Manage ConnectMaster user privileges

 

For ConnectMaster to know which user has which rights, the Active Directory user must be a member of the corresponding Active Directory (AD) groups.

To do so, configure the name pattern of your AD groups in the ConnectMaster config file and create these groups in your Active Directory, so that you can assign users to them.

Group name pattern configuration

For ConnectMaster to know which of your AD groups are related to ConnectMaster privileges, it needs to know the name pattern of these groups.

The name pattern for standard user rights is:
[adfs_group_prefix][UserRight][adfs_group_suffix]

 

The name pattern for ConnectMaster user groups is:
[adfs_group_prefix][adfs_usergroup_prefix][UserGroupName][adfs_group_suffix]

 

The name pattern for ConnectMaster explorer views is:
[adfs_group_prefix][adfs_expview_prefix][ExplorerViewName][adfs_group_suffix]

 

In the ConnectMaster config file (see section 3.2) you can define the following name pattern parts (see Figure 3).

Figure  - Name pattern config

If you used the preconfigured values, examples for the three name patterns would be:

| Pattern | Example |
| --- | --- |
| Standard user right | CM_ADMIN |
| ConnectMaster user group | CM_USERGROUP_MyUserGroup |
| ConnectMaster explorer view | CM_ExpView_MyView |

Group mapping to ConnectMaster privileges

Each ConnectMaster user privilege is represented by an Active Directory group. The following table shows which group name represents which privilege.

The group names assume that the default pattern configuration was used (see 4.1).

 

| ConnectMaster user privilege | AD group name | Remarks |
| --- | --- | --- |
| User Type | CM_ADMIN | This privilege is mandatory. The AD user must be a member of one of these groups |
| | CM_NORMAL | |
| | CM_VIEWER | |
| Web Type | CM_WEBEDIT | |
| | CM_WEBVIEWER | |
| GIS Type | CM_GISEDIT | |
| | CM_GISVIEWER | |
| Fixed License | CM_Fix | |
| RNP | CM_RNPUSER | |
| Fiber Monitoring | CM_FMONADMIN | |
| | CM_FMONNORMAL | |
| | CM_FMONVIEWER | |
| | CM_FMONSERVICE | |
| User Groups | CM_USERGROUP_MyGroup | CM_USERGROUP_ + Group name for every user group in the database. This privilege is mandatory. The AD user must be a member of one user group |
| Explorer Views | CM_ExpView_MyView | CM_ExpView_ + View name for every explorer view in the database |

 

Configure ConnectMaster privileges inside of Active Directory

To authorize a user with ADFS in ConnectMaster, you must create user groups in the Active Directory.

After the groups have been created, they must be assigned to the users.

Create needed user groups

There is a new button inside of the AdminTool to export all needed information to a PowerShell script.

 

After you press the button, several dialogs are shown in which you enter the name pattern information for the AD groups. Please use the same configuration you defined in the ConnectMaster config file (see section 4.1).

The dialogs ask for the following values, in this order:

A value that should be the same as the value of “adfs_group_prefix” in the config file

A value that should be the same as the value of “adfs_group_suffix” in the config file

A value that should be the same as the value of “adfs_usergroup_prefix” in the config file

A value that should be the same as the value of “adfs_expview_prefix” in the config file

After the configuration, specify a proper path to store the script file.

 

With the following steps, the needed user groups can be created on the ADFS server:

Open PowerShell as Administrator.

Enable execution of unsigned PS1 scripts:

Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process

Confirm with "Y". Because of -Scope Process, the changed execution policy applies only to the current PowerShell session.

Specify the script file to be executed.

Press "Enter" to execute the script. The groups are available afterwards.

Set user groups to user

To set user groups, open ‘Active Directory Users and Computers’.

Look for the user you want to grant access to ConnectMaster.

Double-click the selected user to add the needed user groups.

The mandatory information is:

User kind (CM_ADMIN or CM_NORMAL or CM_VIEWER)

At least one user group must be set

 

Note: To disable a user for ConnectMaster, remove the user kind.

 

Optional assignments:

CM_WEBEDIT or CM_WEBVIEWER

CM_GISEDIT or CM_GISVIEWER

CM_RNPUSER

CM_Fix

CM_FMONADMIN or CM_FMONNORMAL or CM_FMONVIEWER

Explorer View
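
The mandatory and optional assignments listed above can be checked per user by classifying the user's AD group names against the three name patterns. The following PowerShell is an added example, not code from ConnectMaster or the AdminTool export; the function name Get-CMPrivilegeSummary, the pattern part values (inferred from the example names CM_ADMIN, CM_USERGROUP_MyUserGroup and CM_ExpView_MyView), the case-insensitive matching and the "more than one user type" finding are assumptions of this example.

```powershell
# Added example. Pattern part values are assumed from the page's example group names.
$Pattern = @{
    GroupPrefix     = 'CM_'         # adfs_group_prefix
    GroupSuffix     = ''            # adfs_group_suffix
    UserGroupPrefix = 'USERGROUP_'  # adfs_usergroup_prefix
    ExpViewPrefix   = 'ExpView_'    # adfs_expview_prefix
}

function Get-CMPrivilegeSummary {
    param(
        [Parameter(Mandatory)][string[]]$GroupName,
        [Parameter(Mandatory)][hashtable]$Pattern
    )
    $userTypes = 'ADMIN', 'NORMAL', 'VIEWER'   # the three user type rights from the table
    $p  = [regex]::Escape($Pattern.GroupPrefix)
    $s  = [regex]::Escape($Pattern.GroupSuffix)
    $ug = [regex]::Escape($Pattern.UserGroupPrefix)
    $ev = [regex]::Escape($Pattern.ExpViewPrefix)
    $types = @(); $groups = @(); $views = @(); $rights = @()

    foreach ($name in $GroupName) {
        # Test the two longer patterns first: with these parts a user group name
        # also fits the standard-right pattern. -match is case-insensitive (assumption).
        if     ($name -match ('^{0}{1}(.+){2}$' -f $p, $ug, $s)) { $groups += $Matches[1] }
        elseif ($name -match ('^{0}{1}(.+){2}$' -f $p, $ev, $s)) { $views  += $Matches[1] }
        elseif ($name -match ('^{0}(.+){1}$'    -f $p, $s)) {
            if ($userTypes -contains $Matches[1]) { $types += $Matches[1] } else { $rights += $Matches[1] }
        }
        # Any other name does not follow the pattern and is ignored.
    }

    $findings = @()
    if ($types.Count -eq 0)  { $findings += 'No user type group: mandatory privilege missing' }
    if ($types.Count -gt 1)  { $findings += 'More than one user type group: review membership' }
    if ($groups.Count -eq 0) { $findings += 'No user group: mandatory privilege missing' }

    [pscustomobject]@{
        UserTypes = $types; UserGroups = $groups; ExplorerViews = $views
        OtherRights = $rights; Findings = $findings
    }
}

# Constructed sample input. With the ActiveDirectory module the real list would come
# from (Get-ADPrincipalGroupMembership -Identity <user>).Name
$sample = 'Domain Users', 'CM_ADMIN', 'CM_VIEWER', 'CM_WEBEDIT', 'CM_ExpView_MyView'
Get-CMPrivilegeSummary -GroupName $sample -Pattern $Pattern | Format-List
```

For the constructed sample, the summary reports two user type groups and a missing user group, while 'Domain Users' is ignored because it does not follow the name pattern.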