Sync Solve Users With an Active Directory Group

    You can sync ControlUp with an Active Directory (AD) security group to automatically create a ControlUp account for new users added to the security group. This means that new users on your team can access the VDI & DaaS web console (Solve) without first having to register in the Real-Time Console.

    How it works

    The script Create Solve users from AD Security Group scans the specified AD security group. If a user in the security group doesn't have a ControlUp account, then the script creates an account for the user.

    The script automatically runs once per day to sync ControlUp with the security group using a scheduled trigger.

    Note
    The script does not automatically remove a ControlUp account if the user is removed from the AD security group.

    Set permissions for the security group

    The script doesn't automatically set any permissions for the ControlUp accounts that it creates. You can use the Real-Time Console Security Policy to assign a security group a certain role. To allow the created ControlUp accounts to access the VDI & DaaS web console (Solve), assign the security group to a role that has the Use Solve or Manage Solve permission.

    To set a role for a security group:

    1. Go to Security Policy > Manage Roles.
    2. Click Edit on the role you want to assign to users in the security group.
    3. Click Add Users/Groups and add the security group to the role.

    Sync multiple security groups

    You can use nested security groups to sync multiple groups for different types of ControlUp users (for example, admins and non-admins). To do this, use three security groups:

    • All CU Users
    • CU Admins
    • CU Users

    Set the CU Admins and CU Users groups to be members of the All CU Users group. Configure the script to sync with the All CU Users group. 

    The script creates a ControlUp account for new users added to the CU Admins and CU Users groups. Each user's ControlUp account is assigned the role configured for their security group in the Real-Time Console Security Policy.
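    Because the sync script resolves nested groups but never removes ControlUp accounts, the following added example (not ControlUp's script and not part of the original article) snapshots the effective membership of the synced group and reports users who have left it or are disabled in AD, so their ControlUp accounts can be reviewed manually. It assumes the nested layout above with All CU Users as the synced group; the snapshot path is a hypothetical location chosen for this example.

```powershell
#Requires -Modules ActiveDirectory
# Added example: audits the AD group that the sync script reads.
# Assumptions: group name from the nested-group layout above; snapshot path is hypothetical.
param(
    [string]$SolveUserSecurityGroup = 'All CU Users',
    [string]$SnapshotPath = 'C:\ProgramData\SolveSyncAudit\members.csv'
)

# Abort on any AD error so a failed lookup is never mistaken for an empty group.
$ErrorActionPreference = 'Stop'

# Effective membership: -Recursive flattens CU Admins and CU Users into leaf members.
$current = @(
    Get-ADGroupMember -Identity $SolveUserSecurityGroup -Recursive |
        Where-Object objectClass -eq 'user' |
        Get-ADUser |
        Select-Object SamAccountName, @{ n = 'Sid'; e = { $_.SID.Value } }, Enabled
)

# Membership recorded by the previous run (empty on the first run).
$previous = @()
if (Test-Path -LiteralPath $SnapshotPath) {
    $previous = @(Import-Csv -LiteralPath $SnapshotPath)
}

# Compare on SID so a renamed account is not reported as removed and re-added.
$removed  = @($previous | Where-Object { $_.Sid -notin $current.Sid })
$added    = @($current  | Where-Object { $_.Sid -notin $previous.Sid })
$disabled = @($current  | Where-Object { -not $_.Enabled })

$report = @(
    # Left the group: the ControlUp account still exists and needs manual review.
    $removed  | Select-Object @{ n = 'Finding'; e = { 'RemovedFromGroup' } }, SamAccountName, Sid
    # Newly in scope: the next daily sync will create a ControlUp account.
    $added    | Select-Object @{ n = 'Finding'; e = { 'NewInGroup' } }, SamAccountName, Sid
    # Disabled in AD but still a member, so still in scope for the sync.
    $disabled | Select-Object @{ n = 'Finding'; e = { 'DisabledStillMember' } }, SamAccountName, Sid
)
$report | Format-Table -AutoSize

# Persist the current membership for the next comparison.
$dir = Split-Path -Parent $SnapshotPath
if (-not (Test-Path -LiteralPath $dir)) {
    New-Item -ItemType Directory -Path $dir | Out-Null
}
$current | Export-Csv -LiteralPath $SnapshotPath -NoTypeInformation
```

    Run it with an account that can read the group, on a machine that has the ActiveDirectory PowerShell module installed.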

    Prerequisites

    To use this feature, you must have:

    • A ControlUp license that allows Automated Actions.
    • Real-Time DX version 8.8 Maintenance Release or higher.
    • The ActiveDirectory PowerShell Module installed on the ControlUp Monitor running the script.

    Step 1 - Add and configure the Active Directory sync script

    1. Sign in to the Real-Time Console and select Script Actions.
    2. Go to the Community Scripts tab and add the script Create Solve users from AD Security Group.
    3. Accept the terms of the script and click Next.
    4. Select ControlUp Monitors to allow Monitors to automatically run the action, and click Add Action.
    5. Go to the Organizational Scripts tab, select the Create Solve users from AD Security Group script and click Modify.
    6. Go to the Settings tab and set the following:
      1. Set the Execution Context to Other Machine and select the Monitor to run the script. Note that this Monitor must have the ActiveDirectory PowerShell module installed.
      2. Set the Security Context to Shared credentials and select credentials that have permission to read from your Active Directory.
    7. Go to the Arguments tab and click Edit...
    8. Set the Default value for the SolveUserSecurityGroup parameter to the name of the security group you want to sync to ControlUp and click OK.

    The Active Directory sync script is now added to your organization.

    Step 2 - Set up the trigger to automatically run the script

    After you have added the script to your organization, download the following trigger JSON file. The trigger is preconfigured to run the Active Directory sync script once per day.

    To add the trigger to your ControlUp organization:

    1. In the Real-Time Console, select Triggers.
    2. In the Trigger settings window, click Import and select the trigger JSON file you downloaded.
    3. After importing the trigger, click Apply.

    The trigger is now set up and the script will automatically create a ControlUp account for new users added to the security group.

