In order to participate in the initial import process, an identity must meet both of these criteria:
- The identity must be included in the import tables. If your identity information is distributed across several authentication providers or user registries, extract information from each source and then combine the resulting sets of tables into one set of canonical tables.
  To limit the import tables, you can perform these tasks:
  - Define a starting point. For example, when you extract identity information from Active Directory, you specify a Distinguished Name as the starting point. Only identities that exist below that Distinguished Name in the Active Directory hierarchy are extracted.
  - Define filters. For example, when you extract identity information from Active Directory, you can use a filter to extract entries only for people who are members of a particular group.
  - Make manual changes to the import tables.
- The identity must not already exist in the SAS environment. You can't import an identity that has the same name as an identity that already exists in the metadata.
CAUTION: Do not delete existing SAS identities in order to include them in an initial import. When you delete a SAS identity, you lose that identity's associations (such as access controls). Creating a new identity with the same name does not restore those associations.
You can incorporate a manually created identity into the synchronization process. To do this, add an external identity on the General tab of that identity's metadata definition.
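The two criteria above can be checked as a dry run before any import. The following is an added example, not SAS code and not part of the original documentation. The function names, table layout and sample rows are hypothetical, and it assumes that names are compared case-insensitively and that a name appearing in two sources is kept only once.

```python
import re

def rdns(dn):
    # Split on commas that are not backslash-escaped (simplified DN parsing).
    return [p.strip().lower() for p in re.split(r"(?<!\\),", dn) if p.strip()]

def is_below(dn, base_dn):
    # True only for entries strictly below the starting point.
    entry, base = rdns(dn), rdns(base_dn)
    return bool(base) and len(entry) > len(base) and entry[-len(base):] == base

def build_import_table(extracts, existing_names):
    """Combine per-source extracts into one table; return (accepted, rejected)."""
    existing = {n.lower() for n in existing_names}  # assumption: case-insensitive names
    accepted, rejected = {}, []
    for ex in extracts:
        for row in ex["rows"]:
            key = row["name"].lower()
            if not is_below(row["dn"], ex["base_dn"]):
                reason = "outside starting point"
            elif ex["group"] not in row["groups"]:
                reason = "not in filter group"
            elif key in existing:
                reason = "already exists in metadata"
            elif key in accepted:
                reason = "same name already taken from " + accepted[key]["source"]
            else:
                accepted[key] = {**row, "source": ex["source"]}
                continue
            rejected.append((ex["source"], row["name"], reason))
    return accepted, rejected

def row(name, dn, *groups):
    return {"name": name, "dn": dn, "groups": list(groups)}
# Constructed sample data: two sources and one identity already in metadata.
EXTRACTS = [
    {"source": "ad", "base_dn": "OU=Analytics,DC=example,DC=com", "group": "sas-users",
     "rows": [row("alice", "CN=Alice,ou=analytics,DC=example,DC=com", "sas-users"),
              row("bob", "CN=Bob,OU=Sales,DC=example,DC=com", "sas-users"),
              row("carol", "CN=Carol,OU=Analytics,DC=example,DC=com", "hr"),
              row("sasadm", "CN=SAS Admin,OU=Analytics,DC=example,DC=com", "sas-users")]},
    {"source": "ldap", "base_dn": "ou=people,dc=example,dc=org", "group": "sas-users",
     "rows": [row("Alice", "uid=alice,ou=people,dc=example,dc=org", "sas-users"),
              row("dave", "uid=dave,ou=staff,ou=people,dc=example,dc=org", "sas-users")]},
]
EXISTING = ["sasadm"]
if __name__ == "__main__":
    accepted, rejected = build_import_table(EXTRACTS, EXISTING)
    print(sorted(accepted), *rejected, sep="\n")
```

The rejected list shows which identities would be left out of the initial import and why, so a name collision with an existing identity is caught before anyone is tempted to delete that identity.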