This document is a supplement to https://risktooltech.freshdesk.com/solution/articles/44000288429-active-directory-integration
The objective of the RUDS utility is to synchronize the users and groups of a Lightweight Directory Access Protocol (LDAP) directory (typically Active Directory (AD)) to RiskTool (RT). RUDS makes no changes to the LDAP database. Most implementations are with AD, and that is what this document uses. There are six tabs across the top of the utility.
1. Overview - self-explanatory.
2. API - The API tab is used to provide credentials/connectivity to the RiskTool platform. You should create a username in RT just for RUDS that will not match an AD username. Note that the token is unique to the username. When a user is created in RT the password is temporary; you will need to log in at least once with the account in order to set the password.
3. LDAP - The LDAP tab is used to control access to the LDAP directory.
4. Users - This is where the real work is done. The Rules panel allows multiple rule sets to be defined. A rule set is the combination of the rule and the
The default rule is configured to select AD users who have a surname (sn) and given name (givenname) present. You might want to add (mail=*) after (givenname) to require an email address to be present in AD as well. If the base DN is blank in the rule, the base DN from the LDAP tab is used. Additional base DNs are prepended to the LDAP tab base DN; note that the left-most OU will be the bottom OU in the AD tree.
When you sync, RUDS looks at all the users found in AD and all the users in RT and compares them by username and email. RT users are either local users or RUDS-controlled users. RUDS will convert a local user to RUDS-controlled if the username and email match in both systems. Once under RUDS control, the AD GUID is used to identify the user.
Once a user is under RUDS control it cannot be edited manually. If deleted by RUDS, it can only be restored by RUDS, and only so long as the GUID in AD is still the same.
Groups in the Filtered groups panel will be created in RT. If a user exists in RT, they will be placed in the RT groups corresponding to the AD groups they are members of. If they are removed from the AD group, they will be removed from the RT group at the next sync. Groups are not currently removed from RT by RUDS.
If during initial testing you happen to create thousands of users with RUDS, you can point RUDS to an empty OU and it will delete all the users it created in RT. It will also delete any manually created users that it converted. Make sure your admin account does not match an AD account on both username and email, so that it is never converted (and therefore never deleted) by RUDS.
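To preview what a rule set and a sync would do before running RUDS against a live directory, the following added example (not RUDS code, and not from the linked article) models the matching rules described above: base DN prepending, adding (mail=*) to the default rule, and the keep/convert/create/delete decisions, including the empty-OU case. It assumes the default rule literally contains (givenname=*), and the AD field names and all sample users are constructed.

```python
# Added example, not RUDS code: a model of the matching rules the supplement
# describes, so the effect of a rule set or of an empty OU can be previewed
# before a real sync. AD field names (sAMAccountName, mail, guid) are assumed.
from dataclasses import dataclass
from typing import Optional

def build_base_dn(rule_base_dn: str, ldap_tab_base_dn: str) -> str:
    """A blank rule base DN means use the LDAP tab's; otherwise it is prepended."""
    rule_base_dn = rule_base_dn.strip()
    return f"{rule_base_dn},{ldap_tab_base_dn}" if rule_base_dn else ldap_tab_base_dn

def require_mail(ldap_filter: str) -> str:
    """Insert (mail=*) after (givenname=*) so accounts with no email are skipped."""
    return ldap_filter.replace("(givenname=*)", "(givenname=*)(mail=*)", 1)

@dataclass
class RTUser:
    username: str
    email: str
    guid: Optional[str] = None  # None: local user; set: RUDS-controlled (AD GUID)

def plan_sync(ad_users, rt_users):
    """GUID match -> keep; local user matching on username AND email -> convert;
    otherwise create; RUDS-controlled users no longer found in AD -> delete."""
    plan = {"keep": [], "convert": [], "create": [], "delete": []}
    controlled = {u.guid for u in rt_users if u.guid}
    local = {(u.username.lower(), u.email.lower()) for u in rt_users if not u.guid}
    seen = set()
    for ad in ad_users:
        key = (ad["sAMAccountName"].lower(), ad["mail"].lower())
        if ad["guid"] in controlled:
            plan["keep"].append(ad["sAMAccountName"])
        elif key in local:
            plan["convert"].append(ad["sAMAccountName"])  # identified by GUID from now on
        else:
            plan["create"].append(ad["sAMAccountName"])
        seen.add(ad["guid"])
    plan["delete"] = [u.username for u in rt_users if u.guid and u.guid not in seen]
    return plan

# Constructed sample: two RUDS-controlled users (asmith was a converted local
# user), one local user that matches AD on both fields, and an admin that does not.
RT_USERS = [RTUser("jdoe", "jdoe@example.com", "guid-1"),
            RTUser("asmith", "asmith@example.com", "guid-2"),
            RTUser("bjones", "bjones@example.com"),
            RTUser("rtadmin", "admin@example.com")]
AD_USERS = [{"sAMAccountName": "jdoe", "mail": "jdoe@example.com", "guid": "guid-1"},
            {"sAMAccountName": "asmith", "mail": "asmith@example.com", "guid": "guid-2"},
            {"sAMAccountName": "bjones", "mail": "bjones@example.com", "guid": "guid-3"}]
```

Calling plan_sync(AD_USERS, RT_USERS) keeps jdoe and asmith and converts bjones; plan_sync([], RT_USERS) models the empty-OU case and deletes both RUDS-controlled users while leaving the local rtadmin account alone.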
5. Notification - This tab is used to email the results of each run of RUDS. Consider using a distribution group as the recipient, so the recipients can be changed later without having to bring up the RUDS GUI.
6. Sync - This tab is used to view error messages, to simulate a sync, and to perform a manual sync.
Note that once you have the configuration you want, do a file save. This saved file is used by the ruds-sync program, which you will want to schedule to run on a regular basis.