Monday, March 17, 2014

Active Directory User Management with Softerra Adaxes



















In an ideal world, all end user access to Canto Cumulus is controlled via Active Directory. Even better are single sign-on (SSO) integrations such as the one mentioned in one of my previous blog posts. But what if …

  1. None of your external end users are part of your internal Active Directory?
  2. Your Cumulus solution is hosted in the Cloud?
  3. Your IT team does not want to deal with managing your ever-changing list of external end users, but also requires you to manage all access through AD?

This is the scenario we faced with one of our large corporate clients. In the end, we designed and built a solution for them that would solve all these problems. A key ingredient was Softerra Adaxes. This software sits like a layer “on top” of an Active Directory and enabled us to grant internal, non-IT Cumulus administrators limited and exactly defined access to an Active Directory so that they can manage their external end users themselves, without involving any IT staff and without any in-depth knowledge of how Active Directory works.


As you can see in the diagram, internal users are still managed by the IT team of our customer. Their connection to Sites and Web Client is handled by an SSO integration. However, internal Cumulus administrators can use Softerra Adaxes’ web-based “User Manager” to create and manage their external end users in a secondary Active Directory hosted in the cloud. This includes assigning users to Active Directory groups which are mapped to Cumulus application roles. This “User Manager” is completely customizable. This is how we designed the look for our customer’s Cumulus administrators:



Each of these so-called “home page actions” can be defined down to the finest detail. For example, it is possible to allow admins to create users only in specific organizational units (OUs) and to assign them only to a specific group (or groups) within specific OUs, so that they can grant access to or modify only those parts of the Active Directory they are allowed to. The configuration can be as closed or as open as needed.
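
The scoping described above (new users only in specific OUs, group assignments only from specific OUs) can also be checked independently of the tool that enforces it. The following is an added example, not part of the original post and not Adaxes code; the domain, the OU names and all function names are assumptions made for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

def split_dn(dn: str) -> tuple[str, ...]:
    """Split a DN into lower-cased RDNs, honouring backslash-escaped commas."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])      # keep the escape pair together
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append("".join(cur))
    return tuple(r.strip().lower() for r in rdns)

def is_under(dn: str, base: str) -> bool:
    """True if dn lies strictly below base, compared RDN by RDN, not by string suffix."""
    d, b = split_dn(dn), split_dn(base)
    return len(d) > len(b) and d[-len(b):] == b

@dataclass(frozen=True)
class CreateUserScope:
    user_ous: tuple[str, ...]     # OUs in which delegated admins may create users
    group_ous: tuple[str, ...]    # OUs whose groups they may assign

def violations(scope: CreateUserScope, user_dn: str, group_dns: list[str]) -> list[str]:
    """Return every way a create-user request falls outside the delegated scope."""
    problems = []
    if not any(is_under(user_dn, ou) for ou in scope.user_ous):
        problems.append(f"user outside delegated OUs: {user_dn}")
    for g in group_dns:
        if not any(is_under(g, ou) for ou in scope.group_ous):
            problems.append(f"group outside delegated OUs: {g}")
    return problems

# Constructed sample scope; the domain and OU names are illustrative assumptions.
BASE = "DC=cloud,DC=example,DC=com"
SCOPE = CreateUserScope(user_ous=(f"OU=External Users,{BASE}",),
                        group_ous=(f"OU=Cumulus Roles,{BASE}",))

if __name__ == "__main__":
    ok = violations(SCOPE, f"CN=Jane Doe,OU=External Users,{BASE}",
                    [f"CN=Cumulus-Editors,OU=Cumulus Roles,{BASE}"])
    bad = violations(SCOPE, f"CN=Jane Doe,OU=Staff,{BASE}",
                     [f"CN=Domain Admins,CN=Users,{BASE}"])
    print(ok, bad, sep="\n")
```

Comparing parsed RDNs rather than raw strings matters because a DN whose CN value contains an escaped comma can end with the text of an allowed OU without actually being located in it.
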
To a Cumulus administrator, the “Create new user” dialog could appear like this in their browser:


 
However, in the backend, we (as the solution providers) configured this web-based “User Manager” to be restricted as follows:
 
 
 
 
This can be done for any of the home page actions, and even the home page layout is completely customizable. This is really great news for all Cumulus customers who are required to manage their users via AD but have always complained about the extra effort and delay whenever they need to create a new user or modify an existing one … such as moving a user into a different group, aka: Cumulus role. With Adaxes, that responsibility can be given straight to the people who also manage Cumulus.

If you are interested in a similar solution, please get in touch with Nextware Professional Services at contact@nextwaretech.com today.


