Automatically check AD Group Memberships
0 vote
Hi,
This should happen automatically and immediately once there has been a change to anyones AD Group Membership (you could use their kerberos/NTLM/Windows Authentication to achieve that), and/or allow this to be specified by an admin in the DPS Console.
The reason for requesting this feature, is because;
* We offer RDM as a Microsoft RemoteApp, which is accessed through RDWeb. (RDM itself is running on multiple terminal servers)
* We use a PAM solution, and as such, our users activate their rights on a need-to-need basis, which effectively puts them in/out of a security group that has been given pre-defined rights to a repository.
Ideally; changes in a users’ AD Group memberships shouldn’t be cached at all, it should happen on-the-fly, and you can prevent reading the whole AD for changes to all users, by specifying that users have to be a part of a certain AD group to begin with, so that only users who are a part of that certain AD group, will have their group memberships refreshed on-the-fly.
All Comments (2)
Hello,
We use to check the AD group automatically on logging but this was causing DPS huge performance issue. This is why we synchronize the AD group instead now. I will talk with the team and verify if we can find a better way.
Regards
David Hervieux
Hi David,
I understand that this could cause the user experience to be a bit sluggish, but there's a way around this, which would be to let administrators define a certain AD group where any members within this AD group will have all their AD Group Memberships updated without delay.
As otherwise, using RDM in environments that are using PAM/PIM solutions as a need for a better access control will suffer.
All the best.
Best regards,
Johnny Minde