Question

How to properly apply Access Rights to Laserfiche Groups with AD group synchronization.

asked on October 10, 2014

Recently we upgraded to Rio, and we now have the LF License Manager Administrator Console set up for Active Directory Group Synchronization.

From our AD server, we pulled in 8 departmental groups.

Then in LF Admin Console, we created 8 LF groups, one for each AD departmental group that we synched. Our Laserfiche vendor explained that the reason it was done this way was to allow us to use the LF groups as containers for the AD groups, that way we can add individuals from other departments to any of the container groups. This makes sense to me.

What does not make sense to me is the way our Access Rights are set up for these groups. When I check Access Rights on most of the folders in our repository, I see both group types (i.e. AD group "X" and the container group for that AD group with the same Access Rights). This seems redundant to me.

If we're using the LF groups as container groups, shouldn't we just have access rights applied to the container groups? I've tested this for one folder in my repository with one AD/LF group, and it worked as expected. So I think I just have some Access Rights housekeeping to do on my repository now. Does that sound right?

Thanks

0 0

Replies

replied on October 10, 2014

Basically, they are interchangeable. You can set anything on LF Groups, AD Groups, or both. If you set them on both, permission sharing will apply for the specific users. The gain of using AD Groups is you don't have to manually add them; the gain of using LF Groups is that you have more flexibility than what your AD environment might offer you. For example, you could make one LF Group combining multiple AD Groups.

One approach I've done in the past is using AD groups for department access and LF groups for roles. So I set up access to department-specific folders (marketing, sales, etc.) based on AD groups, but then specific users are also placed in role groups (scanners, power users, admins, etc.). The combination of the two gives you the intersection of departmental access in the folder tree and what you can do while you are there. I've found this often makes management much simpler, especially when roles change - you just add or move that user from one role to the other.

1 0
replied on October 10, 2014

That sounds correct to me.

If you're using local groups as a container for AD groups and users, then there isn't a need to have any Access Rights assigned to the AD accounts. You can remove all the AD references if they're in a local container and it shouldn't cause any issue.

0 0
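A pre-cleanup check for the housekeeping discussed above, as an added example that is not part of the original thread and does not use any Laserfiche API or export format: it flags which AD-group entries are fully covered by a container group on the same folder and which would lose rights if removed. The group names, folder paths, right labels and the row layout are constructed for illustration, and only additive allow rights set directly on a folder are modelled (no deny entries, no inheritance).

```python
# Added example: constructed data, not a Laserfiche export format or API.
from collections import defaultdict

# Container LF group -> AD groups synchronized into it (constructed names).
CONTAINERS = {
    "LF_HR": {"AD\\HR"},
    "LF_Finance": {"AD\\Finance"},
}

# (folder, trustee, allowed rights) rows, e.g. transcribed from the
# Access Rights dialog. Right labels are illustrative.
ACL = [
    ("\\HR", "AD\\HR", {"Browse", "Read"}),
    ("\\HR", "LF_HR", {"Browse", "Read"}),
    ("\\HR\\Payroll", "AD\\HR", {"Browse", "Read", "Write"}),
    ("\\HR\\Payroll", "LF_HR", {"Browse", "Read"}),
    ("\\Finance", "AD\\Finance", {"Browse", "Read"}),
]


def audit(acl, containers):
    """Classify every entry whose trustee is not a container group.

    Returns {(folder, trustee): (status, rights_lost_if_removed)}:
    'redundant' - a container holding the group grants at least the same rights
    'narrower'  - a container entry exists but lacks some of the rights
    'sole'      - no container entry on that folder; removal drops all access
    """
    by_folder = defaultdict(dict)
    for folder, trustee, rights in acl:
        by_folder[folder][trustee] = set(rights)

    report = {}
    for folder, entries in by_folder.items():
        for trustee, rights in entries.items():
            if trustee in containers:
                continue  # container entries are the ones being kept
            parents = [c for c, members in containers.items()
                       if trustee in members and c in entries]
            if not parents:
                report[(folder, trustee)] = ("sole", rights)
                continue
            # Grants are additive across groups, so union the containers' rights.
            covered = set().union(*(entries[c] for c in parents))
            lost = rights - covered
            report[(folder, trustee)] = ("narrower" if lost else "redundant", lost)
    return report


if __name__ == "__main__":
    for (folder, group), (status, lost) in sorted(audit(ACL, CONTAINERS).items()):
        print(f"{folder:14} {group:12} {status:10} {sorted(lost)}")
```

Only entries reported as `redundant` can be removed without changing effective access; `narrower` and `sole` entries need the container group's rights fixed first.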
replied on October 10, 2014

Also a follow-up thought.

What we've started doing with some clients in the RIO platform is creating Laserfiche-specific AD groups, such as "LF_HumanResources", to use as the Laserfiche container; that way we could add users that may not belong in the traditional HR group.

We'd then have those sync in the License Manager; that way onboarding of a new employee or changing of roles for existing employees could be 100% controlled via AD. No need to ever open Laserfiche Admin console for the allocation of licenses or security rights.

0 0
replied on October 10, 2014

Thanks!

0 0
replied on October 13, 2014

Ramsey and Justin, thanks for both of your responses.

We are also using LF groups that mirror our AD departmental groups as containers. At this point we are not using role-based groups because most users have the same needs, but I think that will be very useful to incorporate as more personnel are accessing the repository.

0 0