Configure user creation - Data360_Analyze - Latest

Data360 Analyze Server Help

Product type: Software
Portfolio: Verify
Product family: Data360
Product: Data360 Analyze
Version: Latest
Language: English
Product name: Data360 Analyze
Title: Data360 Analyze Server Help
Copyright: 2024
First publish date: 2016
Last updated: 2024-11-28
Published on: 2024-11-28T15:26:57.181000
Note: You must be an Administrator to have access to configure SSO and LDAP/AD settings.

Depending on the authentication method that you have set up, users can either be created manually or dynamically in Data360 Analyze:

  • Manual user creation - Administrators can create users locally in Data360 Analyze, see Creating local users.
  • Dynamic user creation - If you have SSO or LDAP/AD authentication enabled, users can be automatically created on sign in as follows:
    • If you have enabled SSO authentication, local users can be created on sign in based on the value passed from CA Single Sign-On in the SM_USER header. Alternatively, if you have configured LDAP/AD integration, users will be searched for within the LDAP/AD source system using the value passed from CA Single Sign-On in the SM_USER header, and then created based on their LDAP/AD profile.
    • If you have configured LDAP/AD integration, users can be automatically created on sign in or imported based on their LDAP/AD user accounts.

To configure dynamic user creation for SSO or LDAP/AD users, or to manually import users from LDAP/AD:

  1. From the Directory, select Settings.
  2. Select User Accounts.

    From the Details panel, you can:

    • Select default roles for new user accounts, see General.
    • Select whether you want to create user accounts on demand, see On Demand User Creation.
    • Configure the LDAP Server connection details used for the import.
    • Enter the LDAP import settings for your LDAP/AD server, including the option to automate LDAP/AD synchronization.
    • Configure Advanced Settings for LDAP/AD imports, including LDAP alias dereferencing.

General

Property Description
Default roles for new users

Select one or more default user roles to assign to new users when they are created as part of on-demand user creation.

If you do not want to assign a user role immediately, you can leave this field blank. For more information on the user roles that are available in Data360 Analyze, see User roles.

Tip: If you want to edit the user role for a particular user at a later date, you can do this by selecting the Users collection from the Directory, see Managing users.
Default roles for new groups

Select one or more default roles to assign to new groups when they are created as part of on-demand group synchronization.

On Demand User Creation

Property Description
Do not create user account

Select this option if you do not want user accounts to be created dynamically. In this case, Admin users can manually create new user accounts, see Creating local users.

Create local account

Select Create local account to enable local user accounts to be automatically created the first time a user signs in to Data360 Analyze.

Sync groups

When Create local account is selected, select Sync groups if you want to enable SAML SSO group management.

Import from LDAP

Select Import from LDAP to enable user accounts to be automatically created from external systems. If you have integrated with SSO or LDAP/AD and you select this option, the first time that an LDAP/AD or SSO user signs in to Data360 Analyze, their account will be automatically created.

Note: If you want to import user account details via LDAP/AD, you must also complete the LDAP Server and LDAP import fields.

If you do not select this option, you can manually import LDAP/AD users by clicking the import button when you have finished entering your LDAP/AD settings.

Update user accounts on every sign in

Select Update user accounts on every sign in if you want Data360 Analyze to synchronize with your LDAP/AD server each time an LDAP/AD user signs in to gather the latest user account information. Note that this action could take some time to complete.

Bulk import

Property Description
Schedule update and Import Now

You can set the Schedule update every X days at X property to enable automatic synchronization with your LDAP/AD source system to regularly obtain the latest user account information.

Note: Updates can only occur when the server is running. If the server is restarted, the next sync happens at the scheduled time, not immediately after the server restarts.

When you have finished entering your LDAP/AD settings, click the Import Now button to import users and groups from your LDAP/AD server. When the import is complete, an import summary is displayed in the Details panel.

Note: The Import Now button is only enabled when you have completed the LDAP Server and LDAP import sections.

LDAP Server

Enter the import server connection settings for your LDAP/AD server, as per the examples in the following table:

Server Connection property Description
LDAP

- or -

Active Directory

Select LDAP or Active Directory depending on your external source system.
Server URL

Specify the name of the server which hosts your LDAP/AD source system, including the port number and root DN, in the following format:

<protocol>://<server>:<port number>/<rootDN>

ldap://server.example.com:389/ou=someOrgUnit,dc=example,dc=com

The root Distinguished Name (root DN) defines the entry point in the LDAP/AD structure from which the import will take place.

Note: We recommend that you set the root DN to the lowest possible point in the LDAP/AD structure.

Using a secure connection to import LDAP/AD users and groups

If you want to enable LDAP over SSL, use the "ldaps" protocol in your URL and ensure that the port number corresponds to the LDAPS port number on the LDAP server (636 is the standard LDAPS port; 389 is the standard port for plain LDAP):

ldaps://server.example.com:636/ou=someOrgUnit,dc=example,dc=com

You must then install security certificates on both your source LDAP/AD server and the Data360 Analyze server. See Adding SSL certificates > Installing the certificate for more details.

Application User DN

Enter the Application User DN. This is the DN of the LDAP binding user that will be used to connect to the source system when performing an import.

CN=User,DC=example,DC=com

Application User Password

Enter the Application User Password that corresponds to the Application User DN.
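A small offline check for the Server URL format and the secure connection notes above. This is an added example, not Data360 Analyze code: parse_server_url() splits a URL of the form <protocol>://<server>:<port number>/<rootDN> with Python's urllib, fills in the default port (389 for ldap, 636 for ldaps) when none is given, and reports warnings for plain ldap, for ldaps on port 389, and for a root DN that has only a couple of components. The "broad root DN" threshold is the example's own heuristic, chosen to echo the page's advice to set the root DN as low as possible.

```python
"""Added example: validate a Data360 Analyze "Server URL" value before pasting it in.

Assumed format (from the page): <protocol>://<server>:<port number>/<rootDN>
This is not Data360 Analyze code; it only inspects the string.
"""
from urllib.parse import urlsplit, unquote

# IANA default ports for plain LDAP and for LDAP over TLS (LDAPS).
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def parse_server_url(url):
    """Split a Server URL into its parts and collect configuration warnings.

    Raises ValueError when the URL cannot be used at all.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported protocol '{parts.scheme}': use ldap or ldaps")
    if not parts.hostname:
        raise ValueError("missing server name (expected <protocol>://<server>...)")
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    root_dn = unquote(parts.path.lstrip("/"))
    if not root_dn:
        raise ValueError("missing root DN after the server and port")

    warnings = []
    if scheme == "ldap":
        warnings.append("plain ldap: the Application User Password and the imported "
                        "account data cross the network unencrypted")
    if scheme == "ldaps" and port == DEFAULT_PORTS["ldap"]:
        warnings.append("ldaps on port 389: 389 is normally the plain LDAP port; "
                        "confirm the server's LDAPS port (usually 636)")
    # Root DN depth: more components means a narrower import scope, which is what
    # the page recommends. The threshold of 2 is this example's own heuristic.
    depth = len([c for c in root_dn.split(",") if c.strip()])
    if depth <= 2:
        warnings.append(f"root DN '{root_dn}' is very broad; consider an OU that "
                        "contains only the users who need access")
    return {"scheme": scheme, "host": parts.hostname, "port": port,
            "root_dn": root_dn, "depth": depth, "warnings": warnings}


def is_valid_server_url(url):
    """True when parse_server_url() accepts the URL, False otherwise."""
    try:
        parse_server_url(url)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for candidate in (
        "ldap://server.example.com:389/ou=someOrgUnit,dc=example,dc=com",
        "ldaps://server.example.com:389/ou=someOrgUnit,dc=example,dc=com",
        "ldaps://server.example.com:636/ou=someOrgUnit,dc=example,dc=com",
        "http://server.example.com/dc=example,dc=com",
    ):
        try:
            result = parse_server_url(candidate)
            print(candidate, "->", result["warnings"] or "no warnings")
        except ValueError as err:
            print(candidate, "-> rejected:", err)
```

Run it as a script to see each sample URL either rejected or listed with its warnings; the warnings are advisory, so an ldaps URL on port 389 is still accepted because some servers are deliberately configured that way.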

LDAP import

Enter the import settings for your LDAP/AD server, as per the examples in the following table:

Import Settings property Description
Username Attribute

Specify the attribute on your source LDAP/AD system that will be used as the username for the imported users, for example:

userPrincipalName

uid

User Filter

Applying a filter

You must apply a user filter to determine how users are identified on the source system and, optionally, to limit the import to only those users who require access to Data360 Analyze. You can apply a filter by using standard LDAP query syntax, as in the following examples, where objectClass=<something> is used to identify users in the source system.

A value is required for this property.

Filtering to exclude an attribute

(&(!(|(ou:dn:=ResearchAndDevelopment)(ou:dn:=HumanResources)))(objectClass=person))

This query would import all objects that have an objectClass attribute of "person", and would exclude objects that have an Organizational Unit attribute of "HumanResources" OR "ResearchAndDevelopment".

Using the wildcard operator

(objectClass=*)

This query would import all objects that have the objectClass attribute populated with a value.

Import usernames as lowercase

Select Import usernames as lowercase to enable users to enter their login username in lower case and still access the system. This option is useful when integrating with an LDAP/AD system that performs case-insensitive authentication.

If you do not select this option, usernames will be imported in their original case.

For example, with the username set to "aUser" on AD:

  • If Import usernames as lowercase is not selected, users can only access Data360 Analyze with the 'aUser' login name (case sensitive).
  • If Import usernames as lowercase is selected, users can only access Data360 Analyze with the 'auser' login name (lowercase only).

Import Groups

Select Import Groups if you want to import groups as well as users.

Group Filter

If you are importing groups, you must apply a filter to identify the groups on the source system and, optionally, to limit the import to groups that match specific filter criteria. You can apply a filter by typing standard LDAP query syntax, as in the following example, where objectClass=<something> is used to identify a group in the source system.

Filtering for multiple attributes

(&(objectClass=groupOfNames)(memberOf=CN=Data360 Analyze Users Group,dc=example,dc=com))

This query would import objects that have an objectClass attribute of "groupOfNames" AND are members of the "Data360 Analyze Users Group".

Group Name Attribute

Specify the attribute on your source LDAP/AD system which will be used as the group name for groups that you import to Data360 Analyze.

Group Member Attribute

Specify the attribute on the source LDAP/AD system that identifies users that are members of the group.

Paging limit

Setting a paging limit

To allow data to be handled in set sizes and avoid slowing down the LDAP/AD system when handling large data sets, paging limits are often set on LDAP/AD systems. You must align Data360 Analyze with your source system by entering a paging limit that is the same or less than the paging limit that is set on your LDAP/AD source system.

Please contact your LDAP/AD administrator regarding the paging limit that is set on your source system.

If your source system specifies a paging limit of "5", and you set a paging limit of "0" (unlimited) in Data360 Analyze, you would receive an error because this is greater than the paging limit of "5" that is specified on the source system. Similarly, if you specified a paging limit of "10" in Data360 Analyze, you would receive an error stating that you have exceeded the page limit size that is set in the source system. By entering a paging limit of "5" or less in Data360 Analyze, the import would complete successfully, as this corresponds to the paging limit that is set on the source system.
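A way to try a User Filter or Group Filter against sample entries before running an import, so that an over-broad filter is caught before it creates accounts. This is an added example, not Data360 Analyze code and not an LDAP client: it parses the subset of LDAP filter syntax used in the User Filter and Group Filter examples above (and, or, not, attribute=value, the attribute=* presence test, and the attribute:dn:= form that also matches components of the entry's own DN) and runs the filters over a constructed list of entries. Values containing ')' or escaped characters are outside its scope.

```python
"""Added example: evaluate the page's User Filter and Group Filter against sample entries.

Not Data360 Analyze code. Supports the filter subset used on this page:
(&...), (|...), (!...), (attr=value), (attr=*) and (attr:dn:=value).
"""

# Filters quoted from the page.
USER_FILTER = "(&(!(|(ou:dn:=ResearchAndDevelopment)(ou:dn:=HumanResources)))(objectClass=person))"
GROUP_FILTER = "(&(objectClass=groupOfNames)(memberOf=CN=Data360 Analyze Users Group,dc=example,dc=com))"

# Constructed sample entries (not taken from any real directory).
SAMPLE_ENTRIES = [
    {"dn": "cn=JBloggs,ou=People,dc=example,dc=com", "objectClass": ["person"]},
    {"dn": "cn=ABooth,ou=HumanResources,dc=example,dc=com", "objectClass": ["person"]},
    {"dn": "cn=RDev,ou=ResearchAndDevelopment,dc=example,dc=com", "objectClass": ["person"]},
    {"dn": "cn=Printer1,ou=Devices,dc=example,dc=com", "objectClass": ["device"]},
    {"dn": "cn=Analysts,ou=Groups,dc=example,dc=com", "objectClass": ["groupOfNames"],
     "memberOf": ["CN=Data360 Analyze Users Group,dc=example,dc=com"]},
    {"dn": "cn=Stale,ou=Groups,dc=example,dc=com"},  # objectClass not populated
]


def parse_filter(text):
    """Parse a filter string into a small tree of tuples."""
    text = text.strip()
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError(f"unexpected text after filter at offset {pos}")
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    op = s[i]
    if op in ("&", "|"):
        i += 1
        children = []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return (op, children), i + 1
    if op == "!":
        child, i = _parse(s, i + 1)
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return ("!", child), i + 1
    # Simple item: everything up to the next ')' (values containing ')' are not supported).
    j = s.index(")", i)
    attr, value = s[i:j].split("=", 1)
    return ("=", attr, value), j + 1


def _attribute_values(entry, attr):
    """Case-insensitive attribute lookup; always returns a list."""
    for key, val in entry.items():
        if key.lower() == attr.lower():
            return val if isinstance(val, list) else [val]
    return []


def _dn_values(dn, attr):
    """Values of the given attribute type among the entry's own DN components."""
    values = []
    for part in dn.split(","):
        if "=" in part:
            name, val = part.split("=", 1)
            if name.strip().lower() == attr.lower():
                values.append(val)
    return values


def matches(node, entry):
    """True when the parsed filter selects the entry."""
    kind = node[0]
    if kind == "&":
        return all(matches(child, entry) for child in node[1])
    if kind == "|":
        return any(matches(child, entry) for child in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, value = node
    # "ou:dn:" means: also match the attribute inside the entry's DN.
    attr_parts = attr.split(":")
    attr_name = attr_parts[0]
    use_dn = any(p.lower() == "dn" for p in attr_parts[1:])
    candidates = list(_attribute_values(entry, attr_name))
    if use_dn:
        candidates += _dn_values(entry.get("dn", ""), attr_name)
    if value == "*":
        return bool(candidates)  # presence filter: attribute has at least one value
    return any(c.lower() == value.lower() for c in candidates)


def apply_filter(filter_text, entries):
    """Return the DNs of the entries the filter would select."""
    node = parse_filter(filter_text)
    return [e["dn"] for e in entries if matches(node, e)]


if __name__ == "__main__":
    for name, flt in (("User Filter", USER_FILTER), ("Group Filter", GROUP_FILTER),
                      ("wildcard", "(objectClass=*)")):
        print(name, "->", apply_filter(flt, SAMPLE_ENTRIES))
```

Against the constructed entries the page's User Filter keeps only the person under ou=People, the wildcard filter keeps everything that has an objectClass value, and the Group Filter keeps only the group that carries the expected memberOf value; swapping in your own filter and a handful of entries copied from your directory shows whether a filter is wider than intended before any accounts are created.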

Advanced Settings

You also have the option to configure the following advanced settings:

Advanced Settings property Description
Referral

Select an option to configure the URL referral.

Choose from:

  • ignore - prevents any referrals from being followed.
  • follow - enables referrals to be automatically followed.
  • throw - causes the import to fail when a referral is given.
Search Sub-Tree

Select Search Sub-Tree to search for users in the entire sub-tree relative to the rootDN.

Search Time Limit

Specify the time to wait in milliseconds before the search fails. A value of zero means that there is no limit.

Search Count Limit

Specify the maximum number of results that can be returned in a search. A value of zero means that there is no limit.

Ignore Partial Result Error

Specify whether partial result errors should be ignored in searches.

Configuring LDAP alias dereferencing

You can use the Key/Value table to specify settings specific to your LDAP or AD server, for example, you can configure LDAP alias dereferencing.

In an LDAP system, an "alias entry" is a directory entry that points to another entry. By default, Data360 Analyze does not set the behavior of alias dereferencing on LDAP imports, therefore the source LDAP system will follow its own alias dereferencing settings during an LDAP import.

You can configure LDAP alias dereferencing by entering the following key: java.naming.ldap.derefAliases

Then enter one of the following values:

Alias dereferencing property values:

  • always - Always dereference aliases. LDAP imports include objects that are referenced by an alias.
  • never - Never dereference aliases. LDAP imports do not include objects that are referenced by an alias.
  • finding - Only dereferences aliases that are one level deep in the LDAP directory. LDAP imports do not include aliases that are referenced by another alias. For example, if alias "A" references alias "B", alias "B" is not dereferenced.

Consider the following LDAP directory structure:

"ou=Staff" is an alias that points to "ou=People". There are two user entries referenced by "ou=People":

  • "cn=JBloggs"
  • "cn=ABooth"

"cn=New, ou=People" is an alias pointing to "cn=SJobs, ou=NewHires".

The following table outlines the effect of changing the alias dereferencing property value on an LDAP import that is set to search from "ou=Staff":

Result of the LDAP import for each alias dereferencing property value:

  • always - "cn=JBloggs", "cn=ABooth" and "cn=SJobs" are imported.
  • never - Nobody is imported.
  • finding - "cn=JBloggs" and "cn=ABooth" are imported.
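The directory structure above, modelled in Python so that the effect of each java.naming.ldap.derefAliases value on the import can be reproduced. This is an added example, not Data360 Analyze code: the directory is a constructed dictionary of DNs in which "alias_to" marks an alias entry, and import_users() applies the three values as the page defines them (never resolves nothing, finding resolves only the search start point, always resolves every alias met). The real dereferencing is performed by the LDAP server and the Java naming library, not by this script.

```python
"""Added example: how the java.naming.ldap.derefAliases value changes which users an import finds.

Not Data360 Analyze code. The directory below is a constructed model of the structure
described on the page ("ou=Staff" is an alias for "ou=People"; "cn=New,ou=People" is an
alias for "cn=SJobs,ou=NewHires").
"""

# Constructed directory: DN -> attributes. "alias_to" marks an alias entry.
DIRECTORY = {
    "ou=Staff": {"alias_to": "ou=People"},
    "ou=People": {},
    "ou=NewHires": {},
    "cn=JBloggs,ou=People": {"user": "JBloggs"},
    "cn=ABooth,ou=People": {"user": "ABooth"},
    "cn=New,ou=People": {"alias_to": "cn=SJobs,ou=NewHires"},
    "cn=SJobs,ou=NewHires": {"user": "SJobs"},
}

# The three values listed on the page.
MODES = ("always", "never", "finding")


def children(dn):
    """Entries exactly one level below dn, by DN string, without dereferencing anything."""
    suffix = "," + dn
    return [d for d in DIRECTORY if d.endswith(suffix) and "," not in d[:-len(suffix)]]


def dereference(dn):
    """Follow an alias chain to the entry it finally points at."""
    seen = set()
    while "alias_to" in DIRECTORY.get(dn, {}):
        if dn in seen:
            raise ValueError(f"alias loop at {dn}")
        seen.add(dn)
        dn = DIRECTORY[dn]["alias_to"]
    return dn


def import_users(base_dn, mode):
    """Users a sub-tree import starting at base_dn would pick up under the given mode.

    always  - dereference the start point and every alias met while searching
    never   - dereference nothing
    finding - dereference only the start point, not aliases found below it
    """
    if mode not in MODES:
        raise ValueError(f"unknown mode {mode!r}; expected one of {MODES}")
    base = dereference(base_dn) if mode in ("always", "finding") else base_dn
    if base not in DIRECTORY or "alias_to" in DIRECTORY[base]:
        return []  # the start point is an unresolved alias, so the search finds nothing

    found = []

    def walk(dn):
        for child in children(dn):
            target = dereference(child) if mode == "always" else child
            attrs = DIRECTORY[target]
            if "alias_to" in attrs:
                continue  # alias left unresolved under never/finding
            if "user" in attrs:
                found.append(attrs["user"])
            walk(target)

    walk(base)
    return found


if __name__ == "__main__":
    for mode in MODES:
        print(f"{mode:8} from ou=Staff -> {import_users('ou=Staff', mode)}")
```

Running the script from "ou=Staff" reproduces the page's table: never finds nobody because the start point itself is an alias, finding resolves "ou=Staff" to "ou=People" and returns JBloggs and ABooth, and always also follows "cn=New" to SJobs. Starting from "ou=People" instead shows that never still returns the two direct members, which is the difference between a setting that hides every alias and one that merely refuses to resolve the start point.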

When you have finished entering your LDAP/AD import settings, click the Import Now button to import users and groups from your LDAP/AD server. When the import is complete, an import summary is displayed in the Details panel.

Synchronizing with LDAP/AD

After you have completed the initial LDAP import, you can synchronize Data360 Analyze users and groups with your LDAP/AD server at any time by clicking the Import Now button.

Or, if you have selected Update user accounts on every sign in or Schedule update every X days at X, new user accounts will be created automatically as specified.

CAUTION:
Data360 Analyze assumes that a user who is being imported from LDAP/AD with the same username and DN as a previously imported user, who has since been deactivated in Data360 Analyze, is the same user. Therefore, the deactivated Data360 Analyze user will be re-instated, and they will regain access to their old Data360 Analyze documents.

See also:

Stopping the scheduler