
Organization Settings / Admin Guide (ADP Cloud)#

Users and Permissions#

Users setup#

Users with the "User" permission can add new users and change user role assignments. This is done on the Organization page that can be found in the menu when clicking on your user name in the top right corner of the UI. If you don’t have the right permissions, this option will not be available.

Adding A New User#

To add a new user, click + Add User at the top of the User list. From the Add new user form, you can invite new users by entering their e-mail address, assign roles, and then send an invite. Upon first login, the user will be asked to enter a password.

Changing User Settings#

To change a user’s settings, click the edit button to the right of the user’s name in the User list. In the Edit user form, you can change the Name, User name and the two-factor settings. Note that the e-mail address cannot be changed, since it is used to identify the user. Role assignments can also be changed here; see Roles and Permissions below for more information.

Deleting A User#

Use the trash bin button to the right of the user’s name in the User table to delete a user.

Roles and Permissions#

A role groups a set of permissions that controls access to different features in ADP Cloud. A user must be assigned at least one role. ADP Cloud comes with two pre-defined roles:

  • Super User - which has full access to all features.
  • ADP Standard User - which has access to all features except typical administrative tasks (add users, change permissions…).

The "Super User" role is fixed and cannot be changed. The "ADP Standard User" role can be changed and it is also possible to define custom roles. The following permissions are available when defining roles:

| Name | Description |
| --- | --- |
| Nodes | Register/unregister ADP Edge nodes, run remote sessions, deploy flows. |
| Flows | Create and modify flows. |
| Credentials | Add/delete credentials. |
| Resources | Add/delete resources. |
| Universal Connectors | Use the wizard to build/modify and publish/unpublish/delete UCs. |
| Labels | Add/delete labels and assign labels to ADP Edge nodes. |
| Modules | Register/unregister custom modules. |
| Users | Add/delete users, assign roles. |
| Roles | Add/change role definitions. |
| Identity Providers | Add/change user authentication with external identity providers. |

Enable a permission using the checkbox to the right of each category.

Finer-grained control is possible either by toggling the icons after each category name or by expanding a category using the ">" icon to the left of the category name. Each category typically has "View", "Create", "Update" and "Delete" permissions that can be set individually. Some categories have additional permissions, and in some cases the standard sub-permissions are disabled because the action is not allowed on that feature.

Using Labels To Limit Access To ADP Edge Nodes#

Labels assigned to ADP Edge nodes can be used to limit access to a subset of the available ADP Edge nodes. This is done by expanding the Nodes category and then adding labels to the individual permissions. For example, if you want to create a role that will only show ADP Edge nodes carrying the "Stockholm" label, add the "Stockholm" label to the "View" permission.

Note: Toggling sub-permissions in the permission categories and using labels to limit ADP Edge node access should be used with care and only by experienced administrators, since you can end up with combinations that will be difficult to use.

Authenticating Users With OpenID Connect#

With the standard setup, users are authenticated internally in ADP Cloud. If you already have a directory server where your users are registered, you can use it to authenticate users with ADP Cloud through OpenID Connect. To set up authentication against external directory servers, you need to configure one or several identity providers. An identity provider manages users from one or several domains. When a user tries to log in with an e-mail address whose domain belongs to one of the configured identity providers, an authentication request is sent to the external directory server, which checks whether the user has a role that grants access to ADP Cloud. In the identity provider configuration, you can also map roles and groups in the external provider to permissions in ADP Cloud. Note: You can only configure identity providers for domains that have been registered with your organization by Balluff.

Setting Up An Identity Provider (Wizard)#

Identity providers are configured on the Organization page, found in the user menu in the top right corner of the ADP Cloud interface. On that page, select Identity providers in the left-hand menu. This opens up a list of currently defined identity providers, if any, and also allows you to add new providers.

When clicking + Add Identity Provider, a wizard opens up which takes you through three steps to complete the configuration.

  1. Basic information

    The following settings are available:

    | Name | Required | Description |
    | --- | --- | --- |
    | Name | Yes | The name of this configuration. Shown in the identity provider listing. |
    | Description | No | Optional description. |
    | Client ID | Yes | The Client ID for Balluff obtained from your directory server. |
    | Client Secret | Yes | The Client Secret for Balluff obtained from your directory server. |
    | Authority | Yes | The URL of your OpenID Connect endpoint. |
    | User Name Claim | Yes | The name of the claim that contains the user's e-mail address. |
    | Get Claims From User Information Endpoint | No | Fetch additional user information from the external directory that was not included in the token because of its size. |
    | ADP Role | No | Role in the external directory required to get access to ADP Cloud. If left empty, all users will get access. |
    | Disabled | No | If checked, this identity provider is disabled and no requests to the external authentication server will be made. |
  2. Domains

    This step is used to map this configuration against one or several user domains. The domains listed here must be assigned to this organization by Balluff. A domain can only be managed by one identity provider, hence any domains already assigned to an identity provider will not be available for selection.

  3. Role Mapping

    In the final step, you can map roles and groups in the external directory to permissions in ADP Cloud. Each external role can be mapped to one or several ADP permissions, and multiple external roles can be mapped to the same ADP permissions. To add a new mapping, enter a new name in the Role Name field and check one or several permissions in the list. Then click Add. All current mappings are shown in the list at the bottom of the page, where you can also modify and delete existing mappings.

Modifying Identity Provider configurations#

Clicking the "edit" icon to the right of an existing identity provider configuration in the list opens the wizard so that you can make changes. To save your changes, click Update. Clicking somewhere else in the UI leaves the wizard; you will then be asked whether you want to save or discard your changes.

Using Azure Active Directory As Identity Provider#

This section describes how you configure your Azure AD for use with ADP Cloud.

Initial Setup In Azure#

  1. Configure Azure groups to be used for access rights in ADP Cloud:
    • Go to Azure Active Directory -> Groups and create the groups you want to use to set up access rights in ADP Cloud or use any existing group. At least one group is needed.
    • Write down the Object ID of the group(s) (a GUID).
    • Assign the users that should have access to ADP Cloud to the right groups.
  2. Create an app registration for ADP Cloud:
    • Go to Azure Active Directory -> App Registrations and create a new app registration. If you don’t have any other preferences, click Accounts in this organizational directory only (Standard Catalog only - Single tenant).
    • On the Overview page, write down the Application (client) ID, then click Endpoints and copy the URL of the OpenID Connect metadata document, skipping the part after v2.0/. The URL should look like this: https://login.microsoftonline.com/<guid>/v2.0/.
    • On the newly created app registration, click Add a certificate or secret. Save the secret value (client_secret, which is auto generated). You will not be able to access it later.
    • Go to API permissions -> Add a permission -> Microsoft Graph -> Delegated permissions -> RoleManagement.Read.All and add it.
  3. Azure AD roles limit (optional):
    • Azure AD has a limit on the number of object IDs that it includes in the groups claim. The limit varies between token types as follows: 150 for SAML tokens, 200 for JWT tokens and 6 for Single Page applications. If a user belongs to more groups than this limit, then Azure AD will not include any group in the claims.
    • It is possible to make sure that this limit is not reached. One way is to include only the groups assigned to the application that the user is a member of. To add groups to the application:
      • On the Overview page, click on the link next to Managed application in local directory.
      • Go to Users and Groups and click on Add user/group
    • Go to Token configuration -> Add groups claim and uncheck Security groups and make sure only Groups assigned to the application is checked.
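The steps above leave you with a metadata document URL that must be trimmed to the authority value ADP Cloud expects. The following Python, an added example that is neither ADP Cloud nor Balluff code, performs that trimming, rejects a URL whose tenant segment is not a GUID (for instance a pasted multi-tenant "common" URL), derives the discovery URL back from the authority, and checks a discovery document's issuer against it. The tenant id and the discovery document are constructed samples that only follow the shape of Azure's real ones.

```python
"""Derive the ADP Cloud "Authority" value from the OpenID Connect metadata
document URL shown on the Azure app registration's Endpoints page, and
sanity-check a discovery document against that authority.

Added example, not ADP Cloud or Balluff code. The tenant id and the
discovery document are constructed samples shaped like Azure's real ones.
"""
import json
import uuid
from urllib.parse import urlparse

DISCOVERY_SUFFIX = ".well-known/openid-configuration"
AZURE_HOST = "login.microsoftonline.com"
V2_MARKER = "/v2.0/"


def authority_from_metadata_url(metadata_url: str) -> str:
    """Keep everything up to and including 'v2.0/' (what the guide says to
    copy) and verify that the segment before it is a tenant GUID, so a
    pasted 'common' or 'organizations' multi-tenant URL is rejected."""
    parsed = urlparse(metadata_url)
    if parsed.scheme != "https" or parsed.netloc != AZURE_HOST:
        raise ValueError(f"unexpected scheme/host in {metadata_url!r}")
    idx = parsed.path.find(V2_MARKER)
    if idx < 0:
        raise ValueError("metadata URL does not contain '/v2.0/'")
    tenant = parsed.path[1:idx]
    try:
        uuid.UUID(tenant)
    except ValueError:
        raise ValueError(f"tenant segment {tenant!r} is not a GUID") from None
    return f"https://{AZURE_HOST}/{tenant}{V2_MARKER}"


def discovery_url(authority: str) -> str:
    """The discovery document lives at <authority>/.well-known/openid-configuration."""
    return authority.rstrip("/") + "/" + DISCOVERY_SUFFIX


def check_discovery_document(authority: str, document: str) -> dict:
    """Parse a discovery document, confirm its issuer matches the configured
    authority (ID tokens will carry this issuer), and return the endpoints a
    relying party needs."""
    doc = json.loads(document)
    if doc.get("issuer", "").rstrip("/") != authority.rstrip("/"):
        raise ValueError(f"issuer {doc.get('issuer')!r} does not match authority {authority!r}")
    required = ("authorization_endpoint", "token_endpoint", "jwks_uri")
    missing = [key for key in required if key not in doc]
    if missing:
        raise ValueError(f"discovery document lacks {missing}")
    wanted = required + ("userinfo_endpoint",)  # userinfo is optional in OIDC discovery
    return {key: doc[key] for key in wanted if key in doc}


# Constructed sample values (not a real tenant).
SAMPLE_TENANT = "11111111-2222-3333-4444-555555555555"
SAMPLE_METADATA_URL = f"https://{AZURE_HOST}/{SAMPLE_TENANT}{V2_MARKER}{DISCOVERY_SUFFIX}"
SAMPLE_DISCOVERY_DOC = json.dumps({
    "issuer": f"https://{AZURE_HOST}/{SAMPLE_TENANT}/v2.0",
    "authorization_endpoint": f"https://{AZURE_HOST}/{SAMPLE_TENANT}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://{AZURE_HOST}/{SAMPLE_TENANT}/oauth2/v2.0/token",
    "userinfo_endpoint": "https://graph.microsoft.com/oidc/userinfo",
    "jwks_uri": f"https://{AZURE_HOST}/{SAMPLE_TENANT}/discovery/v2.0/keys",
})

if __name__ == "__main__":
    authority = authority_from_metadata_url(SAMPLE_METADATA_URL)
    print("Authority for ADP Cloud:", authority)
    print("Discovery URL:", discovery_url(authority))
    for name, url in check_discovery_document(authority, SAMPLE_DISCOVERY_DOC).items():
        print(f"  {name}: {url}")
```

The issuer check matters because the authority you enter is what the relying party compares token issuers against; an authority copied with the wrong tenant segment fails at login time rather than in the wizard.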

Setup In ADP Cloud#

From the setup in Azure, you should now have the following:

  • client_id
  • client_secret
  • Endpoint URL

Follow these steps to set up a new identity provider in ADP Cloud that uses your Azure AD:

  1. Create an identity provider as described above.
  2. Fill in the client_id and client_secret you saved above when creating the app registration.
  3. Set the authority to the endpoint URL you saved above (https://login.microsoftonline.com/<guid>/v2.0/).
  4. Set Username Claim to e-mail.
  5. Check the Get Claims From User Information Endpoint checkbox.
  6. Enter the Group ID (as you saved above) of the group(s) that should be used to allow access to ADP Cloud.
  7. Choose the domains you want to use with this AD.
  8. Use the Group IDs to associate users to the appropriate roles in ADP Cloud.
  9. Press Finish.
  10. Copy the Return URL.
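To see how the wizard settings (domains, User Name Claim, ADP Role, role mappings from the Role Mapping step above, and the Azure group IDs used in steps 6 and 8) combine at login time, here is an added Python example; it is not ADP Cloud code but a model of the rules this guide describes. It makes two choices explicit that the guide leaves to the product: an ID token with no groups claim (what an Azure AD user over the group limit looks like) is denied rather than treated as unrestricted, and a user whose groups map to no ADP permission is denied instead of being admitted with nothing. The `config_warnings` helper flags an empty ADP Role, which admits every user of the domain. All group IDs, domains and claims are constructed samples.

```python
"""Evaluate whether an externally authenticated user gets into ADP Cloud, and
with which permissions, from an identity-provider configuration like the one
the wizard builds and the claims of a decoded, already validated ID token.

Added example, not ADP Cloud code. Group ids, domains and claims below are
constructed samples.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, List, Optional, Set


@dataclass
class IdentityProvider:
    name: str
    domains: Set[str]                       # wizard step 2, lower-case
    user_name_claim: str = "email"          # "User Name Claim"
    adp_role: Optional[str] = None          # "ADP Role": group required for access; None admits everyone
    role_mappings: Dict[str, Set[str]] = field(default_factory=dict)  # external role -> ADP permissions
    disabled: bool = False


@dataclass
class Decision:
    allowed: bool
    reason: str
    permissions: FrozenSet[str] = frozenset()


def _domain(email: str) -> str:
    return email.rpartition("@")[2].lower()


def provider_for_login(providers: Iterable[IdentityProvider], email: str) -> Optional[IdentityProvider]:
    """At login the e-mail domain selects the identity provider; a domain is
    managed by at most one provider, so the first match is the only match."""
    domain = _domain(email)
    return next((p for p in providers if domain in p.domains), None)


def config_warnings(provider: IdentityProvider) -> List[str]:
    """Things an administrator should notice before enabling the provider."""
    warnings = []
    if provider.adp_role is None:
        warnings.append(f"{provider.name}: ADP Role is empty, every user of {sorted(provider.domains)} is admitted")
    if not provider.role_mappings:
        warnings.append(f"{provider.name}: no role mappings, admitted users would get no permissions")
    return warnings


def evaluate(provider: IdentityProvider, claims: dict) -> Decision:
    """Apply the provider's rules to the claims of a validated ID token."""
    if provider.disabled:
        return Decision(False, "identity provider is disabled")
    email = claims.get(provider.user_name_claim)
    if not email:
        return Decision(False, f"token has no '{provider.user_name_claim}' claim")
    if _domain(email) not in provider.domains:
        return Decision(False, f"domain of {email} is not managed by {provider.name}")
    # Azure AD omits the groups claim when the user exceeds the group limit;
    # treat "no groups" as "no evidence", never as "no restriction".
    if "groups" not in claims:
        return Decision(False, "token carries no groups claim (group limit exceeded or none assigned)")
    groups = set(claims["groups"])
    if provider.adp_role is not None and provider.adp_role not in groups:
        return Decision(False, f"user is not in required group {provider.adp_role}")
    permissions: Set[str] = set()
    for group in groups:
        permissions |= provider.role_mappings.get(group, set())
    if not permissions:
        return Decision(False, "no role mapping matched the user's groups")
    return Decision(True, "ok", frozenset(permissions))


# Constructed sample configuration and token claims.
OPERATORS_GROUP = "aaaaaaaa-0000-0000-0000-000000000001"
ADMINS_GROUP = "aaaaaaaa-0000-0000-0000-000000000002"
SAMPLE_PROVIDER = IdentityProvider(
    name="Corporate Azure AD",
    domains={"example.com"},
    adp_role=OPERATORS_GROUP,
    role_mappings={
        OPERATORS_GROUP: {"Nodes", "Flows"},
        ADMINS_GROUP: {"Users", "Roles", "Identity Providers"},
    },
)
SAMPLE_CLAIMS = {"email": "alice@example.com", "groups": [OPERATORS_GROUP, ADMINS_GROUP]}

if __name__ == "__main__":
    for warning in config_warnings(SAMPLE_PROVIDER):
        print("warning:", warning)
    print(evaluate(SAMPLE_PROVIDER, SAMPLE_CLAIMS))
```

Run it as a script to see the decision for the sample user; swap the groups list for a token that lacks the claim to see the group-limit case denied with its reason.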

Final Setup In Azure#

On the App Registration Overview -> Add redirect URI -> Add a Platform -> Web, put the redirect URL from ADP Cloud into Redirect URI and click Configure.

You are done! Users logging in to ADP Cloud with a domain registered above will now be authenticated using your Azure AD.