Pulse v6.3.0 | Using AD groups to manage Pulse security

Hi team,

We updated our Pulse DEV environment to v6.3.0 a few months back and are testing out a few of the new features that were provided in it.

One of the features is the use of AD groups to manage Pulse groups and security. We followed the steps on this page (Using active directory to manage Pulse groups and users security - Cubewise CODE) but were unable to get the desired results.

On turning all three of the parameters below to true, we got a huge number of groups imported into Pulse, as whenever a user logged in, all the AD groups associated with the user were imported, making it impossible to manage for a large number of users.

EnableWindowsGroupImport = true
EnableWindowsLogonSessionGroupInclusion = true
EnableWindowsGroupOnlyMode = true

We then deleted all the imported AD groups, turned the import parameter to false and the remaining 2 to true, but in this case we did not get any AD group.

EnableWindowsGroupImport = false
EnableWindowsLogonSessionGroupInclusion = true
EnableWindowsGroupOnlyMode = true

Our requirement is that we want only a few selected AD groups to be imported into Pulse (or we can also enter the AD group details manually into the Pulse portal if that’s an option) and we want to provide different levels of access to these groups on Pulse and its services.
Post that, any user who logs into Pulse and is a member of that AD group should automatically get access as per the permission/access provided to the AD group.

Let us know how this can be implemented or if there are any blockers for the same.

Thanks,
Atindra

Hi @Atindra,

What kind of “Windows Group Names” are you seeing and wanting to exclude? At the moment, there is a parameter in the Pulse.cfg file to be able to exclude those not wanted, and it contains the following by default:

[Security]
...
ExcludeWindowsGroupDomains = MicrosoftAccount, Users
...

Cheers!

Paul

Hi @plim ,

We are seeing all the groups associated with the user. We don’t want to exclude only a few groups; we basically want to exclude the import for all groups. We just want a few groups to be included.

For example, let’s say we have an AD group named ‘abc’ and it has 3 members in it.
So what we want is that we go to the System Groups page on Pulse, create a new group with the same name ‘abc’ and then provide it certain permissions on Pulse. Then any of the 3 users who are part of that AD group, when they log in to Pulse, get the same access as provided to the AD group.

Is this possible or is there any alternative way/workaround to make something similar possible?

Thanks,
Atindra

Hi @Atindra,

That should be possible with the current interim build already.

You can pre-create any AD Groups before the user logs in.

Pulse is just retrieving the group name and creating it if it is not there.

With that, you should be able to create the groups ahead of time and assign access to them before that user is able to log in.

Cheers!

Paul

Hi @plim ,

How can we pre-create the specific AD group on Pulse while keeping the parameter

EnableWindowsGroupImport = false

As setting it to true will import not just that AD group but all other AD groups too.

I tried adding an existing AD group in the system groups on Pulse and provided it with certain permissions. Post adding the group, I tried to log in to Pulse using a user account that is part of that AD group, but the user got added only to the Public group and not to that group on Pulse.

Also, is there any other documentation regarding the AD groups support in Pulse apart from this “Using active directory to manage Pulse groups and users security - Cubewise CODE”?

Thanks,
Atindra

Hi @Atindra,

For excluding other groups, you can use the parameter posted earlier:

Could you help create a ticket for the above?

Let us set up a meeting next week to discuss further on your environment setup.

Cheers!

Paul

Hi @plim ,

Sure, will raise a ticket and set up a call.

Thanks,
Atindra