4 Replies Latest reply on Nov 18, 2019 11:59 PM by Vinayak Jadhav

    Sync AD Group Membership to Users?

    Jan Lindhardsen

      Hi All!

       

      First of all, my requirement is to sync or validate ARS users against our AD to check (some) Permission group memberships.

       

      I do find the AREA documentation somewhat lacking, and when trying to vacuum the community I see a somewhat fractured picture of the built-in LDAP features.

       

      My understanding is that if I want to validate users' memberships based on AD groups, then the user has to be an AD user, meaning:

      • The user has to be an AD only user, it cannot be a local user present in the User form.
      • In other words, it is an all or nothing functionality.

      Is this correct?

       

      So, for many reasons this is not a viable (or at least not preferred due to the of groups and attributes that we then have to place and maintain in AD.

       

      So what can I do to achieve this?

      I’m thinking maybe:

      1. A Spoon job that searches all my users (in User form) and returns their AD group memberships (given a certain prefix)
      2. Insert the username and all the groups into a staging form
      3. From the staging update the Group List in User form, based on the group fetched from AD.

       

      Is this possible? Has anyone done anything similar?

       

      Just to be clear, this is for a custom built Remedy ARS application, not ITSM.

        • 1. Re: Sync AD Group Membership to Users?
          Marek Ceizel

          Hello Jan,

           

          I can confirm the solution you describe at the end. We use ITSM and synchronize the Permission Groups/Users from AD.

          The idea behind it is that we have a mapping table, as AD (of course) doesn't contain the Permission Groups names from ITSM.

           

          So we do everything in a quite complex AI Job where we take records from AD (LDAP) and existing users from CTM:People. Then we have to care about the Licenses, Permission Groups, Application Licenses, People Record Status, etc. At the end the user is created/modified/deprecated from the point of view of Permissions/Licenses/Existence in AD in the User/CTM:People form. For the Permissions attribute that comes from AD we map Permission Groups of ITSM (custom mapping which we define and can modify in a regular form). We don't even use a staging form in this whole AI Job.

           

          For you this should all be much easier: as you have only ARS, you don't need to care about the Groups mapping and you can create the Group Names exactly as they come from AD. The rest is also much easier, as you only have to care for the User form and don't have CTM:People.

           

          hope it helps a bit

           

          regards

          Marek

          2 of 2 people found this helpful
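
The sync proposed in the question and confirmed in reply 1, reduced to its reconciliation step, as an added example (not code from either poster or from BMC). The `ARS-` prefix, the function names, the `managed` set and the sample DNs are assumptions; reading `memberOf` over LDAP and writing the Group List back to the User form are left to the Spoon job.

```python
PREFIX = "ARS-"  # assumption: AD groups that drive ARS permissions share this prefix

def group_cn(dn):
    # Return the CN of a group DN, or None if the first RDN is not a CN.
    # Backslash escapes (a comma inside a group name) are honoured;
    # hex-pair escapes are not decoded in this sketch.
    out, i = [], 0
    while i < len(dn) and dn[i] != ",":
        if dn[i] == "\\" and i + 1 < len(dn):
            i += 1                      # keep the escaped character literally
        out.append(dn[i])
        i += 1
    attr, _, value = "".join(out).partition("=")
    return value.strip() if attr.strip().lower() == "cn" else None

def ad_groups(member_of, mapping=None):
    # ARS group names a user should hold according to AD. `mapping` is the
    # optional AD-name -> ARS-name table described in reply 1.
    wanted = set()
    for dn in member_of or []:          # None = user not found in AD
        cn = group_cn(dn)
        if cn and cn.lower().startswith(PREFIX.lower()):
            wanted.add((mapping or {}).get(cn, cn))
    return wanted

def reconcile(current, member_of, managed, mapping=None):
    # Only groups listed in `managed` are ever added or removed, so groups
    # assigned locally in the User form survive the sync, while AD-driven
    # groups the user no longer holds in AD are revoked.
    wanted = ad_groups(member_of, mapping) & set(managed)
    held = set(current) & set(managed)
    added, removed = wanted - held, held - wanted
    new_list = sorted((set(current) - removed) | added)
    return new_list, sorted(added), sorted(removed)

# Constructed sample data (not from the thread).
SAMPLE_CURRENT = ["Local-Reports", "ARS-Approver", "ARS-Admin"]
SAMPLE_MEMBER_OF = [
    "CN=ARS-Approver,OU=Groups,DC=example,DC=test",
    "CN=ARS-Change\\, Emergency,OU=Groups,DC=example,DC=test",
    "CN=Domain Users,CN=Users,DC=example,DC=test",
]
SAMPLE_MANAGED = {"ARS-Approver", "ARS-Admin", "ARS-Change, Emergency"}

if __name__ == "__main__":
    print(reconcile(SAMPLE_CURRENT, SAMPLE_MEMBER_OF, SAMPLE_MANAGED))
```

Logging the `added` and `removed` lists for each run gives an audit trail of permission changes made by the job.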
          • 2. Re: Sync AD Group Membership to Users?
            Vinayak Jadhav

            Hello Jan,

             

            The user need not be an AD-only user to validate the user's membership against AD. You can validate if your user is present in AD as well as in the User form.

             

             

             

             

            Regards,

            Vinayak.

            • 3. Re: Sync AD Group Membership to Users?
              Jan Lindhardsen

              Vinayak, could you please share some details on this?

              How do you verify a user's AD group memberships while the user is an ARS User form user?

              • 4. Re: Sync AD Group Membership to Users?
                Vinayak Jadhav

                Hi Jan,

                 

                Can you please share your exact requirement?

                 

                Regards,

                Vinayak.