Directory Source Detail Page
The Directory Source Detail page allows you to view and change settings related to your directory source.
To view the Directory Source Detail page, complete the following steps:
- Go to the System Configuration cogwheel in the top right corner of Permission Assist and select Directory Sources.
- Select the directory source. The Directory Source Detail page is displayed.
Imports Tab
The Imports tab displays a list of each import attempt. To view detailed information about an import, select the import within the list.
Principles Tab
The Principles tab displays a list of all accounts imported from your directory source application (ex. Active Directory). If a test synchronization is run, this tab acts like a staging area, showing which accounts will be added to the Identities list when an official sync is completed. Using this tab as a staging area can be helpful when:
- You've just installed Permission Assist and are working on the initial configuration of your directory source.
- You want to modify the rules within the Rules tab and aren't sure how your Identities list might be affected.
Principles displayed in black are active accounts; active accounts are the only accounts that count toward your license. Principles displayed in red are accounts that have been disabled within the directory source application. Principles displayed in light grey or light red are accounts that have been ignored according to the rules defined in the Rules tab, which means they will not be imported into the Identities list when a sync is completed.
To view more detailed information about a specific principle, select an account within the list. The details panel is displayed on the right side of the page (see picture below).
Principle Details
After selecting a principle, the details area is displayed which allows you to review more detailed information such as Department, Object ID and more (see picture below).
| Element | Description |
|---|---|
| Principle Name and Matched Identity | Displays the name of the principle. If the principle exists within the imported list of Identities (Manage > Identities), the name of the matched Identity is displayed below the principle name. |
| Information Tabs | Contains two tabs of information related to the principle. |
| Matches Rule | This area shows the rule used to either ignore the principle or import it as an Identity. |
Groups Tab
The Groups tab displays a list of the groups within the directory source. Groups displayed in black are groups associated with active principles in the Principles tab. Groups displayed in red are groups that have been disabled within the directory source application. Groups displayed in light grey or light red are groups that have been ignored according to the rules defined in the Rules tab, which means they are not associated with the principles in the Principles list and will not be imported into Permission Assist.
Group Details
After selecting a group, the details area is displayed which allows you to review more detailed information such as a description, the distinguished name of the group, and the members of that group (see picture below).
Rules Tab
The Rules tab is used to define which Identities are imported and how those Identities are classified. You can also define the schedule that determines how often Permission Assist syncs with the directory source.
| Setting | Description |
|---|---|
| Automatically synchronize this directory and its identities [never] | This field allows you to define how often Identity information is imported. By default, this field is set to "never". To change the schedule, select the drop-down field and then pick a frequency from the list. |
| [Never] Reset the type on Identities | Within Permission Assist, Identities can be classified as specific types such as employee, service account, vendor account, and so on. Identity types can be helpful for sorting/searching, and are also used by Permission Assist to create recommendations. Select the drop-down field at the start of this sentence and then select one of the following options to determine whether your existing Identities are reclassified when syncing with the directory source. |
| When a new identity is found [include] it automatically | When a new Identity is found, this field determines whether the Identity is included or not. |
| However, when... | This area is used to create the rules that will be applied when syncing with the directory source. Rules are often created to define Identity types and to determine which locations within the directory source will be used to pull in Identities. To add a new rule: Additional examples: If you use an internal standard to create vendor accounts (for example, the user name starts with "vm-"), you could assign a "Vendor" type to any Identities that start with "vm-" using a rule similar to the following: If you have a particular OU within your directory source that you want to exclude, you might create a rule similar to the following: The order of the rules matters! Permission Assist applies the rules in numerical order (rule 1 first, then rule 2, and so on). |
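The following is an added example, written for this page and not Permission Assist's own code, that models what the Principles tab and the Rules tab describe: a test synchronization stages every imported account, the rules run in numerical order with the first match winning, an OU-exclusion rule and a "vm-" prefix rule classify accounts, and only active (black) accounts count toward the license. The rule syntax, the `Principal`/`Rule` field names, the "Employee" default type and the sample accounts are all assumptions constructed for the example.

```python
"""Added example (not Permission Assist's own code): a small model of the
staging behaviour described for the Principles and Rules tabs.

Assumptions: rule syntax, the Principal/Rule field names, the "Employee"
default type and the sample accounts below are constructed for this example.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class Principal:
    name: str      # user name as it appears in the directory (constructed)
    dn: str        # distinguished name in the directory (constructed)
    enabled: bool  # False when the account is disabled in the directory


@dataclass
class Rule:
    description: str
    matches: Callable[[Principal], bool]
    action: str                          # "ignore" or "include"
    identity_type: Optional[str] = None  # type assigned when action == "include"


@dataclass
class StagedPrincipal:
    principal: Principal
    status: str                  # "active", "disabled" or "ignored"
    identity_type: Optional[str]
    matched_rule: Optional[str]  # what the "Matches Rule" area would show


def in_ou(ou_dn: str) -> Callable[[Principal], bool]:
    """Match any principal whose DN sits under the given OU (case-insensitive)."""
    suffix = "," + ou_dn.lower()
    return lambda p: p.dn.lower().endswith(suffix)


def name_starts_with(prefix: str) -> Callable[[Principal], bool]:
    return lambda p: p.name.lower().startswith(prefix.lower())


# Rule 1 is evaluated first, then rule 2, and so on; the first match wins.
RULES: List[Rule] = [
    Rule("Ignore everything under the Disabled Users OU",
         in_ou("OU=Disabled Users,DC=example,DC=com"), "ignore"),
    Rule('User name starts with "vm-" -> Vendor',
         name_starts_with("vm-"), "include", "Vendor"),
    Rule('User name starts with "svc-" -> Service Account',
         name_starts_with("svc-"), "include", "Service Account"),
]

DEFAULT_ACTION = "include"  # the "When a new identity is found [include]" setting
DEFAULT_TYPE = "Employee"   # assumed default type for accounts no rule classifies


def stage(principals: List[Principal], rules: List[Rule] = RULES,
          default_action: str = DEFAULT_ACTION) -> List[StagedPrincipal]:
    """Replicate a test synchronization: decide, per account, what a real
    sync would do, without touching the Identities list."""
    staged = []
    for p in principals:
        matched = next((r for r in rules if r.matches(p)), None)
        action = matched.action if matched else default_action
        if action == "ignore":
            status, itype = "ignored", None
        else:
            status = "active" if p.enabled else "disabled"
            itype = (matched.identity_type if matched and matched.identity_type
                     else DEFAULT_TYPE)
        staged.append(StagedPrincipal(p, status, itype,
                                      matched.description if matched else None))
    return staged


def display_colour(s: StagedPrincipal) -> str:
    """Colour coding of the Principles tab as the page describes it."""
    if s.status == "active":
        return "black"
    if s.status == "disabled":
        return "red"
    return "light grey" if s.principal.enabled else "light red"


def licensed_count(staged: List[StagedPrincipal]) -> int:
    """Only active (black) accounts count toward the license."""
    return sum(1 for s in staged if s.status == "active")


# Constructed sample directory contents.
SAMPLE_PRINCIPALS = [
    Principal("jdoe", "CN=jdoe,CN=Users,DC=example,DC=com", True),
    Principal("mjones", "CN=mjones,CN=Users,DC=example,DC=com", False),
    Principal("vm-acme", "CN=vm-acme,OU=Vendors,DC=example,DC=com", True),
    Principal("svc-backup", "CN=svc-backup,OU=Service,DC=example,DC=com", True),
    # Would match the "vm-" rule, but rule 1 runs first and ignores it.
    Principal("vm-old", "CN=vm-old,OU=Disabled Users,DC=example,DC=com", True),
    Principal("old.user", "CN=old.user,OU=Disabled Users,DC=example,DC=com", False),
]

if __name__ == "__main__":
    result = stage(SAMPLE_PRINCIPALS)
    for s in result:
        print(f"{s.principal.name:<12} {s.status:<9} {s.identity_type or '-':<16} "
              f"{display_colour(s):<11} {s.matched_rule or '(no rule)'}")
    print("licensed:", licensed_count(result))
```

Running the script prints one staged row per account; the `vm-old` row shows why rule order matters, since it is ignored by rule 1 before the "vm-" rule ever sees it. Swapping the two rules in `RULES` would turn it into a licensed Vendor identity instead.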
Settings Tab
| Setting | Description |
|---|---|
| Name | Enter a name for the domain as you want it to appear in the Directory Sources list (ex. Active Directory - Main or Active Directory - Branch 03). |
| Label | (optional) If you have multiple directory services, this option may be used to enter a descriptive label to help distinguish identities or groups that come from this directory source. |
| Allow users to authenticate... | This option should always remain selected, even when using SSO, except in rare cases where multiple directory sources exist. This option works in combination with the System Authentication groups to determine what people can do within Permission Assist based on their role. |
| Directory Source Reader | This field is set to Microsoft Active Directory by default and cannot be changed (for now). |
Advanced Configuration Settings

| Setting | Description |
|---|---|
| Hostname | Enter the hostname of the server running LDAP. Example: ldap.example.com. Do not enter http:// or https://. |
| Port | (optional) Enter the port number that your directory service is running under (typically 389 unless using an SSL connection). |
| Use SSL | (optional) Select this option if your configuration requires an SSL connection. |
| Username | Enter the user that has Windows Authorization Access Group rights to LDAP. Example: ldapuser |
| Password | Enter the password associated with the user name entered in the Username field. |
| Base DN | Enter the root node in LDAP that Permission Assist will use to start searching for users and groups. Example: CN=users,DC=example,DC=com |