Vault should automatically synch with Active Directory domain groups

Currently it seems that when we add and/or modify groups in Active Directory in a Windows domain, we then have to log into Vault and manually update the groups to pick up changes.  This is fine if we explicitly know that folks are being added to the groups, but we DON'T know when folks leave the group (fired, change roles or jobs, etc.).  At a minimum, we should expect Vault to auto synchronize with the AD group on some schedule to pick up changes so that we can remove this burden from our administrator(s).  It becomes a real issue when we have groups with tens or even hundreds of users in the group.

39 Comments
ihayesjr
Community Manager
Status changed to: Under Review

How often do you think Vault should go back to the AD to synchronize?

Anonymous
Not applicable

Once per day would be sufficient; it could even be something as simple as having the ability to set it up on/in the job server. Or, even if a method were exposed in the API, that would be fine too. The goal is simply to provide a means to either automate it or have it baked in so that we don't have to manage it ourselves.

scheel
Advocate

I think that should be configured by the admin. Once a day is better than nothing.

jraym92
Explorer

I also agree, we have Identity Manager Application where any users can go and request access to a role. After it is approved the user is added to the AD group but our Admin does not get notified. The approver has to send an email and then have the Vault Administrator update the groups. This should be automatic and save time and manual steps on a daily basis.

olegd.prod
Autodesk
ihayesjr
Community Manager
Status changed to: Future Consideration
 
cdbussey
Advocate

@ihayesjr 

The link provided by "olegd.prod" can't be used because users are merged into the AD groups. If the checkbox is checked, the added users have to be manually merged back into the domain groups. Please keep in mind that the Vault Admin team is not in any way associated with the "IT" group at our company; they are two separate entities with very different permissions with respect to AD. In the AU chat, you mentioned it is "automatic now"... if it is, I'm not sure how this works, because ours clearly doesn't. Please contact us and possibly allow us to screen share so you can see what we are talking about. We are syncing daily... sometimes 2 or 3 times as users are added & removed from AD. I did post about this a few years ago, but I can't find it. Shawn actually gave some details in that post as well.

ihayesjr
Community Manager

@cdbussey 

You want the changes made to Vault AD Groups pushed back to the domain Active Directory. Would you please correct me if I am wrong? 

This change would require some significant work because Vault would need an account with domain-level privileges and would cause security concerns.

Anonymous
Not applicable

Hi @ihayesjr - I think I can speak for @cdbussey a little here, but welcome his response as well.  We don't want the changes to go back to Active Directory.  We just want Vault to pull the changes FROM Active directory when the groups get updated there.  EX:  We use AD groups to control certain security roles in Vault.  We hire a new employee, new employee gets added to AD groups by the system admins.  But, Vault does NOT automatically reflect that user being added to an 'interesting' group.  The admins (@cdbussey is one of our admins) have to log into Vault once or twice a day and go to the groups and "refresh from Active directory".  We simply want to do away with that, and have Vault update those groups via a process or timer or whatever.  It removes one of the several tasks the admins have to worry about.

 

The inverse of that is that if a user has been removed from AD (retires, moves on, fired, etc.), the AD group gets updated, but we still have an active account in Vault. We want that account to be disabled to reflect the fact that it no longer exists in AD.

 

Not bidirectional, simply "update the Vault account"

 

ihayesjr
Community Manager

@Anonymous 

If you add a new user to the AD group, you do not have to go into Vault and update the group. When the new user logs in for the first time, their Vault account is created and group assignment is done based on their AD group membership.

This is done automatically.

Anonymous
Not applicable

@ihayesjr is this something that is in place in Vault 2019 or later versions?  It has not seemed to work in 2019, but perhaps we have a misconfiguration somewhere.

ihayesjr
Community Manager

@Anonymous

This is not new. It has always worked this way. It isn't anything that you have to configure.

Anonymous
Not applicable

@ihayesjr --> we will do some testing, as if that is working (not doubting you, just need to see it) that handles the new user issue.  It doesn't handle the removal though, these accounts will live on forever as active accounts until we synch, and we would need to see if their absence in the group disables the account or not.  We will return the results of those tests here.  Thank you for the feedback and help thus far!

ihayesjr
Community Manager

@Anonymous 

Yes, it will not disable the account, but it cannot be used since the AD user is not there. So I do understand that it would be good to automatically disable the account. 
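
A workaround for the gap described in this exchange (additions are picked up at first login, but a user removed from the AD group leaves an active Vault account behind), as an added example that is not from the original thread, from Autodesk, or from the Vault product: a PowerShell script meant to run from a daily scheduled task. It snapshots the membership of the AD security groups that are mapped to Vault roles, diffs it against the previous run, and prints the removals as a disable list for the Vault admin. The group names, the snapshot path, the use of nested (recursive) membership and the assumption that the ActiveDirectory RSAT module is installed on the host are all assumptions; the script only reads from AD and does not touch Vault.

```powershell
# Added example (not from the thread or from Autodesk): detect drift in the
# membership of AD security groups that Vault mirrors, and report removals.
# Assumptions: group names, snapshot file location, nested membership counting,
# and that the ActiveDirectory RSAT module is available on the task host.

# Pure comparison: both arguments are hashtables of group name -> string[] of
# SamAccountNames. Kept separate from the AD read so it can be exercised without
# a domain by feeding it constructed snapshots.
function Compare-GroupSnapshot {
    param(
        [Parameter(Mandatory)][hashtable]$Previous,
        [Parameter(Mandatory)][hashtable]$Current
    )
    $changes = @()
    $groups = @($Previous.Keys) + @($Current.Keys) | Sort-Object -Unique
    foreach ($g in $groups) {
        # Missing key means the group was not in that snapshot: treat as empty,
        # not as @($null), which would otherwise produce a bogus "Removed" row.
        $old = if ($Previous.ContainsKey($g)) { @($Previous[$g]) } else { @() }
        $new = if ($Current.ContainsKey($g))  { @($Current[$g]) }  else { @() }
        foreach ($u in ($new | Where-Object { $old -notcontains $_ })) {
            $changes += [pscustomobject]@{ Group = $g; User = $u; Change = 'Added' }
        }
        foreach ($u in ($old | Where-Object { $new -notcontains $_ })) {
            $changes += [pscustomobject]@{ Group = $g; User = $u; Change = 'Removed' }
        }
    }
    return $changes
}

# Live read from AD. -Recursive resolves nested groups so a user two levels down
# still counts as a member; drop it if Vault only honours direct membership.
function Get-GroupSnapshot {
    param([Parameter(Mandatory)][string[]]$GroupName)
    $snap = @{}
    foreach ($g in $GroupName) {
        $snap[$g] = @(Get-ADGroupMember -Identity $g -Recursive |
                      Where-Object objectClass -eq 'user' |
                      Select-Object -ExpandProperty SamAccountName |
                      Sort-Object -Unique)
    }
    return $snap
}

# --- scheduled-task entry point --------------------------------------------
$VaultGroups  = @('Vault-Editors', 'Vault-Admins')        # assumed group names
$SnapshotFile = 'C:\VaultSync\ad-group-snapshot.json'     # assumed path

Import-Module ActiveDirectory
$current = Get-GroupSnapshot -GroupName $VaultGroups

$previous = @{}
if (Test-Path $SnapshotFile) {
    $raw = Get-Content $SnapshotFile -Raw | ConvertFrom-Json
    foreach ($p in $raw.PSObject.Properties) { $previous[$p.Name] = @($p.Value) }
}

$changes = Compare-GroupSnapshot -Previous $previous -Current $current

# Additions need no Vault action: the account is created and placed in the
# group on the user's first login. Removals are what Vault does not act on by
# itself, so those are listed explicitly for the admin to disable.
$removed = $changes | Where-Object Change -eq 'Removed'
if ($removed) {
    "Users removed from Vault-mapped AD groups since last run (disable in Vault):"
    $removed | Format-Table -AutoSize
}
$changes | Where-Object Change -eq 'Added' | Format-Table -AutoSize

# Persist this run as the baseline for the next one.
New-Item -ItemType Directory -Path (Split-Path $SnapshotFile) -Force | Out-Null
$current | ConvertTo-Json -Depth 3 | Set-Content $SnapshotFile
```

Two points worth noting for whoever schedules this. Reading group membership needs no domain-level privilege; by default any authenticated domain account can enumerate group members, so the task can run under an ordinary service account, which avoids the concern raised earlier in the thread about Vault needing privileged domain credentials. And the first run has no baseline, so it reports every current member as "Added" and nothing as "Removed"; only from the second run on does the removal list mean anything, so keep the snapshot file on the task host where only the task account can write it, since a tampered baseline can hide a removal.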

cdbussey
Advocate

@ihayesjr if you are referring to the checkbox that can be checked to create the new user, this creates an account outside of the AD group. There's clearly a difference in what we see, vs what you see. Wouldn't it make sense to have a TEAMS meeting so the information can be viewed by both groups?

ihayesjr
Community Manager

@cdbussey 

Are your Active Directory groups Security Groups or Distribution Groups?

I will connect with you privately to set up a meeting.

cdbussey
Advocate

@ihayesjr 

@Anonymous could speak to that better than me, but I think we are using Active Directory Groups.

Thanks for the reply.

Curtis

curtis.bussey@southernco.com

ihayesjr
Community Manager

@cdbussey 

I mistyped my original question.

Are you using Active Directory Security Groups or Active Directory Distribution Groups?

cdbussey
Advocate

Active Directory Security Groups, both global and universal scope...(per Lynn Bennet)

grzjoh18
Advocate

Hello, an automatic update would be a great benefit! From my personal perspective, I guess one update a day is enough.
Or let me schedule this synchronization by a custom time setting?
