When a scheduled or manual synchronization is run, LDAP will gather updated information from Microsoft Active Directory, import it into GE Digital APM, and update the corresponding Security User records. When the synchronization process is run, GE Digital APM Security User properties and status will be updated to reflect the last saved information in Microsoft Active Directory.
Note: To ensure that your GE Digital APM system is in sync with the Microsoft Active Directory system, schedule the synchronization process to run on a frequent basis (every hour or more).
The synchronization process will import to GE Digital APM only the changes (i.e., new users and updated information) that have been made in Microsoft Active Directory since the last synchronization ran, based on the Last Execution date in the job schedule item. Because only changes are imported to GE Digital APM, the more often you run the synchronization process, the faster it will be (i.e., the fewer the changes, the faster the process). If you need to perform a full update in GE Digital APM, you will need to delete and recreate the scheduled item to clear the Last Execution date. Performing a full synchronization will take longer than performing an update synchronization.
The GE Digital APM system will retrieve the information for the Microsoft Active Directory users associated with the Microsoft Active Directory domains that have been defined in GE Digital APM. The corresponding Security User records will be updated. Fields in GE Digital APM will be updated with the information in Microsoft Active Directory using LDAP Field Mapping records.
If the GE Digital APM system finds a user in Microsoft Active Directory who does not have a corresponding Security User record in GE Digital APM:
A Security User record will be created in the GE Digital APM database.
The Security User record will be linked to the Domain record that identifies the Microsoft Active Directory domain in which the user exists.
The Security User will be associated with each GE Digital APM Security Role whose name matches exactly the name of a Microsoft Active Directory Group to which that user belongs.
The Security User will be removed from each GE Digital APM Security Role whose name does not match exactly the name of a Microsoft Active Directory Group to which that user belongs.
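The role-matching rules above can be checked before a synchronization runs. The following sketch is an added example, not GE Digital APM code: it computes which roles a user would gain or lose and flags Active Directory groups that differ from a role name only in case or spacing, which therefore map to nothing. The function names and sample data are constructed, and treating "matches exactly" as case-sensitive string equality is an assumption.

```python
# Added example: models the role-reconciliation rule described above.
# All names and sample data are constructed; this is not GE Digital APM code.

def normalize(name):
    """Loose form of a name, used only to spot near-miss spellings."""
    return " ".join(name.split()).casefold()

def reconcile_roles(ad_groups, apm_roles, current_roles):
    """Return (to_add, to_remove, near_misses) for one user.

    ad_groups     -- names of the AD groups the user belongs to
    apm_roles     -- names of all Security Roles defined in APM
    current_roles -- roles the user holds before synchronization
    Assumption: "matches exactly" means case-sensitive string equality.
    """
    ad_groups, apm_roles = set(ad_groups), set(apm_roles)
    current_roles = set(current_roles)
    target = apm_roles & ad_groups        # roles with an identically named group
    to_add = target - current_roles
    to_remove = current_roles - target    # includes manually granted roles
    # Index the unmatched roles by their loose form.
    loose = {}
    for role in apm_roles - target:
        loose.setdefault(normalize(role), []).append(role)
    # A group that matches a role only loosely grants nothing under the exact rule.
    near_misses = sorted(
        (group, role)
        for group in ad_groups - apm_roles
        for role in loose.get(normalize(group), [])
    )
    return sorted(to_add), sorted(to_remove), near_misses

# Constructed sample input
SAMPLE_ROLES = ["Inspection Planner", "Reliability Admin", "Security Admin"]
SAMPLE_GROUPS = ["Inspection Planner", "reliability admin", "Domain Users"]
SAMPLE_CURRENT = ["Security Admin"]

if __name__ == "__main__":
    add, remove, near = reconcile_roles(SAMPLE_GROUPS, SAMPLE_ROLES, SAMPLE_CURRENT)
    print("add:", add)
    print("remove:", remove)
    for group, role in near:
        print(f"near miss: group {group!r} does not map to role {role!r}")
```

In the sample, the manually granted role is removed because no identically named group exists, and the lowercase group grants nothing.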
GE Digital APM Security Users are authenticated at log-in. In addition to validating status for a user (whether the Active check box is selected in the Security User record for that user), at log-in, the GE Digital APM system initializes all the information and permissions for that user. If any of that information changes while the Security User is logged in to the GE Digital APM system, those changes will not be reflected immediately. The changes will not take effect until the user logs out of GE Digital APM and then logs back in. This behavior applies to changes made manually and automatically through the LDAP synchronization process. In other words, regardless of when or how often the LDAP synchronization process runs, changes made to a user account will not be applied until the next time a user logs in to the GE Digital APM system.