HP Identity Driven Manager Software Licenses User Manual
Page 60
2-38
Getting Started
User Session Information
An Access Policy Group is created for each selected Active Directory
group, and all users that belong to the selected groups will be imported
from the Active Directory server. into the appropriate Access Policy
Group. Changes to users in the selected groups will be imported (synchro-
nized) as long as the Active Directory Synchronization is enabled.
Operating Notes:
■
If a user belongs to more than one Active Directory group, the user is
imported into the IDM Access Policy Group with the highest priority
(set in User Directory Settings Preferences).
■
If an Active Directory group is deleted while Active Directory
synchronization is enabled, the associated Access Policy Group is
deleted. If that group is the priority IDM Access Policy Group for a
user who belongs to more than one Active Directory group, the user
is automatically reassigned to the next highest priority Access Policy
Group. Users who do not belong to more than one Active Directory
group are reassigned to the default Access Policy Group for the
Realm.
■
If an Active Directory group is deleted while Active Directory
synchronization is disabled, the associated Access Policy Group is
NOT deleted when synchronization is enabled. However, all users will
be reassigned to other groups (next highest priority or default Access
Policy Group for the Realm) as part of the resynchronization process.
■
Users deleted from Active Directory while synchronization is
disabled are assigned to the default Access Policy group during the
resynchronization process (instead of being deleted). This prevents
users who were added by another method from being deleted.
■
Within a Realm, Access Policy Group names must be unique. If Access
Policy Groups are being created manually within the same Realm, use
naming conventions to ensure these names do not conflict with Active
Directory group names.
■
Performance for the import from Active Directory to IDM varies
depending on your environment. Using a 1.86 GHz processor with
2MB RAM, importing 20,000 Active Directory users in 75 groups takes
approximately 65 minutes. A similar test that imported 10,000 of
20,000 users by selecting 2 of the 75 groups completed in 30 minutes.
■
Once the initial synchronization is completed, IDM monitors all
changes to the Active Directory which much less system resources.
If Active Directory synchronization is disabled or IDM is restarted, all
groups must be resynchronized.