We use the AD connector to sync our on-premises users to OneLogin, and these users' roles are provisioned using mappings with conditions around group membership, distinguishedname, company, department, and email address. When a new user is synced from Active Directory he or she is mapped correctly and receives the correct roles.
Later, if a user is changed in Active Directory, the changes will be replicated up to OneLogin automatically. However, this doesn't always result in mappings being re-applied. In one case I had a bad mapping that should have resulted in a subset of users receiving the wrong role, but the mapping never seemed to take effect. Several months later I was alerted to one user whose roles were incorrect, and I was able to trace down the faulty mapping and disable it. This would have been prevented if the mapping had taken effect when I first created or modified it.
Is there any documentation on exactly when and under what conditions a re-mapping will take place for a user?
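Until the re-mapping behaviour is documented, the practical defence is a periodic drift check: re-evaluate the mapping conditions against each user's current attributes and compare the result with the roles the user actually holds. The script below is an added example, not OneLogin's code or API; it uses a simplified mapping model (attribute, operator, value conditions that all must hold, one role per mapping) and constructed users and mappings covering the attributes the question lists (group membership, DN, department, email).

```python
"""Offline drift check for attribute-driven role mappings.
All users and mappings here are constructed sample data; the mapping
model is a simplified stand-in, not OneLogin's real schema."""
from dataclasses import dataclass


@dataclass
class User:
    email: str
    department: str
    dn: str           # AD distinguishedName
    groups: set       # AD group names the user is a member of
    roles: set        # roles currently assigned in the IdP


@dataclass
class Mapping:
    name: str
    conditions: list  # (attribute, operator, value); ALL must hold
    role: str
    enabled: bool = True


def condition_holds(user, attr, op, value):
    """Evaluate one condition. 'contains' works on strings (e.g. dn,
    email) and on sets (group membership)."""
    actual = getattr(user, attr)
    if op == "equals":
        return actual == value
    if op == "contains":
        return value in actual
    raise ValueError(f"unknown operator {op!r}")


def expected_roles(user, mappings):
    """Roles the enabled mappings would assign to the user right now."""
    return {m.role for m in mappings
            if m.enabled and all(condition_holds(user, *c) for c in m.conditions)}


def find_drift(users, mappings):
    """Return {email: (missing_roles, extra_roles)} for every user whose
    assigned roles differ from what the mappings would now produce."""
    drift = {}
    for u in users:
        expected = expected_roles(u, mappings)
        missing, extra = expected - u.roles, u.roles - expected
        if missing or extra:
            drift[u.email] = (missing, extra)
    return drift


MAPPINGS = [  # constructed
    Mapping("Finance staff", [("department", "equals", "Finance")], "finance-apps"),
    Mapping("Engineering staff", [("groups", "contains", "Engineering"),
                                  ("dn", "contains", "OU=Staff")], "eng-apps"),
    Mapping("All corp accounts", [("email", "contains", "@example.com")], "base"),
]
USERS = [  # constructed: bob moved Finance -> Engineering but kept his old role
    User("alice@example.com", "Finance", "CN=alice,OU=Staff,DC=example,DC=com",
         {"Finance"}, {"base", "finance-apps"}),
    User("bob@example.com", "Engineering", "CN=bob,OU=Staff,DC=example,DC=com",
         {"Engineering"}, {"base", "finance-apps"}),
    User("carol@contractor.example.net", "Engineering",
         "CN=carol,OU=Contractors,DC=example,DC=com", {"Engineering"}, {"eng-apps"}),
]

if __name__ == "__main__":
    for email, (missing, extra) in find_drift(USERS, MAPPINGS).items():
        print(f"{email}: missing={sorted(missing)} extra={sorted(extra)}")
```

Roles granted outside the mappings (manual assignments) will show up as "extra", so restrict the comparison to mapping-managed roles or feed the report to a reviewer rather than auto-remediating.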