1. What happens access-wise to a user that belongs to multiple groups?
The user receives the union of the access rights associated with each group he belongs to.
Example: John Smith belongs to the HR and Finance groups, which have been added to Orchestrator. The HR group has the Management role and access to the HR folder; the Finance group has the Executor role and access to the Finance folder. Being part of both groups, John has the Management and Executor roles and access to both the HR and Finance folders.
2. What happens access-wise when a user is also added separately alongside a group it belongs to?
The user receives the union of the access rights associated with the group he belongs to and the ones explicitly set. Keep in mind that inherited access rights are dependent on group settings, and that explicitly set access rights are independent of group settings.
Example: John Smith has been individually added from AD and explicitly given the Executor role and access to the Finance folder. The HR group (of which John is a member) has also been added to Orchestrator, and given the Management role and access to the HR folder. John has the Executor and Management roles, and access to both the HR and Finance folders. If he is removed from the HR group at AD level, he loses the Management role and access to the HR folder, but keeps the ones set explicitly.
3. My user belongs to two groups, the first one allows automatic Robot creation, the second doesn't. Does a Robot get created for my user or not?
Since a user receives the union of the rights associated with all the groups he belongs to, a Robot gets created for your user based on the configuration made for the first group.
4. I deleted/deactivated a directory group. Will the associated directory users still be able to log in?
No, if you did not set access rights explicitly for them. Yes, if you granted them access rights individually in Orchestrator. Inherited access rights are only kept for the duration of the active user session. Only explicitly set access rights persist between sessions. Deleting or deactivating a directory group deletes inherited rights, but does nothing to those which have been explicitly set.
5. When do changes made to an AD group take effect in Orchestrator?
Changes made to your AD groups, such as adding, moving or deleting a user, are picked up by Orchestrator at each user login, or once every 60 minutes for active sessions. 60 minutes is the default value and it can be changed in web.config through the WindowsAuth.GroupMembershipCacheExpireHours parameter.
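The union rules from questions 1 to 4, as an added example that is not part of the original page and is not Orchestrator's own code: a small Python model that computes a user's effective rights and what remains after a group is deleted or deactivated, which is the check to run before relying on group removal to revoke access. The `Grant` structure, the function names and the sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Grant:
    roles: frozenset = frozenset()
    folders: frozenset = frozenset()
    auto_robot: bool = False  # automatic Robot creation setting

def merge(grants):
    """Union of rights: roles and folders accumulate, any True flag wins."""
    roles, folders, robot = set(), set(), False
    for g in grants:
        roles |= g.roles
        folders |= g.folders
        robot = robot or g.auto_robot
    return Grant(frozenset(roles), frozenset(folders), robot)

def effective(user, ad_members, group_grants, explicit):
    """Rights held by user: inherited from every active group plus explicit ones.

    ad_members:   group name -> set of users (directory state)
    group_grants: group name -> Grant, only groups active in Orchestrator
    explicit:     user -> Grant set individually in Orchestrator
    """
    inherited = [g for name, g in group_grants.items()
                 if user in ad_members.get(name, set())]
    return merge(inherited + [explicit.get(user, Grant())])

def residual_after_group_removal(user, group, ad_members, group_grants, explicit):
    """Rights that remain once `group` is deleted or deactivated."""
    remaining = {n: g for n, g in group_grants.items() if n != group}
    return effective(user, ad_members, remaining, explicit)

# Constructed sample data mirroring the John Smith example in question 2;
# the auto_robot flag on HR is an added assumption to illustrate question 3.
AD = {"HR": {"john.smith"}, "Finance": {"john.smith"}}
GROUPS = {"HR": Grant(frozenset({"Management"}), frozenset({"HR"}), auto_robot=True)}
EXPLICIT = {"john.smith": Grant(frozenset({"Executor"}), frozenset({"Finance"}))}

if __name__ == "__main__":
    print("effective:", effective("john.smith", AD, GROUPS, EXPLICIT))
    print("after HR removal:",
          residual_after_group_removal("john.smith", "HR", AD, GROUPS, EXPLICIT))
```

A non-empty result from `residual_after_group_removal` identifies users whose access survives the group change because it was granted explicitly.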