Integration with Active Directory

You integrate MYOB Advanced with Microsoft Active Directory (AD) to manage users and access in one place. You create, delete, and manage user accounts by using AD. During integration you map AD groups to user roles in MYOB Advanced to determine users' access rights.

Attention: This functionality is available only if the Active Directory and Other External SSO feature is enabled on the Enable/Disable Features form.
Tip: Enabling integration with AD does not affect the standard authorization and authentication mechanism of MYOB Advanced. With the AD integration enabled, you still can create regular (non-AD) users in MYOB Advanced.

Configuration Steps

To integrate an instance of MYOB Advanced with AD, you perform the following steps:

  1. Enable integration with Active Directory by modifying the web.config file of the application instance, as described in To Enable Active Directory Integration.
    Important: When you save changes to the web.config file, the website is automatically restarted. Make sure that all users are warned about the restart so that they can save their documents in advance.
  2. Map the user roles configured in MYOB Advanced to the groups configured in the Active Directory domain by using the User Roles (SM201005) form in MYOB Advanced. For details, see To Map Active Directory Groups to Roles in MYOB Advanced.
    Tip: Enabling AD integration does not affect the standard authorization and authentication capabilities of MYOB Advanced. With AD integration enabled, you can still create internal users in MYOB Advanced.
  3. Optional: If you need to override roles assigned to AD users, manually add the AD user accounts to the system (if necessary) and specify the roles for the accounts. For details, see To Set Up Role Assignment for Domain Users.

User Accounts of Domain Users in MYOB Advanced

After you have enabled integration with the identity management system, user accounts for domain users are created automatically when the users sign in to your MYOB Advanced instance for the first time.

The accounts of domain users in MYOB Advanced are based on their accounts in the domain. The password of a domain user in MYOB Advanced is the same as the domain account password. The email address and the first and last name of the user are populated from the domain account as well. However, the login, password, email address, and first and last name are managed through the domain and cannot be changed in MYOB Advanced.

Attention: You cannot restore the passwords of domain users by using MYOB Advanced tools. You should restore users' domain credentials by using tools of Active Directory (AD).

To speed up user authentication, MYOB Advanced automatically caches information about AD groups when the number of user groups is greater than or equal to the value of the ADGroupCacheLimit parameter specified in the web.config file. To refresh the cached list of user groups in MYOB Advanced with current information from AD, click Reload AD Groups on the toolbar of the User Roles (SM201005) form.

The Reload AD Groups button appears only when you have integrated the MYOB Advanced instance with AD, AD FS, or Azure AD, and when the number of user groups in AD, AD FS, or Azure AD is greater than or equal to the value of the ADGroupCacheLimit parameter specified in the web.config file. If the number of users and groups in AD is less than the value of the ADGroupCacheLimit parameter, MYOB Advanced retrieves the lists of users and groups directly from AD.

Domain User Authentication

Generally, to sign in to MYOB Advanced, AD users type their domain credentials without specifying the domain name. But some employees may have both a local user account and a domain user account with the same user name. In this case, MYOB Advanced will authenticate the users based on the password they specify (assuming that the local and domain passwords differ).

If both the user names and the passwords are the same for a local user account and a domain user account, on the Sign-In page, the user can select the account to sign in with as follows:

  • To sign in with a local account, the user enters the user name of the local account (as usual).
  • To sign in with a domain account, the user enters the login in the <Domain_Name>\<User_Name> format, where <Domain_Name> is the NetBIOS domain name of the integrated domain and <User_Name> is the user account name in the integrated domain.
Tip: If a local account exists whose name consists of a domain name and a user name from that domain, for example, Terra\User1, a domain user named User1 from the Terra domain will be mapped to this local account and will inherit all of its permissions. In this case the passwords of the local user and the domain user may differ, but both users will access the same user account. To prevent confusion, we recommend that you disable or delete the local accounts of employees who do not perform any administration or configuration tasks in MYOB Advanced.
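The following added example (not MYOB Advanced code) walks through the sign-in rules described in this section: a bare user name is resolved by the password supplied, the <Domain_Name>\<User_Name> form selects the domain account explicitly, and a local account literally named after a domain login captures that domain user as the Tip warns. The NetBIOS name TERRA, the account stores, and the passwords are constructed sample data; plain-string comparison stands in for password hashing and for a bind to the directory. The `find_shadowing_local_accounts` audit helper is an assumption about how an administrator might locate the confusable local accounts the Tip recommends disabling or deleting.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

NETBIOS_DOMAIN = "TERRA"  # assumed NetBIOS name of the integrated domain (constructed)


@dataclass
class AccountStores:
    """Constructed stand-ins for the local user table and the domain directory.
    Plain-text passwords keep the illustration short; real code compares
    password hashes and binds to AD instead of comparing strings."""
    local: Dict[str, str]   # local login -> password
    domain: Dict[str, str]  # domain user name -> password


def parse_login(login: str) -> Tuple[Optional[str], str]:
    """Split 'DOMAIN\\user' into (DOMAIN, user); a bare name yields (None, name)."""
    domain, sep, user = login.partition("\\")
    return (domain.upper(), user) if sep else (None, login)


def resolve_sign_in(login: str, password: str, stores: AccountStores) -> Optional[Tuple[str, str]]:
    """Return (store, account) for a successful sign-in, or None on failure.

    store is 'local' or 'domain'. The rules follow the text above:
      * a bare name is checked against the local store, then against the domain,
        so the password decides when both accounts share a name;
      * 'DOMAIN\\user' explicitly selects the domain account;
      * a local account literally named 'DOMAIN\\user' captures the domain user
        of that name, whichever of the two passwords is supplied (the Tip).
    """
    domain, user = parse_login(login)

    if domain is None:
        if stores.local.get(login) == password:
            return ("local", login)
        if stores.domain.get(login) == password:
            return ("domain", f"{NETBIOS_DOMAIN}\\{login}")
        return None

    if domain != NETBIOS_DOMAIN:
        return None  # only the integrated domain is accepted

    domain_ok = stores.domain.get(user) == password
    # Look for a local login spelled exactly like the qualified domain login.
    shadow = next((n for n in stores.local if n.upper() == login.upper()), None)
    if shadow is not None:
        if domain_ok or stores.local[shadow] == password:
            return ("local", shadow)  # both credentials land in the same local account
        return None
    return ("domain", f"{domain}\\{user}") if domain_ok else None


def find_shadowing_local_accounts(local_logins: Iterable[str],
                                  netbios_domain: str = NETBIOS_DOMAIN) -> List[str]:
    """Audit helper (assumed, not a product feature): local logins of the form
    DOMAIN\\user for the integrated domain. These silently capture the matching
    domain users, so review them and disable or delete the ones that are not
    needed for administration or configuration tasks."""
    prefix = netbios_domain.upper() + "\\"
    return sorted(n for n in local_logins if n.upper().startswith(prefix))


# Constructed sample data: one shared user name (jsmith) and one shadowing
# local account (Terra\User1).
SAMPLE = AccountStores(
    local={"admin": "local-pw", "jsmith": "shared-pw", "Terra\\User1": "legacy-pw"},
    domain={"jsmith": "shared-pw", "User1": "domain-pw", "kwong": "domain-pw-2"},
)

if __name__ == "__main__":
    for login, pw in [("kwong", "domain-pw-2"), ("jsmith", "shared-pw"),
                      ("TERRA\\jsmith", "shared-pw"), ("Terra\\User1", "domain-pw")]:
        print(f"{login:15} -> {resolve_sign_in(login, pw, SAMPLE)}")
    print("shadowing local accounts:", find_shadowing_local_accounts(SAMPLE.local))
```

Note that `jsmith` with the shared password lands in the local account when typed bare and in the domain account only when typed as `TERRA\jsmith`, while `Terra\User1` reaches the same local account with either password; the audit helper lists exactly that account.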

Domain User Authorization

When a domain user tries to access MYOB Advanced, user authorization occurs as follows:

  1. The application instance sends an authentication request to the AD server to validate the user's credentials.
  2. When validation has completed successfully, the AD server sends MYOB Advanced the list of AD groups to which the user is assigned.
  3. MYOB Advanced compares the list of AD groups with the internal MYOB Advanced roles, based on the mapping rules defined on the User Roles (SM201005) form.
  4. The system finds any MYOB Advanced roles that are associated with AD groups to which the domain user account is assigned. If MYOB Advanced finds at least one such role, the user is allowed to sign in to the MYOB Advanced instance.

    The user access rights within the MYOB Advanced application instance are based on the internal list of roles.
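The following added example (not MYOB Advanced code) implements the decision in steps 3 and 4 above: the user's AD groups are intersected with the group-to-role mapping rules, and sign-in is allowed only when at least one role results. The role names, group names, and the per-user group lists that stand in for the AD server's reply are constructed sample data. The `explicit_roles` parameter models the optional per-user role assignment from the configuration steps; that it replaces rather than adds to the group-derived roles is an assumption of this example.

```python
from typing import Dict, Iterable, List, Mapping, Optional, Set, Tuple

# Mapping rules as they would be configured on the User Roles form:
# role -> AD groups mapped to it (constructed sample data).
ROLE_TO_AD_GROUPS: Dict[str, Set[str]] = {
    "Administrator": {"ERP-Admins"},
    "Accountant": {"Finance", "AP-Clerks"},
    "Sales": {"Sales-Team"},
    "Warehouse": set(),  # no mapped group: never granted through AD membership
}

# Stand-in for step 2: the group list the AD server returns for a validated
# user (constructed sample data).
SAMPLE_AD_GROUPS: Dict[str, List[str]] = {
    "jsmith": ["Domain Users", "Finance"],
    "kwong": ["Domain Users", "Sales-Team", "AP-Clerks"],
    "guest1": ["Domain Users"],
}


def roles_for_groups(groups: Iterable[str],
                     mapping: Mapping[str, Set[str]] = ROLE_TO_AD_GROUPS) -> Set[str]:
    """Steps 3 and 4: roles whose mapped AD groups intersect the user's groups.
    Group names are compared case-insensitively, as AD treats them."""
    user_groups = {g.casefold() for g in groups}
    return {role for role, mapped in mapping.items()
            if any(m.casefold() in user_groups for m in mapped)}


def authorize(user: str, groups: Iterable[str],
              mapping: Mapping[str, Set[str]] = ROLE_TO_AD_GROUPS,
              explicit_roles: Optional[Mapping[str, Set[str]]] = None) -> Tuple[bool, List[str]]:
    """Return (allowed, roles) for a user whose credentials AD has already validated.

    explicit_roles models roles assigned manually to a domain user account;
    the assumption here is that such an assignment replaces the group-derived roles."""
    if explicit_roles and user in explicit_roles:
        roles = set(explicit_roles[user])
    else:
        roles = roles_for_groups(groups, mapping)
    # At least one role is required to sign in; access rights then follow the roles.
    return (bool(roles), sorted(roles))


def unmapped_roles(mapping: Mapping[str, Set[str]] = ROLE_TO_AD_GROUPS) -> List[str]:
    """Configuration check: roles that no AD group reaches, which a domain user
    can obtain only through an explicit per-user assignment."""
    return sorted(role for role, mapped in mapping.items() if not mapped)


if __name__ == "__main__":
    for user, groups in SAMPLE_AD_GROUPS.items():
        print(f"{user:8} groups={groups} -> {authorize(user, groups)}")
    print("roles reachable only by explicit assignment:", unmapped_roles())
```

The `guest1` case shows the point of step 4: membership in the domain alone ("Domain Users") yields no role, so the account cannot sign in until it is placed in a mapped group or given a role explicitly.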

For more information about authentication in MYOB Advanced, see Managing User Access. For details about roles and access rights in MYOB Advanced, see Configuring User Roles.

Access Rights of Domain Users

Domain users inherit access rights from the AD groups that you mapped to MYOB Advanced user roles. In addition, you can assign specific user roles to each domain user if the access rights for this user should differ from the AD group rights.

New domain users automatically get the right to sign in to MYOB Advanced when they join the domain, provided they belong to at least one AD group that is mapped to a MYOB Advanced role (see Domain User Authorization). The membership of these users in MYOB Advanced roles is then automatically updated to match their membership in the domain groups.

Attention: The user type functionality, described in User Access: Linked Entities and User Types, cannot be applied to domain users.