authentication provider. For example, the groups and their members (users) are pulled from the authentication provider so that Pyramid stays up to date with these details.
Sync Method
Select the method to use for synchronization. Two methods are available, named Method 1 and Method 2. Method 2 is recommended where available, but Open LDAP and Azure Active Directory support only Method 1.
Method 1
Fetches all users and populates the user table with every user, their directly assigned roles, and the roles inherited from their user groups. No additional fields need to be completed to use Method 1, where it is available.
Method 2
Uses the Authentication Provider to determine which users are members of each group. This method is more efficient and is recommended wherever it is available.
If you select Method 2 as your Sync Method, the following additional fields are made available:
- Synchronization Timeout: Set the timeout for the synchronization process to fetch the information from the Domain Controller. A value of 0 runs with no timeout; note that with no timeout, a sync that never completes is not reported to users as a synchronization error.
- Support Cross Domains: Allow synchronization in cases where a group belonging to one domain has a nested group belonging to a second domain. If this option is not selected, synchronization fails when such a nested group is encountered.
- via Forest (Preferred): scans all domains in the forest.
- via Domain: searches one domain at a time.
- Forest Domain: Select the Forest Domain. Set this only when the via Forest option is in use.
- Use Forest Level Credentials: Override the user's credentials with a separate account, for cases where the selected user does not have the privileges to scan the forest. Because the scheduled sync uses this account unattended, make it a dedicated read-only directory account with no more privilege than the forest scan requires.
- Username: Set the Forest Level Username.
- Password: Enter the Forest Level Password.
- Use Atomic Action: Selecting this checkbox ensures that the group sync action is performed atomically. This means that there is no "partial" state; the group sync action either succeeds in its entirety or fails without any changes being applied (all or nothing).
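The two decisions that matter most on this page are the User Sync Behavior (Remove vs Disable) and Use Atomic Action (all or nothing). The following Python models one sync pass to make those semantics concrete. It is an added illustration written for this page, not Pyramid's own code: the data structures, function names, the constructed sample data and the rule that an unresolvable group member aborts the pass (standing in for an unexpanded cross-domain nested group) are all assumptions made for the example.

```python
from copy import deepcopy
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class LocalUser:
    """A user record in the local (application-side) user table. Assumed shape."""
    name: str
    enabled: bool = True
    groups: Set[str] = field(default_factory=set)
    content_items: int = 0  # items the user owns; lost if the user is removed


class SyncError(Exception):
    """Raised when a provider group references a member that cannot be resolved."""


def sync_pass(local: Dict[str, LocalUser],
              provider_users: Set[str],
              provider_groups: Dict[str, Set[str]],
              on_removed: str = "disable",
              atomic: bool = True) -> List[str]:
    """Reconcile `local` against a provider snapshot and return an audit log.

    on_removed: "remove" deletes users missing from the provider together with
                their content; "disable" keeps record and content but blocks login.
    atomic:     when True, changes are staged on a copy and committed only if the
                whole pass succeeds, so a failure leaves `local` untouched.
    """
    if on_removed not in ("remove", "disable"):
        raise ValueError("on_removed must be 'remove' or 'disable'")

    target = deepcopy(local) if atomic else local
    log: List[str] = []

    # 1. Users present at the provider but unknown locally are created.
    for name in sorted(provider_users - target.keys()):
        target[name] = LocalUser(name)
        log.append(f"add {name}")

    # 2. Previously disabled users who reappear at the provider are re-enabled.
    for name in sorted(provider_users & target.keys()):
        if not target[name].enabled:
            target[name].enabled = True
            log.append(f"enable {name}")

    # 3. Users gone from the provider are removed or disabled.
    for name in sorted(set(target) - provider_users):
        if on_removed == "remove":
            del target[name]
            log.append(f"remove {name}")
        elif target[name].enabled:
            target[name].enabled = False
            log.append(f"disable {name}")

    # 4. Group membership is rebuilt from the provider's view. An unresolvable
    #    member (assumed here to model a nested group from another domain that
    #    was not expanded) aborts the pass part-way, which is where atomic matters.
    for user in target.values():
        user.groups.clear()
    for group, members in sorted(provider_groups.items()):
        for member in sorted(members):
            if member not in provider_users:
                raise SyncError(f"group {group}: unresolved member {member}")
            target[member].groups.add(group)
        log.append(f"group {group}: {len(members)} member(s)")

    if atomic:
        local.clear()
        local.update(target)
    return log


def try_sync(local, provider_users, provider_groups, **opts) -> Tuple[bool, str]:
    """Run a pass and report (ok, message) instead of raising."""
    try:
        return True, "; ".join(sync_pass(local, provider_users, provider_groups, **opts))
    except SyncError as exc:
        return False, str(exc)


def build_sample_state() -> Dict[str, LocalUser]:
    """Constructed local user table for the example (not real data)."""
    return {
        "alice": LocalUser("alice", groups={"analysts"}, content_items=3),
        "bob": LocalUser("bob", content_items=5),
    }


if __name__ == "__main__":
    # Provider snapshot (constructed): bob is gone, carol is new.
    state = build_sample_state()
    print(try_sync(state, {"alice", "carol"}, {"analysts": {"alice", "carol"}}))
    # A group member that cannot be resolved: atomic leaves `state` unchanged.
    state = build_sample_state()
    print(try_sync(state, {"alice", "carol"}, {"analysts": {"alice", "dave"}}))
    print(sorted(state), state["bob"].enabled)
```

Running it with the Disable behaviour keeps bob's record and his five content items while blocking his login; with Remove they are gone. In the failing run, the atomic pass rolls back to the original two users, whereas a non-atomic pass would already have added carol and disabled bob before the error surfaced.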
Related information
- Auto Provisioning Jobs - Provisioning allows admins to auto-sync Pyramid's user accounts with security groups defined in some Authentication Providers. The engine runs periodically and provides a fast, automated, and convenient way to synchronize users in Pyramid with users in Active Directory, Azure Active Directory, Open LDAP, or SAML or OpenID providers where Provider Provisioning Settings are configured.