Username Semantics - Metasys - LIT-1201528 - General System Information - Metasys System - 12.0.50

Security Administrator System Technical Bulletin

Brand
Metasys
Product name
Metasys System
Document type
Technical Bulletin
Document number
LIT-1201528
Version
12.0.50
Revision date
2023-06-02
Language
English

An Active Directory service fully qualified username consists of three parts: the user login name, an at sign (@), and the domain specifier:

{User Login Name}@{Domain Specifier}

Note: Active Directory usernames cannot be the same as a local Metasys username.

The user login name must be an existing name that is a member of the Active Directory service, and the domain specifier can be either at the domain level or at the forest level depending on your web.config file appSettings section. For more information, see the Steps to Enable Exact UPN Format section.

You can enable authentication for an exact UPN format that complies with Microsoft Office 365 authentication in which the domain specifier is at the forest level. For example, you can have company.com instead of division.company.com.

If the hybrid UPN format is the only UPN format available, the domain specifier must be a fully qualified domain name (FQDN). For example, division.company.com instead of company.com.

If you rename the user’s login name, the Metasys Administrator must synchronize the user with Active Directory service before the rename is recognized in the Metasys system. The user cannot use SSO login-free access to the Metasys system until the synchronization occurs. For synchronization details, see User Name Synchronization in the Metasys System. If you change the domain specifier for the user, that is, move the user to another domain, you must delete the original user, then re-add the user to the Metasys system using the new domain name.

You can add an Active Directory service user with any of these methods see Figure 1:

  • In the toolbar section of the Security Administration screen, click the Add Active Directory User icon.
  • On Security Administrator screen, click the Insert > Insert Active Directory User menu option.
  • In the Roles and Users tab, right-click the Active Directory Users folder.

You can change a Metasys system user account from a Metasys local account to an Active Directory service user account. However, since the Metasys system does not provide a method to convert the user directly, choose on of the following options:

  • Keep the Metasys local user account active as a backup account in case the Active Directory service becomes temporarily unavailable. Remember that the new Active Directory service user account is not linked in any way to the Metasys local account. This means that, the local account remains under the control of the existing Metasys system tools, including password changes.
  • Disable the Metasys local account after you are sure that you have correctly set up the user’s Active Directory service user account in the Metasys system.
  • Delete the Metasys local account after you are sure that you have correctly set up the user’s Active Directory service user account in the Metasys system.

Under normal circumstances, each user needs one account to access the Metasys system.