MicroStrategy ONE
Manage LDAP Authentication
While working with MicroStrategy and implementing LDAP authentication, you may want to improve performance or troubleshoot your LDAP implementation. The sections below cover steps that can help your LDAP authentication and MicroStrategy systems work as a cohesive unit.
- If your LDAP server information changes, or to edit your LDAP authentication settings in general, see Modifying Your LDAP Authentication Settings.
- If you want to modify the settings for importing users into MicroStrategy, for example, if you initially chose not to import users, and now want to import users and groups, see Importing LDAP Users and Groups into MicroStrategy.
- If you choose to synchronize users and groups in batches, and want to select a synchronization schedule, see Selecting Schedules for Importing and Synchronizing Users.
- If you are using single sign-on (SSO) authentication systems, such as Windows NT authentication or trusted authentication, you can link users' SSO credentials to their LDAP user names, as described in Using LDAP with Single Sign-On Authentication Systems.
- Depending on the way your LDAP directory is configured, you can import additional LDAP attributes for users, for example, a countryCode attribute, indicating the user's location. These additional LDAP attributes can be used to create security filters for users, such as displaying data that is relevant to the user's country. For information on creating these security filters, see Using LDAP Attributes in Security Filters.
Modifying Your LDAP Authentication Settings
Depending on changes in your organization's policies, you may need to modify the LDAP authentication settings in MicroStrategy. To modify your LDAP authentication settings, you can use the Intelligence Server Configuration Editor. The steps to access the LDAP settings in the Intelligence Server Configuration Editor are described below.
To Access LDAP Authentication Settings in the Intelligence Server Configuration Editor
- In Developer, log in to a project source as a user with administrative privileges.
- From the Administration menu, select Server, and click Configure MicroStrategy Intelligence Server.
- Expand the LDAP category. The LDAP settings are displayed. You can modify the following:
- Your LDAP server settings, such as the machine name, port, and so on.
- Your LDAP SDK information, such as the location of the LDAP SDK DLL files.
- The LDAP search filters that Intelligence Server uses to find and authenticate users.
- If you are importing and synchronizing users or groups in batches, the synchronization schedules.
- If you are importing users and groups, the import settings.
Importing LDAP Users and Groups into MicroStrategy
You can choose to import LDAP users and groups at login, in a batch process, or a combination of the two, described as follows:
- Importing users and groups at login: When an LDAP user logs in to MicroStrategy for the first time, that user is imported into MicroStrategy and a physical MicroStrategy user is created in the MicroStrategy metadata. Any groups associated with that user that are not already in MicroStrategy are also imported and created in the metadata.
- Importing users and groups in batches: Lists of users and groups are returned from user and group searches on your LDAP directory. MicroStrategy users and groups are created in the MicroStrategy metadata for all imported LDAP users and groups.
This section covers the following:
- For information on setting up user and group import options, see Importing Users and Groups into MicroStrategy.
- Once you have set up user and group import options, you can import additional LDAP information, such as users' email addresses, or specific LDAP attributes. For steps, see Importing Users' Email Addresses.
- For information on assigning security settings after users are imported, see User Privileges and Security Settings after Import.
Importing Users and Groups into MicroStrategy
You can choose to import users and their associated groups when a user logs in to MicroStrategy for the first time.
- Ensure that you have reviewed the information and made decisions regarding your organization's policy on importing and synchronizing user information, described in the following sections:
- If you want to import users and groups in batches, you must define the LDAP search filters to return lists of users and groups to import into MicroStrategy. For information on defining search filters, see Checklist: Information Required for Connecting Your LDAP Server to MicroStrategy.
To Import Users and/or Groups into MicroStrategy
- In Developer, log in to a project source as a user with administrative privileges.
- From the Administration menu, select Server > Configure MicroStrategy Intelligence Server.
- Expand the LDAP category, then expand Import, and then select Import/Synchronize.
- If you want to import user and group information when users log in, in the Import/Synchronize at Login area, do the following:
- To import users at login, select Import Users.
- To allow MicroStrategy's user information to automatically synchronize with the LDAP user information, select Synchronize MicroStrategy User Login/User Name with LDAP.
- To import groups at login, select Import Groups.
- To allow MicroStrategy's group information to automatically synchronize with the LDAP group information, select Synchronize MicroStrategy Group Name with LDAP.
- If you want to import user and group information in batches, in the Import/Synchronize in Batch area, do the following:
- To import users in batches, select Import Users. You must also enter a user search filter in the Enter search filter for importing list of users field to return a list of users to import.
- To synchronize MicroStrategy's user information with the LDAP user information, select Synchronize MicroStrategy User Login/User Name with LDAP.
- To import groups in batches, select Import Groups. You must also enter a group search filter in the Enter search filter for importing list of groups field to return a list of groups to import.
- To synchronize MicroStrategy's group information with the LDAP group information, select Synchronize MicroStrategy Group Name with LDAP.
- To modify the way that LDAP user and group information is imported, for example, to import group names as the LDAP distinguished name, under the LDAP category, under Import, click User/Group.
- Click OK.
Once a user or group is created in MicroStrategy, the users are given their own inboxes and personal folders. Additionally, you can do the following:
- Import users' email addresses. For steps, see Importing Users' Email Addresses.
- Assign privileges and security settings that control what a user can access in MicroStrategy. For information on assigning security settings after users are imported, see User Privileges and Security Settings after Import.
- Import additional LDAP attributes, which can then be used in security filters for users. For steps, see Using LDAP Attributes in Security Filters.
Importing Users' Email Addresses
Depending on your requirements, you can import additional information, such as users' email addresses, from your LDAP directory. For example, if you have a license for MicroStrategy Distribution Services, then when you import LDAP users, either in a batch or at login, you can import these email addresses as contacts associated with those users.
To Import Users' Email Addresses from LDAP
- In Developer, log in to a project source as a user with administrative privileges.
- From the Administration menu, select Server, and then select Configure MicroStrategy Intelligence Server.
- Expand the LDAP category, then expand Import, and select Options.
- Select Import Email Address.
- Select whether to use the default LDAP email address attribute of mail, or to use a different attribute. If you want to use a different attribute, specify it in the text field.
- From the Device drop-down list, select the email device that the email addresses are to be associated with.
- Click OK.
User Privileges and Security Settings after Import
Imported users receive the privileges of the MicroStrategy LDAP Users group. You can add additional privileges to specific users in the LDAP Users group using the standard MicroStrategy process in the User Editor. You can also adjust privileges for the LDAP Users group as a whole. Group privileges can be modified using the MicroStrategy Group Editor.
The privileges and security settings assigned to LDAP users imported in MicroStrategy depend on the users' associated MicroStrategy group privileges and security permissions. To see the default privileges assigned to a user or group, in the folder list, expand your project source, expand Administration, and then expand User Manager. Right-click the group (or select the group and right-click the user) and select Edit. The Project Access tab displays all privileges for each project in the project source.
The process of synchronizing users and groups can modify which groups a user belongs to, and thus modify the user's privileges and security settings.
Selecting Schedules for Importing and Synchronizing Users
If you choose to synchronize users and groups in batches, you can select a schedule that dictates when LDAP users and groups are synchronized in MicroStrategy. For information on creating and using schedules, see Creating and Managing Schedules. To select a synchronization schedule for LDAP, follow the steps below.
To Select a Schedule for Importing and Synchronizing Users
- In Developer, log in to a project source as a user with administrative privileges.
- From the Administration menu, select Server, and then select Configure MicroStrategy Intelligence Server.
- Expand the LDAP category, then click Schedules. The available schedules are displayed. By default, all the checkboxes for all the schedules are cleared.
- Select the schedules to use as LDAP user and group synchronization schedules.
- To synchronize your MicroStrategy users and groups with the latest LDAP users and groups immediately, select Run schedules on save.
- Click OK.
Using LDAP with Single Sign-On Authentication Systems
If you are using single sign-on (SSO) authentication systems, such as Windows NT authentication or trusted authentication, you can link users' SSO credentials to their LDAP user names, and import the LDAP user and group information into MicroStrategy. For information about configuring a single sign-on system, see Enable Single Sign-On Authentication.
Depending on the SSO authentication system you are using, refer to one of the following sections for steps:
- If you are using Windows NT authentication, see Implement Windows NT Authentication.
- If you are using integrated or trusted authentication, see Enabling Integrated Authentication.
Using LDAP Attributes in Security Filters
You may want to integrate LDAP attributes into your MicroStrategy security model. For example, you want users to only see sales data about their country. You import the LDAP attribute countryName, create a security filter based on that LDAP attribute, and then you assign that security filter to all LDAP users. Now, when a user from Brazil views a report that breaks down sales revenue by country, they only see the sales data for Brazil.
LDAP attributes are imported into MicroStrategy as system prompts. A system prompt is a special type of prompt that is answered automatically by Intelligence Server. The LDAP attribute system prompts are answered with the related LDAP attribute value for the user who executes the object containing the system prompt. You import LDAP attributes into MicroStrategy from the Intelligence Server Configuration Editor.
Once you have created system prompts based on your LDAP attributes, you can use those system prompts in security filters to restrict the data that your users can see based on their LDAP attributes. For information about using system prompts in security filters, including instructions, see Restricting Access to Data: Security Filters. For general information about security filters, see Restricting Access to Data: Security Filters.
To Import an LDAP Attribute into a Project
- In Developer, log in to a project source.
- From the Administration menu, point to Server and then select Configure MicroStrategy Intelligence Server.
- Expand the LDAP category, then expand the Import category, and then select Attributes.
- From the Select LDAP Attributes drop-down list, select the LDAP attribute to import.
- From the Data Type drop-down list, select the data type of that attribute.
- Click Add.
- Click OK.
Controlling Project Access with LDAP Attributes
By default, an LDAP user can log in to a project source even if the LDAP attributes that are used in system prompts are not defined for that user. To increase the security of the system, you can prevent LDAP users from logging in to a project source unless all LDAP attributes that are used in system prompts are defined for that user.
When you select this option, you prevent all LDAP users from logging in to the project source if they do not have all the required LDAP attributes. This affects all users using LDAP authentication, and also any users using Windows, Trusted, or Integrated authentication if those authentication systems have been configured to use LDAP. For example, if you are using Trusted authentication with a SiteMinder single sign-on system, and SiteMinder is configured to use an LDAP directory, this option prevents SiteMinder users from logging in if they do not have all the required LDAP attributes.
- This setting prevents users from logging in to all projects in a project source.
- If your system uses multiple LDAP servers, make sure that all LDAP attributes used by Intelligence Server are defined on all LDAP servers. If a required LDAP attribute is defined on LDAP server A and not on LDAP server B, and the User login fails if LDAP attribute value is not read from the LDAP server checkbox is selected, users from LDAP server B will not be able to log in to MicroStrategy.
To Only Allow Users with All Required LDAP Attributes to Log In to the System
- In Developer, log in to a project source.
- From the Administration menu, point to Server and then select Configure MicroStrategy Intelligence Server.
- Expand the LDAP category, then expand the Import category, and then select Attributes.
- Select the User logon fails if LDAP attribute value is not read from the LDAP server checkbox.
- Click OK.
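Because this checkbox blocks every LDAP-backed login that lacks a required attribute, it helps to find the affected accounts on each LDAP server before selecting it. The following is an added example, not MicroStrategy code: it assumes you have exported the user entries from each server as LDIF (for example with your user search filter), and the names parse_ldif, audit and REQUIRED are hypothetical.

```python
import base64
import re

# Attributes used in system prompts, lowercase. countryName is the page's
# example; the real set for a deployment is an assumption to fill in.
REQUIRED = {"countryname"}

def parse_ldif(text):
    """Parse LDIF text into a list of (dn, {attr_lowercase: [values]})."""
    lines = re.sub(r"\r?\n ", "", text).splitlines()   # unfold continuation lines
    entries, dn, attrs = [], None, {}
    for line in lines + [""]:               # trailing blank flushes the last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        if line.startswith("#"):            # comment lines, as ldapsearch emits
            continue
        name, _, rest = line.partition(":")
        value = rest.strip()
        if rest.startswith(":"):            # "attr:: <base64 value>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        name = name.split(";")[0].lower()   # drop options such as ;lang-en
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return entries

def audit(exports, required=REQUIRED):
    """exports: {server_label: ldif_text} -> {server_label: {dn: [missing attrs]}}."""
    report = {}
    for server, text in exports.items():
        gaps = {dn: sorted(required - {a for a, v in attrs.items() if any(v)})
                for dn, attrs in parse_ldif(text)}
        report[server] = {dn: m for dn, m in gaps.items() if m}
    return report

# Constructed sample exports, one per LDAP server (not real directory data).
SERVER_A = "dn: uid=ana,ou=people,dc=example,dc=com\ncountryName: BR\n\n" \
           "dn: uid=li,ou=people,dc=example,dc=com\ncountryName:: Q04=\n"
SERVER_B = "dn: uid=sam,ou=people,dc=example,\n dc=com\nmail: sam@example.com\n\n" \
           "dn: uid=kim,ou=people,dc=example,dc=com\ncountryName:\n"

if __name__ == "__main__":
    for server, users in audit({"A": SERVER_A, "B": SERVER_B}).items():
        for dn, missing in users.items():
            print(f"server {server}: {dn} lacks {', '.join(missing)}")
```

An empty report for every server means no exported user would be locked out by the setting; any DN listed needs the attribute populated on that server first.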