
Prolaborate Best Practices - Active Directory configuration in V4

February 24, 2023

When it comes to User Management in Prolaborate, it is recommended to enable Single Sign-On for better security and user experience.

This can be achieved by integrating Prolaborate with Active Directory (AD) or any SAML-based apps like Azure AD, Okta, IBM SAM, Oracle ICS, etc.

In this article, we will be looking at the best practices for integrating Prolaborate with Active Directory.

The Goal

The goal is to deliver a seamless login experience to all Prolaborate users!

The objective is to make it easy and effortless for

  1. Admins to manage users and their experience in Prolaborate. Experience refers to the EA model information shared with the users, whether they can edit or collaborate, the information that is presented to them through dashboards, etc. Importantly, Admins should need minimal effort to make any changes to users or groups in Active Directory.
  2. Users to manage their credentials and use Prolaborate.

Scenarios:

Scenario 1:

  1. For the team that prefers to leverage user groups from existing Active Directory (AD)
  2. Users who would like to access Prolaborate are added to User Groups of AD

In such a scenario, we can directly map the existing AD user group to a Prolaborate user group.

Scenario 2:

  1. For the team that prefers to leverage users from existing Active Directory (AD)
  2. Users who would like to access Prolaborate are part of AD but are not assigned to any AD Groups

In such a scenario, we can directly map the existing AD user to a Prolaborate user group.

Scenario 3:

This scenario is applicable only for a small team (4 or 5 members) where the configuration and permissions are assigned to a Prolaborate User.

  1. For the team that prefers to leverage user management from the existing AD
  2. Users who would like to access Prolaborate are part of AD but are not assigned to any AD Groups

In such a scenario, we can directly map the existing AD user to a Prolaborate user.

Pre-Requisite:

How to Configure Active Directory in Prolaborate?

Get started by configuring the details of Active Directory in Prolaborate.

Click on Menu > Active Directory. Click on Setup Active Directory.

Note:
  • You can get the details mentioned below from your IT team.
  • Give a Name to the setup, preferably a name based on the domain or sub-domain
  • Enter the Active Directory Server's IP address or DNS and Port number
  • Enter the domain address in the Domain field
  • Enter the Username and Password to login to the AD server. The user needs permission to access and retrieve AD objects as a pre-requisite.
  • Enable SSL if it is enabled in AD

    Please ensure that the proper domain or sub-domain is entered here. For example, if you are Volkswagen, you should not configure the Volkswagen.com domain in Prolaborate. Instead, you should configure the sub-domains like audi.volkswagen.com, skoda.volkswagen.com, etc.

  • Click on Save

When you click Test & Save, Prolaborate checks whether the details you entered are valid. If they are valid, the settings are saved. Otherwise, you will see an error message and the details will not be saved.

If you have more than one domain or sub-domain, repeat the above steps for each.

Once the details are saved successfully, enable Windows Sign-in.

Scenario 1: Map AD User Group to a PL User Group

Steps to Add AD groups in Prolaborate

This step is a prerequisite to enable Active Directory users to log in to Prolaborate.

An AD user will be allowed to log in to Prolaborate only when either of the following options is fulfilled.

  1. Option 1: The AD group that a user is part of is added to Prolaborate (we will discuss this in the following section)
  2. Option 2: The respective user’s account is directly added to Prolaborate (we will discuss this in the following section)

To add an AD group, open a repository and click on Menu > Users.

In the Users page, click on Active Directory Groups and then on Add AD Group.

If you have configured more than one domain, ensure the right domain is selected.

  • In the AD Browser, select a folder. The groups available in that folder will be listed under the AD Groups section on the right
  • Select the Groups you want to add
  • Click on the Add icon to add the selected AD Groups

If you want to add the selected AD groups to a Prolaborate user group, select the group in the Default Group dropdown. The rationale behind this will be explained in the Create User Groups section below.

Assign Dashboard to AD Groups

If you have assigned access permissions to AD groups, you should assign a dashboard as a landing page for those groups.

Click on Menu > Users.

In the Users page, click on Active Directory Groups. Edit the group and set the newly created dashboard as the Default Dashboard for this group.

Repeat this step for all groups.

Scenario 2: Map AD user to PL User Group

Steps to Add AD users in Prolaborate (Optional)

While this is not recommended, there is one exception.

You should add the AD user directly to Prolaborate when a user needs access to Prolaborate, but is not part of any relevant groups that need access. So, instead of adding the group, you only add that user to Prolaborate.

For a high number of AD users, it is better to create a new group in AD and add all the users who need access to Prolaborate to it.

Creating groups in Prolaborate is much simpler than creating them in AD. Refer to the next section for details.

To add an AD user, open a repository and click on Menu > Users. In the Users page, click on Add User.

Select Add from Active Directory > appropriate AD domain > By User.

  • In the AD Browser, select the appropriate folder. The users available in that folder will be listed under the AD Users section on the right
  • Select the users you want to add and the Add icon will be enabled
  • Click on the Add icon to add the selected AD users

Optionally, if you want to add the selected users to a specific group, select the group in the Default Group dropdown. The rationale behind this will be explained in the Create User Groups section below.

If you can’t locate a user, you can select the top folder and click on Advanced Search.

How to Assign Dashboards for AD Users?

When a user logs in to Prolaborate, the user gets access to the following:

  1. Repository browser
  2. Dashboard

In this step, we will decide what kind of information each group is presented with through the dashboard.

While Dashboards is a huge topic (Learn more here), we recommend that you create at least one dashboard per group.

And you can start simple by adding widgets like EA Item Links and Diagram Thumbnails in each dashboard. These dashboards make it easier for the users to get to the intended model information.

Once dashboards are created, the next step is to assign these dashboards to appropriate AD or Prolaborate groups.

How to Configure Access Permissions for AD Users?

When a user logs in to Prolaborate, he/she is shown

  1. Repository browser
  2. Dashboard

In this step, one can decide which group has access to which sections of the EA models in the Repository browser and what that group can do with them.

The most important benefit of adding AD groups or creating Prolaborate groups is providing and managing access permissions easily.

Once the permissions are configured for these groups, all the users who are part of these groups get the same access that is provided to the respective groups that they belong to.

Note that once the permissions are configured, you are not expected to do anything even when users are added to or removed from the AD or Prolaborate groups. Prolaborate integrates with Active Directory in real time, and hence the status of a user in Active Directory is checked every single time that user logs in to or opens Prolaborate.

Depending on the steps completed so far, there are three options:

  1. Configure access for an AD group
  2. Configure access for a Prolaborate user group
  3. Configure access for both

Irrespective of the option chosen, the steps to provide access remain the same.

Click on Menu > Access Permissions

  1. Select a model/view/package from Repository Browser
  2. Select an AD or Prolaborate group
  3. Choose the Type of Access. There are four types of Access:
    1. Read – View live modeling information
    2. Read and Write - View and edit models
    3. Read and Collaborate – View model information and participate in discussions
    4. Read and Collaborate – View model information and participate in discussions
  4. Click on Add icon

Repeat the above steps for every group. You can repeat the steps for the same group if you want to provide access to different parts of a model for that group.

Learn more about Access Permissions here.

Scenario 3: Map AD User to PL User

How to add AD users in New Prolaborate User Group? (Optional)

User groups in Prolaborate serve the same purpose as the groups in AD. Groups make it easier to manage the experience of a set of users conveniently.

This step will be needed only in the following situations:

  1. You want to manage multiple AD groups in the same way
  2. You have to add individual AD users and group them to manage them easily
  3. You want to group AD groups and users and manage them in the same way
  4. You want to provide role-based admin access to specific capabilities in Prolaborate

To add a group, click on Menu > User Groups. Click on Add Group.

Fill in the following details and click on Submit to create a group.

  • Mention the Name of the group
  • Add the AD Users and/or Groups that need to be part of this group
  • Default Dashboard - Ignore this for now. We will set a default dashboard after creating one. We will see more details on this in the ‘Create Dashboards’ section.

You can leave the other fields for now.

Learn more about User groups here.

Assign Dashboard to Prolaborate User Groups

If you have assigned access permissions to Prolaborate user groups, you should assign a dashboard as a landing page for those groups. Click on Menu > User Groups.

Edit the group and set the newly created dashboard as the Default Dashboard for this group.

Repeat this step for all groups.

Frequently asked questions on Active Directory Integration.

How does it work?

Let’s quickly recap how these steps help us achieve the goals we mentioned at the start of this article.

When an AD user logs in, he/she

  1. Sees relevant EA model content in the Repository Browser as per the access set to the groups that user is part of and
  2. Is presented with a dashboard or ’My diagrams’ page with important model information

Every single AD user will have a seamless experience as the relevant and important information is shared and presented to them.

The admins don’t have to do anything at all even if there are changes to the groups in Active Directory or Prolaborate.

Our goal here is achieved as we deliver the best experience with minimal effort to all!

Perform Mandatory Sync between Prolaborate and Active Directory

Whenever a user from an AD group logs in, Prolaborate creates a local user account.

This is to enhance the user experience and provide special capabilities/access to that user. For example, the local user account lets the users add a profile picture, take up admin tasks, and access a few profile capabilities.

Note that the local user account created by Prolaborate is not associated with authentication. Authentication happens only as per the AD configuration.

Note:
  • It is highly recommended that Prolaborate Admins perform a synchronization of users between AD and Prolaborate whenever a user is removed from AD. It is recommended to perform this at least once a week or month.

To sync the user accounts, click on Menu > Users.

In the Users page, click on Active Directory Groups and then on Sync Users.

When you click on Sync Users, the users who are neither present in any group in the AD Groups list nor directly added to the Users list from AD are shown. You can either inactivate them, which prevents them from logging in to Prolaborate, or leave them as they are.

Learn more here.
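The login rule (an AD group the user belongs to is added to Prolaborate, or the user is added directly) and the Sync Users listing described above can be modelled on constructed data, as an added example that is not Prolaborate's code. The data layout, the names `LocalAccount`, `can_log_in` and `sync_candidates`, and the admins-first ordering are assumptions made for illustration.

```python
"""Illustrative model of the login and Sync Users rules described above.
Not Prolaborate code: the data layout and all names are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class LocalAccount:
    """Local account created at first login (hypothetical shape)."""
    username: str
    is_admin: bool = False
    active: bool = True


def can_log_in(user, ad_membership, mapped_groups, direct_users):
    """Option 1: one of the user's AD groups is added. Option 2: user added directly."""
    # Assumption: an account that no longer exists in AD satisfies neither option.
    if user not in ad_membership:
        return False
    return user in direct_users or bool(ad_membership[user] & mapped_groups)


def sync_candidates(accounts, ad_membership, mapped_groups, direct_users):
    """Active local accounts that satisfy neither option, admin accounts first."""
    stale = [a for a in accounts
             if a.active and not can_log_in(a.username, ad_membership,
                                            mapped_groups, direct_users)]
    return sorted(stale, key=lambda a: (not a.is_admin, a.username))


# Constructed sample data (not taken from a real directory).
AD_MEMBERSHIP = {                 # user -> AD groups the user is in today
    "alice": {"EA-Architects"},
    "bob": {"Finance"},           # was moved out of EA-Architects
    "carol": set(),               # in AD without groups, added directly
    "erin": {"EA-Reviewers"},
}                                 # "dave" has been removed from AD
MAPPED_GROUPS = {"EA-Architects", "EA-Reviewers"}   # AD groups added to Prolaborate
DIRECT_USERS = {"carol"}                            # AD users added directly
ACCOUNTS = [
    LocalAccount("alice"), LocalAccount("bob"), LocalAccount("carol"),
    LocalAccount("dave", is_admin=True), LocalAccount("erin"),
    LocalAccount("frank", active=False),            # already inactivated
]

if __name__ == "__main__":
    for acct in sync_candidates(ACCOUNTS, AD_MEMBERSHIP, MAPPED_GROUPS, DIRECT_USERS):
        print(f"review: {acct.username} ({'admin' if acct.is_admin else 'user'})")
```

Listing local accounts with admin rights first puts the ones most worth inactivating at the top of the review.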

How to grant Admin Access for an AD user?

To make the AD user an admin, go to the Users page, edit the user, and make the user an admin. The user will now have access to all admin capabilities.

How to modify access permissions for an AD User?

This feature assists in providing permissions to specific capabilities to a user with admin access.

For example,

  1. If you want to let users manage access permissions but not add or remove users, or just manage dashboards.
  2. If you want this group to just manage dashboards, enable Dashboards.

This can be achieved through the Prolaborate User Groups functionality.

To provide role-based admin access to specific AD users or groups, click on Menu > User Groups.

  1. Create a user group and add the required AD users or groups to it.
  2. Select the Feature Sets you want this group to have access to.