Configuring the synchronization of Kaspersky Automated Security Awareness Platform users with Active Directory accounts involves both the application administrator ("ASAP admin") and the Active Directory administrator.
Synchronization configuration involves the following steps.
The ASAP admin and the Active Directory admin need to prepare a list of domain users whose information should be synchronized with the application. These users need to be placed in a single Active Directory group.
In test mode, you can view the changes that would be applied by synchronization, but these changes are not written to the application database. This lets you find configuration errors and adjust the synchronization settings before any data is changed.
The ASAP admin needs to add custom fields in the application for the account attributes that need to be retrieved from Active Directory.
The ASAP admin sets the required synchronization settings in the ASAP web interface. A script file is generated automatically from these settings. If needed, you can edit the script manually. The file then needs to be transferred to your company's Active Directory admin.
The Active Directory admin must ensure that the script runs automatically on a regular basis, using the operating system's scheduling tools or a third-party application. We recommend running the script once every 24 hours.
After synchronization is complete, we recommend that the ASAP admin review the history of processed synchronization requests and confirm that the specified attributes of the selected users were transferred correctly. If users were already present in the application before synchronization started, check that the data for these users was updated correctly.
If you approve all of the changes displayed in the log, you can switch the application from test mode to main mode. The next time the script runs, all changes will be written to the application database.
If synchronization is successful, each user retrieved from Active Directory has a local AD service ID.
If a user who was added to the application before synchronization started does not have a local AD service ID, check the user's Active Directory account. The account may have been deleted, or the user's email address may have changed. In this case, the ASAP admin needs to enter the changes manually or delete the user from the application.
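The two Active Directory admin tasks described above, scheduling the generated script to run every 24 hours and checking the sync group for accounts that will not receive a local AD service ID (disabled, or with no email address), as an added PowerShell example that is not part of the Kaspersky documentation or the generated script. The group name, the script path and the group managed service account are placeholders you would replace with your own values.

```powershell
# Added example, not from the ASAP documentation or the ASAP-generated script.
# Placeholders: the sync group, the path where the generated script was saved,
# and a group managed service account (gMSA) the task runs under.
Import-Module ActiveDirectory

$GroupName   = 'ASAP-Sync-Users'         # placeholder: AD group prepared in the first step
$ScriptPath  = 'C:\ASAP\asap-sync.ps1'   # placeholder: location of the generated script
$TaskAccount = 'CORP\svc-asap-sync$'     # placeholder: gMSA, so no password is stored

# 1. Review the group before switching to main mode. Members that are disabled or
#    have no mail attribute are the accounts that end up without a local AD service
#    ID, so they should be fixed in AD or handled manually by the ASAP admin.
function Get-AsapSyncProblems {
    param([string]$Group)
    Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties mail, whenChanged |
        Where-Object { -not $_.Enabled -or [string]::IsNullOrWhiteSpace($_.mail) } |
        Select-Object SamAccountName, Enabled, mail, whenChanged
}

Get-AsapSyncProblems -Group $GroupName | Format-Table -AutoSize

# 2. Run the generated script once every 24 hours under the service account,
#    with a limited run level and a time limit so a hung run cannot pile up.
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                 -Argument "-NoProfile -File `"$ScriptPath`""
$trigger   = New-ScheduledTaskTrigger -Daily -At 02:00
$principal = New-ScheduledTaskPrincipal -UserId $TaskAccount `
                 -LogonType Password -RunLevel Limited
$settings  = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 1) `
                 -MultipleInstances IgnoreNew

Register-ScheduledTask -TaskName 'ASAP AD synchronization' -Action $action `
    -Trigger $trigger -Principal $principal -Settings $settings -Force
```

The gMSA needs read access to the group and the attributes listed in the ASAP custom fields, and nothing more; review the ASAP synchronization history after the first scheduled run as the page recommends.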