How can I log in to IAM Modules with a user who has a specific Active Directory Security Group?

Hello,

I tried to use the "Active Directory User Account (manual input)" method, and users can log in to the Modules successfully with their AD accounts. But our customer asked me how we can control the users' permissions. We don't want every AD user to be able to log in to the Modules. Only users who are members of a specific AD security group, which we will create, should be able to log in to the Modules. Is it possible to manage the authentication method based on AD security groups? Which authentication method should we use, with what kind of configuration?

  • One customer's version is 8.1.3 and the other one is 8.1.1. I mean fat clients (Designer, Launchpad, Manager, etc.)

  • Option 1 is to use the program functions ApplicationStart_<Toolname>, for example ApplicationStart_Manager, for this. The drawback is that some of these are already assigned to the ootb permission groups. That means you would have to copy some of the ootb groups and create your custom ones without these functions assigned. Then assign the needed program functions to a permission group and this group to an application role. Then make the membership dynamic.

    Option 2, and I think this is the better one, use the OAuth / OpenID Connect authenticator for the fat client authentication and restrict the groups in the IDP itself.
