How to Manage Authentication Groups for AD

Owned by Jason Ray (Deactivated)
Last updated: Feb 16, 2022
2 min read

There are 2 ways to assign access to sites via Active Directory groups: assign access to a single site or assign access to a whole division of sites.

Assigning access to a single site

The group name should be specified using the following format:

INTLAPP_WM_LOC_[territory code]_[division code] [site/location name]

For example, the group name for the USW site titled Addiction Treatment Services (ATS) in the Hawaiian and Pacific Islands division (HI) would be:

INTLAPP_WM_LOC_USW_HI Addiction Treatment Services (ATS)

The group name for a site is created when the site is created and can be managed in Conductor on the Sites page under OIDC Group Mapping. This value in this field is slightly different than the group name your IT department will need (above), in that it excludes the _LOC part of the group name. This difference is necessary for the system to work correctly.

Assigning access to an entire division

If a user needs access to edit all the sites within a division, the group name format above will be changed slightly. _LOC will be replaced with _DIV and the site name will be removed (INTLAPP_WM_DIV_[territory code]_[division code]). So for our example above, the group name that allows access to all Hawaiian and Pacific Island sites would be:

INTLAPP_WM_DIV_USW_HI

Divisional Conductors

Divisional Conductors have access to all sites within a Division and also have access to Conductor, where they can create sites and share assets within their Division.

DHQ Conductors need access to 2 groups in order to function correctly:

  1. The Divisional AD Group: INTLAPP_WM_DIV_[territory code]_[division code]

  2. The Symphony Conductor AD Group: WEBMANAGER_SYMPHONY_CONDUCTOR

Territorial Conductors

Most of the time there should only be one person per territory in this group.

THQ Conductors have super user access to create, edit, and delete redirects, sites, domain mappings, etc. To assign super user access to Webmanager, assign the person to the WEBMANAGERMASTERADMIN AD Group.

Assigning access to an entire territory

If a user needs access to edit all the sites within territory, but doesn’t need the added super user abilities to map sites to domains, manage redirects, and delete sites, you can assign that user to the WEBMANAGERADMIN_[territory code] group.

Related Articles