Working with External Groups

Describes the instructions to work with external groups

The directory service providers, such as, Active Directory (AD) or Oracle Directory Server Enterprise Edition (ODSEE), are identity management systems that contain information about the enterprise users. You can map the users in the directory service providers to the various roles defined in the Appliances. The External Groups feature enables you to associate users or groups to the roles.

You can import users from a directory service to assign roles for performing various security and administrative operations in the appliances. Using External Groups, you connect to an external source, import the required users or groups, and assign the appliance-specific roles to them. The appliances automatically synchronize with the directory service provider at regular time intervals to update user information. If any user or group in a source directory service is updated, it is reflected across the users in the external groups. The updates made to the local LDAP do not affect the source directory service provider.

If any changes occur to the roles or users in the external groups, an audit event is triggered.

Ensure that Proxy Authentication is enabled to use an external group.

The following screen displays the External Groups screen.

External Groups Screen

Only users with Directory Manager role can configure the External Groups screen.

The following table describes the actions you can perform on the External Groups screen.

IconDescription
User IconList the users present for the external group.
Synchronize Member IconSynchronize with the external group to update the users.
Delete IconDelete the external group.

Required fields for External Groups

Listed below are the required fields for creating an External Group.

Title: Name designated to the External Group

Description: Additional text describing the External Group

Group DN: Distinguished name where groups can be found in the directory

Query by: To pull users from the directory server to the appliance, you must query the directory server using required parameters. This can be achieved using one of the following two methods:

  • Query by User
    Query by User allows to add specific set of users from a directory server.

    • Group Properties
      In the Group Properties, the search is based on the values entered in the Group DN and Member Attribute Name text boxes. Consider an example, where the values in the Group DN and Member Attribute Name are cn=esa,ou=groups,dc=sherwood,dc=com and memberOf respectively. In this case, the search is performed on every user that is available in the directory server. The memberOf value of the users are matched with the specified Group DN. Only those users whose memberOf value matches the Group DN values are returned.

    • Search Filter
      This field facilitates searching multiple users using regex patterns. Consider an example, where the values in the Search Filter for the user is cn=S*. In this case all the users beginning with cn=S in the directory server are retrieved.

  • Query by Group
    Using this method, you can search and add users of a group in the directory server. All the users belonging to the group are retrieved in the search process.

    • Group Properties
      In the Group Properties, the search is based on the values entered in the Group DN and Member Attribute Name text boxes. Consider an example, where the values in the Group DN and Member Attribute Name are cn=hr,ou=groups,dc=sherwood,dc=com and member respectively. The search is performed in the directory server for the group mentioned in the Group DN text box. If the group is available, then all the users of that group containing value of member attribute as cn=hr,ou=groups,dc=sherwood,dc=com are retrieved.

    • Search Filter
      This field facilitates searching multiple groups across the directory server. The users are retrieved based on the values provided in the Search Filter and Member Attribute Name text boxes. A search is performed on the group mentioned in Search Filter and the value mentioned in the Member Attribute Name attribute of the group is fetched. Consider an example, where the values in the Search Filter for the group is cn=accounts and the value in the Member Attribute Name value is member. All the groups that match with cn=accounts are searched. The value that is available in the member attribute of those groups are retrieved as the search result.

Adding an External Group

You can add an external group to assign roles for a group of users. For example, consider a scenario to add an external group with data entered in the Search Filter textbox.

Perform the following steps to add an external group.

  1. In the ESA Web UI, navigate to Settings > Users > External Groups.

  2. Click Create.

  3. Enter the required information in the Title and Description fields.

    Creating an External Group

  4. If you select Group Properties, then enter the Group DN and Member Attribute Name.
    For example,

    Enter the following DN in the Group DN text box:

    cn=Joe,ou=groups,dc=sherwood,dc=com

    Enter the following attribute in the Member Attribute Name text box:

    memberOf

    This text box is not applicable for ODSEE.

  5. If you select Search Filter, enter the search criteria in the Search Filter text box.

    For example,

    For AD, you can enter the search filter as follows:

    (&(memberOf=cn=John,dc=Bob,dc=com))

    For ODSEE, you can enter the search filter as follows:

    isMemberOf=cn=Alex,ou=groups,dc=sherwood,dc=com

  6. Click Preview Users to view the list of users for the selected search criteria.

  7. Select the required roles from the Roles tab.

  8. Click Save.

    An external group is added.

    The Users tab is visible, displaying the list of users added as a part of the external group.

Importing from ODSEE and special characters

If you are importing users from ODSEE, usernames containing special characters are not supported. Special characters include semi colon, forward slash, curly brackets, parentheses, angled brackets, or plus sign. That is: ;, /, {}, () , <>, or +, respectively.

Editing an External Group

You can edit an external group to modify fields such as Description, Mode, Roles, or Group Properties. If any updates are made to the roles of the users in the external groups, the modifications are applicable immediately to the users existing in the local LDAP.

Ensure that you synchronize with the source directory service if you update the Group DN or the search filter.

Perform the following steps to edit an external group:

  1. In the ESA Web UI, navigate to Settings > Users > External Groups.

  2. Select the required external group.

  3. Edit the required fields.

  4. Click Save.

  5. The Enter your password prompt appears. Enter the password and click Ok.
    The changes to the external group are updated.

Deleting an External Group

When you delete an external group, the following scenarios are considered while removing a user from an external group:

  • If the users are not part of other external groups, the users are removed from the local LDAP.
  • If the users are a part of multiple external groups, only the association with the deleted external group and roles is removed.

Perform the following steps to remove an External Group:

  1. In the ESA Web UI, navigate to Settings > Users > External Groups.

  2. Select the required external group and click the Delete ( Delete Icon) icon.

  3. The Enter your password prompt appears. Enter the password and click Ok.
    The external group is deleted.

Synchronizing the External Group

When the proxy authentication is enabled, the External Groups Sync Service is started. This service is responsible for the automatic synchronization of the external groups with the directory services. The time interval for automatic synchronization is 24 hours.

You can manually synchronize the external groups with the directory services using the Synchronize () icon.

After clicking theSynchronize () icon, the Enter your password prompt appears. Enter the password and click Ok.

The following scenarios occur when synchronization is performed between the external groups and the directory services.

  • Users are added to ESA and roles are assigned.
  • Roles of existing users in ESA are updated.
  • Users are deleted from the ESA if they are associated with any external groups.

Based on the scenarios, the messages appearing in the Web UI, when synchronization is performed, are described in the following table.

MessageDescription
AddedUsers are added to the ESA the roles mentioned in the external groups are assigned to the user.
UpdatedRoles pertaining to the users are updated ESA.
RemovedRoles corresponding to the deleted external group is removed for the users. Users are not deleted from ESA.
DeletedUsers are deleted from ESA as they are not associated to any external group.
FailedUpdates to the user fail. The reason for the failure in update appears in the Web UI.

If a GroupDN for an external group is not available during synchronization, the users are removed or deleted. The following log appears in the Insight logs:

Appliance Warning: GroupDN is missing in external Source.

Also, in the Appliance logs, the following message appears:

External Group: <Group name>, GroupDN: <domain name> could not be found on the external source

Last modified February 7, 2025