Directory Source Detail Page

The Directory Source Detail page allows you to view and change settings related to your directory source.

 

Imports Tab

The imports tab displays a list of each import attempt. To view detailed information about an import, select the import within the list.

 

Principles Tab

The Principles tab displays a list of all accounts imported from your directory source application (ex. Active Directory).  If a test synchronization is run, this tab acts like a staging area, showing which accounts will be added to the Identities list when an official sync is completed. Using this tab as a staging area can be helpful when:

  • You've just installed Permission Assist and are working on the initial configuration of your directory source.

  • You want to modify the rules within the Rules tab and aren't sure how your Identities list might be affected.

Principles displayed in black are active accounts; active accounts are the only accounts that are count toward your license. Principles displayed in red are accounts that have been disabled within the directory source application. Principles displayed in light grey or light red are accounts that have been ignored according to the rules defined in the Rules tab, which means they will not be imported into the Identities list when a sync is completed. 

To view more detailed information about a specific principle, select an account within the list. The details panel is displayed on the right side of the page (see picture below).

 

Principle Details

After selecting a principle, the details area is displayed which allows you to review more detailed information such as Department, Object ID and more (see picture below).

 

Principle Name and Matched Identity

Displays the name of the principle. If the principle exists within the imported list of Identities (Manage > Identities) the name of the matched Identity is displayed below the principle name. 

Information Tabs

Contains two tabs of information related to the principle.

Tab

Description

Info

Displays additional directory information about the principle provided by the directory source such as department, email address, status, object ID, last login date, and so on.

Groups

Displays a list of groups associated with the principle.

 

Matches Rule

This area shows the rule used to either ignore the principle or import it as an Identity.  

 

 

Groups Tab

The Groups tab displays a list of the groups within the directory source. Groups displayed in black are groups associated with active principles in the Principles tab. Groups displayed in red are groups that have been disabled within the directory source application. Groups displayed in light grey or light red are accounts that have been ignored according to the rules defined in the Rules tab, which means they are not associated with the principles in the Principles list and will not be imported within Permission Assist

Group Details

After selecting a group, the details area is displayed which allows you to review more detailed information such as a description, the distinguished name of the group, and the members of that group (see picture below).

 

Rules Tab

The Rules tab is used to define which Identities are imported and how those Identities are classified. You can also define the schedule that determines how often Permission Assist syncs with the directory source.

Automatically synchronize this directory and its identities [never]

This field allows you to define how often Identity information is imported.

By default, this field is set to "never". To change the schedule, select the drop-down field and then pick a frequency from the list.

[Never] Reset the type on Identities

Within Permission Assist, Identities can be classified as specific types such as employee, service account, vendor account, and so on. Identity types can be helpful for sorting/searching, and are also used by Permission Assist to create recommendations.

Select the drop-down field at the start of this sentence and then select one of the following options to determine whether your existing Identities are reclassified when syncing with the directory source. 

Option

Description

Never

When this option is selected, the type for existing Identities will not be updated during a sync with the directory source.

Always

When this option is selected, the type for existing Identities will be updated when Permission Assist syncs with the directory source.

 

When a new identity is found [include] it automatically

When a new Identity is found, this field determines whether the Identity is included or not.

Field

Description

include

By default, this field is set to "Include" which means new Identities will be added to the Identities list (this is the option that is most often recommended).

don't include

When this field is set to "don't include," new Identities will not be added to the Identities list unless they meet the criteria set within the list of rules. Using the "don't include" option could be preferable if you have an organized, yet very complex structure within your directory source and you want to strictly limit which Identities are pulled in; however, please be aware that it could also increase the risk of not bringing in Identities that should be reviewed if the structure of the directory source changes (ex. new OUs are added).

 

However, when...

This area is used to create the rules that will be applied when syncing with the directory source. Rules are often created to define Identity types and to determine which locations within the directory sources will be used to pull in Identities.

To add a new rule:

  1. Select the Add Rule link just to the right of "However, when..."

  2. Select each drop-down field and then select the options you need to create the rules you want.

    For example, if you want to exclude mailbox accounts from the list of Identities, you might set up a rule as follows:

Additional examples:

If you use an internal standard to create vendor accounts (for example, the user name starts with a vm-), you could assign a "Vendor" type to any Identities that start with "vm-" using a rule similar to the following:

If you have a particular OU within your directory source that you want to exclude, you might create a rule similar to the following:

 

The order of the rules matters!

Permission Assist applies the rules in numerical order (rule 1 first, then rule 2, and so on).

 

Settings Tab

 

Name

Enter a name for the domain as you want it to appear in the Directory Sources list (ex. Active Directory - Main or Active Directory - Branch 03)

Label

(optional) If you have multiple directory services, this option may be used to enter a descriptive label to help distinguish identities or groups that come from this directory source.

Allow users to authenticate...

This option should always remain selected - even when using SSO - except in rare cases where multiple directory sources exist. This option works in combination with the System Authentication groups to determine what people can do within Permissions Assist based on their role.

Directory Source Reader

This field is set to Microsoft Active Directory by default and cannot be changed (for now).

 

Advanced Configuration Settings

Hostname

Enter the hostname of the server running LDAP. Example: ldap.example.com. Do not enter http:// or https://

Port

(optional) Enter the port number that your directory service is running under (typically 389 unless using an SSL connection).

Use SSL

(optional) Select this option if your configuration requires an SSL connection.

Username

Enter the user that has Windows Authorization Access Group rights to LDAP. Example: ldapuser

Password

Enter the password associated with the user name entered in the Username field.

Base DN

Enter the root node in LDAP that Permission Assist will use to start searching for users and groups. Example: CN=users,DC=example,DC=com