Rethinking the Active Directory integration
We're looking at a series of bug reports related to the Active Directory integration in FotoWeb, and will start work on improving this feature with the goal of closing it for good. We're making the following assumptions based on the communication we've had with you:
- It is sufficient to update an account and group memberships during log in, hence the background synchronization is not needed
- Groups in Groups are used for giving access to FotoWeb, so we must support group hierarchies
The following features will disappear:
- Import of users; users will only be imported/synced when logging in
- Treating Organizational Units (OUs) as groups
- Support for Novell as very, very few are using it
Setting up Active Directory integration will follow the steps outlined below:
1. Create rights groups in Active Directory for the roles you want defined in FotoWeb, e.g. 'FotoWeb Archive Administrators', 'FotoWeb Users with Upload', 'FotoWeb Read Only Users', and add the groups/users you want into these groups.
2. Set up the integration in FotoWeb and select the groups created in the step above.
3. Set up your archives and access lists using these groups.
4. Log in using your AD username and password (or Single-Sign-On). The account will be created in FotoWeb and all groups will be updated. Note that only the groups selected in step 2 will be synced; all intermediate groups will exist only in Active Directory.
We're planning to start this work in a couple of weeks' time, and look forward to your comments or questions so that we are sure to move in the right direction.

Comments
Faisal on 7.19.2011 at 4:29
Hi,
I'm not sure what the changes are other than groups being created in AD by FotoWeb. I can't see how this would work if we only have read-only access into AD.
Would we still be able to assign different permissions to AD groups in FotoWeb?
If the user is in the "Marketing" group in AD, will we see this listed in the operations centre? We might have fwx code which says if user is in marketing group then he this XXX on the page.
Marty on 7.19.2011 at 7:22
Greetings,
In my interactions with the AD integration, I do not see any problems with the proposed changes.
Thank you for the opportunity to comment.
Marty
chrisf on 7.21.2011 at 10:22
Groups selected by the administrator will still be imported into FotoWeb.
The difference is that it will not import sub-groups or recreate the exact hierarchy from the AD in the FotoWeb database. Let’s imagine the following hierarchy:
- All FotoWare Employees
  - FotoWare NO Employees
    - FotoWare Development Team
    - FotoWare Marketing Team
    - FotoWare Sales Team
    - FotoWare Operations Team
  - FotoWare DE Employees
Scenario 1: Selecting All FotoWare Employees for import
All users in the Dev, Marketing, Sales and Ops groups will be allowed to log on and will be put in the All FotoWare Employees group
Scenario 2: Selecting All FotoWare Employees and FotoWare Marketing Team
All users in the Dev, Marketing, Sales, and Ops groups will be allowed to log on and will be put in the All FotoWare Employees group
Users in the Marketing group will be put in BOTH Marketing and All groups
Access lists can be set up to give Marketing users upload and edit rights, while all others get read only
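The two scenarios above can be reproduced with a short sketch. This is an added example, not part of chrisf's comment and not FotoWeb code: it resolves nested membership at login and keeps only the administrator-selected groups. The nesting of the teams under FotoWare NO Employees, the user names, and the Contractors/Vendors groups are constructed assumptions.

```python
# Added example with constructed data; not FotoWeb's implementation.
# Direct "member of" edges only, the way a directory stores them (child -> parents).
MEMBER_OF = {
    "FotoWare Development Team": {"FotoWare NO Employees"},
    "FotoWare Marketing Team": {"FotoWare NO Employees"},
    "FotoWare Sales Team": {"FotoWare NO Employees"},
    "FotoWare Operations Team": {"FotoWare NO Employees"},
    "FotoWare NO Employees": {"All FotoWare Employees"},
    "FotoWare DE Employees": {"All FotoWare Employees"},
    # Hypothetical users
    "alice": {"FotoWare Marketing Team"},
    "bob": {"FotoWare Development Team"},
    "mallory": {"Contractors"},
    # Constructed circular nesting: the traversal must still terminate
    "Contractors": {"Vendors"},
    "Vendors": {"Contractors"},
}


def effective_groups(principal, member_of=MEMBER_OF):
    """Return every group the principal belongs to, directly or through nesting."""
    seen = set()
    stack = list(member_of.get(principal, ()))
    while stack:
        group = stack.pop()
        if group in seen:  # already expanded; this is what breaks cycles
            continue
        seen.add(group)
        stack.extend(member_of.get(group, ()))
    return seen


def groups_synced_at_login(user, selected, member_of=MEMBER_OF):
    """Groups written to the local account: only the administrator-selected ones.

    Intermediate groups are used for resolution but never returned.
    An empty result means the user is in none of the selected groups.
    """
    return effective_groups(user, member_of) & set(selected)
```

If the stored memberships are replaced with this result at each login rather than merged into it, a removal from a group in AD takes effect in the local account at the user's next login.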
chrisf on 7.21.2011 at 3:50
And it seems the 1500 limit is still haunting us.
But this time, not so bad: The limitation with the new implementation will be that a user cannot be a member of more than 1500 groups, and any group may not be a member of more than 1500 other groups.
Not so bad as the old problem, when a group could not hold more than 1500 users. :)
Eskil on 8.04.2011 at 1:10
Hi.
This looks nice. Will the group hierarchy support also resolve the problem with trusted domains?
Reg.
Eskil
Jörg on 8.26.2011 at 8:53
Hello.
What about the AD integration for Index Manager?
Our users have to verify against indexes and different Index Managers every time they choose/are forced to change their Windows password.
This is actually - in my opinion - a bigger issue.
Cheers.
Andreas Gnutzmann on 8.26.2011 at 3:17
Jörg,
it is possible to set up Active Directory groups and users in the index manager access lists.
If you have any difficulties doing so, please contact support and we will help you set it up.
Jörg on 9.07.2011 at 10:29
Hello Andreas.
Sorry for the late response.
I know that I can import/setup AD information at indexes. But even though my users are members of these groups, they have to verify themselves in Fotostation against the Index Manager.
It could be nice if there were a kind of single sign-on, so users don't need to verify.