How user imports in UBA synchronizes imported data to a reference table
Synchronizing imported data when you import users, causes some data to be stored and other data to be updated.
When each user import has completed the step to download data from the defined source (LDAP, reference table, or CSV file), UBA searches the data that was retrieved from the source and parse it through a normalization process, which takes each record that is received and maps attributes from the source to a set of normalized fields. The fields are display_name, full_name, city, state, country, custom_group, dept, domain, email, job_title, manager. These fields are normalized as configured from the tab in the display fields section.
If a display field has multiple attributes listed, the first attribute in the list is used to populate the normalized field in the reference table. Should an attribute from the import source contain a list of values, then the first value in the list will be used to populate the normalized field in the reference table. For example, if the display field 'Department' is configured to be set from imported attribute 'dept' and 'section' in that order, then the value for 'dept' will be stored in the reference table. Continuing the previous example, if 'dept' contained values 'Engineering' and 'Devops' in that order, then 'Engineering' will be stored in the reference table under the 'department' normalized field. Similarly, the user coalescing fields that are defined for the aliases section in the user import tuning page will be used to map each 'username' found to id, id1, id2, etc., up to the number of attributes in the aliases list. If no aliases are matched from the imported data, the user is not added to the reference table.
On initial run, or when the option to synchronize the data is added to an existing configuration, all values found by that import (and only that import) are added, the users are not coalesced and will not look like the users in UBA exactly. If the import configured supports additional polling (like LDAP) then on each delta poll only the newly discovered records are added. UBA will never completely rebuild the reference table from data. Therefore, if elements in the reference table are manually removed, they will not be automatically added back.