Visual Paradigm Teamwork Server Active Directory Authentication (Group)

Teamwork Server supports two ways of authentication: built-in authentication and directory server authentication. While built-in authentication lets you set up and manage member accounts entirely inside Teamwork Server, directory server authentication allows users to log in to Teamwork Server and VP Server with credentials stored in and managed by a directory server.

For directory server authentication to work, the administrator has to install a utility called DS Connector and configure it to connect to both VP Server and the directory server. DS Connector acts as a bridge between VP Server and the directory server. It synchronizes the user listing from the directory server to VP Server and handles authentication from Visual Paradigm to the directory server, through VP Server.

In this page, you will learn how to work with Active Directory authentication, from creating user groups in Active Directory to installing and configuring DS Connector. If you are interested in working with users instead of user groups, please read Visual Paradigm Teamwork Server Active Directory Authentication (Groups). If you are interested in LDAP Authentication, please read Visual Paradigm Teamwork Server LDAP Authentication (Groups).

There is a series of steps you need to take to make Active Directory authentication work. Please read through all the steps below without skipping any of them, even if you are familiar with Active Directory.

Step 1 - Creating organization unit, user and group in Active Directory

  1. Start the Server Manager in Windows Server.
  2. Click on Tools at top right and select Active Directory Administrative Center from the popup menu.
    Open Active Directory Administrative Center
  3. Select your domain from the list on the left hand side.
    Select domain
  4. Create an Organizational Unit to house your corporate users. On the right navigation pane under Task > <domain name> click on New and then select Organizational Unit.
    Create Organizational Unit
  5. An Organizational Unit is like a company. Enter the mandatory details and click OK.
    Filling in the Organizational Unit screen
  6. This will immediately create the Organizational Unit in the designated location. Double click on your newly created Organizational Unit.
    Double click on an Organizational Unit to edit it
  7. On the right navigation pane, click on New, and then select User from the popup menu.
    Create user
  8. Enter the mandatory details such as the user's name.
    Filling in the User screen
  9. Enter the password for the user.
  10. Change the Password options to Other password options. If you don't do this, you won't be able to log in with this user account from Visual Paradigm products.
    Change Password Option to 'Other password options'
  11. Click OK. Repeat step 7 to step 10 to create all users in Active Directory.
  12. On the right navigation pane, click on New, and then select Group from the popup menu.
    Create group
  13. Enter the mandatory fields such as group name.
    Filling in the Group screen
  14. Scroll down to the Members section. You can add users into the group in the Members section.
  15. Click Add....
    Adding member into a group
  16. Enter the account name of the user you want to add into the group. Click OK.
    Enter user's account name
  17. Click OK in the Create Group screen to confirm group creation.

Step 2 - Downloading DS Connector from VP Server

DS Connector acts as a bridge between VP Server and the directory server. In this section you will see how to download DS Connector from VP Server.

  1. Open a web browser.
  2. Visit the Teamwork Server URL and log in as administrator. Note that the login ID of the default server administrator is Admin.
  3. Select System Tools from the menu on the left hand side.
  4. Open the tab Single Sign-On.
  5. Click on Configure under the section Directory Service Connector.
    To configure directory service connector
  6. Choose the operating system for the machine where Active Directory is installed.
    Choosing the right operating system
  7. Click Download. Keep the dialog box open, as you will need to copy the key presented in the dialog box when you configure DS Connector in the next section.

Step 3 - Installing and configuring DS Connector

In this section you will install DS Connector and configure it to connect to both VP Server and Active Directory.

  1. Copy the downloaded zip file to the machine where Active Directory is installed.
  2. Extract the zip file to a folder.
    DS Connector (zip) extracted
  3. Open an elevated command prompt.

    For Windows Server 2008 users, click the Start button, type cmd, and then right-click Command Prompt and select Run as administrator from the popup menu.

    For Windows Server 2012 users, search for cmd in the Apps screen, and then right-click Command Prompt and select Run as administrator at the bottom of the screen.
    Run elevated command prompt
  4. Navigate to DS_Connector_12.1\service, where DS_Connector_12.1 is the name of the extracted folder.
  5. Type the following command to install DS Connector as a service:
    install_service.bat
    Installing DS Connector as system service
  6. Run DS_Connector_12.1\DSConnectorUI.exe. Please run it as administrator to avoid any potential issues caused by insufficient write permission.
  7. When you run DS Connector the first time, you are prompted to configure the connection to VPository/Teamwork Server. In the Configure Server window, click Other and then select VP Server from the popup menu.
    To configure connection to VP Server
  8. Enter the host name and port of VP Server.
  9. Enter the key, which is the code you saw at the end of the previous section. If you have accidentally closed that dialog box, or if the key has expired, don't worry, just click Configure again (step 5 of the previous section) to obtain another key.
    Entering key for server configuration
  10. Click Connect. If it succeeds, you should see the message Server configuration succeed.
  11. DS Connector is now connected to VP Server. Now, you need to configure the connection to Active Directory. On the left hand side of the DS Connector Console, click Add Directory Server.
    To add a directory server
  12. Select Active Directory as Directory Server.
    Selecting Active Directory
  13. Enter a name for this configuration.
  14. Enter the host name and port of the Active Directory. Since we suggested installing DS Connector on the machine where Active Directory is installed, your host name is most likely localhost or 127.0.0.1. While the default port of Active Directory is 389, you may need to confirm it with your administrator in case it has been changed.
  15. Enter Bind DN or User. You can check the required value from the Account details page of the administrator user. The value of User SamAccountName is the value you need to enter now.
    Obtaining the Bind DN or user
  16. Enter the password for logging into Active Directory.
    Configuring Active Directory connection
  17. Click Test Connection. If it succeeds, you should see the message Test connection succeed.
  18. Click Save in the Configure Directory Server window.
  19. The newly configured directory server is listed on the left hand side of the DS Connector Console. If necessary, you can add more directory servers by repeating step 11 through this step.
    Directory server added

Step 4 - Synchronizing users to VP Server

In this section you will add users into DS Connector Console to let it synchronize the users to VP Server. When you have finished this section, the chosen users can log in to Teamwork Server from Visual Paradigm, using the login details managed by Active Directory.

  1. Select the directory server in DS Connector Console.
    Selecting a directory server
  2. On the right hand side, click Add.
  3. In the Add users/group window, select the user groups to be made available on Teamwork Server. The users in the selected groups will become members of Teamwork Server and will have access to Visual Paradigm projects.
    Select user groups to add to DS Connector Console
  4. Click Add.
  5. That's it. You can see the selected user groups listed on the right hand side of the DS Connector Console.
    Users added to DS Connector Console

    The user groups, along with their users, will be synchronized to VP Server shortly (~1 minute). Once the synchronization has completed, you will see the user groups in the Members > Groups page of VP Server, like this:
    User group synchronized to VP Server
    The users are available in the Members page of the Teamwork module of VP Server. Note that synchronization covers only the user name and login ID. It will neither synchronize nor process the password of any user in Active Directory. Whenever a user tries to log in to Teamwork Server from Visual Paradigm, Teamwork Server will communicate with Active Directory for authentication.
    Users synchronized from Active Directory
    So now, you can assign the user groups to projects so that the users can open the projects from Visual Paradigm and start working. If necessary, you can also grant them admin permissions.

    To log in to Teamwork Server from Visual Paradigm, enter the Email (Login ID) shown in the image above as Email, and the password stored in Active Directory as Password.
    Login from Visual Paradigm

Union of permissions among user groups

It is legitimate and technically possible to place a user in multiple user groups. For example, Mary is both a product manager and a tester, and therefore belongs to two different user groups for the two distinct roles. Because different levels of permission can be set for different groups, Teamwork Server takes the union of all of them and applies the result to the user. The following table shows how it works. Let's say all the users in the table are members of groups X, Y and Z. The "A" permission they enjoy is the union of the "A" permission specified in groups X, Y and Z.

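| User  | Permission "A" of Group "X" (specified in AD) | Permission "A" of Group "Y" (specified in AD) | Permission "A" of Group "Z" (specified in AD) | Result: Permission "A" of user (in Teamwork Server) |
|-------|-----------------------------------------------|-----------------------------------------------|-----------------------------------------------|-----------------------------------------------------|
| Peter | TRUE                                          | TRUE                                          | TRUE                                          | TRUE                                                |
| Mary  | TRUE                                          | FALSE                                         | TRUE                                          | TRUE                                                |
| David | FALSE                                         | FALSE                                         | FALSE                                         | FALSE                                               |

Example of the union of permissions among user groups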

Permission overriding

While permissions can be specified for user groups, it is also possible to specify permissions for individual users, whether or not they are inside a group. Permissions specified for a user have a higher priority than those specified for the user group(s) the user belongs to. The following table shows the idea. If you want to know how to specify permissions for a user, please read the page Visual Paradigm Teamwork Server Active Directory Authentication.

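| User  | Permission "A" of Group "X" (specified in AD) | Permission "A" of Group "Z" (specified in AD) | Result: Permission "A" of user (in Teamwork Server) |
|-------|-----------------------------------------------|-----------------------------------------------|-----------------------------------------------------|
| Peter | TRUE                                          | TRUE                                          | TRUE                                                |
| Mary  | TRUE                                          | FALSE                                         | TRUE                                                |
| David | FALSE                                         | TRUE                                          | FALSE                                               |
| Betty | FALSE                                         | FALSE                                         | FALSE                                               |

Example of the permission overriding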
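
The two rules above (union across groups, then user-level override) as a small model for reviewing who ends up with a permission and why. This is an added example, not Visual Paradigm's code. It assumes the first value column of the override table is the setting made directly on the user, and that `None` means no user-level setting; all function and variable names are hypothetical.

```python
from typing import Dict, List, Optional, Tuple

Row = Tuple[Dict[str, bool], Optional[bool]]   # (value per group, user-level value)

def effective_permission(groups: Dict[str, bool],
                         user_value: Optional[bool] = None) -> Tuple[bool, str]:
    """Resolve one permission for one user; returns (result, source)."""
    granting = sorted(g for g, allowed in groups.items() if allowed)
    if user_value is not None:            # user-level setting outranks groups
        return user_value, "user-level setting"
    if granting:                          # union: one TRUE group is enough
        return True, "group(s) " + ", ".join(granting)
    return False, "no group grants it"

def audit(members: Dict[str, Row]) -> List[Tuple[str, str]]:
    """List results worth a reviewer's attention."""
    findings = []
    for name, (groups, user_value) in members.items():
        result, _ = effective_permission(groups, user_value)
        granting = sorted(g for g, allowed in groups.items() if allowed)
        if result and user_value is not None and not granting:
            findings.append((name, "granted only by user-level setting"))
        elif not result and granting:
            findings.append((name, "user-level setting revokes a group grant"))
        elif result and user_value is None and len(granting) == 1 < len(groups):
            findings.append((name, "granted by a single group: " + granting[0]))
    return findings

# Rows of the union table (values copied from the page).
UNION_TABLE: Dict[str, Row] = {
    "Peter": ({"X": True, "Y": True, "Z": True}, None),
    "Mary": ({"X": True, "Y": False, "Z": True}, None),
    "David": ({"X": False, "Y": False, "Z": False}, None),
}
# Rows of the override table. ASSUMPTION: first value column is the
# user-level setting, second is group "Z".
OVERRIDE_TABLE: Dict[str, Row] = {
    "Peter": ({"Z": True}, True),
    "Mary": ({"Z": False}, True),
    "David": ({"Z": True}, False),
    "Betty": ({"Z": False}, False),
}

if __name__ == "__main__":
    for table in (UNION_TABLE, OVERRIDE_TABLE):
        for name, (groups, user_value) in table.items():
            print(name, effective_permission(groups, user_value))
        print("review:", audit(table))
```

Because of the union rule, adding a user to one permissive group is enough to grant a permission, so the `audit` findings are the rows to check when group membership in Active Directory changes.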

 
