AD Group Creation with multiple locations

Jasmine_Linam
Champ in-the-making

I'm looking for advice from companies who use OnBase for document management, and have multiple locations, to see how they're managing the creation of AD Groups. As my company has been implementing OnBase at each site, a minimum of 4 AD groups are created. We have document owners, reviewers, approvers, and viewers. If we continue on with our current process, by the time we're done, we'll have well over 500 AD Groups to manage. The creation of these groups, and the moving of users into different groups, has caused not only a major bottleneck in the implementation at the site level, but we have frequent issues with rights as users move into different roles, or need to help out with the management of documents in other areas of the business. I'm looking to identify some best practices, and hopefully streamline our process.

3 REPLIES

AdamShaneHyland
Employee

Hi Jasmine,

Having a lot of user groups within a larger organization is not uncommon. I have seen customers with 1,000s of user groups based on need. However, you don't want to go crazy on user groups as management can become overwhelming (e.g. having lots of user groups with only one user). This is typically part of a larger discussion as to how user groups are managed within the organization and not solely on OnBase unless you as an OnBase admin are performing the user administration.

When using AD as an integration to OnBase, this can help alleviate the need of an OnBase administrator to manage user group user assignment when users transition roles OR new users come into the organization.  That can be done as part of the onboarding process where new users are created in AD and added to user groups outside of OnBase.  From there as users move to new roles they are automatically moved into new groups based on the updates in AD.

One question you are going to have to ask is if users are going to be completely managed by the AD integration, if users are going to be partially managed by the AD integration (meaning they can authenticate in to create the new user and get added to a user group granting basic permission but additional user group assignment is managed by the OnBase admin) OR if only authentication is going to take place and user creation and management is completely left to the OnBase admin.  All of these options are available with OnBase and require a determination to move forward.

I typically recommend assigning users to groups based on roles since roles across an organization are usually defined and can span locations. This way a user's permissions within the software are based on the role they are assigned regardless of where they are located.

As well, another point I try to make is additive permissions, which means that you start off with a "general" user group (not named general) which grants users access to the system and basic permissions. From there you add permissions to other user groups based on their required access in the software.

Best wishes.

Jasmine_Linam
Champ in-the-making

Thanks Adam. The role based approach makes a lot of sense. I'll take this information to my team to discuss. I think this approach makes more sense from a sustainability standpoint. I appreciate your response.

 

AdamShaneHyland
Employee

My pleasure.  I'm always interested in what others are doing and ways which they have found to tackle these types of problems.  Maybe others will speak up from their experience and give you insight.  

Best wishes.