The following options are available when you select the
Import users from LDAP option on the
Import Users page. You must first apply LDAP server
and search options before you can import users. For details, refer to
LDAP Import - Server Options.
User Attributes Map
The
User Attributes Map section enables you to map user account
attributes defined in the LDAP schema to
SBM user, resource, and contact attributes. The mapping
assignments apply to importing and updating user records.
You must first provide LDAP server connection and search specification
settings and successfully connect to the LDAP server before mapping user
attributes.
- SBM User Attributes
This column lists the following
SBM user account attributes:
- Four user account attributes (login ID, name, telephone, and
e-mail)
- All non-system, fixed-length
Text fields in the
Contacts table
- The
Companies system field from the
Contacts
table
- Resource attributes, including Job Functions and Skills.
Note:
SBM user accounts must have a login ID and name. If an imported
user account does not contain a name value, the LDAP login ID value is added as
the user's name.
- Mapped LDAP User Attributes
Select an LDAP attribute to map to the
SBM user attribute.
Tip: You can map attributes from multiple LDAP
accounts, if necessary. To do this, map the attributes from the first LDAP
account returned after you click
Refresh in the
LDAP Attributes Sample Data section. If this account does
not contain all the attributes you need, click
Refresh again to return another LDAP
account. Map attributes as needed from this account, and continue to click
Refresh until you have mapped all necessary attributes.
Tip: If you have multiple LDAP attributes with the same
name, and you map one of the attributes to either resource Teams or resource
Skills,
SBM uses the
values from each attribute to create multiple teams and skills. For example, if
you have three
objectClass attributes in LDAP (each with
different values) and you map
objectClass to Skills, then three different
skills are added to the associated resource record.
- Group Attributes
Type one or more LDAP user attributes as a comma-separated list (in the same
way as the group query parameters) for
SBM to examine when creating new groups as users are imported.
For example, if you select
memberOf as the attribute,
SBM will only
use the containers in the
memberOf LDAP attribute as possible groups for the
new user. Each
memberOf attribute on the user's LDAP account will
be examined. You can select more than one attribute. Group Attributes must
contain distinguished names, and the elements within those distinguished names
are used as group names (subject to filtering by the Group Query Parameters, if
any are specified).
For example, if you want to create groups based on the parameters
in both the
memberOf and
productTeam attributes, you would select:
memberOf
productTeam
In LDAP, user "Joe" might have the following values for
these attributes:
memberOf: CN=Domain Admins,DN=Users,DC=Acme,DC=com
memberOf: CN=Managers,DN=Users,DC=Acme,DC=com
productTeam: OU=DevTeam,DC=Acme,DC=com
SBM could then
potentially use any CN, DN, or OU parameter in any attribute to
create corresponding groups. You can limit the groups that are created by
specifying particular parameters in
Group Query Parameters.
Note: If the
Group Attribute field is left empty,
SBM considers
the entire Full Directory Name (also known as
distinguishedName) as the attribute to examine
(for example,
CN=LDAPTest,OU=QAGroup,DC=acme,DC=com). In this
case, the first parameter is ignored by
SBM to avoid
creating a group called "LDAPTest", which is typically a user account
and not a group. Whenever the
distinguishedName attribute is specified, the
first parameter will be ignored.
- Group Query Parameters
Enter the particular parameters you want
SBM to process
when attempting to create new groups. In effect, this field acts as an
additional filter on the
Group Attributes you specify. For example, you might only
want the CNs and OUs of each attribute examined. In that case, you would enter:
CN,OU
Using the example given for group attributes, these parameters
would create new groups based only on the CNs and OUs in each attribute, which
would result in the creation of the following groups:
Domain Admins
Managers
DevTeam
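To preview which groups an import would create before running it (a directory group such as Domain Admins becomes an SBM group name), the following added example models the Group Attributes and Group Query Parameters behavior described above. It is an illustration and not SBM code: the function names, the sample dictionary, and the treatment of an empty filter as "use every element" are assumptions.

```python
# Added illustration of the group derivation described above; not SBM code.
# Function names and the empty-filter behaviour are assumptions.

def split_dn(dn):
    """Split a DN into (TYPE, value) pairs; handles backslash-escaped commas only."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    rdns = []
    for part in parts:
        key, sep, value = part.partition("=")
        if sep:
            rdns.append((key.strip().upper(), value.strip()))
    return rdns

def candidate_groups(entry, group_attributes=(), query_parameters=()):
    """Return group names an import could create for one LDAP entry."""
    wanted = {p.strip().upper() for p in query_parameters}
    # Empty Group Attributes: the distinguishedName is examined instead.
    attrs = list(group_attributes) or ["distinguishedName"]
    groups = []
    for attr in attrs:
        for value in entry.get(attr, []):
            rdns = split_dn(value)
            if attr.lower() == "distinguishedname":
                rdns = rdns[1:]  # first element is the account, not a group
            for key, name in rdns:
                if (not wanted or key in wanted) and name not in groups:
                    groups.append(name)
    return groups

# Constructed sample entry that combines the attribute values quoted on this page.
SAMPLE = {
    "distinguishedName": ["CN=LDAPTest,OU=QAGroup,DC=acme,DC=com"],
    "memberOf": ["CN=Domain Admins,DN=Users,DC=Acme,DC=com",
                 "CN=Managers,DN=Users,DC=Acme,DC=com"],
    "productTeam": ["OU=DevTeam,DC=Acme,DC=com"],
}
```

Calling `candidate_groups(SAMPLE, ["memberOf", "productTeam"], ["CN", "OU"])` reproduces the three groups listed above; calling it with no query parameters shows how many extra names an unfiltered import would consider under this model.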
User Import Options
Use the following options to select a template user account, handle
existing users, and, optionally, create contact records that are
associated with the imported accounts.
- Import Users as a copy of
Click
Find to search for or select an
SBM user account that serves as a template account for imported
users. Once selected, the name, login ID, and product-access type of the
selected user template account are shown in the
Import Users as a copy of box. Imported
accounts contain the values of mapped attributes, along with the product-access
type, role assignments, group membership, privileges, preferences, application
settings, notifications subscriptions, and password settings of the template
account. This process is similar to copying an
SBM user account.
Note: If the template user has a private report
specified as a
Home Page report or a Quick Link, users whose accounts are
imported will receive an error when they run that report. For best results,
select a template user whose application settings specify built-in or
non-private level reports.
- Create Associated Contacts
Select to automatically create
Contact records that are associated with imported users.
Contact records imported with a user account contain values for the mapped
Contact table fields and the values for
Contact table fields that are not listed on the
User Map tab (First Name, Middle Name, Last Name, E-mail,
and Phone Number).
CAUTION:
If you import an LDAP user as a contact and
later want to import that LDAP user as an
SBM user, a duplicate
Contact record is created if the
Create Associated Contacts check box is selected. If you
do not select the
Create Associated Contacts check box when later
re-importing the contact as an
SBM user, that user account will not have a
Contact record associated with it, even though the original
Contact record remains in the system. In other words,
newly imported users are not automatically associated with existing
Contact records. If you import users with the
Create Associated Contacts check box selected, new
Contact records associated with imported users are
created. This applies to users that are automatically added to
SBM as well. An alternative to importing contacts as users is to
utilize the "Grant Login" feature in
Contacts records.
- If user already exists
Select one of the following options for handling LDAP user
accounts that have the same login ID as
SBM accounts. The comparison of login IDs between LDAP and
SBM is not case-sensitive.
- Do not modify
Select this option to ignore LDAP user accounts that already
exist in
SBM.
Tip: If the user already exists, but does not have an
associated resource record, a new resource record is created for that user if
you map any resource attributes.
- Replace mapped attributes
Select this option to update any mapped attributes that have
changed in LDAP. This option is useful for updating information in existing
SBM accounts while you import new accounts from LDAP.
- Replace user
Select this option to replace existing
SBM user accounts with the mapped and template user attributes.
This option is useful for quickly modifying multiple user account attributes in
SBM. For example, if a user is promoted to a managerial position,
you can import that user based on a template from an existing manager's
account. The unique database ID for the replaced user does not change so that
ownership of primary items is not affected; however, all account attributes,
such as product-access type, privileges, preferences, etc., are replaced.
Because this option enables you to completely overwrite an existing user's
account, use this feature cautiously.
- Alias
On-demand only – Use the
Alias field to enter an e-mail address
domain that will be appended to the
Login ID for imported users. For example, if you map Bill's
sAMAccountName (Bill) to
Login ID and enter
@acme.com in the
Alias field, Bill is imported with a
Login ID like
bill@acme.com.
Find Candidates Options
Use this section to query LDAP for a list of potential users or
contacts who can be imported into
SBM. You can then select candidates to import.
- Refresh
Click to initiate the search for LDAP users matching the
criteria specified in the search filter. When the search is complete, the LDAP
users who match the search criteria are listed. You can sort the list by
clicking on the column headings.
Tip: If the desired user is not found, click
Refresh in the LDAP Attributes
Sample Data section, and then try again.
Note: The amount of time needed for the search depends
on the speed of the connection to the LDAP server and the number of users
qualified by the search.
- Select All
Click to select all candidates in the list.
- Clear All
Click to clear your selections.
- Filter
Select a search filter or type a new search filter. The search
filter you provide depends on how user accounts are organized in LDAP and the
type of user accounts you want to import. For example:
- You may want to include
objectClass=SBMUser (or a similar value, depending on
your LDAP configuration) in your search filter to return all LDAP users
classified as
SBM users.
- If groups exist in your LDAP system that are similar to
groups in
SBM, include the group name in your search filter criteria. Other
attributes such as organizational unit, department, and title might also be
useful.
- Consider common traits of users as you construct search
filters. For example, (telephoneNumber=555*) returns accounts in which users
have phone numbers beginning with 555.
- Import
Select candidates you want to import.
- Exists in
SBM
A disabled checkmark indicates that a user or contact matching
the LDAP attributes already exists in
SBM.
- Login ID
Listed for user imports. Indicates the
SBM login ID.
- Name
Listed for user imports. Indicates the
SBM user name.
- First Name
Listed for contact imports.
- Last Name
Listed for contact imports.
Copyright © 2007–2016 Serena Software, Inc. All rights reserved.