4.1 Managing Users and Groups

Aegis supports user and group accounts imported from Active Directory (AD) and from the local Security Account Manager (SAM) database on the Aegis Server computer, as well as internal Aegis users and groups. You cannot modify imported user and group accounts in Aegis; they are managed in AD or the SAM database, and you can configure Aegis to automatically synchronize the imported accounts with any changes made there. For more information about account synchronization, see Section 4.1.2, Understanding User and Group Synchronization.

4.1.1 Default Groups

Aegis provides the following default groups, each of which is associated with a default permission set at the global level to determine product access. For more information about default permission sets, see Section 4.2.1, Default Permission Sets.

Administrators

Aegis imports the local Administrators group during the installation procedure and associates the group with the Aegis Administration permission set. Because the group is imported, you cannot edit its membership in Aegis: every member of the local Administrators group on the Aegis Server computer, including members of any domain groups nested in it, has full Aegis rights, so review and control that membership in the SAM database rather than in Aegis.

Aegis Administrators

User and group accounts associated with the Aegis Administrators group have the permissions to perform all Aegis functions.

Aegis Administrators typically install Aegis and the Aegis adapters. They use the Configuration Console and the Adapter Configuration Utility to configure, manage, and maintain Aegis, including security and user setup. They might also be responsible for consulting with discipline experts.

Aegis Managers

User and group accounts associated with the Aegis Managers group have all the permissions associated with the Aegis Management permission set.

Aegis Users

User and group accounts associated with the Aegis Users group have all the permissions associated with the Resource Viewing permission set. Aegis adds all imported users to the Aegis Users group, so every imported user can view resources as soon as the import completes.

Process Authors

User and group accounts associated with the Process Authors group have all the permissions associated with the Process Authoring, Process Operation, and Process Viewing permission sets.

Process Authors interact mainly with the Workflow Designer to create and maintain triggers, triggering event definitions, and process workflows.

Process Operators

User and group accounts associated with the Process Operators group have all the permissions associated with the Process Operation and Process Viewing permission sets.

Process Operators interact mainly with the Operations Console to:

  • View processes and associated work items, including activity details, related events, and supporting analysis.

  • Manually trigger work items. For example, an HR manager can trigger a workflow to create a new account for a new employee.

  • Monitor and supply input to active work items.

  • Terminate work items.

Process Operators can also use the Configuration Console to view processes and workflow revisions.

Process Viewers

User and group accounts associated with the Process Viewers group have all the permissions associated with the Process Viewing permission set.
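The following PowerShell script is an added example, not part of the Aegis documentation or product. It lists the members of the local Administrators group that Aegis imports at installation, since each of them receives the Aegis Administration permission set, and flags nested groups, whose members can change in AD without any change on the Aegis Server computer. It assumes PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module; the function name Get-AegisImplicitAdmins is the example's own.

```powershell
# Added example (not from the Aegis documentation): list who will receive the
# Aegis Administration permission set through the imported local Administrators group.
# Assumes PowerShell 5.1+ on the Aegis Server computer with the
# Microsoft.PowerShell.LocalAccounts module (Get-LocalGroupMember).
# Run it before installation and repeat it periodically: Aegis does not let you
# edit the imported group, so its membership is controlled entirely in the local SAM.

function Get-AegisImplicitAdmins {
    [CmdletBinding()]
    param(
        # Name of the local group that Aegis imports during installation.
        [string]$GroupName = 'Administrators'
    )
    Get-LocalGroupMember -Group $GroupName | ForEach-Object {
        [pscustomobject]@{
            Member           = $_.Name
            Type             = $_.ObjectClass      # User or Group
            Source           = $_.PrincipalSource  # Local, ActiveDirectory, MicrosoftAccount
            SID              = $_.SID.Value
            # A nested group grants Aegis Administration to everyone in it, including
            # members added later in AD without any change on this host.
            NeedsGroupReview = ($_.ObjectClass -eq 'Group')
        }
    }
}

$admins = @(Get-AegisImplicitAdmins)
$admins | Format-Table -AutoSize

$nested = @($admins | Where-Object { $_.NeedsGroupReview })
if ($nested.Count -gt 0) {
    Write-Warning ("{0} nested group(s) in local Administrators will hold Aegis Administration: {1}" -f `
        $nested.Count, ($nested.Member -join ', '))
}
```

Run the script in an elevated PowerShell session on the Aegis Server computer. Anything reported with Type Group deserves a second look in AD, because Aegis evaluates that group's membership through synchronization rather than through anything you configure in Aegis.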

4.1.2 Understanding User and Group Synchronization

By default, Aegis periodically checks AD and the SAM database for changes to imported user and group accounts. If Aegis detects changes to the attributes it supports, it automatically synchronizes imported accounts with the updated attributes. Aegis also retrieves the groups to which the imported user and group accounts belong in AD and the SAM database, which allows Aegis to correctly handle permission assignments to parent groups.

To synchronize domain accounts, ensure the Aegis Namespace Provider service account has at least read privileges for the specified domain. Read access is sufficient for synchronization, so do not grant the service account more than that. If the service account does not have proper rights in the domain, Aegis cannot synchronize attributes and parent groups for domain accounts, which prevents Aegis from displaying the associated parent groups in the Configuration Console and from applying permissions assigned to those parent groups. For more information about the service account, see Section 2.2.5, Understanding Aegis Application Credentials. For more information about synchronizing user and group accounts in a one-way trust, see Trusted Domains.
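The following PowerShell script is an added example, not part of the Aegis documentation or product. It checks, using the service account's own credentials, whether that account can read an imported user in the domain and resolve the user's parent groups, which is what synchronization needs in order to honour permission assignments made to parent groups. The domain name, the service account name and the user name are placeholders, the function name Test-AegisSyncAccess is the example's own, and the script relies on the .NET System.DirectoryServices.AccountManagement assembly on a domain-joined computer that can reach a domain controller.

```powershell
# Added example (not from the Aegis documentation): verify that the Aegis Namespace
# Provider service account can read the domain and resolve parent groups of an
# imported account, as synchronization requires.
# Assumptions: domain, service account and user names below are placeholders;
# runs on a domain-joined computer using System.DirectoryServices.AccountManagement.

Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Test-AegisSyncAccess {
    param(
        [Parameter(Mandatory)][string]$Domain,                # placeholder, e.g. 'corp.example.com'
        [Parameter(Mandatory)][pscredential]$ServiceAccount,  # Aegis Namespace Provider service account
        [Parameter(Mandatory)][string]$ImportedUser           # sAMAccountName of an imported AD user
    )

    $am = 'System.DirectoryServices.AccountManagement'
    try {
        # Bind with the service account's credentials, not the caller's, so the result
        # reflects what the service sees at synchronization time.
        $ctx = New-Object "$am.PrincipalContext"(
            [System.DirectoryServices.AccountManagement.ContextType]::Domain,
            $Domain,
            $ServiceAccount.UserName,
            $ServiceAccount.GetNetworkCredential().Password)

        $user = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity(
            $ctx,
            [System.DirectoryServices.AccountManagement.IdentityType]::SamAccountName,
            $ImportedUser)
        if (-not $user) {
            return [pscustomobject]@{
                CanRead = $false
                Error   = "Cannot read $ImportedUser in $Domain as $($ServiceAccount.UserName)"
                ParentGroups = @()
            }
        }

        # GetAuthorizationGroups() expands nested membership; these are the parent
        # groups a permission assignment on a group would have to match.
        $groups = $user.GetAuthorizationGroups() |
            Where-Object { $_.SamAccountName } |
            ForEach-Object { $_.SamAccountName } |
            Sort-Object
        return [pscustomobject]@{ CanRead = $true; Error = $null; ParentGroups = @($groups) }
    } catch {
        # Bad credentials, no read permission, or no reachable domain controller all land here.
        return [pscustomobject]@{ CanRead = $false; Error = $_.Exception.Message; ParentGroups = @() }
    }
}

# Usage (placeholders): prompt for the password rather than storing it in the script.
$cred = Get-Credential -UserName 'CORP\svc-aegis-nsp' -Message 'Aegis Namespace Provider service account'
$result = Test-AegisSyncAccess -Domain 'corp.example.com' -ServiceAccount $cred -ImportedUser 'jdoe'
if (-not $result.CanRead) {
    Write-Warning "Synchronization of domain accounts will fail: $($result.Error)"
} else {
    $result.ParentGroups
}
```

If the check succeeds but a parent group you expect is missing from the list, the gap is in AD rather than in Aegis; if it fails, fix the service account's read access before troubleshooting synchronization in the Configuration Console.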

NOTE:

  • If the group memberships of a user account, or of a group that the user belongs to, change while the user is logged on to the Configuration Console, the user must log off and log back on to see the changes.

If you disable automatic synchronization, you must manually synchronize user and group accounts to import any changes. Until you do, Aegis continues to use the attributes and parent groups from the last synchronization, so accounts removed from a group in AD or the SAM database keep the permissions that group grants in Aegis.

To manually synchronize imported user and group accounts:

  1. In the Navigation pane, click Security.

  2. In the left pane, click one of the following:

    • Users

    • Groups

  3. In the view pane, select the account you want to synchronize.

  4. In the User Tasks or Group Tasks list, click Synchronize Now.

4.1.3 Importing Local Users

You can import local SAM user accounts from the SAM database on the computer where the Resource Management provider is running, typically the Aegis Server computer.

To import local SAM user accounts:

  1. In the Navigation pane, click Security.

  2. In the left pane, click Users.

  3. In the User Tasks list, click Import Local Users.

  4. On the Import Local Users window, select the local users you want to import into Aegis, and then click Import.

4.1.4 Importing Local Groups

You can import local SAM group accounts from the SAM database on the computer where the Resource Management provider is running, typically the Aegis Server computer.

To import local SAM groups:

  1. In the Navigation pane, click Security.

  2. In the left pane, click Groups.

  3. In the Group Tasks list, click Import Local Groups.

  4. On the Import Local Groups window, select the local groups you want to import into Aegis, and then click Import.

4.1.5 Creating an Aegis Group

You can create internal Aegis groups if there are no AD or SAM groups that suit your needs. Aegis groups allow you to group users and groups without having to modify any AD or SAM settings.

To create an Aegis group:

  1. In the Navigation pane, click Security.

  2. In the left pane, click Groups.

  3. In the Group Tasks list, click Create Aegis Group.

  4. On the General tab of the Create Aegis Group window, provide the appropriate information, and then click OK.