
Customizing synchronization

You can use a variety of Sync Options and Filters to customize your sync operation and limit the users and/or groups that are processed to your Team.

Available sync options and filter syntaxes differ for each directory server type. Refer to the Configure Sync Options and Specify Sync Filters sections of one of the following articles for help:

If you're using the Directory Connector CLI, see Directory Connector File Storage for help editing your data.json configuration file.

This section shows you how to use Directory Connector to sync users and groups from your LDAP or Active Directory service to your Bravura Safe Team. Bravura Safe provides built-in connectors for the most popular LDAP directory servers, including:

  • Microsoft Active Directory

  • Apache Directory Server (ApacheDS)

  • Apple Open Directory

  • Fedora Directory Server

  • Novell eDirectory

  • OpenDS

  • OpenLDAP

  • Sun Directory Server Enterprise Edition (DSEE)

  • Any generic LDAP directory server

Connect to your Server

To configure Directory Connector to use your LDAP or Active Directory:

  1. Open the Directory Connector Desktop Application.

  2. Navigate to the Settings tab.

  3. From the Type drop-down, select Active Directory / LDAP.

    The available fields in this section change according to your selected Type.

  4. Configure the following options:

    Option

    Description

    Server Hostname

    Hostname of your directory server.

    Examples:

    ad.example.com, ldap.company.org

    Server Port

    Port on which your directory server is listening.

    Examples: 389 or 10389

    Root Path

    Root path at which Directory Connector should start all queries.

    Examples:

    cn=users,dc=ad,dc=example,dc=com

    dc=ldap,dc=company,dc=org

    This server uses active directory

    Check this box if the server is an Active Directory server.

    This server pages search results

    Check this box if the server paginates search results (LDAP only).

    This server uses an encrypted connection

    Checking this box will prompt you to select one of the following options:

    • Use SSL (LDAPS) If your LDAPS server uses an untrusted certificate, you can configure certificate options on this screen.

    • Use TLS (STARTTLS) If your LDAP server uses a self-signed certificate for STARTTLS, you can configure certificate options on this screen.

    Username

    The Distinguished Name of an administrative user that the application will use when connecting to the directory server. For Active Directory, the user should be a member of the built-in administrator group.

    Password

    The password of the user specified above. The password is safely stored in the operating system's native credential manager.

Configure Sync Options

To configure the settings used when syncing using Directory Connector:

Note

If you are using Active Directory, many of these settings are predetermined for you and are therefore not shown.

  1. Open the Directory Connector Desktop Application.

  2. Navigate to the Settings tab.

  3. In the Sync section, configure the following options as desired:

    Option

    Description

    Interval

    Time between automatic sync checks (in minutes).

    Remove disabled users during sync

    Check this box to remove users that have been disabled in your directory from the Bravura Safe Team.

    Overwrite existing Team users based on current sync settings

    Check this box to fully overwrite the user set on each sync, including removing users from your Team when they're absent from the directory user set.

    Note

    If for any reason an empty sync is run while this option is enabled, Directory Connector will remove all users. Always run a Test Sync prior to syncing after enabling this option.

    More than 2000 users or groups are expected to sync

    Check this box if you expect to sync 2000+ users or groups. If you do not check this box, Directory Connector will limit a sync at 2000 users or groups.

    Member Attribute

    Name of the attribute used by the directory to define a group's membership; for example, newMember.

    Creation Date Attribute

    Name of the attribute used by the directory to specify when an entry was created; for example, whenCreated.

    Revision Date Attribute

    Name of the attribute used by the directory to specify when an entry was last changed; for example, whenChanged.

    If a user has no email address, combine a username prefix with a suffix value to form an email

    Check this box to form valid email options for users that do not have an email address. Users without real or formed email addresses will be skipped by Directory Connector.

    Formed Email = Email Prefix Attribute + Email Suffix

    Email Prefix Attribute

    Attribute used to create a prefix for formed email addresses.

    Email Suffix

    A string (@example.com) used to create a suffix for formed email addresses.

    Sync users

    Check this box to sync users to your Team.

    Checking this box will allow you to specify a User Filter, User Path, User Object Class, and User Email Attribute.

    User Filter

    See Specify Sync Filters.

    User Path

    Attribute used with the specified Root Path to search for users; for example, ou=users. If no value is supplied, the subtree search will start from the root path.

    User Object Class

    Name of the class used for the LDAP user object; for example, user.

    User Email Attribute

    Attribute to be used to load a user's stored email address.

    Sync groups

    Check this box to sync groups to your Team.

    Checking this box will allow you to specify a Group Filter, Group Path, Group Object Class, and Group Name Attribute.

    Group Filter

    See Specify Sync Filters.

    Group Path

    Attribute used with the specified Root Path to search for groups; for example, ou=groups. If no value is supplied, the subtree search will start from the root path.

    Group Object Class

    Name of the class used for the LDAP group object; for example, groupOfUniqueNames.

    Group Name Attribute

    Name of the attribute used by the directory to define the name of a group; for example, name.

After configuring settings, navigate to the More tab and click Clear Sync Cache to prevent potential conflicts with prior sync operations. See Clear Sync Cache for details.

Specify Sync Filters

User and group filters can be in the form of any LDAP-compatible search filter.

Active Directory provides some advanced options and limitations for writing search filters, when compared to standard LDAP directories. See Microsoft documentation for more information about Active Directory search filters.

Samples
  • To filter a sync for all entries that have objectClass=user and cn (common name) that contains Finance:

    (&(objectClass=user)(cn=*Finance*))

  • (LDAP-only) To filter a sync for all entries with an ou (organization unit) component of their dn (distinguished name) that is either Toronto or Seattle:

    (|(ou:dn:=Toronto)(ou:dn:=Seattle))

  • (LDAP-only) To exclude entities that match an expression, for example all ou=Toronto entries except those that also match an ou=Pickering attribute:

    (&(ou:dn:=Toronto)(!(ou:dn:=Pickering)))

  • (AD Only) To filter a sync for users in the Donors group:

    (&(objectCategory=Person)(sAMAccountName=*)(memberOf=cn=Donors,ou=users,dc=company,dc=com))

  • (AD Only) To filter a sync for users that are members of the Donors group, either directly or via nesting:

    (&(objectCategory=Person)(sAMAccountName=*)(memberOf:1.2.840.113556.1.4.1941:=cn=Donors,ou=users,dc=company,dc=com))
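A filter with an unbalanced parenthesis or a missing operator is an easy way to end up with an empty result set, which is exactly the case the Overwrite option warns about. The following Python parser is an added example written for this page (it is not part of Directory Connector): it reads an RFC 4515 search filter such as the samples above into a small tree, rejects malformed input, and reports the constructs that the samples mark as LDAP-only (the :dn: DN-attribute form) or AD-only (the 1.2.840.113556.1.4.1941 matching rule). It assumes filters contain no backslash escapes, and the dialect labels are taken from the samples rather than from any server's documentation.

```python
"""Minimal RFC 4515 LDAP search-filter parser with a dialect check.

Added example for this page; not Directory Connector code. Assumptions:
filters use no backslash escapes, and the dialect labels come from the
samples above (':dn:' marked LDAP-only, the 1.2.840.113556.1.4.1941
LDAP_MATCHING_RULE_IN_CHAIN rule marked Active Directory-only).
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import List, Optional, Tuple, Union

AD_CHAIN_RULE = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN (nested membership)


class FilterError(ValueError):
    """Raised for an unbalanced or malformed filter."""


@dataclass
class Match:
    attr: str
    op: str                      # '=', '>=', '<=', '~=' or ':=' (extensible match)
    value: str
    dn_attrs: bool = False       # ':dn:' present in an extensible match
    rule: Optional[str] = None   # matching-rule OID or name in an extensible match


@dataclass
class Node:
    op: str                      # '&', '|' or '!'
    children: List["Filter"] = field(default_factory=list)


Filter = Union[Match, Node]


def parse_filter(text: str) -> Filter:
    """Parse a complete filter; characters outside the outer parentheses are an error."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise FilterError(f"trailing characters at offset {pos}: {text[pos:]!r}")
    return node


def _parse(s: str, i: int) -> Tuple[Filter, int]:
    if i >= len(s) or s[i] != "(":
        raise FilterError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|!":
        op = s[i]
        i += 1
        children: List[Filter] = []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if not children or (op == "!" and len(children) != 1):
            raise FilterError(f"operator {op!r} has the wrong number of operands at offset {i}")
        node: Filter = Node(op, children)
    else:
        end = s.find(")", i)          # without escapes, the first ')' closes the item
        if end < 0:
            raise FilterError(f"unterminated item at offset {i}")
        node = _parse_item(s[i:end])
        i = end
    if i >= len(s) or s[i] != ")":
        raise FilterError(f"expected ')' at offset {i}")
    return node, i + 1


def _parse_item(item: str) -> Match:
    for op in (">=", "<=", "~=", ":=", "="):
        idx = item.find(op)
        if idx > 0:
            break
    else:
        raise FilterError(f"no comparison operator in {item!r}")
    lhs, value = item[:idx], item[idx + len(op):]
    if op != ":=":
        return Match(lhs, op, value)
    attr, *flags = lhs.split(":")  # e.g. 'ou:dn' or 'memberOf:1.2.840.113556.1.4.1941'
    rules = [f for f in flags if f and f != "dn"]
    if len(rules) > 1:
        raise FilterError(f"more than one matching rule in {item!r}")
    return Match(attr, op, value, dn_attrs="dn" in flags, rule=rules[0] if rules else None)


def dialect_notes(node: Filter) -> List[str]:
    """List the constructs that only certain directory servers accept."""
    notes: List[str] = []
    if isinstance(node, Node):
        for child in node.children:
            notes.extend(dialect_notes(child))
        return notes
    if node.dn_attrs:
        notes.append(f"{node.attr}:dn:= matches DN components (LDAP-only in the samples above)")
    if node.rule == AD_CHAIN_RULE:
        notes.append(f"{node.attr} uses LDAP_MATCHING_RULE_IN_CHAIN (Active Directory only)")
    return notes


if __name__ == "__main__":
    sample = ("(&(objectCategory=Person)(sAMAccountName=*)"
              "(memberOf:1.2.840.113556.1.4.1941:=cn=Donors,ou=users,dc=company,dc=com))")
    print(parse_filter(sample))
    print(dialect_notes(parse_filter(sample)))
```

Run it on a candidate User Filter or Group Filter before pasting it into the Settings tab; a FilterError points at the offset of the problem, and the dialect notes tell you whether the filter will only work with the server type you have selected.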

Test a Sync

If successful, users and groups will be printed to the Directory Connector window according to specified Sync options and filters.

Start Automatic Sync

Once Sync options and filters are configured, you can begin syncing. To start automatic sync with Directory Connector:

Alternatively, click Sync Now to execute a one-time manual sync.

Directory Connector begins polling your directory based on the configured Sync options and filters.

If you exit or close the application, automatic sync will stop. To keep Directory Connector running in the background, minimize the application or hide it to the system tray.

This section shows you how to use Directory Connector to sync users and groups from your Azure Active Directory to your Bravura Safe Team.

Azure AD setup

Complete the following processes from the Microsoft Azure Portal before configuring Directory Connector. The information obtained from these processes is required for Directory Connector to function properly.

Create App Registration

To create an app registration for Directory Connector:

  1. From your Microsoft Azure portal, navigate to the Azure Active Directory resource.

  2. From the left-hand navigation, select App registrations.

  3. Select New registration and give your registration a Bravura Safe-specific name; for example, safe-dc.

  4. Select Register.

Grant App Permissions

To grant the created app registration the required permissions:

  1. On the created Bravura Safe application, select API Permissions from the left-hand navigation.

  2. Click Add a permission.

  3. When prompted to Select an API, select Microsoft Graph.

  4. Set the following Delegated permissions:

    • User > User.ReadBasic.All (Read all users' basic profiles)

    • User > User.Read.All (Read all users' full profiles)

    • Group > Group.Read.All (Read all groups)

    • AdministrativeUnit > AdministrativeUnit.Read.All (Only required if you'll be syncing Administrative Units)

  5. Set the following Application Permissions:

    • User > User.Read.All (Read all users' full profiles)

    • Group > Group.Read.All (Read all groups)

    • AdministrativeUnit > AdministrativeUnit.Read.All (Only required if you'll be syncing Administrative Units)

  6. On the API Permissions page, click Grant admin consent for...

Create App Secret Key

To create a secret key to be used by Directory Connector:

  1. On the created Bravura Safe application, select Certificates & secrets from the left-hand navigation.

  2. Click New client secret and add a safe-specific description (for example, safe-dc-secret) and an expiration date (Bravura Security recommends selecting Never).

  3. Click Save.

  4. Copy the secret's value to a safe place for later use.

Get App ID

To obtain the app ID to be used by Directory Connector:

  1. On the created Bravura Safe application, select Overview from the left-hand navigation.

  2. Copy the Application (client) ID to a safe place for later use.

Get Tenant Hostname

To obtain the tenant hostname to be used by Directory Connector:

  1. From anywhere in the Azure portal, select the Directory + subscription filter button from the main navigation.

  2. Copy the Current directory: value to a safe place for later use.

Connect to your Directory

After you have completed the Azure AD setup steps, configure Directory Connector to use your Azure Active Directory:

  1. Open the Directory Connector Desktop Application.

  2. Navigate to the Settings tab.

  3. From the Type drop-down, select Azure Active Directory.

    The available fields in this section change according to your selected Type.

  4. Enter the collected Tenant hostname, Application Id, and Secret Key. See Azure AD setup.

Configure Sync Options

To configure the settings used when syncing using Directory Connector:

  1. Open the Directory Connector Desktop Application.

  2. Navigate to the Settings tab.

  3. In the Sync section, configure the following options as desired:

    Option

    Description

    Interval

    Time between automatic sync checks (in minutes).

    Remove disabled users during sync

    Check this box to remove users that have been disabled in your directory from the Bravura Safe Team.

    Overwrite existing Team users based on current sync settings

    Check this box to always perform a full sync and remove any users from the Bravura Safe Team if they are not in the synced user set.

    More than 2000 users or groups are expected to sync

    Check this box if you expect to sync 2000+ users or groups. If you do not check this box, Directory Connector will limit a sync at 2000 users or groups.

    Sync users

    Check this box to sync users to your Team. Checking this box will allow you to specify User Filters.

    User Filter

    Use comma-separated lists to include or exclude from a sync based on User Email, or Group Membership (below).

    Sync Groups

    Check this box to sync groups to your Team. Checking this box will allow you to specify Group Filters.

    Group Filter

    Use comma-separated lists to include or exclude from a sync based on Group name (below).

The following filtering syntaxes should be used in the User Filter field:

Include/Exclude Users by Email

To include or exclude specific users from a sync based on email address:

include:joe@example.com,bill@example.com,tom@example.com

exclude:joe@example.com,bill@example.com,tom@example.com

User by group membership

You can include or exclude users from a sync based on their Azure Active Directory group membership using the includeGroup and excludeGroup keywords. These keywords use Group Object ID, available from the Overview page of the group in the Azure Portal or through the Azure AD PowerShell:

includeGroup:963b5acd-9540-446c-8e99-29d68fcba8eb,9d05a51c-f173-4087-9741-a7543b0fd3bc

excludeGroup:963b5acd-9540-446c-8e99-29d68fcba8eb,9d05a51c-f173-4087-9741-a7543b0fd3bc

The following filtering syntaxes should be used in the Group Filter field:

Include/Exclude Groups

To include or exclude groups from a sync based on group name:

include:Group A,Group B

exclude:Group A,Group B

Group by Administrative Unit (AU)

You can include or exclude groups from a sync based on their tagged Azure Active Directory Administrative Units (AUs) by using the includeadministrativeunit and excludeadministrativeunit keywords. These keywords use the Object ID of the Administrative Unit:

includeadministrativeunit:7ckcq6e5-d733-4b96-be17-5bad81fe679d

excludeadministrativeunit:7ckcq6e5-d733-4b96-be17-5bad81fe679d

After configuring settings, navigate to the More tab and click Clear Sync Cache to prevent potential conflicts with prior sync operations. See Clear Sync Cache for details.

Test a Sync

If successful, users and groups will be printed to the Directory Connector window according to specified Sync options and filters.

It may take up to 15 minutes for permissions for your application to properly propagate. In the meantime, you may receive Insufficient privileges to complete the operation errors.

Update your application if you receive the following error message:

Resource <user id> does not exist or one of its queried reference-property objects are not present, you need to permanently delete or restore the user(s) with <user id>.

Start Automatic Sync

Once Sync options and filters are configured, you can begin syncing. To start automatic sync with Directory Connector:

Alternatively, click Sync Now to execute a one-time manual sync.

Directory Connector begins polling your directory based on the configured Sync options and filters.

If you exit or close the application, automatic sync will stop. To keep Directory Connector running in the background, minimize the application or hide it to the system tray.

This section shows you how to use Directory Connector to sync users and groups from your Google Workspace (formerly "G Suite") Directory to your Bravura Safe Team.

Google Workspace setup

To set up directory sync with Google Workspace (formerly "G Suite"), you will need access to the Google Workspace Admin Portal and Google Cloud Platform Console. Information from these processes is required for Directory Connector to function properly.

Create a Cloud Project

A Google Cloud project is needed to connect Directory Connector to your directory. If you already have a Google Cloud project available, skip to Enable Admin SDK (below).

To create a Google Cloud project to use to connect Directory Connector to your directory:

  1. In the GCP Console, click Create Project.

  2. Enter a safe-specific name for the project (for example, safe-dc-project) and click Create.

Enable Admin SDK

Complete the following steps to enable the Admin SDK API, to which Directory Connector will make requests:

  1. In the GCP Console, select the created or pre-existing Project.

  2. From the left-hand navigation, select APIs & Services > Library.

  3. In the search box, type Admin SDK and open the Admin SDK API service.

  4. Click Enable.

Create Service Account

Complete the following steps to create a service account to use when making API calls:

  1. In the GCP Console, select the created or pre-existing Project.

  2. From the left-hand navigation, select APIs & Services > Credentials.

  3. Click Create Credentials, and select Service account from the drop-down.

  4. Fill in the Service account details section, and click Create.

  5. In the Grant this service account access to project section, select Project > Owner from the Role drop-down and click Continue.

  6. Click Done.

Obtain Service Account Credentials

To obtain the appropriate permissions for the created service account:

  1. In the GCP Console, select the created or pre-existing Project.

  2. From the left-hand navigation, select IAM & Admin > Service Accounts.

  3. Select the created service account.

  4. On the Service Account Details page, click Add Key and select Create new key from the drop-down.

  5. Select the Key type: JSON and click Create to download a JSON-formatted key to your local machine.

  6. Back on the details page of your service account, select the Show Domain-wide Delegation drop-down.

  7. Check the Enable Domain-wide Delegation box.

  8. Enter a Product name for the consent page.

  9. Click Save.

Allow Read Access to Google Workspace

To authorize the client to read your directory:

  1. Open the Google Admin Portal.

  2. From the left-hand navigation, click Security > API Controls.

  3. Click Manage Domain Wide Delegation.

  4. Click Add new.

  5. In the Client ID field, paste the created Client ID.

    To retrieve the created Client ID, open the GCP Console and navigate to APIs & Services > Credentials.

  6. In the OAuth scopes field, paste the following value to grant only read access:

    https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.group.readonly,https://www.googleapis.com/auth/admin.directory.group.member.readonly

  7. Click Authorize.

Connect to your Directory

To configure Directory Connector to use your Google directory:

  1. Open the Directory Connector Desktop Application.

  2. Navigate to the Settings tab.

  3. From the Type drop-down, select G Suite (Google).

    The available fields in this section change according to your selected Type.

  4. Enter the Domain of your Google account.

  5. Enter the email address of an Admin User with full access to your Google Directory.

  6. If you have one, enter the Customer ID of your directory. Many users will not have or be required to enter a Customer ID.

  7. Click Choose File and select the downloaded JSON key.

Configure Sync Options

To configure the settings used when syncing using Directory Connector:

  1. Open the Directory Connector Desktop Application.

  2. Navigate to the Settings tab.

  3. In the Sync section, configure the following options as desired:

    Option

    Description

    Interval

    Time between automatic sync checks (in minutes).

    Remove disabled users during sync

    Check this box to remove users that have been disabled in your directory from the Bravura Safe Team.

    Overwrite existing Team users based on current sync settings

    Check this box to always perform a full sync and remove any users from the Bravura Safe Team if they are not in the synced user set.

    More than 2000 users or groups are expected to sync

    Check this box if you expect to sync 2000+ users or groups. If you do not check this box, Directory Connector will limit a sync at 2000 users or groups.

    Sync users

    Check this box to sync users to your Team. Checking this box will allow you to specify a User Filter.

    User Filter

    Use comma-separated lists to include or exclude from a sync based on User Email (below).

    Sync groups

    Check this box to sync groups to your Team. Checking this box will allow you to specify a Group Filter.

    Group Filter

    Use comma-separated lists to include or exclude from a sync based on Group (below).

Include/Exclude Users by Email

To include or exclude specific users based on email address:

include:anne@example.com,john@example.com,sarah@example.com

exclude:anne@example.com,john@example.com,sarah@example.com

Concatenate with filter

To concatenate a user filter with the filter parameter, use a pipe ( | ):

include:john@example.com,sarah@example.com|profile.firstName eq "John"

exclude:john@example.com,sarah@example.com|profile.firstName eq "John"

Use only filter

To use only the filter parameter, prefix the query with a pipe ( | ):

|profile.lastName eq "Smith"

To include or exclude groups from a sync based on group name:

include:Group A,Group B

exclude:Group A,Group B

After configuring settings, navigate to the More tab and click Clear Sync Cache to prevent potential conflicts with prior sync operations. See Clear Sync Cache for details.

Test a Sync

If successful, users and groups will be printed to the Directory Connector window according to specified Sync options and filters.

Start Automatic Sync

Once Sync options and filters are configured, you can begin syncing. To start automatic sync with Directory Connector:

Alternatively, click Sync Now to execute a one-time manual sync.

Directory Connector begins polling your directory based on the configured Sync options and filters.

If you exit or close the application, automatic sync will stop. To keep Directory Connector running in the background, minimize the application or hide it to the system tray.

This section shows you how to start using Directory Connector to sync users and groups from your OneLogin directory to your Bravura Safe Team.

Create API Credentials

Directory Connector needs OneLogin-generated API Credentials to connect to your directory. To create and obtain API credentials for use by Directory Connector:

  1. Log in to your OneLogin Administration portal (https://yourdomain.onelogin.com/admin).

  2. Navigate to Developers > API Credentials.

  3. Click New Credential and give your credential a safe-specific name; for example, safe-dc.

  4. Select the Read Users option to give read permission for user fields, roles, and groups, and click Save.

  5. Copy the generated Client ID and Client Secret.

    You can return to view these at any time.

Connect to your Directory

To configure Directory Connector to use your OneLogin directory:

  1. Open the Directory Connector Desktop Application.

  2. Navigate to the Settings tab.

  3. From the Type drop-down, select OneLogin.

    The available fields in this section change according to your selected Type.

  4. Enter the Client ID and Client Secret obtained from OneLogin.

  5. From the Region drop-down, select your region.

Configure Sync Options

To configure the settings used when syncing using Directory Connector:

  1. Open the Directory Connector Desktop Application.

  2. Navigate to the Settings tab.

  3. In the Sync section, configure the following options as desired:

    Option

    Description

    Interval

    Time between automatic sync checks (in minutes).

    Remove disabled users during sync

    Check this box to remove users that have been disabled in your directory from the Bravura Safe Team.

    Overwrite existing Team users based on current sync settings

    Check this box to always perform a full sync and remove any users from the Bravura Safe Team if they are not in the synced user set.

    This is recommended for OneLogin directories.

    More than 2000 users or groups are expected to sync

    Check this box if you expect to sync 2000+ users or groups. If you do not check this box, Directory Connector will limit a sync at 2000 users or groups.

    If a user has no email address, combine a username prefix with a suffix value to form an email

    Check this box to form valid email options for users that do not have an email address.

    Users without real or formed email addresses will be skipped by Directory Connector.

    Formed email = <username> + <email suffix>

    Email Suffix

    A string (@example.com) used to create a suffix for formed email addresses.

    Sync users

    Check this box to sync users to your Team. Checking this box will allow you to specify User Filters.

    User Filter

    Use comma-separated lists to include or exclude from a sync based on User Email (below).

    Sync Groups

    Check this box to sync groups to your Team. Checking this box will allow you to specify Group Filters.

    Please be aware, Directory Connector uses OneLogin role values to create Bravura Safe groups.

    Group Filter

    Use comma-separated lists to include or exclude from a sync based on Group (below).

    Note

    Directory Connector will create Bravura Safe groups based on OneLogin Roles, not OneLogin Groups.

To include or exclude specific users from a sync based on email address:

include:anne@example.com,john@example.com,sarah@example.com

exclude:anne@example.com,john@example.com,sarah@example.com

To include or exclude groups from a sync based on OneLogin roles:

include:Role A,Role B

exclude:Role A,Role B

After configuring settings, navigate to the More tab and click Clear Sync Cache to prevent potential conflicts with prior sync operations. See Clear Sync Cache for details.

Test a Sync

If successful, users and groups are printed to the Directory Connector window according to specified Sync options and filters.

Start Automatic Sync

Once Sync options and filters are configured, you can begin syncing. To start automatic sync with Directory Connector:

Alternatively, click Sync Now to execute a one-time manual sync.

Directory Connector begins polling your directory based on the configured Sync options and filters.

If you exit or close the application, automatic sync will stop. To keep Directory Connector running in the background, minimize the application or hide it to the system tray.

This section shows you how to use Directory Connector to sync users and groups from your Okta directory to your Bravura Safe Team.

Create an Okta API Token

Directory Connector needs an Okta-generated token to connect to your directory. To create and obtain an Okta API Token for use by Directory Connector:

  1. From your Okta Developer Console (https://yourdomain-admin.okta.com), navigate to Security > API > Tokens.

  2. Click Create Token and give your token a safe-specific name; for example, safe-dc.

  3. Copy the generated Token Value to the clipboard (see note below).

    Warning

    Your Token Value will not be shown again. Paste it somewhere safe to prevent it from being lost.

Connect to your Directory

To configure Directory Connector to use your Okta Directory:

  1. Open the Directory Connector Desktop Application.

  2. Navigate to the Settings tab.

  3. From the Type drop-down, select Okta.

    The available fields in this section change according to your selected Type.

  4. Enter your Okta Organization URL in the Team URL field; for example, https://yourdomain.okta.com.

  5. Paste the API Token Value in the Token field.

Configure Sync options

To configure the settings used when syncing using Directory Connector with Okta:

  1. Open the Directory Connector Desktop Application.

  2. Navigate to the Settings tab.

  3. In the Sync section, configure the following options as desired:

    Option

    Description

    Interval

    Time between automatic sync checks (in minutes).

    Remove disabled users during sync

    Check this box to remove users that have been disabled in your directory from the Bravura Safe Team.

    Overwrite existing Team users based on current sync settings

    Check this box to always perform a full sync and remove any users from the Bravura Safe Team if they are not in the synced user set.

    More than 2000 users or groups are expected to sync

    Check this box if you expect to sync 2000+ users or groups. If you do not check this box, Directory Connector will limit a sync at 2000 users or groups.

    Sync users

    Check this box to sync users to your Team. Checking this box will allow you to specify User Filters.

    User Filter

    Use comma-separated lists to include or exclude based on User Email (below).

    Additionally, Okta APIs provide limited filtering capabilities for Users and Groups that may be used in Directory Connector Filter fields. Consult Okta documentation for more information about using the filter parameter for Users.

    Sync Groups

    Check this box to sync groups to your Team. Checking this box will allow you to specify Group Filters.

    Group Filter

    Use comma-separated lists to include or exclude based on Groups (below).

    Additionally, Okta APIs provide limited filtering capabilities for Users and Groups that may be used in Directory Connector Filter fields. Consult Okta documentation for more information about using the filter parameter for Groups.

Include/Exclude Users by Email

To include or exclude specific users based on email address:

include:anne@example.com,john@example.com,sarah@example.com

exclude:anne@example.com,john@example.com,sarah@example.com

Concatenate with filter

To concatenate a user filter with the filter parameter, use a pipe ( | ):

include:john@example.com,sarah@example.com|profile.firstName eq "John"

exclude:john@example.com,sarah@example.com|profile.firstName eq "John"

Use only filter

To use only the filter parameter, prefix the query with a pipe ( | ):

|profile.lastName eq "Smith"

Include/Exclude Groups

To include or exclude groups by name:

include:Group A,Group B

exclude:Group A,Group B

Concatenate with filter

To concatenate a group filter with the filter parameter, use a pipe ( | ):

include:Group A|type eq "APP_GROUP"

exclude:Group A|type eq "APP_GROUP"

Use only filter

To use only the filter parameter, prefix the query with a pipe ( | ):

|type eq "BUILT_IN"
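The include/exclude syntax is shared by the Azure Active Directory, Google Workspace, OneLogin and Okta sections above, and the Google and Okta sections add the pipe-separated filter parameter. The following Python code is an added example written for this page, not Directory Connector's own code: it parses a User Filter or Group Filter string, then evaluates it against constructed sample records so that you can preview which users or groups a filter keeps before running a sync. Its assumptions are labelled in the code: the keyword is matched case-insensitively, only the attr eq "value" form of the filter parameter shown on this page is evaluated locally, a record must pass both the filter parameter and the list rule, and list values are compared exactly after trimming whitespace. The group and administrative-unit IDs in the sample records reuse the sample values shown on this page.

```python
"""Parser and local evaluator for the include/exclude filter syntax.

Added example for this page; not Directory Connector code. Assumptions:
the keyword before the first ':' is matched case-insensitively; text after
the first '|' is the directory's own filter parameter, of which only the
'attr eq "value"' form shown on this page is evaluated here; a record must
pass both the filter parameter and the list rule; list values are compared
exactly after trimming whitespace.
"""
import re
from dataclasses import dataclass
from typing import Any, Dict, Iterable, List, Optional, Set

# Keyword suffix after include/exclude -> scope, and the record key each scope consults.
SCOPES = {"": "entry", "group": "group", "administrativeunit": "administrativeunit"}
SCOPE_KEYS = {"group": "groups", "administrativeunit": "administrativeUnits"}
QUERY_RE = re.compile(r'^([A-Za-z_][\w.]*)\s+eq\s+"([^"]*)"$')


class SyncFilterError(ValueError):
    """Raised for a filter string the syntax on this page does not cover."""


@dataclass
class SyncFilter:
    mode: Optional[str]    # "include", "exclude" or None when only a '|query' is given
    scope: str             # "entry" (email or group name), "group" or "administrativeunit"
    values: Set[str]
    query: Optional[str]   # text after '|', normally passed through to the directory API


def parse_sync_filter(text: str) -> SyncFilter:
    list_part, pipe, query = text.partition("|")
    query = query.strip() if pipe else None
    list_part = list_part.strip()
    if not list_part:
        return SyncFilter(None, "entry", set(), query)
    keyword, colon, raw_values = list_part.partition(":")
    kw = keyword.strip().lower()
    mode = next((m for m in ("include", "exclude") if kw.startswith(m)), None)
    if not colon or mode is None or kw[len(mode):] not in SCOPES:
        raise SyncFilterError(f"expected an include/exclude keyword and ':' in {text!r}")
    values = {v.strip() for v in raw_values.split(",") if v.strip()}
    if not values:
        raise SyncFilterError(f"empty {keyword} list in {text!r}")
    return SyncFilter(mode, SCOPES[kw[len(mode):]], values, query)


def _lookup(record: Dict[str, Any], path: str) -> Any:
    """Resolve a dotted path such as profile.firstName inside a record."""
    cur: Any = record
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def query_matches(record: Dict[str, Any], query: Optional[str]) -> bool:
    if query is None:
        return True
    m = QUERY_RE.match(query)
    if not m:
        raise SyncFilterError(f"only the 'attr eq \"value\"' form is evaluated here: {query!r}")
    return _lookup(record, m.group(1)) == m.group(2)


def list_matches(record: Dict[str, Any], f: SyncFilter, entry_key: str) -> bool:
    if f.mode is None:
        return True
    if f.scope == "entry":
        hit = record.get(entry_key) in f.values
    else:  # group membership or administrative-unit tagging: any overlap counts
        hit = bool(set(record.get(SCOPE_KEYS[f.scope], ())) & f.values)
    return hit if f.mode == "include" else not hit


def select(records: Iterable[Dict[str, Any]], filter_text: str, entry_key: str = "email") -> List[str]:
    """Return the entry keys (emails or group names) that a filter string keeps."""
    f = parse_sync_filter(filter_text)
    return [r[entry_key] for r in records
            if query_matches(r, f.query) and list_matches(r, f, entry_key)]


# Constructed sample records; the IDs reuse the sample values shown on this page.
USERS = [
    {"email": "john@example.com", "profile": {"firstName": "John", "lastName": "Smith"},
     "groups": {"963b5acd-9540-446c-8e99-29d68fcba8eb"}},
    {"email": "sarah@example.com", "profile": {"firstName": "Sarah", "lastName": "Smith"},
     "groups": {"9d05a51c-f173-4087-9741-a7543b0fd3bc"}},
    {"email": "anne@example.com", "profile": {"firstName": "John", "lastName": "Lee"},
     "groups": set()},
]
GROUPS = [
    {"name": "Group A", "type": "APP_GROUP",
     "administrativeUnits": {"7ckcq6e5-d733-4b96-be17-5bad81fe679d"}},
    {"name": "Group B", "type": "BUILT_IN", "administrativeUnits": set()},
    {"name": "Everyone", "type": "BUILT_IN", "administrativeUnits": set()},
]

if __name__ == "__main__":
    print(select(USERS, 'include:john@example.com,sarah@example.com|profile.firstName eq "John"'))
    print(select(GROUPS, 'include:Group A|type eq "APP_GROUP"', entry_key="name"))
```

Pass entry_key="email" for a User Filter and entry_key="name" for a Group Filter (OneLogin role names go in the same position). Because the real filter parameter is evaluated by the directory's API, treat the local result as a sanity check on the list part of the filter and confirm the combined result with Test Sync.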

After configuring settings, navigate to the More tab and click Clear Sync Cache to prevent potential conflicts with prior sync operations. See Clear Sync Cache for details.

Specify Sync Filters

Use comma-separated lists to include or exclude based on User Email or Group Name. Additionally, Okta APIs provide limited filtering capabilities for Users and Groups that may be used in Directory Connector Filter fields.

Consult Okta documentation for more information about using the filter parameter for Users and Groups.

Test Connection

If successful, users and groups will be printed to the Directory Connector window according to specified Sync options and filters.

Start Automatic Sync

Once Sync options and filters are configured, you can begin syncing. To start automatic sync with Directory Connector:

Alternatively, click Sync Now to execute a one-time manual sync.

Directory Connector begins polling your directory based on the configured Sync options and filters.

If you exit or close the application, automatic sync will stop. To keep Directory Connector running in the background, minimize the application or hide it to the system tray.

Regardless of which directory you are syncing from, enable the More than 2000 users or groups are expected to sync option to signal to Directory Connector that you are expecting a large number of users or groups:

  1. Log in to the Directory Connector.

  2. Click on the Settings tab.

  3. Enable More than 2000 users or groups are expected to sync.

You can also enable this option directly in the Directory Connector configuration file, data.json by setting "largeImport": true:

"syncConfig": {
...,
...,
...,
"largeImport": true
},

Note

Directory Connector will limit a sync to 2000 users/groups if you do not enable this option.

While syncing changes to your Team, Directory Connector keeps a local cache. This cache lets Directory Connector send only the deltas (the before/after differences) between the two directories.

If you encounter sync errors, or if a particular directory change is not being synced as expected, you should clear this cache. Clearing the cache will trigger a full sync to occur during the next sync operation.

To clear the local cache:

Desktop

From the Directory Connector desktop app:

  1. Click the More tab.

  2. In the Other section, click the Clear Sync Cache button.

CLI

Use the following command:

bsafedc clear-cache

Automatic syncs can be scheduled for Teams using the Directory Connector CLI, on defined intervals as an alternative to using the desktop application's interval setting. This is particularly useful in headless environments, or in circumstances where a desktop application cannot be left running in the background.

To schedule syncs, use cron in Unix-like environments (including Linux and macOS) and Task Scheduler in Windows environments:

When running a cron job, Bravura Security recommends doing so as a dedicated Directory Connector user. Create a bsafedc user if you haven't already, and add that user to /etc/cron.allow. This allows a non-root user to set up and run cron jobs.

In order to continue, you will also need your Team's API Key client_id and client_secret, which can be obtained by a Team owner from the web interface by clicking Team Settings > My team.

As the permitted bsafedc user:

  1. Edit the user's crontab file by entering crontab -e in the terminal, or edit the crontab file as any user by entering crontab -u <bsafedc_username> -e.

  2. Add a line to the crontab that includes:

    • A scheduling expression that will determine the time/recurrence interval on which to execute the desired command. For example, 0 0 * * 2 to run every Tuesday at midnight.

    • The command to execute at the specified time/recurrence interval. In this case, execute the previously created sync script. For example, bsafedcSyncService.sh:

For example, to run the sync script every Monday at 12:00 (in your own crontab, give the script's full path, because cron runs with a minimal PATH):

0 12 * * 1 bsafedcSyncService.sh

Use the following reference when scheduling syncs via cron to ensure you're scheduling them for the desired time:

# ┌───────────── minute (0 - 59)
# │ ┌───────────── hour (0 - 23)
# │ │ ┌───────────── day of the month (1 - 31)
# │ │ │ ┌───────────── month (1 - 12)
# │ │ │ │ ┌───────────── day of the week (0 - 6) (Sunday to Saturday;
# │ │ │ │ │                                   7 is also Sunday on some systems)
# │ │ │ │ │
# │ │ │ │ │
# * * * * * <command to execute>

If you are not comfortable with cron job scheduling expressions, check out https://crontab.guru/ for help.

When running a task, Bravura Security recommends doing so as a dedicated Directory Connector user. Create a bsafedc user if you have not already.

In order to continue, you will also need your Team's API Key client_id and client_secret, which can be obtained by a Team owner from the web interface by clicking Team Settings > My team.

To run the sync as the Task Scheduler Action without hitting session timeouts, you will need to create a script. This script should securely read your client_secret to complete the login, then run a bsafedc sync command that writes its output to bsafedc.log.

You can then specify each directory to sync by performing multiple bsafedc sync operations, for example:

BRAVURASAFECLI_CONNECTOR_APPDATA_DIR="./instance-1" bsafedc sync

BRAVURASAFECLI_CONNECTOR_APPDATA_DIR="./instance-2" bsafedc sync

As the dedicated bsafedc user:

  1. Open Task Scheduler and click Create Task from the Actions menu.

  2. Configure the task with the following Security options:

    • Set the task to use the created bsafedc user.

    • Set the task to Run whether user is logged on or not.

  3. Click the Triggers tab and click New... to create a trigger that fits your directory sync needs.

    For example, you could create a Weekly Trigger that runs at 8:00 PM every Sunday or every week.

  4. Click the Actions tab and select the New... button to create an Action that runs the created sync script.

  5. Click OK to finish creating the scheduled task.
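The cron and Task Scheduler procedures above both invoke a sync script, bsafedcSyncService.sh, that the page describes but does not show. The following is an added example of such a wrapper; it is not Bravura Security's own script. It uses only the commands and variable that appear on this page (bsafedc sync, bsafedc clear-cache, BRAVURASAFECLI_CONNECTOR_APPDATA_DIR) and makes three assumptions that the page does not state: the client_secret is stored in a file readable only by the bsafedc user, the login invocation is left as a placeholder (BSAFEDC_LOGIN_CMD) because the page does not say how bsafedc accepts the secret, and every directory instance has its own application data directory. Before syncing it refuses to run if the secret file is readable by other accounts or if a previous run still holds the lock, and with BSAFEDC_FULL_SYNC=1 it runs the documented clear-cache command first so the next sync is a full one.

```shell
#!/bin/sh
# bsafedcSyncService.sh: wrapper for scheduled Directory Connector syncs (cron or Task Scheduler).
# Added example, not Bravura Security's own script. Assumptions not stated on the page:
#  - the client_secret is kept in a file that only the bsafedc user can read (mode 0600);
#  - how bsafedc receives the secret at login is not documented here, so the login step is a
#    placeholder command (BSAFEDC_LOGIN_CMD) that sees the secret in the CLIENT_SECRET variable;
#  - each directory instance is a separate BRAVURASAFECLI_CONNECTOR_APPDATA_DIR (from the page).

SECRET_FILE="${BSAFEDC_SECRET_FILE:-$HOME/.bsafedc/client_secret}"
LOG_FILE="${BSAFEDC_LOG_FILE:-$HOME/bsafedc.log}"
LOCK_DIR="${BSAFEDC_LOCK_DIR:-$HOME/.bsafedc/sync.lock}"
SYNC_CMD="${BSAFEDC_SYNC_CMD:-bsafedc sync}"
CLEAR_CACHE_CMD="${BSAFEDC_CLEAR_CACHE_CMD:-bsafedc clear-cache}"
LOGIN_CMD="${BSAFEDC_LOGIN_CMD:-}"   # placeholder: your bsafedc login invocation, if one is needed
FULL_SYNC="${BSAFEDC_FULL_SYNC:-0}"  # set to 1 to clear the sync cache first (forces a full sync)

log() {
  printf '[%s] %s\n' "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$*" >>"$LOG_FILE"
}

# Succeed only for a regular file whose permission bits are 0600 or 0400: a secret file that
# other accounts can read defeats the purpose of running under a dedicated user.
secret_file_is_private() {
  f="$1"
  [ -f "$f" ] || return 1
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null) || return 1
  case "$(printf '%s' "$mode" | tail -c 3)" in
    600|400) return 0 ;;
    *)       return 1 ;;
  esac
}

# Sync one instance directory. The CLI's own output goes to the log as well, so a failed run
# leaves its reason next to the "rc=" line.
run_sync_instance() {
  appdata="$1"
  log "sync start appdata=$appdata"
  if [ "$FULL_SYNC" = 1 ]; then
    BRAVURASAFECLI_CONNECTOR_APPDATA_DIR="$appdata" sh -c "$CLEAR_CACHE_CMD" >>"$LOG_FILE" 2>&1 \
      || log "clear-cache failed for $appdata, continuing with delta sync"
  fi
  if BRAVURASAFECLI_CONNECTOR_APPDATA_DIR="$appdata" sh -c "$SYNC_CMD" >>"$LOG_FILE" 2>&1; then
    rc=0
  else
    rc=$?
  fi
  log "sync end appdata=$appdata rc=$rc"
  return "$rc"
}

# Sync every instance directory passed as an argument. Returns 0 only if all of them succeeded;
# refuses to start when the secret file is readable by others or a previous run is still going
# (overlapping runs fight over the same local cache).
run_all() {
  secret_file_is_private "$SECRET_FILE" || { log "refusing to run: $SECRET_FILE must be mode 0600"; return 2; }
  mkdir "$LOCK_DIR" 2>/dev/null || { log "another sync still holds $LOCK_DIR, skipping"; return 3; }
  # The secret is passed only through the environment of the login process, never as a
  # command-line argument (arguments are visible to every local user via ps).
  if [ -n "$LOGIN_CMD" ]; then
    CLIENT_SECRET=$(cat "$SECRET_FILE") sh -c "$LOGIN_CMD" >>"$LOG_FILE" 2>&1 \
      || { log "login failed"; rmdir "$LOCK_DIR"; return 4; }
  fi
  failures=0
  for d in "$@"; do
    run_sync_instance "$d" || failures=$((failures + 1))
  done
  rmdir "$LOCK_DIR"
  log "run complete: $# instance(s), $failures failure(s)"
  return "$failures"
}

# Run only when invoked as the script itself (what cron or Task Scheduler does), not when sourced.
case "$0" in
  *bsafedcSyncService.sh)
    [ $# -gt 0 ] || set -- "$HOME/.bsafedc/instance-1"
    run_all "$@"
    ;;
esac
```

Invoke it from the crontab line or the Task Scheduler Action with one application data directory per argument (for example bsafedcSyncService.sh /home/bsafedc/instance-1 /home/bsafedc/instance-2, mirroring the two BRAVURASAFECLI_CONNECTOR_APPDATA_DIR invocations shown above). The lock is a directory created with mkdir because that call is atomic on every POSIX system; if a run is killed mid-way the stale lock has to be removed by hand, which the log line "another sync still holds ..." makes visible.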