Assigning roles and privileges to Azure Active Directory groups
The Management Console supports synchronizing Azure Active Directory groups through SCIM or Active Directory Sync. This capability allows administrators to centrally manage access to Active Directory groups.
The Assign Active Directory Groups feature enables administrators to assign roles and privileges to Active Directory groups directly from the Management Console. This reduces the need to manage reviewer roles on a per-user basis.
Before you use this feature, note the following facts:
- By default, all synchronized Active Directory groups are assigned the None role. At this stage, the effective role and privileges of each member are either their individual user role or those of other Active Directory groups the user belongs to.
- When administrators assign the Reviewer role at the Active Directory group level, all direct members of the Active Directory group automatically inherit the assigned reviewer privileges. A maximum of 100 members (user accounts) from a single Active Directory group can be assigned case-level reviewer privileges. Only the direct group members can be assigned the Reviewer role; nested groups and their members cannot be assigned the Reviewer role.
- When administrators assign the Administrator role at the Active Directory group level, all direct members of the Active Directory group automatically inherit the assigned administrator privileges. Only the direct group members can be assigned the Administrator role; nested groups and their members cannot be assigned the Administrator role.
- The administrator can add, remove, and import monitored accounts while assigning roles and privileges to the Active Directory group.
- The expiry date for monitored accounts is the latest date assigned across the individual user and all Active Directory groups the user belongs to.
- Active Directory groups assigned the Reviewer role can be selected as reviewers in Arctera eDiscovery. However, the Active Directory group role cannot be changed using Arctera eDiscovery.
- Administrators can assign case-level reviewer privileges to an Active Directory group. All direct members of the Active Directory group automatically inherit the assigned reviewer privileges for the selected case. When an Active Directory group is added as a case reviewer, all its direct members are added as reviewers for the case.
- If an Active Directory group is deleted during synchronization, members of that Active Directory group no longer retain the roles and privileges that were assigned to them through that Active Directory group. In this scenario, each member's effective role and privileges are either their individual user role or those of other Active Directory groups the user belongs to.
- If an Active Directory group with case-level reviewer privileges is removed, the expiry date for its members is set to the group removal date. The members still remain listed as case reviewers. However, when such members log in to Arctera eDiscovery with an expired reviewer role, the associated cases are not displayed to them.
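The resolution rules above (direct membership only, highest role wins, latest expiry date, fallback to the individual role when a group is deleted, and the 100-member cap for case-level reviewers) as an added, runnable model. This is not Arctera's code; the Principal class, its field names and the sample users and groups are constructed assumptions used to exercise the documented behaviour.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

ROLE_RANK = {"None": 0, "Reviewer": 1, "Administrator": 2}   # precedence used when resolving
MAX_CASE_REVIEWERS_PER_GROUP = 100                           # cap stated on the page

@dataclass
class Principal:
    """A user or a synchronized AD group (assumed shape, not the product's data model)."""
    name: str
    role: str = "None"                                        # synchronized groups start as None
    expiry: Optional[date] = None
    direct_members: set = field(default_factory=set)
    nested_groups: set = field(default_factory=set)           # nesting confers no privileges

def direct_groups_of(user: str, groups: dict) -> list:
    # Only direct membership counts; nested groups and their members are ignored.
    return [g for g in groups.values() if user in g.direct_members]

def effective_role(user: Principal, groups: dict) -> str:
    # Highest of the user's own role and the roles of the groups they belong to directly.
    candidates = [user.role] + [g.role for g in direct_groups_of(user.name, groups)]
    return max(candidates, key=ROLE_RANK.__getitem__)

def effective_expiry(user: Principal, groups: dict) -> Optional[date]:
    # Monitored-account expiry is the latest date among the user and their direct groups.
    dates = [user.expiry] + [g.expiry for g in direct_groups_of(user.name, groups)]
    dates = [d for d in dates if d is not None]
    return max(dates) if dates else None

def case_reviewers_from_group(group: Principal) -> set:
    # Adding a Reviewer group to a case adds its direct members, subject to the 100-member cap.
    if group.role != "Reviewer":
        raise ValueError(f"{group.name} does not hold the Reviewer role")
    if len(group.direct_members) > MAX_CASE_REVIEWERS_PER_GROUP:
        raise ValueError(f"{group.name} exceeds {MAX_CASE_REVIEWERS_PER_GROUP} direct members")
    return set(group.direct_members)

# Constructed sample directory: carol is reachable only through a nested group.
GROUPS = {
    "legal-reviewers": Principal("legal-reviewers", "Reviewer", date(2025, 12, 31),
                                 {"alice", "bob"}, {"contractors"}),
    "contractors": Principal("contractors", direct_members={"carol"}),
    "it-admins": Principal("it-admins", "Administrator", direct_members={"bob"}),
}
ALICE = Principal("alice", "None", date(2025, 6, 30))   # Reviewer via group; expiry extended to Dec 31
BOB = Principal("bob", "Reviewer")                       # Administrator via it-admins
CAROL = Principal("carol")                              # stays None: nested membership only
```

Deleting `legal-reviewers` from `GROUPS` drops alice back to her individual None role and her own June expiry, which is the fallback the last two points describe.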