Reduce the administrative overhead of provisioning new users in your community by defining mappings between Windows security groups and Telligent Community roles. With the mappings in place, user accounts created from Windows (the first time a user accesses the community) are automatically added to the appropriate roles in your Telligent community. From then on, roles are updated whenever a user's profile is updated from Windows (by default every seven days).
Group mappings are only supported when using Windows Authentication.
Enabling group mappings
To enable group mappings, you must first configure your community to use Windows Authentication. Once that's done, add the following override to the communityserver_override.config file that you used to configure the Windows Authentication module:
<Override xpath="/CommunityServer/Core/extensionModules/add[@name='WindowsAuthentication']"
          mode="change"
          name="mapADGroups"
          value="true"
/>
Configuring group mappings
Mappings are configured by specifying <add /> and <remove /> elements in the GroupMappings element of the Windows Authentication module. Both require the following two attributes to be specified:
- WindowsGroupName - Name of the Windows security group to be mapped, which must include the domain prefix (that is, DOMAIN\RoleName)
- AuthorizationRole - Name of the Telligent Community role to which you are mapping
Add
An <add /> mapping specifies that any member of the WindowsGroupName in Active Directory should be added to the AuthorizationRole in Telligent Community. In addition to the two attributes above, <add /> mappings support one more optional configuration attribute:
- CreateRoleIfNotFound (optional) - If set to true, Telligent Community creates the AuthorizationRole if the role does not yet exist.
For example, to add members of the Developers Active Directory group to the Developers role in Community Server, add the following to your communityserver_override.config file:
<Override xpath="/CommunityServer/Core/extensionModules/add[@name='WindowsAuthentication']/GroupMappings"
          mode="add">
    <add WindowsGroupName="DOMAIN\Developers"
         AuthorizationRole="Developers"
         CreateRoleIfNotFound="true"
    />
    <!-- Additional add and remove entries can go here -->
</Override>
Remove
A <remove /> mapping specifies that any member of the WindowsGroupName in Active Directory should be removed from the AuthorizationRole in Telligent Community.
For example, to remove members of the Contractors Active Directory group from the Registered Users role in Telligent Community, add the following to your communityserver_override.config file:
<Override xpath="/CommunityServer/Core/extensionModules/add[@name='WindowsAuthentication']/GroupMappings"
          mode="add">
    <remove WindowsGroupName="DOMAIN\Contractors"
            AuthorizationRole="Registered Users"
    />
    <!-- Additional add and remove entries can go here -->
</Override>
Troubleshooting
- You must be using Windows Authentication for group mappings to be honored.
- A user's roles are only updated when the user's profile is updated, which out of the box occurs every seven days. To update roles faster, set the profileRefreshInterval configuration option to a lower value.
- Windows group names (the WindowsGroupName attribute) must include the domain name - that is, you must use DOMAIN\RoleName instead of just RoleName.
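Because these mappings grant and revoke community roles, it is worth checking the override file against the attribute rules above before deploying it. The following Python script is an added example, not part of the Telligent documentation or product; the `<Overrides>` root element, the sample mappings and the function name are assumptions made for illustration. It reports entries missing a required attribute or the DOMAIN\ prefix, and flags for review any `CreateRoleIfNotFound="true"` entry and any role targeted by both `<add />` and `<remove />` mappings.

```python
import xml.etree.ElementTree as ET

# Constructed sample; the <Overrides> root element name is an assumption.
SAMPLE = r"""<Overrides>
  <Override xpath="/CommunityServer/Core/extensionModules/add[@name='WindowsAuthentication']/GroupMappings" mode="add">
    <add WindowsGroupName="DOMAIN\Developers" AuthorizationRole="Developers" CreateRoleIfNotFound="true" />
    <add WindowsGroupName="Contractors" AuthorizationRole="Registered Users" />
    <remove WindowsGroupName="DOMAIN\Contractors" AuthorizationRole="Registered Users" />
    <add WindowsGroupName="DOMAIN\Staff" />
  </Override>
</Overrides>"""

def audit_group_mappings(xml_text):
    """Return a list of (severity, message) findings for GroupMappings overrides."""
    findings = []
    targets = {}  # role name -> set of mapping kinds seen ("add" / "remove")
    root = ET.fromstring(xml_text)
    for override in root.iter("Override"):
        if not override.get("xpath", "").endswith("/GroupMappings"):
            continue  # only the GroupMappings overrides carry mappings
        for entry in override:
            if entry.tag not in ("add", "remove"):
                continue
            group = entry.get("WindowsGroupName", "")
            role = entry.get("AuthorizationRole", "")
            label = f"<{entry.tag} {group or '?'} -> {role or '?'}>"
            if not group or not role:
                findings.append(("error", f"{label}: both attributes are required"))
                continue
            domain, sep, name = group.partition("\\")
            if not (sep and domain and name):
                findings.append(("error", f"{label}: group lacks DOMAIN\\ prefix"))
            if entry.tag == "add" and entry.get("CreateRoleIfNotFound", "").lower() == "true":
                findings.append(("review", f"{label}: role is created if missing"))
            targets.setdefault(role, set()).add(entry.tag)
    for role, actions in sorted(targets.items()):
        if actions == {"add", "remove"}:  # net result depends on group membership
            findings.append(("review", f"role '{role}' has both add and remove mappings"))
    return findings

if __name__ == "__main__":
    for severity, message in audit_group_mappings(SAMPLE):
        print(f"{severity:6} {message}")
```
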