Synchronizing the Users List
The Imprivata users list is a partial mirror of the user lists in the directory servers from which they were imported. Synchronizing the Imprivata database updates the list of users in the Imprivata Admin Console to match the list of users in the selected directory server. New user accounts are added, obsolete user accounts are removed from the users list, and preexisting user accounts are updated with any changed information.
To synchronize to a user directory that is not yet an Imprivata domain, see Adding a Network Domain.
Imprivata Enterprise Access Management (formerly Imprivata OneSign) does not support synchronizing Microsoft Active Directory Universal Groups.

Creating Imprivata user accounts starts with a three-step process to set the connection and authorization parameters. You can then synchronize the database immediately, or save the settings for automated synchronization.
To synchronize to an existing Imprivata domain:
- Click Synchronize on the Users page. The Synchronize window opens.
- Select the domain or file that holds the user records and click Next.
- NOTE: If the source domain is not listed, click Add New Domain.
- Select the users to be imported:
- All users in this domain: synchronizes all users in the selected domain.
- Only users in select organizational units: limits the synchronization to specific organizational units (OUs) or groups.
- Select Only users in select organizational units and then click Select OUs…. The Select OUs window opens.
The Select OUs window includes a drop-down list that enables you to control how new OUs are synchronized across the entire domain. You can select one of the following options:
- New OUs will not be automatically selected — When selected, new OUs are not automatically selected if their parent OU is selected.
- New OUs will be selected if their parent is selected — When selected, new child OUs will be automatically selected if their parent OU is selected.
- Only users in select groups: allows you to choose typical or limited user synchronization.
- Limited synchronization allows you to select elements of an exceptionally large domain structure, and should only be used with the guidance of Imprivata Services or Support, since it can affect other EAM functionality.
- CAUTION: Imprivata Enterprise Access Management (formerly Imprivata OneSign) does not support synchronizing Microsoft Active Directory Universal Groups.
- Set a user status rule: select Set user status manually to set it yourself or select Set user status to match directory status to have the user status automatically reflect the user status in the user directory. This information is updated whenever the user list is synchronized with the domain.
- Assign user policy, enabled status, and other settings to be applied to new users that come in with this synchronization. You can apply one policy for most users, and a different policy for selected groups or OUs by using the Except feature. You can add as many exceptions as you like. Policies of existing users are unaffected.
- If you need to generate email addresses for users who do not have them, select Auto Generate Email Address?
- NOTE: Remember that each enabled user counts toward the license limit. If you have too many users, they all come in disabled. After importing, enable them individually up to the limit of your license. You can import by groups until you reach your license limit. See About Imprivata Licensed Features.
- By default, only name and email details about users are imported. You can import additional user details for use in reports.

To import additional user attributes:
- While synchronizing users from a domain, click the Add button in the Extended User Attributes section. A three-field map opens.
- In the Extended User Attribute Name field, enter the name of the information in the source directory.
- In the Imprivata Meaning field, enter the Imprivata attribute that maps to the Extended User Attribute.
- The label that will appear in the Users list is automatically filled in with the Imprivata Meaning value, but you can make edits.
- To map additional attributes, click Add and repeat as needed.

If the parameters you set for a synchronization will be used regularly, you can automate them. You can save the settings and schedule the synchronization to occur at a later time. To synchronize right now, skip to Previewing the Synchronization.
To schedule this synchronization:
- Select the Automate Synchronization? option. Exceptions and scheduling parameters are displayed.
- You can skip the synchronization if any or many user accounts will be deleted, and you can program an event notification to inform you of the occurrence. Select the options if this is a concern.
- On the next line select the frequency and time of the synchronization process. You can schedule any domain for up to one synchronization daily. Multiple domains can be scheduled for synchronization on the same day, but not at the same hour.
- Click Preview Users to continue, or click Synchronize Now to continue without a preview, or click Save to save these settings without performing the synchronization.
- BEST PRACTICE: Preview the synchronization before running or scheduling it.
At the assigned time, the database connection is made and the database is synchronized. If the connection cannot be made, then the synchronization fails. It will try again at the next scheduled synchronization time.

Preview the synchronization before running or scheduling it. This allows you to verify your expected result when the Imprivata database synchronizes with the directory server:
- Click Preview Users to see a list of user accounts to be added.
- NOTE: If you specified any groups or changed the specified groups, preview the Users To Be Removed tab to ensure user accounts are not deleted inadvertently.
- Either click Synchronize Now to continue, or click Save to save these settings without performing the synchronization.

After you preview the synchronization, click Synchronize Now. All users in the user directory are matched against the Imprivata database. New records are created for those that are not already in the Imprivata database. Users that are no longer in the directory are removed from the user list, and preexisting user accounts are updated.
NOTE: Depending on the connection and the number of users being imported, this step can take five minutes or more.
- If Imprivata cannot connect to the user directory, then the synchronization fails; it will retry the connection at the next scheduled synchronization time.
- If one or more synchronized OUs are moved or removed from the user directory but are not updated in the Select OUs window, then the synchronization will not run. The deleted groups are displayed in a dialog that allows you to update the Imprivata database and continue with the synchronization.
- If one or more synchronized groups are moved or removed from the user directory but are not updated in the Remove groups window, then the synchronization will not run. The deleted groups are displayed in a dialog that allows you to update your Imprivata database and continue with the synchronization.
When the operation is finished, the updated Users list is displayed.

When synchronizing with any directory server:
- Users who are new to the user directory and are not yet in the Imprivata database are added to the database.
- Users who are deleted from the user directory but who still have Imprivata accounts are removed from the Imprivata database.
- Users who are added to the Imprivata database but who no longer exist in the user directory are removed from the Imprivata database.
- Users who are deleted from the Imprivata database but who still exist in the user directory are added to the Imprivata database.
- User first name, last name, and email address information is updated on the Imprivata database.
- User email addresses that were entered since the last synchronization are overwritten by email address information in the AD record, if present.
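
The matching rules in this list, together with the option to skip a scheduled run when accounts would be deleted, can be modelled offline to reason about what a synchronization will remove before it runs. The following is an added example, not Imprivata code or an Imprivata API: the `User` record, the `preview_sync` function, the `max_deletions` threshold and matching accounts by username are assumptions made for illustration, and the sample data is constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    first: str
    last: str
    email: str = ""  # empty string: the record carries no email address

def preview_sync(directory, imprivata, max_deletions=None):
    """Compare a directory snapshot with the Imprivata users list.

    Both arguments are dicts keyed by username (an assumption of this model).
    max_deletions is a hypothetical stand-in for the skip-on-deletion option:
    0 skips the run on any deletion, a larger value only on many deletions.
    """
    to_add = sorted(directory.keys() - imprivata.keys())
    to_remove = sorted(imprivata.keys() - directory.keys())
    to_update = {}
    for name in sorted(directory.keys() & imprivata.keys()):
        src, cur = directory[name], imprivata[name]
        # Name fields follow the directory; the directory email overwrites
        # the Imprivata one only when the directory record has an email.
        merged = User(src.first, src.last, src.email or cur.email)
        if merged != cur:
            to_update[name] = merged
    skip = max_deletions is not None and len(to_remove) > max_deletions
    return {"add": to_add, "remove": to_remove, "update": to_update, "skip": skip}

# Constructed sample data, not taken from any real directory.
DIRECTORY = {
    "asmith": User("Alice", "Smith", "alice.smith@example.org"),
    "bjones": User("Bob", "Jones"),                       # no email in directory
    "cnguyen": User("Chi", "Nguyen", "chi@example.org"),  # new to the directory
}
IMPRIVATA = {
    "asmith": User("Alice", "Smyth", "a.smith@old.example.org"),
    "bjones": User("Bob", "Jones", "bob@example.org"),    # email entered by hand
    "dlee": User("Dana", "Lee", "dana@example.org"),      # gone from directory
    "epark": User("Eun", "Park", "eun@example.org"),      # gone from directory
}

if __name__ == "__main__":
    for guard in (None, 0, 5):
        print(guard, preview_sync(DIRECTORY, IMPRIVATA, max_deletions=guard))
```

Changing the selected OUs or groups shrinks the directory side of this comparison, which is why every account outside the new selection lands in the removal set.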