Configuring the user and group synchronization job

The user and group synchronization job is a Kubernetes cron job. You can configure the parameters for the synchronization job.

About this task

The synchronization job can be configured with the following parameters:

Each entry lists the parameter, its default value, and a description.

useLdapRealmFiltering
    Default value: false
    Description: Activate this parameter only when syncUsersFromLDAP is true. Set to true if you want to enable realm filtering. A false value will not check the realm. You must have the Identity Management Service (IAM) enabled in IBM® Software Hub to set this parameter.
    Note: realmName is an identity provider connection name in IBM Software Hub.

ldapPreferredRealm
    Default value: OpenShift
    Description: This feature is activated only when syncUsersFromLDAP and useLdapRealmFiltering are enabled. The realm value can be set to a user-defined value to filter users. You must have the Identity Management Service (IAM) enabled in IBM Software Hub to set this parameter.

ignoreUsernameCase
    Default value: false
    Description: This feature is activated only when syncUsersFromLDAP is enabled. During synchronization, if ignoreUsernameCase is set to true, the job queries the identity provider to retrieve additional user attributes, such as firstName and lastName, by using a case-insensitive username match. The Identity Management Service (IAM) must be enabled in IBM Software Hub to configure this parameter.

logLevel
    Default value: INFO
    Description: Log level can be set to INFO, DEBUG, ERROR, WARN, or TRACE.

syncFromServiceInstance
    Default value: true
    Description: By default, the synchronization runs for groups and users who are assigned to the OpenPages service instance in IBM Software Hub. If set to false, the synchronization happens directly for groups and users at the IBM Software Hub platform level.

defaultLocaleIsoCode
    Default value: en_US
    Description: By default, all users are created in OpenPages with locale set to the value of this parameter.

defaultPreferredProfileName
    Default value: OpenPages Modules Master
    Description: Users are created in OpenPages with Current Profile set to the value of this parameter if profiles are not already mapped to groups in OpenPages under System Configuration > Settings > Platform > CloudPak > Sync > Profiles settings.

defaultAvailableProfileNames
    Default value: OpenPages Modules Master
    Description: Users are created in OpenPages with Allowed Profiles set based on the value of this parameter, provided that profiles are not already mapped to groups under System Configuration > Settings > Platform > CloudPak > Sync > Profiles. This parameter supports comma-separated values.

    Assigning profiles to groups:

    To assign profiles to groups, complete the following steps:
      1. Enable required registry settings.

        Ensure the following registry settings are set to true:
        • Applications/Common/Configuration/Show Hidden Settings
        • Applications/Common/Configuration/Allow Create and Delete Settings
      2. Configure profile-to-group mapping.

        Navigate to System Configuration > Settings > Platform > CloudPak > Sync > Profiles.

        Create a new setting by using the following format:
        • NAME=<openpages_user_profile_name>
        • VALUE=add <group_name_that_exists_in_CPD>
        Note: Multiple group names can be specified as comma-separated values.
      3. Assign groups and synchronize users.

        • Assign the group(s) to the OpenPages instance in IBM Software Hub. Allow the user and group synchronization job to complete.
        • Users who are members of the specified IBM Software Hub group(s) will be assigned to the corresponding OpenPages profile that is defined in step 2.
    Note: Existing users also have a default profile assigned; new users get only a group profile.

cronSchedule
    Default value: Every 20 min: */20 * * * *
    Description: A valid cron expression that specifies how frequently to run the job.

suspendCronJob
    Default value: True
    Description: Set to True to suspend the synchronization job. The job can be resumed by setting the value to False. If the parameter is not specified, the default value is False.

syncUsersFromLDAP
    Default value: False
    Description: Set to True if you want the synchronization job to search the identity provider for additional user details such as firstName and lastName. You must have the Identity Management Service (IAM) enabled in IBM Software Hub to set this parameter.

disableSyncAllUsersFromLDAP
    Default value: False
    Description: Set to True if you don't want the synchronization job to update existing users' LDAP information. You must have the Identity Management Service (IAM) enabled in IBM Software Hub to set this parameter.

Note: Run this operation when the cluster is quiet.

Procedure

  1. Log in to your Red Hat® OpenShift® cluster as an instance administrator.
    ${CPDM_OC_LOGIN}
  2. Change to the project where OpenPages is installed:
    oc project ${PROJECT_CPD_INST_OPERANDS}
  3. Run the following command:
    oc edit OpenPagesInstance <instance_name>
  4. Under spec/customScaleConfig/userSync, add or modify the parameters.
    For example, the following snippet shows how to set the cron job to run every 10 minutes:
    customScaleConfig:
       userSync:
          cronSchedule: "*/10 * * * *"
          syncFromServiceInstance: "true"
          defaultLocaleIsoCode: "en_US"
          defaultPreferredProfileName: "OpenPages Modules Master"
          defaultAvailableProfileNames: "OpenPages Platform 2, OpenPages Platform 3, OpenPages Modules Master"
          suspendCronJob: False
          syncUsersFromLDAP: "true"
          useLdapRealmFiltering: "true"
          ldapPreferredRealm: "opldap"
          ignoreUsernameCase: "true"
    
    If the cron expression specified for the cronSchedule parameter is not valid, the cron job is set to run every 20 minutes.

    If you are using syncUsersFromLDAP: true and the Identity provider is configured with SAML and OIDC, then you may have to configure SCIM mapping. For more information, see Configuring single sign-on using OpenID Connect (OIDC) and Configuring single sign-on with the SAML.
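
The parameter dependencies and the silent 20-minute fallback for an invalid cronSchedule can be checked before the edit is saved. The following Python check is an added example, not part of the IBM documentation or product; the function names and sample mapping are constructed, and the cron test is a conservative numeric five-field check that may reject expressions the product accepts (for example, day names).

```python
import re

# Ranges for minute, hour, day-of-month, month, day-of-week.
CRON_RANGES = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 7)]
LOG_LEVELS = {"INFO", "DEBUG", "ERROR", "WARN", "TRACE"}  # values listed for logLevel
TERM = re.compile(r"^(\*|\d+(?:-\d+)?)(?:/(\d+))?$")

def is_true(value):
    # The page's snippet mixes quoted "true" and bare False, so compare as text.
    return str(value).strip().lower() == "true"

def cron_is_valid(expr):
    # Assumption: numeric five-field syntax only (*, n, a-b, lists, /step).
    fields = str(expr).split()
    if len(fields) != 5:
        return False
    for field, (lo, hi) in zip(fields, CRON_RANGES):
        for term in field.split(","):
            m = TERM.match(term)
            if not m or (m.group(2) and int(m.group(2)) == 0):
                return False
            if m.group(1) != "*":
                bounds = [int(n) for n in m.group(1).split("-")]
                if bounds != sorted(bounds) or bounds[0] < lo or bounds[-1] > hi:
                    return False
    return True

def check_user_sync(cfg):
    # cfg: the mapping under spec/customScaleConfig/userSync; returns findings.
    findings = []
    ldap = is_true(cfg.get("syncUsersFromLDAP", "false"))
    realm = is_true(cfg.get("useLdapRealmFiltering", "false"))
    if "cronSchedule" in cfg and not cron_is_valid(cfg["cronSchedule"]):
        findings.append("cronSchedule is not valid: the job will run every 20 minutes")
    if realm and not ldap:
        findings.append("useLdapRealmFiltering needs syncUsersFromLDAP: true")
    if "ldapPreferredRealm" in cfg and not (ldap and realm):
        findings.append("ldapPreferredRealm is set but realm filtering is not active")
    if is_true(cfg.get("ignoreUsernameCase", "false")) and not ldap:
        findings.append("ignoreUsernameCase needs syncUsersFromLDAP: true")
    if str(cfg.get("logLevel", "INFO")) not in LOG_LEVELS:
        findings.append("logLevel must be one of INFO, DEBUG, ERROR, WARN, TRACE")
    return findings

# Constructed sample: six-field schedule, realm filter set while the LDAP lookup is off.
SAMPLE = {"cronSchedule": "*/10 * * * * *", "syncUsersFromLDAP": "false",
          "useLdapRealmFiltering": "true", "ldapPreferredRealm": "opldap"}

if __name__ == "__main__":
    print("\n".join(check_user_sync(SAMPLE)) or "no findings")
```

The snippet shown in step 4 passes this check with no findings; the constructed sample produces three.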