Configuring security keywords for Active Directory when the username is not FIRST.LAST

Dave_Feit1
Confirmed Champ

I have a client who wants to implement security keywords to restrict access to HR documents (employees can only see their documents).  We do not want to use the traditional "keyword type equals a static value" approach, as it cannot be configured until after the OnBase user account is created by them signing in. This would lead to a window where an employee could see more than they should, in addition to extra manual steps.

The option of mapping a keyword to the dynamic <<USERNAME>> looks like the way to go.  However, the client's Active Directory user name is not in a first.last format, and could change if they transfer to a different department.  Changing how the client utilizes A.D. is currently off the table, so I'm looking for advice, recommendations, and examples of how others have utilized security keywords for Active Directory when the username is not FIRST.LAST.

1 Reply

Alex_French
Elite Collaborator

Hi Dave,

We do three different things that might be relevant to your situation.  I don't think any of them will directly help with "AD sAMAccountName may change if they move between departments".

1) We do lots of programmatic group management even for groups that are AD-synced.  If a scheduled process sees that AD group X has a new member who doesn't exist in OnBase, we use the Unity API to create the user account and set security keywords even before they first log in to OnBase.

2) If the AD sAMAccountName is static, but doesn't match the person's first and last name, you just need to get that sAMAccountName on the document as a keyword.  For example, my Dartmouth NetID is "F001GQB", so my HR documents or my student loan documents would get the keyword value "F001GQB".  This may not work, or may require another step, if the AD account's sAMAccountName may change over time.

3) If using the "keyword type equals a static value" approach per user account, I *think* you could assign a dummy value to an OnBase User GROUP ("NONE" or "-1") so that the user would not see *any* documents on first log in. Then the value "First.Last" or similar could be manually or programmatically assigned to their OnBase User ACCOUNT, and they would then have access to documents with the matching Keyword value "First.Last".

I hope some of that helps!
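Added example (not code from either post, and not Hyland's Unity API): the reconciliation step behind option 1 above, written so that the "sAMAccountName may change on transfer" case the thread worries about shows up as an explicit rename plus a document re-keying action instead of silently looking like a brand-new user. It assumes the scheduled job keeps its own record of the AD objectGUID for every OnBase account it created, that OnBase user names are stored upper-cased, and that the security keyword value is the sAMAccountName (option 2). The AD group and the provisioned-user list are constructed inline; the returned action tuples stand in for the Unity API calls a real job would make.

```python
"""Reconcile Active Directory group membership with OnBase accounts.

Added example for this thread; it is not code from the original posts and not
Hyland's Unity API. It models the scheduled process the reply describes: look
at the AD group, find members who have no OnBase account yet, and plan the
account creation plus the security keyword assignment before first login.
The job keeps its own GUID -> OnBase user mapping (an assumption, since
sAMAccountName is not stable), so a department transfer that renames the
account shows up as a rename plus the document re-keying step rather than as
a brand-new user. Directory data below is constructed; the returned action
tuples stand in for the real Unity API calls.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AdMember:
    object_guid: str        # stable AD identity; survives renames and transfers
    sam_account_name: str   # what OnBase sees as <<USERNAME>>; may change


@dataclass(frozen=True)
class ProvisionedUser:
    object_guid: str        # recorded by this job when it created the account
    user_name: str          # OnBase user name (assumed upper-cased on creation)
    keyword_value: str      # security keyword value assigned to the account


def plan_sync(ad_members, provisioned):
    """Return the list of actions the scheduled job should take, in order.

    Actions are plain tuples so they can be logged, dry-run, or handed to
    whatever performs the Unity API work:
      ("create_user", name)              new AD member, no OnBase account yet
      ("set_keyword", name, value)       security keyword on the account
      ("rename_user", old, new)          sAMAccountName changed in AD
      ("rekey_documents", old, new)      the "another step" the reply mentions
      ("disable_user", name)             no longer in the AD group
    """
    by_guid = {u.object_guid: u for u in provisioned}
    seen = set()
    actions = []
    # Fixed processing order so repeated runs produce comparable plans.
    for member in sorted(ad_members, key=lambda m: m.sam_account_name.upper()):
        name = member.sam_account_name.upper()   # sAMAccountName is case-insensitive
        seen.add(member.object_guid)
        existing = by_guid.get(member.object_guid)
        if existing is None:
            # New to OnBase: create the account and restrict it to its own
            # documents before the user ever signs in (closes the window the
            # "assign after first login" approach leaves open).
            actions.append(("create_user", name))
            actions.append(("set_keyword", name, name))
        elif existing.user_name != name:
            # Same person, new sAMAccountName: the account keyword and every
            # document keyed with the old value both need updating, otherwise
            # the user loses access and the freed name could later be reused
            # by someone else who would then match those documents.
            actions.append(("rename_user", existing.user_name, name))
            actions.append(("set_keyword", name, name))
            actions.append(("rekey_documents", existing.keyword_value, name))
    # Anyone this job provisioned who has left the group loses access.
    for user in provisioned:
        if user.object_guid not in seen:
            actions.append(("disable_user", user.user_name))
    return actions


# Constructed sample data: one unchanged member, one transfer (renamed),
# one brand-new hire, and one account that is no longer in the group.
AD_GROUP = [
    AdMember("guid-0001", "F001GQB"),
    AdMember("guid-0002", "fin.jane"),    # was hr.jane before a transfer
    AdMember("guid-0003", "newhire01"),
]
PROVISIONED = [
    ProvisionedUser("guid-0001", "F001GQB", "F001GQB"),
    ProvisionedUser("guid-0002", "HR.JANE", "HR.JANE"),
    ProvisionedUser("guid-0004", "OLDUSER", "OLDUSER"),
]

if __name__ == "__main__":
    for action in plan_sync(AD_GROUP, PROVISIONED):
        print(*action)
```

Keying the comparison on objectGUID rather than on the user name is what makes the transfer case detectable at all; employeeID would serve the same purpose if the client populates it. A run against an already-consistent mapping produces no actions, which is the property to check before letting the job run unattended.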