Individual users have roles and permissions assigned to them that define what actions they can take and to which vaults they have access. You can create groups of users and assign roles and permissions to the group. As a member of a group, a user has all the permissions and roles assigned to the group. By default, every new user is added to a group called Everyone. The Everyone group is only available on Access Control Lists. It does not appear in the Groups dialog box. If the Everyone group is granted membership to a folder, all new users have access to that folder.
Groups can be comprised of users or other groups. Groups can be disabled, turning off all permissions assigned to the group. The permissions and roles assigned to a group are independent of individual user roles and permissions. Groups can also be restricted to specific folders within a vault, so you can keep projects and other data secure between groups.
By assigning users to groups and then granting folder membership to those groups, you can easily manage users and their access to vault folders. This is the best practice for creating a vault security model.
Note: Folder membership is only available with the vault server that is installed with Autodesk Vault.
Active Directory Domain Groups
Note: Windows Authentication is available only in the Autodesk Vault Collaboration and Professional editions.
An administrator can create a group of users on the Autodesk Vault server, or domain user groups can be imported, retaining the group membership and security settings. Groups can then be managed using Windows permissions. Importing a domain group imports all members of the group as well as sub-groups.
This allows for accounts to be created using Active Directory information and allows users to log into a data management client without requiring a new account. If a user account or group already exists on the vault server, it can be promoted to an Active Directory account or group. Likewise, an account or group created by importing an Active Directory account can be disconnected or demoted from the Active Directory domain, making the account or group unique to the vault server.
You cannot manage Active Directory accounts through the server console. You can only import Active Directory accounts, promote vault server accounts to the Active Directory domain, or demote Active Directory accounts to standard vault server user accounts. To manage Active Directory user accounts and Active Directory group membership, you must use the User Accounts controls in the Windows Control Panel.
Manage Groups
Note: You must be assigned the role of Administrator to perform this operation.
- Select Tools > Administration > Global Settings.
- In the Global Settings dialog, select the Security tab.
- Click Groups.
- In the Group Management dialog, you can list groups three different ways:
- Select View List to view the groups in a flat list.
- Select View By Vault to view the groups as a list grouped by the vaults to which they are assigned.
- Select View By Role to view the groups as a list grouped by roles.
Create groups
- Click New.
- In the Group dialog box, specify the group settings, and then click OK.
- Click Close.
Edit groups
- Select a group from the list.
- Click Edit.
- In the Group dialog box, specify the group settings, and then click OK.
- Click Close.
Import an Active Directory domain group
Note: Windows Authentication is available only in the Autodesk Vault Collaboration and Professional editions.
- In the Group Management dialog, select a vault server group and then select Actions > Promote to Domain Group.
- In the Select Groups dialog, click Locations to specify the domain containing the Active Directory group to which the selected vault server group will be mapped. In the Locations dialog, select the domain to use and then click OK.
- In the Select Groups dialog, enter the name of the Active Directory domain group to which the vault server group will be promoted or click Advanced to search for the group.
- Once the group has been specified, click OK in the Select Groups dialog. The vault server group information is replaced with the domain group information.
All members of the group as well as sub-groups are imported. Groups imported from an Active Directory domain retain the group name and e-mail address from Active Directory. The domain name is displayed in front of the group name.
Note: An imported domain group can be updated to reflect changes to the Active Directory group membership. For more information, see Update a Domain Group.
Edit groups
- In the Group Name field, enter a name for the group.
- Enter an e-mail distribution list address for the group in the Email field. You can also enter a list of individual email addresses separated by a semicolon (;).
- Click Roles and assign one or more roles to the group. Every member of the group is assigned the permissions of the group. Individual user roles are combined with the roles assigned to the group to which a user belongs. As a best practice, always assign roles to groups to make user permission management easier.
- Click Vaults and select one or more vaults to which the group has access. Every member of the group has access to the vaults assigned to the group.
- A group can be a member of another group. Click Groups and select one or more groups to which this group belongs.
Add members to groups
- Click Add to add members to the group.
- From the Add Users dialog box, select the users to include in the group, and then click OK.
Remove members from groups
- Select a member from the Group Members list.
- Click Remove.
Enable or disable groups
Similar to a user profile, a group can be enabled or disabled. A group must be enabled for the permissions of the group to be active. When a group is disabled, the roles and vault access assigned to the group are no longer available to the members of that group.
Note: Disabling a group doesn't disable individual users. If you disable a group, only the permissions of the group are affected.
- Click the Enable group check box to make the group permissions available to all members.
- Clear the Enable group check box to deny the group permissions to all members.
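The rules described above (nested groups, user roles combined with group roles, and disabled groups granting nothing) can be modelled to audit who effectively holds a role. This is an added example, not Autodesk code or a Vault API: the data layout, function names and all sample names except the Administrator role are constructed. The page does not say whether a disabled group still passes on the permissions of the groups it belongs to; the example assumes it does not.

```python
# Constructed sample data: group, user, vault and role names are illustrative
# ("Administrator" is the only role named on the page); not a Vault export format.
GROUPS = {
    "Staff":       {"enabled": True,  "roles": {"Viewer"}, "vaults": {"Library"}, "member_of": set()},
    "Engineering": {"enabled": True,  "roles": {"Editor"}, "vaults": {"Products"}, "member_of": {"Staff"}},
    "Contractors": {"enabled": False, "roles": {"Editor"}, "vaults": {"Products"}, "member_of": {"Staff"}},
    "Admins":      {"enabled": True,  "roles": {"Administrator"}, "vaults": {"Products", "Library"}, "member_of": set()},
}
USERS = {
    "alice": {"roles": set(), "vaults": set(), "groups": {"Engineering"}},
    "bob":   {"roles": {"Viewer"}, "vaults": {"Library"}, "groups": {"Contractors"}},
    "carol": {"roles": set(), "vaults": set(), "groups": {"Engineering", "Admins"}},
}


def active_groups(user, users=USERS, groups=GROUPS):
    """Return the enabled groups a user belongs to, directly or through nesting."""
    seen, active = set(), set()
    stack = list(users[user]["groups"])
    while stack:
        name = stack.pop()
        if name in seen:
            continue  # already visited; also stops membership cycles
        seen.add(name)
        group = groups[name]
        if not group["enabled"]:
            continue  # assumption: a disabled group grants nothing and is not traversed
        active.add(name)
        stack.extend(group["member_of"])
    return active


def effective_access(user, users=USERS, groups=GROUPS):
    """Combine the user's own roles and vaults with those of every active group."""
    roles, vaults = set(users[user]["roles"]), set(users[user]["vaults"])
    for name in active_groups(user, users, groups):
        roles |= groups[name]["roles"]
        vaults |= groups[name]["vaults"]
    return roles, vaults


def users_with_role(role, users=USERS, groups=GROUPS):
    """List every user who ends up holding a role, whatever the source."""
    return sorted(u for u in users if role in effective_access(u, users, groups)[0])


if __name__ == "__main__":
    for user in sorted(USERS):
        roles, vaults = effective_access(user)
        print(f"{user}: roles={sorted(roles)} vaults={sorted(vaults)}")
    print("Administrator holders:", users_with_role("Administrator"))
```

Running the same check before and after disabling a group shows exactly which users lose a role or vault, and which keep it through another group or an individual assignment.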
Add Groups
The Add Groups dialog box displays the enabled groups which the current user profile or group belongs to and which groups they can be added to. A check next to the group name indicates that the user profile that is currently being added or edited belongs to that group.
Note: A group can be a member of another group.
Promote Vault Server Groups to Active Directory Domain Groups
A vault server group can be promoted to a domain group. Promoting a vault server group to an Active Directory group maps the vault server group to an existing domain group. Promoting a group replaces the vault server group information with the selected domain information.
- In the Group Management dialog, select a vault server group and then select Actions > Promote to Domain Group.
- In the Select Groups dialog, click Locations to specify the domain containing the Active Directory groups to import. In the Locations dialog, select the domain to use and then click OK.
- In the Select Groups dialog, enter the names of the groups to add from the Active Directory domain or click Advanced to search for the groups.
- Once the groups have been specified, click OK in the Select Groups dialog. The vault server group information is replaced with the domain group information.
Note: All members of the selected domain group are imported.
Demote Active Directory Domain Groups to Vault Server Groups
A vault server group that was imported from an Active Directory domain or promoted to an Active Directory domain can be demoted, creating a vault server-only group. Once demoted, the group is unique to the vault server and no longer associated with the domain group.
- In the Group Management dialog, select an Active Directory group and then select Actions > Demote Domain Group. When the group is demoted, the domain name is removed from the group name. As a result, the demoted group may collide with an existing vault server group with the same name. If the vault server group name already exists, you are prompted to rename the demoted group.
The vault server group retains the vault server group membership and permissions but is no longer associated with the Active Directory group.
Update Domain Groups
If members have been added to or removed from the Active Directory domain group, the vault server group can be updated to reflect the changes to the group.
- In the Group Management dialog, select a group.
- Select Actions > Update Domain Group.
Note: One advantage to using groups is when you are adding users to a vault or vaults. First, create a group and add members to the group. Once members have been added to the group, assign a vault to the group.