Skip to main content
Version: Classic

Profile Onboarding upon Permission Loss

Overview

With the feature “Profile Onboarding upon Permission Loss,” it can be ensured that user profiles are only assigned to organizational units for which the respective user has permission.
If a user loses permission for one or more organizational units, the onboarding process is re-executed for the affected profiles to correct or remove the assignment if no suitable replacement organizational unit can be found.

Functionality

The ProfileToOrganizationLinkValidator has three different modes, which can be set in the dashboard under Settings -> General Settings -> ProfileOrganizationUnitValidationMode. In the No Check mode, no validation is performed.

Propose Organizational Unit

In the Propose new Org Id mode, all profiles are checked for permissions to their assigned organizational unit. If the job has already been executed before, any existing proposed organizational units are first removed from the profiles, as it is possible that a user has regained their permission in the meantime.
For those profiles that have lost permission to the assigned organizational unit, the profile onboarding is re-executed and a replacement organizational unit is determined. This is added to the profile as a suggestion. If none can be found, this is also recorded accordingly.
The proposed organizational units for a user can be viewed in the User Editor in the Dashboard (Security -> More -> editor).

Assign Organizational Unit

The Apply new Org Id mode works analogously to Propose new Org Id, with the difference that the determined organizational units are directly assigned to the affected profiles without first making a suggestion.
This option should be used with caution and only after checking with Propose new Org Id.

JobHost

Similar to UserSync, a DataSourceId can be specified for the ProfileToOrganizationLinkValidator - if this is not specified, the OrgSync is executed on all databases. Without a specified DataSourceId, the minimal call is ...\primedocs.JobHost.exe ProfileToOrganizationLinkValidator

Parameters

ShortLongRequiredDefaultDescription
-d--DataSourceIdfalsenullGUID of the target database on the server. If omitted, OrgSync is executed on all configured databases.

Limitations

There is no view in the dashboard to display all profiles and their proposed organizational units and to apply the changes.
The proposed organizational units can become outdated if, after a job execution, something changes in the user's permissions or in the organizational units assigned to the profiles.