LDAP New User Configuration

When Advantage security is configured to use Lightweight Directory Access Protocol (LDAP) for user authentication and as the data store for User Information (SCUSER), a potential problem exists for users who are defined on the LDAP server but not yet completely defined within security (for example, no organizational information or user Security Roles have been assigned). The LDAP New User Configuration (SCULDAP) page allows user security information to be defined based on the user's first organizational unit on the LDAP server. When a new LDAP user logs into the application for the first time, security assigns the user default organizational values, up to three security roles, and other application user settings, based on the information set up on this page. Advantage uses this setup page when a user who is defined on the LDAP server but not in Advantage logs into Advantage for the first time using the password set up on the LDAP server. This automatic setup is only a temporary solution to allow the user initial access to the application. Most likely a security administrator will later grant the user more customized (and most likely more liberal) access through additional security roles.
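The following is an added illustration of the first-login provisioning flow described above; it is not CGI Advantage code and does not reflect how the SCULDAP or SCUSER tables are actually stored. It assumes the user's DN is available after LDAP authentication, that "first organizational unit" means the OU nearest the user entry (DNs are written leaf-first, per RFC 4514), and that SCULDAP is keyed by OU name. The configuration rows, user IDs, DNs, and function names are constructed for the example. Two behaviours a practitioner should check in any such flow are shown: the three-role cap is enforced even if a configuration row lists more roles, and a user whose OU has no SCULDAP row is refused rather than silently given defaults.

```python
"""Hypothetical model of SCULDAP-driven first-login provisioning (added example,
not CGI Advantage code). Table and field names are borrowed from the text; the
data layout, function names and sample values are assumptions."""
from dataclasses import dataclass, field
import re

MAX_DEFAULT_ROLES = 3  # the page states security assigns "up to three" roles


@dataclass(frozen=True)
class OuDefaults:
    """One SCULDAP-style row: defaults applied to users whose first OU matches."""
    department: str
    unit: str
    roles: tuple  # a row may list more than three; only the first three are applied


@dataclass
class UserRecord:
    """Minimal stand-in for an SCUSER row (assumed layout)."""
    user_id: str
    department: str
    unit: str
    roles: list = field(default_factory=list)
    status: str = "ACTIVE"            # terminated users are locked, never deleted
    provisioned_by: str = "LDAP_DEFAULT"  # marks the record as temporary defaults


# Constructed SCULDAP-style configuration keyed by lower-cased OU name.
SCULDAP_CONFIG = {
    "finance": OuDefaults("FIN", "AP", ("BASIC_USER", "AP_ENTRY")),
    "hr": OuDefaults("HR", "PAY", ("BASIC_USER", "PAY_VIEW", "PAY_ENTRY", "PAY_APPROVE")),
}

_RDN_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*?)\s*$")


def split_dn(dn: str):
    """Split an LDAP DN into (attribute, value) pairs in the order written.

    Backslash escapes (for example '\\,' inside a CN) are honoured so an
    escaped comma does not start a new RDN. Multi-valued RDNs ('+') are not
    handled; they are rare in user entries.
    """
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])   # keep the escaped character literally
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        m = _RDN_RE.match(rdn)
        if not m:
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((m.group(1).lower(), m.group(2)))
    return pairs


def first_ou(dn: str):
    """Return the OU nearest the user entry (first 'ou=' RDN as written), or None."""
    for attr, value in split_dn(dn):
        if attr == "ou":
            return value
    return None


def provision_new_user(user_id: str, dn: str, scuser: dict) -> UserRecord:
    """Create a default SCUSER-style record for a user known to LDAP but not to security.

    Raises ValueError if the user already exists (an existing, possibly locked,
    record must never be overwritten) and PermissionError if the user's first OU
    has no SCULDAP row, so no default access is granted to unmapped users.
    """
    if user_id in scuser:
        raise ValueError(f"{user_id} already defined; refusing to re-provision")
    ou = first_ou(dn)
    if ou is None or ou.lower() not in SCULDAP_CONFIG:
        raise PermissionError(f"no SCULDAP defaults for OU {ou!r}; user not provisioned")
    defaults = SCULDAP_CONFIG[ou.lower()]
    record = UserRecord(user_id, defaults.department, defaults.unit,
                        list(defaults.roles[:MAX_DEFAULT_ROLES]))
    scuser[user_id] = record
    return record


if __name__ == "__main__":
    table = {}
    print(provision_new_user("jdoe", "uid=jdoe,ou=Finance,ou=Staff,dc=example,dc=com", table))
    print(provision_new_user("asmith", "uid=asmith,ou=HR,dc=example,dc=com", table))
```

The `provisioned_by` marker is the piece a security administrator would later query for: it lists the accounts still running on temporary defaults that have not yet been reviewed and given their customized roles.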

It is recommended that User ID records on the LDAP server are never deleted. If User IDs are deleted from the LDAP server when employees are terminated, there is a risk that User IDs previously assigned to terminated employees will be assigned to new employees. Reusing User IDs in this way is known to cause problems with accurate data reporting. If a previously terminated employee is rehired, it is recommended that the employee be assigned exactly the same User ID that the employee had during previous employment.

CGI Advantage tracks all user interaction through User IDs. Maintenance and reporting become inherently difficult if the same User ID is associated with transactions created by two entirely different employees. Similar problems arise when an employee is rehired and assigned a different User ID than the one used during previous employment. In this case, two different User IDs (the old plus the new) must be searched to track the transactions submitted by that same employee.

A good way to ensure that User IDs remain unique to a CGI Advantage user and employee is to make sure that User IDs are never deleted from either the LDAP server or CGI Advantage. In CGI Advantage, the most common way to handle a terminated employee is to keep the user record and mark it as “locked” or “disabled”.

In order for Advantage to work with LDAP, some settings must be configured in the ADV30Params.ini and csf.properties files. Refer to the “Security Setup for LDAP” topic in this user guide for all of the required settings.

Setup Steps