BusinessObjects Enterprise Administrator's Guide

Mapping AD accounts

To simplify administration, BusinessObjects Enterprise supports AD authentication for user and group accounts. However, before users can use their AD user name and password to log on to BusinessObjects Enterprise, their AD user account needs to be mapped to BusinessObjects Enterprise. When you map an AD account, you can choose to create a new BusinessObjects Enterprise account or link to an existing BusinessObjects Enterprise account.

To map AD users and groups

Before starting this procedure, ensure that you have the appropriate AD domain and group information. As well, you must have created a domain user account on your AD server for BusinessObjects Enterprise to use when authenticating AD users and groups.

Go to the Authentication management area of the CMC.
Click the Windows AD tab.

Ensure that the Windows Active Directory Authentication is enabled check box is selected.
If you will be using single sign-on, select the Single Sign On is enabled check box.

Note: If you select this option, you must also configure the IIS for single sign-on. For details, see Setting up AD single sign-on. Failing to configure IIS could compromise your system security if the account that IIS runs under belongs to a mapped group, because users who use one of the web applications would automatically have the same access privileges as the IIS machine account.

In the "AD Administration Credentials" area, enter the name and password of the domain user account you've set up on your AD server for BusinessObjects Enterprise to use when authenticating AD users and groups.

Administration credentials can use one of the following formats:

NT name (DomainName\UserName)
UPN (user@DNS_domain_name)

Administration credentials must be entered to enable AD authentication, map groups, check rights, and so on.

Complete the Default AD Domain field.

Note:

Groups from the default domain can be mapped without specifying the domain name prefix.
By entering the Default AD Domain name, users from the default domain do not have to specify the AD domain name when they log on to BusinessObjects Enterprise via AD authentication.

In the "Mapped AD Member Groups" area, enter the AD domain\group in the Add AD Group (Domain\Group) field.

Groups can be mapped using one of the following formats:

NT name (DomainName\GroupName)
DN (cn=GroupName, ......, dc=DomainName, dc=com)
Note: If you want to map a local group, you can use only the NT name format (\\ServerName\GroupName). Windows AD does not support local users. This means that local users who belong to a mapped local group will not be mapped to BusinessObjects Enterprise. Therefore they will not be able to access BusinessObjects Enterprise.

Click Add.

The group is added to the list.

New Alias Options allow you to specify how AD aliases are mapped to Enterprise accounts. Select either:

Assign each added AD alias to an account with the same name
Use this option when you know users have an existing Enterprise account with the same name; that is, AD aliases will be assigned to existing users (auto alias creation is turned on). Users who do not have an existing Enterprise account, or who do not have the same name in their Enterprise and AD account, are added as new AD users.

or
Create a new account for every added AD alias
Use this option when you want to create a new account for each user.

Update Options allow you to specify if AD aliases are automatically created for all new users. Select either:

New aliases will be added and new users will be created
Use this option to automatically create a new alias for every AD user mapped to BusinessObjects Enterprise. New AD accounts are added for users without BusinessObjects Enterprise accounts, or for all users if you selected the "Create a new account for every added AD alias" option.

or
No new aliases will be added and new users will not be created
Use this option when the AD directory you are mapping contains many users, but only a few of them will use BusinessObjects Enterprise. BusinessObjects Enterprise does not automatically create aliases and Enterprise accounts for all users. Instead, it creates aliases (and accounts, if required) only for users who log on to BusinessObjects Enterprise.

Note: You can also add AD users individually by adding them as a new user in BusinessObjects Enterprise and selecting Windows AD authentication. For details, see Creating a user and a third-party alias.

New User Options allow you to specify properties of the new Enterprise accounts that are created to map to AD accounts. Select either:

New users are created as named users
New user accounts are configured to use named user licenses. Named user licenses are associated with specific users and allow people to access the system based on their user name and password. This provides named users with access to the system regardless of how many other people are connected. You must have a named user license available for each user account created using this option.
New users are created as concurrent users
New user accounts are configured to use concurrent user licenses. Concurrent licenses specify the number of people who can connect to BusinessObjects Enterprise at the same time. This type of licensing is very flexible because a small concurrent license can support a large user base. For example, depending on how often and how long users access BusinessObjects Enterprise, a 100 user concurrent license could support 250, 500, or 700 users.

Click Update.

A message appears stating that it will take several seconds to update the member groups.

Click OK.

Business Objects
http://www.businessobjects.com/
Support services
http://www.businessobjects.com/services/support/
Product Documentation on the Web
http://support.businessobjects.com/documentation/