Question

Repository Users, Windows Users, and Linked Trustees

asked on February 13, 2019

At Empower I thought I understood users but.... Our previous admin created Repository Users and Windows Accounts and then apparently linked them:

Repository User:

Windows Account:

There are no privileges or feature rights on the Windows Account but they are enabled on the repository user.

We have everyone log in using their Windows AD account.

I would love some input on this.

Is this right?

0 0

Replies

replied on February 13, 2019

There's a lot of ways to do this, but we don't have many repository users in our configuration.

We have Repository Groups for permissions, but with Windows Authentication there is no real need to create a separate Repository user for each person unless you really want to get rid of the domain part of the username.

Honestly, linking every AD account to a repository user is just going to make maintenance a lot harder because you'll need to create a new user whenever you get new employees; with Windows accounts you can put them in an AD group, link the AD group to the Repository Group, and then everything can be handled in AD without having to update LF every time.

1 0
replied on February 13, 2019

Hi David,

The ability to link repository users with Windows accounts in this way is actually a legacy setup that I would not recommend. It was useful back before there was true direct support of AD users, but that hasn't been necessary for a while and it's there just for backwards compatibility at this point. The user scenario basically keeps all of the rights and security definition on the repository user, and simply enables basic Windows for sign-in. Note that this is only in reference to individual repository USERS linked to Windows accounts; affiliating Windows accounts with repository GROUPS is a common and recommended practice for role-based security.

I would recommend approaching this as Jason mentioned above where you interact directly with the AD users, or - better yet - AD or Laserfiche groups. 

1 0
replied on February 21, 2019

Hi,

Thank you for the answer.  Sorry I am late to respond. I hope you can add a little more information.

If we got rid of our repository users and went to all AD users, and an AD user was deleted, would the creator information retain the name or would it have the anonymous UID of the deleted user?

Thanks,

Dave

0 0
replied on February 21, 2019

In our environment, the "created by" attribute retains the "domain\account" information even after they are deleted from AD.

The only place I can recall seeing their SID instead is on the Windows Accounts section of the admin console.

I believe things like "created by" are stored values, not referenced, so that in situations like this you do not lose the value.

0 0
replied on February 22, 2019

Thanks for taking time on this.  My VAR weighed in with this: "If the account is a normal LF account with a domain user attached to it, then disable the account and do not delete it. There can be “created by” field ramifications when deleting an account."

I will try to do some tests and see what I get. I'll post my results as a follow-up.

Thanks again for your answers!

0 0
replied on February 13, 2019

Hi Jason,

Thanks for this. I agree with you. I don't know why this was configured this way and would like to do as you suggest. I just need to look at how best to undo it... :)

Thanks!

0 0