Map up to 1000 Active Directory groups to roles

Starting from Version 11.3.4.2, you can map up to 1000 Active Directory groups (increased from 200) to user roles in the Control Room by defining, in the um.properties file, the domain, the organizational unit (OU), and the name prefix of the groups in that OU.

The um.properties file uses the following special characters as separators between domains, organizational units, and security groups: comma (,), colon (:), ampersand (&), and pipe (|). If any of your Active Directory entities have names that include one of these characters, escape each such character by preceding it with a double backslash (\\); otherwise the name is split at that character and the wrong OU or group is matched.

For example:
domain name 1: sameenterprise.com
(in domain 1) OU name 1: marketing,finance
(in domain 1) OU name 2: engineering
(in domain 1 OU 1) Group name: groupA
(in domain 1 OU 1) Group name: groupB&C
(in domain 1 OU 2) Group name: groupC|A
domain name 2: asia.sameenterprise.com
(in domain 2) OU name 1: sales:hr
(in domain 2 OU 1) Group name: AsiaGroup
In this example, the OU names "marketing,finance" and "sales:hr" and the group names "groupB&C" and "groupC|A" contain the special characters (,), (:), (&), and (|), so each of those characters is preceded with "\\". The result appears as follows:
domain name 1: sameenterprise.com
(in domain 1) OU name 1: marketing\\,finance
(in domain 1) OU name 2: engineering
(in domain 1 OU 1) Group name: groupA
(in domain 1 OU 1) Group name: groupB\\&C
(in domain 1 OU 2) Group name: groupC\\|A
domain name 2: asia.sameenterprise.com
(in domain 2) OU name 1: sales\\:hr
(in domain 2 OU 1) Group name: AsiaGroup

Procedure

  1. Go to the Control Room installation path.
  2. From the list of files, open the um.properties file (a plain-text Java properties file, not XML) with a text editor such as Notepad++.
  3. Define the domain, organization unit, and prefix for the groups of the organization unit in the um.properties file:
    um.ldap.groupmapping.domain.filter='<domain>:<organization unit>&<prefix for the groups of the OU>|<organization unit>&<prefix for the groups of the OU>'

    Separate the domain from its OU entries with a colon (:), the OU entries of one domain from each other with a pipe (|), and the OU name from its group prefixes (and the prefixes from each other) with an ampersand (&). One OU entry can list several prefixes.

    Add the entries for the other domains to the same value, separated by commas (,).

    For example: um.ldap.groupmapping.domain.filter='sameenterprise.com:marketing&groupA&groupB|engineering&groupC,asia.sameenterprise.com:sales&AsiaGroup|eng-ou&engGroup2'
    If the domain sameenterprise.com is selected, security groups whose names start with groupA or groupB are retrieved from the marketing organizational unit, and security groups whose names start with groupC are retrieved from the engineering organizational unit. If the domain asia.sameenterprise.com is selected, security groups starting with AsiaGroup are retrieved from the sales organizational unit and security groups starting with engGroup2 from the eng-ou organizational unit. Matching is by name prefix, so a prefix such as groupA also retrieves every other group whose name begins with groupA; choose prefixes that do not unintentionally make additional groups mappable to roles.
    Note: When you map roles in the Control Room, you can search for the Active Directory groups that the filter defined in the um.properties file retrieves. Nested organizational units are not supported.
  4. Save the file and restart these services: Automation Anywhere Control Room Caching, Automation Anywhere Control Room Messaging, and Automation Anywhere Control Room Service.
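The following Python script is an added example, not code from the product or from this page; it shows the escaping rule and the filter syntax described above working together, so you can generate a correct um.ldap.groupmapping.domain.filter value from a list of domains, OUs and prefixes and check an existing value before restarting the services. It treats the two-backslash sequence in the file text as the escape exactly as the page states (it does not model what the properties loader does first), and the group names it matches against are constructed for illustration. Whether the product compares prefixes case-insensitively is not stated on the page, so the example matches case-sensitively; that is an assumption.

```python
"""Build and parse um.ldap.groupmapping.domain.filter values with the page's escaping rule."""

SEPARATORS = ",:&|"   # reserved: domains / domain-OU / OU entries / OU-prefix fields
ESC = "\\\\"          # the two literal backslashes the page says to put before a reserved char


def escape_name(name: str) -> str:
    """Return an AD name with every reserved character preceded by a double backslash."""
    return "".join(ESC + ch if ch in SEPARATORS else ch for ch in name)


def unescape_name(text: str) -> str:
    """Inverse of escape_name: drop the double backslash in front of a reserved character."""
    for ch in SEPARATORS:
        text = text.replace(ESC + ch, ch)
    return text


def split_unescaped(text: str, sep: str, maxsplit: int = -1) -> list:
    """Split on sep, treating an occurrence written as \\\\sep as literal (kept escaped in the piece)."""
    parts, cur, i = [], [], 0
    while i < len(text):
        if text.startswith(ESC, i) and i + 2 < len(text) and text[i + 2] in SEPARATORS:
            cur.append(text[i:i + 3])        # escaped reserved char: copy through untouched
            i += 3
            continue
        if text[i] == sep and (maxsplit < 0 or len(parts) < maxsplit):
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(text[i])
        i += 1
    parts.append("".join(cur))
    return parts


def parse_filter(value: str) -> dict:
    """Parse the property value (with or without the surrounding quotes) into
    {domain: {ou: [group prefixes]}}; raise ValueError on a malformed entry."""
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == "'":
        value = value[1:-1]
    mapping = {}
    for domain_spec in split_unescaped(value, ","):
        head = split_unescaped(domain_spec, ":", maxsplit=1)
        if len(head) != 2 or not head[0]:
            raise ValueError(f"expected <domain>:<OU entries> in {domain_spec!r}")
        domain = unescape_name(head[0])
        for ou_spec in split_unescaped(head[1], "|"):
            fields = [unescape_name(f) for f in split_unescaped(ou_spec, "&")]
            if len(fields) < 2 or not all(fields):
                raise ValueError(f"expected <OU>&<prefix>[&<prefix>...] in {ou_spec!r}")
            mapping.setdefault(domain, {})[fields[0]] = fields[1:]
    return mapping


def build_filter(mapping: dict) -> str:
    """Render {domain: {ou: [prefixes]}} as the quoted, escaped property value."""
    domain_specs = []
    for domain, ous in mapping.items():
        ou_specs = ["&".join(escape_name(n) for n in [ou, *prefixes]) for ou, prefixes in ous.items()]
        domain_specs.append(escape_name(domain) + ":" + "|".join(ou_specs))
    return "'" + ",".join(domain_specs) + "'"


def filter_error(value: str):
    """Return the parse error message for value, or None if the value is well formed."""
    try:
        parse_filter(value)
    except ValueError as exc:
        return str(exc)
    return None


def matching_groups(mapping: dict, domain: str, ou: str, group_names: list) -> list:
    """Groups from group_names the filter would retrieve for domain/ou. This is a name-prefix
    match as the page describes, so a prefix 'groupA' also selects 'groupAdmins'.
    Case-sensitive comparison is an assumption of this example, not a documented behaviour."""
    prefixes = mapping.get(domain, {}).get(ou, [])
    return [g for g in group_names if any(g.startswith(p) for p in prefixes)]


if __name__ == "__main__":
    # Worked run on the page's own example value; the group list below is constructed.
    page_value = ("'sameenterprise.com:marketing&groupA&groupB|engineering&groupC,"
                  "asia.sameenterprise.com:sales&AsiaGroup|eng-ou&engGroup2'")
    print(parse_filter(page_value))
    # The escaped example from the top of the page, generated rather than typed by hand.
    print(build_filter({
        "sameenterprise.com": {"marketing,finance": ["groupA", "groupB&C"],
                               "engineering": ["groupC|A"]},
        "asia.sameenterprise.com": {"sales:hr": ["AsiaGroup"]},
    }))
    print(matching_groups(parse_filter(page_value), "sameenterprise.com", "marketing",
                          ["groupA", "groupAdmins", "groupB", "otherGroup"]))
```

Run it before editing the file: build_filter produces the value to paste after um.ldap.groupmapping.domain.filter=, and filter_error lets you confirm a hand-written value parses into the domains, OUs and prefixes you intended before you restart the Control Room services.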