Better AD group syncing

Ilsa Loving shared this idea 10 months ago
Under Consideration

It would be nice if FileCloud could somehow automatically import groups. Having to manually create the group, and then separately populate the group, is very cumbersome. It would be nice if the system could do one of the following:

* automatically import/sync all groups of (for example) all users of the system.

* automatically import all members of a group after the group is created, if FC detects that the name of the group matches an existing AD group.


It would greatly save time when having to do group maintenance.

Comments (18)

1

Thanks for your feedback. We will consider this feedback for future releases.

3

One other thing I just thought of. It would be nice if FileCloud could also automatically disable users who no longer match the sync criteria (for example, if the "Limit Login to AD Group" field was populated, any users that are no longer in that group should be disabled). Also, users who have been disabled in Active Directory should also be disabled in FC.

2

That's a fantastic idea!

3

One further thing: if Active Directory group membership has been removed, the user should automatically be removed from the FileCloud group as well during AD sync.

1

Understood.

1

The option to remove users who are not in the group is already supported in 18.2.

1

Does "remove users" mean they're deleted?

1

No, they are just removed from the FileCloud group. Users still remain in FileCloud.

1

So just so I understand (as we haven't upgraded to 18.2 yet), we need to remove them from the relevant AD group before the user is removed? I was hoping that simply disabling the account in AD would be sufficient.


What happens then? Are the users deleted or only disabled? (My preference is the latter). What happens to any files they owned?

1

When a user is removed from an AD group and you have enabled the option to remove from FC as well, then the user is just removed from the FileCloud group. No change is done to the user itself (like deletion or disabling).

1

Nice. It would be nice, though, if, at least for the "Limit Login to AD Group" feature, the users would be removed from FileCloud. I assume that's possible since you now have two-way sync for the other groups. But using the feature should be a way to control licenses and overall access.

2

Thanks for the feedback. The main problem is the possible data loss here. If someone removed a user from an AD group (for testing or inadvertently), FC would delete the user (and all content gets wiped). So we are unsure that is the most user-friendly behavior. The other option is to disable user accounts in FC instead, which is safer, saner and also gets rid of the user using up the license. We can consider that.

1

I agree. Deleting a user is too dangerous because then at best you would have files with no owner, if not outright deleted. Unless FC went through a laborious process of resetting ownership of any files, I think disabling is the best way to go.

Disabling a user removes them from the license count.

1

Disabling the account would only be useful if you are solely using the groups to provide access to FileCloud itself. We use the AD sync to create Team Folder groups. Therefore, when we remove a user from an AD group, that does not necessarily mean they no longer require access. Unfortunately, we need to develop a plan to query for stale accounts and remove them via the API, etc.

1

Users should never be deleted automatically, and they should be disabled only when their AD user is disabled. Seeing as AD is only used for auth, I'm not sure if that's gonna be possible. Would be nice though.

1

Yes, I agree. If the user is disabled in AD, then I would love it if they got disabled in FileCloud automatically!

1

Cory, understood. We will implement this in 19.1.

1

I have to say, I understand all the others regarding deletion and so on. But in our case it would be best if the user is deleted from FileCloud if he is not in the AD group anymore. We use FileCloud only to transfer files between business partners and so on, and have declared it as temporary space only. So if someone needs access, he is dropped into the AD group and then automatically has access to FileCloud. If he isn't allowed to use FileCloud anymore, we delete the account from the AD group, and he should also be deleted in FileCloud.

That would be the best option for us. Nevertheless, I could live with the option that, if the user is not in a synced group anymore, the account in FileCloud gets disabled and we clean up old users from time to time.
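The sync policy this thread converges on (mirror AD group membership, disable rather than delete when an account is disabled in AD or falls out of the login-limiting group, and only report users who are left in no synced group so an admin can clean them up by hand) can be expressed as a reconciliation pass. The following is an added example, not FileCloud's code or API; the `FcUser` record, the `plan_sync` function and all group and user data are constructed stand-ins for an AD lookup and the FileCloud user store.

```python
from dataclasses import dataclass, field


@dataclass
class FcUser:
    """Hypothetical stand-in for a FileCloud user record (not FileCloud's API)."""
    name: str
    enabled: bool = True
    groups: set = field(default_factory=set)


def plan_sync(ad_groups, ad_disabled, fc_users, login_group=None):
    """Compute the actions a conservative AD sync would apply to existing FC users.

    Policy taken from the thread: group membership mirrors AD; an account that is
    disabled in AD, or that dropped out of the login-limiting group, is disabled
    (never deleted, so owned files keep their owner and the license seat is freed);
    accounts are never re-enabled automatically. Enabled users that belong to no
    synced AD group are only reported as stale for manual review.
    """
    actions, stale = [], []
    for name, user in fc_users.items():
        for gname, members in ad_groups.items():
            if name in members and gname not in user.groups:
                actions.append(("add_to_group", name, gname))
            elif name not in members and gname in user.groups:
                actions.append(("remove_from_group", name, gname))
        in_any_group = any(name in members for members in ad_groups.values())
        allowed = name not in ad_disabled and (
            login_group is None or name in ad_groups.get(login_group, set()))
        if user.enabled and not allowed:
            actions.append(("disable", name))
        elif user.enabled and not in_any_group:
            stale.append(name)
    return actions, stale


# Constructed sample data; a real sync would read this from AD and from FileCloud.
AD_GROUPS = {"FC-Login": {"alice", "bob"}, "TeamFolder-Sales": {"alice", "carol"}}
AD_DISABLED = {"bob"}  # accounts disabled in AD
FC_USERS = {
    "alice": FcUser("alice", groups={"FC-Login"}),
    "bob": FcUser("bob", groups={"FC-Login"}),
    "carol": FcUser("carol", groups={"FC-Login", "TeamFolder-Sales"}),
    "dave": FcUser("dave", enabled=False),
    "erin": FcUser("erin"),
}

if __name__ == "__main__":
    actions, stale = plan_sync(AD_GROUPS, AD_DISABLED, FC_USERS, login_group="FC-Login")
    print(actions, "stale:", stale)
```

Running it with `login_group="FC-Login"` disables bob (disabled in AD), carol and erin (not in the login group) and removes carol from the FC-Login group, while running it without a login group leaves carol enabled and instead reports erin as stale.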
