Configure Active Directory
Your organization may want to have users authenticate to Asset Manager Enterprise Edition using Active Directory (AD). This arrangement, with an assist from you, maps AD user rights to the Asset Manager system and controls what individual users can see and control when logged in to an Asset Manager Command Center. Your contribution is to tell the Asset Manager system how to apply rules that map groups, organizations, and roles by creating a CSV group mapping file. The group mapping file you create specifies the mapping.
For more on organizations, roles, and permissions, see the About Organizations, Zones & Users page.
Update
In the group mapping mechanism, a list of AD groups separated by the pipe symbol (|) can now be set as 'superuser' (or the column can be left blank).
Sample format:
group2|group4|group1 | Manager/Development | superuser |
group5|group4|group6 | Viewer/Sales |
When a new AD user signs on to Asset Manager, a user account is created along with the roles mapped to the user's AD groups. If those AD groups are defined as 'superuser', all users in that AD group are designated Asset Manager superusers. Changes to group mapping data take effect when the users associated with those records sign on to the Asset Manager system.
For example, suppose AD has defined these groups, and we want to assign users to particular roles in Asset Manager, remembering that each role is always paired with an organization defined in Asset Manager.
And you want these rules to apply to your Asset Manager users:
- Vice presidents should get read-only access in all organizations
Group   Role+Organization
vp      Viewer/NA
vp      Viewer/EMEA
vp      Viewer/APAC
That portion of the group mapping CSV file would look like this:
vp,Viewer/NA
vp,Viewer/EMEA
vp,Viewer/APAC
Notice that the CSV example contains only two columns—AD group name and Asset Manager role + organization. The two columns are separated by a comma (,). Any row containing more than two columns is considered an invalid row.
- Admins should get SysAdmin roles in their own regions
Group        Role+Organization
admin|na     SysAdmin/NA
admin|emea   SysAdmin/EMEA
admin|apac   SysAdmin/APAC
The AD users in row #1 are members of both the admin and na groups. In Asset Manager, the users matched by row #1 are SysAdmins for the NA organization.
That portion of the group mapping file would look like this:
admin|na,SysAdmin/NA
admin|emea,SysAdmin/EMEA
admin|apac,SysAdmin/APAC
- People on the Security team should have Viewer and Manager roles in some regions.
Group              Role+Organization
security|na|emea   Viewer/NA
security|na|emea   Manager/NA
security|na|emea   Viewer/EMEA
security|na|emea   Manager/EMEA
security|na|emea   Viewer/APAC
security|apac      Viewer/APAC
security|apac      Manager/APAC
security|apac      Viewer/NA
security|apac      Viewer/EMEA
AD users in row #7 are members of both the security and apac groups and in Asset Manager have a Manager role in the APAC organization.
That portion of the group mapping file would look like this:
security|na|emea,Viewer/NA
security|na|emea,Manager/NA
security|na|emea,Viewer/EMEA
security|na|emea,Manager/EMEA
security|na|emea,Viewer/APAC
security|apac,Viewer/APAC
security|apac,Manager/APAC
security|apac,Viewer/NA
security|apac,Viewer/EMEA
The contents of the assembled CSV file would look like this:
vp,Viewer/NA
vp,Viewer/EMEA
vp,Viewer/APAC
admin|na,SysAdmin/NA
admin|emea,SysAdmin/EMEA
admin|apac,SysAdmin/APAC
security|na|emea,Viewer/NA
security|na|emea,Manager/NA
security|na|emea,Viewer/EMEA
security|na|emea,Manager/EMEA
security|na|emea,Viewer/APAC
security|apac,Viewer/APAC
security|apac,Manager/APAC
security|apac,Viewer/NA
security|apac,Viewer/EMEA
CSV File Rules
The rules we've introduced are as follows:
- Each line in the group mapping file starts with a list of AD groups followed by a role/organization pair.
- If there is more than one group, separate them with a vertical bar (|).
- Each role must be paired with its organization, separated by a forward slash (/).
- Users are assigned the role/organization pair of every row whose listed AD groups they are members of (in the examples above, a user matches row #1 or row #7 only by being in both of that row's groups).
The admin and manager users can see these roles by default.
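As an added example (this is not code from the Asset Manager product or its documentation), the following Python resolver applies the CSV rules above: it parses a mapping file, applies every row whose full group list the user belongs to, and reports organizations the mapping references that the Command Center does not yet have. The comma-separated three-column form used for the optional 'superuser' column is an assumption based on the sample format in the Update section.

```python
import csv
import io

# Constructed sample mapping: rows from this page plus one row using the
# optional third 'superuser' column (its comma-separated form is assumed).
SAMPLE_MAPPING = """\
vp,Viewer/NA
vp,Viewer/EMEA
vp,Viewer/APAC
admin|na,SysAdmin/NA
admin|emea,SysAdmin/EMEA
security|na|emea,Viewer/NA
security|apac,Manager/APAC
security|apac,Viewer/NA
group2|group4|group1,Manager/Development,superuser
"""

def parse_mapping(text):
    """Return (groups, role, org, superuser) per valid row; rows without a
    role/org pair or with more than the three known columns are skipped."""
    rows = []
    for fields in csv.reader(io.StringIO(text)):
        fields = [f.strip() for f in fields if f.strip()]
        if len(fields) < 2 or len(fields) > 3 or "/" not in fields[1]:
            continue  # invalid row, ignored
        groups = frozenset(g.strip() for g in fields[0].split("|") if g.strip())
        role, org = fields[1].split("/", 1)
        superuser = len(fields) == 3 and fields[2].lower() == "superuser"
        rows.append((groups, role, org, superuser))
    return rows

def resolve(rows, user_groups):
    """A row applies only when the user belongs to every group it lists
    (rows #1 and #7 above: members of both groups)."""
    member_of = set(user_groups)
    roles, superuser = set(), False
    for groups, role, org, su in rows:
        if groups <= member_of:
            roles.add((role, org))
            superuser = superuser or su
    return sorted(roles), superuser

def missing_organizations(rows, existing_orgs):
    """Organizations the mapping references that must first be created with
    'organization new <name>' on the Command Center."""
    return sorted({org for _, _, org, _ in rows} - set(existing_orgs))
```

Run missing_organizations against the Command Center's organization list before appending a mapping file, so no row silently refers to an organization that does not exist.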
To map Active Directory (AD) groups and roles to Asset Manager organizations, here's the process.
Prerequisites
- Ensure that Groups and Users have already been set up in an Active Directory (AD) server before beginning this procedure.
See https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal to learn how.
- Obtain the credentials for your organization's AD server. Here are the types of information you'll need, with an example of most of them (we've masked the name of our Active Directory server):
Active Directory CLI Commands
To configure Active Directory on Asset Manager Enterprise Edition:
- Identify the Host Name or IP Address of your Command Center.
- Use that information to log in to the CLI of your Command Center.
- At the command-line prompt, enter: authentication ad
- These are the available AD Authentication CLI commands. Each command, its purpose, and its syntax follow, along with a screencap. The Active Directory CLI commands are presented here in the order they appear on the CLI menu. Although not fixed, the order of operations is likely to be 1) configure, 2) viewconfig, 3) netbios, 4) enable, 5) groupmapping. This likely order of operations is listed with each command below.
CLI Command: groupmapping (likely order of operations: 5)
Description & Example: Maps an Active Directory group to an Organization in Asset Manager Enterprise Edition.
authentication ad groupmapping append path/to/local/file
authentication ad groupmapping append admin@172.18.1.184:/home/admin/AD-group-mapping.csv
If your Active Directory mapping introduces new Organizations, you will need to create those organizations in the Command Center as follows:
organization new name-of-new-organization
CLI Command: configure (likely order of operations: 1)
Description & Example: Configures an Active Directory authentication server.
authentication ad configure <AD server> <realm> <domain> <username> <password>
CLI Command: netbios (likely order of operations: 3)
Description & Example: The netbios is an alias for the hostname used in Active Directory authentication. It's only required if your hostname is more than 15 characters long.
If the hostname of the Command Center is longer than the maximum number of characters allowed, AD will not be enabled. In cases like these, use the netbios to serve as an alias for a too-long hostname.
CLI Command: enable/disable (likely order of operations: 4)
Description & Example: Enables and disables AD authentication.
authentication ad <enable|disable>
CLI Command: viewconfig (likely order of operations: 2)
Description & Example: Displays the current AD configuration.
CLI Command: clearconfig (optional)
Description & Example: Clears the current AD configuration.
View Users in Asset Manager
When an AD user signs on to Asset Manager and goes to Settings > Users, the users, groups, and organizations to which they have been given rights through the AD server groupings—and only those—are visible.