ECMToolbox Active Directory Group Synchronization
With Active Directory (AD) Synchronization, you can map a workflow group to an “Active Directory” group.
Note: To use this feature, Active Directory must be configured under Workflow Settings, and Active Directory Sync must be enabled.
AD Synchronization Concept and Explanation
When managing a large user base, some companies integrate security across multiple software products by using pre-defined Active Directory groups. For instance, there is a group for “Chief Financial Officers” that manages security for a Document Management System. The same group can also be associated with an ECM Toolbox user group to unify management under one AD group. This allows ECM Toolbox to know which accounts to import from AD and to assign them membership in the mapped group immediately to grant access.
This helps centralize security management right from Active Directory and reduce overhead in managing security within ECM Toolbox separately.
The scenarios below show how ECM Toolbox interacts with Active Directory when an ECM Toolbox group is synchronized with an Active Directory group. Depending on the polling interval configuration, changes are not immediate and usually take about 5 minutes for the next cycle to update.
Active Directory Group Synchronization Rules
The following rules apply, followed by a table of situations and the resulting actions:
The system will not add, modify, or delete AD users and groups.
The system will utilize an existing AD account with rights to view the forests for all users and groups, so Workflow will know the members in the groups to sync with.
Workflow administrators can no longer add or remove user memberships in a group that is synchronized with AD. AD will determine users based on user memberships of the AD group.
Situation | Action |
---|---|
User does not exist in ECM Toolbox user table. | ECM Toolbox will import the user into the user table to capture full name and email, then assign the user membership to the mapped group. |
User no longer exists in the AD Group. | If the user no longer exists, the membership is revoked. |
User no longer exists in any of the mapped AD Groups. | The user account will be disabled in ECM Toolbox. |
User details were modified in AD, such as full name and email. | ECM Toolbox will pull the latest information from Active Directory and update the local copy of user full name and email. |
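
The rules and situations above, modelled as a small reconciliation function. This is an added example, not ECM Toolbox code: the function name `plan_sync`, the data shapes, and the sample accounts and groups are assumptions, as is the choice to leave alone accounts that never held a synchronized membership.

```python
# Added illustration, not ECM Toolbox code: models the rules table as a
# pure function over constructed snapshots. All names/shapes are assumptions.
def plan_sync(ad_groups, ad_users, mappings, local_users, local_members):
    """Actions for one polling cycle; AD is only read, never modified.
    ad_groups {ad_group: accounts}, ad_users {account: (full_name, email)},
    mappings {ecm_group: ad_group}, local_members {ecm_group: accounts},
    local_users {account: {"name", "email", "enabled"}}."""
    actions, imported = [], set()
    in_any_ad_group, was_synced = set(), set()
    for ecm_group, ad_group in sorted(mappings.items()):
        wanted = set(ad_groups.get(ad_group, ()))
        current = set(local_members.get(ecm_group, ()))
        in_any_ad_group |= wanted
        was_synced |= current
        for acct in sorted(wanted - current):
            if acct not in local_users and acct not in imported:
                imported.add(acct)
                actions.append(("import_user", acct, ad_users[acct]))
            actions.append(("grant_membership", acct, ecm_group))
        for acct in sorted(current - wanted):
            actions.append(("revoke_membership", acct, ecm_group))
    # Disabled only when absent from every mapped AD group (assumption:
    # accounts that never held a synced membership are left alone).
    for acct in sorted(was_synced - in_any_ad_group):
        if local_users.get(acct, {}).get("enabled"):
            actions.append(("disable_account", acct))
    # Refresh the local copy of full name and email from AD.
    for acct in sorted(in_any_ad_group & set(local_users)):
        row = local_users[acct]
        if (row["name"], row["email"]) != ad_users[acct]:
            actions.append(("update_details", acct, ad_users[acct]))
    return actions


# Constructed sample data (hypothetical accounts and groups).
AD_GROUPS = {"CFO-AD": {"alice", "carol"}, "AP-AD": {"bob"}}
AD_USERS = {"alice": ("Alice Ng", "alice@example.com"),
            "bob": ("Bob Roy", "bob@example.com"),
            "carol": ("Carol Diaz", "carol@example.com")}
MAPPINGS = {"Finance": "CFO-AD", "Payables": "AP-AD"}
LOCAL_USERS = {
    "alice": {"name": "Alice N.", "email": "alice@example.com", "enabled": True},
    "bob": {"name": "Bob Roy", "email": "bob@example.com", "enabled": True},
    "dave": {"name": "Dave Low", "email": "dave@example.com", "enabled": True}}
LOCAL_MEMBERS = {"Finance": {"alice", "bob", "dave"}, "Payables": {"bob"}}

if __name__ == "__main__":
    for action in plan_sync(AD_GROUPS, AD_USERS, MAPPINGS, LOCAL_USERS, LOCAL_MEMBERS):
        print(action)
```

In the sample, `bob` loses his Finance membership but stays enabled because he is still in a mapped AD group, while `dave` is in none and is disabled.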
Setting up Active Directory
Navigate to the Administration dropdown and click User Groups.
Click Add and provide a name or click Edit on an existing group to configure.
Select an Active Directory Group to synchronize with.
Click Save.
The system will now start polling the Active Directory group and updating memberships of that group. You cannot modify membership, as control has been handed over to Active Directory.
CASO Knowledge Base