About Active Directory configuration for QM and Analytics

The Active Directory Configuration page lets you create or edit a connection between Workforce Optimization and an Active Directory (AD) server in your environment. You can use this connection for user authentication, sync, or both.

Note the following parameters when configuring the connection with the AD server, whether for authentication, sync, or both:

  • At least one configured AD must exist.
  • Each AD domain must have at least one configured user path.
  • The Workforce Optimization server must be in the same domain as the user.

Authentication

AD authentication enables you to use AD users and passwords for authentication in Workforce Optimization. It is available only for on-premises deployments of Workforce Optimization.

Sync

AD sync enables Workforce Optimization to sync Workforce Optimization users with AD users. When AD sync is configured, Workforce Optimization matches existing Workforce Optimization users with existing AD users. Then, whenever an AD user’s first name, last name, employee ID, or email address is changed, Workforce Optimization also changes the corresponding values of the matched Workforce Optimization user.

  • AD sync does not add or deactivate Workforce Optimization users.
  • If Workforce Optimization cannot match an AD user with any existing Workforce Optimization user, it does not add a new Workforce Optimization user.
  • If an AD user who is synced with a Workforce Optimization user is deleted in AD, Workforce Optimization does not deactivate the Workforce Optimization user.

You can review which AD users are matched with Workforce Optimization users and which ones are not on the Active Directory Sync page (see Review Active Directory sync results for QM and Analytics).

Matching users

The following list provides an overview of how Workforce Optimization matches users.

  1. The administrator configures the AD connection, including the organizational units that contain the users to be synced.
  2. The administrator selects one of four matching properties: Default, Employee ID, First Name / Last Name, or User Name. If the administrator selects Default, Workforce Optimization uses the Default matching property only. If the administrator selects First Name / Last Name, Employee ID, or Email, Workforce Optimization first uses the Default matching property, then uses the selected matching property.
  3. Each matching property designates a field on the Users page and an equivalent property in AD. Workforce Optimization compares Workforce Optimization users and AD users based on the values that the field and the property contain. When exactly one user in Workforce Optimization and one user in AD have the same value, Workforce Optimization matches the users.

    The following table describes which field and which equivalent property must have the same value for Workforce Optimization to match users.

    Matching Property Users Page AD Property Notes

    Default

    Windows Login

    User logon name (pre-Windows 2000)

    If selected, Workforce Optimization matches users with the Default matching property only.

    AD has two user logon name properties: the “User logon name property” (<user>@<domain>) and the “User logon name (pre-Windows 2000)” property (<domain>\<user>). Workforce Optimization matches users on the “User logon name (pre-Windows 2000)” property only.

    If you edit the “User logon name (pre-Windows 2000)” property in AD after users are matched, Workforce Optimization unmatches the AD user from the Workforce Optimization user, regardless of the matching property that Workforce Optimization used to match them originally.

    First Name / Last Name

    First Name

    First name

    If selected, Workforce Optimization first matches users with the Default matching property, then with the First Name / Last Name matching property.

    First Name / Last Name is not case-sensitive. If multiple Workforce Optimization users have the same First Name and Last Name as a single AD user, Workforce Optimization does not match the AD user with any Workforce Optimization user.

    Last Name

    Last name

    Employee ID

    Employee ID

    employeeID

    If selected, Workforce Optimization first matches users with the Default matching property, then with the Employee ID matching property.

    If multiple Workforce Optimization users have the same Employee ID as a single AD user, Workforce Optimization does not match the AD user with any Workforce Optimization user.

    User Name

    User Name

    E-mail

    If selected, Workforce Optimization first matches users with the Default matching property, then with the User Name matching property.

  4. For each Workforce Optimization user whom Workforce Optimization matches with an AD user, Workforce Optimization does the following:

    • Adds a Recording user profile, if the user does not already have one.

    • Populates any of the following fields in the Recording user profile whose equivalent properties are configured in AD: First Name, Last Name, Email Address, External User ID, and Employee ID.
    • Disables editing the Windows Login field on the User’s page.
  5. If the Recording user profile has the correct precedence, Workforce Optimization transfers the values from the Recording user profile to the Workforce Optimization user.

    NOTE   If an Override user profile does not already exist, Workforce Optimization does not create one. This means that the values in the Recording user profile can overwrite the identity traits of a user who was manually created in Workforce Optimization, including first name, last name, user name, and employee ID. For more information about user profiles, see Manage user profiles for QM and Analytics and Configure global settings, “User Profile Precedence.”

Syncing matched users

When someone changes a matched user in AD, Workforce Optimization detects it and makes several changes. The following table summarizes these changes.

Change in AD Resulting Change in Workforce Optimization

“First name” property is changed

First name in the Recording user profile is changed. If the Recording user profile has the correct precedence, the user’s first name is also changed on the User’s page.

“Last name” property is changed

 

Last name in the Recording user profile is changed. If the Recording user profile has the correct precedence, the user’s last name is also changed on the User’s page.

“employeeID” property is changed

Employee ID in the Recording user profile is changed. If the Recording user profile has the correct precedence, the user’s employee ID is also changed on the User’s page.

“E-mail” property is changed

Email address in the Recording user profile is changed. If the Recording user profile has the correct precedence, the user’s user name is also changed on the User’s page.

“User logon name (pre-Windows 2000)” property is changed

The user is unmatched.

Unmatching synced users

If you no longer want a Workforce Optimization user to be linked with an AD user, you can unlink them. When a Workforce Optimization user is unlinked from an AD user, Workforce Optimization stops updating the user and the user’s Recording user profile when properties are changed in AD, and it enables the user’s Windows login for editing.

Unmatching a Workforce Optimization user does not delete the Recording user profile or delete any of the values stored in it, nor does it prevent the Workforce Optimization user from being matched with the AD user again the next time that sync runs. To permanently prevent Workforce Optimization from matching users, you must also change the Workforce Optimization user before sync runs again so that the Workforce Optimization user no longer has the same identity (as determined by the matching property that is currently selected) as the AD user.

Field descriptions

The fields on the Active Directory Configuration page are described below.