How to control AD account provisioning with an eAdm permission
Many organizations need to control which users are automatically provisioned with an Active Directory (AD) account. This guide explains how to use a specific permission within eAdm to manage AD account creation, ensuring that only designated users receive an account automatically.
This method is useful in several common scenarios:
Differentiating Employee Types: Automatically create AD accounts for permanent employees, but require managers to manually grant access to temporary or hourly staff.
Managing Existing Users: When migrating to eAdm, you can prevent the system from automatically creating AD accounts for existing employees who have not needed one previously.
The following procedure uses a permission called "Active User Account" to control this process.
Procedure
Follow these steps to configure eAdm to manage AD account provisioning via a permission.
Step 1: Create the "Active User Account" Permission
First, create a new permission that will be used to grant AD access.
Navigate to the permissions management area in eAdm.
Create a new permission and fill in its details in the permission list. This guide uses the following example:
Name: Aktiv brukerkonto (Active User Account)
ID: 8394
(Note: eAdm assigns the ID automatically; 8394 is used as an example throughout this guide.)
Assign this permission to a grouping that is accessible to managers or other authorized staff who will be responsible for manually granting this access.
Step 2: Configure Automatic Assignment Rules
Next, define the rules for which users should receive the "Active User Account" permission automatically. For instance, you can configure the rule to only assign the permission to employees hired after eAdm's go-live date.
Open the Rule Set for the "Active User Account" permission.
Create rules to define the automatic assignment criteria.
Step 3: Update the Active Users Sync Template for AD
Modify the synchronization template for active AD users to require the "Active User Account" permission. This ensures that only users with this permission are created or maintained as active in AD.
Locate the Rule Set linked to the synchronization template for active AD users.
Add a new rule that requires the user to have the "Active User Account" permission. You will use the permission's unique ID from Step 1. This rule checks that the user has the permission with ID 8394.
Step 4: Update the Deactivated Users Sync Template for AD
Finally, update the synchronization template for deactivated users. This rule will ensure that when the "Active User Account" permission is removed from a user, their AD account is automatically deactivated.
Locate the Rule Set for the deactivated users synchronization template.
Add a combination of rules that identifies users who have lost the "Active User Account" permission.
The logic for this rule set is to find users who:
Are not marked as deleted in the source system.
Do not currently have the "Active User Account" permission.
Previously had the "Active User Account" permission (as recorded in their object history).
This logic can be constructed in the rule set as follows:
// Condition 1: the user is NOT marked as deleted ("Slettet" = Deleted; "Har ikke verdi" = Has no value).
Slettet | Har ikke verdi
// AND (all three conditions must hold; an OR here would match every user who is not deleted)
// Condition 2: a two-part condition that identifies a lost permission.
(
// The user does NOT currently hold the permission (ID 8394).
[OBJECTPERMISSION.SYSTEMROLE;Name;Id;8394] | Har ikke verdi
AND
// The object history shows the user PREVIOUSLY held the permission (ID 8394) ("Er lik" = Equals).
[OBJECTHISTORIES;OldValue;OldValue;8394] | Er lik | 8394
)
Note: Remember to manually assign the "Active User Account" permission to any existing users who need an AD account but do not meet the criteria for automatic assignment you configured in Step 2.
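The rule logic from Steps 2 to 4, as an added Python example that is not eAdm's own code or API: it evaluates the three rule sets over a constructed set of source-system users and diffs the result against a snapshot of enabled AD accounts, which is the dry-run check worth doing before the updated templates go live. The data model, the go-live date, the assumption that the source user ID equals the AD account name, and the assumption that the deactivated-users template also covers users marked as deleted are all assumptions made here, not statements from the guide; eAdm evaluates these rules internally, so this script only models them.

```python
"""Dry-run of the eAdm rule logic from Steps 2-4 against an AD snapshot.
Added example; the data model and names are assumptions, not eAdm's API."""
from dataclasses import dataclass, field
from datetime import date

ACTIVE_ACCOUNT_PERMISSION_ID = 8394      # example permission ID from the guide
GO_LIVE = date(2024, 1, 1)               # assumed eAdm go-live date (Step 2 rule)


@dataclass
class SourceUser:
    """Constructed stand-in for a user object in eAdm's source system."""
    user_id: str                          # assumed to equal the AD sAMAccountName
    hired: date
    deleted: bool = False                                # "Slettet" has a value
    permissions: set = field(default_factory=set)        # current OBJECTPERMISSION ids
    history: list = field(default_factory=list)          # OBJECTHISTORIES OldValue entries


def apply_auto_assignment(user: SourceUser) -> None:
    """Step 2 rule: staff hired on or after go-live get the permission automatically."""
    if not user.deleted and user.hired >= GO_LIVE:
        user.permissions.add(ACTIVE_ACCOUNT_PERMISSION_ID)


def should_be_active(user: SourceUser) -> bool:
    """Step 3 rule: the active-users template requires permission 8394."""
    return not user.deleted and ACTIVE_ACCOUNT_PERMISSION_ID in user.permissions


def lost_permission(user: SourceUser) -> bool:
    """Step 4 rule: not deleted, lacks 8394 now, but the history shows it held 8394."""
    return (not user.deleted
            and ACTIVE_ACCOUNT_PERMISSION_ID not in user.permissions
            and ACTIVE_ACCOUNT_PERMISSION_ID in user.history)


def should_be_deactivated(user: SourceUser) -> bool:
    """Deactivated-users template (assumed): deleted in the source OR lost the permission."""
    return user.deleted or lost_permission(user)


def run_audit(users: list, ad_enabled: set) -> dict:
    """Apply Step 2, then diff the desired state against the enabled AD accounts."""
    for u in users:
        apply_auto_assignment(u)
    known = {u.user_id for u in users}
    active = {u.user_id for u in users if should_be_active(u)}
    inactive = {u.user_id for u in users if should_be_deactivated(u)}
    return {
        "enable": sorted(active - ad_enabled),
        "disable": sorted(inactive & ad_enabled),
        # Enabled in AD but never held 8394: matched by neither template, so the
        # permission must be granted manually before Step 3 takes effect.
        "needs_manual_grant": sorted((ad_enabled & known) - active - inactive),
        # Enabled in AD with no source object at all: outside eAdm's control.
        "orphans": sorted(ad_enabled - known),
    }


def sample_data():
    """Constructed users and AD snapshot; none of these are real accounts."""
    users = [
        SourceUser("alice", date(2024, 3, 1)),                          # hired after go-live
        SourceUser("bob", date(2015, 6, 1), permissions={8394}),        # granted manually
        SourceUser("carol", date(2015, 6, 1)),                          # pre-eAdm, has AD account
        SourceUser("dave", date(2018, 9, 1), history=[8394]),           # permission revoked
        SourceUser("erin", date(2019, 1, 1), deleted=True, permissions={8394}),
    ]
    ad_enabled = {"bob", "carol", "dave", "erin", "ghost"}
    return users, ad_enabled


if __name__ == "__main__":
    for action, ids in run_audit(*sample_data()).items():
        print(f"{action:>18}: {', '.join(ids) or '-'}")
```

Run against the sample data, the audit reports alice to enable, dave and erin to disable, carol as an existing account holder who must be granted the permission by hand (the case the note above describes), and ghost as an enabled AD account with no source object, which none of the permission-based rules will ever touch and which needs a separate clean-up.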