Sign in

Introducing

Ideagen Community

Introducing

Ideagen Community

Articles in this section

  1. Q-Pulse
  2. Q-Pulse Windows
  3. Admin Guide
  4. Permissions & Security

How to Integrate Q-Pulse Groups with Active Directory Groups

Alan Blair
  • Updated
Follow
Who is this article for?

 Q-Pulse Administrators configuring user access.

 Administration module access is needed.

Q-Pulse security is based around the permissions that can be added directly, via a group or inherited based on the users relationship to the record (i.e. dynamic access).

Security groups can be linked to Active Directory groups, meaning that end users will gain Q-Pulse Group access based on their Active Directory membership. This allows access to be controlled as users move throughout your organisation.

Example: Joe Bloggs works on the factory floor and so is a member of the Floor Staff active directory group. This gives him access to the appropriate Q-Pulse groups for his role. Joe is promoted to a management role and as his active directory membership his Q-Pulse access is automatically updated as well.

This article outlines:

  1. Limitations of AD Group Integration
  2. How to Associate a Q-Pulse Group with an AD Group
  3. How to Troubleshoot Integration Issues
  4. Further Reading

1. Limitations of AD Group Integration

Before configuring integration, please be aware that permissions granted through integration will not be displayed through the view effective permissions screen. Users may appear to have no permissions assigned when in reality they are obtaining access through Active Directory integration
Important Note: Q-Pulse does not automatically update permissions inherited due to AD group integration. For example, if a user is a member of the Accounts group in AD that's associated with the Accounts group in Q-Pulse, the user inherits permissions from the Accounts Q-Pulse group. However, if the user is removed from the Accounts group in AD, the user does not automatically or seamlessly lose the permissions previously inherited. The same logic applies when users are added to groups in AD. They do not automatically inherit the permissions. To force a refresh of the permissions please have your IT Team re-start the Q-Pulse Server Service on the application server.
To refresh permissions that should or shouldn't be inherited due to integration, the Q-Pulse Server service on the application server can be restarted by IT at a time when all users are logged out of Q-Pulse.
 
An alternate solution is to edit and save the details of a group in the Groups area of the Administration module. For example, if a user has been removed the Accounts group in AD, changing and saving the Description field of the Accounts group in Q-Pulse will remove the inherited permissions from the user.
 
Only one AD group can be assigned with a Q-Pulse static group. If more than one AD groups require the same access then multiple Q-Pulse static groups will need to be configured to control this access.

2. How to Associate a Q-Pulse Group with an AD Group

  1. Open the Administration module.
  2. Browse to Settings and Defaults.
  3. Under Authentication, click Edit.
  4. Navigate to Active Directory Group Integration as shown in the image below.
  5. Enable the "association of Q-Pulse security groups to Active Directory groups" option.
mceclip0.png
  1. Click OK.
  2. Go to Security, then to Groups.
  3. Double click on the group you would like to associate.
  4. In the Group Details Form screen, enter the name of the AD group into the Associated Active Directory Group field.
The example below shows the Documents (Full Access) group associated with the Support group stored in AD.
 
mceclip1.png
  1. Click OK.

3. How to Troubleshoot Integration Issues

For integration to work, the Q Pulse Server service running on the application server must be able to connect to AD to determine group membership of users. Below are some points to review if integration isn't working.

  • The application server must be a member of the domain.
  • The Q-Pulse Server service must be running under the context of an account with the required AD access rights. This account must be able to read the values stored within users' memberOf attributes.
  • The correct AD group name must be entered into the Associated Active Directory Group field. This field must contain a group's cn (Common Name) attribute value as shown in AD. 
  • Firewalls may block communication between the application server and one or more of your domain controllers. When integration is determining AD group memberships, it queries membership information from AD using LDAP over port 389 by default. This port must not be blocked.

4. Further Reading

Article Comments

0 comments