IMOS security integration with Active Directory Groups allows creating new users without leaving Active Directory and having them instantly gain access to IMOS, with permissions assigned based on their Active Directory group membership. Active Directory Groups can be selected as Security Groups to define access rights to reports created in the Report Designer.
Note: Active Directory integration requires an imosLicense.xml that includes imos.activedirectory as a licensed module.
Set up the IMOS Messaging Service as for standard Active Directory use:
- imosshell.exe.config should set auth mode to mixed.
To sync an IMOS group and its membership with an Active Directory Group:
- On the Security List, click and then click New Active Directory Group.
- On the Group tab:
  - Specify the Active Directory Domain.
  - To specify the Active Directory Group:
    - Leave the field blank.
    - Click Check to select from a list of Active Directory Groups. The user the IMOS Auth Service is running as needs to have the appropriate permissions to query Active Directory.
    - In the Group Selection window, select the Active Directory Group.
  - Specify an internal IMOS Group Name; it does not need to match the Active Directory Group Name.
  - You can also enter a Description for the group.
  - To make each user in this group Read-Only, select the check box. Read-Only rights will only count against the read-only user license count, unless the users are also in a Read/Write group.
  - To make each user in this group a Security Administrator, select the check box.
Active Directory Users
All the users in the Active Directory Group are created as IMOS users, with the permissions specified in the Active Directory Group’s Rights tabs.
- You can do the following:
  - View User Properties.
  - Change the IMOS User Name. If it is not changed, it is kept up to date with any changes to the Active Directory name; otherwise it stays as specified.
- Membership, password, email, etc. cannot be edited from within IMOS.
User login is evaluated in real time: when a user attempts to log in with Active Directory, the IMOS Authentication service looks up their group memberships at that moment and determines what rights they have on login to IMOS. In addition, a syncad Scheduled Task can be set up in the Messaging Service to sync all Active Directory users. This maintenance task cleans out users that have been removed from all IMOS Active Directory groups and no longer belong in IMOS.
For more information on Scheduled Tasks, see the IMOS Messaging Service Manual.