Active Directory User Management
Exploring
This program accesses the AdmSsoUsers table and lets you configure and manage the relationship between Microsoft Active Directory (AD) users and SYSPRO operators.
Things you can do in this program include:
- View all users added to the SYSPRO.ERP security group in Microsoft Active Directory (AD).
- Assign Active Directory users to existing SYSPRO operator codes.
- Create a new SYSPRO operator code to assign to an Active Directory user.
- Force a sync between Microsoft Active Directory (AD) and SYSPRO to update the operator list.
- Delink a SYSPRO operator from an Active Directory user.
- Delete a SYSPRO operator that was linked to an Active Directory user.
- Filter, hide or unhide the operators that you want to view.
This program is accessed from the Program List pane of the SYSPRO menu:
- Program List > Administration > Security
Microsoft Active Directory (AD) is a directory service developed by Microsoft for Windows domain networks.
It consists of several services that run on Windows Server to manage permissions and access to networked resources.
An organizational unit (OU) is a subdivision within Microsoft Active Directory (AD) into which you can place the following objects:
- Users
- Groups (e.g. Security groups)
- Computers
- Other organizational units
You can create organizational units to mirror your organization's functional or business structure, and each domain can implement its own organizational unit hierarchy.
Security groups provide an efficient way to assign access to resources on your network. They enable the following:
- Assign user rights to security groups in Microsoft Active Directory (AD).
- Assign permissions to security groups for resources.
Starting
You can restrict operator access to activities within a program (configured using the Operator Maintenance program).
You can restrict operator access to the fields within a program (configured using the Operator Maintenance program).
You can restrict access to the eSignature transactions within a program at operator, group, role or company level (configured using the eSignature Setup program). Electronic Signatures provide security access, transaction logging and event triggering that give you greater control over your system changes.
You can restrict operator access to programs by assigning them to groups and applying access control against the group (configured using the Operator Groups program).
You can restrict operator access to functions within a program using passwords (configured using the Password Definition program). When defined, the password must be entered before you can access the function.
The following configuration options in SYSPRO may affect processing within this program or feature, including whether certain fields and options are accessible.
The System Setup program lets you configure your SYSPRO environment. These settings can affect processing within this program.
SYSPRO Ribbon bar > Setup > General Setup
- Active Directory sync required
- AD sync service endpoint
- Email configuration
- Failure email required
- Review email required
- Success email required
- SMTP server IP address
- Outgoing email address
- Username
- Password
- Server port
- Use SSL
- SYSPRO operators cannot be enabled for Multi-Factor Authentication at the same time as either of the following:
  - Single Sign-on (i.e. the operator is defined as an Active Directory user)
  - Concurrent usage (i.e. the Allow concurrent use of this operator option is enabled against the operator in the Operator Maintenance program)
  A Single Sign-on operator is authenticated by the Windows logon rather than by SYSPRO, so the strength of the domain logon (and any MFA applied to it) is what protects that operator.
- The Single Sign-on feature is intended to work with the SYSPRO Windows client only and is not available for SYSPRO Avanti, SYSPRO Espresso or the SYSPRO Supply Chain Portal. An operator that is configured to use Single Sign-on therefore has no access to these environments.
  The SYSPRO Windows client reads the currently logged-in and authenticated Windows user and then looks up the link between the Active Directory name (the authenticated Windows user) and the SYSPRO operator code (as defined in the Active Directory User Management program). Single Sign-on with Active Directory integration is therefore not intended for environments where you don't have to be logged into a Windows client.
  For example, when using the SYSPRO Avanti user interface, the platform runs in a browser, which can be running on any operating system (including a phone or tablet), so there is no authenticated Windows user for SYSPRO to read. Similarly, SYSPRO Espresso, which can also run in a browser or on a phone or tablet, is not designed for Microsoft Active Directory (AD) authentication.
Solving
This message is displayed when you select the Sync Now function of the Active Directory User Management program and the endpoint for the SYSPRO 8 Active Directory Sync Service is not configured correctly.
Ensure that the following option is configured correctly on the Single Sign-On tab of the System Setup program:
- AD sync service endpoint
For example:
net.tcp://MachineName:8733/SYSPRO.AD.Sync.Service
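The following PowerShell script is an added example (not SYSPRO's own tooling) for checking the endpoint value before you retry Sync Now: it parses the configured net.tcp address, confirms the scheme and path match the documented form, and tests whether the host and port are reachable from the machine you run it on. The endpoint string and the service display name in $ServiceName are assumptions; substitute the value from your System Setup and the name shown by Get-Service on the sync server.

```powershell
# Added example, not part of the SYSPRO product: sanity-check the AD sync service endpoint.
# Assumptions: $Endpoint is the value from System Setup > Single Sign-On > AD sync service endpoint;
# $ServiceName is the Windows service display name (assumed; confirm with Get-Service).
param(
    [string]$Endpoint    = 'net.tcp://MachineName:8733/SYSPRO.AD.Sync.Service',
    [string]$ServiceName = 'SYSPRO 8 Active Directory Sync Service'
)

$uri = [System.Uri]$Endpoint

# The documented endpoint form is net.tcp://<host>:<port>/SYSPRO.AD.Sync.Service.
if ($uri.Scheme -ne 'net.tcp') {
    Write-Warning "Endpoint scheme is '$($uri.Scheme)'; expected 'net.tcp'."
}
if ($uri.AbsolutePath -ne '/SYSPRO.AD.Sync.Service') {
    Write-Warning "Endpoint path is '$($uri.AbsolutePath)'; expected '/SYSPRO.AD.Sync.Service'."
}
if ($uri.Port -le 0) {
    Write-Warning "Endpoint has no explicit port; the documented example uses 8733."
}

# Test the TCP port from this machine; a closed or filtered port shows up here
# before you look at anything inside SYSPRO.
$reachable = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -InformationLevel Quiet
if ($reachable) {
    Write-Host "TCP $($uri.Host):$($uri.Port) is reachable from $env:COMPUTERNAME."
} else {
    Write-Warning "TCP $($uri.Host):$($uri.Port) is NOT reachable from $env:COMPUTERNAME."
}

# When run on the sync server itself, also confirm the service is actually running.
if ($uri.Host -eq $env:COMPUTERNAME -or $uri.Host -eq 'localhost') {
    $svc = Get-Service -DisplayName $ServiceName -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Warning "Service '$ServiceName' not found; check the display name."
    } elseif ($svc.Status -ne 'Running') {
        Write-Warning "Service '$ServiceName' is $($svc.Status)."
    } else {
        Write-Host "Service '$ServiceName' is running."
    }
}
```

Run it from the SYSPRO application server, because that is the machine that must reach the endpoint; a successful test from the sync server's own console proves nothing about the firewall path in between.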
You can rename the SYSPRO.ERP security group in Microsoft Active Directory (AD) by adding a suffix to the group name.
For example:
SYSPRO.ERP.ACCOUNTS
When you install the SYSPRO 8 Active Directory Sync Service (using the SYSPRO Installer app) ensure that you enter this suffix at the Security Group Suffix parameter field.
If required, you can update the suffix after installing the SYSPRO 8 Active Directory Sync Service:
- Stop the SYSPRO 8 Active Directory Sync Service. You should ideally stop the service while you make this change (and restart it afterwards); otherwise the new configuration is only picked up at the next poll interval.
- Create a custom.config file: make a copy of the SYSPRO.AD.Sync.Service.exe.config file and rename it to custom.config. The custom.config file then only needs to contain the entry you want to modify and the startup node. Any entries not contained in the custom.config file are retrieved from the original SYSPRO.AD.Sync.Service.exe.config file.
- Update the ADSecurityGroup key's value with the new security group name.
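The script below is an added example (not a SYSPRO-supplied script) that performs the three steps above in order: stop the service, create custom.config from the original file if it does not exist yet, and rewrite the ADSecurityGroup value. It assumes the key is stored as a standard .NET <appSettings><add key="ADSecurityGroup" value="..."/> element, that the service is installed under $InstallDir, and that the service display name in $ServiceName is correct; verify all three against your installation before running it.

```powershell
# Added example, not a SYSPRO script: repoint the sync service at a renamed security group.
# Assumptions: the ADSecurityGroup key is an <appSettings> <add key= value=> element (check your
# SYSPRO.AD.Sync.Service.exe.config); $InstallDir and $ServiceName are assumed values.
param(
    [Parameter(Mandatory)][string]$NewGroupName,   # e.g. SYSPRO.ERP.ACCOUNTS
    [string]$InstallDir  = 'C:\Program Files\SYSPRO\SYSPRO 8 Active Directory Sync Service',
    [string]$ServiceName = 'SYSPRO 8 Active Directory Sync Service'
)

$original = Join-Path $InstallDir 'SYSPRO.AD.Sync.Service.exe.config'
$custom   = Join-Path $InstallDir 'custom.config'

if (-not (Test-Path $original)) { throw "Original config not found: $original" }

# Step 1: stop the service so the change cannot be picked up half-applied mid-poll.
$svc = Get-Service -DisplayName $ServiceName
if ($svc.Status -eq 'Running') {
    Stop-Service -InputObject $svc -Force
    $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(30))
}

# Step 2: custom.config starts as a copy of the original; entries left in it override
# the original, entries absent from it fall back to the original file.
if (-not (Test-Path $custom)) {
    Copy-Item -Path $original -Destination $custom
}

# Step 3: rewrite only the ADSecurityGroup value.
[xml]$cfg = Get-Content -Path $custom -Raw
$node = $cfg.SelectSingleNode("//appSettings/add[@key='ADSecurityGroup']")
if (-not $node) { throw "ADSecurityGroup key not found in $custom; inspect the element layout." }

$old = $node.GetAttribute('value')
$node.SetAttribute('value', $NewGroupName)
$cfg.Save($custom)
Write-Host "ADSecurityGroup: '$old' -> '$NewGroupName'"

# Restart so the service reads the new group on its next run.
Start-Service -InputObject $svc
```

Because every user in the named group becomes a SYSPRO operator candidate, treat a change to this value as an access-control change: confirm the new group's membership (direct and nested) before the service runs against it.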
None.
The synchronization between SYSPRO and Microsoft Active Directory (AD) is a one-way service.
SYSPRO operators defined as AD Managed are managed by Microsoft Active Directory (AD) and updated accordingly in SYSPRO automatically when the SYSPRO 8 Active Directory Sync Service runs.
The following operator attributes are managed by Microsoft Active Directory (AD) and cannot be maintained in SYSPRO for Active Directory operators:
- Operator name
- Operator email address
- Network user name
- Operator status (i.e. Active, Disabled or Removed)
A user who is removed from the SYSPRO.ERP security group in Microsoft Active Directory (AD) is automatically disabled within SYSPRO when the SYSPRO 8 Active Directory Sync Service synchronizes with Microsoft Active Directory (AD).
The SYSPRO 8 Active Directory Sync Service must be run as a named user that has READ permission to access Microsoft Active Directory (AD). Because the synchronization is one-way, this account needs no write access to AD; use a dedicated account with read permission only rather than an administrative account.
If you have configured receiving emails in the System Setup program (Review email required, Failure email required, Success email required) the following variables are passed to the email templates when the Microsoft Active Directory (AD) synchronization takes place:
- $SsoUserCount$: Count of users added for review.
- $SsoOpChanged$: Count of operators with changes (e.g. email, name).
- $SsoOpActivated$: Count of operators whose status has changed to active from disabled or removed.
- $SsoOpDisabled$: Count of operators whose status has changed to disabled.
- $SsoOpRemoved$: Count of operators whose status has changed to removed.
- $FailedMsg$: If the synchronization fails, this contains the message as written to the log file.
The PollInterval defaults to 12 hours but can be changed if required. The minimum setting is 0.30 minutes.
An operator template is required when adding a new SYSPRO operator for an Active Directory user in the Active Directory User Management program. To create one:
- Open the Operator Maintenance program (reset your toolbar to ensure all the latest options are visible).
- From the Edit menu, select Maintain templates.
- Enter the template code in the Template field on the toolbar and press Tab.
- Enter details for the following mandatory fields on the Operator Details pane:
  - Operator name (this becomes the template description)
  - Operator group
- Configure any security groups, roles and other attributes that you require against the template.
- Enter any remaining information that you require as defaults for the operator template, or accept the defaults provided.
- Save the operator template.
Template operator codes are prefixed with __Template_ and their operator type is recorded as Template. Every operator created from a template inherits its groups, roles and other defaults, so keep templates limited to the access that every operator created from them genuinely needs.
The following functions become available in the Active Directory User Management program after linking an Active Directory user to a SYSPRO operator:
- Delink operator: delinks the operator from the Active Directory user but retains the SYSPRO operator code.
- Delete operator: completely removes the SYSPRO operator.
An operator who is delinked in the Active Directory User Management program remains visible in the program, as they are still part of the AdmSsoUsers table. If you don't want to see delinked operators in the Active Directory User Management program, highlight the operator and select the Hide Users option from the toolbar menu.
SMTP details are required if you have configured any of the following email options in the System Setup program:
- Review email required
- Failure email required
- Success email required
Using
The synchronization process occurs once you have enabled Single Sign-on and added the relevant users to the SYSPRO.ERP security group in Microsoft Active Directory (AD).
When an Active Directory user belongs to the SYSPRO.ERP security group, they are assumed to be personnel in the organization who have access to the SYSPRO ERP application and are therefore SYSPRO operators. This is important because Active Directory users on many sites include personnel who use additional applications and don't necessarily require access to SYSPRO.
- The SYSPRO 8 Active Directory Sync Service interrogates Microsoft Active Directory (AD) to read all users contained within the SYSPRO.ERP security group, either by direct membership or via a nested group.
  This lets you take advantage of an existing Active Directory security grouping (if it exists) without having to duplicate existing groups. Note that nesting also widens who can grant SYSPRO access: anyone able to manage the membership of a nested group can add SYSPRO operators without touching SYSPRO.ERP itself.
  The service provides an audit trail of all updates that occur and stores this information in the AdmSsoUserSyncLog table of your system-wide database.
  The service updates the SYSPRO AdmSsoUsers table, which updates the users linked to SYSPRO operators shown in the Active Directory User Management program.
- The Active Directory User Management program lets you assign Active Directory users to existing SYSPRO operator codes, or create new SYSPRO operator codes to which you want to assign Active Directory users.
- The SYSPRO 8 Active Directory Sync Service detects any change against the attributes of operators in the SYSPRO.ERP security group of Microsoft Active Directory (AD) during its next synchronization schedule and updates the AdmSsoUsers table and the relevant operators' details. Operator attributes include:
  - Operator name
  - Operator email address
  - Network user name
  - Operator status (i.e. Active, Disabled or Removed)
- You are notified via email (if this is configured) that changes requiring your attention have been made in Microsoft Active Directory (AD). For example, new users are added to the security group in Microsoft Active Directory (AD) which require SYSPRO operator assignment. This prompts you to run the Active Directory User Management program to review the changes and manage them accordingly.
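Because the service treats every effective member of SYSPRO.ERP (direct or nested) as a SYSPRO operator, the membership of that group is the access list for the application and deserves the same review as any other. The following PowerShell script is an added example (not part of SYSPRO) that reports that effective membership the way the service sees it, shows which nested groups contribute members, and flags disabled, mail-less and long-inactive accounts for review. It assumes the RSAT ActiveDirectory module is installed and that the group is named SYSPRO.ERP; change $GroupName if you installed the service with a suffix.

```powershell
# Added example, not SYSPRO tooling: audit the effective membership of the SYSPRO.ERP group.
# Assumptions: ActiveDirectory module available; $GroupName is your (possibly suffixed) group.
param([string]$GroupName = 'SYSPRO.ERP')
Import-Module ActiveDirectory

$group  = Get-ADGroup -Identity $GroupName
$direct = Get-ADGroupMember -Identity $group          # one level only

# Nested groups are a second place where SYSPRO access is granted; list them explicitly.
$direct | Where-Object objectClass -eq 'group' | ForEach-Object {
    Write-Host "Nested group contributing members: $($_.Name) ($($_.DistinguishedName))"
}
$directUserDNs = $direct | Where-Object objectClass -eq 'user' |
    Select-Object -ExpandProperty DistinguishedName

# -Recursive returns the leaf accounts the sync service will actually read.
$report = Get-ADGroupMember -Identity $group -Recursive |
    Where-Object objectClass -eq 'user' |
    ForEach-Object {
        $u = Get-ADUser -Identity $_.DistinguishedName -Properties mail, DisplayName, LastLogonDate
        [pscustomobject]@{
            SamAccountName    = $u.SamAccountName
            UserPrincipalName = $u.UserPrincipalName
            DisplayName       = $u.DisplayName      # becomes the SYSPRO operator name
            Mail              = $u.mail             # becomes the SYSPRO operator email
            Enabled           = $u.Enabled          # drives Active/Disabled operator status
            LastLogonDate     = $u.LastLogonDate
            ViaNesting        = ($_.DistinguishedName -notin $directUserDNs)
        }
    }

$report | Sort-Object ViaNesting, SamAccountName | Format-Table -AutoSize

# Review findings. A disabled AD account will be synced as a disabled operator, but stale
# membership should still be cleaned up; a missing mail attribute leaves the operator email blank.
$report | Where-Object { -not $_.Enabled } |
    ForEach-Object { Write-Warning "Disabled account still in group: $($_.SamAccountName)" }
$report | Where-Object { -not $_.Mail } |
    ForEach-Object { Write-Warning "No mail attribute: $($_.SamAccountName)" }
$stale = (Get-Date).AddDays(-90)
$report | Where-Object { $_.LastLogonDate -and $_.LastLogonDate -lt $stale } |
    ForEach-Object { Write-Warning "No logon in 90 days: $($_.SamAccountName)" }
```

Run it with the same read-only account the sync service uses, which also confirms that the account can see every member it needs to; a member that this script cannot resolve will not be synchronized either.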
- Columns in a list view are sometimes hidden by default. You can reinstate them using the Field Chooser option from the context-sensitive menu (displayed by right-clicking a column header in the list view). Select and drag the required column to a position in the list view header.
- Press Ctrl+F1 within a list view or form to view a complete list of functions available.
- You can reset the toolbar of a specific program in SYSPRO by selecting the program's Customize option from the Add or Remove buttons submenu (available from the small drop-down arrow located at the far right end of the toolbar). Alternatively, you can reset the toolbars of all programs by selecting the Reset Toolbar Settings function from the Toolbars tab of the Personalize program (SYSPRO Ribbon bar > Home).
- Use the Filter options in the toolbar to customize the operators displayed in the list view.
Referencing
Field | Description |
---|---|
Delink Operators | After selecting the applicable users within the Operators pane, use this function to delink the Active Directory users from their respective SYSPRO operator records. If you delink an operator, they are no longer controlled by Active Directory. This function is useful when you want to remove the link between an AD user and a SYSPRO operator, but retain the SYSPRO operator. |
Delete Operators | After selecting the applicable users within the Operators pane, use this function to delink the Active Directory users and delete their associated SYSPRO operator records. If you delete an operator, they are no longer controlled by Active Directory. |
Hide Users | After selecting the applicable operators within the Operators pane, use this function to hide them from the list displayed. Use the Include Hidden Users option from the Filter menu on the toolbar to include these hidden operators in the view once more. |
Unhide Users | After selecting the applicable operators within the Operators pane, use this function to unhide them. |
Sync Now | Select this option to force an immediate synchronization between Microsoft Active Directory (AD) and SYSPRO. This updates the operator list displayed. |
Field | Description |
---|---|
Select | Use the checkbox in this column to select multiple operators for actioning. This is only required when using the toolbar options that act on the selected operators (Delink Operators, Delete Operators, Hide Users and Unhide Users), and is useful when actioning more than one operator. |
Operator | This indicates the operator code assigned to the Active Directory user. An Unassigned entry in this column indicates that the Active Directory user is not associated with any SYSPRO operator. |
Name | This indicates the descriptive name of the Active Directory user. |
Link action | Select the appropriate option depending on your requirements for the user. Link to operator: select this option to link the Active Directory user to a SYSPRO operator using the Active Directory Link Operator program; once linked, they are controlled by Active Directory. Delink operator: select this option to delink the Active Directory user from the SYSPRO operator; if you delink an operator, they are no longer controlled by Active Directory. This is useful when you want to remove the link between an AD user and a SYSPRO operator, but retain the SYSPRO operator. |
Add/delete action | Select the appropriate option depending on your requirements for the user. Add operator: select this option to create a new SYSPRO operator (using the Add Operator and Link to AD User program) to link to the Active Directory user; once linked, they are controlled by Active Directory. Delete operator: select this option to delink the Active Directory user and delete the associated SYSPRO operator record. |
AD status | This indicates the current Active Directory status of the user, as defined by the AD administrator in Active Directory. |
AD display name | This indicates the current Active Directory display name for the user, as defined by the AD administrator in Active Directory. |
AD network user | This indicates the current Active Directory network user name, as defined by the AD administrator in Active Directory. |
 | This indicates the current email address of the user, as defined by the AD administrator in Active Directory. |
SYSPRO.ERP | This indicates whether the Active Directory user belongs to the SYSPRO.ERP security group in Active Directory. |
AD control | This indicates the AD Control of the user, as defined by the AD administrator in Active Directory. |
AD object | This indicates the AD Object of the user, as defined by the AD administrator in Active Directory. |
AD principal name | This indicates the AD principal name (userPrincipalName) of the user, as defined by the AD administrator in Active Directory. |
Hidden | This indicates whether the operator is defined as hidden. |
Last sync date | This indicates when the synchronization between Microsoft Active Directory (AD) and SYSPRO was last run. |
Copyright © 2021 SYSPRO PTY Ltd.