Create Active Directory role mapping

When users are created, they automatically inherit the roles assigned to their Active Directory security groups. Create the mapping before synchronizing the user and roles during the user login or background process.

Prerequisites

To complete the task, you must have AAE_Admin role assigned to you. Ensure you are logged in to the Control Room as the administrator.
Note: Active Directory integration is supported on On-Premises deployments.
In order to create a role mapping, as the administrator will have to provide the following information:
  • Unique mapping name.
  • The targeted domain where the security groups will pulling the credentials from (see um.properties for details).
Note: In order to avoid to import a long list of users, a specific security group should be created on the AD side that has only the users who will access Control Room is recommended.
Map a single AD security group to one or more Control Room roles. Create any roles you want to use with the Active Directory security groups. You can also use the default roles available in the Control Room. .
Note: It is recommended that the AAE_Admin role not be used.

Procedure

  1. Log in to the Control Room.
  2. Navigate to Administration > Roles.
  3. Click Active Directory Role Mapping.
  4. Click Create Role Mapping.
  5. Enter the Name.
  6. Click the Active Directory domain drop-down and select an available domain.
  7. Use the Active Directory security group field to search for a group.
    For example, if you have a group named Certified Publishers, search for Certified. All the groups that contain Certified in their name are listed in GROUPS.
  8. Choose whether Import users or Do not import users.
    OptionOutcome
    Import users All the users who are assigned for the selected security group will be created and assign the mapped roles and licenses in Control Room. If users already exist in Control Room, they will be updated with the latest roles and licenses from the mapping.

    If synchronization process is enabled and triggered, the existing Control Room users will have the updated roles and licenses from the mapping.

    If there are new users added to the security group on the Active Directory side, these users will be created in the Control Room.

    If there are users removed from the security group, these users will be deleted from Control Room.
    Do not import users
    After the role mapping is created; no user will be created in Control Room. How this mapping is being used in this deployment:
    • On the Create user configuration page, when you create a new user, the role(s) will automatically be assigned to the new user if any of the user security group maps to the existing role mapping.
    • If synchronization process is enabled and triggered, any existing Control Room users whose security group maps to any role mappings will get the role assignment updated.

    When you create multiple Active Directory (AD) role mappings for multiple security groups, the roles used in the mappings are combined for the users who belong to the security groups.

    Consider the following example:
    • AD Mapping 1 = Role Y – Group Y – User A, User B, User C
    • AD Mapping 2 = Role Z – Group Z – User A, User D, User E
    Where User A is part of both Groups Y and Z within Active Directory. User A will be created in Automation 360 and will be assigned Role Y and Role Z. If you delete AD Mapping 2, then Role Z will be removed for User A. However, User A will continue to use Role Y.
    Note: After a mapping is created and switched from the Import user to Do not import users option, the previously assigned licenses are retained for the users.
  9. Click the right arrow () to add your selection.
  10. Select the required role from the list of Available roles.
  11. Click the right arrow () to add your selection.
  12. Select the device licenses to assign to the security group.
    License mapping is only supported when the Import users options is selected.
    Note: The Do not import users option does not support license assignment. Administrators will be required to map the licenses manually for users. If any of the licenses that are defined in the mappings became unavailable during the synchronization process (not enough license), licenses will not be assigned to the users. Therefore, ensure that there is enough licenses before creating the mappings.

    You can run automations either on the device which is set as your bot running device or from a device pool for which you have consumer privileges (Create a user ). When using Active Directory role mapping, if you want any mapped Active Directory user to be able to use more than one device, you must configure a device pool (Create device pools).

  13. Click Create Mappings.
    Note: When AD role mapping is enabled, you cannot manually add roles for the AD mapped user.

When the synchronization runs, all users with the assigned roles are updated.