Creating groups in Azure AD and synching to Optimizely CMS


Hi, we have integrated with OpenID Connect so that users can log in with their AD user. From there we want to add users in different groups. These groups have different permissions in the CMS. Let's say I create a group in Azure AD called NewsPageEditors and add a user to that group in Azure AD. Will that group be synched to Optimizely CMS so we can set permissions?

#306499
Aug 09, 2023 12:50

Hi Tam, 

Yes, they will be synced/cached; however, you first need to log in with a user that has the group you would like to sync.

Once they log in, the group will be synced and then you will be able to set permissions as normal from within the CMS Admin section.

Any issues, let us know.

Paul

#306500
Aug 09, 2023 13:07
Tam Duc Ha Vo - Aug 09, 2023 13:08
Great, thank you for the quick response! I've added another question below if you have the time to answer :)
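
The sync-on-login behaviour described in the answer above, as an added example (not code from this thread or from Optimizely): the CMS only learns about a group from the role claims of a user who signs in, when the OpenID Connect handler passes the identity to `ISynchronizingUserService.SynchronizeAsync`. The class and method names, the `tenantId`/`clientId` parameters and the choice of name claim are assumptions.

```csharp
using System.Security.Claims;
using EPiServer.Security; // ISynchronizingUserService
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public static class AzureAdCmsSyncExtensions // hypothetical name
{
    // tenantId and clientId are placeholders supplied from configuration.
    public static IServiceCollection AddAzureAdWithCmsSync(
        this IServiceCollection services, string tenantId, string clientId)
    {
        services
            .AddAuthentication(options =>
            {
                options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
            })
            .AddCookie()
            .AddOpenIdConnect(options =>
            {
                options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                options.Authority = $"https://login.microsoftonline.com/{tenantId}/v2.0";
                options.ClientId = clientId;
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    // Assumption: Azure AD emits the groups as role claims in the token.
                    RoleClaimType = ClaimTypes.Role,
                    // Assumption: the sign-in name is used as the CMS user name.
                    NameClaimType = "preferred_username"
                };
                // Runs once per successful login. Only the roles carried by this
                // user's token are written to the CMS, nothing is pulled from Azure AD.
                options.Events.OnTokenValidated = async ctx =>
                {
                    if (ctx.Principal?.Identity is ClaimsIdentity identity)
                    {
                        var sync = ctx.HttpContext.RequestServices
                            .GetRequiredService<ISynchronizingUserService>();
                        await sync.SynchronizeAsync(identity);
                    }
                };
            });
        return services;
    }
}
```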

Just another question. How can we remove groups that are not from Azure AD? CmsAdmins and CmsEditors have not been created in Azure AD. Since we have integrated with AD, the functionality to Administer Groups is not available anymore, which is correct.

#306503
Aug 09, 2023 13:13

CmsAdmins and CmsEditors are mapped roles; they are mapped to WebAdmins, Administrators and WebEditors, respectively. You can check your web.config/appsettings.json and remove those roles (inside the episerverframework section) if you don't need them. I'd rather leave them as is.

#306507
Aug 09, 2023 15:24
Tam Duc Ha Vo - Aug 10, 2023 7:42
Those roles are only mapped in appsettings.development.json and not in appsettings.json. The groups I posted a picture of are in preprod. Any idea why?

Is it possible to see which users are in which group in the CMS?

#306562
Aug 10, 2023 10:25

You can see which groups a user is in, and which users are in a certain group, but not all at once.

#306564
Aug 10, 2023 10:44
Tam Duc Ha Vo - Aug 10, 2023 10:46
But that functionality is not available when integrating with Azure AD, since you have to remove .AddCmsAspNetIdentity.

I don’t think you can see which groups users belong to in CMS, as your users and groups are managed from Azure AD.

You might be able to find synchronized users and roles in the database tables - from memory, synchronised users and roles are stored in two tables with the "sync" keyword in their names. You could build a custom UI to display them.

#306567
Aug 10, 2023 11:15
Tam Duc Ha Vo - Aug 10, 2023 11:19
I was fearing we had to do something like that. But thanks, I'll check it out!
Vincent - Aug 10, 2023 12:29
Me either. Can you provide a bit more context on why you want to know this from CMS, since you can’t administer anything for users and groups in CMS? Your entire authentication and authorisation are managed on the IDP side, and you can easily find out this information from the Azure AD management portal.
Tam Duc Ha Vo - Aug 10, 2023 12:35
The users of the edit interface of the CMS won't have access to Active Directory, because they'll have to contact an administrator of the Azure environment every time they want to check which users are in which group.

That is correct, the customer only wants to see which user is in which group, but not actually do anything with it.
This topic was created over six months ago and has been resolved. If you have a similar question, please create a new topic and refer to this one.