Users
When you select the Repository node for the first time, the client parts of the Repository plug-in are loaded. The node name then changes from Repository Configuration (unloaded) to Repository Configuration.
The plug-in also loads its child nodes, including one node for each tenant you are allowed to manage.
Manage Tenant-Administrators and Administrators
To manage Tenant-Administrators or Administrators select the Tenants node, then select one tenant from the list and click Edit:
Users and groups which are direct members of the administrator group are shown with an empty path. For a user who is an administrator through membership in another group, the path shows the reason why this user is an administrator. Only direct members can be added or removed.
When adding a new user or group you can filter by name, user/group and Is-Deleted. Deleted principals are rendered strike-through.
Icons show additional status for users and groups. You can also group the list, for example by the second column:
NOTE: When adding or removing members, the changes are saved immediately.
Users and Groups
To manage users and groups select the Users and Groups node below the node of one tenant.
Every tenant has its own users and groups, but every tenant can also see the users and groups of the system tenant. Users and groups can be added and edited manually, but when you edit an AD user or AD group, the values are overwritten the next time the AD synchronization runs.
When you select one entry, the details of the user or group are shown in the tools window. The tools window can also be undocked from the main window:
Details of an AD-user:
Details of an AD-group:
Depending on the type of the principal (user or group) and the item source (inPoint, AD or External), different fields are available.
Currently no user or group details can be modified.
Memberships
For every user and group the membership information can be edited. The only exceptions are some system tenant principals (like the Root-User or the Everyone-Groups).
Editing memberships of a user
For users you can specify which groups they are members of. By clicking + or - you can add and remove groups. Groups with no direct membership are shown grayed out and the path shows the reason why this user is a member of this group. Only direct memberships can be added or removed.
So in this example the user is a direct member of HS_Wien, but because HS_Wien is a member of HS_All, it is also an indirect member of HS_All.
If you double-click a group, or select a group and click the < button, you can navigate to that group.
Editing membership of a group
For groups you can specify which groups they are members of, but also which members this group contains. By clicking + or - you can add and remove groups and, as children, also users. Members with no direct membership are shown grayed out and the path shows the reason why this principal is a member of this group. Only direct members can be added or removed.
If you double-click a principal, or select a principal and click the < or > button, you can navigate to that user / group.
So in this example the group is a direct member of HS_All and contains some users.
When you have navigated to another group you also see a Back button (<-) to navigate back to the previous principal.
This example shows a group with no parent groups and only child groups, but some of its child members are indirect members.
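The direct/indirect distinction in both the user editor and the group editor above comes down to resolving nested group membership and recording the path that explains it. The following Python is an added example written for this page, not inPoint code: it resolves memberships transitively over a constructed sample directory (HS_Wien and HS_All are the group names from the page's example; the user names, HS_Graz and the HS_All/HS_Loop cycle are assumptions), enforces the rule that only direct memberships may be edited, and shows the case an administrator should watch for: removing a direct membership while a nested group still grants the same access.

```python
from collections import deque

# Constructed sample directory, not inPoint data: principal -> set of groups it is a
# *direct* member of. HS_Wien and HS_All are the group names from the page's example;
# the user names, HS_Graz and the HS_All <-> HS_Loop cycle are assumptions.
SAMPLE_DIRECT = {
    "u.beispiel": {"HS_Wien"},
    "a.admin": {"HS_Wien", "HS_All"},
    "HS_Wien": {"HS_All"},
    "HS_Graz": {"HS_All"},
    "HS_All": {"HS_Loop"},
    "HS_Loop": {"HS_All"},   # circular nesting, which AD permits
}


def sample_directory():
    """Fresh, mutable copy of the sample so edits do not leak between calls."""
    return {name: set(groups) for name, groups in SAMPLE_DIRECT.items()}


def effective_groups(principal, direct):
    """All groups `principal` belongs to, directly or transitively, mapped to the
    path that explains the membership. An empty path is a direct membership (shown
    with an empty path in inPoint.Admin); otherwise the list names the groups
    walked through, e.g. ['HS_Wien'] for 'member of HS_All via HS_Wien'.
    Breadth-first, so the shortest explanation wins; the visited check makes
    circular group nesting terminate."""
    result = {}
    queue = deque((group, []) for group in sorted(direct.get(principal, ())))
    while queue:
        group, path = queue.popleft()
        if group in result or group == principal:
            continue
        result[group] = path
        for parent in sorted(direct.get(group, ())):
            if parent not in result:
                queue.append((parent, path + [group]))
    return result


def membership_path(principal, group, direct):
    """None if `principal` is not a member of `group`, [] if it is a direct member,
    otherwise the chain of intermediate groups."""
    return effective_groups(principal, direct).get(group)


def effective_members(group, direct):
    """Reverse view used by the group editor: every principal that ends up in
    `group`, with the path explaining it (empty path = direct child)."""
    members = {}
    for principal in direct:
        path = membership_path(principal, group, direct)
        if path is not None:
            members[principal] = path
    return members


def can_edit(principal, group, direct):
    """Only direct memberships may be added or removed in the UI; an indirect one
    has to be changed at the group that grants it."""
    return membership_path(principal, group, direct) == []


def remove_membership(principal, group, direct):
    """Remove a direct membership and return the path through which `principal` is
    *still* a member afterwards, or None if the removal really revoked access.
    A remaining path is the case to watch for: removing someone from a group is
    not effective while a nested group still grants the same membership."""
    path = membership_path(principal, group, direct)
    if path is None:
        raise ValueError(f"{principal} is not a member of {group}")
    if path:
        raise ValueError(
            f"{principal} is only an indirect member of {group} via "
            f"{' > '.join(path)}; edit the membership in {path[0]} instead")
    direct[principal].discard(group)
    return membership_path(principal, group, direct)


if __name__ == "__main__":
    d = sample_directory()
    for group, path in effective_groups("u.beispiel", d).items():
        print(group, "(direct)" if not path else "via " + " > ".join(path))
    print("a.admin still in HS_All via:", remove_membership("a.admin", "HS_All", d))
```

Running the script lists u.beispiel as a direct member of HS_Wien and an indirect member of HS_All via HS_Wien, exactly the rows the editor grays out. The second line is the point of the example: a.admin is removed from HS_All directly, yet remains a member through HS_Wien, so the effective access has not changed.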
Active Directory synchronization
Importing new Groups
The Import button allows you to add new groups from the Active Directory:
You can leave the search field empty (or type a single *) to search for all groups in the Active Directory. Entering a text without a * searches for groups whose name contains this text. Entering a text with a * runs the search as typed (*test searches for all groups ending with test).
You may specify more restrictions by opening the Search-Settings:
By default the search stops after 200 groups, but the limit can be configured here. The AD domains are read from the inPoint server; they are configured in the PAM-Storage web.config in the AppSetting LDAPAuthenticationDomain. By default the search is run for all domains.
In the search result you can select the groups you want to import. Groups which are disabled show the reason in the right column (for example: a group with the same GUID already exists, ...).
NOTE: The search in the Active Directory is executed directly from the client. Therefore the current Windows user running inPoint.Admin needs the rights to run the AD query in all specified domains, and those domains must be reachable from the client machine.
After adding new groups, the AD users in these groups can be added/synchronized.
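The three search rules above (empty or a lone * for everything, plain text as a "contains" search, text with * taken as typed) map directly onto an LDAP cn filter, and because the client builds that filter from whatever the administrator types, the literal parts have to be escaped so the text cannot change the filter's structure. The following Python is an added example written for this page, not the inPoint.Admin implementation: it builds the filter with RFC 4515 escaping, and then simulates the search offline over a constructed per-domain group catalog (domain names, GUIDs and group names are made up), applying the configurable result limit and marking rows whose GUID is already imported with a reason, the way the import dialog disables them.

```python
import re

# Constructed stand-in for what the AD query returns per domain as (objectGUID, cn).
# Domain names, GUIDs and group names are made up for the example; they are not
# real directory data.
SAMPLE_AD_GROUPS = {
    "corp.example": [
        ("guid-0001", "HS_Wien"),
        ("guid-0002", "HS_All"),
        ("guid-0003", "Domain Admins"),
    ],
    "labs.example": [
        ("guid-0004", "lab_test"),
        ("guid-0005", "HS_Graz"),
        ("guid-0006", "Test Users"),
    ],
}
# GUIDs of groups already imported into the tenant (assumed); a hit on one of
# these is disabled in the result list with a reason, as the page describes.
SAMPLE_IMPORTED_GUIDS = {"guid-0001", "guid-0002"}

RESULT_LIMIT = 200  # the default limit from the Search-Settings


def cn_pattern(text):
    """The page's three rules: empty or a single '*' -> every group; text without
    '*' -> groups containing the text; text with '*' -> matched as typed."""
    text = text.strip()
    if text in ("", "*"):
        return "*"
    if "*" not in text:
        return f"*{text}*"
    return text


def _escape_ldap(literal):
    """RFC 4515 escaping for the literal parts of a filter value. '*' is not
    escaped here because it is split off beforehand and kept as the wildcard;
    everything else that could alter the filter is hex-escaped."""
    return "".join(f"\\{ord(ch):02x}" if ch in "\\()\0" else ch for ch in literal)


def group_search_filter(text):
    """LDAP filter for the group search. User-typed characters cannot change the
    filter structure: '*)(objectClass=*' ends up as a harmless literal."""
    pattern = "*".join(_escape_ldap(part) for part in cn_pattern(text).split("*"))
    return f"(&(objectCategory=group)(cn={pattern}))"


def _glob_to_regex(pattern):
    """Offline matcher with the same semantics the filter would have in AD:
    '*' matches anything, the rest is literal, cn comparison is case-insensitive."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$",
                      re.IGNORECASE)


def search_groups(text, domains=None, limit=RESULT_LIMIT,
                  catalog=SAMPLE_AD_GROUPS, imported=SAMPLE_IMPORTED_GUIDS):
    """Simulate the client-side search over all configured domains (or the given
    ones): returns (rows, truncated). Rows that cannot be imported carry a
    disabled_reason, like the greyed-out entries in the import dialog."""
    regex = _glob_to_regex(cn_pattern(text))
    rows = []
    for domain in (domains or catalog):
        for guid, cn in catalog[domain]:
            if not regex.match(cn):
                continue
            if len(rows) >= limit:
                return rows, True
            reason = "A group with the same GUID already exists" if guid in imported else None
            rows.append({"domain": domain, "cn": cn, "guid": guid, "disabled_reason": reason})
    return rows, False


if __name__ == "__main__":
    for query in ("", "HS", "*test", "a)(cn=*"):
        print(f"{query!r:12} -> {group_search_filter(query)}")
    rows, truncated = search_groups("HS")
    for row in rows:
        print(row["domain"], row["cn"], row["disabled_reason"] or "importable")
```

The truncated flag is worth surfacing in a real client: with the default limit of 200 a broad search silently hides groups, and an administrator who does not see the group they expect should narrow the pattern or raise the limit in the Search-Settings rather than assume it does not exist.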
Synchronize Users and Groups
The Sync button runs the AD-Sync job for the current tenant. This job synchronizes the AD users of all already imported AD groups, or only of the selected AD groups:
NOTE: The documentation from here is outdated
When the job writes messages you can inspect them by clicking the Logs button:
Running the AD-Sync job means:
- find the job(s) for the current tenant
- clone it
- run it
- wait for it to finish and check the logs
- delete it!
So when it has finished there should be no additional AD-Sync job in the jobs list for the current tenant. When something fails (for example when the client or server crashes) the leftover job has to be deleted manually.
These manually created jobs have names like
Manual AD-Sync 2019-2019-03-15 13:19:23Z