Merge pull request #537 from bhunut-adobe/feature/ignore-outcast-users

adorton-adobe · web-flow · commit c60ad3b4e2e1 · 2019-11-21T14:11:49.000-07:00
New Feature --exclude-unmapped-users
diff --git a/docs/en/user-manual/command_parameters.md b/docs/en/user-manual/command_parameters.md
@@ -41,6 +41,7 @@ specific behavior in various situations.
 | `--strategy sync`<br />`--strategy push` | Available in release 2.2 and later. Optional.  Default operating mode is `--strategy sync`.   Controls whether User Sync reads user information from Adobe and compares to the directory information and then issues updates to Adobe, or simply pushes the directory input to Adobe without considering the existing user information on Adobe.  `sync` is the default and the subject of the description of most of this documentation.  `push` is useful when there is a large number of users on the Adobe side (>30,000) and known additions or changes to a small number of users are desired, and the list of those users is available in a csv file or a specific directory group.<br />If `--strategy push` is specified, `--adobe-only-user-action` cannot be specified as the determination of adobe-only users is not made.<br/>`--strategy push` will create new users, modify their group memberships for mapped groups only (if `--process-groups` is present),  update user information (if `--update-user-info` is present), and will not remove users from the organization or delete their accounts.  See [Handling Push Notifications](usage_scenarios.md#handling-push-notifications) for information on how to remove users via push notifications. |
 | `--connector ldap`<br />`--connector okta`<br />`--connector csv` _filename_ | Available in release 2.3 and later. Optional. Specifies the directory connector to be used (defaults to LDAP).  If you specify the use of a CSV input file with this argument, then you cannot also specify one with `--users`, but you can then specify other `--users` options (such as `mapped` or `group`) for use with the CSV file.  (The Okta connector does not support `--users all`, so you must specify a `--users` option of `mapped` or `group` if you use the Okta connector.) |
 | `--adobe-users all`<br />`--adobe-users mapped`<br />`--adobe-users group` _grp1,grp2_ | Available in release 2.4 and later. Optional. Specify the adobe users to be selected for sync. The default is all meaning all users found in Adobe Admin Console. Specifying group interprets the argument as a comma-separated list of groups (product profile or user-group) in the console, and only users in those groups are selected. Specifying mapped is the same as specifying group with all the adobe groups listed in the group mapping in the configuration file.
+| `--exclude-unmapped-users` | Available in release 2.6 and later. Optional. Exclude users that is not part of a mapped group from being created. <br /> Example use case:<br /> `--users all --exclude-unmapped-users` <br /> this will allow UST to compare with the entire directory without syncing unmapped users to the console
 {: .bordertablestyle }
 
 As of version 2.3 of User Sync, the values of most command-line parameters can also be specified in the main configuration file, in an optional section called `invocation_defaults`.  Here is an example use of that section:
diff --git a/examples/config files - basic/user-sync-config.yml b/examples/config files - basic/user-sync-config.yml
@@ -330,6 +330,11 @@ invocation_defaults:
   adobe_users: all
   # For argument --connector, the default is 'ldap'.
   connector: ldap
+  # For argument --exclude_unmapped_users, the default is False (include all).
+  # If you set this default to True, UST will automatically skip user creation
+  # on user that is not part of any mapped group.
+  # --include-unmapped-users to override the default.
+  exclude_unmapped_users: No
   # For argument --process-groups, the default is False (don't process).
   # If you set this default to True, you can supply the argument
   # --no-process-groups to override the default.
diff --git a/user_sync/app.py b/user_sync/app.py
@@ -125,6 +125,8 @@ def main():
               cls=user_sync.cli.OptionMulti,
               type=list,
               metavar='ldap|okta|csv|adobe_console [path-to-file.csv]')
+@click.option('--exclude-unmapped-users/--include-unmapped-users', default=None,
+              help='Exclude users that is not part of a mapped group from being created on Adobe side')
 @click.option('--process-groups/--no-process-groups', default=None,
               help='if membership in mapped groups differs between the enterprise directory and Adobe sides, '
                    'the group membership is updated on the Adobe side so that the memberships in mapped '
diff --git a/user_sync/config.py b/user_sync/config.py
@@ -51,6 +51,7 @@ class ConfigLoader(object):
         'config_filename': 'user-sync-config.yml',
         'connector': ['ldap'],
         'encoding_name': 'utf8',
+        'exclude_unmapped_users': False,
         'process_groups': False,
         'strategy': 'sync',
         'test_mode': False,
diff --git a/user_sync/rules.py b/user_sync/rules.py
@@ -325,6 +325,9 @@ def will_update_user_info(self, umapi_info):
     def will_process_groups(self):
         return self.options['process_groups']
 
+    def will_exclude_unmapped_users(self):
+        return self.options['exclude_unmapped_users']
+
     def get_umapi_info(self, umapi_name):
         umapi_info = self.umapi_info_by_name.get(umapi_name)
         if umapi_info is None:
@@ -465,6 +468,7 @@ def sync_umapi_users(self, umapi_connectors):
             verb = "Push"
         else:
             verb = "Sync"
+        exclude_unmapped_users = self.will_exclude_unmapped_users()
         # first sync the primary connector, so the users get created in the primary
         if umapi_connectors.get_secondary_connectors():
             self.logger.debug('%sing users to primary umapi...', verb)
@@ -476,6 +480,9 @@ def sync_umapi_users(self, umapi_connectors):
         else:
             primary_adds_by_user_key = self.update_umapi_users_for_connector(umapi_info, umapi_connector)
         for user_key, groups_to_add in six.iteritems(primary_adds_by_user_key):
+            if exclude_unmapped_users and not groups_to_add:
+                # If user is not part of any group and ignore outcast is enabled. Do not create user.
+                continue
             # We always create every user in the primary umapi, because it's believed to own the directories.
             self.logger.info('Creating user with user key: %s', user_key)
             self.primary_users_created.add(user_key)
