Management of large multi user sites
Hi
We operate a number of concrete plants / quarries where users potentially need access to multiple sites.
I'm trying to work out the best possible way to manage this. We could potentially end up with 100s of sites and users.
I've created security groups in AD but when the systems are merged it looks like LDAP queries only one group. Is it possible to nest multiple queries in the one search filter? Issue again is that I could have 100s of security groups (one or more for each plant). Also adding groups within a group in AD LDAP doesn't fetch these users?
It would be great if NX roles could be applied to a security group rather than individuals? Users could be members of multiple groups and would be assigned the role of that group.
Where users require access to multiple sites do I have to create a role just for them?
Glad to hear from other users with large sites in a similar situation and how they manage it.

-
Hello Jason,
We are currently working on the new integration with the LDAP. Likely it is going to be available in the 4.3 version, which is planned for the next year.
The new version will allow to:
- Fetch users within the nested group.
- Fetch users automatically when they are added to the LDAP.
- Assign rights and permissions for fetched users automatically based on what group in LDAP they are.
- Apply roles in Nx to groups in LDAP, and, therefore, have users with multiple roles.
I'm not sure if it will be possible to nest multiple queries in the one search filter, I'll check and add the answer here later.
1 -
Hi Jason,
I'm happy to tell you that it is already possible in existing versions to query multiple groups from AD. The Search Filter field in LDAP Settings allows you to define search criteria using LDAP search filter syntax. HERE I found exactly how your query should look. So you can choose between:
1) (|(memberOf=<Group1 DN>)(memberOf=<Group2 DN>)…)
and
2) memberOf:1.2.840.113556.1.4.1941:=<Grouping group DN>
0 -
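Added example, not part of the thread or of Nx's own code: a Python helper that builds both filter forms from the reply above for any number of plant groups, escaping each DN per RFC 4515 so a group name containing parentheses or an asterisk cannot change the filter's meaning. The group DNs are constructed samples, and the fully parenthesised output is an assumption about what the Search Filter field accepts.

```python
# Added example: build the Search Filter strings discussed in the reply above.

IN_CHAIN = "1.2.840.113556.1.4.1941"  # AD matching-rule OID quoted in the reply

# Characters that must be escaped inside a filter value (RFC 4515).
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Constructed sample DNs, one security group per plant or quarry.
PLANT_GROUPS = [
    "CN=NX-Plant-North,OU=NX,DC=example,DC=com",
    "CN=NX-Quarry (East),OU=NX,DC=example,DC=com",
]


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def any_group_filter(group_dns, nested=False):
    """OR together one memberOf clause per group DN.

    nested=True uses the in-chain matching rule, so users who belong to a
    group nested inside a listed group also match.
    """
    dns = list(dict.fromkeys(group_dns))  # drop duplicates, keep order
    if not dns:
        raise ValueError("at least one group DN is required")
    attr = f"memberOf:{IN_CHAIN}:" if nested else "memberOf"
    clauses = [f"({attr}={escape_filter_value(dn)})" for dn in dns]
    if len(clauses) == 1:
        return clauses[0]
    return "(|" + "".join(clauses) + ")"


if __name__ == "__main__":
    print(any_group_filter(PLANT_GROUPS))
    print(any_group_filter(["CN=NX-All-Sites,OU=NX,DC=example,DC=com"], nested=True))
```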
The new version will allow to:
- Fetch users within the nested group.
- Fetch users automatically when they are added to the LDAP.
- Assign rights and permissions for fetched users automatically based on what group in LDAP they are.
- Apply roles in Nx to groups in LDAP, and, therefore, have users with multiple roles.
Is there any update on these features? We are particularly interested in fetching users automatically and assigning rights based on LDAP groups. We basically want to be able to add a user in a certain group in our AD and that is automatically replicated in NX.
If this is not going to be available in the short term, can you suggest any workarounds to get this functionality, e.g. middleware calling APIs or using the SDK?
A quick look at the APIs shows we can enable users and add them to the appropriate group, but there is no way to fetch new users in the first place without a manual button click?
0 -
Hello Rob,
Although this feature is on our roadmap and we are starting the development quite soon, it won't be available in 4.3 as we wrote before. Currently it is planned for the next release after 4.3.
And unfortunately there's no workaround to get this automation for now.
0 -
@..., thanks for your comments.
there is no way to fetch new users in the first place without a manual button click?
You can create users and do anything with them using API. Take a look at POST /ec2/saveUsers and POST /ec2/saveUser
Your automation (let's say, python script) could take LDAP users and create them in our system and then assign them to appropriate groups -- I see no reason why this shouldn't work. But all sync will be performed by your script. Let me know if you are willing to create such automation. You can also post any issues you will encounter to Developer Forum, our support engineers will help you there.
Thanks!
0 -
Oh, probably, you want to automatically fetch from LDAP using the Nx function, I see. This might not be possible, that's true. But let me double-check this.
UPD: yep, as fetching users is made on the client side, the only way to automate this for you is to add users using APIs I've mentioned before (using isLdap flag).
0 -
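Added example, not part of the thread or of Nx's own code: the planning step of the sync script suggested above, in Python. It compares AD group membership with the existing Nx LDAP users and lists who to create, update or disable; the group-to-role mapping, role names, sample data and the one-role-per-user assumption are hypothetical, and turning each action into a POST /ec2/saveUser request with the isLdap flag is left to the API documentation.

```python
# Added example: decide what a sync script should change. All data is constructed.

NORTH = "CN=NX-Plant-North,OU=NX,DC=example,DC=com"
EAST = "CN=NX-Quarry-East,OU=NX,DC=example,DC=com"
GROUP_ROLES = {NORTH: "Plant North Viewer", EAST: "Quarry East Viewer"}  # hypothetical

SAMPLE_LDAP = {NORTH: {"Alice", "bob"}, EAST: {"bob", "carol"}}
SAMPLE_NX = {  # existing Nx users that carry the isLdap flag, keyed by lowercase login
    "alice": {"role": "Plant North Viewer", "enabled": True},
    "dave": {"role": "Quarry East Viewer", "enabled": True},
    "erin": {"role": "Plant North Viewer", "enabled": False},
}


def plan_sync(ldap_members, nx_users, group_roles=GROUP_ROLES):
    """Return (actions, conflicts) without touching either system.

    ldap_members: {group DN: set of logins} as read from AD by the script.
    nx_users: {login: {"role": str, "enabled": bool}}; local (non-LDAP)
              accounts must be left out so they are never disabled here.
    """
    wanted = {}
    for dn, role in group_roles.items():
        for login in ldap_members.get(dn, ()):
            wanted.setdefault(login.lower(), set()).add(role)

    actions, conflicts = [], {}
    for login in sorted(wanted):
        roles = wanted[login]
        if len(roles) > 1:
            # Multi-site user: assumed to need a dedicated combined role,
            # so report it for a human decision instead of guessing.
            conflicts[login] = sorted(roles)
            continue
        role = next(iter(roles))
        current = nx_users.get(login)
        if current is None:
            actions.append(("create", login, role))
        elif current["role"] != role or not current["enabled"]:
            actions.append(("update", login, role))
    for login in sorted(nx_users):
        if login not in wanted and nx_users[login]["enabled"]:
            actions.append(("disable", login, None))  # left every mapped group
    return actions, conflicts


if __name__ == "__main__":
    print(plan_sync(SAMPLE_LDAP, SAMPLE_NX))
```

Since the thread says there is fetch but no sync, the disable actions are the script's only way to withdraw an Nx role when someone is removed from a group in AD.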
UPD: yep, as fetching users is made on the client side, the only way to automate this for you is to add users using APIs I've mentioned before (using isLdap flag).
Ok, so if we add users via the API with the isLdap flag, will those users then sync with Ldap for password changes, account locks etc?
0 -
@...
as Veronika Nazarova mentioned before -- those users won't sync, as we only have fetch (LDAP->nx) and no sync. As of now, sync should be handled by the same script, as I mentioned before.
But we're working on it and I hope this will be added in the future versions.
0 -
I meant, if I add a user via API with the isLDAP flag, if they change their password in AD, will this be recognised in Nx?
0 -
@... yes, Nx authenticates LDAP users directly in LDAP. So password change will be recognised.
0 -
Has there been any progress on this, assigning roles to AD Security Groups, rather than individual users?
I'm in the process of setting up a multi-site Nx system with v5.0.0.35745 and this doesn't seem to be an option, so managing users who have access to some sites but not others is going to become quite messy.
0