Active Directory Link Operator
Exploring
Where it fits in?
This program lets you link Active Directory users to existing SYSPRO operators.
This program can't be run standalone and is accessed from the following program(s):
- Active Directory User Management, from the Link to operator function.
Terminology
Microsoft Active Directory (AD)
Microsoft Active Directory (AD) is a directory service developed by Microsoft for Microsoft Windows domain networks and comprises several services that run on Windows Server to manage permissions and access to networked resources.
Organizational unit
An organizational unit (OU) is a subdivision within Microsoft Active Directory (AD) into which you can place the following objects:
- Users
- Groups (e.g. Security groups)
- Computers
- Other organizational units
You can create organizational units to mirror your organization's functional or business structure, and each domain can implement its own organizational unit hierarchy.
Security group
Security groups provide an efficient way to assign access to resources on your network:
- Assign user rights to security groups in Microsoft Active Directory (AD).
- Assign permissions to security groups for resources.
Starting
Security
Activities
You restrict operator access to activities within a program using the Operator Maintenance program.
Fields
You can restrict operator access to the fields within a program (configured using the Operator Maintenance program).
eSignatures
You can restrict access to the eSignature transactions within a program at operator, group, role or company level (configured using the Electronic Signature Configuration Setup program). Electronic Signatures provide security access, transaction logging and event triggering that gives you greater control over your system changes.
Groups
You can restrict operator access to programs by assigning them to groups and applying access control against the group (configured using the Operator Groups program).
Passwords
You can restrict operator access to functions within a program using passwords (configured using the Password Definition program). When defined, the password must be entered before you can access the function.
Configuring
The following configuration options in SYSPRO may affect processing within this program or feature, including whether certain fields and options are accessible.
Setup Options
The Setup Options program lets you configure how SYSPRO behaves across all modules. These settings can affect processing within this program.
Login System Setup
Setup Options > System Setup > Login
- Multi-factor authentication
  - Multi-factor authentication required
  - User applicability
- Multi-factor authentication methods
  - Email authentication required
  - Operator can set own email address
  - Email must match pattern
  - Google authenticator required
Connectivity System Setup
Setup Options > System Setup > Connectivity
- SMTP server IP address
- Outgoing email address
- Username
- Password
- Server port
- Use SSL
Restrictions and Limits
- SYSPRO operators cannot be enabled for simultaneous use of Multi-Factor Authentication and:
  - SSO using Active Directory (i.e. the operator is defined as an Active Directory user)
  - Concurrent usage (i.e. the Allow concurrent use of this operator option is enabled against the operator in the Operator Maintenance program)
- Currently, SSO using Active Directory is not supported with the following platforms:
  - SYSPRO Espresso
  - SYSPRO Supply Chain Portal
  - SYSPRO Web UI (Avanti)
Solving
FAQs
Active Directory management
Can I rename the security group in Microsoft Active Directory (AD)?
You can rename the SYSPRO.ERP security group in Microsoft Active Directory (AD) by adding a suffix to the group name.
For example:
SYSPRO.ERP.ACCOUNTS
When you install the SYSPRO 8 Active Directory Sync Service (using the SYSPRO Installer app) ensure that you enter this suffix at the Security Group Suffix parameter field.
If required, you can update the suffix after installing the SYSPRO 8 Active Directory Sync Service:
- Create a custom.config file: To create a custom.config file, make a copy of the SYSPRO.AD.Sync.Service.exe.config file and rename it to custom.config. The custom.config file can then contain the entry you want to modify and the startup node. Any entries not contained in the custom.config file are retrieved from the original SYSPRO.AD.Sync.Service.exe.config file. You should ideally stop the service while you do this, otherwise the configurations will be picked up at the next poll interval.
- Update the ADSecurityGroup key's value with the new security group name.
What attributes are updated in Microsoft Active Directory (AD)?
None. The synchronization between SYSPRO and Microsoft Active Directory (AD) is a one-way service.
SYSPRO operators defined as AD Managed are managed by Microsoft Active Directory (AD) and updated accordingly in SYSPRO automatically when the SYSPRO 8 Active Directory Sync Service runs.
The following operator attributes are managed by Microsoft Active Directory (AD) and cannot be maintained in SYSPRO for Active Directory operators:
- Operator name
- Operator email address
- Network user name
- Operator status (i.e. Active, Disabled or Removed)
What happens if a user is removed from the SYSPRO.ERP security group in Microsoft Active Directory (AD)?
A user who is removed from the SYSPRO.ERP security group in Microsoft Active Directory (AD) is automatically disabled within SYSPRO when the SYSPRO 8 Active Directory Sync Service synchronizes with Microsoft Active Directory (AD).
Synchronization
What permissions are required for the service user?
The SYSPRO 8 Active Directory Sync Service must be run as a named user that has READ permission to access Microsoft Active Directory (AD).
What variables are passed to the email templates when synchronization occurs?
If you have configured receiving emails in the System Setup program (Review email required, Failure email required, Success email required) the following variables are passed to the email templates when the Microsoft Active Directory (AD) synchronization takes place:
- $SsoUserCount$: Count of users added for review.
- $SsoOpChanged$: Count of operators with changes (e.g. email, name).
- $SsoOpActivated$: Count of operators whose status has changed to active from disabled or removed.
- $SsoOpDisabled$: Count of operators whose status has changed to disabled.
- $SsoOpRemoved$: Count of operators whose status has changed to removed.
- $FailedMsg$: If the synchronization fails, then this contains the message as written to the log file.
What is the default synchronization schedule?
The PollInterval is set by default to every 12 hours, but can be changed if required.
The minimum setting is 0.30 minutes.
SYSPRO operators
What is the difference between a service operator and a normal operator?
Service operators are signed in by a SYSPRO service and are used for any functionality that is required by the service to obtain information about SYSPRO.
Normal operators sign in to SYSPRO with a username and password. They access certain programs and functions to perform specific tasks.
For example:
The __SRS service operator is used by the SYSPRO 8 Reporting Host Service to obtain information about the companies in an environment. It isn't used by the business object to retrieve the data for a report; that is done as the specific normal operator who submits the request for the report.
What are service operators and what are they used for?
Service operators are created by SYSPRO and are used by SYSPRO services to obtain information about SYSPRO.
The service operator code starts with a double underscore to differentiate them from other operators. A default company code must be assigned to each service operator within the Operator Maintenance program, as we use the company code to log in the service operator via e.net.
The following is a list of service operators and their function within SYSPRO:
- The __ADSYNC service operator is used by the SYSPRO 8 Active Directory Sync Service to push Microsoft Active Directory (AD) information into SYSPRO for Active Directory managed operators.
- The __DFM service operator is used by the SYSPRO 8 Document Flow Manager Folder Poller and SYSPRO 8 Document Flow Manager Queue Poller to monitor folders, send files to the queue and process files.
- The __ESP service operator is used by the following services:
  - SYSPRO 8 Espresso Service,
  - SYSPRO 8 Espresso Notification Service,
  - SYSPRO Espresso Development Plugin and the
  - SYSPRO Avanti Web Service to obtain information for the password reset and forgot password functionality.
- The __POS service operator is used by the SYSPRO 8 Point of Sale Services to determine and validate the setup options and required credentials at start up, update the required databases and post to SYSPRO (if the Point of Sale operator doesn't have access to SYSPRO).
- The __RUL service operator is used by the SYSPRO 8 Rules Engine Service and the SYSPRO 8 Rules Data Service.
- The __SA service operator is used by the SYSPRO 8 Analytics service to make business object calls.
- The __SAI service operator is used by the SYSPRO 8 Machine Learning service.
- The __SRS service operator is used by the SYSPRO 8 Reporting Host Service and the SYSPRO 8 Cognitive Service to manage client-side report printing.

- Only specific services use service operators to log in via e.net.
- SYSPRO creates service operators by copying the ADMIN operator. If the ADMIN operator record doesn't exist (i.e. it may have been deleted), then the current operator is used when saving system details from the Setup Options program.
What are template operators and what are they used for?
Template operators are blueprint operators that can be used to create other operators. The configurations or settings applied to the template operator are then applied to all operators that are created from the template operator.
- You can't log into SYSPRO using a template operator.
- Portal users are created from a template operator, i.e. you have to create the template operator first using the Operator Maintenance program, before you can create a portal user.
How do I create a Template operator?
An operator Template is required when adding a new SYSPRO operator for an Active Directory user in the Active Directory User Management program.
- Open the Operator Maintenance program. Reset your toolbar to ensure all the latest options are visible.
- From the Edit menu, select Maintain templates.
- Enter the template code in the Template field on the toolbar and press tab.
- Enter details for the following mandatory fields on the Operator Details pane:
  - Operator name (this becomes the template description)
  - Operator group
- Configure any security groups, roles and other attributes that you require against the template.
- Enter any remaining information that you require as defaults for the operator template, or accept the defaults provided.
- Save the operator template. Template operator codes are prefixed with __Template_ and their operator type records as Template.
What functions are available after Active Directory users are assigned to SYSPRO operators?
The following functions become available in the Active Directory User Management program after linking an Active Directory user to a SYSPRO operator:
- Delink operator (delinks the operator from the Active Directory user but retains the SYSPRO operator code)
- Delete operator (completely removes the SYSPRO operator)
What if an operator is delinked in SYSPRO, but remains part of the security group in Microsoft Active Directory (AD)?
An operator who is delinked in the Active Directory User Management program remains visible in the program as they are still part of the AdmSsoUsers table.
If you don't want to see delinked operators in the Active Directory User Management program, highlight the operator and select the Hide Users option from the toolbar menu.
General
Why are SMTP details required to use SSO using Active Directory?
SMTP details are required if you have configured any of the following email options from the Connectivity System Setup form of the Setup Options program (Setup Options > System Setup > Connectivity):
- Review email required
- Failure email required
- Success email required
Using
Process
The synchronization process occurs once you have enabled SSO using Active Directory and added the relevant users to the SYSPRO.ERP security group in Microsoft Active Directory (AD).
When an Active Directory user belongs to the SYSPRO.ERP security group, they are assumed to be personnel in the organization who have access to the SYSPRO ERP application and are therefore SYSPRO operators. This is important because Active Directory users on many sites include personnel who use additional applications and don't necessarily require access to SYSPRO.
- The SYSPRO 8 Active Directory Sync Service interrogates Microsoft Active Directory (AD) to read all users contained within the SYSPRO.ERP security group, either by direct membership or via a nested group. This lets you take advantage of an existing Active Directory security grouping (if it exists) without having to duplicate existing groups. The service provides an audit trail of all updates that occur and stores this information in the AdmSsoUserSyncLog table of your system-wide database. The service updates the SYSPRO AdmSsoUsers table, which updates the users linked to SYSPRO operators shown in the Active Directory User Management program.
- The Active Directory User Management program lets you assign Active Directory users to existing SYSPRO operator codes, or create new SYSPRO operator codes to which you want to assign Active Directory users.
- The SYSPRO 8 Active Directory Sync Service detects any change against the attributes of operators in the SYSPRO.ERP security group of Microsoft Active Directory (AD) during its next synchronization schedule and updates the AdmSsoUsers table and the relevant operators' details. Operator attributes include:
  - Operator name
  - Operator email address
  - Network user name
  - Operator status (i.e. Active, Disabled or Removed)
- You are notified via email (if this is configured) that changes requiring your attention have been made in Microsoft Active Directory (AD). For example: New users are added to the security group in Microsoft Active Directory (AD) which require SYSPRO operator assignment. This prompts you to run the Active Directory User Management program to review the changes and manage accordingly.
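
The membership expansion described above can be reviewed before a sync runs. The following is an added example, not SYSPRO's code: it resolves direct and nested membership of SYSPRO.ERP from a constructed directory export and reports users who need an operator assigned, users in scope only through a nested group, and linked operators the next sync should disable. Every group and user name other than SYSPRO.ERP, and the data layout, are assumptions.

```python
from collections import deque

ROOT_GROUP = "SYSPRO.ERP"

# Constructed sample directory export: group -> direct members.
# Any member name that is not itself a key is treated as a user account.
# Every name except SYSPRO.ERP is made up for this example.
GROUPS = {
    "SYSPRO.ERP": ["alice", "Finance", "Warehouse"],
    "Finance": ["bob", "Finance-Contractors"],
    "Finance-Contractors": ["carol", "Finance"],  # circular nesting, on purpose
    "Warehouse": ["dave", "alice"],
}

# Constructed sample: network user name -> status of the linked SYSPRO operator.
LINKED_OPERATORS = {"alice": "Active", "bob": "Active", "erin": "Active"}


def effective_members(groups, root):
    """Map each user reachable from root to the shortest group path granting scope.

    Breadth-first search, so a direct member is always recorded with the
    one-element path [root]. Groups already visited are skipped, which keeps
    circular nesting from looping forever.
    """
    paths = {}
    seen_groups = {root}
    queue = deque([(root, [root])])
    while queue:
        group, path = queue.popleft()
        for member in groups.get(group, []):
            if member in groups:                  # nested group
                if member not in seen_groups:
                    seen_groups.add(member)
                    queue.append((member, path + [member]))
            elif member not in paths:             # user: keep the first (shortest) path
                paths[member] = path
    return paths


def review(groups, root, linked):
    """Compare effective group membership with the currently linked operators."""
    members = effective_members(groups, root)
    return {
        # In the security group but not yet linked to an operator.
        "needs_operator": sorted(u for u in members if u not in linked),
        # In scope only because a nested group is a member of the root group.
        "nested_only": sorted(u for u, p in members.items() if len(p) > 1),
        # Linked and active, but no longer in the group: disabled at the next sync.
        "expect_disabled": sorted(
            u for u, status in linked.items()
            if u not in members and status == "Active"
        ),
    }


if __name__ == "__main__":
    for finding, users in review(GROUPS, ROOT_GROUP, LINKED_OPERATORS).items():
        print(f"{finding}: {', '.join(users) or '-'}")
```

Users listed under nested_only are in scope through another group's membership, so changes to that group should be reviewed as changes to SYSPRO access.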
Hints and Tips
- Columns in a listview are sometimes hidden by default. You can reinstate them using the Field Chooser option from the context-sensitive menu (displayed by right-clicking a column header in the listview). Select and drag the required column to a position in the listview header.
- Press Ctrl+F1 within a listview or form to view a complete list of functions available.
Referencing
Menu and Toolbar
| Field | Description |
|---|---|
| Link Operator to AD User | Once you have captured all the relevant information, select this option to link the defined SYSPRO operator to the selected Active Directory user. The program will exit and return you to the Active Directory User Management program. |
| Show matching operators | Enable this option to see any SYSPRO operator records that possibly match the selected Active Directory user. These are displayed in the Available Operators pane. |
Select Operator
| Field | Description |
|---|---|
| Link operator | |
| Operator | This indicates the SYSPRO operator record that must be assigned to the Active Directory user. Use the browse icon to search for the operator using the Operator Browse program, or select the applicable operator from the Available Operators pane. |
| AD user information | |
| Name | This indicates the descriptive name of the Active Directory user. |
| | This indicates the current email address of the user, as defined by the AD administrator in Active Directory. |
| Network user | This indicates the current Active Directory network user name, as defined by the AD administrator in Active Directory. |
| Display name | This indicates the current Active Directory display name for the user, as defined by the AD administrator in Active Directory. |
| Principle name | This indicates the AD Principle Name of the user, as defined by the AD administrator in Active Directory. |
| AD status | This indicates the current Active Directory status of the user, as defined by the AD administrator in Active Directory. |
Available Operators
This pane displays operator records available for you to select and assign to the Active Directory user.
If the Show matching operators option on the toolbar is enabled, only operators that possibly match the Active Directory user are displayed (this is based on a similar name, network user name and/or email address).
Copyright © 2025 SYSPRO PTY Ltd.
