Focal Point
[CLOSED] Switch group after using External group

This topic can be found at:

December 03, 2019, 01:32 AM
[CLOSED] Switch group after using External group

Is it possible after I have done mapping Group from Microsoft AD to one of my group in Security Center and then resign a user to different group and login as new group, or remove that user from AD group without using AD.


Group_A(WF) Mapped to Manager(AD group)
Group_A contain following users:
- Max
- Alex
- Maria
- Sopphia

above listed users are created by AutoAdded, and wanted to move Alex to new Group_B which is NOT mapped to AD.

I am able to add Alex to Group_B via Security Center, but I can not remove Alex from Group_A due to mapped to AD, so when Alex login, he still in Group_A and I don't want Alex no longer to see or belong to Group_A.

My objective is to MOVE a user that was in AD to another group in WebFOCUS without using or touch AD.
Reason for this is some other application may mapped to AD in the same time, therefore, WebFOCUS should not change users in groups in AD but can be redefine to a new group in WebFOCUS ONLY.

I was think about an idea that force Alex to login as new group ONLY.

Any suggestion?

This message has been edited. Last edited by: nox,

WebFOCUS v8.2.06 , Windows
December 03, 2019, 11:06 AM
FP Mod Chuck

WebFOCUS AD integration was designed so all security can be managed by AD and not require security administrators to have to process authentication/authorization requests in more than one place. So if a user is part of a AD group mapped to WebFOCUS the only way to remove them from that group is via AD. WebFOCUS can not touch the AD definitions which is a good thing. Once you use AD group mapping it should be done across the board so in your case Alex should just be defined to an AD group mapped to Group_B from the get go.

Thank you for using Focal Point!

Chuck Wolff - Focal Point Moderator
WebFOCUS 7x and 8x, Windows, Linux All output Formats
December 04, 2019, 01:05 AM
Usually there is only one AD Domain in a Company, and a Company may use several tools or applications that are mapped to AD for easier security management, but some applications may be different role for a same user. Therefore, AD usually will mapped to most important Application( SSO portal or Critical System), but due to some tools like WebFOCUS may be a different role than AD, but in same time would like to have mapped to AD to avoid most of User creation in WebFOCUS(making none sense to create same user twice in AD and WebFOCUS, worst if there is more other like WebFOCUS). Maybe this request might be one of feature in the future?

WebFOCUS v8.2.06 , Windows
December 04, 2019, 07:10 AM

Assuming that actually not all AD user have access to WF, can you have different AD group specially defined for WF ?

Or you can defined internal WF security groups where you then assign users where you want. I understand that you need to manage users also in WF but only the group(s) where they belong to.
And further more, it may only be for exception users such as Alex. All others may be assigned to the default group where no maintenance is required.
I think that this may be your best option.

WF versions : Prod 8.2.04M gen 33, Dev 8.2.04M gen 33, OS : Windows, DB : MSSQL, Outputs : HTML, Excel, PDF
In Focus since 2007