You can map Windows Active Directory groups to EcoStruxure Building Operation user account groups if the EcoStruxure Building Operation software runs on a network that uses this directory to manage users and user account groups. An EcoStruxure Building Operation user account group that includes a Windows account group can be a member of another EcoStruxure Building Operation user account group.
You can map Windows Active Directory universal and global groups to EcoStruxure Building Operation user groups, but you cannot map Windows Active Directory domain local user groups.
Mapping Windows Active Directory account groups to EcoStruxure Building Operation user account groups has advantages for both administrators and operators. Administrators can manage the user accounts in the Windows Active Directory, rather than managing the accounts in two places. Any changes are instantly applied to the mapped EcoStruxure Building Operation user account group. Operators only have to remember the Windows login. Once logged in to a Windows user account that is mapped to an EcoStruxure Building Operation account, the user is authenticated to access WorkStation without having to log in a second time.
Windows Active Directory account groups can only be mapped on EcoStruxure BMS servers that are running on a Microsoft Windows operating system. Automation servers cannot map Windows Active Directory groups.
For example, the Windows Active Directory user account groups Main Admin and Main User are mapped to the EcoStruxure Building Operation user account groups Administrators and External Users. The External Users user account group is a member of the Operator user account group. The Administrators account group, which is a member of the External Users user account group, inherits access to the Operator workspace.
If several Windows Active Directory account groups have the same name, any EcoStruxure Building Operation user account group mapped to one of these groups will also be mapped to the other Windows Active Directory account groups with the same name.
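A pre-mapping check for the two constraints described above (group scope and duplicate group names), as an added PowerShell example that is not part of the original documentation. It works on records shaped like the output of Get-ADGroup from the ActiveDirectory module; the function name Test-MappingCandidate, the group BMS Local, and the domains corp.example and plant.example are constructed for illustration, and matching on the Name attribute is an assumption.

```powershell
# Added example: audit candidate AD groups before mapping them.
# Input records carry the Name, GroupScope and DistinguishedName properties
# that Get-ADGroup returns. Live data could be collected with, for example:
#   (Get-ADForest).Domains | ForEach-Object { Get-ADGroup -Filter * -Server $_ }
function Test-MappingCandidate {
    param(
        [Parameter(Mandatory)] [string[]] $CandidateName,
        [Parameter(Mandatory)] [object[]] $Group
    )
    foreach ($name in $CandidateName) {
        # String comparison with -eq is case-insensitive in PowerShell.
        $found  = @($Group | Where-Object { $_.Name -eq $name })
        $issues = @()
        if ($found.Count -eq 0) { $issues += 'not found' }
        if ($found.Count -gt 1) {
            # Same-named groups: a mapping to one applies to all of them.
            $issues += "name exists $($found.Count) times; a mapping applies to all of them"
        }
        foreach ($g in $found) {
            # Only universal and global groups can be mapped.
            if ("$($g.GroupScope)" -eq 'DomainLocal') {
                $issues += "domain local, cannot be mapped: $($g.DistinguishedName)"
            }
        }
        [pscustomobject]@{
            Name    = $name
            Matches = $found.Count
            Scopes  = ($found | ForEach-Object { "$($_.GroupScope)" } | Sort-Object -Unique) -join ', '
            Issues  = $issues -join '; '
        }
    }
}

# Constructed sample: groups from two domains in one forest.
$sample = @(
    [pscustomobject]@{ Name = 'Main Admin'; GroupScope = 'Universal';   DistinguishedName = 'CN=Main Admin,OU=BMS,DC=corp,DC=example' }
    [pscustomobject]@{ Name = 'Main User';  GroupScope = 'Global';      DistinguishedName = 'CN=Main User,OU=BMS,DC=corp,DC=example' }
    [pscustomobject]@{ Name = 'Main User';  GroupScope = 'Global';      DistinguishedName = 'CN=Main User,OU=Lab,DC=plant,DC=example' }
    [pscustomobject]@{ Name = 'BMS Local';  GroupScope = 'DomainLocal'; DistinguishedName = 'CN=BMS Local,OU=BMS,DC=corp,DC=example' }
)

Test-MappingCandidate -CandidateName 'Main Admin', 'Main User', 'BMS Local' -Group $sample |
    Format-Table -AutoSize -Wrap
```

In the constructed data, Main User is flagged because it exists in two domains, so every member of either group would receive the mapped access.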
The default account for running the Enterprise Server service or Enterprise Central service is the Windows Local System account. The Windows Local System account has sufficient permissions for accessing the Active Directory by default.
Make sure that the Enterprise Server service or Enterprise Central service account has sufficient permissions to read all the necessary user groups in all locations in the Active Directory, so that users can log on to the Enterprise Server or Enterprise Central using Windows authentication.