...

As a best practice, we suggest connecting the UMS with the user accounts of the Active Directory. You maintain the user and group accounts in the Active Directory only. In the UMS, you assign rights to the imported groups.


[Diagram: User Authorization Rules]

Transferring Active Directory groups to the UMS and assigning permissions and roles to them:

Click UMS Administration > Global Configuration > Active Directory / LDAP to integrate your Active Directory.

Info: You may import Administrative Users / UMS administrators from an Active Directory as well as from an LDAP.

In the UMS console, click System > Administrator accounts > Import to import groups from the tree of your Active Directory.

Info: A successful group import cannot be undone. You have to manually delete a wrongly created UMS group in the "Administrator account" management. The name of the imported Active Directory group is taken from the account.

Assigning roles to groups in the IGEL UMS on the basis of authorization rules:

  • Click System > Administrator accounts > Groups > Edit to directly assign general group rights.

  • Assign object-related access rights via object permissions, choosing Access Control in the context menu of any object.


This way, you can assign certain roles to administrators of the UMS according to their group memberships.

Please note:

  • Permissions are inherited from a parent directory to a child directory or to a subordinated object.

  • It is possible to change indirect rights, i.e. rights which are given by group assignment. However, directly assigned rights take precedence over indirectly assigned rights.

  • An administrator can be a member of several groups and receives the rights of each of them. If these rights contradict each other, the denial of a right takes precedence over the permission. A prohibition issued for a group on an action or an object overrides any number of permissions from other groups.

  • Click Effective Rights to get more details about the rules collection, for example whether a permission was given directly, assigned by a group, or inherited within a tree structure.
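
The precedence rules listed above, modelled as a small Python resolver for reviewing a planned rights layout. This is an added illustration, not IGEL UMS code: the `Entry` structure, the paths and the account names are hypothetical. It assumes that an absent entry means no right, that inherited entries weigh the same as entries set on the object itself, and that a prohibition also wins among directly assigned entries.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:
    path: str       # directory or object the entry is set on
    principal: str  # administrator or imported group
    right: str      # e.g. "write"
    allow: bool     # False means the right is prohibited

# Constructed sample data; paths and names are hypothetical.
ACL = [
    Entry("/Devices", "AD-Helpdesk", "write", True),
    Entry("/Devices/Berlin", "AD-Contractors", "write", False),
    Entry("/Devices/Berlin", "alice", "write", True),
]

def ancestors(path):
    """Return the path and each parent directory, nearest first."""
    parts = path.strip("/").split("/")
    return ["/" + "/".join(parts[:i]) for i in range(len(parts), 0, -1)]

def effective_right(entries, admin, groups, path, right):
    """Return (granted, reason) for one administrator on one object."""
    chain = ancestors(path)
    # Inheritance: entries on any parent directory apply to the object.
    hits = [e for e in entries if e.right == right and e.path in chain]
    direct = [e for e in hits if e.principal == admin]
    indirect = [e for e in hits if e.principal in groups]
    # Directly assigned rights take precedence over group-assigned ones.
    for tier, label in ((direct, "direct"), (indirect, "group")):
        if not tier:
            continue
        # One prohibition overrides any number of permissions.
        denies = [e for e in tier if not e.allow]
        winner = (denies or tier)[0]
        origin = ("set here" if winner.path == chain[0]
                  else f"inherited from {winner.path}")
        return winner.allow, f"{label}: {winner.principal}, {origin}"
    return False, "no matching entry"  # assumption: default is no right

if __name__ == "__main__":
    both = {"AD-Helpdesk", "AD-Contractors"}
    for admin, groups in (("alice", both), ("bob", both),
                          ("carol", {"AD-Helpdesk"})):
        print(admin, effective_right(ACL, admin, groups,
                                     "/Devices/Berlin/tc-001", "write"))
```

In the sample, `bob` loses write access because of a single prohibiting group even though another group grants it, which is the case to check for before importing a broad Active Directory group.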