OmniGroupServer extracts user and group information from repositories, such as Microsoft Active Directory and IBM Notes. OmniGroupServer stores the information so that it can be used by IDOL to provide document security.
When a user submits a query to IDOL server, IDOL must determine whether the user is permitted to view the documents that are returned as results. To do this, IDOL compares the user's information to each document's Access Control List (ACL).
The permissions applied to a file or record specify the users and groups who are permitted, and are not permitted, to view it. The permissions are stored in the file's ACL. When you set up mapped document security and connectors extract files from a repository, the connector writes the ACL into an encrypted document field.
IDOL must also consider the groups that the user belongs to. For example, a user might not have explicit permission to view a document, but they could be a member of a group that has permission. This means that IDOL requires the user and group information from the repository.
IDOL cannot retrieve security information from a repository at query time, because this would result in an unacceptable delay for the user who submitted the query. Instead, you can use OmniGroupServer to extract and cache the security information. OmniGroupServer regularly extracts security information, based on a schedule that you configure, so that it remains synchronized with the repository.
To extract security information from a repository you configure tasks in the OmniGroupServer configuration file. Each task extracts information from one type of repository. You can schedule tasks to run at specific intervals.
OmniGroupServer can make many requests to a repository. To maximize performance, Micro Focus recommends scheduling tasks when the repository has spare capacity to process the queries, for example during the night.
For most repositories, OmniGroupServer can extract incremental changes. The first time the task runs, OmniGroupServer extracts all of the security information from the repository. The next time the task runs, OmniGroupServer only needs to extract the updated information.
Due to API limitations imposed by repositories, OmniGroupServer cannot extract security information from all types of repository. In some cases (for example Microsoft SharePoint), you must use a connector to extract security information. To extract security information using a connector, run the connector's
You can run the SynchronizeGroups action automatically by using one of the following methods:
Configure a Connector Task in OmniGroupServer. Create and schedule a task in OmniGroupServer, and set the parameter GroupServerJobType=Connector. OmniGroupServer automatically sends the SynchronizeGroups action to the specified connector. The connector extracts security information from the repository, using the settings in its configuration file, and returns the information to the OmniGroupServer that sent the action. Micro Focus recommends using this method for retrieving security information using a connector, because it does not require any additional settings to be specified in the connector's configuration file.
Configure the connector to run the SynchronizeGroups action. You can configure a connector to run the SynchronizeGroups action based on a schedule that you configure. The connector runs the action and returns the information to the OmniGroupServer that has been specified in the [GroupServer] section of its configuration file. When you use this method, you must configure the new task and specify the details of the OmniGroupServer in the connector's configuration file.
OmniGroupServer can perform operations on the security information it extracts. For example, certain repositories use NT security but do not include the domain name in ACLs. In this case you could configure OmniGroupServer to remove the domain name from the NT groups that are extracted, so that they match the ACL.
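The query-time ACL check and the domain-name removal described above, as an added Python model; it is not IDOL or OmniGroupServer code. The names `Acl`, `build_cache`, `strip_domain` and `can_view`, the sample users and groups, nested-group expansion, and the rule that a deny entry overrides an allow entry are assumptions made for illustration.

```python
# Illustrative model only; not IDOL or OmniGroupServer code.
from dataclasses import dataclass

@dataclass(frozen=True)
class Acl:
    allow: frozenset  # principals permitted to view the document
    deny: frozenset   # principals explicitly not permitted

def strip_domain(name):
    """'CORP\\finance' -> 'finance'; names without a domain pass through."""
    return name.rsplit("\\", 1)[-1]

def build_cache(extracted, transform=lambda n: n):
    """Model of the scheduled extraction: store memberships, optionally
    rewriting names so they use the same form as the ACL entries."""
    return {transform(member).lower(): {transform(g).lower() for g in groups}
            for member, groups in extracted.items()}

def principals_for(user, cache):
    """The user plus every group reached through (possibly nested) membership."""
    seen, stack = {user}, [user]
    while stack:
        for group in cache.get(stack.pop(), ()):
            if group not in seen:
                seen.add(group)
                stack.append(group)
    return seen

def can_view(user, cache, acl):
    """Query-time check against cached data only. Deny-over-allow is assumed."""
    who = principals_for(user.lower(), cache)
    if who & acl.deny:
        return False
    return bool(who & acl.allow)

# Constructed sample data: the repository reports DOMAIN\name, the ACL omits the domain.
EXTRACTED = {
    "CORP\\alice": ["CORP\\analysts"],
    "CORP\\analysts": ["CORP\\finance"],
    "CORP\\bob": ["CORP\\finance", "CORP\\contractors"],
}
DOC_ACL = Acl(allow=frozenset({"finance"}), deny=frozenset({"contractors"}))

RAW = build_cache(EXTRACTED)                    # names kept as extracted
NORMALISED = build_cache(EXTRACTED, strip_domain)  # domain removed to match the ACL
```

With the `RAW` cache no extracted group matches the ACL, so a legitimate member of `finance` is refused; with `NORMALISED` the same membership resolves correctly and the `contractors` deny entry still applies.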
Some repositories, such as Microsoft SharePoint, use a combination of security types. To set up security for documents that are extracted from SharePoint, you must configure a task in OmniGroupServer to combine NT security information with that from the SharePoint server. For more information about how to do this, refer to the SharePoint connector documentation.