Mapped PLCs not present in '--users group' argument are removed if user is disabled

[adorton-adobe]

It appears that mapped PLCs are removed from a disabled user (disabled in the directory) even when those PLCs are not specified in the --users group argument.

Example-

Here are two users disabled in my test AD environment:

Test User 1 exists in my admin console, and is assigned two PLCs - All Apps and Adobe Sign

Here's the config I'm using - user-sync-config.yml.txt

And the command to run sync-

py -2 .\user-sync.pex --process-groups --users group ADOBE-SIGN

When I run the sync tool, I expect it to remove the Sign PLC, but not All Apps, since All Apps is not specified in the --user groups param. Here's the log showing that the user is removed from both PLCs:

2017-03-01 16:26:29 7716 INFO config - Using main config file: user-sync-config.yml
2017-03-01 16:26:29 7716 INFO main - ========== Start Run =======================================
2017-03-01 16:26:29 7716 INFO connector.ldap - Connecting to: ldap://10.51.19.15 using username: ldapuser
2017-03-01 16:26:30 7716 INFO connector.ldap - Connected
2017-03-01 16:26:30 7716 INFO dashboard.owning - Creating connection for org id: "5190B7C05746859A7F000101@AdobeOrg" using private key file: "C:\Users\adorton\training\user-sync\private.key"
2017-03-01 16:26:31 7716 INFO dashboard.owning - API initialized on: https://usermanagement-stage.adobe.io/v2/usermanagement
2017-03-01 16:26:31 7716 INFO processor - ---------- Start Load from Directory -----------------------
2017-03-01 16:26:31 7716 INFO processor - Building work list...
2017-03-01 16:26:31 7716 INFO connector.ldap - Loading users...
2017-03-01 16:26:31 7716 WARNING connector.ldap - No email attribute: mail for dn: CN=Administrator,CN=Users,DC=ccestestdomain,DC=com
2017-03-01 16:26:31 7716 WARNING connector.ldap - No email attribute: mail for dn: CN=itcloud,CN=Users,DC=ccestestdomain,DC=com
2017-03-01 16:26:31 7716 WARNING connector.ldap - No email attribute: mail for dn: CN=BladeLogicRSCD,CN=Users,DC=ccestestdomain,DC=com
2017-03-01 16:26:31 7716 WARNING connector.ldap - No email attribute: mail for dn: CN=ldapuser,CN=Users,DC=ccestestdomain,DC=com
2017-03-01 16:26:31 7716 WARNING connector.ldap - No email attribute: mail for dn: CN=Kevin Bhunut,CN=Users,DC=ccestestdomain,DC=com
2017-03-01 16:26:31 7716 INFO connector.ldap - Total users loaded: 0
2017-03-01 16:26:32 7716 INFO processor - Total directory users after filtering: 0
2017-03-01 16:26:32 7716 INFO processor - ---------- End Load from Directory (Total time: 0:00:00) ---
2017-03-01 16:26:32 7716 INFO processor - ---------- Start Sync Dashboard ----------------------------
2017-03-01 16:26:32 7716 INFO processor - Syncing owning...
2017-03-01 16:26:33 7716 INFO processor - Adobe User not in Directory: testuser1@ccestestdomain.com
2017-03-01 16:26:33 7716 INFO processor - Removed from Groups: set([u'adobe sign', u'all apps'])
2017-03-01 16:26:33 7716 INFO processor - Managing groups for user key: testuser1@ccestestdomain.com organization: None added: None removed: set([u'adobe sign', u'all apps'])
2017-03-01 16:26:33 7716 INFO dashboard.owning.action - Added action: {"do": [{"remove": {"product": ["adobe sign", "all apps"]}}], "requestID": "action_1", "user": "testuser1@ccestestdomain.com"}
2017-03-01 16:26:35 7716 INFO processor - ---------- End Sync Dashboard (Total time: 0:00:02) --------
2017-03-01 16:26:35 7716 INFO main - ========== End Run (Total time: 0:00:05) ===================

If I remove the All Apps mapping from my config and run through this use case again, then the All Apps PLC is not removed. Should it also be retained if it is in the config, but not specified in --users group?

[phil-levy]

The set of groups to be managed is the range of the group mapping in the config file which in this case includes All_Apps. It is not dependent on the --users groups list.

[adorton-adobe]

But I thought that --users mapped is being introduced to cover the range of group mapping in the config?

If the contents of the group mapping in the config override the contents of the --users group list, then why have the --users group param?

[adobeDan]

Further to what Phil said: you can't use the same group mapping across different sync jobs and expect that mapping to be applied only to a subset of users that are specified via the --users parameter: the mapping is applied to all users on the Adobe side. The intended approach is that every sync job with --process-groups that is restricted to a subset of users on the customer side should have its own configuration file, that file should specify all the mappings that are to be applied to that set subset of users, and the target groups in that mapping must be distinct from the target groups of all other sync jobs.

In the specific case @adorton-adobe is raising here, there would need to be two different sync jobs, one for the Adobe Sign users, and one for the Adobe CC users, and those two different sync jobs would use different target groups on the Adobe side. If there were some Adobe Sign users who were also supposed to have Adobe CC, and/or some Adobe CC users who were supposed to have Adobe Sign, which is a common occurrence, then the sync jobs should not directly put users into PLC groups (because then the target groups would overlap). Instead, on the Adobe side, each sync job would have its own target user group(s) that it puts its users into, e.g. "Adobe Sign Users only" and "Adobe Sign Users with CC" for the Adobe Sign job, and "Adobe CC Users only" and "Adobe CC Users with Adobe Sign" for the Adobe CC job. Then both "Adobe CC Users only" and "Adobe Sign Users with Adobe CC" would be put into the "Adobe CC" PLC, and both "Adobe Sign Users only" and "Adobe CC Users with Adobe Sign" would be put into the "Adobe Sign" PLC, and the sync jobs would cooperate properly to give all users their correct entitlements without interfering with each other.

To answer @adorton-adobe's question about --users mapped, the point of --users mapped is simply to make it easier for people to specify "all the groups in the source mapping in the config file". As should be clear from the above discussion, not to specify all the source groups would be a mistake, because the filtered out source users would then lose all their mapped groups.

[adobeDan]

I will add that we already have an enhancement request to be able to filter the users who are considered for sync from the Adobe side. That enhancement will allow different sync jobs to have overlapping target mappings but not interfere with each other by allowing those jobs to filter out the Adobe users that are not addressed by their source users. I am closing this issue since the behavior is as designed.

[adorton-adobe]

Thanks @adobeDan. I'm not totally sure I 100% understand. I'll let you know if it comes up as an issue for a customer.

Can we at least make sure the user guide states that the sync tool will consider all PLCs in the config mapping regardless of the groups specified in --users group?