
How to add Active Directory security groups and use them to sign in to Safetica console

Learn how to sync accounts from Active Directory (AD) security groups, assign permissions to these groups, and use them to sign in to Safetica console.

❗This feature is only available in Safetica hosted on-premises.

Introduction

Besides creating new accounts manually (learn more about that here), you can also sync Safetica admin accounts by adding security groups from your Active Directory (AD).


Permissions for adding AD security groups

Permissions for adding AD security groups are as follows:

  • Add/remove a security group: Only Safetica admins with the Settings and configuration permission can add or remove AD security groups. The permission can be enabled or disabled in Settings > Accounts and permissions.

 

How to add an AD security group

Follow these steps to add an AD security group to Safetica console:

  1. Go to Settings > Accounts and permissions and click Add security group.
  2. Connect to your AD server: Enter the server name or address and credentials (use the format domain\username and password).
    • For a local AD server, you can use localhost as the server address.
  3. Select a security group: Browse the list or use the search bar to find the desired security group.

❗You can select only 1 security group.

  4. Click Add security group.
  5. Assign permissions: Assign permissions for the selected security group. Permissions apply to all accounts within the group and are configured the same way as for accounts created manually. Learn more about permissions here.
  6. The added security group will appear in the list of Safetica admin accounts.

Accounts from security groups are synced on-demand during authentication. They do not sync periodically.

 

 

How to sign in to Safetica console using accounts from AD security groups

Once an AD security group is added, its accounts can sign in to Safetica console with their AD credentials.

How to sign in using a security group account:

  1. Enter your AD credentials: Use the format domain\username and password. These credentials are authenticated against the specified domain.
  2. Permissions verification: Permissions are based on the security group to which the account belongs. When signing in, Safetica checks the security groups associated with the account. The first group found in the list of Safetica admin accounts determines the user’s permissions.
  3. Account creation: Safetica dynamically creates an admin account for identification and data storage. Attributes such as email, SID, and canonical name are used to fill in additional info.
  4. Visibility: Individual admin accounts from AD security groups will not appear in the Accounts and permissions list. Only the security groups themselves are displayed.

❗Users signed in via an AD security group cannot change their password in Safetica console.
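
Because the permissions-verification step above resolves an account by the first matching group, an account that belongs to more than one added security group can end up with permissions you did not intend. The following PowerShell is an added example, not part of Safetica's documentation or product, that flags such accounts. The group names, accounts and list order are constructed, and filling the map with `Get-ADGroupMember -Recursive` assumes nested membership counts, which the article does not state.

```powershell
# Added example. Group names, accounts and the list order below are constructed.
# Input: ordered map of the security groups added to Safetica console -> member accounts.
# To fill a value from a live domain (ActiveDirectory RSAT module), use for example:
#   (Get-ADGroupMember -Identity 'GroupName' -Recursive |
#       Where-Object objectClass -eq 'user').SamAccountName
# Assumption: -Recursive (nested groups) matches how Safetica evaluates membership.
$SafeticaGroups = [ordered]@{
    'SEC-Safetica-Viewers'  = @('alice', 'bob', 'carol')
    'SEC-Safetica-Admins'   = @('carol', 'dave')
    'SEC-Safetica-Auditors' = @('bob', 'erin')
}

function Find-AmbiguousSafeticaAdmin {
    param(
        [Parameter(Mandatory)]
        [System.Collections.Specialized.OrderedDictionary] $Groups
    )

    # Build account -> groups it belongs to, preserving the order of the group list.
    $byAccount = @{}
    foreach ($group in $Groups.Keys) {
        foreach ($account in $Groups[$group]) {
            $key = $account.ToLowerInvariant()   # AD account names are case-insensitive
            if (-not $byAccount.ContainsKey($key)) {
                $byAccount[$key] = [System.Collections.Generic.List[string]]::new()
            }
            $byAccount[$key].Add($group)
        }
    }

    # Report only accounts that match more than one group: with first-match
    # resolution, every group after the first is ignored for that account.
    foreach ($key in ($byAccount.Keys | Sort-Object)) {
        $hits = $byAccount[$key]
        if ($hits.Count -gt 1) {
            [pscustomobject]@{
                Account        = $key
                FirstMatch     = $hits[0]
                ShadowedGroups = ($hits | Select-Object -Skip 1) -join ', '
            }
        }
    }
}

Find-AmbiguousSafeticaAdmin -Groups $SafeticaGroups | Format-Table -AutoSize
```

Review each flagged account and either remove the overlapping membership in AD or confirm that the first-matching group carries the permissions you intend.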

 

 

How to remove an AD security group from Safetica console

You can either disable an AD security group or completely delete it from Safetica console.

Disable a security group: Disabling a security group works the same as disabling an admin account. Learn how to disable an account here.

Delete a security group: You can delete a security group from Safetica console the same way as you delete an admin account. Learn how to delete an account here.

The AD security group will be deleted from Safetica, and its admin accounts will no longer be able to sign in to Safetica console (unless they are part of another security group).

❗After disabling or deleting a security group in the Safetica console, there may be a short delay before the associated admin is signed out.