itopia CAS can be configured to automatically import users from your Active Directory domain and assign them to Collection Pools. When you enable AD auto-import, you can map security groups to Collection Pools within your deployment; CAS will periodically read the membership of these AD groups and add or remove users from Collection Pools.
How Auto-Import Works
When you enable AD auto-import, you must then map at least one CAS security group to a Collection Pool. The security group may either have been imported or created directly in CAS. Mappings are not exclusive; you may map a single security group to multiple Collection Pools or multiple security groups to the same Collection Pool.
For each mapping, CAS will periodically "sync" the membership of the security group from Active Directory to CAS. The membership of the CAS security group will be updated to match the membership in Active Directory, and users in the group will be assigned to the mapped Collection Pool. If the AD group contains AD users that do not exist in CAS, they will automatically be imported.
As an example, you map the "Accounting" security group to the "Finance" Collection Pool. CAS will periodically read the membership of the "Accounting" group in your Active Directory domain; based on this membership, CAS will:
- Import any AD users that do not exist in CAS
- Assign any new or existing CAS users to the "Finance" Collection Pool, if they are not already assigned to that Collection Pool
- Remove any existing CAS users from the "Finance" Collection Pool if they are no longer a member of the "Accounting" group, but only if they were added by a previous auto-import; users that were manually assigned to the Collection Pool are not removed
- Remove any CAS users from the deployment if they:
  - Were added by an auto-import AND
  - Are not a member of any other auto-import group
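The sync rules listed above can be modelled as a small reconciliation pass, which is useful for reasoning about when access is actually revoked after a user leaves an AD group. This is an added example, not itopia's code: `CasState`, `sync` and `demo` are hypothetical names, the sample users and groups are constructed, and the handling of several groups mapped to one pool is an assumption.

```python
from dataclasses import dataclass, field

@dataclass
class CasState:
    # username -> True if created by auto-import, False if added manually
    users: dict = field(default_factory=dict)
    # (username, pool) -> True if the assignment was made by auto-import
    assignments: dict = field(default_factory=dict)

def sync(state, mappings, ad_groups):
    """One sync pass. mappings: [(group, pool)]; ad_groups: {group: set(usernames)}."""
    actions = []
    # Assumption: with several groups mapped to one pool, any one of them justifies the assignment.
    desired = {(u, pool) for group, pool in mappings for u in ad_groups.get(group, set())}
    for user, pool in sorted(desired):
        if user not in state.users:            # AD user unknown to CAS: import
            state.users[user] = True
            actions.append(("import", user))
        if (user, pool) not in state.assignments:
            state.assignments[(user, pool)] = True
            actions.append(("assign", user, pool))
    # Revoke only assignments that auto-import created; manual ones survive.
    for (user, pool), auto in sorted(state.assignments.items()):
        if auto and (user, pool) not in desired:
            del state.assignments[(user, pool)]
            actions.append(("unassign", user, pool))
    # Remove auto-imported users who are in no auto-import group any more.
    members = {u for u, _ in desired}
    for user, auto in sorted(state.users.items()):
        if auto and user not in members:
            for key in [k for k in state.assignments if k[0] == user]:
                del state.assignments[key]
            del state.users[user]
            actions.append(("remove_user", user))
    return actions

def demo():
    # Constructed sample data: alice and carol were auto-imported, bob was added manually.
    state = CasState(
        users={"alice": True, "bob": False, "carol": True},
        assignments={("alice", "Finance"): True, ("bob", "Finance"): False,
                     ("carol", "Finance"): True, ("carol", "HR"): True})
    mappings = [("Accounting", "Finance"), ("People", "HR")]
    ad_groups = {"Accounting": {"dave"}, "People": {"carol"}}
    return sync(state, mappings, ad_groups), state

if __name__ == "__main__":
    actions, state = demo()
    for a in actions: print(a)
    print(state)
```

In the sample run, bob keeps his manually assigned pool even though he is not in the "Accounting" group, which is the case to check when auditing who still has access after an AD group change.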
Auto-Imported User Behavior
When a user is added to CAS via an AD auto-import, their CAS user is handled slightly differently than when they are added via other methods. Specifically:
- Users that were created via AD auto-import cannot be manually removed from CAS; instead, the user must be removed from the AD security group and a sync must occur. If the user is not a member of any other AD auto-import groups, the CAS user will be removed.
- However, if a user is created via AD auto-import and AD auto-import is later disabled, the administrator can decide whether to convert auto-imported users to standard users, in which case they can be removed from CAS manually.
Step-By-Step: Configuring AD Auto-Import
1. Log into the CAS Admin Console (cas.itopia.com) as a user with at least the Deployment Editor role, or with custom permissions that include Create/Delete Users, Edit Users, and Create/Edit/Delete Security Groups.
2. Using the left-hand menu, navigate to Settings » Active Directory.
3. Enable the Automatically import users and groups from Active Directory option.
4. Click the Add Mapping button.
5. Select a CAS security group and its corresponding Collection Pool.
6. Repeat steps 4 and 5 as necessary.
7. Click Save.
- By default, an AD auto-import sync occurs every twelve hours. Administrators can change this interval to once every six hours or every twenty-four hours. Once the AD auto-import is enabled, administrators can also perform an immediate manual synchronization using the CAS Admin Console (cas.itopia.com) or the CAS REST API. Note that performing syncs too often may impact Active Directory performance.
- If users are members of multiple security groups that are mapped to Collection Pools, they will be assigned to multiple Collection Pools and will see resources from all Collection Pools in the Cloud VDI Portal (portal.cloudvdi.net).
- If a user is imported into CAS by AD auto-import, they cannot be manually deleted. They must be removed from all AD groups that are configured in AD auto-import and, after a sync, they will be removed from CAS.