In the VMware Identity Manager service, users and groups are identified uniquely by both their name and domain. This allows you to have multiple users or groups with the same name in different Active Directory domains. User names and group names must be unique within a domain.

User Names

The VMware Identity Manager service supports having multiple users with the same name in different Active Directory domains. User names must be unique within a domain. For example, you can have a user jane in domain eng.example.com and another user jane in domain sales.example.com.

Users are identified uniquely by both their user name and domain. The userName attribute in VMware Identity Manager is used for user names and is typically mapped to the sAMAccountName attribute in Active Directory. The domain attribute is used for domains and is typically mapped to the canonicalName attribute in Active Directory.

During directory sync, users that have the same user name but different domains are synced successfully. If there is a user name conflict within a domain, the first user is synced and an error occurs for subsequent users with the same user name.

Note:

If you have an existing VMware Identity Manager directory in which the user domain is incorrect or missing, check the domain settings and sync the directory again. See Sync Directory to Correct Domain Information.

In the admin console, you can identify users uniquely by both their user name and domain. For example:

  • In the Dashboard tab Users and Groups column, users are listed as user (domain). For example, jane (sales.example.com).

  • In the Users & Groups tab, Users page, the DOMAIN column indicates the domain to which the user belongs.

  • Reports that display user information, such as the Resource Entitlements report, include a DOMAIN column.

When end users log in to the user portal, on the login page they select the domain to which they belong. If multiple users have the same user name, each can log in successfully using the appropriate domain.

Note:

This information applies to users synced from Active Directory. If you use a third-party identity provider and have configured Just-in-Time user provisioning, see Just-in-Time User Provisioning for information. Just-in-Time user provisioning also supports multiple users with the same user name in different domains.

Group Names

The VMware Identity Manager service supports having multiple groups with the same name in different Active Directory domains. Group names must be unique within a domain. For example, you can have a group called allusers in the domain eng.example.com and another group called allusers in the domain sales.example.com.

Groups are identified uniquely by both their name and domain.

During directory sync, groups that have the same name but different domains are synced successfully. If there is a group name conflict within a domain, the first group is synced and an error occurs for subsequent groups with the same name.
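The following Python example is added here and is not VMware code. It models the sync rule described above for both user names and group names, so a directory export can be checked for within-domain conflicts before a sync. The record layout, the function names, the case-insensitive comparison, and processing in input order are assumptions, and the sample records are constructed.

```python
from collections import defaultdict

# Constructed sample records (not from a real directory): kind, name, domain, DN.
SAMPLE = [
    ("user", "jane", "eng.example.com", "CN=Jane A,OU=Eng,DC=eng,DC=example,DC=com"),
    ("user", "jane", "sales.example.com", "CN=Jane B,OU=Sales,DC=sales,DC=example,DC=com"),
    ("user", "Jane", "sales.example.com", "CN=Jane C,OU=Temp,DC=sales,DC=example,DC=com"),
    ("group", "allusers", "eng.example.com", "CN=allusers,OU=Groups,DC=eng,DC=example,DC=com"),
    ("group", "allusers", "sales.example.com", "CN=allusers,OU=Groups,DC=sales,DC=example,DC=com"),
]

def identity_key(kind, name, domain):
    # Assumption: names and domains compare case-insensitively,
    # as sAMAccountName does in Active Directory.
    return (kind, name.casefold(), domain.casefold())

def simulate_sync(records):
    """Apply the first-wins rule; return (synced, errors, shared_names)."""
    synced, errors = {}, []
    for kind, name, domain, dn in records:  # assumption: input order is sync order
        key = identity_key(kind, name, domain)
        if key in synced:
            # Same name in the same domain: the first entry stays, this one errors.
            errors.append({"key": key, "rejected": dn, "kept": synced[key]})
        else:
            synced[key] = dn
    # Names that are valid in several domains. Anything downstream that looks
    # up accounts by name alone would conflate these identities.
    domains_by_name = defaultdict(set)
    for kind, name, domain in synced:
        domains_by_name[(kind, name)].add(domain)
    shared = {k: sorted(v) for k, v in domains_by_name.items() if len(v) > 1}
    return synced, errors, shared

if __name__ == "__main__":
    synced, errors, shared = simulate_sync(SAMPLE)
    for e in errors:
        print("conflict:", e["key"], "rejected:", e["rejected"], "kept:", e["kept"])
    for (kind, name), domains in shared.items():
        print(f"{kind} '{name}' exists in {domains}; always reference it with its domain")
```
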

In the admin console Users & Groups tab, on the Groups page, Active Directory groups are listed by their group name and domain. This lets you distinguish between groups that have the same name. Groups that are created locally in the VMware Identity Manager service are listed by the group name, and their domain is listed as Local Users.