- Introduction
- Installation
- Getting Started
- Setup the Environment
- Setup the UKG Pro Connection
- Setup the Active Directory Connection
- Delegation of Control
- Setup Rules
- Link (Identity Match)
- Employee Filter
- Auto Provision
- Auto Provision Conditions
- User Logon Name
- User Logon Name Suffix
- Password
- Password Never Expires
- Setup Mappings
- Field Mappings
- Enable Account
- Container
- Network Access Permission
- Custom Attributes
- Group Mappings
- Working with Expressions
- String Expressions
- Bool Expressions
- Quick Expressions
- Working with Conditional Expressions
- Working with Constants
- Ignore Constant
- IsInsert Constant
- IsUpdate Constant
- IsDisable Constant
- Auto Constant
- Special Methods
- Supported Fields
- Person (UKG)
- Employment (UKG)
- Job (UKG)
- Location (UKG)
- Org Level 1 to 4 (UKG)
- Project (UKG)
- Platform Configuration (UKG)
- User (Active Directory)
- Sending Email to UKG Pro
- Notifications
- Detecting Changes
- SMTP Settings
- Scheduling
- Viewing the Logs
- Activate a License
- Security
- Introduction
- Installation
- Getting Started
- Setup the Environment
- Setup the UKG Pro Connection
- Setup the Active Directory Connection
- Delegation of Control
- Setup Rules
- Link (Identity Match)
- Employee Filter
- Auto Provision
- Auto Provision Conditions
- User Logon Name
- User Logon Name Suffix
- Password
- Password Never Expires
- Setup Mappings
- Field Mappings
- Enable Account
- Container
- Network Access Permission
- Custom Attributes
- Group Mappings
- Working with Expressions
- String Expressions
- Bool Expressions
- Quick Expressions
- Working with Conditional Expressions
- Working with Constants
- Ignore Constant
- IsInsert Constant
- IsUpdate Constant
- IsDisable Constant
- Auto Constant
- Special Methods
- Supported Fields
- Person (UKG)
- Employment (UKG)
- Job (UKG)
- Location (UKG)
- Org Level 1 to 4 (UKG)
- Project (UKG)
- Platform Configuration (UKG)
- User (Active Directory)
- Sending Email to UKG Pro
- Notifications
- Detecting Changes
- SMTP Settings
- Scheduling
- Viewing the Logs
- Activate a License
- Security
Delegation of Control
We recommend using delegation of control to assign the user account the access it needs to perform its tasks.
The only access that the user account needs is:
- Create, delete, and manage user accounts
- Reset user passwords and force password change at next logon
- Read all user information
- Modify the membership of a group

Please make sure that the user account has the appropriate permissions for the tasks it is setup to perform. For example, if Connect to AD is setup with Group Mappings, then the user account needs the "modify the membership of a group" permission.
You can also add the user account to any of these security groups, which includes the required access, however, we recommend using Delegation of Control as a best practice.
- BUILTIN/Account Operators - Account Operators - Members can administer domain user and group accounts
- example.com/Domain Admins - Domain Admins - Designated administrators of the domain
- example.com/Enterprise Admins - Enterprise Admins - Designated administrators of the enterprise
Next Setup Rules