SAP SuccessFactors to Active Directory User Provisioning - Cross-Forest Manager

Derek Morgan II 0 Reputation points
2024-06-20T20:00:20.54+00:00

In brief, I am working with a customer on user provisioning from SAP SF to AD, to include create, delete, and update operations. The current scenario is as follows:

User A resides in AD Forest A and User B resides in AD Forest B. According to SAP SF, User B reports to User A. The desired state is that User B has the manager attribute in AD set to User A. Also, AD Forest A and AD Forest B have a two-way bidirectional trust.

From past experience, setting the manager attribute to a user object in a separate AD forest, even with bidirectional trust configured, was not possible and this was by design. I am keen to know: with the inbound user provisioning from SAP SF to AD, is now able to bypass this design limitation in Active Directory, or am I mistaken and the design limitation of cross-forest manager no longer exists?

Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
6,131 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,313 questions

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Neuvi Jiang 465 Reputation points Microsoft Vendor
    2024-06-21T07:55:32.0733333+00:00

    Hi Derek Morgan II,

    Thank you for posting in the Q&A Forums.

    We need to clarify a few key points:

    Active Directory (AD) does have some design limitations, including the number of objects, the number of security identifiers, the size of access control lists, the group membership of security subjects, and the length of FQDNs. However, specifically with regard to cross forest manager settings, AD does not explicitly prohibit setting a user object in one forest to the manager attribute of a user object in another forest.

    However, in practice, due to the complexity of AD's security model and trust relationships, setting the manager attribute directly across forests may encounter some difficulties.

    In AD, if a two-way trust relationship exists between two forests, then theoretically user objects in these two forests should be able to access and recognize resources in each other's forests. However, this does not mean that user attributes in the other forest can be modified without restriction.

    Two-way trust is mainly used for authentication and authorization, not directly for modifying user attributes.

    Best regards

    NeuviJ

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

    0 comments