
Author Topic: Windows Authentication and Requirement for Dual Maintenance of Groups  (Read 9717 times)

jthillmn

  • EA User
  • **
  • Posts: 22
  • Karma: +0/-0
Can someone please confirm I'm understanding the integration to Active Directory correctly, particularly as it relates to "Groups"?

It appears Sparx requires group assignments to be maintained inside of Sparx EA.  This implies it ignores group assignments that could be passed in through the Windows Authentication handshake; i.e. I can't simply maintain groups in AD and pass those across to Sparx without having to maintain the group assignments on both sides?

qwerty

  • EA Guru
  • *****
  • Posts: 13584
  • Karma: +397/-301
  • I'm no guru at all
IIRC, yes. EA has its own group security settings which can't be related to Windoze. Even if you migrate a repository you need to redo the Windoze AD inside EA for the migrated repo (I guess due to security reasons).

q.

Geert Bellekens

  • EA Guru
  • *****
  • Posts: 13523
  • Karma: +574/-33
  • Make EA work for YOU!
    • Enterprise Architect Consultant and Value Added Reseller
Since v15.1 this feature has been implemented.
Now you only have to indicate AD groups and link them to EA groups.
Users are created/removed automatically.

So finally no more double maintenance of users. A big incentive to upgrade for a number of (larger) clients.

Geert

Uffe

  • EA Practitioner
  • ***
  • Posts: 1859
  • Karma: +133/-14
  • Flutes: 1; Clarinets: 1; Saxes: 5 and counting
Quote
Since v15.1 this feature has been implemented.
Now you only have to indicate AD groups and link them to EA groups.
Users are created/removed automatically.
I wondered about this actually. Exactly when and how is this done?
When anyone opens the project, or just when a user with the Manage Users permission does?
Is there an indication that this sync is taking place -- does the dialog open, or is there a message in the status bar?
Are you prevented from closing the client while it's going on? Bearing in mind an AD group can easily run to thousands of members, I'd be interested to know how this works.

Quote
So finally no more double maintenance of users. A big incentive to upgrade for a number of (larger) clients.
Slightly offset by the control flow / object flow disincentive, but yeah. Would be nice.

/U
My theories are always correct, just apply them to the right reality.

Eve

  • EA Administrator
  • EA Guru
  • *****
  • Posts: 8110
  • Karma: +119/-20
It validates each user against active directory at every login. If the user isn't in the model, it is added to the model. If the user is not in any group linked to an EA security group then it won't let them in even if they were previously allowed.

Geert Bellekens

  • EA Guru
  • *****
  • Posts: 13523
  • Karma: +574/-33
  • Make EA work for YOU!
    • Enterprise Architect Consultant and Value Added Reseller
Quote
It validates each user against active directory at every login. If the user isn't in the model, it is added to the model. If the user is not in any group linked to an EA security group then it won't let them in even if they were previously allowed.
Yes, I tested that recently when we did a v12.1 -> v15.1 migration (+ an on-premise to Azure migration at the same time to make things interesting)

- added a user to an AD group
- user could open EA model
- removed user from group
- user could no longer open the EA model

I love that it does this type of "lazy loading" of users, so we don't need any kind of synchronization process between AD and EA (and thus no chance of them being out of sync).

Geert

Uffe

  • EA Practitioner
  • ***
  • Posts: 1859
  • Karma: +133/-14
  • Flutes: 1; Clarinets: 1; Saxes: 5 and counting
Quote
It validates each user against active directory at every login. If the user isn't in the model, it is added to the model. If the user is not in any group linked to an EA security group then it won't let them in even if they were previously allowed.

Hmm. That's not what the manual says.

Quote
Link to Active Directory
Select this checkbox to enable linking to a Windows Active Directory Group from which to import users. The 'Select Group' dialog displays on which you specify the Windows Active Directory Group to attach to. You then start importing the users when you click on the Sync button.
You must have 'Accept Active Directory Authentication' permission in Windows to link to the Active Directory; an error message displays if you do not have this.
...
Active Directory Link
Displays the address of the Active Directory Group that this user group is linked to, if any.
Sync
Enabled if the group is linked to a Windows Active Directory. Click on this button to synchronize the group with the Active Directory (that is, import specific users into the model from the Active Directory). You use this option when you initially set up the User Group; subsequent user IDs must be added to the user group manually.
(My emphasis.)

The manual also leaves a number of other questions unanswered.
  • Is the user automatically deleted when no longer in a permitted AD group?
  • Is the user automatically added to Authors when added from the AD?
  • Is the user automatically deleted from Authors when no longer in a permitted AD group?
  • Is the EA group automatically deleted when it no longer exists in the AD?
  • Are users automatically deleted when they were in only one AD group that no longer exists?

/U
My theories are always correct, just apply them to the right reality.

Geert Bellekens

  • EA Guru
  • *****
  • Posts: 13523
  • Karma: +574/-33
  • Make EA work for YOU!
    • Enterprise Architect Consultant and Value Added Reseller
I'd love answers on those questions as well.

I tested some of those, but not all.
The main thing I tested was if the users could access the model or not depending on being part of the correct AD group
I care a bit less about whether or not there is a user record present in EA.

IIRC the user is deleted when he tries to log in but is no longer in any of the allowed AD groups, but I could be mistaken.

Geert


jthillmn

  • EA User
  • **
  • Posts: 22
  • Karma: +0/-0
Thank you, everyone, for your input.  I find it encouraging that v15.1 appears to exhibit the behaviors I was hoping to find.  I, too, find the experiences Geert has shared to contradict what is found on page 45 of the "Team Support" documentation (https://sparxsystems.com/resources/user-guides/15.1/modeling/team-support.pdf).  For now, I will trust Geert's experiences over that document and continue to monitor this thread.

Regards...Jim

jthillmn

  • EA User
  • **
  • Posts: 22
  • Karma: +0/-0
And my apologies to Eve for excluding her comment that affirms the documentation might not be accurate.

Quote from: Eve on May 13, 2020, 05:27:08 pm
It validates each user against active directory at every login. If the user isn't in the model, it is added to the model. If the user is not in any group linked to an EA security group then it won't let them in even if they were previously allowed.

Eve

  • EA Administrator
  • EA Guru
  • *****
  • Posts: 8110
  • Karma: +119/-20
You still need to manually define a group and link it to active directory. You don't need to manually maintain the users of that group.

There are two different functions. Not one function with contradictory documentation.

The Sync button on the security Groups dialog updates all users from that AD group.

The automatic behavior comes from the User dialog. 'Automatically create or modify Windows or OpenID users'.

I don't know when or if either function ever deletes users.
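The distinction between the manual Sync snapshot and the per-login validation, as an added illustrative Python model (not Sparx's code; the directory data, group names and function names are constructed for the example). It also shows why a synced snapshot can leave stale user records that an audit should catch.

```python
# Illustrative model (added example, not Sparx code) of the two functions
# discussed above: a manual Sync that snapshots an AD group into an EA
# security group, versus automatic validation against AD at every login.
# All directory data and names are constructed for this example.

# Constructed "Active Directory": AD group name -> set of account names.
AD = {
    "EA-Modellers": {"alice", "bob"},
    "EA-Readers": {"carol"},
}

# Constructed EA model: EA security group -> linked AD group, plus a user table.
EA_GROUP_LINKS = {"Authors": "EA-Modellers", "Viewers": "EA-Readers"}
ea_users: dict[str, set[str]] = {}   # account -> EA groups the record is in


def sync_group(ea_group: str) -> set[str]:
    """Manual 'Sync' button: import the linked AD group's members once.
    Nothing re-checks AD afterwards, so this snapshot can go stale."""
    members = AD[EA_GROUP_LINKS[ea_group]]
    for account in members:
        ea_users.setdefault(account, set()).add(ea_group)
    return set(members)


def login(account: str) -> bool:
    """Automatic mode: validate the account against AD at every login.
    Creates the user record if missing; denies anyone who is in no
    linked AD group, even if they were allowed in before."""
    groups = {g for g, ad in EA_GROUP_LINKS.items() if account in AD[ad]}
    if not groups:
        return False
    ea_users[account] = groups           # create or refresh the record
    return True


def stale_accounts() -> set[str]:
    """Audit helper: EA user records whose holder is no longer in any
    linked AD group (left behind by a Sync, never cleaned up by login)."""
    return {a for a in ea_users
            if not any(a in AD[ad] for ad in EA_GROUP_LINKS.values())}


if __name__ == "__main__":
    sync_group("Authors")                # snapshot imports alice and bob
    AD["EA-Modellers"].discard("bob")    # bob is later removed from AD
    print(login("alice"), login("bob"))  # True False
    print(stale_accounts())              # {'bob'}: still in EA's user table
```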

RoyC

  • EA Administrator
  • EA Practitioner
  • *****
  • Posts: 1297
  • Karma: +21/-4
  • Read The Help!
>> The automatic behavior comes from the User dialog. 'Automatically create or modify Windows or OpenID users'.

This is part of Single Sign On, which you will find documented on page 52 of the PDF you referred to.  Or here, in the online Help:

https://www.sparxsystems.com/enterprise_architect_user_guide/15.1/team_support/single_sign_on.html
Best Regards, Roy

Tarun Sachdeva

  • EA Novice
  • *
  • Posts: 1
  • Karma: +0/-0
After one creates a new security group and synchronizes that with the AD using the sync button, the login id which comes in the Group Users column is not the same as the ID used for Windows Authentication. For example, the login id that appears is 123.abc (kinda like firstname.lastname) whereas the Windows authentication id for this user is xyz (some unique employee code). So, the user is not able to connect to the EA model. I need to manually modify the login in the Users after synchronizing the groups.
Is this a bug, or can it be configured to meet this desirable standard requirement? Not sure if anyone else has observed this yet, as it doubles up the work!

Geert Bellekens

  • EA Guru
  • *****
  • Posts: 13523
  • Karma: +574/-33
  • Make EA work for YOU!
    • Enterprise Architect Consultant and Value Added Reseller
I've never used the sync button. Are you sure you need that in v15.1?
My users are added automatically without any intervention from my part.

All I needed to do was link the AD groups to EA groups.

Geert