Creating Exclusions for User or Group Mappings in Active Directory Enhanced

Platform: OnBase
Product: Legacy Authentication Methods
Release: Foundation 23.1
License: Essential, Premier, Standard

User privileges should be managed primarily through the use of group mappings, which are inclusive. However, if it is necessary to specifically prevent a Windows group or user from being associated with a particular OnBase User Group, that user or group can be mapped to the Exclusions for the OnBase User Group. Adding a user or group to the Exclusions is analogous to the Windows Deny permission.

To explicitly exclude an Active Directory user or group from an OnBase User Group, drag and drop it in the Active Directory - Enhanced dialog box:

  1. Expand the OnBase User Group in the Groups pane by clicking the + beside the User Group name. The mapped users and groups are displayed, as well as the Exclusions node.
  2. Select a user or group in the Configured Active Directory Domains pane or the Groups pane and hold down the left mouse button.
  3. Drag the selected user or group onto the Exclusions node and release the mouse button. That user or group is excluded from the selected OnBase User Group.
  4. Click Apply to save the configuration changes and continue working in the Active Directory - Enhanced dialog box, or click OK to save the configuration changes and close the Active Directory - Enhanced dialog box.

If a user or group is excluded from a User Group in OnBase, that user or the group's members are not granted the OnBase rights for that User Group. However, if a user or group is mapped to multiple OnBase User Groups, the user or group's members will retain any rights to OnBase User Groups they are not excluded from.

For example, if a user is a member of both OnBase User Group A and User Group B, and both User Groups have Indexing rights, then the user retains Indexing rights in OnBase if they are excluded from only one of the two User Groups, because they are still a member of the other.
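The precedence described above can be checked on paper before changing mappings. The following Python model is an added example, not OnBase code or a Hyland tool; it also covers the root Exclusions node described at the end of this page. It assumes the user's Active Directory group membership is supplied already flattened, and all account names and the Retrieval right are constructed sample data.

```python
# Added illustration: a model of the exclusion semantics described above,
# not OnBase code. All names and sample data are constructed.
from dataclasses import dataclass, field


@dataclass
class UserGroup:
    """One OnBase User Group with its AD mappings, Exclusions node and rights."""
    name: str
    mapped: set = field(default_factory=set)      # AD users/groups mapped in
    excluded: set = field(default_factory=set)    # AD users/groups under Exclusions
    rights: set = field(default_factory=set)


def principals(user, ad_groups):
    """The user plus every AD group the user belongs to (assumed pre-flattened)."""
    return {user} | set(ad_groups)


def effective_groups(user, ad_groups, user_groups, root_exclusions=frozenset()):
    """Return the User Group names the user ends up in, or None if login is blocked."""
    who = principals(user, ad_groups)
    if who & set(root_exclusions):
        return None  # root Exclusions node: no login at all
    result = set()
    for g in user_groups:
        # An exclusion acts like a Deny: it wins over any mapping in the same group.
        if who & g.mapped and not who & g.excluded:
            result.add(g.name)
    return result


def effective_rights(user, ad_groups, user_groups, root_exclusions=frozenset()):
    """Union of rights from every User Group the user still belongs to."""
    names = effective_groups(user, ad_groups, user_groups, root_exclusions)
    if names is None:
        return set()
    return set().union(*(g.rights for g in user_groups if g.name in names))


# Constructed sample mirroring the A/B example in the text.
GROUPS = [
    UserGroup("A", mapped={"CORP\\Clerks"}, excluded={"CORP\\jdoe"}, rights={"Indexing"}),
    UserGroup("B", mapped={"CORP\\Scanners"}, rights={"Indexing", "Retrieval"}),
]

if __name__ == "__main__":
    print(effective_rights("CORP\\jdoe", ["CORP\\Clerks", "CORP\\Scanners"], GROUPS))
```

Running the model over an export of the current mappings shows which exclusions have no effect on a user's rights because another User Group still grants them.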

To prevent an Active Directory user or members of an Active Directory group from logging in to OnBase altogether, add them to the root Exclusions node at the bottom of the Groups pane: