Description
A customer would like to automatically create users in the eDiscovery Platform for a select group of users and automatically assign roles to those users using LDAP.
Note: All images in this document are from a Veritas lab. All user names are fictitious. Server names are Veritas eDP Clearwell lab names.
Step 1: Make sure LDAP/LDAPS is working as expected. See KB article 100059507
If you know LDAP lookups and authentication are working skip to Step 2.
Step 2: Automatically create users in eDP Clearwell selectively, for only a group of users within an Organizational Unit (OU). If you would rather use a group instead of an OU, see KB Article 100059510.
- In Active Directory Users and Computers, create an Organizational Unit (OU) that will contain all user accounts that will be allowed to access eDP Clearwell. For this example, the OU is called "eDP Clearwell Users".
- Now drag the users that need automatic eDP account creation into this OU so they can access eDP, like so:
- Change the following property to match the new OU:
From: esa.ldap.userBase=ou=TestUsers,dc=edp,dc=lab
To: esa.ldap.userBase=ou=eDP Clearwell Users,dc=edp,dc=lab
- Add the additional LDAP properties for automatic eDP user account creation:
esa.ldap.createUnknownUsers=true
esa.ldap.defaultRole=Case User
Note: At this point any user account that is added to the "eDP Clearwell Users" organizational unit within Active Directory (AD) should be able to log into eDP Clearwell. On the user's first login, eDP Clearwell will automatically create the eDP Clearwell account within the product and assign the default role of Case User. A default role must be set.
Step 3: Automatically assign roles to the users.
- In Active Directory Users and Computers, create an Organizational Unit (OU) that will contain all the Roles.
- For this example, "eDP Clearwell Roles" will be used:
Note: By default the product will look for all groups within this OU that have the prefix "Clearwell ". This can be changed if needed by using the property esa.ldap.rolePrefix. For this example, the prefix will not be changed from the default.
- eDP Roles are located under eDP Clearwell->System->Users->Roles. Built-in roles are located here, and new roles can also be created. The image below shows the default built-in roles along with one newly created role called midrole:
- Make a list of which roles you would like to be automatically assigned to eDP user accounts. For this example, Case Admin, System Manager, and eDiscovery Admin will be the roles automatically assigned.
- In Active Directory Users and Computers, go to the new OU called "eDP Clearwell Roles" and create the following new groups within that OU (the default prefix is "Clearwell ", followed by the eDP role name):
- When done, it should look like the following:
- Finally, assign the users added to the "eDP Clearwell Users" OU to their appropriate role group in the "eDP Clearwell Roles" OU.
Step 4: Configure the eDP properties for automatic role assignment:
esa.ldap.useLDAPRoles=true
esa.ldap.roleBase=ou=eDP Clearwell Roles,dc=edp,dc=lab
esa.ldap.roleName=name
esa.ldap.roleSearch=(member={0})
esa.ldap.roleSubtree=true
Explanation: The settings above enable automatic LDAP role assignment within eDP. The eDP Clearwell software will search within the base "ou=eDP Clearwell Roles,dc=edp,dc=lab" for any roles/groups that are defined. If the user logging in cannot be found as a member of any of the roles/groups, the user will get the default role "Case User". When creating a group in Active Directory, by default the group name is also automatically added to the LDAP attribute called name, as seen here using the adsiedit.exe tool:
Therefore, the appropriate setting for esa.ldap.roleName is the LDAP attribute called name.
Groups have an attribute called member that contains all members (user accounts) that belong to that group like the following using the adsiedit.exe tool:
Therefore, the appropriate value for esa.ldap.roleSearch is (member={0}). eDP Clearwell gets the canonical name (distinguished name) of the user trying to log in and replaces the {0} variable with that value. For example, the string becomes:
(member=CN=Aaliyah Adams,OU=eDP Clearwell Users,DC=eDP,DC=lab)
ldp.exe is another tool that can be used for LDAP testing. The image below is an example of testing the search string:
In short, eDP Clearwell searches all groups under "eDP Clearwell Roles" whose names begin with "Clearwell ", checks each group's members against the user trying to log in, and, where the user is found, removes the prefix from the group name to determine the eDP Role to set (Case Admin, for example). It then looks in eDP Roles to see if that role exists and, if so, automatically assigns it to the user who is logging in.
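The flow of Steps 2 and 4 (the userBase check, the {0} substitution into esa.ldap.roleSearch, the "Clearwell " prefix stripping, the check against the roles defined in eDP, and the Case User fallback) as an added Python simulation run against a small in-memory directory. This is illustrative code written for this page, not eDP Clearwell's own implementation. The property names and values are the ones shown in the article; the users Mateo Rivera and Priya Nair, the groups Clearwell Auditor and Legal Hold Team, and the Nested and Archive OUs are constructed to exercise the edge cases (a prefixed group naming a role eDP does not have, an unprefixed group, a nested group that only esa.ldap.roleSubtree=true reaches, and a group outside roleBase). Two details are assumptions rather than statements from the article: the userBase lookup is treated as a subtree search, and the DN substituted into the filter is hex-escaped per RFC 4515, which is good practice for any code that builds a filter from a directory value.

```python
"""Simulation of the eDP Clearwell LDAP login and role-assignment flow described in
this article, against a constructed in-memory directory (added example, not product code)."""
import re

# Property values from Step 2 and Step 4 of the article.
PROPS = {
    "esa.ldap.userBase": "ou=eDP Clearwell Users,dc=edp,dc=lab",
    "esa.ldap.createUnknownUsers": "true",
    "esa.ldap.defaultRole": "Case User",
    "esa.ldap.useLDAPRoles": "true",
    "esa.ldap.roleBase": "ou=eDP Clearwell Roles,dc=edp,dc=lab",
    "esa.ldap.roleName": "name",
    "esa.ldap.roleSearch": "(member={0})",
    "esa.ldap.roleSubtree": "true",
    "esa.ldap.rolePrefix": "Clearwell ",  # default prefix noted in Step 3
}

# Roles that exist under eDP Clearwell->System->Users->Roles (built-in plus midrole).
EDP_ROLES = {"Case User", "Case Admin", "System Manager", "eDiscovery Admin", "midrole"}

ROLE_BASE = "ou=eDP Clearwell Roles,dc=edp,dc=lab"
USERS_OU = "OU=eDP Clearwell Users,DC=edp,DC=lab"
# Aaliyah Adams appears in the article; the other two users are constructed.
AALIYAH, MATEO, PRIYA = ("CN=%s,%s" % (n, USERS_OU)
                         for n in ("Aaliyah Adams", "Mateo Rivera", "Priya Nair"))


def _group(name, parent, *members):
    # AD copies the group name into the 'name' attribute; 'member' holds user DNs.
    return "cn=%s,%s" % (name, parent), {"name": name, "member": list(members)}


# Constructed directory: group DN -> attributes.
DIRECTORY = dict([
    _group("Clearwell Case Admin", ROLE_BASE, AALIYAH),
    _group("Clearwell System Manager", ROLE_BASE, AALIYAH),
    _group("Clearwell eDiscovery Admin", ROLE_BASE, MATEO),
    _group("Clearwell Auditor", ROLE_BASE, MATEO),             # no such eDP role: ignored
    _group("Legal Hold Team", ROLE_BASE, MATEO),               # no "Clearwell " prefix: ignored
    _group("Clearwell midrole", "ou=Nested," + ROLE_BASE, MATEO),  # reached only with roleSubtree=true
    _group("Clearwell System Manager", "ou=Archive,dc=edp,dc=lab", PRIYA),  # outside roleBase: never searched
])


def escape_filter_value(value):
    """Hex-escape the characters RFC 4515 forbids inside a filter value (assumed precaution)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def unescape_filter_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def build_role_search(user_dn, props=PROPS):
    """Replace {0} in esa.ldap.roleSearch with the user's DN, as in the Step 4 explanation."""
    return props["esa.ldap.roleSearch"].replace("{0}", escape_filter_value(user_dn))


def _norm_dn(dn):
    # DNs compare case-insensitively; trim spaces around unescaped commas.
    return ",".join(p.strip() for p in re.split(r"(?<!\\),", dn)).lower()


def dn_in_base(dn, base, subtree):
    """True if dn lies under base: any depth when subtree, otherwise one level only."""
    d, b = _norm_dn(dn), _norm_dn(base)
    if not d.endswith("," + b):
        return False
    relative = d[: -len(b) - 1]
    return subtree or len(re.split(r"(?<!\\),", relative)) == 1


def matches_filter(entry, filt):
    """Evaluate a simple (attr=value) equality filter against one entry."""
    m = re.match(r"^\((?P<attr>[A-Za-z][\w-]*)=(?P<value>.*)\)$", filt)
    if not m:
        raise ValueError("only (attr=value) filters are supported here")
    wanted = _norm_dn(unescape_filter_value(m.group("value")))
    values = entry.get(m.group("attr").lower(), [])
    values = [values] if isinstance(values, str) else values
    return any(_norm_dn(v) == wanted for v in values)


def resolve_roles(user_dn, directory=DIRECTORY, props=PROPS):
    """Groups under roleBase that list the user as member, carry the prefix and name an
    existing eDP role; the default role applies when none match."""
    filt = build_role_search(user_dn, props)
    prefix, subtree = props["esa.ldap.rolePrefix"], props["esa.ldap.roleSubtree"] == "true"
    roles = set()
    for dn, entry in directory.items():
        if not dn_in_base(dn, props["esa.ldap.roleBase"], subtree) or not matches_filter(entry, filt):
            continue
        group_name = entry.get(props["esa.ldap.roleName"], "")
        role = group_name[len(prefix):] if group_name.startswith(prefix) else None
        if role in EDP_ROLES:
            roles.add(role)
    return sorted(roles) or [props["esa.ldap.defaultRole"]]


def login(user_dn, accounts, directory=DIRECTORY, props=PROPS):
    """Step 2 behaviour: only DNs under userBase (assumed subtree scope) may log in; an
    unknown account is created with the default role when createUnknownUsers is true."""
    if not dn_in_base(user_dn, props["esa.ldap.userBase"], subtree=True):
        return None
    if user_dn not in accounts and props["esa.ldap.createUnknownUsers"] != "true":
        return None
    accounts.setdefault(user_dn, {props["esa.ldap.defaultRole"]})
    if props["esa.ldap.useLDAPRoles"] == "true":
        accounts[user_dn] = set(resolve_roles(user_dn, directory, props))
    return sorted(accounts[user_dn])
```

Running `login(MATEO, {})` returns `['eDiscovery Admin', 'midrole']`; passing a copy of PROPS with esa.ldap.roleSubtree set to "false" drops midrole, which is the quickest way to see what the roleSubtree property changes. Priya Nair, who belongs only to a prefixed group outside roleBase, lands on the default Case User role.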