Directory Services User Management

From myObjectiveOLAP Server 3.0.1 third party Directory Services authentication is supported as a means of authenticating client connections and allowing for myObjectiveOLAP access to be managed by your existing support teams.

Heterogeneous installations using Directory Services and Native User Store are also supported. Native User management is still supported and will continue to be so.

Overview of Directory Services Implementation

The following diagram details the implementation of the Directory Services myObjectiveOLAP Server implementation.

Step	Description
1	End user starts the logon process to myObjectiveOLAP. The myObjectiveOLAP client contacts the domain and validates the users username & password.
2	Group membership information is passed to the myObjectiveOLAP client application. User details are also retrieved e.g. Site, Description, Telephone Number, Email, First Name, Surname
3	[Providing Username and Password correct in Step 1] myObjectiveOLAP initiates a connection with the myObjectiveOLAP Server and passes the information to the myObjectiveOLAP native user store and configures user profile based on group membership details.

Configuring myObjectiveOLAP for Directory Services Authentication

To configure myObjectiveOLAP for Directory Services Authentication you will need to update your mooApplicationSettings.xml file adding two new keys:

Authentication Keys

ACTIVED_AUTHENTICATION

Key Values Boolean [TRUE/FALSE] Determines whether Directory Services Authentication should be used. DEFAULT: Disabled, Native User Management in Effect

ACTIVED_AUTHENTICATION_DOMAIN

Key Value String. Name of your Domain. DEFAULT: Disabled, Native User Management in Effect

You can copy and paste the following into your application settings file, adding your domain name details.

<Key>ACTIVED_AUTHENTICATION</Key>

</Settings>

<Key>ACTIVED_AUTHENTICATION_DOMAIN</Key>

<Value>YOUR_DOMAIN_NAME</Value>

</Settings>

Our example settings file is shown below:

Your mooApplicationSettings.xml file is only read on start-up of the client application (Excel). If you have already started the Excel session you wish to connect from you should restart Excel.

Creating Standard Groups

A minimum of two groups are required for Directory Services authentication.

Group	Description
myObjectiveOLAP	End user group, user does not have access to any administration functions
myObjectiveOLAPAdmin	Admin group, user can access all functionality, including process, workflow, and session management.

These should be created as follows (example shows creating users and groups through the Windows Server 2012 Active Directory Users and Computers control):

1) Create a new Group:

2) Call the new group "myObjectiveOLAP"

3) Repeat Step 1 & 2, but create this group as "myObjectiveOLAPAdmin"

Creating a User and Assigning to the myObjectiveOLAP Groups

In this example we will go through the steps of creating a brand new user and provisioning them for myObjectiveOLAP access

1) Create a new user

2) Complete basic information about our new user

3) Set an initial password.

IMPORTANT: In a real world scenario you will probably select "User must change password at next logon". If you are testing and not planning to logon to a computer to change the password before attempting to access myObjectiveOLAP you should un-check this box as Active Directory will not authenticate any third party authentication until the password has been changed.