Integrate PowerOne with Active Directory

Administrators can integrate PowerOne with a single external Active Directory (AD) service. This integration simplifies PowerOne access management, improves security by reducing identity and authorization silos, and further uses your AD investment.

To integrate with AD, administrators must provide the following details:

Host
Name of the server where the Active Directory service is hosted
Bind DN
Distinguished name (DN) of a user who is authorized to access the contents of the AD tree
Password
Password of the user described by the Bind DN
Users DN
DN describing the entry where the users are located in the directory tree
Groups DN
DN describing the entry where the groups are located in the directory tree (in most cases, Groups DN is the same as the Users DN)

Administrators can choose a secured AD connection (LDAP over SSL) or an unsecured connection (LDAP) from the Settings > Directory Services page. For a secured connection, the administrator must upload a certificate from the AD host. The certificate must be Base64-encoded. When the administrator uploads the certificate, it is added to the keystore of the PowerOne internal authentication service. If an administrator has already uploaded a certificate, a job is initiated and the certificate install option is disabled until the job is completed. The administrator can monitor the job's progress in the Directory Services page or through the entry in the Jobs page. When a certificate upload is in progress, no other Administrator users should attempt to upload a certificate.

Administrators can perform a connection test before saving the AD services integration. This connection test is enforced when the administrator performs the integration through PowerOne Navigator. After a successful integration with AD services, administrators can assign roles to groups from the AD service. Use the common name (CN) of a group when defining these role assignments.

These roles control the access of users within the assigned group:

Administrator
Perform all PowerOne operations; view user roles; add, modify, and delete users
Read-Only
View user roles and PowerOne configuration, except for sensitive data
CRG Administrator
Manage CRGs and Platform Controllers; view user roles and PowerOne configuration including component credentials
Security Administrator
Manage component and Platform Controller credentials; view user roles and PowerOne configuration
CRG Automation
Create, modify, and delete CRGs using the PowerOne Controller API; no access to PowerOne Navigator*

*The CRG Automation role is used to manage CRGs through the Controller API but a user with this role does not have permission to access Navigator.

Administrators can update the details of the existing AD services connection. They can perform the connection test with the new values before updating an existing integration. When updating AD service values, Navigator automatically performs a connection test if the user has not manually performed a successful test.

When external AD users log in to PowerOne using Navigator or the Controller API, they must use their User Principal Name (UPN) as the username (for example, user@domain). External users must be members of a group that is assigned to a role in PowerOne to access PowerOne. Local users in PowerOne continue to have access according to the permissions assigned to them.

When an external AD user is a member of multiple groups and more than one of these groups has a role assigned, it is possible for the user to have multiple roles assigned to them. As a result, the user has the cumulative permissions that are associated with each role.

When the administrator removes the AD service connection, the role assignments associated with remote groups are also removed. The result is that all users in AD are denied access to PowerOne.
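As an added example that is not PowerOne's own code, the following Python models the access rules described above: the UPN requirement, matching a user's AD group CNs against the role assignments, the cumulative permissions of a user who holds several roles, and denial when no assigned group matches (which is also the state after the AD connection is removed). The permission labels, group names and function names are constructed for illustration.

```python
import re
from typing import Dict, Iterable, Set

# Constructed labels summarising the role table on this page (not PowerOne identifiers).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "Administrator": {"all-operations", "view-roles", "manage-users"},
    "Read-Only": {"view-roles", "view-config"},
    "CRG Administrator": {"manage-crgs", "manage-platform-controllers",
                          "view-roles", "view-config", "view-credentials"},
    "Security Administrator": {"manage-credentials", "view-roles", "view-config"},
    "CRG Automation": {"manage-crgs-api"},  # Controller API only, no Navigator access
}


def is_upn(username: str) -> bool:
    """External AD users must log in as user@domain."""
    return re.fullmatch(r"[^@\s]+@[^@\s]+", username) is not None


def group_cn(dn: str) -> str:
    """Return the CN of a group DN (RFC 4514 escapes such as '\\,' are unescaped); '' if absent."""
    m = re.match(r"CN=((?:\\.|[^,])+)", dn, re.IGNORECASE)
    return re.sub(r"\\(.)", r"\1", m.group(1)).strip() if m else ""


def _deny(reason: str) -> dict:
    return {"allowed": False, "reason": reason, "roles": set(), "permissions": set(), "navigator": False}


def resolve_access(upn: str, member_of: Iterable[str], assignments: Dict[str, str]) -> dict:
    """assignments maps a group CN to the PowerOne role assigned to it.
    An empty mapping models the state after the AD connection has been removed."""
    if not is_upn(upn):
        return _deny("username is not a UPN (user@domain)")
    # AD names are case-insensitive, so compare CNs case-folded.
    assigned = {cn.casefold(): role for cn, role in assignments.items()}
    roles = {assigned[cn.casefold()] for cn in map(group_cn, member_of) if cn.casefold() in assigned}
    if not roles:
        return _deny("no group membership is assigned to a role")
    # A user in several assigned groups gets the cumulative permissions of every role.
    permissions = set().union(*(ROLE_PERMISSIONS[r] for r in roles))
    # The page states only CRG Automation lacks Navigator access; the other roles are assumed to have it.
    navigator = any(r != "CRG Automation" for r in roles)
    return {"allowed": True, "reason": "", "roles": roles, "permissions": permissions, "navigator": navigator}
```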