AX2557

Scheduler task: Active Directory Import

This task imports users from Active Directory groups into Axiom Software security. For more information on using Active Directory integration with Axiom Software, see Synchronizing users with Active Directory.

This task has three tabs of settings: Source Directory, Notification, and Preview Import.

NOTE: The user running this task must be an administrator or have the Administer Security permission.

For Cloud Service systems, the Active Directory Import task can import users from your local Active Directory by using the Axiom Cloud Integration Service. If you have a remote data connection that is enabled for user authentication, this task will use that connection when the job is executed by Scheduler. For more information, see Managing remote data connections.

Source Directory tab

On this tab, you specify the domain to import from and the groups to import.

Item Description

Domain or Server

Select either Domain or Server to specify the source domain for the import.

  • If you select Domain, enter the name of the domain.
  • If you select Server, enter the name of the domain controller server.

The server option is available in case you are not currently logged into the source domain, and your current domain does not have access to the source domain. In this case, you must use domain credentials in order to access the source domain.

Only one domain can be selected per import task. If you want to import users from multiple domains into an Axiom Software system, then you must create multiple import tasks.

Credentials

Specifies the credentials to use when accessing Active Directory for the import. Select one of the following:

  • Use process credentials: (Default) Use the credentials of the network service account for Axiom Scheduler Server (on-premise installations) or Axiom Cloud Integration Service (Cloud Service systems).

  • Specify domain credentials: Enter the User and Password of a specific domain account. This option is required if you identified the source domain using the server name instead of the domain name.

Never Enable Users

Specifies whether the import enables imported users as part of the process:

  • If unchecked (default), then newly imported users are enabled as part of the import. Additionally, any existing imported users who have been changed to disabled are re-enabled.

  • If checked, then newly imported users are not enabled as part of the import. A security administrator must modify the security settings after the import is complete to enable the new users. Existing imported users retain their current enabled status.

Groups to import

The Active Directory groups for which members will be imported into Axiom Software Security.

  • Click Add to select from a list of groups for the specified domain. If the specified domain name is not valid or if Axiom Software cannot connect to it, then an error will result when attempting to add groups.

  • If you need to remove a group, select the group and click Remove.

  • Click Role Mapping to define mappings for the selected groups. If a mapping exists for a group, then when users are imported for that group they are automatically assigned to the mapped role and subsystem. See the discussion following this table for more information.

Role mapping

In the Role Mapping dialog, click Add mapping (the plus icon) to add a role mapping for a group. Then complete the following:

  • In the Directory Group column, select the Active Directory group to be mapped.

  • In the Axiom Role column, select the role to be assigned to users in that group. If you want to map the group to more than one role, add another mapping row.

  • In the Subsystem column, select the subsystem for users in that group. If you want to map the group to more than one subsystem, add another mapping row. This option only displays if subsystems are enabled for your system.

  • In the User Type column, select the license type for the imported users. The default license type is Standard.

  • In the Authentication Type column, select the authentication type for the imported users: Windows User or SAML. The default authentication type is Windows User. Note that the selected authentication type will be assigned to users regardless of whether that authentication type is currently enabled for the system.

You can map each group to multiple roles and subsystems. If a group has no defined mappings, then the users will not be assigned to any roles or subsystems. If the import creates new users without mappings, the assigned user type is Standard and the assigned authentication type is Windows User.

To remove a mapping, select the mapping in the grid and then click Remove mapping (the X icon). If users have already been imported using this mapping, removing the mapping will not remove the users from the role or subsystem in subsequent imports (unless other group mappings in the import use the same role or subsystem, and the users are not also part of that group).

NOTE: If a user belongs to multiple mappings—either multiple mappings for a single group, or multiple mapped groups—then the user will be assigned to the user type and the authentication type for the last-processed mapping. Role mappings are processed in role ID order.
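
The following Python sketch is an added example, not Axiom Software code. It models the rule described above (mappings processed in role ID order, with the last-processed mapping setting the user type and authentication type) so that you can spot users whose result depends on processing order. The group names, role names, numeric role IDs, and the tie-breaking for equal role IDs are assumptions; subsystems are omitted.

```python
from dataclasses import dataclass

DEFAULT_USER_TYPE = "Standard"      # default license type per the page
DEFAULT_AUTH_TYPE = "Windows User"  # default authentication type per the page

@dataclass(frozen=True)
class Mapping:
    group: str                       # Directory Group column
    role: str                        # Axiom Role column
    role_id: int                     # assumed numeric; page only says "role ID order"
    user_type: str = DEFAULT_USER_TYPE
    auth_type: str = DEFAULT_AUTH_TYPE

def resolve_new_user(user_groups, mappings):
    """Model the outcome for a newly imported user who belongs to user_groups."""
    hits = sorted((m for m in mappings if m.group in user_groups),
                  key=lambda m: m.role_id)   # ties keep input order (assumption)
    out = {"roles": [], "user_type": DEFAULT_USER_TYPE,
           "auth_type": DEFAULT_AUTH_TYPE, "order_dependent": []}
    for m in hits:
        if m.role not in out["roles"]:
            out["roles"].append(m.role)
        out["user_type"] = m.user_type   # last-processed mapping wins
        out["auth_type"] = m.auth_type
    # Flag settings on which the applicable mappings disagree.
    for field in ("user_type", "auth_type"):
        if len({getattr(m, field) for m in hits}) > 1:
            out["order_dependent"].append(field)
    return out

# Constructed sample data: group names, role names and role IDs are hypothetical.
MAPPINGS = [
    Mapping("FIN-Analysts", "Budget Analyst", role_id=12),
    Mapping("FIN-Admins", "Finance Admin", role_id=3, auth_type="SAML"),
    Mapping("FIN-Admins", "Budget Analyst", role_id=12),
]
USERS = {
    "jdoe": {"FIN-Analysts", "FIN-Admins"},
    "jsmith": {"FIN-Admins"},
    "akhan": {"HR-Staff"},   # member of an imported group with no mapping
}

def audit(users=USERS, mappings=MAPPINGS):
    """Resolve every sample user and return the results keyed by user name."""
    return {name: resolve_new_user(groups, mappings) for name, groups in users.items()}

if __name__ == "__main__":
    for name, result in audit().items():
        print(name, result)
```

In the sample data, jsmith belongs only to a group mapped to SAML for one role, yet ends up as Windows User because the same group has a second mapping with a higher role ID. Any user with a non-empty order_dependent list is worth checking in the Preview Import tab before the task runs.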

Notification tab

On this tab, you specify users to be notified when changes are made in Axiom Software Security due to the import.

Type in one or more email addresses to be notified. Separate multiple addresses with a semicolon. For example:

jdoe@axiomepm.com;jsmith@axiomepm.com

When the import task is run, if any users are created or modified in the Axiom Software system, an email notification will be sent to the addresses specified here. The email summarizes the changes made. This email notification is independent of any job-level notification settings (which notify based on overall job completion or failure).

We recommend setting up this task-level notification to send emails to the security administrator(s) responsible for maintaining the security settings in Axiom Software, so that they can define security settings for newly added users, validate changes made to existing users, and perform any other follow-up tasks.

Scheduler job variables can be used in this setting.

Preview Import tab

On this tab, you can preview the import results to test that the import is set up as desired.

To preview the results, click Preview. Axiom Software processes the import task but does not actually make the changes to the system. Instead, the tab displays a summary of the changes that would result.

The preview shows a list of users that would be added, changed, or disabled.

NOTE: The preview is always executed locally, even for Cloud Service systems. The remote data connection to the Cloud Integration Service is only used when the task is executed by Scheduler.