When you configure the connection to your enterprise Active Directory or LDAP directory in the Workspace ONE Access console, you specify the users and groups to sync to Workspace ONE Access. You initially specify users and groups when you create a directory. Later, you can view and modify the users and groups from the Sync Settings > Users and Sync Settings > Groups tabs.

Keep the following considerations in mind while adding groups:

  • As a best practice, add and sync only a few groups while creating the directory. After the initial setup, you can add more groups.
  • When you add groups and sync them, only group names are synced to the directory. Users that are members of the group are not synced to the directory until the group is entitled to an application or the group name is added to an access policy rule.
    Note: You can override this restriction by selecting the Sync group members to the directory when adding group option in the Settings > Login Preferences page.
  • (Active Directory) When you sync a group, any users that do not have Domain Users as their primary group in Active Directory are not synced.
  • (LDAP Directory) If you have multiple groups with the same name in your LDAP directory, you must specify unique names for them in the groups section.

Keep the following considerations in mind while adding users:

  • Because members in groups do not sync to the directory until the group is entitled to applications or added to an access policy rule, add all users who need to authenticate before group entitlements are configured.
  • The Bind user that you specified in the Bind User Details section of the directory is not synced to the Workspace ONE Access service by default. If you want to sync the Bind user, enter the Bind user DN in the users section. After the directory is synced, you can set the role for the Bind user if required.

Procedure

  1. To navigate to the users and groups pages, choose from the following options.
    • If you are adding users and groups while creating the Workspace ONE Access directory, proceed to the Sync groups section of the wizard.
    • If you are adding or modifying users and groups after creating the Workspace ONE Access directory:
      1. Select Integrations > Directories.
      2. Click the directory you want to update.
      3. Select the Sync Settings > Groups tab.

        You can see the group DNs that you added previously as well as the groups selected for sync under each group DN.

  2. Select the groups to sync from your enterprise directory to the Workspace ONE Access directory.
    To select groups, specify one or more group DNs and select the groups under them.
    1. Click Add.
    2. In the Create Group dialog box, enter the top-level group DN, then click Add.
      For example, specify CN=users,DC=example,DC=company,DC=com.
      Tip: Entering a high-level DN such as the Base DN to search under is not recommended, as search will take a long time. Try to enter a more specific DN to search under.
      Important: Specify group DNs that are under the Base DN that you entered in the Base DN text box for the directory. If a group DN is outside the Base DN, users from that DN will be synced but will not be able to log in.
    3. If you want to select all the groups under the group DN you added, select the Select all check box.
      For example:
      The Select all option is selected for the top-level group CN=Users,DC=example,DC=com.
      If groups are added to or deleted from the group DN in the enterprise directory after the Workspace ONE Access directory is created, the changes are reflected in subsequent syncs.
    4. If you want to select specific groups under the group DN instead of selecting all of them, click Select Groups, make your selections, and click Save.
      The Select Groups option is selected for the top-level group CN=Users,DC=example,DC=com.
      You can view the group mappings in the Mapped Group Results section.
    5. Select or deselect the Sync nested group members check box, as needed.
      The Sync nested group members check box is selected by default. When this check box is selected, all the users that belong directly to the group you select as well as all the users that belong to nested groups under it are synced when the group is entitled. Note that the nested groups are not synced; only the users that belong to the nested groups are synced. In the Workspace ONE Access directory, these users will be members of the parent group that you selected for sync.

      If the Sync nested group members check box is not selected, when you specify a group to sync, all the users that belong directly to that group are synced but users that belong to nested groups under it are not synced. Deselecting this option is useful for large directory configurations where traversing a group tree is resource and time intensive. If you deselect this option, ensure that you select all the groups whose users you want to sync.

    6. Click Save in the Groups section.
  3. Navigate to the users page.
    • If you are adding users and groups while creating the directory, proceed to the Sync users section of the wizard.
    • If you are adding or modifying users and groups after creating the directory, go to the directory's Sync Settings > Users tab.
  4. Select the users to sync from your enterprise directory to the Workspace ONE Access directory.
    1. Click Add, enter the user DN, then click Add.
      For example, specify CN=username,CN=Users,OU=Sales,DC=example,DC=com.
      ""
      Important: Specify user DNs that are under the Base DN that you entered in the Base DN text box in the Add Directory page. If a user DN is outside the Base DN, users from that DN will be synced but will not be able to log in.
      To check if the user DN is valid and to see the number of users that will be synced, click the Test button in that row.
      ""
    2. Specify filters to include or exclude users from the DNs, if needed.
      See Specifying Filters for Directory Sync in Workspace ONE Access for information.
  5. Save your changes.