Tables
Permissions - Contain the permission definitions (eg, “Can Process Alarms”, “Can Process Alarms Older Than Y seconds”, “Can Edit Setup”)
User Roles - A custom “Role” (eg, “Operator”, “Supervisor”, “Admin”)
UserRolePermissions - The permissions granted to a Role (eg, “Operators have Can Process Alarms”)
UserGroups - Custom Groups (eg, “Campus A Operators”)
UserGroupRoles - What UserRoles a UserGroup has, and where to apply them (eg, “Campus A operators have Operator role on Campus A”)
UserGroupMembership - Which users are members of which group (eg, “Gary is in Campus A operators”)
A User is added to a UserGroup with an entry in the UserGroupMembership table
A UserGroup is associated to a Tenancy (GroupID column) and will have one or multiple UserGroupRoles
A UserGroupRole associates a UserGroup with a UserRole and sets the appropriate Group/Area Permissions
A UserRole will have one or multiple UserRolePermissions
UserRolePermissions reference the Permissions definitions
Automatically adding AD users to Immix based on group membership
There are two tables - Domain and DomainGroup
The Domain table should have the domain name, and the station’s group ID. Most customers will only ever need one entry in this table, but if they have multiple domains, this will be important.
DomainGroup holds the groups for the domain. For each entry, there should be the Domain this is for, the name of the group, and the UserGroupID that this will add users to.
Select * from Prefs where preftypeID=79
Select * from Domain
Select * from DomainGroup
- User logs in via AD, but user does not exist in Immix
- If AD domain isn’t set up, user login fails
- User checked for AD groups
- Groups matched against Domain Groups
- If a user isn’t part of any groups that are set up in Domain Groups table for that domain, then login fails
- User is added to Immix, and added to relevant user groups. Sync column is set to the domain ID so that the user can be automatically updated via AD sync service
Help SQL Scripts
SELECT UserID, Username, SyncWithDomainID FROM Users;

SELECT * FROM UserGroupMembership ugm
INNER JOIN UserGroup ug ON ugm.UserGroupID = ug.UserGroupID;

SELECT u.Username, u.FullName, ugm.UserID, ug.Title AS 'Role', ugm.UserGroupID, d.DomainName,
    (CASE WHEN u.SyncWithDomainID IS NULL
        THEN NULL
        ELSE dg.DomainGroup
    END
    ) AS 'Domain Group'
FROM UserGroupMembership ugm
INNER JOIN UserGroup ug ON ugm.UserGroupID = ug.UserGroupID
INNER JOIN Users u ON u.UserID = ugm.UserID
LEFT JOIN Domain d ON d.DomainID = u.SyncWithDomainID
LEFT JOIN DomainGroup dg ON dg.UserGroupID = ugm.UserGroupID;
SVDomainSync
SVDomainSync is a service that syncs Immix users with Active Directory users. It uses telnet trace port 16200.
It must be logged in with a user account that has access to the domain in order to function.
When running, it will check hourly for domains that have not been synced in the past 4 hours. It will then set the NextSyncAt to 4 hours from now, and sync users. These times can be changed in the config - ExecuteIntervalHours marks how often to run, and DomainUpdateFrequencyHours is how often to sync a domain. You can force a domain to be synced by setting the NextSyncAt value in the Domain table to NULL.
It will only sync users with SyncWithDomainID set. By default, this will only be users who have been automatically added via Active Directory. However, you can also set users who were manually added to be automatically synced by setting this value in the Users table.
When the service syncs a user, it will update which user groups a user is a member of, as well as name, email address and telephone. If the user account is disabled in Active Directory, it will be disabled in Immix.
Optionally, Immix users not found in Active Directory can be deleted from Immix. The config setting DeleteOnNotFound controls this - by default, it is off, and Immix users not found in AD will be disabled in Immix. If set to true, the user account will instead be deleted.
Users disabled or deleted in this manner will be logged out of Immix; the service will delete from the UserSessions table.
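The sync outcomes described above, modelled as an added Python example. This is not Immix code: the class, function names and sample data are hypothetical, and treating a synced user's membership as exactly the mapped AD groups is an assumption. It shows that accounts without SyncWithDomainID set are never touched by the service, so disabling them in AD has no effect in Immix.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class ImmixUser:
    username: str
    sync_with_domain_id: Optional[int]          # Users.SyncWithDomainID
    groups: set = field(default_factory=set)    # UserGroupIDs held
    enabled: bool = True
    has_session: bool = True                    # row in UserSessions

def sync_domain(domain_id, users, ad, domain_groups, delete_on_not_found=False):
    """Model of one sync pass over one domain (hypothetical helper).

    ad:            {username: {"enabled": bool, "groups": {AD group names}}}
    domain_groups: {AD group name: UserGroupID}, i.e. DomainGroup rows
    Returns (users still present, {username: action}).
    """
    kept, actions = [], {}
    for u in users:
        if u.sync_with_domain_id != domain_id:
            # Not flagged for sync: AD changes never reach this account.
            kept.append(u)
            actions[u.username] = "skipped"
            continue
        entry = ad.get(u.username)
        if entry is None and delete_on_not_found:
            actions[u.username] = "deleted"     # account and session removed
            continue
        if entry is None or not entry["enabled"]:
            u.enabled = u.has_session = False   # disabled and logged out
            actions[u.username] = "disabled"
        else:
            # Assumption: membership becomes exactly the mapped AD groups.
            u.groups = {domain_groups[g] for g in entry["groups"] if g in domain_groups}
            actions[u.username] = "updated"
        kept.append(u)
    return kept, actions

def demo(delete_on_not_found=False):
    # Constructed sample data, not taken from a real system.
    ad = {"gary": {"enabled": True, "groups": {"CampusA-Ops", "Staff"}},
          "lee": {"enabled": False, "groups": {"CampusA-Ops"}}}
    domain_groups = {"CampusA-Ops": 12}
    users = [ImmixUser("gary", 1, {99}), ImmixUser("lee", 1, {12}),
             ImmixUser("sam", 1, {12}),            # no longer in AD
             ImmixUser("localadmin", None, {1})]   # manually added, not synced
    return sync_domain(1, users, ad, domain_groups, delete_on_not_found)
```

With the default setting, demo() disables both the AD-disabled account and the one missing from AD; demo(True) deletes the missing one instead, and the unsynced account is skipped either way.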
Setup
This requires the UserGroup feature flag, and the CanEditUserGroups permission.
The Permissions menu item will let you edit user roles and groups.