Who is this article for?
Q-Pulse Administrators configuring user access.
Administration module access is needed.
Q-Pulse security is based on permissions that can be added directly, granted via a group, or inherited based on the user's relationship to the record (i.e. dynamic access).
Security groups can be linked to Active Directory groups, meaning that end users will gain Q-Pulse Group access based on their Active Directory membership. This allows access to be controlled as users move throughout your organisation.
Example: Joe Bloggs works on the factory floor and so is a member of the Floor Staff Active Directory group. This gives him access to the appropriate Q-Pulse groups for his role. Joe is promoted to a management role and, as his Active Directory membership changes, his Q-Pulse access is automatically updated as well.
This article outlines:
- Limitations of AD Group Integration
- How to Associate a Q-Pulse Group with an AD Group
- How to Troubleshoot Integration Issues
- Further Reading
1. Limitations of AD Group Integration
Before configuring integration, please be aware that permissions granted through integration will not be displayed through the view effective permissions screen. Users may appear to have no permissions assigned when in reality they are obtaining access through Active Directory integration.
Important Note: Q-Pulse does not automatically update permissions inherited due to AD group integration. For example, if a user is a member of the Accounts group in AD that's associated with the Accounts group in Q-Pulse, the user inherits permissions from the Accounts Q-Pulse group. However, if the user is removed from the Accounts group in AD, the user does not automatically or seamlessly lose the permissions previously inherited. The same logic applies when users are added to groups in AD: they do not automatically inherit the permissions. To force a refresh of permissions that should or shouldn't be inherited due to integration, have your IT team restart the Q-Pulse Server service on the application server at a time when all users are logged out of Q-Pulse.
2. How to Associate a Q-Pulse Group with an AD Group
- Open the Administration module.
- Browse to Settings and Defaults.
- Under Authentication, click Edit.
- Navigate to Active Directory Group Integration as shown in the image below.
- Enable the "association of Q-Pulse security groups to Active Directory groups" option.
- Click OK.
- Go to Security, then to Groups.
- Double click on the group you would like to associate.
- In the Group Details Form screen, enter the name of the AD group into the Associated Active Directory Group field.
- Click OK.
3. How to Troubleshoot Integration Issues
For integration to work, the Q-Pulse Server service running on the application server must be able to connect to AD to determine the group membership of users. Below are some points to review if integration isn't working.
- The application server must be a member of the domain.
- The Q-Pulse Server service must be running under the context of an account with the required AD access rights. This account must be able to read the values stored within users' memberOf attributes.
- The correct AD group name must be entered into the Associated Active Directory Group field. This field must contain a group's cn (Common Name) attribute value as shown in AD.
- Firewalls may block communication between the application server and one or more of your domain controllers. When integration is determining AD group memberships, it queries membership information from AD using LDAP over port 389 by default. This port must not be blocked.
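The checks above can be run as one diagnostic pass. The following PowerShell script is an added example, not vendor-supplied code. The service display-name pattern, the sample logon name `jbloggs` and the parameter names are assumptions; the group name is taken from the example earlier in this article.

```powershell
# Added example (not vendor code). Run on the Q-Pulse application server, ideally
# as the account the Q-Pulse Server service runs under, so reads use its rights.
param(
    [string]$GroupCn = 'Floor Staff',   # value entered in Associated Active Directory Group
    [string]$UserSam = 'jbloggs',       # constructed sample logon name
    [string]$ServiceDisplayName = '*Q-Pulse Server*'  # assumed display-name pattern
)

# Escape LDAP filter metacharacters (RFC 4515) so names containing ( ) * \ search safely.
function ConvertTo-LdapFilterValue([string]$Value) {
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

# 1. The application server must be a member of the domain.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
"Domain joined : $($cs.PartOfDomain) ($($cs.Domain))"

# 2. Which account does the service run as?
Get-CimInstance -ClassName Win32_Service |
    Where-Object DisplayName -like $ServiceDisplayName |
    ForEach-Object { "Service       : $($_.DisplayName) runs as $($_.StartName) [$($_.State)]" }

# 3. Is LDAP (TCP 389) reachable on every domain controller?
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
foreach ($dc in $domain.DomainControllers) {
    $r = Test-NetConnection -ComputerName $dc.Name -Port 389 -WarningAction SilentlyContinue
    "LDAP 389      : $($dc.Name) reachable = $($r.TcpTestSucceeded)"
}

# 4. Does exactly one group carry this cn? Zero means a wrong name; more than one is ambiguous.
$groups = ([adsisearcher]"(&(objectCategory=group)(cn=$(ConvertTo-LdapFilterValue $GroupCn)))").FindAll()
$groupDns = @($groups | ForEach-Object { $_.Properties['distinguishedname'][0] })
"Groups with cn: $($groupDns.Count)  $($groupDns -join ' | ')"

# 5. Can the current account read the user's memberOf, and does it list the group?
#    memberOf omits the primary group and nested memberships, so False is not conclusive.
$u = ([adsisearcher]"(&(objectCategory=person)(sAMAccountName=$(ConvertTo-LdapFilterValue $UserSam)))").FindOne()
if (-not $u) { "User          : $UserSam not found"; return }
$memberOf = if ($u.Properties.Contains('memberof')) { @($u.Properties['memberof']) } else { @() }
"memberOf read : $($memberOf.Count) value(s)"
"Direct member : $([bool]($memberOf | Where-Object { $groupDns -contains $_ }))"
```

Steps 4 and 5 query AD with the rights of whoever runs the script, so a result obtained as an administrator does not prove the service account can read memberOf.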