Security Login

This feature is new for adTempus version 4.

A Security Login represents a user of adTempus. Each user of adTempus must have an associated Login, which is used to authenticate (identify) the user and to assign permissions for the user.

Logins are managed through the Server Security Settings window.

Previous versions of adTempus used automatic authentication based on the user's Windows identity, and did not use an explicitly-defined Login account in adTempus. When upgrading from previous versions, it will be necessary to create and configure user logins for all users, even if you are using Windows authentication. See the Security Changes topic for more information.

Security Login Properties

General

adTempus supports two methods to authenticate (identify) a user: Windows (integrated or automatic) authentication and adTempus authentication. The authentication type cannot be changed once the Login has been created.

Windows Authentication

With Windows Authentication, the user is not prompted for a user ID and password when connecting to adTempus; adTempus locates the correct Login based on the user's Windows identity.

Windows Authentication can be used when the user will be connecting to adTempus from the same computer where the adTempus service is running, from another computer in the same domain, or from a computer or domain that has a trust relationship with the adTempus server.

When you choose Windows Authentication, set the Login Name to the Windows user ID, including the domain name (for example, "domain\userid"). Use the Select button to enter and validate the user ID.

You can configure adTempus to authenticate based on Active Directory group membership. See Automatic Authentication below.

adTempus Authentication

With adTempus Authentication, the user is prompted for a user ID and password when connecting to adTempus. Use this authentication method when a user needs to connect from a computer outside the server's trust zone, where Windows authentication cannot be used.

When you choose adTempus Authentication, set the Login Name to the user ID the user should use, and enter a password for the user.

Users can change their passwords using the Configuration > Change Password command in the Console.

Enabled

Uncheck the Enabled box to disable this Login. The user will not be able to log in to adTempus while the account is disabled.

Convert to standard Login

This option appears if the Login is a dynamic Login. See below for more information.

Description

Optionally enter a description or notes for this Login.

Groups

Select the Security Groups that this user belongs to. The "All Users" group cannot be deselected. Users assigned to the "adTempus Administrators" group have full access to and control over all objects in adTempus.

Automatic Login through Group Membership

If you are using Windows authentication and have a large number of users or potential users of adTempus, you may wish to manage security through Active Directory groups (Windows security groups) as was possible in adTempus 3 and earlier, instead of creating individual Logins for each user. For example, you may want to establish an Active Directory group named "adTempus Users" and configure adTempus to grant a specific set of permissions to any user who belongs to that Active Directory group.

To do so, you create a Login in adTempus that is linked to the Active Directory group, by entering the name of the group instead of an individual user name when you create the Login. This is referred to as a template Login.

Then assign this Login to the appropriate adTempus security groups and configure permissions as normal.

When a user connects to adTempus using Windows authentication, adTempus will check to see if there is a Login linked to the Windows account. If so, the user is authenticated using that Login.

Otherwise, adTempus will look at all template Logins and check to see if the user is a member of the corresponding Active Directory group. If so, adTempus grants access and permissions to the user based on the template Logins that it matches. adTempus also creates and saves an individual Login for the user, which is referred to as a dynamic Login. Like a regular Login, it appears in the list of Logins in the Security Settings window. However, you cannot directly assign permissions or groups to the Login. Instead, each time the user connects to adTempus, the permissions and group memberships are updated based on the template Logins.

For example:

1. You create an Active Directory group named "mydomain\adTempus users".

2. In adTempus you create a corresponding Login using Windows authentication and setting the Name to "mydomain\adTempus users". This is now a template Login linked to the Active Directory group.

3. Also in adTempus you assign the "mydomain\adTempus users" Login to the "Read-Only Users" security group that you have previously created.

4. User Claire runs the adTempus Console and connects to the server for the first time. There is no individual Login defined for Claire, but adTempus determines that she is a member of the "mydomain\adTempus users" Active Directory group, which has a corresponding template Login.

5. adTempus creates an individual Login for Claire and copies the "Read-Only Users" group membership from the template Login (and any other group memberships and permissions assigned to that Login).

6. This automatically-created Login for Claire now appears in the Logins list.

Converting to a Standard Login

A dynamic Login gets updated each time the user connects, to reflect the current permissions and group assignments for the template Logins that the user matches. If you need to customize the permissions for a dynamic Login, you can convert it to a standard Login by clicking the Convert to standard Login button. Once you do this, the Login will no longer be updated from the template Logins, and you can manage it just like any other explicitly-created Login.
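The lookup order and the effect of Convert to standard Login, as an added Python model (not adTempus code): class and function names are hypothetical, the Active Directory membership is constructed, and denying access when neither a Login nor a template matches is an assumption.

```python
from dataclasses import dataclass, field

@dataclass
class Login:
    name: str       # Windows account, or an AD group name for a template Login
    kind: str       # "standard", "template" or "dynamic"
    groups: set = field(default_factory=set)  # adTempus security groups
    enabled: bool = True

class Server:
    def __init__(self):
        self.logins = {}  # keyed by lower-cased name (Windows names ignore case)

    def add(self, name, kind, groups=()):
        # "All Users" cannot be deselected, so every Login carries it.
        login = Login(name, kind, set(groups) | {"All Users"})
        self.logins[name.lower()] = login
        return login

    def template_groups(self, ad_groups):
        """Union of groups from every template Login the user matches, or None."""
        member_of = {g.lower() for g in ad_groups}
        hits = [l for l in self.logins.values()
                if l.kind == "template" and l.name.lower() in member_of]
        return set().union(*(l.groups for l in hits)) if hits else None

    def connect(self, account, ad_groups):
        login = self.logins.get(account.lower())
        if login is not None and login.kind != "dynamic":
            # A Login linked to the account wins; templates are not consulted.
            return login if login.enabled and login.kind == "standard" else None
        granted = self.template_groups(ad_groups)
        if granted is None:
            return None  # assumption: no Login and no matching template, no access
        if login is None:
            login = self.add(account, "dynamic")  # saved, appears in the Logins list
        login.groups = granted  # dynamic Logins are refreshed on every connect
        return login if login.enabled else None

    def convert_to_standard(self, account):
        self.logins[account.lower()].kind = "standard"  # stops template refresh

def claire_scenario():
    s = Server()
    s.add(r"mydomain\adTempus users", "template", {"Read-Only Users"})
    ad = [r"mydomain\adTempus users"]           # constructed AD membership
    first = set(s.connect(r"mydomain\claire", ad).groups)
    s.convert_to_standard(r"mydomain\claire")
    s.logins[r"mydomain\adtempus users"].groups = {"All Users"}  # template tightened
    after = set(s.connect(r"mydomain\claire", ad).groups)
    return first, s.logins[r"mydomain\claire"].kind, after
```

The last value returned by `claire_scenario()` still contains "Read-Only Users" after the template was tightened: a converted Login keeps whatever it held at conversion time. Review converted Logins whenever template permissions are reduced.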

Related Concepts

Security Overview