Marketing Platform integration with Windows Active Directory provides the features described in this section.

IBM® Unica Marketing applications query the Marketing Platform for user authorization information. When Active Directory server integration is implemented and Windows integrated login is enabled, users are authenticated to all IBM® Unica Marketing applications when they log in to the corporate network, and no password is required to log in to IBM® Unica Marketing applications. User authentication is based on their Windows login, bypassing the applications’ login screens.

If Windows integrated login is not enabled, users must still log in on the IBM® Unica Marketing login screen, using their Windows credentials.

When Windows integrated login is enabled, all users are created and maintained in the Active Directory server. (You do not have the option of creating some users in the Marketing Platform, which are known as internal users in this guide). If you require the ability to create internal users, do not enable Windows integrated login.

If you prefer not to enable Windows integrated login, follow the directions for integrating with an LDAP server. See Configuration process checklist (LDAP integration) for details.

IBM® Unica Marketing imports groups and their users from the directory server database through a periodic synchronization task that automatically retrieves information from the directory server. When IBM® Unica Marketing imports users and groups from the server database, group memberships are maintained.

You can assign IBM® Unica Marketing privileges by mapping an Active Directory group to an IBM® Unica Marketing group. This mapping allows any new users added to the mapped Active Directory group to assume the privileges set for the corresponding IBM® Unica Marketing group.

A subgroup in the Marketing Platform inherits the roles, but not the LDAP mappings or user memberships, assigned to its parents.

If you do not want to create groups in your Active Directory server that are specific to IBM® Unica Marketing products, you have the option to control the users who are imported by specifying attributes. To achieve this, you would do the following during the LDAP configuration process.

When you use attribute based synchronization, the periodic synchronization is always a full synchronization, instead of a partial synchronization, which is done for group based synchronization. For attribute based synchronization, you should set the LDAP sync interval property to a high value, or set it to 0 to turn off automatic synchronization and rely on manual full synchronization when users are added to the directory.

In multi-partition environments, user partition membership is determined by the group to which the user belongs, when that group is assigned to a partition. A user can belong to only one partition. Therefore, if a user is a member of more than one LDAP group, and these groups are mapped to IBM® Unica Marketing groups that are assigned to different partitions, the system must choose a single partition for that user.

You should try to avoid this situation. However, if it occurs, the partition of the IBM® Unica Marketing group most recently mapped to an LDAP group is the one that the user belongs to. To determine which LDAP group was most recently mapped, look at the LDAP group mappings displayed in the Configuration area. They are displayed in chronological order, with the most recent mapping listed last.

When IBM® Unica Marketing is configured to integrate with an Active Directory server, users and groups are synchronized automatically at pre-defined intervals. During these automatic synchronizations, only those users and groups (specified by the configuration) that were created or changed since the last synchronization are brought into IBM® Unica Marketing. You can force a synchronization of all users and groups by using the Synchronize function in the Users area of IBM® Unica Marketing.