Automatic sync domain users and groups


When a user leaves the company or transfers to another department, the user should be disabled in Vault automatically. Currently we need to manually run "Update Domain Group" to get the deleted user disabled in Vault.

I want the following behavior in Vault:

1. If a user is disabled in the domain, the user should be disabled in Vault.

2. If a user is deleted in the domain, the user should be disabled in Vault.

3. If a user is removed from a domain group, and is no longer a member of any other groups in Vault, the user should be disabled.

8 Comments
ihayesjr
Community Manager
Status changed to: Future Consideration

What would you like to see if the domain group is deleted?  There is a potential that all users in the group could get locked out of Vault until it is fixed.

smilinger
Advisor

If all permissions are only directly assigned to the domain group, then it is natural that users in the domain group will get locked if the domain group is deleted, otherwise it should be OK because users are still members of some other vault groups.

jan.divis
Explorer

Hello,

Is there anything new on this issue?

I'm keen on solving it too.

We are a big company. Our permissions management is based on Active Directory groups. In most of our systems we use automatic synchronization.

Regards,

Jan

philip.s
Alumni
Status changed to: Under Review
 
Senthil_Kumar
Autodesk
Thanks for sharing your Idea. We use this forum to guide product development and help users in the best way we can based on voting. We occasionally merge Ideas or archive old ones to keep the forum working properly; it ensures there is room for people to review new Ideas and that the most relevant and meaningful ones can gain votes. We're archiving this Idea because it's been on the board for well over a year and hasn't received many votes from the community. If you want to raise it again and try to gain more support, you're welcome to do so. We've found that pictures and mock-ups can help get concepts across and win more votes from other users. If you have questions or see a connection between this Idea and others, let us know. - Vault product team
Senthil_Kumar
Autodesk
Status changed to: Archived
 
Curtis_Bussey
Contributor

It would be nice to see this revived. In our case, where we have over 35 ACL groups, it becomes a chore to keep up with new users as they are added to the ACL groups. It's currently a manual update (as you know) from Vault. Seems there should be an automated way.

 

Thanks,

Anonymous
Not applicable

Yes, this needs to be implemented. In larger companies that manage permissions via Active Directory, having to synchronize this becomes problematic, especially because we don't always know when users leave groups and such. If an Active Directory group is implemented in Vault that has 300 plus users across a large sub-organization at a large company (in our case a utility), we aren't going to know on a day-to-day basis who is taken from or added to the group, since said group is managed by a whole other department in the company. We just implement the group in Vault to have certain permissions and expect Vault to pull in the users and manage said access. If a user leaves the group, we want Vault to disable the account. If it doesn't do this already (which it appears it doesn't), then this is an issue and not behavior we expected or were told would happen when Vault was implemented at our company.
