Domain Users and Groups
FlowForce Server supports integration with directory services such as Windows Active Directory (AD) and LDAP. This makes it possible to use existing domain users and groups for authentication and authorization, instead of managing all accounts manually inside FlowForce Server.
Domain users
A domain user is an individual account stored in your directory service. These accounts are typically managed by your IT or system administrator and authenticate against the domain (so their passwords and access policies are centrally managed).
Note the following points:
•In FlowForce Server, you can import domain users so that they can log in.
•If the option Allow any domain users to log in is enabled in the Directory Service settings, any user from the configured domain can log in to FlowForce Server, even if their account was never explicitly imported.
•If the option Allow any domain users to log in is disabled, each domain user must be explicitly imported before they can authenticate. This ensures administrators can control exactly which domain accounts are allowed to access FlowForce Server.
To import domain user accounts into FlowForce Server, take the following steps:
1.Click the Settings tab of the Administration page.
2.Select the Enable check box in the Directory Services section.
3.Configure your preferred Directory Service provider as described in Directory Service.
4.Click the Users tab on the Administration page.
5.Click Import Domain Users. This opens the Import Domain Users dialog shown below.
6.If applicable, select the domain of choice from the Context drop-down list.
7.In the Search for text box, start typing the name of the user account you want to import. Partial searches are valid: For example, if you enter a value such as ad, the accounts Administrators, Admanager, and Admin are retrieved from the LDAP server or Active Directory and shown in the dialog.
In the case of Active Directory, FlowForce Server uses the Ambiguous Name Resolution (ANR) search algorithm that allows you to specify complex search conditions in a single clause. For example, you can retrieve the account of a person named Jim Smith by typing ji sm. See the Microsoft documentation for further information about Ambiguous Name Resolution in Active Directory.
8.Select the records you want to import and click Import Selected.
Domain roles
A domain group is a collection of domain users defined in your directory service (e.g., a group called Accounting might contain all accountants in the company). Groups are used in AD/LDAP to simplify access management: Administrators assign privileges to the group, and all members automatically inherit those privileges.
Note the following important aspects:
•When you import a domain group into FlowForce Server, it becomes available as a role to which you can assign privileges.
•All members of the domain group automatically inherit these FlowForce privileges when they log in.
•Importing a domain group does not automatically allow its members to log in. Unless the option Allow any domain users to log in is enabled in the Directory Service settings, individual user accounts must also be imported into FlowForce Server.
•FlowForce Server checks the current membership of the domain group each time a user logs in. Therefore, any changes made in AD/LDAP (such as adding or removing users from the group) are immediately reflected in FlowForce Server.
•The membership of domain groups is managed externally in AD/LDAP, not inside FlowForce Server.
To import domain roles into FlowForce Server, take the following steps:
1.Click the Roles tab on the Administration page.
2.Click Import Domain Roles.
3.Follow the steps 6-8 above.
Domains and domain trusts
You can see the list of available domains on the login page and in the following sections of the Administration page:
•In the dialog box Import Domain Users in the Users tab
•In the dialog box Import Domain Roles in the Roles tab
•In the Settings tab.
Currently, only the following domains are visible in FlowForce Server: the domain with the machine on which FlowForce Server is installed and any domains from the same forest to which this machine belongs. However, other trusted domains connected via the external, forest, realm and shortcut trusts are not supported and cannot be seen in the list of available domains in FlowForce Server.
Note: To run a job, you can use any user credentials accepted by Windows. In this case, Windows will take care of the external trusts.