Provision user accounts and distribution groups
The User Management Tool provisions users and groups to ShareFile through rules which correspond to Active Directory OUs and security groups. Once rules are created, they can be run once or set to run on a schedule, keeping ShareFile users and groups in sync with changes in AD. Customers can create users and groups based on their existing AD organization, or can create a designation for ShareFile in Active Directory so that users are managed centrally through AD but stay synced with the ShareFile application.
If you are testing this tool or running a POC of ShareFile, it is recommended that you create a ShareFile group in Active Directory that contains all your POC users. This will allow you to test adding and removing users from the group.
Creating User Provisioning Rules
To create a rule which will provision user accounts in ShareFile, navigate to the Users tab. The left-hand panel will display your Active Directory forest, where you can browse to find the correct user group. When a valid user group is selected, you will see users displayed in the right-hand panel.
For a user to be provisioned into ShareFile that user must have a first name, last name and email address displayed in the right-hand column. If any of these fields are missing that user will not be added and an error will show when you attempt to run the rule.
Once the desired Active Directory user group is selected, click Add Rule in the bottom left-hand corner. The Edit Users Rule options will appear, where you can determine how you would like these users created in ShareFile. Once the correct settings are selected, click Save and then click Close.
Edit User Rule Options
After choosing to run a rule on a specific AD user group you must choose settings for how that rule will run. The Edit Users Rule pop up will appear allowing you to choose the appropriate settings for this rule.
Please note that clicking close on this screen will close the editing with current settings and does not cancel the creation of the rule. If you have created the rule in error it will need to be deleted from the rules tab. The question mark icon in the upper right hand corner will open a pop out that gives additional information about some settings available. Setting details are also listed below.
Policies, User Access: Choose which User Access Policy you want to assign the group by selecting the Policy from the drop-down list.
Policies, File and Folder Management: Choose which File and Folder Management Policy you want to assign the group by selecting the Policy from the drop-down list.
Policies, Storage Location: Choose which Storage Location Policy you want to assign the group by selecting the Policy from the drop-down list.
Update ShareFile employee information based on selected AD object (will disable user if disabled in AD): When using the UMT for long-term user management, it is recommended to keep this box selected. When this item is selected, the rule is able to both provision users and update existing ShareFile users based on changes in AD. This will only update a user's email, first name, last name, and status. When rules are run on a recurring schedule, users who are disabled in AD will become disabled in ShareFile as well, which is useful when centralizing user management in Active Directory.
Create ShareFile employees based on the selected AD object: This checkbox allows you to provision users into ShareFile and will enable all the below options as well.
Default Company Name: Typically this is the company name listed on your account and is only used for display and organizational purposes. If you work with multiple companies this field can be changed to label employees in ShareFile appropriately.
Notify Employees with email: When checked this will send a system generated welcome to ShareFile email to any newly created users.
Creating Distribution Group Provisioning Rules
ShareFile distribution groups allow you to easily send files and manage folder permissions for groups of users in a single instance. If you would like to use Active Directory security groups to create and provision group membership in ShareFile you will need to click on the groups tab in the top navigation bar of the UMT. On the groups page, you must search for the group you desire to use. You can search by what the group name contains or what it starts with based on a setting on the right.
Please note that ShareFile Distribution Groups can only support up to 2000 users per group. Once this limit is hit no additional users will be added and errors will be shown in the logs.
Once you have found the correct group click Add Rule in the bottom left corner. The edit groups rule pop up will appear where you can choose if this rule should be for one time use to create the group and populate existing members or if you would like it to update the group membership as well when running the rule on a schedule. Best practice is to leave both options selected so that rules can keep ShareFile groups synced with AD groups for centralized management.
Clicking close on this screen will close the editing with current settings and does not cancel the creation of the rule. If you have created the rule in error, it will need to be deleted from the rules tab.
The Groups tab is designed specifically to create distribution groups and populate them with existing ShareFile users, not to provision users initially in ShareFile. If you select a rule which contains users who are not already covered by a user provisioning rule, a pop-up will appear asking if you would like to create a corresponding user provisioning rule. If you do not create the corresponding user provisioning rule, then only users who already have ShareFile accounts will be added to the group membership.
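A pre-flight check for the two provisioning constraints stated above (a user needs a first name, last name and email address; a distribution group supports up to 2000 users). This is an added example, not part of the UMT; the function name `Test-UmtReadiness`, the group name and the sample users are constructed, and it assumes user objects shaped like the output of `Get-ADUser -Properties mail`.

```powershell
# Added example, not UMT code. Flags AD users a rule would fail to provision
# and groups that exceed the distribution group limit stated on this page.
$MaxGroupMembers = 2000

function Test-UmtReadiness {
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Users
    )

    # A user missing any of the three required fields is not added by the rule.
    $blocked = foreach ($u in $Users) {
        $missing = @()
        if ([string]::IsNullOrWhiteSpace($u.GivenName)) { $missing += 'first name' }
        if ([string]::IsNullOrWhiteSpace($u.Surname))   { $missing += 'last name' }
        if ([string]::IsNullOrWhiteSpace($u.mail))      { $missing += 'email' }
        if ($missing.Count -gt 0) {
            [pscustomobject]@{
                SamAccountName = $u.SamAccountName
                Missing        = $missing -join ', '
            }
        }
    }

    [pscustomobject]@{
        Group          = $GroupName
        MemberCount    = $Users.Count
        OverGroupLimit = $Users.Count -gt $MaxGroupMembers
        BlockedUsers   = @($blocked)
    }
}

# Constructed sample data so the check runs without a domain.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'asmith';   GivenName = 'Ann'; Surname = 'Smith'; mail = 'asmith@example.com' }
    [pscustomobject]@{ SamAccountName = 'bjones';   GivenName = 'Bob'; Surname = 'Jones'; mail = $null }
    [pscustomobject]@{ SamAccountName = 'svc-scan'; GivenName = '';    Surname = '';      mail = 'scan@example.com' }
)
$report = Test-UmtReadiness -GroupName 'ShareFile-POC' -Users $sample
$report | Format-List Group, MemberCount, OverGroupLimit
$report.BlockedUsers | Format-Table -AutoSize

# Against a real domain (requires the ActiveDirectory module); direct members only:
# $users = Get-ADGroupMember 'ShareFile-POC' |
#     Where-Object objectClass -eq 'user' |
#     Get-ADUser -Properties mail
# Test-UmtReadiness -GroupName 'ShareFile-POC' -Users $users
```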
Schedule and Manage Rules
Rules can be run manually as a single-instance use, or can be scheduled to run on a recurring basis to keep ShareFile synced with changes in Active Directory.
Understanding the Rules tab
The Rules tab will display all the rules you have currently configured with the UMT. This information is stored long term as a part of your account in the SaaS application, so previously created rules will show up for all administrators on any machine. Rules are listed in the left-hand pane. Each rule is named first for the AD attribute selected, followed by whether the rule syncs users or syncs groups.
Rules are split between two tabs:
The first tab is the User Rules tab. This will house all your User rules in hierarchy order. Beside each rule, you will see a number to the left of the rule’s name. On the right, you will see up/down arrows which can be used to move the rule up or down in the hierarchy. It is important to make sure your rules are in the correct order, because if a user is part of more than one rule, the user is assigned the policies of the rule which runs first (highest in the hierarchy order).
The second tab is the Group Rules tab. This tab houses all Group rules.
The middle pane will display users and groups which will be affected by running rules. Finally, the far-right pane will show all actions to be completed if the rules are run. This will show the users and groups affected, as well as whether they need to be created or simply updated based on a change in AD. This pane can help you determine the impact of committing active rules based on the current state of your Active Directory.
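The ordering behaviour of user rules described above can be checked before committing. The following added example (not UMT code) models it: given user rules in hierarchy order, it lists every user matched by more than one rule, which rule decides their policies, and which lower rules are ignored. The function name `Resolve-UmtRuleOverlap`, the rule names, policy names and members are constructed.

```powershell
# Added example, not UMT code. Index 0 of -OrderedRules is the top of the hierarchy.
function Resolve-UmtRuleOverlap {
    param([Parameter(Mandatory)] [object[]] $OrderedRules)

    $winner = @{}
    foreach ($rule in $OrderedRules) {
        foreach ($user in $rule.Members) {
            if (-not $winner.ContainsKey($user)) {
                # First rule to match the user decides the assigned policy.
                $winner[$user] = [pscustomobject]@{
                    User         = $user
                    AppliedBy    = $rule.Name
                    Policy       = $rule.UserAccessPolicy
                    IgnoredRules = @()
                }
            } else {
                # Lower rule also matches; its policies are not applied.
                $winner[$user].IgnoredRules += $rule.Name
            }
        }
    }

    # Only users covered by more than one rule need an ordering review.
    $winner.Values |
        Where-Object { $_.IgnoredRules.Count -gt 0 } |
        Sort-Object User
}

# Constructed sample rules, listed in hierarchy order.
$rules = @(
    [pscustomobject]@{ Name = 'Finance users'; UserAccessPolicy = 'Restricted'; Members = @('asmith', 'bjones') }
    [pscustomobject]@{ Name = 'All staff';     UserAccessPolicy = 'Standard';   Members = @('asmith', 'bjones', 'cdoe') }
)
Resolve-UmtRuleOverlap -OrderedRules $rules |
    Format-Table User, AppliedBy, Policy, IgnoredRules -AutoSize
```

Swapping the two sample rules changes `Policy` for asmith and bjones from Restricted to Standard, which is the effect the up/down arrows have on users covered by both rules.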
Commit a Rule
If you would like to immediately apply the rules, you can click the Commit Now button. This will perform all the actions listed in the right-hand actions pane. If you see no actions listed, it is recommended that a refresh is done first so that you can review the effects of committing the rule.
Commit Now should be used for running rules for one-time or manual use, or for immediately applying changes which may be needed outside an existing schedule.
Schedule a Rule
Rules can be set to run as a scheduled activity through integration with Windows Scheduler. This is the most common configuration of the User Management Tool, as it allows centralized user and group management for IT in Active Directory, where most user management is performed by IT. This way, if a user changes job roles, changes email or personal information, or is deactivated in AD, a corresponding action will be performed in ShareFile automatically.
Clicking Schedule will allow you to create a scheduled task with Windows Scheduler. Scheduled tasks can be run weekly, daily, continuously, once, or on a manually configured schedule. You can also configure the start date and time for the scheduled task to initiate.
Updates to a rule or rules being added or removed will not change an existing scheduled task. If necessary you can update existing scheduled tasks through the schedule option as well.
Edit Existing Rules
To edit the settings of an existing rule, first highlight the rule in question and then click the Edit button. This will open the same options screen used when initially creating the rule, where policies and settings can be changed. This will only update the settings for the single highlighted rule at a time.
When saving edits to a rule, a pop-up will appear to remind you to update any scheduled tasks before the changes will apply.
Note: Unlike earlier versions of the UMT, editing a rule's list of policies will affect both how new users are provisioned in ShareFile and any existing user in the rule who has already been provisioned in ShareFile.
To delete a single rule you will want to highlight that rule and then click the delete button near the bottom of the rules screen. This should be used when a rule is created in error or the wrong AD item was used.
Please note that deleting a rule will not affect previously scheduled tasks. If you wish to make this change, you will also need to update the scheduled task.
Rules can also be cleared entirely by using the Delete All option. Keep in mind that since rules are stored in the cloud for the account, you will be removing all of this configuration data, which could be from other installations or administrators. Note that the Delete All option only deletes the rules within the tab you are under. If you wish to delete every rule in the UMT, you need to select ‘Delete All’ under both the ‘User Rules’ tab and the ‘Group Rules’ tab.
A quick view of logged actions performed by the UMT can be seen on the dashboard. This will list all users and groups created or updated as well as list any errors that occurred in the process of running rules.