The User Sync Tool is a command-line tool that automates the creation and management of Adobe user accounts. It does this by reading user and group information from an organization's enterprise directory system or a file and then creating, updating, or removing user accounts in the Adobe Admin Console. The key goals of the User Sync Tool are to streamline the process of named user deployment and automate user management for all Adobe users and products.
This application is open source, maintained by Adobe, and distributed under the terms of the OSI-approved MIT license. See the LICENSE file for details.
Copyright (c) 2016-2017 Adobe Systems Incorporated.
- Python 2.7+
- User Management API Credentials (see the official documentation)
- Accessible LDAP server (optional)
- If running on Windows, a 64 bit version of Windows is required.
The connector is packaged as a self-contained .pex file. See the releases page to get the latest build for your platform.
Requirements:
- Python 2.7+
- virtualenv
- If building on Debian - `python-dev libssl-dev libffi-dev libsasl2-dev libldap2-dev`
- GNU Make
To build, run `make pex` from the command line in the main repo directory.
Builds and execution are set up for 64-bit Windows versions.
First, there are several projects that do not have good 64 bit builds for Windows platforms. These are enum34, python_ldap, and pyYaml. Acceptable builds are in the misc/build/Win64 folder and these can be used directly. You can also check http://www.lfd.uci.edu/~gohlke/pythonlibs/
Load dependencies into the interpreter directory:

```
pip install -r misc\build\Win64\python-ldap-requirements.txt
pip install -r misc\build\requirements.txt
```

The requirements will usually be loaded into C:\Python27\lib\site-packages if C:\Python27 is your install directory and you aren't specifying any options that send things elsewhere.
To set up PyCharm for debugging:
- Make sure you are using a 64-bit Python interpreter (File > Settings > Project Interpreter).
- Make sure the interpreter isn't overridden in the run configuration.
- Set up a run configuration based on Python that references the user_sync\app.py file as the script, and has the command line parameters you want to test with (e.g. --users file test.csv). Working directory works best as the folder with your config files.
## User Sync command line

| Parameters and argument specifications | Description |
|---|---|
| `-h`<br/>`--help` | Show this help message and exit. |
| `-v`<br/>`--version` | Show program's version number and exit. |
| `-t`<br/>`--test-mode` | Run API action calls in test mode (does not execute changes). Logs what would have been executed. |
| `-c` _filename_<br/>`--config-filename` _filename_ | The complete path to the main configuration file, absolute or relative to the working folder. Default filename is "user-sync-config.yml". |
| `--users all`<br/>`--users file` _input_path_<br/>`--users group` _grp1,grp2_<br/>`--users mapped` | Specify the users to be selected for sync. The default is `all`, meaning all users found in the directory. Specifying `file` means to take input user specifications from the CSV file named by the argument. Specifying `group` interprets the argument as a comma-separated list of groups in the enterprise directory, and only users in those groups are selected. Specifying `mapped` is the same as specifying `group` with all groups listed in the group mapping in the configuration file. This is a very common case where just the users in mapped groups are to be synced. |
| `--user-filter` _regex_pattern_ | Limit the set of users that are examined for syncing to those matching a pattern specified with a regular expression. See the Python regular expression documentation for information on constructing regular expressions in Python. The user name must completely match the regular expression. |
| `--update-user-info` | When supplied, synchronizes user information. If the information differs between the enterprise directory side and the Adobe side, the Adobe side is updated to match. This includes the firstname and lastname fields. |
| `--process-groups` | When supplied, synchronizes group membership information. If the membership in mapped groups differs between the enterprise directory side and the Adobe side, the group membership is updated on the Adobe side to match. This includes removal of group membership for Adobe users not listed in the directory side (unless the `--adobe-only-user-action exclude` option is also selected). |
| `--adobe-only-user-action preserve`<br/>`--adobe-only-user-action remove-adobe-groups`<br/>`--adobe-only-user-action remove`<br/>`--adobe-only-user-action delete`<br/>`--adobe-only-user-action write-file` _filename_<br/>`--adobe-only-user-action exclude` | When supplied, if user accounts are found on the Adobe side that are not in the directory, take the indicated action.<br/>`preserve`: no action concerning account deletion is taken. This is the default. There may still be group membership changes if the `--process-groups` option was specified.<br/>`remove-adobe-groups`: The account is removed from user groups and product configurations, freeing any licenses it held, but is left as an active account in the organization.<br/>`remove`: In addition to `remove-adobe-groups`, the account is also removed from the organization, but is left as an existing account.<br/>`delete`: In addition to the action for `remove`, the account is deleted if owned by the organization.<br/>`write-file`: the list of user accounts present on the Adobe side but not in the directory is written to the file indicated. No other account action is taken. You can then pass this file to the `--adobe-only-user-list` argument in a subsequent run.<br/>`exclude`: No update of any kind is applied to users found only on the Adobe side. This is used when doing updates of specific users via a file (`--users file f`) where only users needing explicit updates are listed in the file and all other users should be left alone.<br/>Only permitted actions will be applied. Accounts of type adobeID are owned by the user, so the `delete` action will do the equivalent of `remove`. The same is true of Adobe accounts owned by other organizations. |
| `--adobe-only-user-list` _filename_ | Specifies a file from which a list of users will be read. This list is used as the definitive list of "Adobe only" user accounts to be acted upon. One of the `--adobe-only-user-action` directives must also be specified and its action will be applied to user accounts in the list. The `--users` option is disallowed if this option is present: only account removal actions can be processed. |

See the examples directory for sample configuration files of all types. These sample files include all of the possible options with descriptions of them.
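
A pre-flight check for a User Sync argument list, added here as an example (it is not part of the User Sync Tool): it applies the option rules from the command-line table above and models the complete-match behaviour described for `--user-filter`. The function names, the sample arguments, and the policy of flagging account-changing actions that run without `--test-mode` are assumptions of this example.

```python
import re

# Values documented for --adobe-only-user-action in the table above.
ACTIONS = {"preserve", "remove-adobe-groups", "remove",
           "delete", "write-file", "exclude"}
# Actions that change accounts on the Adobe side (local policy: rehearse with -t).
ACCOUNT_CHANGING = {"remove-adobe-groups", "remove", "delete"}


def value_after(argv, flag):
    """Return the token following flag, '' if flag is last, None if absent."""
    if flag not in argv:
        return None
    i = argv.index(flag)
    return argv[i + 1] if i + 1 < len(argv) else ""


def filter_selects(pattern, username):
    """Model of --user-filter: the user name must completely match."""
    return re.fullmatch(pattern, username) is not None


def preflight(argv):
    """Return a list of findings for a proposed User Sync argument list."""
    findings = []
    action = value_after(argv, "--adobe-only-user-action")
    test_mode = "-t" in argv or "--test-mode" in argv
    if action is not None and action not in ACTIONS:
        findings.append("unknown --adobe-only-user-action value: %r" % action)
    if "--adobe-only-user-list" in argv:
        if "--users" in argv:
            findings.append("--users is disallowed with --adobe-only-user-list")
        if action is None:
            findings.append("--adobe-only-user-list needs an --adobe-only-user-action")
    if action in ACCOUNT_CHANGING and not test_mode:
        findings.append("%s changes accounts; rehearse with --test-mode first" % action)
    pattern = value_after(argv, "--user-filter")
    if pattern is not None:
        try:
            re.compile(pattern)
        except re.error as exc:
            findings.append("--user-filter is not a valid regex: %s" % exc)
    return findings


if __name__ == "__main__":
    # Constructed sample argument list.
    for finding in preflight(["--users", "mapped", "--adobe-only-user-action", "delete"]):
        print(finding)
```

A pattern such as `bob` does not select `bob@example.com` under complete-match semantics; `bob@.*` does.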