Marketing Platform integration with Windows™ Active Directory provides the features described in this section.
IBM® EMM applications query the Marketing Platform for user authorization information. When Active Directory server integration is implemented and Windows™ integrated login is enabled, users are authenticated to all IBM® EMM applications when they log in to the corporate network, and no password is required to log in to IBM® EMM applications. User authentication is based on their Windows™ login, bypassing the applications’ login screens.
If Windows™ integrated login is not enabled, users must still log in on the IBM® EMM login screen, using their Windows™ credentials.
Only three special characters are allowed in login names: dot (.), underscore (_), and hyphen (-). If any other special characters (including spaces) are present in the login name of a user you plan to import into the Marketing Platform from your Active Directory server, you must change the login name so that the user does not encounter issues when logging out or performing administrative tasks (if the user has administration privileges).
When Windows™ integrated login is enabled, all users are created and maintained in the Active Directory server. You do not have the option of creating some users in the Marketing Platform (users created there are known as internal users in this guide). If you require the ability to create internal users, do not enable Windows™ integrated login.
If you prefer not to enable Windows™ integrated login, follow the directions for integrating with an LDAP server. See Configuration process checklist (LDAP integration) for details.
When integration is configured, you cannot add, modify, or delete the imported user accounts in the Marketing Platform. You must perform these management tasks on the LDAP side, and your changes will be imported when synchronization occurs. If you modify imported user accounts in the Marketing Platform, users may encounter problems with authentication.
Any user accounts you delete on the LDAP side are not deleted from the Marketing Platform. You should disable these accounts manually in the Marketing Platform. It is safer to disable these accounts than to delete them, because users have folder ownership privileges in Campaign, and if you delete a user account that owns a folder, objects in that folder will no longer be available.
The Marketing Platform imports groups and their users from the directory server database through a periodic synchronization task that automatically retrieves information from the directory server. When the Marketing Platform imports users and groups from the server database, group memberships are maintained.
You can assign IBM® EMM privileges by mapping an Active Directory group to an IBM® EMM group. This mapping allows any new users added to the mapped Active Directory group to assume the privileges set for the corresponding IBM® EMM group.
A subgroup in the Marketing Platform does not inherit the Active Directory mappings or user memberships assigned to its parents.
If you do not want to create groups in your Active Directory server that are specific to IBM® EMM products, you have the option to control the users who are imported by specifying attributes. To achieve this, you would do the following during the configuration process.
You should try to avoid this situation. However, if it occurs, the partition of the IBM® EMM group most recently mapped to an Active Directory group is the one that the user belongs to. To determine which Active Directory group was most recently mapped, look at the LDAP group mappings displayed in the Configuration area. They are displayed in chronological order, with the most recent mapping listed last.
When IBM® EMM is configured to integrate with an Active Directory server, users and groups are synchronized automatically at pre-defined intervals. During these automatic synchronizations, only those users and groups (specified by the configuration) that were created or changed since the last synchronization are brought into IBM® EMM. You can force a synchronization of all users and groups by using the Synchronize function in the Users area of IBM® EMM.
LDAP users with special characters in their login names may experience problems with authentication. See Users window reference for a list of allowed special characters. For LDAP accounts that you plan to import into IBM® EMM, change login names that contain special characters that are not allowed.
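
An added example (not IBM code) that audits an exported directory list against two rules from this section: the three special characters allowed in login names, and disabling rather than deleting platform accounts whose directory account has been removed. The input shapes, the `imported` and `enabled` fields, the case-insensitive comparison, and the treatment of anything other than ASCII letters and digits as a special character are assumptions; the sample data is constructed.

```python
import re

# Assumption: a "special character" is anything other than an ASCII letter or digit.
# The page allows only three of them: dot, underscore and hyphen.
ALLOWED = re.compile(r"[A-Za-z0-9._-]")

def disallowed_chars(login):
    """Return the sorted distinct characters in `login` that are not allowed."""
    return sorted(set(ALLOWED.sub("", login)))

def audit(directory_logins, platform_accounts):
    """Compare a directory export with the platform's account list.

    directory_logins: iterable of login names exported from AD/LDAP.
    platform_accounts: {login: {"imported": bool, "enabled": bool}}
                       (hypothetical shape, not a product export format).
    """
    logins = list(directory_logins)
    # Assumption: logins are compared case-insensitively, as AD does.
    in_directory = {name.casefold() for name in logins}
    rename = {n: disallowed_chars(n) for n in logins if disallowed_chars(n)}
    # Imported accounts that vanished from the directory stay in the platform;
    # list them for manual disabling (not deletion, so folder ownership survives).
    disable = sorted(
        login for login, acct in platform_accounts.items()
        if acct["imported"] and acct["enabled"]
        and login.casefold() not in in_directory
    )
    return {"rename_before_import": rename, "disable_in_platform": disable}

# Constructed sample data.
SAMPLE_DIRECTORY = ["anna.k_lee-2", "j smith", "o'brien", "R.Patel"]
SAMPLE_PLATFORM = {
    "anna.k_lee-2": {"imported": True, "enabled": True},
    "r.patel": {"imported": True, "enabled": True},
    "former.employee": {"imported": True, "enabled": True},   # gone from directory
    "old.contractor": {"imported": True, "enabled": False},   # already disabled
    "local.admin": {"imported": False, "enabled": True},      # internal user
}

if __name__ == "__main__":
    report = audit(SAMPLE_DIRECTORY, SAMPLE_PLATFORM)
    for login, chars in report["rename_before_import"].items():
        print(f"rename before import: {login!r} (disallowed: {chars})")
    for login in report["disable_in_platform"]:
        print(f"disable in Marketing Platform: {login}")
```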