As I am sure many of you have seen, we have been working on a bunch of new features for 10.1 for a while now. We have successfully gone through three beta rounds with customers, and you can view all the comments and feedback here.
Before you ask, no, this release is not Generally Available yet; however, we do anticipate going into the Release Candidate (RC) phase soon (see "Why Should I Care About Release Candidates?" for background). If you are an Orion NPM customer with active maintenance and wish to participate in the RC, please fill out this survey here.
One of the larger features we added to 10.1 is native Active Directory authentication (with group support). Prior to this upcoming release, Orion supported local authentication against the SQL database or Windows pass-through. For those of you who have Orion in production, you will not need to change anything when you upgrade to 10.1; everything will continue to work as it always has. Going forward, you simply have additional options to choose from for authentication into Orion.
We chose to expand authentication support because many of our customers use Active Directory as the standard way of distributing permissions. This eases some of the administrative overhead of managing user accounts, allowing you to manage them in one place instead of having unique accounts in products all over the place.
Let's walk through how you would go about setting up and using this feature.
1. In the Settings section of the web console, under Manage Accounts, you will see we rearranged things a bit. When I click on Add New Account, I enter the add user wizard.
2. I can now select which type of account I want to add; a local Orion account, an individual Active Directory user account or an Active Directory Group account. For this walk through, I’ll select individual Active Directory user account.
3. Next, I'll specify the account I want to use to search the Active Directory domain SWDEV, enter the domain I wish to search, and execute the search. I can now browse to my name and select it. If I wanted, I could have searched for swdev\brandon.* as well, for example.
4. Just like you have always done when adding local Orion accounts, you specify permission, view limitations etc. for this account and submit.
Now when I log in, if you look at the upper right hand corner of the browser, which I have circled in yellow, you can see I am logged in with my SWDEV/brandon.shopp account.
The user flow for adding an Active Directory Group is the exact same we just walked through, except instead of adding individual user accounts, you add the Active Directory group as seen below.
My SWDEV/brandon.shopp account belongs to this group and I deleted the individual account I created above. Now when I log in, as seen circled in yellow below, it will show me my user account as well as the group I belong to.
A good question I heard in beta was “Brandon, what if an Active Directory user account belongs to multiple groups?”
One of the challenges we faced with supporting AD groups is how to handle the fact that most user accounts are members of multiple groups. With multiple memberships, it's unclear what to do with the user's permissions. We could give them the sum of all permissions, but how do you handle direct conflicts (e.g., Group 1 says "allow" and Group 2 says "deny")? There are multiple perfectly fine ways to solve the problem, depending on what you want to optimize. The solution we chose emphasizes transparency, because Orion's permissions are fairly straightforward and we want to keep them that way. Consequently, Orion will only consider the first group membership it encounters, and the administrator determines the order in which it encounters groups. So if SWDEV/brandon.shopp were a member of two Active Directory groups, we would go down the list as defined within the Groups tab in the Orion UI to the first group to which this account belongs and grant the user that group's access.
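To make the first-match rule concrete, here is a small Python model of the two resolution strategies discussed above: the "sum of all permissions" approach and the ordered first-match approach Orion 10.1 uses. This is an added example, not SolarWinds' code; the group names, permission fields, the user's membership list and the case-insensitive name comparison are all constructed assumptions for illustration. It shows that with the first-match policy the administrator's ordering of the Groups tab alone decides the outcome, and that a user who matches no configured group gets nothing.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Sequence


@dataclass(frozen=True)
class OrionGroup:
    """An Active Directory group account as defined in Orion, carrying the
    permissions the administrator assigned to it (hypothetical fields)."""
    name: str                    # e.g. "SWDEV\\NetOps" (constructed)
    allow_admin: bool
    allow_node_management: bool


def _norm(name: str) -> str:
    # AD names are case-insensitive; comparing lower-cased, trimmed names is an
    # assumption about how a resolver would match them, not Orion's documented rule.
    return name.strip().lower()


def resolve_first_match(user_groups: Iterable[str],
                        ordered_groups: Sequence[OrionGroup]) -> Optional[OrionGroup]:
    """First-match policy: walk the Orion Groups tab in the admin-defined order
    and stop at the first group the user belongs to. Groups further down the
    list are ignored even if the user is also a member of them. Returns None
    when the user matches no configured group (no access granted)."""
    memberships = {_norm(g) for g in user_groups}
    for group in ordered_groups:
        if _norm(group.name) in memberships:
            return group
    return None


def resolve_union(user_groups: Iterable[str],
                  ordered_groups: Sequence[OrionGroup]) -> Optional[Dict[str, object]]:
    """The alternative the post rejects: sum the permissions of every matching
    group. An 'allow' in any one group wins, so a 'deny' elsewhere is silently
    overridden and the admin has no single place to reason about the result."""
    memberships = {_norm(g) for g in user_groups}
    matched: List[OrionGroup] = [g for g in ordered_groups if _norm(g.name) in memberships]
    if not matched:
        return None
    return {
        "allow_admin": any(g.allow_admin for g in matched),
        "allow_node_management": any(g.allow_node_management for g in matched),
        "matched": [g.name for g in matched],
    }


# Constructed sample: two Orion group accounts with conflicting permissions.
NETOPS = OrionGroup("SWDEV\\NetOps", allow_admin=False, allow_node_management=True)
ADMINS = OrionGroup("SWDEV\\Orion-Admins", allow_admin=True, allow_node_management=True)

# Constructed AD memberships for a user, as a resolver would receive them from a
# group lookup. The user is in both Orion groups (one in different case) plus an
# unrelated group that is not defined in Orion at all.
USER_GROUPS = ["SWDEV\\Domain Users", "SWDEV\\NetOps", "swdev\\orion-admins"]


if __name__ == "__main__":
    # Same user, same memberships: only the Groups tab order changes the answer.
    print("NetOps first :", resolve_first_match(USER_GROUPS, [NETOPS, ADMINS]).name)
    print("Admins first :", resolve_first_match(USER_GROUPS, [ADMINS, NETOPS]).name)
    print("No match     :", resolve_first_match(["SWDEV\\Domain Users"], [NETOPS, ADMINS]))
    print("Union        :", resolve_union(USER_GROUPS, [NETOPS, ADMINS]))
```

The point of keeping both resolvers side by side is auditability: with `resolve_first_match`, an administrator can predict a user's effective rights by reading the Groups tab top to bottom, whereas with `resolve_union` the most permissive group always wins and a deliberately restrictive group lower in the list has no effect.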
The next question I heard a couple of times was "If I'm logged into my laptop, which is in the domain, do I need to log into the Orion web console again?" As long as that account belongs to a group or has been individually defined, the answer is no. If you don't like this behavior, it is a global setting which you can turn off.
One additional item worth noting regarding this new feature: even though I focused mainly on Active Directory above, we will also support authentication for Windows users and groups on the local Orion server.
That’s it for Active Directory with Groups. Please let me know if you have any questions or comments.