UniFi Identity Enterprise - Streamline AD/LDAP User Imports with Profile and Lifecycle Management
Profile and Lifecycle Management (i.e., AD and LDAP) is an add-on that syncs user properties from AD/LDAP to Identity Enterprise, streamlining user directory management and simplifying user import.
Requirements
- The Owner has applied for Profile and Lifecycle Management (i.e., AD and LDAP) in their Identity Enterprise Manager (YOUR_SUBDOMAIN.ui.com/cloud) > Settings > Plan & Billing > Workspace Feature Usage > Apply for Plan Add-Ons.
- You have integrated AD/LDAP with Identity Enterprise. See instructions for AD and LDAP.
Enable Profile and Lifecycle Management
Once enabled, users who are deactivated or reactivated in AD/LDAP will be synced to Identity Enterprise for streamlined management.
- Go to your Identity Enterprise Manager > Organization > Directory Integration > Directory, and select a directory server.
- Go to Provisioning > Profile and Lifecycle Management > Allow AD/LDAP to Manage UniFi Identity Enterprise Users and tick Profile and Lifecycle Management.
- Set When a User Is Deactivated in AD/LDAP to Do Nothing or Deactivate the user in Identity Enterprise.
- Set When a User Is Reactivated in LDAP to Reactivate the Identity Enterprise User if Their Status Is Suspended or Reactivate the Identity Enterprise User if Their Status Is Deactivated.
- Click Save Changes.
Sync AD/LDAP Users to Identity Enterprise Groups
Once Profile and Lifecycle Management is enabled, you can then add user import rules to sync AD/LDAP users to specified Identity Enterprise groups.
- Go to your Identity Enterprise Manager > Organization > Directory Integration > Directory, and select a directory server.
- Go to Settings > User Import Rules and click Add Rule.
- Enter the rule name, set the conditions, and add Identity Enterprise groups.
- Click Save.
Enable Import Safeguard
Once enabled, the user import feature will be suspended if the number of deactivated users in any import task exceeds the specified percentage. This prevents accidental user deactivation. Admins can resume this feature at any time.
- Go to your Identity Enterprise Manager > Organization > Directory Integration > Directory, and select a directory server.
- Go to Provisioning > Import Safeguard > Suspend User Import Feature, tick When Any Import Task's Ratio of Deactivated Users Exceeds __ %, and specify a percentage.
- Click Save Changes.
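
To help choose the safeguard percentage, this added example (not UniFi code) compares two exported AD snapshots and reports the share of users an import would newly deactivate. It assumes AD's `userAccountControl` attribute and assumes the ratio is newly disabled users divided by users in the import, since this page does not state the exact calculation; the function names and sample data are constructed.

```python
# Added example: pre-check a directory change against an import safeguard threshold.
ACCOUNTDISABLE = 0x0002  # AD userAccountControl bit: account is disabled


def is_disabled(uac):
    """True if a userAccountControl value has the ACCOUNTDISABLE bit set."""
    return bool(int(uac) & ACCOUNTDISABLE)


def safeguard_precheck(previous, current, threshold_pct):
    """Compare two {sAMAccountName: userAccountControl} snapshots.

    Assumption: ratio = newly disabled users / users in the current import.
    Users missing from the current snapshot are listed separately for review,
    because this page does not say how removed entries are treated.
    """
    deactivated = sorted(
        name for name, uac in current.items()
        if is_disabled(uac) and name in previous and not is_disabled(previous[name])
    )
    missing = sorted(set(previous) - set(current))
    # An empty import has no ratio to compute; report 0 rather than divide by zero.
    ratio_pct = 100.0 * len(deactivated) / len(current) if current else 0.0
    return {
        "deactivated": deactivated,
        "missing": missing,
        "ratio_pct": ratio_pct,
        "would_suspend": ratio_pct > threshold_pct,  # "exceeds", so strictly greater
    }


# Constructed snapshots: 512 = enabled, 514 = disabled,
# 66048 / 66050 = the same pair with "password never expires" set.
PREVIOUS = {"alice": "512", "bob": "512", "carol": "512",
            "dave": "514", "erin": "66048", "frank": "512"}
CURRENT = {"alice": "512", "bob": "514", "carol": "514",
           "dave": "514", "erin": "66050"}

if __name__ == "__main__":
    report = safeguard_precheck(PREVIOUS, CURRENT, threshold_pct=20)
    print(report)
```

A high ratio from a pre-check like this usually points to a changed search base or filter rather than real offboarding, which is the case the safeguard is meant to catch.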
Manage Attribute Mapping
Attribute Mapping aligns user properties from AD/LDAP to Identity Enterprise. This ensures that user data, such as names, job titles, employee IDs, and phone numbers, is accurately synced to Identity Enterprise for streamlined profile management.
- Go to your Identity Enterprise Manager > Organization > Directory Integration > Directory, and select a directory server.
- Go to Provisioning > Identity Enterprise Attribute Mapping, click the ellipsis beside an attribute, and select an action:
  - Edit Mapping: Change the attribute value as needed and click Save.
  - Remove Mapping: Confirm to Remove the mapping between AD/LDAP and Identity Enterprise.
- Click Save Changes.