You can activate a schedule which will scan the Active Directory for new users who currently have no access in Nathean Analytics and create those new users in Nathean Analytics. It is based up using the Nathean Schedule Service to scan the Active Directory for eligible users and creating a new account Nathean Analytics when it finds new target users.
There are two parts to the integration, the first relates to creating an account in Nathean Analytics for uses in the active directory and the second for giving them data, views and report access.
For account creation, the service looks for any AD users who are a member of ADUserGroup and uses this as a target list of users to set up in Nathean Analytics. The service creates them in Nathean Analytics and added them to the ADDomainGroupAuthenticate and sets the authentication on that Nathean Analytics account to that group.
For permissions, the service scans the Active Directory and get a list of all the users’s groups membership. It then looks through the Nathean Analytics groups list and matches them by name. For those which match, it adds the Nathean Analytics user to those matching Nathean Analytics groups and therefore they get the permissions defined for those groups.
This is achieved by configuring the Nathean Schedule Service Windows Service and configuring a schedule in Nathean Analytics.
1 Configuring the Nathean Schedule Service Windows Service
The following Keys must be added to the Nathean Schedule Service.config file and the Nathean Analytics web.config
<add key="ADUserGroup" value=""/>
<add key="ADDomainName" value=""/>
<add key="ADDomainUser" value=""/>
<add key="ADDomainUserPassword" value=""/>
<add key="ADDomainMachineName" value=""/>
<add key="ADContainer" value=""/>
<add key="ADDomainGroupAuthenticate" value=""/>
<add key="ADTimeoutPeriod" value=""/>
<add key="APIServerURL" value=""/>
<add key="ServiceUserToken" value=""/>
ADUserGroup – This is the name of the group in the Active Directory for controlling which users have access to Nathean Analytics. So sites who wish to limit the membership to Nathean Analytics use a specific Domain Group and only allocate the group to those users who should have access to Nathean Analytics. For sites which wish to give access to all users in the domain, use a group name like “EveryOne” or some other group in the domain which all users would have membership of. This does not control data access within Nathean Analytics, it is simply the source of the target users.
ADDomainName The fully qualified name of the AD domain eg NATDOM.LOCAL.
The Nathean Schedule Service Windows Service must log onto the AD domain in order to get access to the list of domain members. The credentials provided must have AD querying permissions.
ADDomainUser is the fully qualified domain user name eg NATDOM.LOCAL\ADIntegrationUser
ADDomainPassword is the password for that above user.
ADDomainMachineName is an LDAP compliant server which the service can use to query the AD. This is normally the machine name as listed in the DNS.
ADDomainGroupAuthenticate is the group name within Nathean Analytics which is used for the Authentication group in Nathean Analytics. By allocating data/view and report permissions to this group you can give all users access to shared views/reports etc.
ADContainer is the container on the AD which is to operate as the root for the search for user accounts and is the distinguished name of the container object.
ADTimeoutPeriod is the number of minutes between each activation of the AD scan process.
APIServerURL is the url of the Nathean Analytics api eg http://logixserver.domain.com/api
ServiceUserToken is a valid userToken for a Nathean Analytics user who have permissions to edit the user modules. You can use the API\Login call to generated a new token.
2 Configuring a schedule in Nathean Analytics
Make sure that the Schedule is named “Active Directory”. The frequency of the schedule does not control the frequency of the AD scan. This is done by the key value “ADTimeoutPeriod”.
After this, the service will activate on the “ADTimeoutPeriod” or by using the “Run Now” feature on the schedule page in Nathean Analytics
The log files for Nathean Schedule Service Windows Service can be used for debugging the service to see if all it operating correctly.
Note, we recommend extensive testing to ensure that the service is creating the new accounts in Nathean Analytics that that those accounts only have access to the data they require.
Preexisting accounts will remain untouched only if they are not in the Active Directory. If those preexisting accounts do exist in the Active Directory, the service will start managing them too and alter their group membership based upon what is defined in the Active Directory and will overwrite the preexisting account group membership.