The PeopleUpdate Administration Console's Security page allows you to manage groups and access control lists that control how users can interact with PeopleUpdate. You can employ the access control lists you create using the Security page to show tabs to certain groups of users and to allow specific groups of users to edit attributes.
You must have administrative access to the PeopleUpdate Administration Console to modify security settings.
Log in to the Administration Console. Click here for more information about logging into the Administration Console.
Click Security in the left navigation bar in the Global Configuration section.
To control access to functionality, PeopleUpdate uses access control lists to determine which users can access certain areas of the application. An access control list consists of a set of one or more groups whose membership dictates the users who are part of the list. These groups include built in PeopleUpdate groups like SELF and MANAGER as well as Windows groups from your domain.
You will need to add groups from your domain to the PeopleUpdate security configuration and then create access control lists with those groups. Refer to the section below for more information about how to create access control lists in PeopleUpdate.
PeopleUpdate includes two built in groups that you can include in your access control lists: SELF and MANAGER. These special groups compare the current authenticated PeopleUpdate application user against the user being viewed in PeopleUpdate and determine the group(s) of which the authenticated user is a member, based upon the authenticated user's relationship to the user being viewed.
| Built In Group | Description | Scope |
| --- | --- | --- |
| SELF | Refers to the current user account accessing the PeopleUpdate application working with her own user account in the Detailed Results, Edit or Account Management pages. Compares the current user against the user displayed in the Detailed Results pane. | Single user |
| MANAGER | Refers to the current user account accessing the PeopleUpdate application and includes working with the chain of direct reports and descendants in an organizational hierarchy as defined by the Manager relationship in Active Directory. Compares the current user displayed in the Detailed Results page to determine if the user viewing the results is the Manager of the user being displayed. | All users reporting to a particular manager (direct reports only and does not include all users in the chain of command) |
For example, if the user accessing PeopleUpdate is SAMPLEDOMAIN\AnyUser, this user has a SELF relationship to the AnyUser account in Active Directory. In a similar fashion, AnyUser has a MANAGER relationship to any direct reports for AnyUser.
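The following model shows how SELF, MANAGER and Windows groups combine when an access control list is evaluated. It is an added illustration, not PeopleUpdate code: the function names, attribute names, ACL names and sample users are constructed, and it assumes the "direct reports only" scope stated in the table and that an attribute with no access control list applied is not editable.

```python
from dataclasses import dataclass
from typing import Optional

SELF, MANAGER = "SELF", "MANAGER"    # built in groups named on this page

@dataclass(frozen=True)
class User:
    account: str                     # DOMAIN\name
    # Direct manager. Active Directory stores a distinguished name here;
    # an account name is used in this model for brevity.
    manager: Optional[str] = None
    groups: frozenset = frozenset()  # Windows groups as DOMAIN\Group

def norm(name: str) -> str:
    return name.casefold()           # Windows account and group names ignore case

def effective_groups(viewer: User, target: User) -> set:
    """Groups the viewer holds while viewing the target's record."""
    held = {norm(g) for g in viewer.groups}
    if norm(viewer.account) == norm(target.account):
        held.add(norm(SELF))
    if target.manager and norm(target.manager) == norm(viewer.account):
        held.add(norm(MANAGER))      # direct reports only, per the Scope column
    return held

def can_edit(attribute: str, viewer: User, target: User) -> bool:
    """Editable only if an ACL is applied and the viewer is in one of its groups."""
    acl_name = ATTRIBUTE_ACL.get(attribute)
    if acl_name is None:
        return False                 # no ACL applied: attribute stays read-only
    return bool({norm(g) for g in ACLS[acl_name]} & effective_groups(viewer, target))

# Constructed sample configuration and directory (not from a real deployment).
ACLS = {
    "Self Service": [SELF],
    "Managers and Help Desk": [MANAGER, r"SAMPLEDOMAIN\HelpDesk"],
}
ATTRIBUTE_ACL = {"mobile": "Self Service", "title": "Managers and Help Desk"}

alice = User(r"SAMPLEDOMAIN\alice")
bob = User(r"SAMPLEDOMAIN\bob", manager=r"SAMPLEDOMAIN\alice")
carol = User(r"SAMPLEDOMAIN\carol", manager=r"SAMPLEDOMAIN\bob")
dave = User(r"SAMPLEDOMAIN\dave", groups=frozenset({r"sampledomain\helpdesk"}))

if __name__ == "__main__":
    for viewer in (alice, bob, carol, dave):
        print(viewer.account, {a: can_edit(a, viewer, carol) for a in ATTRIBUTE_ACL})
```

In this model alice, who is two levels above carol, does not receive MANAGER for carol's record, which is the case to check when deciding whether an ACL built on MANAGER grants more or less than intended.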
PeopleUpdate retrieves information about the authenticated user from Active Directory. This operation requires searching Active Directory to find details about the authenticated user. The User Authentication Configuration options control how the user information is retrieved from Active Directory.
The User Authentication Configuration allows you to configure the search parameters to retrieve Active Directory information about the authenticated PeopleUpdate application user. If the search does not return results for the authenticated user based upon the parameters defined here, the application will load an empty user and some application functions may not work correctly.
| Option | Description |
| --- | --- |
| LDAP Bind Path | LDAP bind path to the root of the container in which you are searching for authenticated user information. The path should start with LDAP:// (in capital letters, as this value is case sensitive); the path indicates to PeopleUpdate where to bind to the directory to execute searches. Note: If you leave the LDAP Bind Path blank, PeopleUpdate will automatically try to locate a domain controller in the domain using the LDAP://RootDSE bind path, which is the default bind path that binds to the well-known root DSE object. If the authenticated user is still not found, the application will search the root of the forest using the Global Catalog. |
| Account Name | Account used to search Active Directory. The account needs Read access to all objects and attributes in Active Directory you want to search when authenticating a user. Example Proxy Account: YOURDOMAIN\PeopleUpdateServiceAcct or PeopleUpdateServiceAcct@yourdomain.local Note: For pre-Windows 2000 accounts, account names can only be 20 characters long and are truncated at the 20th character. You will need to truncate the account name you enter here if it is longer than 20 characters and you are using the NETBIOS form of the name. If your domain and account name are longer than 20 characters, use the UPN format of accountname@domain as a best practice. |
| Password | Password for the account |
| Check for External Associated Account | Indicates that PeopleUpdate should search for a linked External Associated Account (EAA) for the authenticated user. The EAA is linked through the msExchMasterAccountSid attribute on a user's mailbox in an Exchange Resource Forest. See the article at http://www.msexchange.org/tutorials/Understanding-External-Associated-Account-Windows-Server-2003-Exchange-2003.html for more information about External Associated Accounts. |
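A pre-entry check for the LDAP Bind Path and Account Name values, written as an added example and not part of PeopleUpdate. The function names and the sample bind path are constructed, and the rules encoded are only the ones stated in the table above.

```python
SAM_MAX = 20  # length limit of the pre-Windows 2000 logon name, per the note above

def check_bind_path(path: str) -> list:
    """Return the problems found in an LDAP Bind Path value (empty list = OK)."""
    if path == "":
        return []  # blank is valid: the application falls back to LDAP://RootDSE
    if path.startswith("LDAP://"):
        return []
    if path.upper().startswith("LDAP://"):
        return ["scheme must be upper-case LDAP:// (the value is case sensitive)"]
    return ["path must start with LDAP://"]

def account_name_to_enter(name: str) -> tuple:
    """Classify an Account Name and return (form, value to enter, note)."""
    if "\\" in name:                       # NETBIOS form: DOMAIN\account
        domain, _, sam = name.partition("\\")
        if not domain or not sam:
            raise ValueError("expected DOMAIN\\account")
        if len(sam) > SAM_MAX:
            short = sam[:SAM_MAX]          # what the directory actually holds
            note = f"{len(sam)} characters: truncated to {SAM_MAX}; UPN form is preferred"
            return ("netbios", f"{domain}\\{short}", note)
        return ("netbios", name, "")
    if name.count("@") == 1 and not name.startswith("@") and not name.endswith("@"):
        return ("upn", name, "")           # account@domain, the form advised for long names
    raise ValueError("use DOMAIN\\account or account@domain")

if __name__ == "__main__":
    # Constructed bind paths; the account names are the two examples from the table.
    for path in ("", "LDAP://DC=yourdomain,DC=local", "ldap://DC=yourdomain,DC=local"):
        print(repr(path), check_bind_path(path))
    for acct in ("YOURDOMAIN\\PeopleUpdateServiceAcct",
                 "PeopleUpdateServiceAcct@yourdomain.local"):
        print(account_name_to_enter(acct))
```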
You can use security and distribution groups from your domain to control access in PeopleUpdate. The groups you add to the PeopleUpdate security configuration can be included in access control lists that you can apply to attributes to allow editing and apply to tabs to allow groups of users to view the tab. You must add groups to the configuration before you can create access control lists using the groups.
Navigate to the Administration Console’s Security page.
Enter the name of the Windows group in the Group Name field in the Group Configuration section. Ensure you qualify your group name properly by including the domain with the group in the form of MYDOMAIN\Group.
Click Add Group to add the group to the security configuration.
Access control lists help you determine who has access to PeopleUpdate functionality including attribute editing and tab viewing. You must apply access control lists to attributes to make them editable by users who are members of the access control list. You must also apply access control lists to tabs to hide them from certain users.
Access control lists include groups whose members are also members of the access control list. PeopleUpdate uses access control lists to control security to application functionality including attribute editing and tab viewing.
You can set up as many access control lists as you need to satisfy the unique needs of your organization. Each access control list should have a set of related groups whose members need to perform similar operations in PeopleUpdate.
Navigate to the Administration Console’s Security page.
Enter a descriptive name for the access control list in the Access Control List name field in the Access Control List Configuration: Attribute Editing section.
Click Add Access Control List to add the access control list to the security configuration.
Once you create an access control list, you need to add groups to it. Refer to the Adding a Windows group topic for more information about how to add the groups that you can then include in an access control list.
Navigate to the Administration Console’s Security page.
Click Edit next to the access control list with the name you want to modify in the Access Control List Configuration: Attribute Editing section. This will put the access control list into edit mode.
Modify the name in the Access Control List Name field.
Click Save ACL to save your changes.
Access control lists use group membership to determine who has access to PeopleUpdate functionality. You can add and remove groups to and from an access control list to change which users are members of an access control list. You can also change the name of an access control list without affecting how it controls security access in the application.
Navigate to the Administration Console’s Security page.
Click Edit next to the access control list that contains the groups you want to modify in the Access Control List Configuration: Attribute Editing section. This will put the access control list into edit mode.
Select the name of the group you want to add to the access control list in the Group list.
Click Add Group to add the group to the access control list.
Add as many groups as you need to the access control list.
Click Save ACL to save your changes.
Navigate to the Administration Console’s Security page.
Click Edit next to the access control list that contains the groups you want to modify in the Access Control List Configuration: Attribute Editing section. This will put the access control list into edit mode.
Click the X icon next to the group you want to remove from the access control list.
Remove as many groups as you need from the access control list.
Click Save ACL to save your changes.