Managing Third-Party Vendor Entitlements When Using Active Directory
When third-party vendors want to use Active Directory with the Delinea Connector to log in to the Delinea Platform, you must make the following changes to ensure that these third-party vendors can be granted the appropriate entitlements in Secret Server.
(For more information about the Connector, see Using the Delinea Connector.)
Notes:
- Permissions: Ensure you have the necessary permissions to modify user attributes and make schema changes.
- Replication: Be aware of Active Directory replication delays if you're working in a multi-domain-controller environment.
- Testing: Always test schema changes in a development environment before applying them in production.
- When the user logs in to the Delinea Platform, they will be granted the appropriate third-party vendor entitlements.
To make the user attribute and schema changes that allow third-party vendors to be granted the appropriate entitlements in Secret Server:

- Open the Active Directory Schema Console.
  - Open a Command Prompt as an administrator.
  - Type the following command and press Enter to register the Schema Management console:
        regsvr32 schmmgmt.dll
  - Type the following command and press Enter to open the Microsoft Management Console (MMC):
        mmc
  - In the MMC, choose File > Add/Remove Snap-in.
  - Select Active Directory Schema and click Add, then click OK.
- Create an Attribute:
  - In the Active Directory Schema console, right-click Attributes and select Create Attribute.
  - A prompt is displayed, warning that you cannot delete the attribute once it is created. Click Continue.
  - Create a new custom attribute named platformUserMembershipType. Fill in the required fields: Common Name, LDAP Display Name, and OID. Ensure you have a unique X.500 object identifier for the attribute that is appropriate for your Active Directory. For more information, see Obtaining an Object Identifier from Microsoft on the Microsoft learning portal.
- Add an Attribute Class:
- Assign the Custom Attribute to a User:
  After defining the custom attribute, you can assign it to users using tools such as PowerShell or Active Directory Users and Computers (ADUC).

  Using PowerShell:
  To set a custom attribute for a user with PowerShell, use the following command:
  Example: To add the custom attribute platformUserMembershipType to the user jdoe and assign it a value of vendor:
        Set-ADUser -Identity "jdoe" -Add @{platformUserMembershipType = "vendor"}
  To update the value for the attribute, use the -Replace parameter instead of -Add:
        Set-ADUser -Identity $username -Replace @{$attributeName = $attributeValue}
  Example: To update the custom attribute platformUserMembershipType for the user jdoe and assign it a value of employee:
        Set-ADUser -Identity "jdoe" -Replace @{platformUserMembershipType = "employee"}
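The following script is an added example and is not part of the Delinea documentation or the Delinea product. It wraps the Set-ADUser call shown above so that the attribute is confirmed to exist in the schema before the write, the write is verified by reading it back from the same domain controller (which sidesteps the replication-delay note), and a small inventory function lists every account currently tagged as a vendor for access review. It assumes the RSAT ActiveDirectory module is installed; the function names, the -Server handling and the sample user jdoe are illustrative choices, not Delinea conventions.

```powershell
# Added example (not from the Delinea documentation): set the custom
# platformUserMembershipType attribute on a user, verify the write, and
# list vendor-tagged accounts. Assumes the ActiveDirectory module and
# that the schema attribute has already been created as described above.
Import-Module ActiveDirectory

$AttributeName = 'platformUserMembershipType'

function Test-PlatformAttributeInSchema {
    # Confirm the attribute is defined in the schema naming context before
    # writing it; Set-ADUser otherwise fails with a generic LDAP error.
    param([string]$Name = $AttributeName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$Name)"
    return [bool]$attr
}

function Set-PlatformMembershipType {
    # Illustrative helper name. Supports -WhatIf so the change can be
    # previewed in a test environment first.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]$Identity,
        # The page documents the values "vendor" and "employee".
        [Parameter(Mandatory)] [ValidateSet('vendor', 'employee')] [string]$Value,
        # Pin a single writable DC so the read-back below is not affected
        # by replication lag between domain controllers.
        [string]$Server = [string](Get-ADDomainController -Discover -Writable).HostName
    )
    if (-not (Test-PlatformAttributeInSchema)) {
        throw "Attribute $AttributeName is not defined in the schema."
    }
    # -Replace works whether or not the attribute already holds a value;
    # -Add would fail on a single-valued attribute that is already set.
    if ($PSCmdlet.ShouldProcess($Identity, "Set $AttributeName = $Value")) {
        Set-ADUser -Identity $Identity -Replace @{ $AttributeName = $Value } -Server $Server
    }
    # Verify against the DC that took the write.
    $user = Get-ADUser -Identity $Identity -Properties $AttributeName -Server $Server
    if ($user.$AttributeName -ne $Value) {
        throw "Verification failed: $Identity has '$($user.$AttributeName)', expected '$Value'."
    }
    return $user
}

function Get-VendorTaggedUsers {
    # Inventory of every account tagged as a third-party vendor, with the
    # account state and last-change time, for periodic entitlement reviews.
    Get-ADUser -LDAPFilter "($AttributeName=vendor)" -Properties $AttributeName, whenChanged |
        Select-Object SamAccountName, Enabled, whenChanged, $AttributeName
}

# Usage (sample user jdoe is constructed for this example):
# Set-PlatformMembershipType -Identity 'jdoe' -Value 'vendor' -WhatIf
# Set-PlatformMembershipType -Identity 'jdoe' -Value 'vendor'
# Get-VendorTaggedUsers | Format-Table -AutoSize
```

Reading the value back from the same domain controller that accepted the write is deliberate: a read routed to a different DC can return the old value for minutes in a multi-site forest and make a successful change look like a failure.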
  Using Active Directory Users and Computers:
  - Open Active Directory Users and Computers from the Administrative Tools.
  - Click View and select Advanced Features.
  - Edit User Properties:
    - Find the user, right-click, and select Properties.
    - Choose the Attribute Editor tab.
    - Locate your custom attribute and enter the desired value.
  - Click OK or Apply to save the changes.