The Security → Security Groups page can be reached by clicking the  menu item.

User Account Control

Active Directory Authentication types

Flowster Studio uses two values for the authentication type in the Active Directory entries: Secure and Secure Socket Layer.

Secure: Requests secure authentication. When this flag is set, the WinNT provider uses NTLM to authenticate the client. Active Directory Domain Services uses Kerberos, and possibly NTLM, to authenticate the client. When the user name and password are a null reference (Nothing in Visual Basic), ADSI binds to the object using the security context of the calling thread, which is either the security context of the user account under which the application is running or of the client user account that the calling thread is impersonating.

Secure Socket Layer: Attaches a cryptographic signature to the message that both identifies the sender and ensures that the message has not been modified in transit. Active Directory Domain Services requires the Certificate Server be installed to support Secure Sockets Layer (SSL) encryption.

Active Directory supports both Kerberos and NTLM. Windows will first try Kerberos and, if all the requirements are not met, it will fall back to NTLM.

Kerberos is the default authentication method for AD. It can fall back to NTLM in some cases, but that is handled by Windows itself. Kerberos is used every time a login to an AD is made.

As an example, accessing a file share by name, like \\server1\share, would invoke Kerberos and should succeed given proper permission. But accessing the same file share using an IP address would invoke Kerberos first and fail (as there is no SPN for an IP address) and then fail over to NTLM.
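The fallback described above can be seen on the server side in its logon events. The following is an added example, not part of the Flowster documentation: it separates NTLM logons by accounts that also use Kerberos (the access-by-IP case) from accounts that only ever use NTLM. The JSON-lines export format, the function names and the sample events are constructed assumptions; the field names are those of Windows Security event 4624.

```python
import json
from collections import Counter

# Constructed sample: Security event 4624 (logon) records exported as JSON lines.
# The export format is an assumption; field names follow the 4624 event data.
SAMPLE = """\
{"EventID": 4624, "LogonType": 3, "TargetUserName": "alice", "AuthenticationPackageName": "Kerberos", "LmPackageName": "-", "IpAddress": "10.0.0.21"}
{"EventID": 4624, "LogonType": 3, "TargetUserName": "alice", "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2", "IpAddress": "10.0.0.21"}
{"EventID": 4624, "LogonType": 3, "TargetUserName": "ALICE", "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2", "IpAddress": "10.0.0.21"}
{"EventID": 4624, "LogonType": 3, "TargetUserName": "bob", "AuthenticationPackageName": "Kerberos", "LmPackageName": "-", "IpAddress": "10.0.0.22"}
{"EventID": 4624, "LogonType": 3, "TargetUserName": "svc_scan", "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V1", "IpAddress": "10.0.0.40"}
{"EventID": 4634, "TargetUserName": "bob"}
not-json-line
"""

def network_logons(text):
    """Yield network logons (event 4624, LogonType 3); skip anything else."""
    for line in text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line
        if isinstance(ev, dict) and ev.get("EventID") == 4624 and ev.get("LogonType") == 3:
            yield ev

def summarize(text):
    """Split NTLM logons into Kerberos-capable fallbacks and NTLM-only accounts."""
    kerberos_users, ntlm, ntlmv1 = set(), Counter(), set()
    for ev in network_logons(text):
        user = str(ev.get("TargetUserName", "")).lower()  # account names are case-insensitive
        package = ev.get("AuthenticationPackageName")
        if package == "Kerberos":
            kerberos_users.add(user)
        elif package == "NTLM":
            ntlm[(user, ev.get("IpAddress", "-"))] += 1
            if ev.get("LmPackageName") == "NTLM V1":
                ntlmv1.add(user)
    return {
        # Same account also uses Kerberos: likely access by IP address or a missing SPN.
        "fallback": {k: n for k, n in ntlm.items() if k[0] in kerberos_users},
        # Never seen with Kerberos: client or account that only speaks NTLM.
        "ntlm_only": sorted({u for u, _ in ntlm if u not in kerberos_users}),
        "ntlmv1": sorted(ntlmv1),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Entries under `fallback` are keyed by account and source address, which points to the client that is reaching the server by IP address rather than by name.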

Here are some links for a better understanding of how the two protocols work:

https://msdn.microsoft.com/en-us/library/bb742516.aspx

https://blogs.msdn.microsoft.com/chiranth/2013/09/20/ntlm-want-to-know-how-it-works/

...

During installation, a super admin user must be entered in order to successfully install the application on a computer. The Super Admin set during installation, which can be a custom user (custom users are database users, thus no authentication provider is required) or a user selected from an Active Directory OU, is the only one that can access Flowster Studio components at login. This user will be the only one that can define other Active Directory, Google, Azure or Local/Custom users/groups as super administrators or users, by adding them into specific security group types.

The predefined SuperAdmins group cannot be deleted from Administrator. Also, if there is only 1 user in the SuperAdmins group, that user will not be deleted (there should be at least 1 user in this type of group).


The following operations can be performed on the SuperAdmins group:

...

The Update cache for users button can be used when the data (e.g. users) was not automatically updated from the database.

Load only custom users: if this option is checked, the user can see only the custom users spread through all security groups.

Export Custom Users: 

  • click on Export Custom Users
  • the custom users will be exported in a csv file

Import Custom Users:

  • click Choose file 
  • select the csv file that you want to import
  • click Import

Note: Passwords can be filled in the csv file and imported with the user's data. Dates can be modified, but the dd/mm/yyyy format must be kept.


Other Security Groups

Administrator gives users the possibility to create an unlimited number of security groups and subgroups, as well as to add Active Directory, Google, Azure or Local users or groups into manually created groups.

...

  • Perform a filter (the Browse AD tab) or a search operation (the Search AD tab) on the Active Directory Forest.
  • Click the Browse or Search button, depending on the toggle.
  • Select the desired AD group(s) or user(s) and click Add Selected (for Browse AD). If performing an AD Search, all found Active Directory entries can be added by clicking the Add All Found button.
  • All selected and added information will be displayed in the Final List area. If desired, items can be removed from this area (select item(s) and click Remove Selected) or the whole list can be cleared (click Clear). If the list is cleared, other data must be added in order to complete this operation.
  • Click Finish in order to add all selected items to the selected security group/subgroup.
  • Check the group to see if the Active Directory or Local user/group was added under the selected group/subgroup.
  • Select the child to view the properties Display Name, FQDN, Identifier, Category and Member of in the Selected User Info panel.


  • Selecting an Azure provider:
    • The AD Browser window will open
    • Search for a User or a Group (if no value is set in the search filter then all the results will be displayed)
    • Select and add the desired users/groups into the Final List area and click Save Changes


  • Selecting a Google provider:
    • The AD Browser window will open
    • Insert a Google e-mail address
    • Insert a display name for the given address

                    

  • Selecting a Custom Provider 
    • The Add Custom Flowster User window will open
    • Insert Username
    • Click Generate Password - the Password and Confirm Password fields will be prefilled with the generated password
    • Check Change password at next login if you want to change the generated password at next login
    • Insert Email address
    • Insert Name
    • Choose activation date (optional)
    • Choose expiration date (optional)
    • Click Add User in order to save the configuration

...