Manage Active Directory role mapping

An administrator or a user with permission to view and manage roles can view the details of the available Active Directory role mappings.

Prerequisites

Ensure that you are logged in to the Control Room as the administrator.

By default, the Control Room will retrieve all security groups from the Users directory.

To create role mappings with filters for the Users directory along with other organizational units (OU), you must update the um.properties file. In the Control Room, the Users directory is considered similar to the OUs. Therefore, you must define the filter in the um.properties file.

For example, set the filter in the file as follows: 
um.ldap.groupmapping.domain.filter='mydomain.com:OU1&groupFilter|OU2&groupFilter|Users&groupFilter'
Note: Group filters such as groupFilter are optional.
In this example, by applying this change to the um.properties directs the Control Room to perform the following tasks:
  1. Go to domain mydomain.com
  2. Retrieve all security groups from Organization Unit OU1 that have the group name starts with groupFilter.
  3. Retrieve all security groups from Organization Unit OU2 that have the group name starts with groupFilter.
  4. Retrieve all security groups from Users directory that have the group name starts with groupFilter.

This setting ensures that the users from the organization units OU1 and OU2 will be retrieved in addition to the Users directory.

Recommendation: Use filters to narrow down the group display as displaying larger number of groups impacts the performance and makes troubleshooting difficult.

The filters defined in the um.properties file are stored in the database. When you update to a newer version of the Control Room, the Control Room references the filters stored in the database because the default um.properties file that comes with the installation will not contain these filters. If you define new filters in the default um.properties file, the Control Room references the filters defined in the um.properties file and overwrites the ones stored in the database.

Multiple Domain Mapping

Mapping supports multiple domains separated by a coma.

um.ldap.groupmapping.domain.filter='mydomain.com:OU1&groupFilter|OU2&groupFilter|Users&groupFilter,mydomain2.com:OU3|OU4'
In the example above, the Control Room will perform the additional processes:
  1. Go to domain mydomain2.com
  2. Retrieve all security groups from Organization Unit OU3.
  3. Retrieve all security groups from Organization Unit OU4.

Retrieving security groups from nested OUs

Example for retrieving security groups from nested OUs.

In the following example organization, consider "Marketing" as the parent OU with additional nested OUs and security groups located in each of these nested OUs.

  • Marketing
    • Group 1
    • Group 2
    • US_OU
      • Group 3
      • California_OU
        • Group 4
        • NoCal_OU
          • Group 5
        • SoCal_OU
          • Group 6
By adding the following entry, Control Room will retrieve all groups, group1, group2, group3, group4, group5 and group6 from Marketing and the nested OUs. 
um.ldap.groupmapping.domain.filter='mydomain.com:Marketing'
Note: Providing nested OU in the entry is not supported.

Active Directory role mapping

Navigate to Administration > > Roles > Active Directory role mappings and the page displays any role mappings that are created in the Control Room. You can view or edit the role mappings. You can also create new role mappings or restart the role synchronization process between the Control Room and Active Directory.

When enabled, this synchronization process is triggered once a day (1440 minutes) by default. You can trigger synchronizations in any interval by changing the number of minutes. We recommend that you set the interval settings larger than the default.

Recommendations:
  • You should set the interval settings larger then the default setting of 1440 minutes.
  • The synchronization process mappings and users is process intensive. We recommend that you maintain a short list of groups and assign specific users to each of these groups on the Active Directory so that you can avoid any scalability issues.
  • Do not use both Import and Do not import mappings in the same system because it may complicate use cases and make troubleshooting more difficult to correct any issues.
  • If both Import and Do not import mappings are defined and a user is included in both mappings, then the Import mappings take precedence over the Do not import mappings.

    Consider these examples:

    • AD Mapping A = Role A – Group A – Import users from this group into Automation 360
    • AD Mapping B = Role B – Group B – Do not import users from this group

    Where user D is included in both Groups A and B within Active Directory.

    User D will be created in Automation 360 and will be assigned Role A.

    • AD Mapping A = Role A – Group A – Import users from this group into Automation 360
    • AD Mapping B = Role B – Group B – Do not import users from this group
    • AD Mapping C = Role C – Group C – Import users from this group into Automation 360

    Where user D is included in Groups A, B, and C in Active Directory (AD).

    User D will be created in Automation 360 and will be assigned to Role A and Role C.

Device license conflict
When there are multiple mappings with different device licenses and a user is mapped to all of the mappings, it becomes difficult to determine which device license will be assigned to the user because one device license is allowed per user. For this scenario, the Control Room supports a preferred ordered list that you can define in the um.properties file. The default configuration for device licenses in the um.properties file is: um.ldap.groupmapping.device.license.preferable.order=Development:Runtime:AttendedRuntime:CitizenDeveloper. The mapping assignment will choose the default license based on the following order of availability:
  1. Development
  2. Runtime
  3. AttendedRuntime
  4. CitizenDeveloper

You can change the default device license by adding the preferred keyword as a new entry in the um.properties file.

The following table lists the keywords for the device licenses that you need to use for the preferable order list:
Keywords License
Development Bot Creator
Runtime Unattended Bot Runner
AttendedRuntime Attended Bot Runner
CitizenDeveloper Citizen Developer

If a user is mapped to multiple mappings and the mappings have the same device license for different auto-login options (enable or disable), then the auto-login configuration will override the settings. As a result, we recommend that you keep the auto-login option consistent across all the mappings for the same device licenses.

One or more available role mappings that match your search criteria appear in the Role Mapping table.
Note: The role mappings page displays only the list of mappings and does not validate the mappings by default. Because the changes in security groups and roles are infrequent and take more time in case of slow network or higher number of mappings, the page displays only the list of mappings. To configure default validation on the role mappings page, in the um.properties file, add the following entry: um.ldap.groupmapping.sync.on.get.mappings=true. Validation of role mappings occurs when you sync the role mappings between the Active Directory and the Control Room.

You can run automations either on the device which is set as your bot running device or from a device pool for which you have consumer privileges (Create a user ). When using Active Directory role mapping, if you want any mapped Active Directory user to be able to use more than one device, you must configure a device pool (Create device pools).