Active Directory Groups in User Management

For tenants with high turnover across large numbers of users, you can map CDO to your Active Directory (AD) groups instead of adding individual users to CDO, which makes your user lists and user roles easier to manage. User changes, such as adding a new user or removing existing users, can then be made in Active Directory and no longer need to be made in CDO.

You must have a SuperAdmin user role to add, edit, or delete an AD group from the User Management page. See User Roles for more information.

Active Directory Groups Tab

The User Management section of the Settings page has a tab for Active Directory Groups that are currently mapped to CDO. Most importantly, this page displays the role of the AD group as assigned in your AD manager.

Users within an AD group are not listed individually in either the Active Directory Groups tab or the Users tab.

Audit Logs Tab

The User Management section of the Settings page has a tab for Audit Logs. This new section shows the last login time of every user who accessed a CDO tenant, and the role(s) each user held at the time of that last login. This includes both explicit user logins and AD group logins.

Multi-role Users

As an extension of the IAM capabilities in CDO, a user can now have multiple roles.

A user can be part of multiple groups in AD, and each of those groups can be defined in CDO with a different CDO role. The final permissions a user gets on login are a combination of the roles of all the AD groups defined in CDO that the user is part of. For instance, if a user is part of two AD groups and both groups are added in CDO with two different roles, such as edit-only and deploy-only, the user would have both edit-only and deploy-only permissions. This applies to any number of groups and roles.

AD group mappings only need to be defined once in CDO, and managing access and permissions for users can subsequently be achieved exclusively in AD by adding, removing, or moving users between different groups.

Note

If a user is both an individual user and part of an AD group on the same tenant, the user role of the individual user overrides the user role of the AD group.
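
The two role rules above (roles of mapped AD groups combine; an individual user role overrides AD group roles) can be modeled for an access review as follows. This is an added example, not CDO code: the group names, user names, and data structures are constructed assumptions, and only the role names edit-only, deploy-only, and SuperAdmin come from this page.

```python
# Added example, not CDO code. All names and data below are constructed.
GROUP_ROLES = {                      # AD group -> role defined for it in CDO
    "net-editors": "edit-only",
    "net-deployers": "deploy-only",
    "sec-admins": "SuperAdmin",
}
INDIVIDUAL_ROLES = {                 # users added directly to the tenant
    "dana@example.com": "edit-only",
}
AD_MEMBERSHIPS = {                   # user -> AD groups, e.g. from a directory export
    "alex@example.com": ["net-editors", "net-deployers", "hr-staff"],
    "dana@example.com": ["sec-admins"],
    "sam@example.com": ["hr-staff"],
}


def group_roles(user):
    """Combined roles of every AD group the user is in that is defined in CDO."""
    return {GROUP_ROLES[g] for g in AD_MEMBERSHIPS.get(user, []) if g in GROUP_ROLES}


def effective_roles(user):
    """Roles the user holds on login, following the two rules on this page."""
    if user in INDIVIDUAL_ROLES:             # individual role overrides AD groups
        return {INDIVIDUAL_ROLES[user]}
    return group_roles(user)                 # otherwise: combination of group roles


def overridden_users():
    """Users whose individual role masks different roles granted through AD groups."""
    findings = {}
    for user, role in INDIVIDUAL_ROLES.items():
        masked = group_roles(user) - {role}
        if masked:
            findings[user] = sorted(masked)
    return findings


if __name__ == "__main__":
    for user in sorted(AD_MEMBERSHIPS):
        print(user, sorted(effective_roles(user)) or "no roles")
    for user, masked in overridden_users().items():
        print(f"review: {user} individual role masks AD group roles {masked}")
```

Users flagged by `overridden_users()` are the ones for whom a group change made in AD does not change the role they hold in CDO, so they are worth checking whenever access is meant to be managed exclusively in AD.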