LDAP Group Synch
I'm trying to understand the behavior of LDAP group synch:
We have an LDAP synch with no filters on the configuration tab (for users) but with filters on the group synch.
With this setup, when a user who has never logged on to eGRC clicks on the eGRC link, his account gets auto-created and he sees the default workspaces.
Question: LDAP synch is set to run at 11:30 PM everyday.
A user is added to an "Admin AD group" at 5 PM. The user clicks on the link for the first time --> his account is auto-created.
Should he get the AD admin group access immediately on login at 5 PM or ONLY after the LDAP synch completes at 11:30 PM?
The user is added to the AD group. Is this the reason the user's account gets automatically created when the user clicks on the "eGRC" link?
@Syed - What if the user is not part of the AD group and clicks on the eGRC link? Will the user account get created?
That works fine.
Here is a scenario which we are trying to find a workaround for.
We want everybody at the org to have access to eGRC, but not unless they click on the link.
So in the LDAP synch we have no filter for the users (i.e. it is blank), and in the 3rd tab we have unchecked "create new users" because we don't want the entire user base (2M) to get created in Archer. This works great. With this setup, when the user clicks on the link, he is created with the default role.
However, there are scenarios where users request their name to be added to a particular AD group. Once the AD team adds them to the AD group, the LDAP synch does not add the user unless their user name has already been created in Archer.
Is there any way we can push the new user to be created in Archer along with the group synch without adding a filter on the second tab?
If you do not have a filter in the second tab, then any user that is part of the AD will get created in Archer when they click on the link. However, if you have no filter and on the 3rd tab you have "create new users" checked, then ALL your AD accounts will be created in Archer too.
One idea is to use the REST API to create the domain user in Archer -OR- add the new domain user to the LDAP Groups -OR- both.
From the Web UI, Archer users (normal and domain) cannot be added to LDAP Groups or removed from them, but the REST API can. The REST API URL would be /api/core/system/usergroup and here is a sample input/output.
Ah! Glad that rest can do this. Will give this a shot.
Also, is there any way we can schedule an ldap synch more than once a day? I think that will solve a bunch of problems for us.
Enhancement request ARCHER-22542 was logged last year to add more Frequency options for the LDAP Schedule.
Using SQL queries is not a recommended approach for several reasons:
- The database schema is different between Archer versions. For example, translation tables introduced.
- SQL bypasses Archer code logic, permissions, and auditing.
- Custom SQL queries are not supported.
- The data can be spread across many, many tables.
- SQL commands should not be used unless it's absolutely necessary to resolve an issue OR functionality does not exist.
With all that said, a scheduled SQL Agent Job could be set up to run the following SQL command, which changes the LDAP Sync start time to 2 minutes from now. Just be sure the job frequency is longer than the time it takes to run the LDAP Sync. Also, test thoroughly in a non-prod environment and after any upgrade to ensure it still works.
-- Force the LDAP Synch to run 2 min from now. Use with a SQL Agent Job to run every X minutes/hours.
DECLARE @ldap_config_id AS INT;
SET @ldap_config_id = 1;  -- config_id of the LDAP configuration row in tblLDAPConfig
DECLARE @oldtime AS varchar(max);
DECLARE @newtime AS varchar(max);
DECLARE @newdata AS varchar(max);
-- Only touch the row if the TimeOfDay attribute is actually present; otherwise SUBSTRING/REPLACE would corrupt the XML.
IF EXISTS (SELECT 1 FROM tblLDAPConfig WHERE config_id = @ldap_config_id AND CHARINDEX('TimeOfDay="', data_map_xml) > 0)
BEGIN
    -- Current value, e.g. TimeOfDay="23:30 (16 characters: the 11-character attribute prefix plus hh:mm)
    SET @oldtime = (SELECT SUBSTRING(data_map_xml, CHARINDEX('TimeOfDay="', data_map_xml), 16) FROM tblLDAPConfig WHERE config_id = @ldap_config_id);
    -- New value: the same prefix followed by now + 2 minutes as hh:mm (style 114 yields hh:mi:ss:mmm, truncated to 5 characters)
    SET @newtime = 'TimeOfDay="' + CONVERT(VARCHAR(5), DATEADD(MINUTE, 2, GETDATE()), 114);
    SET @newdata = (SELECT REPLACE(data_map_xml, @oldtime, @newtime) FROM tblLDAPConfig WHERE config_id = @ldap_config_id);
    UPDATE tblLDAPConfig SET data_map_xml = @newdata WHERE config_id = @ldap_config_id;
END
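The SQL Agent job the post refers to, written out as an added example (this is not the poster's code and not Archer's own): the posted statement is wrapped in a stored procedure that refuses to run when the TimeOfDay attribute cannot be found, and that procedure is then scheduled every 120 minutes. The database name ArcherInstanceDB, the procedure name usp_ForceLdapSyncSoon, the job name and the 120-minute interval are assumptions; CREATE OR ALTER and THROW need SQL Server 2016 SP1 or later.

```sql
-- Added example: wrap the posted command in a stored procedure and schedule it with SQL Agent.
-- Assumptions: the Archer instance database is named ArcherInstanceDB, config_id 1 is the LDAP
-- configuration to re-arm, and a 120-minute interval is comfortably longer than one LDAP Sync run.
USE ArcherInstanceDB;
GO

CREATE OR ALTER PROCEDURE dbo.usp_ForceLdapSyncSoon   -- hypothetical name
    @ldap_config_id INT = 1,
    @minutes_ahead  INT = 2
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @xml varchar(max), @pos int, @oldtime varchar(16), @newtime varchar(16);

    SELECT @xml = data_map_xml FROM tblLDAPConfig WHERE config_id = @ldap_config_id;
    SET @pos = CHARINDEX('TimeOfDay="', @xml);

    -- Fail loudly instead of silently rewriting the wrong bytes: a missing attribute most likely
    -- means the schema changed after an upgrade, which is the risk the thread warns about.
    IF @xml IS NULL OR @pos = 0
        THROW 50001, 'TimeOfDay attribute not found in tblLDAPConfig.data_map_xml; not updating.', 1;

    SET @oldtime = SUBSTRING(@xml, @pos, 16);   -- e.g. TimeOfDay="23:30 (prefix plus hh:mm)
    SET @newtime = 'TimeOfDay="' + CONVERT(varchar(5), DATEADD(MINUTE, @minutes_ahead, GETDATE()), 114);

    UPDATE tblLDAPConfig
       SET data_map_xml = REPLACE(data_map_xml, @oldtime, @newtime)
     WHERE config_id = @ldap_config_id;
END
GO

-- SQL Agent job: runs the procedure every 120 minutes, all day, on the local server.
USE msdb;
GO
EXEC dbo.sp_add_job
    @job_name    = N'Archer - re-arm LDAP Sync',
    @enabled     = 1,
    @description = N'Moves the LDAP Sync TimeOfDay to now+2 min so the sync runs more than once a day.';

EXEC dbo.sp_add_jobstep
    @job_name      = N'Archer - re-arm LDAP Sync',
    @step_name     = N'Re-arm LDAP Sync',
    @subsystem     = N'TSQL',
    @database_name = N'ArcherInstanceDB',
    @command       = N'EXEC dbo.usp_ForceLdapSyncSoon @ldap_config_id = 1, @minutes_ahead = 2;';

EXEC dbo.sp_add_jobschedule
    @job_name             = N'Archer - re-arm LDAP Sync',
    @name                 = N'Every 120 minutes',
    @freq_type            = 4,      -- daily
    @freq_interval        = 1,      -- every day
    @freq_subday_type     = 4,      -- unit: minutes
    @freq_subday_interval = 120,    -- every 120 minutes
    @active_start_time    = 0,
    @active_end_time      = 235959;

EXEC dbo.sp_add_jobserver
    @job_name    = N'Archer - re-arm LDAP Sync',
    @server_name = N'(local)';
GO

-- Direct SQL bypasses Archer's own auditing (as the thread notes), so keep the Agent history
-- as the record of each re-arm: recent outcomes of this job, newest first.
SELECT TOP (20) h.run_date, h.run_time, h.run_status, h.message
  FROM msdb.dbo.sysjobhistory AS h
  JOIN msdb.dbo.sysjobs AS j ON j.job_id = h.job_id
 WHERE j.name = N'Archer - re-arm LDAP Sync' AND h.step_id = 0
 ORDER BY h.run_date DESC, h.run_time DESC;
```

The procedure moves the configured start time rather than triggering the sync directly, so it only works while the Archer job engine is running and is polling tblLDAPConfig; after an Archer upgrade, run the procedure once by hand in a non-production instance and confirm the TimeOfDay attribute is still where the CHARINDEX lookup expects it before re-enabling the job.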
Hi @syedtahir16 - we are trying to do something similar with the auto-creation of the accounts, but it's not working as we hoped. Was there any specific update to the Authentication methods or web.config required in order to get this to work as you described? Thank you in advance.