Foresight Analytics Platform uses information from the domain directory service or the global directory to work with domain security subjects.
To connect a domain group of users in the Groups section:
In the desktop application:
Select the Groups > Add Domain Group main menu item.
Select the Add Domain Group context menu item.
In the web application:
Select the Add Domain Group item from the drop-down menu of the Create toolbar button.
NOTE. Connecting a domain group is available to users who hold the Changing User Permissions, Distributing Roles, Changing Policy privilege only in the desktop application, if the repository is based on Microsoft SQL Server DBMS. Repositories based on Oracle DBMS require advanced settings, including a special mechanism of domain user authorization. If role separation mode is enabled, the menu items are available only to the information security administrator.
After the operation is executed, a dialog box for selecting domain groups opens in the desktop and web applications.
For details on working with the domain user group selection dialog boxes, see the Selecting Users and Groups section.
NOTE. When a domain user group is being selected, the Subject Type and Arrangement radio buttons are not available in the dialog boxes.
Select the required groups of users and click the OK button, after which the account creation dialog box opens.
NOTE. This dialog box is unavailable for the groups already created in the repository.
When the Create on DB Server checkbox is selected, the group to be added is created on the database server, and the system requests the credentials of a user who has permissions to create users. This checkbox is deselected by default.
When the Grant Rights on DBMS Level checkbox is selected, permissions for the added group are distributed at the database level, and the system requests the credentials of a user who has permissions to create tables.
Select the Apply in All Similar Cases checkbox to perform the selected actions for all domain groups to be updated in the repository without further prompts. This checkbox is selected by default.
NOTE. When integrated domain authentication is used (this is determined in the repository settings), adding a domain group allows all users of this group to use the privileges assigned to the group. The users do not need to be created in Foresight Analytics Platform or on the server.
When working with a repository based on Oracle DBMS, a special mechanism is used to authorize domain users who are not added in the security manager. This mechanism uses domain groups with configured security levels. To enable adding domain groups in the security manager of a repository based on Oracle DBMS, execute the following operations:
Enable role separation mode between the information security administrator and the application administrator.
Enable level-based access control.
Enable compatibility mode to work with domain groups in Oracle DBMS by means of the Fore language.
After this, domain groups can be connected in the security manager. After a domain group is added in the security manager, the Oracle DBMS role can be determined for it. This setting enables a group to be associated with any role created on the Oracle server. By default, the domain group name is used as the role value. When a domain user who is not in the repository security manager connects, the system checks whether this user is included in the domain groups that are connected in the security manager. If the user is included in any domain group, the role set for the group is checked against the roles created on the DBMS server. If the server contains the specified role, the user is connected according to the security level set for the group. Otherwise, an error message appears.
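The decision sequence described above can be modeled as a pre-deployment check. This is an added example, not Foresight Analytics Platform code or Fore code. The group names, role names, security levels, exact-name role matching and the handling of a user who belongs to several connected groups are all assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class DomainGroup:
    name: str                           # domain group connected in the security manager
    security_level: str                 # security level configured for the group
    oracle_role: Optional[str] = None   # unset: the group name is used as the role

    @property
    def role(self) -> str:
        return self.oracle_role or self.name

def missing_roles(groups, server_roles):
    """Connected groups whose role does not exist on the DBMS server."""
    return sorted(g.name for g in groups if g.role not in server_roles)

def authorize(user, manager_users, groups, memberships, server_roles):
    """Return (outcome, security_levels) for a connecting domain user."""
    if user in manager_users:
        return ("regular", [])          # user is in the security manager: other path
    mine = [g for g in groups if g.name in memberships.get(user, set())]
    if not mine:                        # assumption: treated as the error case
        return ("error: not in a connected domain group", [])
    usable = [g for g in mine if g.role in server_roles]
    if not usable:
        return ("error: role missing on server", [])
    # Assumption: the page does not say how several matching groups are resolved,
    # so every applicable level is reported for review instead of picking one.
    return ("connect", sorted({g.security_level for g in usable}))

# Constructed sample data (not from a real repository or directory).
GROUPS = [
    DomainGroup("CORP\\Analysts", "Confidential", oracle_role="FAP_ANALYSTS"),
    DomainGroup("CORP\\Auditors", "Secret"),            # role defaults to group name
    DomainGroup("CORP\\Interns", "Public", oracle_role="FAP_INTERNS"),
]
SERVER_ROLES = {"FAP_ANALYSTS", "FAP_INTERNS"}
MEMBERS = {
    "alice": {"CORP\\Analysts"},
    "bob": {"CORP\\Auditors"},
    "carol": {"CORP\\Analysts", "CORP\\Interns"},
    "dave": {"CORP\\Helpdesk"},
}

if __name__ == "__main__":
    print("groups with no matching server role:", missing_roles(GROUPS, SERVER_ROLES))
    for u in ("alice", "bob", "carol", "dave", "erin"):
        print(u, authorize(u, {"erin"}, GROUPS, MEMBERS, SERVER_ROLES))
```

Running `missing_roles` before rollout shows which connected groups would produce the error message for every member, here the group left on the default role name with no matching server role.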
See also:
Creating Groups of Users and Working with Them | Creating and Editing Group of Users