Integration with Active Directory
You integrate MYOB Acumatica with Microsoft Active Directory (AD) to manage users and access in one place. You create, delete, and manage user accounts by using AD. During integration you map AD groups with user roles in MYOB Acumatica to determine users' access rights.
Configuration Steps
To integrate an instance of MYOB Acumatica with AD, you perform the following steps:
- Enable integration with Active Directory by modifying the
web.config file of the application instance, as
described in To Enable Active Directory Integration.Important: When you save changes to the web.config file, the website is automatically restarted. Make sure that all users are warned about the restart so that they can save their documents in advance.
- Map the user roles configured in MYOB Acumatica to the groups configured in the Active Directory domain by using the User Roles (SM201005) form in MYOB Acumatica. For details, see To Map Active Directory Groups to Roles in MYOB Acumatica.Tip: Enabling AD integration does not affect the standard authorization and authentication capabilities of MYOB Acumatica. With AD integration enabled, you can still create internal users in MYOB Acumatica.
- Optional: If you need to override roles assigned to AD users, manually add the AD user accounts to the system (if necessary) and specify the roles for the accounts. For details, see To Set Up Role Assignment for Domain Users.
User Accounts of Domain Users in MYOB Acumatica
After you have enabled integration with the identity management system, user accounts for domain users are created automatically when the users sign in to your MYOB Acumatica instance for the first time.
The accounts of domain users in MYOB Acumatica are based on their accounts in the domain. The password of a domain user in MYOB Acumatica is the same as the domain account password. The email address and the first and last name of the user are populated from the domain account as well. However, the login, password, email address, and first and last name are managed through the domain and cannot be changed in MYOB Acumatica.
To speed up authentication of users, the information about AD groups is automatically
cached by MYOB Acumatica, if the count of the user groups is greater than or equal to the value of the
ADGroupCacheLimit
parameter specified in the
web.config file. To update the list of the user groups in
Acumatica ERP with current information from AD, click Reload AD
Groups on the toolbar of the User
Roles (201005) form.
The Reload AD Groups button appears only when you integrated
MYOB Acumatica instance with AD, AD FS or Azure AD and when the number of the user groups in AD,
AD FS or Azure AD is greater than or equal to the value of the
ADGroupCacheLimit
parameter specified in the
web.config file. If the number of the users and groups in
AD is less than the value of the ADGroupCacheLimit
parameter, MYOB Acumatica retrieves the lists of users and groups directly from AD.
Domain User Authentication
Generally, to sign in to MYOB Acumatica, AD users type their domain credentials without specifying the domain name. But some employees may have both a local user account and a domain user account with the same user name. In this case, MYOB Acumatica will authenticate the users based on the password they specify (assuming that the local and domain passwords differ).
If both the user names and the passwords are the same for a local user account and a domain user account, on the Sign-In page, the user can select the account to sign in with as follows:
- To sign in with a local account, the user enters the user name of the local account (as usual).
- To sign in with a domain account, the user enters the login in the <Domain_Name>\<User_Name> format, where <Domain_Name> is the NetBIOS domain name of the integrated domain and <User_Name> is the user account name in the integrated domain.
Domain User Authorization
When a domain user tries to access MYOB Acumatica, user authorization occurs as follows:
- The application instance sends an authentication request to the AD server to validate the user's credentials.
- When validation has completed successfully, the AD server sends MYOB Acumatica the list of AD groups to which the user is assigned.
- MYOB Acumatica compares the list of AD groups with the internal MYOB Acumatica roles, based on the mapping rules defined on the User Roles (SM201005) form.
- The system finds any MYOB Acumatica roles that are associated with AD groups to which the domain user account is
assigned. If MYOB Acumatica finds at least one role, the user is authenticated to sign in to the MYOB Acumatica instance.
The user access rights within the MYOB Acumatica application instance are based on the internal list of roles.
For more information about authentication in MYOB Acumatica, see Managing User Access. For details about roles and access rights in MYOB Acumatica, see Configuring User Roles.
Access Rights of Domain Users
Domain users inherit access rights from the AD groups that you mapped to MYOB Acumatica user roles. In addition, you can assign specific user roles to each domain user if the access rights for this user should differ from the AD group rights.
New domain users automatically get the rights to sign in to MYOB Acumatica when they join a domain. The membership of these users in MYOB Acumatica roles is then automatically updated to comply with the membership of the users in the domain groups.