SureView has the ability to sync users and their permissions with AD Groups. This means if a user is added to the proper AD group, the SureView Administrator will not need to manually add or remove users in SureView.
Automatically adding AD users to SureView based on group membership
- User logs in via AD, but user does not exist in SureView
- If AD domain isn’t set up, user login fails
- User checked for AD groups
- Groups matched against Domain Groups
- If a user isn’t part of any groups that are set up in Domain Groups table for that domain, then login fails
- User is added to SureView, and added to relevant user groups. Sync column is set to the domain ID so that the user can be automatically updated via AD sync service
Setup
This requires the UserGroup feature flag, and the CanEditUserGroups permission.
Domain Controller setup
In System Setting, under Endpoints, you need to add the domain controllers.
Endpoints >> Endpoints >> Domain Controller Servers [System only]
Configure SureView to automatically add a user as a new user if they do not exist in SureView
Setup >> Actions >> LDAP >> Create new domain users in SureView [System only]
Configuring Domains and Groups in SureView
Go to the Permissions setup and click on the 'Active Directory' tab
Creating the Domains in SureView
- Click on 'Add Domain'
- Enter the Domain name as you will use it when logging in.
Adding Domain Groups and linking to SureView Permission Groups
Option 1
- Click the 'Add Domain Group' button
- Select the domain you want to use
- For the 'Domain Group name' enter the Domain Group name exactly as it appears in AD.
- For User Group, select the SureView Permission Group you wish to link to the Domain Group.
Option 2
Go to the 'User Group' tab on the Permission setup screen
- Select the user permission group you want to link an AD Group to and click the icon to edit the group.
- Click the icon in the lower right under 'Domain Groups'. This will add a new line.
- Select the Domain from the drop down under 'Domain'
- For Group name, enter the Domain Group name exactly as it appears in AD.
SVDomainSync
SVDomainSync is a service that syncs SureView users with Active Directory users. It uses telnet trace port 16200.
It must be logged in with a user account that has access to the domain in order to function.
When running, it will check hourly for domains that have not been synced in the past 4 hours. It will then set the NextSyncAt to 4 hours from now, and sync users. These times can be changed in the config - ExecuteIntervalHours marks how often to run, and DomainUpdateFrequencyHours is how often to sync a domain. You can force a domain to be synced by setting the NextSyncAt value in the Domain table to NULL.
It will only sync users with SyncWithDomainId set. By default, this will only be users who have been automatically added via active directory. However, you can also set users who were manually added to be automatically synced by setting this value in the Users table.
When the service syncs a user, it will update which user groups a user is a member of, as well as Name, Email address and telephone. If the user account is disabled in Active Directory, it will be disabled in SureView.
Optionally, SureView users not found in Active Directory can be deleted from SureView. The config setting DeleteOnNotFound controls this - by default, it is off, and SureView users not found in AD will be disabled in SureView. If set to true, the user account will instead be deleted.
Users disabled or deleted in this manner will be logged out of SureView; the service will delete from the UserSessions table.
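The two intervals above bound how long an account disabled in AD can stay enabled in SureView. The following scheduling model is an added illustration, not SureView code: it assumes a domain is due when NextSyncAt is NULL or has passed, and the function names and dates are constructed for the example.

```python
from datetime import datetime, timedelta

# Defaults stated on the page; both are configurable in the service config.
EXECUTE_INTERVAL_HOURS = 1         # ExecuteIntervalHours: how often the service wakes
DOMAIN_UPDATE_FREQUENCY_HOURS = 4  # DomainUpdateFrequencyHours: gap between syncs of a domain

def is_due(next_sync_at, now):
    # Assumed rule: NULL (None) forces a sync; otherwise due once NextSyncAt has passed.
    return next_sync_at is None or next_sync_at <= now

def sync_times(first_wake, next_sync_at, hours,
               interval=EXECUTE_INTERVAL_HOURS,
               frequency=DOMAIN_UPDATE_FREQUENCY_HOURS):
    """Wake-ups within `hours` of first_wake at which the domain is synced."""
    synced, now = [], first_wake
    end = first_wake + timedelta(hours=hours)
    while now <= end:
        if is_due(next_sync_at, now):
            synced.append(now)
            next_sync_at = now + timedelta(hours=frequency)  # service pushes NextSyncAt forward
        now += timedelta(hours=interval)
    return synced

def revocation_delay(disabled_at, syncs):
    """How long an account disabled in AD stays enabled in SureView."""
    later = [t for t in syncs if t >= disabled_at]
    return later[0] - disabled_at if later else None

def demo():
    day = datetime(2024, 1, 1)  # constructed date
    # Domain last synced at 00:01, so NextSyncAt = 04:01; the service wakes on the hour.
    scheduled = sync_times(day + timedelta(hours=1), day + timedelta(hours=4, minutes=1), 8)
    disabled_at = day + timedelta(minutes=2)  # disabled in AD just after that sync
    waiting = revocation_delay(disabled_at, scheduled)
    # Admin sets NextSyncAt to NULL at 00:10: the next hourly wake-up syncs the domain.
    forced = sync_times(day + timedelta(hours=1), None, 8)
    return waiting, revocation_delay(disabled_at, forced)

if __name__ == "__main__":
    waiting, forced = demo()
    print("scheduled sync picks up the disable after", waiting)
    print("forced sync picks up the disable after", forced)
```

With the default settings the model gives a delay of just under five hours when wake-ups and NextSyncAt are out of phase, and under one hour when NextSyncAt is set to NULL after the account is disabled.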