Azure Active Directory
  • 03 Oct 2022

Introduction

This article describes the user management capabilities in Business Applications for a Serverless360 account with Azure Active Directory authentication.

Add user or group

Users with the Account owner or Owner role can add new users and AD groups to Business Activity Monitoring (hereafter referred to as "product") using the Add user and Add group options in the Users tab of the User management section of the product.

Add user in AD.png

  • The first 500 users/groups from the corresponding Azure Active Directory will be listed, and users can make use of the "Load more" option to load the next set of users/groups.
  • For Active Directory users, the retrieved list can be filtered by User principal name using the filter option provided above the user list. If no user is found in the retrieved list, the same filter can be run directly against the Active Directory, which lists the matching users from the directory.
  • For Active Directory groups, the retrieved list can be filtered by group name using the filter option provided above the group list. If no group is found in the retrieved list, the same filter can be run directly against the Active Directory, which lists the matching groups from the directory.

Role assignment

Users can be assigned roles in either of two ways:

1. Direct role assignment
2. Specified access

  • Direct role assignment refers to the assignment of a role to a user/group, which will be applicable for the entire product. For instance, assigning a direct role like 'Reader' for a user/group means that the user/group has complete read access to all the Business Application groups and applications in the product.

Direct role assignment.png

Owner role cannot be assigned to AD groups.

  • Specified access refers to assigning different roles on different product-specific areas. For instance, if an organisation has three Business Application groups for its three environments, such as Production, Staging, and Development, a user like a contractor or an AD group with guest users cannot be given even 'Reader' access to the Production application. In such cases, the user/group can be assigned Specified access by choosing only the Business Application groups and/or applications that the user/group can see, and assigning a role for each chosen Business Application group/application, which determines what the user/group members can do inside that Business Application group/application.

Add AD user.gif

While specifying custom permissions, the permissions are granted hierarchically. This means that if a Business Application group is chosen, all its child groups and applications are chosen automatically. The same applies when a role is assigned to the selected parent group: the child groups and applications inherit it.

Users/groups who are already added to Serverless360 (members of other Serverless360 products, or users/groups that have no product permission at all) are available to be added from the Existing user and Existing group tabs of the Add user and Add group options respectively.

Existing user.png

Manage role assignments of users and groups

Managing role assignments of users/groups in the product can be done using several options:

  • An individual user or group's role assignments can be managed using the Edit permission option in the Actions column under the Users tab in the User management section of the product.

Edit permission AD 1.gif

  • User/group role assignments can be edited in bulk by selecting the users/groups and clicking the Edit permission option under the Users tab in the User management section of the product.

Edit permission AD 2.gif

  • User/group role assignments for a Business Application group can be managed using the Users option in the context menu of the tree view.

Edit permission AD 3.gif

  • User/group role assignments for a Business Application can be managed using the Users option in the context menu of the tree view or using the View all option under the Users details in the overview section of the Business Application.

Edit permission AD 4.gif

Only users/groups with direct access to a Business Application/Group can have their access revoked from that Business Application/Group's Users widget; access inherited through a parent group or through Specified access cannot be revoked there.

Remove user or group

Account owners or owners of the product can remove any existing user/group by selecting the Remove user/group option in the Actions column, or by selecting the required users and groups and bulk removing them using the Remove option above the users list.

Remove user.gif

A user/group removed from a product still exists in Serverless360's directory. Account owners can remove users/groups completely from Serverless360 by navigating to Settings -> Users and choosing the Remove user/group option.

Permission evaluation

  • When an Active Directory user is added directly as a member of Serverless360, permissions are evaluated against the roles assigned to that user during user operations. If that user is also a member of an AD group that has been added to Serverless360, the group's permissions are not evaluated, because the direct user membership in Serverless360 takes precedence.

  • However, when a user signs in as a member of an AD group, i.e., this user is not added to Serverless360 directly, but the AD group that this user is a member of is added, the permissions of that user are checked against the roles assigned to that group during user operations. When a user belongs to multiple added groups, the effective permissions are determined by comparing the roles of all those groups.

  • The same is true when a user signs in as an owner of an AD group, i.e., this user is not added to Serverless360 directly, but the AD group that this user is a direct owner of is added.

Although Serverless360 supports direct owners of AD groups, the recommended method of AD group management in Serverless360 is to rely on AD group membership, with group owners also being members of the groups they own.

Additional information

  • AD group authentication is transitive: if a parent group is added to Serverless360, all child groups at every nested level of that group are authenticated, even if those child groups are not themselves added to Serverless360.

  • Child groups can, however, be added separately if the users of different groups require different permissions based on business needs.
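The precedence rules from the Permission evaluation section (direct user assignment wins, otherwise the highest role across all added groups the user belongs to or directly owns) together with the transitive group behaviour described above, as an added Python illustration that is not part of Serverless360 or this article. The Directory class, the sample tenant and the "Contributor" role with its ranking are assumptions made for the example.

```python
from dataclasses import dataclass

# Assumed role ranking; the page names only Reader and Owner, and
# "Contributor" is a hypothetical middle role added for illustration.
ROLE_RANK = {"Reader": 1, "Contributor": 2, "Owner": 3}

@dataclass
class Directory:
    """Constructed stand-in for an Azure AD tenant."""
    members: dict  # group -> set of direct members (users or nested groups)
    owners: dict   # group -> set of direct owner users

    def transitive_groups(self, principal):
        """Groups containing `principal` directly or through nested groups."""
        found, frontier = set(), {principal}
        while frontier:
            nxt = {g for g, m in self.members.items()
                   if g not in found and frontier & m}
            found |= nxt
            frontier = nxt
        return found

def effective_role(user, directory, user_roles, group_roles):
    """Resolve the role applied to `user` following the page's precedence rules.
    user_roles:  users added directly to Serverless360 -> assigned role
    group_roles: AD groups added to Serverless360 -> assigned role"""
    if "Owner" in group_roles.values():
        raise ValueError("Owner role cannot be assigned to AD groups")
    if user in user_roles:  # direct membership wins; group roles are ignored
        return user_roles[user]
    roles = [group_roles[g] for g in directory.transitive_groups(user)
             if g in group_roles]                      # transitive members
    roles += [group_roles[g] for g, own in directory.owners.items()
              if user in own and g in group_roles]    # direct owners
    # Member of several added groups: the highest-ranked role applies.
    return max(roles, key=ROLE_RANK.__getitem__) if roles else None

# Constructed sample tenant: OpsChild is nested inside Ops, not added itself.
DIRECTORY = Directory(
    members={"Ops": {"alice", "OpsChild"},
             "OpsChild": {"bob", "carol"},
             "Contractors": {"carol", "erin"}},
    owners={"Ops": {"dave"}})
USER_ROLES = {"alice": "Reader"}                              # added directly
GROUP_ROLES = {"Ops": "Contributor", "Contractors": "Reader"}  # added groups

if __name__ == "__main__":
    for u in ["alice", "bob", "carol", "dave", "erin", "frank"]:
        print(u, effective_role(u, DIRECTORY, USER_ROLES, GROUP_ROLES))
```

Running it shows alice keeping Reader despite Ops granting Contributor, bob and carol inheriting Contributor through the nested OpsChild group, and dave receiving the Ops role as its direct owner.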
