User Management Tool for Policy-Based Administration

Provision user accounts and distribution groups

Rule creation

The User Management Tool provisions users and groups to ShareFile/Citrix Content Collaboration through the creation of rules which correspond to Active Directory (AD) Organizational Units (OUs) and security groups. Once rules are created, they can be run once or set to run on a schedule, keeping ShareFile/Citrix Content Collaboration users and groups in sync with changes in AD. Customers can choose to create users and groups based on existing AD organizations or can choose to create a designation for ShareFile/Citrix Content Collaboration in Active Directory so that users can be managed centrally through AD but stay synced.

If you are testing this tool or running a POC, it is recommended that you create a ShareFile/Citrix Content Collaboration group in Active Directory to test with that contains all your POC users. This allows you to test adding and removing users from the group.

Creating user provisioning rules

To create a rule which provisions user accounts in ShareFile/Citrix Content Collaboration, navigate to the Users tab. The left-hand panel displays your Active Directory forest where you can browse to find the correct user group. When a valid user group is selected, the users display in the right-hand panel.

For a user to be provisioned, the user must have a first name, last name, and email address displayed in the right-hand column. If any of these fields are missing, that user is not added and an error displays when you attempt to run the rule.

Once the desired Active Directory user group is selected, select Add rule in the bottom left-hand corner. The Edit Users Rule options appear, where you can determine how you would like these users created in ShareFile/Citrix Content Collaboration. Once the correct settings are chosen, select Save and then select Close.

Edit User Rule options

After choosing to run a rule on a specific AD user group, you must choose settings for how that rule runs. The Edit Users Rule pop up appears, allowing you to choose the appropriate settings for this rule.

The question mark icon in the upper right-hand corner opens a pop-out that gives additional information about some of the available settings. Setting details are also listed below.

  • Policies, User Access: Choose which user access policy you want to assign the group by selecting the policy from the drop-down list.

  • Policies, File and Folder Management: Choose which file and folder management policy you want to assign the group by selecting the policy from the drop-down list.

  • Policies, Storage Location: Choose which storage location policy you want to assign the group by selecting the policy from the drop-down list.

  • Update ShareFile employee information based on selected AD object (will disable user if disabled in AD): When using the UMT for long term user management, keep this box selected. When this item is selected, the rule is able to both provision users and update existing users based on changes in AD. This only updates the user's email, first name, last name, and status. When rules are run on a recurring schedule, users who are disabled or deleted in AD are disabled in ShareFile/Citrix Content Collaboration as well, which is useful when centralizing user management to Active Directory.

  • Create ShareFile employees based on the selected AD object: This checkbox allows you to provision users into ShareFile/Citrix Content Collaboration and enables all the below options.

  • Default Company Name: This is the company name listed on your account and is only used for display and organizational purposes. If you work with multiple companies, this field can be changed to label employees in ShareFile/Citrix Content Collaboration appropriately.

  • Notify Employees with email: When checked, this sends a system generated welcome email to any newly created users.

Creating distribution group provisioning rules

Distribution groups allow you to easily send files and manage folder permissions for groups of users in a single instance. If you would like to use Active Directory security groups to create and provision group membership in ShareFile/Citrix Content Collaboration, select the Groups tab in the top navigation bar of the UMT. On the Groups page, you must search for the group you want to use. You can search by what the group name contains or what it starts with based on the settings on the right.

Distribution groups can support up to 2,000 users per group. Once this limit is hit, no additional users can be added and errors are shown in the logs.
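The required-field rule for user provisioning and the 2,000-user group limit can both be checked before a rule is run. The following is an added example, not part of the UMT or of Citrix's documentation; it assumes the first name, last name and email address shown in the UMT correspond to the GivenName, Surname and EmailAddress properties returned by Get-ADUser, and Test-ProvisioningReadiness, the sample accounts and the group name are hypothetical.

```powershell
# Added example: pre-flight check for the accounts a UMT rule would cover.
# Assumption: GivenName, Surname and EmailAddress (as returned by Get-ADUser)
# are the fields the UMT requires. Test-ProvisioningReadiness is hypothetical.
function Test-ProvisioningReadiness {
    param(
        [Parameter(Mandatory)] [object[]] $Users,
        [int] $GroupLimit = 2000   # distribution group limit stated on this page
    )
    $required = 'GivenName', 'Surname', 'EmailAddress'
    $incomplete = foreach ($u in $Users) {
        # Collect the names of required properties that are null or blank.
        $missing = @(foreach ($p in $required) {
            if ([string]::IsNullOrWhiteSpace($u.$p)) { $p }
        })
        if ($missing.Count -gt 0) {
            [pscustomobject]@{
                SamAccountName = $u.SamAccountName
                Missing        = $missing -join ', '
            }
        }
    }
    [pscustomobject]@{
        Total      = $Users.Count
        OverLimit  = $Users.Count -gt $GroupLimit
        Disabled   = @($Users | Where-Object { -not $_.Enabled }).Count
        Incomplete = @($incomplete)
    }
}

# Constructed sample data so the check runs without a domain controller.
$sample = @(
    [pscustomobject]@{ SamAccountName='asmith';   GivenName='Ann'; Surname='Smith'; EmailAddress='asmith@example.test'; Enabled=$true }
    [pscustomobject]@{ SamAccountName='svc-scan'; GivenName=$null; Surname=$null;   EmailAddress='scan@example.test';   Enabled=$true }
    [pscustomobject]@{ SamAccountName='bjones';   GivenName='Bo';  Surname='Jones'; EmailAddress='';                    Enabled=$false }
)
$report = Test-ProvisioningReadiness -Users $sample
$report | Format-List Total, OverLimit, Disabled
$report.Incomplete | Format-Table -AutoSize

# Against a live domain (ActiveDirectory module; 'SF-POC-Users' is a placeholder):
# $members = Get-ADGroupMember -Identity 'SF-POC-Users' |
#     Where-Object objectClass -eq 'user' |
#     Get-ADUser -Properties EmailAddress
# Test-ProvisioningReadiness -Users $members
```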

Once you have found the correct group, select Add Rule in the bottom left corner. The Edit Groups Rule pop-up appears, where you can choose whether this rule is for one-time use to create the group and populate existing members, or whether it should also update the group membership when the rule runs on a schedule. We recommend leaving both options selected so that rules can keep ShareFile/Citrix Content Collaboration groups synced with AD groups for centralized management.

Note:

Selecting Close on this screen closes the editing with current settings and does not cancel the creation of the rule. If you have created the rule in error, it must be deleted from the Rules tab.

The Groups tab is designed specifically to create distribution groups and populate them with existing ShareFile/Citrix Content Collaboration users but not to provision users initially. If you select a rule which contains users who are not already covered by a user provisioning rule, a pop-up appears asking if you would like to create a corresponding user provisioning rule. If you do not create the corresponding user provisioning rule, then only users who already have ShareFile/Citrix Content Collaboration accounts are added to the group membership.

Schedule and manage rules

Rules can be run manually for single-instance use, or can be scheduled to run on a recurring basis to keep ShareFile/Citrix Content Collaboration synced with changes in Active Directory.

Understanding the Rules tab

The Rules tab displays all the rules you have currently configured with the UMT. This information is stored long term as a part of your account in the SaaS application, so previously created rules show up for all administrators on any machine. Rules are listed in the left-hand pane and are labeled first by name, then by the AD attribute selected, and then by whether the rule syncs users or syncs groups.

The first tab is the User Rules tab. This houses all your user rules in hierarchy order. A number is shown to the left of each rule's name. On the right, up/down arrows are shown which can be used to move the rule up or down in the hierarchy. It is important to make sure your rules are in the correct order, because if a user is part of more than one rule, the user is assigned the policies of the rule which runs first (highest in the hierarchy order).
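The first-match behaviour described above means a broad rule placed high in the hierarchy can override a more restrictive rule below it. The following is an added example, not part of the UMT; Resolve-EffectiveRule and every rule, AD object, policy and user name in it are constructed for illustration.

```powershell
# Added example: work out which rule's policy each user receives when rules
# overlap. All names and data below are constructed; Resolve-EffectiveRule
# is a hypothetical helper, not a UMT function.
function Resolve-EffectiveRule {
    param(
        [Parameter(Mandatory)] [object[]]  $Rules,      # hierarchy order, top first
        [Parameter(Mandatory)] [hashtable] $Membership  # AD object -> user names
    )
    $seen = [ordered]@{}
    foreach ($rule in $Rules) {
        foreach ($user in $Membership[$rule.AdObject]) {
            if (-not $seen.Contains($user)) {
                # The first rule in the hierarchy that covers the user wins.
                $seen[$user] = [pscustomobject]@{
                    User       = $user
                    AppliedBy  = $rule.Name
                    UserAccess = $rule.UserAccess
                    Shadowed   = [System.Collections.Generic.List[string]]::new()
                }
            }
            elseif ($rule.UserAccess -ne $seen[$user].UserAccess) {
                # A lower rule names a different policy that never takes effect.
                $seen[$user].Shadowed.Add("$($rule.Name) ($($rule.UserAccess))")
            }
        }
    }
    $seen.Values
}

# Constructed rules and memberships: 'cy' is covered by both rules.
$rules = @(
    [pscustomobject]@{ Name='All Staff';   AdObject='OU=Staff';      UserAccess='Standard' }
    [pscustomobject]@{ Name='Contractors'; AdObject='G-Contractors'; UserAccess='Restricted' }
)
$membership = @{
    'OU=Staff'      = 'ann', 'bo', 'cy'
    'G-Contractors' = 'cy', 'dee'
}
Resolve-EffectiveRule -Rules $rules -Membership $membership |
    Select-Object User, AppliedBy, UserAccess,
        @{ n='Shadowed'; e={ $_.Shadowed -join '; ' } } |
    Format-Table -AutoSize
```

Any row with a non-empty Shadowed column is a user whose policy depends on rule order and is worth reviewing before committing.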

The second tab is the Group Rules tab. This tab houses all group rules. The middle pane displays users and groups which are affected by running rules. The far-right hand pane shows all actions to be completed when the rules are run. This shows the users and groups affected as well as if they need to be created or updated based on changes in AD. This pane can help you determine the impact of committing active rules based on the current state of your Active Directory.

Commit a rule

To immediately apply the rules, select Commit Now. This performs all the actions listed in the right-hand actions pane. If you see no actions listed, it is recommended that a refresh is done first so that you can review the effects of committing the rule.

Commit Now should be used for running rules for one time or manual use or for immediately applying changes which might be needed outside an existing schedule.

Schedule a rule

Rules can be set to run as a scheduled activity through integration with Windows Scheduler. This is the most common configuration of the User Management Tool, as it allows centralized user and group management for IT in Active Directory where most user management is performed by IT. If a user changes job roles, email, or personal information or is deactivated in AD, a corresponding action is performed in ShareFile/Citrix Content Collaboration automatically.

Selecting Schedule allows you to create a scheduled task with Windows Scheduler. Scheduled tasks can be run weekly, daily, continuously, once, or on a manually configured schedule. You can also configure the start date and time for the scheduled task to initiate.

Updates to a rule or rules being added or removed do not change an existing scheduled task. If necessary, you can update existing scheduled tasks through the Schedule option as well.

Edit existing rules

To edit the settings of an existing rule, highlight the rule and then click Edit. This opens the same options screen used when initially creating the rule where policies and settings can be changed. This only updates the settings for the single highlighted rule at a time.

When saving edits to a rule, a pop-up appears to remind you to update any scheduled tasks before the changes apply.

Editing a rule's list of policies affects how new users are provisioned and also affects any existing user in the rule that has already been provisioned.

Deleting rules

To delete a single rule, highlight that rule and then select Delete near the bottom of the Rules screen. This is used when a rule is created in error or the wrong AD item was used.

Deleting a rule does not affect previously scheduled tasks. If you want the deletion to apply to a scheduled task, update the scheduled task as well.

Rules can also be cleared entirely by using the Delete All option. Because rules are stored in the cloud for the account, this removes all of that configuration data, which can include rules created from other installations or by other administrators. The Delete All option only deletes the rules within the tab you are under. If you want to delete every rule in the UMT, select Delete All under both the User Rules tab and the Group Rules tab.

Logs

A quick view of logged actions performed by the UMT can be seen on the dashboard. This lists all users and groups created or updated, in addition to listing any errors that occurred in the process of running rules.
