Organizational units
About organizational units
Organizational units provide an additional level of control for managing system resources. In addition to assigning access to resources by user profiles, the profiles that are created can also be organized into customized units.
Before users can be assigned to organizational units, the units must be defined by assigning an ID and description. By assigning a user to an organizational unit, the amount of information that the user can view in Mobile Enterprise Platform can be limited. When a user is assigned to an organizational unit, the user can only view or edit system information pertaining to other users also assigned to that unit.
Main is the default parent organizational unit. You cannot edit the Unit ID of the Main organizational unit. You are not required to define any other organizational units unless you want to configure and map multiple LDAP directories.
You can enter a physical address for each organizational unit.
LDAP configuration and mapping
Beginning in 9.0 SP6, each organizational unit can have a unique LDAP configuration. This allows you to set up multiple LDAP servers, and to use a different domain for any of your organizational units. As part of this update, LDAP configuration and mapping settings are now located on the organizational units page.
If your system is using LDAP security, the LDAP Configuration and LDAP Mapping tabs display when you add or edit an organizational unit.
The LDAP Configuration tab allows you to configure specific settings for LDAP security. These settings vary based on the type of server you want to configure.
The LDAP Mapping tab allows you to map LDAP attributes. These attributes define the information you want to extract from the LDAP directory. The LDAP Extraction Agent then uses that information to create and populate user profiles. The mapping is case sensitive.
AIM sessions
You can assign an AIM session to an organizational unit if you want the transactions generated from the AIM session to be associated with an organizational unit for review. For example, in a warehouse environment a single shop floor manager might be responsible for both the shipping and receiving teams. To manage which apps and system functionality each of these teams has access to, the system can be configured with a user profile for shipping and another profile for receiving. When the manager logs into any of the affected system components, the system data is automatically filtered such that only data that is pertinent to the two teams under the manager's supervision is displayed.
Add an organizational unit
You can define organizational units and then assign user profiles to them. A physical address can also be defined for each organizational unit.
To add an organizational unit, complete the following steps in Platform Manager.
- Go to Admin > Organizational Units.
- Select Add New Org Unit.
- For Unit ID, enter the 1 to 10 character ID for the organizational unit.
- For Parent, select the parent unit for the organizational unit.
- For Description, enter a unique description for the organizational unit.
- If your security settings are configured to use LDAP, for Distinguished Name, enter the unique distinguished name. Note: This field displays only when the security mode is set to LDAP.
- Optional. For Physical Address, enter the physical address information for the organizational unit in the provided fields.
- If your security settings are configured to use LDAP, complete the LDAP configuration task below that matches your directory type (Azure Active Directory, Microsoft Active Directory, Oracle Internet Directory, or Kerberos/NTLM).
- Select Save.
Postrequisite: If you are not using LDAP extraction, assign users to the new organizational unit. For more information, refer to Add a user profile or Edit a user profile.
Configure LDAP settings for Azure Active Directory
Beginning in 9.0 SP6, if your security settings are configured to use LDAP, the LDAP configuration and LDAP mapping tabs display when you add or edit an organizational unit. You can use these tabs to configure an Azure Active Directory server.
Prerequisites:
To configure LDAP settings for Azure Active Directory, complete the following steps in Platform Manager.
- In Admin > Organizational Units, on the LDAP Configuration tab, complete the following substeps, or select Inherit to populate the settings with those of the parent organizational unit. Note: Selecting Inherit overwrites any settings you have entered. To edit the inherited fields, select Edit.
  - For Server type, select Azure Active Directory.
  - For Login URL, enter the login URL for Azure Active Directory: https://login.microsoftonline.com.
  - For API URL, enter the root URL for the API request: https://graph.microsoft.com.
  - For API version, enter the version of the API request: 1.0.
  - For Domain name, enter the domain name for your Azure Active Directory, for example domain.com.
  - For Application ID, enter the application ID from Azure Active Directory: a 36 character alphanumeric string formatted as xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.
  - For Client Secret, enter the key provided by Azure Active Directory: a 40 character string formatted as xxxxx~xxxxxxxxxxxxxxxxxxxx~xxx~xxxxxxxxx. Note: The ~ character might be in different places for each client secret.
  - For Directory ID, enter the directory ID used by Azure Active Directory: a 36 character alphanumeric string formatted as xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.
  - Optional. To retrieve detailed logs after configuration, select the Detailed logging checkbox.
- On the LDAP Mapping tab, populate all mapping fields with the corresponding attribute for your Azure Active Directory. For additional details, refer to Organizational unit settings.
  - For User ID, enter the attribute you want to map. Example: userPrincipalName
  - For Last Name, enter the attribute you want to map. Example: surname
  - Optional. For First Name, enter the attribute you want to map. Example: givenName
  - Optional. For Language ID, enter the attribute you want to map. Example: preferredLanguage
  - For Email Address, enter the attribute you want to map. Example: mail
  - Optional. For Phone Number, enter the attribute you want to map. Example: telephoneNumber
  - Optional. For Generic Data, enter any other relevant attributes to pull information from the users.
  Note: These settings define what user information is extracted from your LDAP server when populating user profiles in Mobile Enterprise Platform. Mapping is case sensitive. If the proper case is not used, the user will not be extracted.
- Select Save.
Result: If you configure an LDAP server for a parent organizational unit, all child organizational units automatically inherit those settings.
Postrequisite: Edit a role or Define a custom role for each corresponding user role in Azure Active Directory.
Configure LDAP settings for Microsoft Active Directory
Beginning in 9.0 SP6, if your security settings are configured to use LDAP, the LDAP configuration and LDAP mapping tabs display when you add or edit an organizational unit. You can use these tabs to configure a Microsoft Active Directory server.
Prerequisites:
To configure LDAP settings for Microsoft Active Directory, complete the following steps in Platform Manager.
- In Admin > Organizational Units, on the LDAP Configuration tab, complete the following substeps, or select Inherit to populate the settings with those of the parent organizational unit. Note: Selecting Inherit overwrites any settings you have entered. To edit the inherited fields, select Edit.
  - For Server type, select Microsoft Active Directory.
  - If you are on an Advanced Inventory Cloud implementation, for Gateway, select the gateway you want to use. Note: This field displays only for Advanced Inventory Cloud customers. Cloud customers must have a registered gateway before configuring LDAP settings for Microsoft Active Directory. For more information, refer to Add a registered gateway.
  - For Host IP/Name, enter the host IP address or name of the LDAP server.
  - For Port, enter the port number.
  - For User ID, enter the user ID used to log on to the Active Directory server.
  - For Password, enter the password used to log on to the Active Directory server.
  - For Base DN, enter the LDAP directory's top level. Example: dc=xyzcompany, dc=com, where dc stands for domain component.
  - For Domain parts, enter the number of domain parts to use to authenticate the user ID. Example: If your domain is test.domain.com and the login is test\UserID, use 1 domain part. If the login is test.domain\UserID, use 2 domain parts.
  - Optional. To authenticate the user ID using the full domain name including the top level, select Include domain. Example: test.domain.com\UserID instead of test.domain\UserID.
  - Optional. To authenticate the user ID using the Universal Principal Name, select Use UPN format. Example: UserID@test.domain.com instead of test.domain\UserID.
  - Optional. To have the system authenticate to LDAP using the mapped Alternate LDAP user ID instead of the mapped Mobile Enterprise Platform User ID, select Use Alternate ID.
  - Optional. To allow a user to authenticate without a password, select Allow blank password.
  - Optional. To encrypt communication between the LDAP server and the system using secure socket layer (SSL) encryption, select Secure connection.
  - Optional. To enable logging of detailed messages, select Detailed logging.
- On the LDAP Mapping tab, populate all mapping fields with the corresponding attribute for your Microsoft Active Directory. For additional details, refer to Organizational unit settings.
  - For User ID and Alternate LDAP user ID, enter the attributes you want to map. Note: If you selected Use Alternate ID, the system uses the mapped Alternate LDAP user ID to authenticate users; otherwise it uses the mapped User ID. Example: uid
  - For Last Name, enter the attribute you want to map. Example: sn
  - Optional. For First Name, enter the attribute you want to map. Example: givenName
  - Optional. For Language ID, enter the attribute you want to map. Example: preferredLanguage
  - For Email Address, enter the attribute you want to map. Example: mail
  - Optional. For Phone Number, enter the attribute you want to map. Example: telephoneNumber
  - Optional. For Generic Data, enter any other relevant information to pull from the users.
  Note: These settings define what user information is extracted from your LDAP server when populating user profiles in Mobile Enterprise Platform. Mapping is case sensitive. If the proper case is not used, the user will not be extracted.
- Select Save.
Result: If you configure an LDAP server for a parent organizational unit, all child organizational units automatically inherit those settings.
Postrequisite: Edit a role or Define a custom role for each corresponding user role in Microsoft Active Directory.
Configure LDAP settings for Oracle Internet Directory
Beginning in 9.0 SP6, if your security settings are configured to use LDAP, the LDAP configuration and LDAP mapping tabs display when you add or edit an organizational unit. You can use these tabs to configure an Oracle Internet Directory server.
Prerequisites:
To configure LDAP settings for Oracle Internet Directory, complete the following steps in Platform Manager.
- In Admin > Organizational Units, on the LDAP Configuration tab, complete the following substeps, or select Inherit to populate the settings with those of the parent organizational unit. Note: Selecting Inherit overwrites any settings you have entered. To edit the inherited fields, select Edit.
  - For Server type, select Oracle Internet Directory.
  - If you are on an Advanced Inventory Cloud implementation, for Gateway, select the gateway you want to use. Note: This field displays only for Advanced Inventory Cloud customers. Cloud customers must have a registered gateway before configuring LDAP settings for Oracle Internet Directory. For more information, refer to Add a registered gateway.
  - For Host IP/Name, enter the host IP address or name of the LDAP server.
  - For Port, enter the port number.
  - For User ID, enter the user ID used to log on to the LDAP server.
  - For Password, enter the password used to log on to the LDAP server.
  - For Base DN, enter the LDAP directory's top level. Example: dc=xyzcompany, dc=com, where dc stands for domain component.
  - For Domain parts, enter the number of domain parts to use to authenticate the user ID. Example: If your domain is test.domain.com and the login is test\UserID, use 1 domain part. If the login is test.domain\UserID, use 2 domain parts.
  - Optional. To authenticate the user ID using the full domain name including the top level, select Include domain. Example: test.domain.com\UserID instead of test.domain\UserID.
  - Optional. To authenticate the user ID using the Universal Principal Name, select Use UPN format. Example: UserID@test.domain.com instead of test.domain\UserID.
  - Optional. To have the system authenticate to LDAP using the mapped Alternate LDAP user ID instead of the mapped Mobile Enterprise Platform User ID, select Use Alternate ID.
  - Optional. To allow a user to authenticate without a password, select Allow blank password.
  - Optional. To encrypt communication between the LDAP server and the system using secure socket layer (SSL) encryption, select Secure connection.
  - Optional. To enable logging of detailed messages, select Detailed logging.
- On the LDAP Mapping tab, populate all mapping fields with the corresponding attribute for your Oracle Internet Directory. For additional details, refer to Organizational unit settings.
  - For User ID and Alternate LDAP user ID, enter the attributes you want to map. Note: If you selected Use Alternate ID, the system uses the mapped Alternate LDAP user ID to authenticate users; otherwise it uses the mapped User ID. Example: uid
  - For Last Name, enter the attribute you want to map. Example: sn
  - Optional. For First Name, enter the attribute you want to map. Example: givenName
  - Optional. For Language ID, enter the attribute you want to map. Example: preferredLanguage
  - For Email Address, enter the attribute you want to map. Example: mail
  - Optional. For Phone Number, enter the attribute you want to map. Example: telephoneNumber
  - Optional. For Generic Data, enter any other relevant information to pull from the users.
  Note: These settings define what user information is extracted from your LDAP server when populating user profiles in Mobile Enterprise Platform. Mapping is case sensitive. If the proper case is not used, the user will not be extracted.
- Select Save.
Result: If you configure an LDAP server for a parent organizational unit, all child organizational units automatically inherit those settings.
Postrequisite: Edit a role or Define a custom role for each corresponding user role in Oracle Internet Directory.
Configure LDAP settings for Kerberos or NTLM
Beginning in 9.0 SP6, if your security settings are configured to use LDAP, the LDAP configuration and LDAP mapping tabs display when you add or edit an organizational unit. As of Cloud Inventory® Platform 9.5 SP2, you can use these tabs to configure a Kerberos or New Technology LAN Manager (NTLM) authentication.
Because Kerberos and NTLM are designed to authenticate over a non-secure network, they require a specific configuration in order to work. Cloud Inventory® Platform provides a configuration that negotiates the authentication connection for protocols such as Kerberos and NTLM.
Prerequisites:
To configure LDAP settings for Kerberos or NTLM, complete the following steps in Platform Manager.
- Open Admin > Organizational Units.
- Select Main.
- Select the LDAP Configuration tab.
- Scroll down to the Authentication Connection Type section.
- Select Negotiate connection.
Edit an organizational unit
You can edit the parent, description, distinguished name, and physical address of any organizational units that you create. Main is the root organizational unit created by the system, and you may not edit its parent. Beginning in 9.0 SP6, if your security mode is set to LDAP, you can edit the LDAP configuration and mapping settings for all organizational units.
To edit an organizational unit, complete the following steps in Platform Manager.
- Go to Admin > Organizational Units.
- Select the organizational unit you want to edit.
- In the Unit Identification section, edit any of the following information for the organizational unit.
  - For Parent, select the parent unit for the organizational unit.
  - For Description, enter a unique description for the organizational unit.
  - For Distinguished Name, enter the unique distinguished name.
- For Physical Address, edit any of the physical address information for the organizational unit in the provided fields.
- Optional. To edit the LDAP configuration and mapping settings for an organizational unit, complete the LDAP configuration task above that matches your directory type.
- When editing is complete, select Save.
Delete an organizational unit
Organizational units can be deleted.
To delete an organizational unit, complete the following steps in Platform Manager.
- Go to Admin > Organizational Units.
- Select the unit to delete.
- Select Delete.
Organizational unit settings
The following list outlines settings for organizational units.
Unit ID
Specifies the 1 to 10 character ID for the Organizational Unit.
Parent
The parent unit of the organizational unit being created. This can be drilled down by using the + and - buttons if there are multiple levels.
Description
Specifies a description for the organizational unit.
Distinguished name (DN) (Only applies if using LDAP security)
Specifies the Distinguished Name (DN) that allows the appropriate user information to be found in the LDAP directory. A DN is a sequence of relative distinguished names (RDNs) separated by commas; an RDN is an attribute with an associated value in the form attribute=value. If the role in the LDAP directory from which to extract user information is Pickers, the DN could be specified as CN=Pickers,CN=Users,DC=XYZCORP,DC=COM. For Azure Active Directory, the Object ID is used instead of the DN.
Object ID (Only applies if using LDAP Azure Active Directory)
Specifies the Object ID that allows the appropriate user information to be found in the Azure Active Directory.
LDAP Configuration for Microsoft Active Directory and Oracle Internet Directory
Server type
Specifies the LDAP server type.
Gateway
Allows you to select the gateway to use (if applicable).
This field only displays for Advanced Inventory Cloud customers. Cloud customers must have a registered gateway before configuring LDAP settings for Microsoft Active Directory and Oracle Internet Directory. For more information, refer to Add a registered gateway.
Host IP/Name
Specifies the name or the IP address of the LDAP server. If the Secure Connection option is selected when configuring LDAP security, a server name must be used instead of an IP address.
Port
Specifies the port number on which the LDAP server communicates with clients. The LDAP standard for this port number is 389. For a secure connection (SSL), the LDAP standard for this port number is 636. Use the port number that was specified for the directory service (Microsoft Active Directory or Oracle Internet Directory).
User ID
Specifies the user ID used to log on to the Active Directory server.
Password
Specifies the password used to log on to the Active Directory server.
Base DN
Specifies the LDAP directory's top level, or root of the directory tree, also known as the base. The name of that base is the Base Distinguished Name, or Base DN.
Example: dc=xyzcompany, dc=com, where dc stands for domain component.
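The Distinguished name and Base DN entries above both describe DNs as comma-separated attribute=value RDNs. The following hypothetical helper (added here; not Platform Manager code) parses a DN that way, tolerates the space after the comma used in the Base DN example, and checks that a role DN such as CN=Pickers,CN=Users,DC=XYZCORP,DC=COM actually sits under the configured Base DN, which is the condition for the extraction to find anything.

```python
"""Parse Distinguished Names into RDNs and verify a role DN lies under a Base DN.
Hypothetical helper for illustration; not part of Platform Manager."""
from typing import List, Tuple

RDN = Tuple[str, str]  # (attribute type, value)


def parse_dn(dn: str) -> List[RDN]:
    """Split a DN on unescaped commas, then each RDN on its first '='.

    Backslash escapes (RFC 4514, e.g. 'CN=Smith\\, John') are kept literally,
    and whitespace around an RDN is dropped so 'dc=xyzcompany, dc=com' parses.
    """
    rdns: List[RDN] = []
    buf: List[str] = []
    i = 0
    while i <= len(dn):
        # A sentinel comma past the end flushes the final RDN.
        ch = dn[i] if i < len(dn) else ","
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])      # escaped character, taken literally
            i += 2
            continue
        if ch == ",":
            rdn = "".join(buf).strip()
            buf = []
            if "=" not in rdn:
                raise ValueError(f"RDN {rdn!r} is not in attribute=value form")
            attr, value = rdn.split("=", 1)
            attr, value = attr.strip(), value.strip()
            if not attr or not value:
                raise ValueError(f"empty attribute or value in RDN {rdn!r}")
            rdns.append((attr, value))
        else:
            buf.append(ch)
        i += 1
    return rdns


def normalize(rdns: List[RDN]) -> List[RDN]:
    """Lower-case types and values: DC/CN compare case-insensitively in LDAP."""
    return [(a.lower(), v.lower()) for a, v in rdns]


def is_under_base(dn: str, base_dn: str) -> bool:
    """True when dn equals base_dn or is subordinate to it (its RDN suffix matches)."""
    d = normalize(parse_dn(dn))
    b = normalize(parse_dn(base_dn))
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def to_string(rdns: List[RDN]) -> str:
    """Serialize RDNs back to a DN, escaping backslash, comma and '=' in values."""
    def esc(v: str) -> str:
        return v.replace("\\", "\\\\").replace(",", "\\,").replace("=", "\\=")
    return ",".join(f"{a}={esc(v)}" for a, v in rdns)
```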
Domain parts
When logging in to Mobile Enterprise Platform, the user ID is authenticated against LDAP using only the number of parts specified in this field.
Example: If your domain is test.domain.com, and the login is test\UserID, you should use 1 domain part. If the login is test.domain\UserID, you should use 2 domain parts.
Include domain
When logging in to Mobile Enterprise Platform, the user ID is authenticated against LDAP using the full domain name including the top level.
Example: test.domain.com\UserID instead of test.domain\UserID.
Use UPN format
When logging in to Mobile Enterprise Platform, the user ID is authenticated against LDAP using Universal Principal Name.
Example: UserID@test.domain.com instead of test.domain\UserID.
Use Alternate ID
When selected, the system authenticates to LDAP using the mapped alternate User ID instead of the mapped Mobile Enterprise Platform User ID.
Allow blank password
When selected, allows a user to authenticate without a password.
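The Domain parts, Include domain, Use UPN format and Allow blank password settings above (also used in the Microsoft Active Directory and Oracle Internet Directory procedures) each change the login name the system presents to the directory. The following hypothetical helper (added here; not Platform Manager code) reproduces the four login forms from the page's test.domain.com example and shows where a blank-password check has to sit when Allow blank password is not selected.

```python
"""How Domain parts, Include domain, Use UPN format and Allow blank password shape
the login name sent to the LDAP server. Hypothetical helper; not Platform Manager code."""
from dataclasses import dataclass


@dataclass
class LdapAuthSettings:
    domain: str                    # the directory's domain, e.g. "test.domain.com"
    domain_parts: int = 1          # leading parts of the domain to prefix the user ID
    include_domain: bool = False   # prefix with the full domain including the top level
    use_upn_format: bool = False   # send UserID@domain instead of domain\UserID
    allow_blank_password: bool = False


def build_login(user_id: str, s: LdapAuthSettings) -> str:
    """Return the login name the settings describe for a bare user ID.

    test.domain.com, 1 part  -> test\\UserID
    test.domain.com, 2 parts -> test.domain\\UserID
    Include domain           -> test.domain.com\\UserID
    Use UPN format           -> UserID@test.domain.com
    """
    labels = [p for p in s.domain.strip().split(".") if p]
    if not labels:
        raise ValueError("domain must not be empty")
    if s.use_upn_format:
        # UPN format always carries the full domain as the suffix.
        return f"{user_id}@{'.'.join(labels)}"
    if s.include_domain:
        prefix = ".".join(labels)
    else:
        if not 1 <= s.domain_parts <= len(labels):
            raise ValueError(f"domain_parts must be between 1 and {len(labels)}")
        prefix = ".".join(labels[: s.domain_parts])
    return f"{prefix}\\{user_id}"


def check_credentials(user_id: str, password: str, s: LdapAuthSettings) -> str:
    """Validate a login attempt before any bind is sent; return the login name.

    A blank password is passed on only when Allow blank password is selected.
    Per RFC 4513, a simple bind with a name and an empty password is an
    unauthenticated bind that yields anonymous access, so the directory never
    verifies such a user; rejecting it here keeps that from counting as a login.
    """
    if not user_id or "\\" in user_id or "@" in user_id:
        raise ValueError("user_id must be a bare account name without a domain")
    if password == "" and not s.allow_blank_password:
        raise ValueError("blank password rejected: Allow blank password is not selected")
    return build_login(user_id, s)
```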
Secure connection
Specifies that communication between the LDAP server and the system is encrypted using secure socket layer encryption (SSL) to prevent unauthorized parties from reading or tampering with it.
Detailed logging
Enables logging of detailed messages, for example the users that were updated, added, and deleted during the extraction process.
LDAP Configuration for Azure Active Directory
Server type
Specifies the LDAP server type. The server will be set to Azure Active Directory.
Login URL
Specifies the login URL for Azure Active Directory.
API URL
Specifies the root URL for the API request.
API version
Specifies the version of the API request.
Domain Name
Specifies the domain name of your Azure Active Directory, for example domain.com.
Application ID
The ID created when building a new application in Azure. Specifies the Application ID used to log on to the LDAP server.
Client Secret
The password created when you create an application in Azure.
Directory ID
Specifies the Azure Active Directory's top level, or root of the directory tree. In Azure it is referenced as the Tenant ID (also shown as the Directory ID).
Detailed logging
Enables logging of detailed messages from the Azure LDAP extraction. For example, the logging includes the users that were updated, added, and deleted during the extraction process.
LDAP Mapping for Microsoft Active Directory and Oracle Internet Directory
The following LDAP attributes define the user information to extract from the LDAP directory to use when creating and populating user profiles. Be aware that the attribute names provided are only examples and that it is highly likely that the attribute used in your mapping procedure will not be the same.
User ID
Specifies a user logon name in the LDAP directory. This attribute maps to the Login ID on a user profile in the system. A mapped attribute is required for Login ID. The actual attribute that is used in the LDAP directory may be different.
Example Attribute Name: userPrincipalName
Alternate LDAP user ID
If you selected Use Alternate ID, the system uses this attribute to authenticate users. If you did not select Use Alternate ID, the system uses the mapped User ID.
Example Attribute Name: sAMAccountName
Last name
Specifies a surname in the LDAP directory. This attribute maps to Last name in a user profile in the system. A mapped attribute is required for Last name. The actual attribute that is used in the LDAP directory may be different.
Example Attribute Name: surname
First name
Specifies a given (first) name in the LDAP directory. This attribute maps to First name in a user profile in the system. The actual attribute that is used in the LDAP directory may be different.
Example Attribute Name: givenName
Language ID
Specifies the user language in the LDAP directory. This attribute maps to Language in a user profile in the system. The actual attribute that is used in the LDAP directory may be different.
Example Attribute Name: preferredLanguage
Email address
Specifies an email address in the LDAP directory. This attribute maps to Email address in a user profile in the system. The actual attribute that you use in the LDAP directory may be different.
Example Attribute Name: mail
Phone number
Specifies a phone number in the LDAP directory. This attribute maps to the phone number in a user profile in the system. The actual attribute that you use in the LDAP directory may be different.
Example Attribute Name: telephoneNumber
Generic data 1 - 5
User-defined attributes to extract from the LDAP directory. Each attribute corresponds to a particular field on a user profile. The only user profile fields that require a mapped attribute are User ID and Last name.
Example Attribute Name: User defined attribute
LDAP mapping for Azure Active Directory
The following LDAP attributes define the user information to extract from the LDAP directory to use when creating and populating user profiles. Be aware that the attribute names provided are only examples and that it is highly likely that the attribute used in your mapping procedure will not be the same.
Login ID
Specifies a user logon name in the LDAP directory. This attribute maps to Login ID on a user profile in the system. A mapped attribute is required for Login ID. The actual attribute that is used in the LDAP directory may be different.
Example Attribute Name: userPrincipalName
Last name
Specifies a surname in the LDAP directory. This attribute maps to Last name in a user profile in the system. A mapped attribute is required for Last name. The actual attribute that is used in the LDAP directory may be different.
Example Attribute Name: surname
First name
Specifies a given (first) name in the LDAP directory. This attribute maps to First name in a user profile in the system. The actual attribute that is used in the LDAP directory may be different.
Example Attribute Name: givenName
Language ID
Specifies the user language in the LDAP directory. This attribute maps to Language in a user profile in the system. The actual attribute that is used in the LDAP directory may be different.
Example Attribute Name: preferredLanguage
Email address
Specifies an email address in the LDAP directory. This attribute maps to Email address in a user profile in the system. The actual attribute that you use in the LDAP directory may be different.
Example Attribute Name: mail
Phone number
Specifies a phone number in the LDAP directory. This attribute maps to the phone number in a user profile in the system. The actual attribute that you use in the LDAP directory may be different.
Example Attribute Name: telephoneNumber
Generic data 1 - 5
User-defined attributes to extract from the LDAP directory. Each attribute corresponds to a particular field on a user profile. The only user profile fields that require a mapped attribute are User ID and Last name.
Example Attribute Name: User defined attribute
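The two mapping sections above state that User ID and Last name must be mapped, that Use Alternate ID switches which mapped attribute becomes the Login ID, and that lookups are case sensitive, so a mis-cased attribute name silently leaves users unextracted. The following hypothetical helper (added here; not Platform Manager code) runs that extraction over constructed directory entries so each of those rules can be observed.

```python
"""Simulate the LDAP extraction that the mapping tab drives: copy mapped
attributes from directory entries into user profiles, enforcing the required
mappings, the Use Alternate ID choice and case-sensitive attribute names.
Hypothetical helper with constructed sample entries; not Platform Manager code."""
from typing import Dict, List, Optional, Tuple

# Constructed sample entries, keyed exactly as a directory would return them.
SAMPLE_ENTRIES: List[Dict[str, str]] = [
    {"userPrincipalName": "apicker@xyzcorp.com", "sAMAccountName": "apicker",
     "sn": "Picker", "givenName": "Ann", "mail": "apicker@xyzcorp.com",
     "telephoneNumber": "555-0100", "preferredLanguage": "en"},
    {"userPrincipalName": "bshipper@xyzcorp.com", "sAMAccountName": "bshipper",
     "sn": "Shipper", "givenName": "Bo", "mail": "bshipper@xyzcorp.com"},
    # No sn: Last name is a required mapping, so this entry must be skipped.
    {"userPrincipalName": "nolast@xyzcorp.com", "sAMAccountName": "nolast",
     "givenName": "No"},
]

REQUIRED_FIELDS = ("User ID", "Last name")


def validate_mapping(mapping: Dict[str, str]) -> None:
    """Reject a mapping that leaves a required profile field without an attribute."""
    missing = [f for f in REQUIRED_FIELDS if not mapping.get(f)]
    if missing:
        raise ValueError(f"required fields without a mapped attribute: {missing}")


def extract_profiles(
    entries: List[Dict[str, str]],
    mapping: Dict[str, str],
    use_alternate_id: bool = False,
) -> Tuple[List[Dict[str, Optional[str]]], List[int]]:
    """Return (profiles, skipped entry indexes).

    Attribute lookups are exact-case dictionary lookups, as the mapping tab
    warns: an entry whose required attribute is absent under the configured
    spelling is not extracted, and its index is reported instead of silently lost.
    """
    validate_mapping(mapping)
    login_field = "Alternate LDAP user ID" if use_alternate_id else "User ID"
    if use_alternate_id and not mapping.get(login_field):
        raise ValueError("Use Alternate ID is selected but no alternate attribute is mapped")
    profiles: List[Dict[str, Optional[str]]] = []
    skipped: List[int] = []
    for idx, entry in enumerate(entries):
        profile: Dict[str, Optional[str]] = {}
        complete = True
        for field, attr in mapping.items():
            if not attr:
                continue                      # optional field left unmapped
            value = entry.get(attr)           # case-sensitive lookup
            if value is None and (field in REQUIRED_FIELDS or field == login_field):
                complete = False
                break
            profile[field] = value            # optional attributes may be None
        if complete:
            profile["Login ID"] = profile[login_field]
            profiles.append(profile)
        else:
            skipped.append(idx)
    return profiles, skipped
```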