Product: OneSync
Audience: ClassLink Administrator
Overview
All Destinations
Username Generation
Certain destination mappings, marked as Unique, must be unique for each individual user. These include the following fields:
- Active Directory: sAMAccountName, userPrincipalName
- GSuite: primaryEmail
- Azure: userPrincipalName
If multiple users might have identical mappings for these fields, you can provide username generation rules that will map alternate values for those fields in case of conflicts. You can navigate to this module by clicking the button next to the desired mapping. To change the priority of any alternate mapping, you can click the up and down arrows. The Default mapping is highest priority. The 1st alternate is next highest priority, etc.
Configure Username Resolutions
Settings to handle username conflicts have now be added to a separate slideover tab in Advanced Settings. This new tab now has four settings for each username-type per destination:
- Auto-resolve non-unique username conflicts?: Enabling this setting will auto-resolve non-unique username conflicts.
- Resolve username conflicts with (at minimum) how many digits?: The minimum number of digits to resolve usernames to (i.e. 2 digits will resolve usernames like so: example01, example02, as opposed to example1, example2).
- Start auto-resolve from which number?: The starting number for auto-incrementation on the username.
- Increment all users' usernames?: Enabling this setting will auto-increment every username starting with the specified number.
- Cross-Domain Uniqueness: This setting can help prevent duplicate usernames across different domains and destinations. For each username type in a destination, you can set uniqueness checks in the Username Settings menu in the Cross-Domain Uniqueness tab. For example, in a GSuite destination, you can check that the primaryEmail for each user does not match any usernames in an Active Directory destination. You can check against sAMAccountName, userPrincipalName, or both. If a match is found between the two destinations, the export will fail to prevent duplicate usernames between the two destinations. If no match is found, the export will succeed. If multiple checks are added, the export will fail if a duplicate is found for at least one check.
To navigate to this tab, go to your destination's Advanced Settings tab, then click the blue "Configure" button.
Mapping Overrides
To prevent subsequent syncs from overwriting previously exported data of a specific mapping, you can click the arrows between OneSync and destination mappings to set override settings for that specific mapping. Current settings include: always map and only map when adding user. These settings can be applied to default mappings and custom mappings. In addition, toggles with the same functionality are available for enabling or disabling overrides for user account controls in Active Directory destinations.
Custom Attributes
To map to a custom attribute or property in a destination, you can first set your own attribute with the Default Mappings tab of a destination, above the destination fields. This attribute will then appear in mappings in the Default Mappings and Custom Mappings dropdowns.
For more information on GSuite custom attributes. click here.
Nightly Sync
Nightly sync is a new toggle setting in all destinations. Enabling this setting will instruct OneSync to re-evaluate collection memberships for the desired destination at midnight every night. In other words, it will double-check that a destination's collections contain the correct set of users based on the collection's conditions. After re-evaulating, Nightly Sync will queue any applicable users that meet the collections' conditions at midnight or were missed by previous exports.
This new setting can be used in conjunction with the Current_Date function to perform delayed actions based on a specific date. If you have a user property defined as a date, you can set a date-based condition using a "greater than" or "less than" relation, and the Current_Date as a value. If Nightly Sync is enabled for a destination, then any destinations using conditions with Current_Date will be re-evaluated based on the new current date at midnight.
Note: To enable this setting, navigate to the desired destination. The toggle is located in the first tab, Destination Details.
Advanced Settings for all Destination Types
- On disable action, disable users in destination?: Enabling this setting will disable users in this destination when they are disabled in OneSync. Otherwise, the user's status will remain enabled.
- On disable action, remove a user from all groups in this destination?: Enabling this setting will remove a user from all groups in this destination when they are disabled in OneSync. Otherwise, the user will remain in the group once disabled.
- Enable duplicate account prevention?: When enabled, you can select destination fields. If an exported user's fields match exactly with an existing user, the export will fail. This is meant to deter the creation of duplicate accounts and needless incrementation. Users of exports that fail in this fashion most likely have a counterpart in the destination already based on the selected fields, and can be linked together via Correlation. It is not advised to select any type of username as criteria for this setting since the exported user's username would be automatically incremented, and so wouldn't match any destination user's usernames.
- Re-create Users with broken OneSync links?: If a user was previously created but currently does not exist in the destination, this setting will tell the export functionality to automatically break the user-destination link (without using correlation) and re-create the user.
Active Directory
-
Advanced AD Fields: You can choose to display or hide more obscure, advanced AD fields in Default and Custom Mappings. Simply click the toggle in the upper right corner of both tabs.
- Advanced Settings for Active Directory Destinations
- Truncate sAMAccountNames longer than 20 characters?: When enabled, this option will allow you to truncate or trim sAMAccountNames to 20 characters or less. Otherwise, sAMAccountNames can have up to 64 characters. This option's default setting is disabled. If the truncated sAMAccountName already exists inside of your destination, OneSync will attempt to increment the truncated string if the "Auto-resolve non-unique sAMAccountName conflicts?" option is enabled. The incremented sAMAccountName will also be 20 characters or less.
- Set passwords before adding users to groups?: Since the order of account creation matters if you are using advanced password policies associated with specific groups, you can now select "set passwords before adding users to groups" if your default domain policy is more lenient than that which is applied to the user's groups and you'd like to assign a lenient password to the accounts.
GSuite
- Active Directory/GSuite Password Synchronization: OneSync does not currently offer the ability to sync passwords from Active Directory to GSuite. However, Google offers a tool to sync passwords which can be found here.
- Google Cloud Directory Sync (GCDS): Google offers a tool to sync your Active Directory and GSuite accounts. Click here for more information.
CSV Destinations
- Advanced Settings for CSV Destinations
- On disable action, delete user row from CSV?: Enabling this setting will delete a user and its properties from the CSV when that user is disabled. Disabling this setting will create an "Enabled" column in the CSV. Disabled users will then have this "Enabled" property set to "False" if they are disabled. When this setting is disabled, it will not bring back deleted users. These users must be Enabled and then re-exported back to the destination.
Updated: Mar 2019