Overview
This document defines the expected behavior when syncing users and groups via SCIM into an account where users and groups are already configured, either via LDAP or manually.
Environment
- LDAP + SCIM Directory Services
Importing user groups via SCIM
The following scenarios describe what is expected when importing users/groups to Cato via SCIM. A few facts before diving in:
- User groups can be imported either via LDAP or via SCIM. They can include SDP users or User Awareness users. See Working with User Groups.
- User Awareness does not work via SCIM and can work only with on-prem directory services via LDAP.
- If both SCIM and LDAP are configured in the account, SCIM takes precedence and overrides LDAP (LDAP sync for SDP users is therefore disabled).
Scenario 1: SCIM group overrides LDAP group (SDP users)
- LDAP groups for SDP users are synced in the account.
- Enable SCIM in the account.
- Assign Active Directory groups and users using SCIM. Start provisioning.
- SCIM groups override LDAP groups with the same name.
- SDP users are now SCIM-defined.
Scenario 2: SCIM group overrides User Awareness Group
- LDAP groups for User Awareness are synced in the account.
- Enable SCIM in the account.
- Assign Active Directory groups and users using SCIM. Start provisioning.
- SCIM groups override User Awareness groups with the same name.
- Both SCIM-defined SDP users and UA users remain in the same SCIM group.
Scenario 3: SCIM group overrides LDAP group containing SDP users and User Awareness users
- LDAP groups for SDP users are synced in the account.
- The same LDAP group is synced for User Awareness.
- Enable SCIM in the account.
- Assign Active Directory groups and users using SCIM. Start provisioning.
- SCIM groups override LDAP groups with the same name.
- Both SCIM-defined SDP users and UA users remain in the same SCIM group.
Scenario 4: SCIM-provisioned user overrides manually created user
- An SDP user is manually configured in the account.
- Enable SCIM in the account.
- Provision, via SCIM, a group that contains a user with the same email address as the manually created user.
- The SCIM-defined user overrides the manually created user.
Note: It is possible to revert to LDAP and disable SCIM. In that case, the users that were modified by SCIM are modified by LDAP again, and the LDAP sync alerts on the changes it applies. Remember that SCIM will override these users again if it is re-enabled.
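The precedence rules in the scenarios and note above (SCIM over LDAP, either directory source over manually created objects, and LDAP taking objects back once SCIM is disabled), as an added example that is not Cato's own code: a constructed Python model in which every group and user records the source that owns it, a sync from a lower-precedence source is skipped while a higher one is enabled, and existing group members such as User Awareness users are kept when SCIM takes a group over. Source names, the `Account` class and its methods are assumptions for the model.

```python
from dataclasses import dataclass, field

# Precedence stated on the page: SCIM overrides LDAP, and either directory source
# overrides a manually created object. Constructed model, not Cato's own code.
PRECEDENCE = {"manual": 0, "ldap": 1, "scim": 2}

@dataclass
class Account:
    enabled: set = field(default_factory=lambda: {"manual", "ldap"})
    groups: dict = field(default_factory=dict)   # group name -> owning source
    members: dict = field(default_factory=dict)  # group name -> member emails
    users: dict = field(default_factory=dict)    # email -> owning source
    roles: dict = field(default_factory=dict)    # email -> subset of {"sdp", "ua"}

    def enable(self, source): self.enabled.add(source)
    def disable(self, source): self.enabled.discard(source)

    def _protected(self, owner, source):
        # An object keeps its owner only while that owner is enabled and outranks
        # the syncing source; once SCIM is disabled, LDAP may take its objects back.
        return owner is not None and owner in self.enabled \
            and PRECEDENCE[owner] > PRECEDENCE[source]

    def add_user(self, email, roles, source, changed):
        """Create or take over one user. Ownership changes are appended to
        `changed`, which is what an LDAP sync would alert on after a SCIM revert."""
        owner = self.users.get(email)
        if self._protected(owner, source):
            return False
        if owner not in (None, source):
            changed.append(("user", email, owner))
        self.users[email] = source
        self.roles.setdefault(email, set()).update(roles)
        return True

    def sync(self, source, groups):
        """One provisioning run; groups is {name: {email: roles}}."""
        if source not in self.enabled:
            raise ValueError(f"{source} is not enabled")
        changed = []
        for name, users in groups.items():
            owner = self.groups.get(name)
            if self._protected(owner, source):
                continue  # e.g. LDAP syncing a group SCIM now owns: skipped
            if owner not in (None, source):
                changed.append(("group", name, owner))
            self.groups[name] = source
            # Existing members (including User Awareness users, which SCIM never
            # provisions) stay in the group; the new source only adds members.
            self.members.setdefault(name, set())
            for email, roles in users.items():
                if self.add_user(email, roles, source, changed):
                    self.members[name].add(email)
        return changed
```

Scenario 3 is an LDAP `sync`, then `enable("scim")` and a SCIM `sync` of a group with the same name; the returned list names the group and users SCIM took over, and `disable("scim")` followed by another LDAP `sync` reproduces the revert described in the note.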