This article applies to Cloud.

Other available versions: Version 6 | Version 5 | Version 4

Available in: Standard, Premium, Enterprise, Small Business

User management with Code42 User Directory Sync

Overview

Code42 User Directory Sync leverages your organization's existing directory services environment by enabling LDAP integration in Code42 for Enterprise. Every directory structure is different, so Code42 User Directory Sync allows you to add JavaScript to map your existing directory structure to Code42 organizations and roles for automated user management. 

This article gives examples of how to use JavaScript with User Directory Sync. However, to download and configure Code42 User Directory Sync in your Code42 environment, contact your Customer Success Manager (CSM) for enterprise support at csmsupport@code42.com.

Before you begin

  • Existing Code42 cloud environments: To download and configure Code42 User Directory Sync, you must contact your Customer Success Manager (CSM) for enterprise support at csmsupport@code42.com.
  • New Code42 cloud environments: Code42 User Directory Sync is configured as part of your implementation. 

 

LDAP script capabilities

Our Professional Services team can help you add JavaScript to Code42 User Directory Sync. First, these scripts read user attributes and group membership information from your LDAP environment. Next, Code42 User Directory Sync places each user into the correct organization and grants the appropriate user roles based on that user's LDAP attributes and group membership.

We use three different scripts: Active, Org Name, and Role.

LDAP script triggers

A sync executes the Active, Org Name, and Role scripts each time it runs. When the scripts run, they read users' LDAP attributes and group membership, and change your Code42 environment to match. 

Example use of LDAP scripts

Consider the following situation. Company X's Org Name script depends on the location LDAP attribute. If the location attribute for user jsmith changes from San Francisco to New York, then the LDAP sync process moves jsmith from the San Francisco org to the New York org.

Script assistance
The sections below contain sample scripts. Assistance with scripts is beyond the scope of Customer Champions. For further assistance:
  • Contact your Customer Success Manager (CSM) at csmsupport@code42.com to engage the Code42 Professional Services team. They have access to a large library of existing scripts and can help tailor Code42 for Enterprise's LDAP integration as needed. 

  • Post your question to the Code42 community to get advice from fellow Code42 administrators.

Active script

By default, LDAP sync automatically deactivates any users that do not match the LDAP search filter. Deactivated accounts are no longer authorized to back up or restore, and associated device archives are automatically placed into cold storage.

The default active script code, which handles the default Active script behavior, is:

function isActive(entry) {
    return true;
}

If the user is found in LDAP, the default JavaScript function returns the value true. The authority server then treats the user as active.

Active script example

But what if your company policy requires that LDAP entries for users remain permanently in LDAP, and the user's employment status is maintained via an LDAP attribute? You can use an Active script to deactivate a user account based on an LDAP user attribute. This script deactivates a user if the account is disabled in Active Directory (AD).

function isActive(entry) {
  // 0x2 is the ACCOUNTDISABLE bit of AD's userAccountControl attribute
  if (entry.userAccountControl & 0x2) {
    return false;
  } else {
    return true;
  }
}

Expected datatype
The active script must return a Boolean (true or false).
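A more defensive version of the same check, added here as an example and not Code42's own script: it normalizes userAccountControl when the LDAP client hands it over as a numeric string or a single-element array, and makes the policy for entries that lack the attribute explicit instead of letting `undefined & 0x2` silently evaluate to active. The entry shape is assumed from the page's examples, and the code stays in ES5 syntax for older embedded script engines.

```javascript
// Added example (not Code42's own script). Assumes entry.userAccountControl may be
// a number, a numeric string, or a single-element array, depending on the LDAP client.
var ACCOUNTDISABLE = 0x0002;            // bit AD sets in userAccountControl for disabled accounts
var MISSING_ATTRIBUTE_IS_ACTIVE = true; // explicit policy when the attribute is absent or unparseable

// Normalize the raw attribute value to an integer, or null if it cannot be parsed.
function parseUserAccountControl(raw) {
  if (Array.isArray(raw)) {
    raw = raw.length === 1 ? raw[0] : null;   // multi-valued here would be malformed
  }
  if (raw === null || raw === undefined || raw === "") {
    return null;
  }
  var n = typeof raw === "number" ? raw : parseInt(String(raw), 10);
  return isNaN(n) ? null : n;
}

function isActive(entry) {
  var uac = parseUserAccountControl(entry.userAccountControl);
  if (uac === null) {
    return MISSING_ATTRIBUTE_IS_ACTIVE;       // decided once, not by JS type coercion
  }
  return (uac & ACCOUNTDISABLE) === 0;
}
```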

User deactivation and reactivation

When a user is deactivated, the user's devices are automatically deactivated. However, when a user is reactivated, the user's devices are not automatically reactivated. Devices can be reactivated in two ways:

  • The reactivated user may sign in to the Code42 app on the deactivated device
  • The administrator may activate the user's device from the administration console

In either case, the device's GUID remains the same. Data that was previously backed up is still available, if the data retention period has not expired. File selections and other settings also remain the same.

Reactivation of manually deactivated users 

If you use the administration console to directly deactivate users from an organization with directory services enabled, these users will be reactivated when User Directory Sync detects another change and syncs the user.

To make sure a user stays deactivated, do one of the following:

  • For all users and devices in Code42 organizations with directory services enabled, deactivate or remove the users from the directory service, rather than directly from the administration console.
  • Create a new organization that is not linked to any directory service, and move users to that organization before deactivating them. They will not be reactivated by Code42 User Directory Sync.
  • Change the user's username, or whatever attribute is mapped to the LDAP search filter. The user will no longer be affected by the Code42 User Directory Sync.

Users on legal hold cannot be deactivated

Users placed under legal hold cannot be deactivated. Their data is retained for the legal hold process. If a user is deactivated in LDAP, Code42 blocks the user instead. Once the user is released from legal hold, they are automatically deactivated.

Reactivating a user: If you deactivate users while they are on legal hold, and then wish to reactivate those users, you must unblock the user in the administration console. 

Org script

The org script places a user into a specific Code42 organization. JavaScript is used to parse the user's LDAP entry and return a single value. The user is placed into an organization that matches the return value. Target organizations do not need to exist before the script runs. If a named target organization does not exist, the org script creates an organization with that name.

Any valid parsing can be performed on the DN (distinguished name) of the user's record with JavaScript, and in this way, LDAP OUs (organizational units) can map to Code42 environment organizations automatically.

Org script example

The org script can place users into a Code42 environment organization based on the OU specified in each user's LDAP distinguished name. The script does the following:

  1. Parse the user's distinguished name.
  2. If the user is in the LDAP Staff OU, return the value “Staff” to place the user into the Code42 environment's Staff organization.
  3. If the user is in the LDAP Students OU, return the value “Students” to place the user into the Code42 environment's Students organization.
  4. If the user is in neither the Staff nor the Students OU, return the value “Default” to place the user in the Default organization.

function getOrgName(entry) {
    // The distinguished name of the user's LDAP record, e.g. CN=jsmith,OU=Staff,DC=example,DC=com
    var ou = entry.dn;
    if (ou != null) {
        // Substring match on the whole DN
        if (ou.indexOf("Staff") >= 0) {
            return 'Staff';
        }
        else if (ou.indexOf("Students") >= 0) {
            return 'Students';
        }
        else {
            return 'Default';
        }
    }
    else {
        return 'Default';
    }
}

Expected datatype
The org script must return a string.

Role script

The Role script applies a set of user roles to a user account based on the user's LDAP attributes or security group membership. Only roles that are added to the Role Mapping list within the administration console can be managed by Code42 User Directory Sync. Code42 does not add, update, or remove roles that are not in the Role Mapping list.

Role script example

This example analyzes an LDAP environment and grants Code42 for Enterprise user roles based on LDAP group memberships.

  1. Determine which LDAP groups the user is a member of.
  2. Map the appropriate Code42 environment roles to the account:
    • If the user is a member of the Admins LDAP group, grant the Org Security Viewer role.
    • If the user is a member of the Support LDAP group, grant the Org Admin role.
    • If the user is a member of the Managers group, grant the Org Manager role.
    • If the user is a member of the WorkstationAdmins group, grant the Org Help Desk role.
function getRoles(entry) {
   var memberof = entry.memberOf;

   // Default user roles
   var myRoles=new Array("PROe User","Desktop User");

   // Loop over LDAP groups
   for (var x = 0; x < memberof.length; ++x) {
      if (memberof[x].indexOf("Admins") > -1) {
         myRoles.push("Org Security Viewer");
      }
      if (memberof[x].indexOf("Support") > -1) {
         myRoles.push("Org Admin");
      }
      if (memberof[x].indexOf("Managers") > -1) {
         myRoles.push("Org Manager");
      }
      if (memberof[x].indexOf("WorkstationAdmins") > -1) {
         myRoles.push("Org Help Desk");
      }
   }
   return myRoles;
}

Expected datatype
The role script must return an array.
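Both page scripts above match substrings of the whole DN, so the role script grants the Admins role to WorkstationAdmins members as well (the group name contains "Admins"), and any CN or OU that merely contains "Staff" lands in the Staff org. The version below, added here as an example and not Code42's own script, serves both the Org script and the Role script sections: it parses each DN into its RDNs and matches OU values and group CN values exactly. It assumes the entry shape shown on this page (entry.dn is a DN string; entry.memberOf is an array of group DNs, or a single string for a single-valued attribute) and uses ES5 syntax for older embedded script engines.

```javascript
// Added example, not Code42's own script. Assumes entry.dn is the user's DN string and
// entry.memberOf holds group DN strings, as in the page's examples (ES5 for older engines).

// Split a DN into {type, value} RDNs, honouring backslash-escaped commas ("Smith\, John").
function parseDn(dn) {
  var rdns = [], cur = "";
  for (var i = 0; i < dn.length; i++) {
    var c = dn.charAt(i);
    if (c === "\\" && i + 1 < dn.length) { cur += dn.charAt(++i); }  // keep escaped char
    else if (c === ",") { rdns.push(cur); cur = ""; }
    else { cur += c; }
  }
  rdns.push(cur);
  var out = [];
  for (var j = 0; j < rdns.length; j++) {
    var eq = rdns[j].indexOf("=");
    if (eq > 0) {
      out.push({ type: rdns[j].slice(0, eq).trim().toUpperCase(), value: rdns[j].slice(eq + 1).trim() });
    }
  }
  return out;
}

// Exact OU match: a CN containing "Staff" or an "OU=StaffingVendors" no longer maps to Staff.
var OU_TO_ORG = { "Staff": "Staff", "Students": "Students" };
function getOrgName(entry) {
  var parts = entry.dn ? parseDn(entry.dn) : [];
  for (var i = 0; i < parts.length; i++) {
    if (parts[i].type === "OU" && OU_TO_ORG.hasOwnProperty(parts[i].value)) { return OU_TO_ORG[parts[i].value]; }
  }
  return "Default";
}

// Exact group-CN match: WorkstationAdmins members no longer also receive the Admins role.
var GROUP_TO_ROLE = { "Admins": "Org Security Viewer", "Support": "Org Admin",
                      "Managers": "Org Manager", "WorkstationAdmins": "Org Help Desk" };
function getRoles(entry) {
  var roles = ["PROe User", "Desktop User"];               // default roles, as on the page
  var groups = entry.memberOf || [];
  if (typeof groups === "string") { groups = [groups]; }  // single-valued attribute (assumed shape)
  for (var i = 0; i < groups.length; i++) {
    var first = parseDn(groups[i])[0];                    // the group's own RDN, e.g. CN=Admins
    if (first && first.type === "CN" && GROUP_TO_ROLE.hasOwnProperty(first.value)) {
      var role = GROUP_TO_ROLE[first.value];
      if (roles.indexOf(role) < 0) { roles.push(role); } // no duplicate roles
    }
  }
  return roles;
}
```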