Author Topic: PCS and Active Directory security (Read 12746 times)

Typia · « **on:** June 29, 2021, 07:12:57 pm »

Hi,
we're currently moving from a DB based access to PCS
We have about 50 databases, one per project which are secured by an AD group each e.g for project1 EA_Project1 DB and AD group.

In my understanding, when using PCS, user which launches PCS must have full access to every db then security is set up within EA Model internal security.

We would like to keep an AD based and Managed Security. I know EA internal Security has capabilities to import AD users and groups but it's only import.
We need a live sync between our AD groups and Security.

I must admit I'm pretty confused by advertised capabilities of PCS, as I find really hard to understand what's advertised as prolaborate (seems like prolaborate has that full sync AD access) and PCS.

Is there a way we can achieve our needs ?

Many thanks

Modesto Vega · « **Reply #1 on:** July 09, 2021, 06:13:07 pm »

Quote from: Typia on June 29, 2021, 07:12:57 pm

In my understanding, when using PCS, user which launches PCS must have full access to every db then security is set up within EA Model internal security.

Just to be specific, the account running the PCS windows service must have read/write permissions to all databases. All records are written to the database by these account without loosing the "real" user performing the operation.

Quote from: Typia on June 29, 2021, 07:12:57 pm

We would like to keep an AD based and Managed Security. I know EA internal Security has capabilities to import AD users and groups but it's only import.
We need a live sync between our AD groups and Security.

You import users but map groups . My understanding, but we are still trying this, is that as soon as user is added to a mapped AD group, the user will be able to perform all the functions the group is mapped to.

Typia · « **Reply #2 on:** July 20, 2021, 10:53:39 pm »

Quote from: Modesto Vega on July 09, 2021, 06:13:07 pm

You import users but map groups . My understanding, but we are still trying this, is that as soon as user is added to a mapped AD group, the user will be able to perform all the functions the group is mapped to.

I'm gonna try but in my understanding groups are not mapped and you have to make a manual sync everytime a user is added on AD
(you click sync, new users are on the left, and you click add)
Moreover, when a user is removed from AD, his authorizations are left and you have to delete it manually.

Sparx Systems Forum

News: