The following describes how Microsoft Active Directory users and groups are synchronized with FileHold users and groups. This article applies to customers who use the optional Active Directory integration module and have set it up with the help of FileHold support. It is meant for experienced Active Directory administrators who wish to make it easier for FileHold Library administrators to manage the system effectively, especially with larger numbers of users.
Active Directory in the Document Management System
Instead of importing individual users from Active Directory on a continual basis, it is recommended to create a specific Active Directory administration group that corresponds to a specific FileHold group and role in FileHold. Repeating this for each FileHold group then provides a complete process.
Document management software security is based on Cabinet, Folder and Document schema / type permissions. These 3 areas are required for users to access documents. By using FileHold group membership in these 3 areas, you can reduce administration overhead.
For example, if you create FileHold-specific groups in Active Directory:
The FileHold Active Directory groups each have a corresponding FileHold group that includes the Active Directory group as a member:
If you look at the properties of the FileHold groups, you can see that the Active Directory objects make up the membership. This way the membership of each Active Directory group can be reflected or synchronized down to its corresponding FileHold group. Users can belong to multiple FileHold groups.
The Active Directory groups that are synchronized into FileHold are listed in the System Administrator > Users area. They are disabled because a group cannot log in; they are synchronized objects that merge in the users from Active Directory.
- If you open the Properties of one of the Active Directory group "users", you can join an Active Directory group synchronization object to multiple FileHold groups/roles.
- You can have a one-to-one group relationship or a one-to-many group relationship.
The member list of the Active Directory group synchronization object is 100% determined by the Active Directory group membership.
Each hour a scheduled task merges the users and groups from Active Directory into FileHold. The task can also be run manually if a user needs immediate access to the document management software. Remember that Active Directory may not have finished replicating the change(s) made in AD, so it may take some time before FileHold can see the change in Active Directory and synchronize it into FileHold.
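
The following is an added illustration, not FileHold code: a small model of the merge that derives FileHold group membership only from Active Directory group membership, then lists which access an AD edit grants or revokes at the next merge. All group names, user names and the mapping table are constructed for the example.

```python
"""Model of AD-driven FileHold group membership (illustrative only)."""

# Constructed sample: AD group -> members, as Active Directory would report them.
AD_GROUPS = {
    "FH-Finance-Readers": {"alice", "bob"},
    "FH-Finance-Publishers": {"carol"},
    "FH-HR-Readers": {"alice", "dave"},
}

# Constructed mapping: AD group synchronization object -> FileHold groups it
# has been joined to. One-to-one and one-to-many are both shown.
MAPPING = {
    "FH-Finance-Readers": ["Finance Read Only"],
    "FH-Finance-Publishers": ["Finance Publishers", "Finance Read Only"],
    "FH-HR-Readers": ["HR Read Only"],
}


def resolve(ad_groups, mapping):
    """Return {filehold_group: set(users)} derived only from AD membership."""
    result = {}
    for ad_group, fh_groups in mapping.items():
        members = ad_groups.get(ad_group, set())
        for fh_group in fh_groups:
            result.setdefault(fh_group, set()).update(members)
    return result


def merge_delta(before, after):
    """List (user, filehold_group, action) changes between two merges."""
    changes = []
    for fh_group in sorted(set(before) | set(after)):
        old, new = before.get(fh_group, set()), after.get(fh_group, set())
        changes += [(u, fh_group, "granted") for u in sorted(new - old)]
        changes += [(u, fh_group, "revoked") for u in sorted(old - new)]
    return changes


def simulate(edits):
    """Apply (ad_group, user, 'add'|'remove') edits and return the delta."""
    edited = {g: set(m) for g, m in AD_GROUPS.items()}
    for ad_group, user, op in edits:
        (edited[ad_group].add if op == "add" else edited[ad_group].discard)(user)
    return merge_delta(resolve(AD_GROUPS, MAPPING), resolve(edited, MAPPING))


if __name__ == "__main__":
    for row in simulate([("FH-Finance-Publishers", "bob", "add"),
                         ("FH-HR-Readers", "dave", "remove")]):
        print(row)
```

Because one synchronization object can feed several FileHold groups, removing a user from a single AD group revokes nothing if another mapped AD group still supplies the same FileHold group, so review every AD group that maps to a FileHold group before assuming access is gone.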