Configuring Microsoft Active Directory

The users that are in Microsoft™ Active Directory are used to authenticate with i2 Analyze. The groups that are in Active Directory are used for authorization in i2 Analyze.

About this task

Create Microsoft Active Directory groups that match the value of the UserGroup attribute of each <GroupPermissions> element in the i2 Analyze security schema file.

The groups that you create in Microsoft Active Directory are used for authorization in i2 Analyze. To identify the groups correctly, you must ensure that the names of groups in Active Directory exactly match the value of the UserGroup attribute of each <GroupPermissions> element in the security schema.
Note: The security schema that the deployment uses is defined in the ApolloServerSettingsMandatory.properties file. The security schema, and properties files are in the toolkit\configuration\fragments\common\WEB-INF\classes directory.
In a single sign-on setup, the following users must be present in Active Directory:
  • A user for the server that hosts the i2 Analyze application, that is mapped to a Kerberos Service Principal Name (SPN).
  • The users that are used to log in to i2 Analyze.
To authorize users, the following groups must be present in Active Directory:
  • A group for each of the group permission elements in the i2 Analyze security schema.
  • A group for administrators.

Procedure

  1. Create the Microsoft Active Directory groups.

    For more information, see How to Create a Group in Active Directory.

    1. Open the Microsoft Active Directory groups controller.
    2. Create groups whose names exactly match the value of the UserGroup attribute of each <GroupPermissions> element in the i2 Analyze security schema file.
  2. Create any Microsoft Active Directory users.
    Create user accounts that can be used to log in to i2 Analyze.
  3. Make each user a member of the correct groups for your environment.
    The groups that the user is a member of in Active Directory are used for authorization in i2 Analyze.

    For more information, see Adding Users to an Active Directory Group.

Results

The users that can access i2 Analyze are created, and are members of the groups that define their access levels.