2013 R2 Active Directory Configuration Guide


Post on 17-Jun-2018


Page 1: 2013 R2 Active Directory Configuration Guide (help.workzone.kmd.dk/wzcs/2013r2/Guides/Configuration...), ConfigGuide_ActiveDirectory.docx

2013 R2

Active Directory

Configuration Guide


ConfigGuide_ActiveDirectory.docx Page 2 of 50

Intellectual property rights

This document is the property of ScanJour. The data contained herein, in whole or in part, may not be duplicated, used or disclosed outside the recipient for any purpose other than to conduct business and technical evaluation. This restriction does not limit the recipient’s right to use information contained in the data if it is obtained from another source without restriction.

Disclaimer

This document is intended for informational purposes only. Any information herein is believed to be reliable. However, ScanJour assumes no responsibility for the accuracy of the information. ScanJour reserves the right to change the document and the products described without notice. ScanJour and the authors disclaim any and all liabilities. ScanJour is a trademark used under license by ScanJour A/S. All other logos, trademarks and service marks are the property of the respective third parties. Copyright © ScanJour A/S 2014. All rights reserved.

Revision history

Rev. Date Comment

The system users SYSADM and SJSYSADM are no longer mandatory in the application and therefore are not considered as the prerequisites in Active Directory.

2.0 2007-05-29 Updated for ScanJour Captia 4.1i

2.1 2008-04-16 Updated for ScanJour Captia 4.2

Id-fields extended from 11 to 30 characters.

Section 14 System Access Codes: Amended descriptions of System Access Codes IADM, DEJOURNALADM and UNLOCKADM. Added descriptions of the System Access Codes FESD_WS, PHRASEEDIT, PHRASEEDIT_GENERAL, PHRASEEDIT_FILEGROUP and PHRASEEDIT_SUPERUSER.

Description regarding usernames in version G, section 12.2 User Name Restrictions, has been deleted.

Prerequisites regarding Active Directory Application Mode updated.

Section 16 Command Line Parameters: Undo deletions in AD, key="" changed to key=NULL.

Section 11.1 ADSI Field Names for OUs: Field name Country/region ADSI field names changed to “c”. Section 11.2 ADSI Field Names for the Description Group “Groups”: Country/region for groups has been deleted.

2.8 2009-07-23 The Guide has been translated into English and minor 4.2SP3 changes added.

PREFACE and Abbreviations added: GUI, SJAD, SQL. Note about Enterprise Access Code has been added.

Section 2.4 Configuration of Code Visibility has been added.

Section 3.1 User Account Permissions: Note on user account has been added.

Examples have been made generic and section headings changed to reflect this.

Section 3.3 Create a scheduled task transfer: the step regarding setting up the Scheduled task to run at a specific time was added.

Renamed “Replication” Program to “SJ AD Connector” and “replication of data” to “transfer of data.”

Section 5 Creating Organizational Units in AD has been added.

Section 6 Create users in Active Directory, step 4: Note about pre-Windows 2000 log-on user exception if ScanJour Captia user needed access to G-version applications has been removed as obsolete.

Section 8.5 Creating a new Distribution Group for handling Committees has been removed because it is no longer relevant.

Section 14.1 WorkZone Content Server System Access Codes: Added System Access Codes MULTIEDIT, WORKFLOWSUBSTITUTE. System Access Code IADM now belongs to rights and access in CCM. Updated System Access Code concerning Word Phrase Module.

Section 15.9 Lost Entities Restored with IADM: Changes added regarding Case handler change being logged in the case’s life cycle.

Section 16.4 SQL statement element corrected: <ou name> changed to <committee name>.

Section 17 Monitoring the Transfer: A paragraph explaining the use of command line parameters regarding executing a scheduled transfer task has been added.

Section 8 Distribution Groups “Groups” and “Committees”: The description of “Group access codes can be member of group access codes” has been added.

Updated for Content Services. The access code Content_Services has been added.

In section 5.2 Register OUs in ScanJour Active Directory Connector: Information concerning handling identical OU-names has been added.

Section 16 Command Line Parameters: Removed obsolete parameters: /user=<user name> /password=<password>

4.0 2010-03-19 Updated for Captia 4.5. The document title changed from DOC60 to Active Directory – Configuration Guide.

Section 14.2 ScanJour Configuration Management System Access Codes: System Access Code TERMS has been deleted, because the Terms Module in CCM has been discontinued. WORKFLOWADM has been amended. Workflow State has been added. System Access Codes WORKFLOWSUBSTITUTE and WORKFLOWSUBSTITUTEGLOBAL have been clarified.

Section 14.1 WorkZone Content Server System Access Codes: WORKFLOWSUBSTITUTEGLOBAL has been added.

Document DOC107 – Corporate Access Codes has been merged into this document. Section 18 Corporate Access Code has been added.

Section 19 Updated and Corporate Solution explained in more detail with more examples of configuration.

Subsection 19.3.1 “scheduled task process” has been added.

Section 16 Undo Delete Commands in AD is removed – process is now handled automatically.

Subsection 18.3.2 System Access code IAM has been replaced with section 15.9 Lost Entities Restored with IADM and renamed.

Subsection 18.3.2 has been removed.

Section 10.1 Field data concerning users, note 7 elaborated with example xml.

4.5 2010-11-24 Updated for Captia 4.5 SP1

Added sections: 14.3 Extraordinary System Access Codes. 14.4 SQL-Creation of Extraordinary System Access Codes.

Section 14 System Access Codes: Revised System Access Codes PHRASEEDIT_USER, PHRASEEDIT_DEPARTMENT, and PHRASEEDIT_ORGANIZATION.

Section 14.3.1 SQL-Creation of the Extraordinary System Access Codes: New English table/field names adapted in SQL statements.

Updated Access code compliancy for terms used for Standard Access Code System (SACS) and Corporate Access Code System (CACS).

Section 18.3 Dummy Group Access Code has been renamed to 18.3.1 ALLEEMNER – Default Group Access Code.

4.9 2012-03-06 Updated for Captia 4.5 SP2

Added the access code FILINGPERIOD.

4.11 2012-06-01 Updated for Captia 4.5 SP3

Section 14.1 WorkZone Content Server System Access Codes: Removed POST System Access Code as obsolete.

Section 16 Command Line Parameters: Added new parameter /setsid=<SystemUser>.

Section 13.1 Examples of Stripping: Corrected examples of stripping by removing extra spaces.

4.12 2012-11-01 Updated for Captia 4.5 SP4

4.13 2012-12-20 Updated for WorkZone Content Server 2013

ScanJour Captia has been replaced with WorkZone Content Server throughout the document.

Section 12 Character Restrictions: The section was revised and made more accurate.

Section 16 Command Line Parameters: Corrected default value for /db option.

4.14 2013-05-13 Updated for WorkZone Content Server 2013 SP1

Section 13.1 Examples of Stripping: Fixed error in Example 3.

Section 14.1 WorkZone Content Server System Access Codes: The descriptions of the Workflow access codes WORKFLOWCREATE, WORKFLOWSUBSTITUTE, and WORKFLOWSUBSTITUTEGLOBAL have been removed as the Workflow functionality is no longer supported.

Section 14.2 ScanJour Configuration Management System Access Codes: The description of the access code WORKFLOWADM has been removed as the Workflow functionality is no longer supported.

4.15 2014-02-21 Updated for WorkZone Content Server 2013 R2

Light grey entries mark updates at major releases!


Contents

1 PREREQUISITES ... 9
2 SCANJOUR CONFIGURATION MANAGEMENT ... 9
2.1 CONFIGURATION OF SECURITY CODES ... 9
2.2 CONFIGURATION OF CONTACT TYPES ... 10
2.3 CONFIGURATION OF CUSTOM LABELS ... 10
2.4 CONFIGURATION OF CODE VISIBILITY ... 10
3 SCANJOUR ACTIVE DIRECTORY CONNECTOR ... 11
3.1 USER ACCOUNT PERMISSIONS ... 11
3.2 WIZARD GUIDED PRE-CONFIGURATION ... 12
3.3 CREATE A SCHEDULED TASK TRANSFER ... 14
3.4 EXIT THE WIZARD-GUIDED PRE-CONFIGURATION ... 15
4 ACTIVE DIRECTORY ... 15
4.1 ACCESS ACTIVE DIRECTORY ... 15
4.2 DISTRIBUTION GROUPS ... 15
5 CREATING ORGANIZATIONAL UNITS IN AD ... 16
5.1 CREATE AN ORGANIZATIONAL UNIT ... 17
5.2 REGISTER OUS IN SCANJOUR ACTIVE DIRECTORY CONNECTOR ... 18
6 CREATE USERS IN ACTIVE DIRECTORY ... 20
7 DISTRIBUTION GROUP MEMBERSHIP ESSENTIAL TO USER-TRANSFER ... 22
7.1 USERS BECOME LOG-ON USERS AND EMPLOYEES IN WORKZONE CONTENT SERVER ... 22
7.2 CREATE OR COPY USERS ... 22
7.3 DISCONTINUE USERS ... 23
7.4 CHANGE A USER’S ORGANIZATIONAL UNIT ... 23
8 DISTRIBUTION GROUPS “GROUPS” AND “COMMITTEES” ... 23
8.1 CREATE GROUP ACCESS CODES ... 24
8.2 PREPARE THE GROUP ACCESS CODE FOR TRANSFER ... 26
8.3 CREATE A COMMITTEE ... 27
8.4 PREPARE THE COMMITTEE FOR TRANSFER ... 28
9 WHEN YOU HAVE FINISHED ALL CONFIGURATIONS ... 29
9.1 INITIALIZE TRANSFER OF DATA ... 29
9.2 RE-ENABLE THE SCHEDULED TRANSFER TASK ... 29
10 FIELD TO FIELD TRANSFER BETWEEN AD AND SJ ... 29
10.1 FIELD DATA CONCERNING USERS ... 30
10.2 FIELD DATA CONCERNING OUS ... 31
10.3 FIELD DATA CONCERNING THE DISTRIBUTION GROUP “GROUPS” ... 32
10.4 FIELD DATA CONCERNING THE DISTRIBUTION GROUP “COMMITTEES” ... 32
11 ADSI FIELD NAMES ... 33
11.1 ADSI FIELD NAMES FOR OUS ... 33
11.2 ADSI FIELD NAMES FOR THE DESCRIPTION GROUP “GROUPS” ... 33
11.3 ADSI FIELD NAMES FOR USERS ... 34
12 CHARACTER RESTRICTIONS ... 34
12.1 ORGANIZATIONAL UNIT NAME RESTRICTIONS ... 35
12.2 USER NAME RESTRICTIONS ... 35
12.3 GROUP NAME RESTRICTIONS ... 36
12.4 COMMITTEE NAME RESTRICTIONS ... 36
13 NAME CODE STRIPPING ... 36
13.1 EXAMPLES OF STRIPPING ... 37
14 SYSTEM ACCESS CODES ... 38
14.1 WORKZONE CONTENT SERVER SYSTEM ACCESS CODES ... 38
14.2 SCANJOUR CONFIGURATION MANAGEMENT SYSTEM ACCESS CODES ... 39
14.3 EXTRAORDINARY SYSTEM ACCESS CODES ... 40
14.3.1 SQL-CREATION OF THE EXTRAORDINARY SYSTEM ACCESS CODES ... 41
15 RECOMMENDATIONS AND ADVICE ... 43
15.1 EVENT LOG ... 43
15.2 ONE CONFIGURATION FILE PER DATABASE ... 43
15.3 DO NOT CHANGE THE NAME CODES ... 43
15.4 DOMAIN SERVER CONNECTION ... 44
15.5 USERS ... 44
15.6 OUS AND UNITS ... 44
15.7 SCHEDULED TRANSFER TASK ... 44
15.8 MAPPING OF AD FIELDS TO WORKZONE CONTENT SERVER FIELDS ... 45
15.9 LOST ENTITIES RESTORED WITH IADM ... 45
16 COMMAND LINE PARAMETERS ... 46
17 MONITORING THE TRANSFER ... 46
17.1 CHECK QUALITY OF TRANSFER ... 46
18 CORPORATE ACCESS CODE ... 47
18.1 PREREQUISITES ... 47
18.2 CONFIGURING THE TRANSFER FROM ACTIVE DIRECTORY ... 47
18.3 SPECIAL ACCESS CODES FOR THE CORPORATE SOLUTION IN AD ... 49
18.3.1 ALLEEMNER – DEFAULT GROUP ACCESS CODE ... 50


Preface

Introduction

This guide describes the process of configuration and administration of users, organizational units, and groups in Active Directory and WorkZone Content Server.

Purpose

The purpose of the guide is:

To facilitate understanding of basic configuration of organizational units (OU), users, and groups in Active Directory and WorkZone Content Server.

To supply advice and guidance in connection with operation and maintenance of organizational units (OU), users, and groups in Active Directory and WorkZone Content Server.

Target audience

The target audience of this guide is the technicians who are responsible for the administration of OUs, users, groups, and access codes in WorkZone Content Server through Active Directory.

Abbreviations and special terms

This table explains the abbreviations and special terms used in this document.

Abbreviations Explanations

Access Code: The ScanJour application operates with three different types of Access Codes:

Employee Access Code (associated with each user from AD).

Unit Access Code (associated with each OU from AD).

Group Access Code (optional Access Codes).

Note that there are two types of Group Access Codes:

System Access Codes (for example, DEJOURNALADM) – provide their members extended rights and access through the interface, that is, WorkZone Content Server.

Access Codes – an Access Code is created by the organization to provide its members access to restricted information or the ability to share the restricted information.

Access Codes (excluding System Access Codes) can be used to restrict access to an entity on two levels: with regard to viewing rights and/or editing rights.

Note: If your organization opted for an installation that utilizes the Corporate Access Code System (CACS), then all cases and documents are created with an Access Code string of a minimum of 2 Access Codes: 1 Organizational Access Code and 1 Group Access Code. For more information see section 18 Corporate Access Code.

AD: Active Directory – the program Active Directory.

ADAM: Active Directory Application Mode. ADAM is a light-weight implementation of Active Directory. ADAM is capable of running as a service on computers running Microsoft Windows Server 2003 or Windows XP Professional. ADAM shares the code base with Active Directory and provides the same functionality as Active Directory, including an identical API, but does not require the creation of domains or domain controllers.

ADLD: Active Directory Lightweight Directory. Identical to ADAM, see the ADAM entry.

AD LDS: Identical to ADAM, see the ADAM entry.

ADSI: Active Directory Service Interface. ADSI is a number of COM interfaces which provide the opportunity to utilize directory services from different network providers.

GUI: Graphic User Interface.

ID: Identification – the unique identification key of an item.

Location Code: The Location Code (sometimes Contact Code) is an abbreviation of a unit and part of the unit’s ID in WorkZone Content Server. The unit’s ID is made up of a Contact Type of one character (a letter or a number between 0 and 9) and a Contact Code/Location Code of up to 11 characters. In WorkZone Content Server the unit Secretariat’s ID would be A SECR – here the SECR part is the Location Code. Note: The Contact Type in Configuration Management may be referred to as Addressee Type in some contexts.

OU: Organizational Unit. Created in Active Directory.

SJ: ScanJour.

SJADConnect: The ScanJour Active Directory Connector.

SQL: Structured Query Language. A database computer language designed for managing data in a relational database management system.

Unit: A unit is an OU that has been replicated to WorkZone Content Server.

Unit Access Code: The Access Code that is added to the user’s profile on behalf of the user’s OU membership in AD.

References

Ref. Document title

1 ScanJour WorkZone Content Server Database Installation Guide, Chapter 4.2.

2 Captia_Online_Help.chm, topic on Corporate Access Code (can also be accessed from Captia Web Client).

3 Configuration_Management_Online_Help.chm, topic on Lost and Found (can also be accessed from Configuration Management).

4 ScanJour WorkZone Content Server Installation Guide


1 Prerequisites

Prerequisites

This guide assumes that the ScanJour programs and databases are up and running and that the system administrator has access to ScanJour Configuration Management and Active Directory (AD).

To configure and maintain the system properly, access to the following items is a prerequisite:

The individual modules of ScanJour Configuration Management, for example, Basic Data

ScanJour’s program catalog (all rights access)

sjActiveDirectoryReplication

Active Directory Users and Computers

Active Directory Application Mode

SYSADM and SJSYSADM

The system users SYSADM and SJSYSADM have been discontinued in Configuration Management and are no longer a prerequisite in AD. The SYSADM user account has been replaced with System Access Codes in Configuration Management. This means that the rights are no longer associated with a single account but can be granted to one or several users, in whole or in part, by adding the necessary System Access Codes to any user’s AD profile. The SJSYSADM user still has limited use with regard to SQL but none in WorkZone Content Server or Configuration Management.

In WorkZone Content Server the SYSADM user is still used with regard to letter templates.

2 ScanJour Configuration Management

System administration

Before running the Wizard program for configuring your SJ AD, you must first configure the items listed below. The detailed description of configuring these items is given in this chapter.

Security Codes

Contact Types

Custom Labels

Code Visibility

2.1 Configuration of Security Codes

Configuration of security codes

In Configuration Management in the module Registry Security you have to pre-configure the security system and assign permissions to each level of security. The ScanJour Security System is based on 9 Security Codes: 1, 2, 3, 4, 5, 6, 7, 8, and 9. For each of these security codes, the system administrator must configure a set of permissions for every register and table of the system. The security code must reflect the permissions of a user regarding the database content. The permissions define whether the user is allowed to search, update, insert, delete, lock, and unlock a certain type of database item, that is, a case or a relation.

The permissions of each security code can be configured to reflect the demands of specific groups of users. When a user logs on to ScanJour, the security code assigned to the user defines what the user is allowed to do.

Assigning security codes to users is done in Active Directory Users and Computers (AD). When a ScanJour user is created in AD the user must be made a member of a distribution group, representing one of the 9 security codes. When the users are replicated to the ScanJour database, the user is automatically allocated the correct security code and the corresponding permissions for registers and tables in the database.
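An added audit script, not code from the ScanJour guide, that checks the rule just stated: every enabled user below a given OU must be a member of exactly one of the nine security-code distribution groups (a user in none receives no security code at transfer; a user in two has an ambiguous permission level). It assumes the group naming ScanJourCaptia<database name><i> described in section 3.1, the ActiveDirectory PowerShell module, and placeholder values for $Prefix and $UserSearchBase.

```powershell
# Added audit example, not code from the ScanJour guide.
# Reports enabled users below $UserSearchBase that are in zero or in several of the
# security-code groups ScanJourCaptia<database name>1 .. 9 (naming from section 3.1).
# $Prefix and $UserSearchBase are placeholder assumptions for this example.
param(
    [string]$Prefix         = 'ScanJourCaptiaMYDB-',               # group prefix incl. optional separator
    [string]$UserSearchBase = 'OU=Organisation,DC=example,DC=com'   # OU tree that holds the users
)
Import-Module ActiveDirectory

# distinguishedName -> list of security levels (1..9) the user holds
$levelsByUser = @{}

foreach ($level in 1..9) {
    $groupName = "$Prefix$level"
    $group = Get-ADGroup -Filter "Name -eq '$groupName'" -ErrorAction SilentlyContinue
    if (-not $group) {
        Write-Warning "Security-code group '$groupName' does not exist in AD."
        continue
    }
    # -Recursive resolves nested membership, so indirectly added users are counted too
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $dn = $_.distinguishedName
            if (-not $levelsByUser.ContainsKey($dn)) { $levelsByUser[$dn] = @() }
            $levelsByUser[$dn] += $level
        }
}

# Every enabled user below the OU must hold exactly one level.
$findings = foreach ($user in Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $UserSearchBase) {
    $levels = @()
    if ($levelsByUser.ContainsKey($user.DistinguishedName)) {
        $levels = @($levelsByUser[$user.DistinguishedName])
    }
    switch ($levels.Count) {
        1       { }   # exactly one security code: correct, nothing to report
        0       { [pscustomobject]@{ User = $user.SamAccountName; Problem = 'No security-code group';      Levels = '' } }
        default { [pscustomobject]@{ User = $user.SamAccountName; Problem = 'Several security-code groups'; Levels = ($levels -join ',') } }
    }
}

if ($findings) { $findings | Sort-Object Problem, User | Format-Table -AutoSize }
else           { 'All enabled users below the OU hold exactly one security code.' }
```

Run it before the initial transfer and after bulk user changes; the same membership rule is what the connector relies on when it allocates security codes.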

2.2 Configuration of Contact Types

Configuration of Contact Types

In Configuration Management in the Basic data Addressee module, you must pre-configure the following three mandatory Contact Types:

Contact Type A, which is used to contain the replicated organizational units created in AD.

Contact Type M, which is used to contain the replicated users as created in AD for the purpose of a Case Handler register.

Contact Type U, which is used to contain the replicated Committees as created in AD.

In case your organization has installed Local Government Edition, a fourth Contact Type may apply:

Contact Type K, which is used to contain local authorities, that is, municipalities.

All the contact types listed above must be created with Auto ID set to “N”, while the maximum Name Code Length must be 30 characters.

2.3 Configuration of Custom Labels

Configuration of custom labels

In Configuration Management in the Basic data Custom label module, you must pre-configure a mandatory contact role for members of a committee: Create a Contact Reference named Member under label type NP.

Later on in the process you must add this role/contact reference to Committees in the ScanJour Active Directory Connector.

2.4 Configuration of Code Visibility

Configuration of Access Code Visibility

In Configuration Management in the Operation Owner module, you can change the default configuration of Access Code Visibility. By default both User Access Codes (that is, Employee User Codes) and Unit Access Codes (that is, Organizational Unit Access Codes) are visible. If your organization wishes to deny the use of either one, select the Hide check box near each type in the Access Code Visibility section. After this, the users will be able to choose only from Group Access Codes.


3 ScanJour Active Directory Connector

AD Connector

To make Active Directory comply with the ScanJour system once data is transferred, you must perform initial configuration using SJ Active Directory Connector (SJADConnector). You can access the application from the ScanJour program catalog. Run sjActiveDirectoryReplication.exe.

SJADConnector facilitates the transfer (replication) of data from AD to WorkZone Content Server. The administration of users, user security codes, Access Codes, units, and Committees is maintained in AD, but this data must continually be updated and transferred to the ScanJour database. In order for the ScanJour system to receive the transferred data correctly, it is essential that the configuration of AD and ScanJour are aligned.

The tasks of transformation of data and alignment are handled by the SJADConnector: sjActiveDirectoryReplication.exe

3.1 User Account Permissions

User Account

The name of the user account used to run the connector is not important; however, it is essential that the user account, including its password, is present and known to the database and the connector prior to initialization.

User permissions

User permissions are essential in two aspects:

The permissions which a user needs to run the Wizard in the SJADConnector.

The permissions which a user needs to run the scheduled task transfer of data from AD to SJ.

Permissions to initiate the Wizard

The first time you run ScanJour Active Directory Connector sjActiveDirectoryReplication.exe, a Wizard is initiated. This Wizard will guide you through the alignment between AD and SJ, and you only have to establish this alignment once. The Wizard writes directly to AD and it is therefore essential that the user account used possesses the necessary permissions to complete this task. The task implies permissions to create the following objects in AD:

An OU with the ScanJourCaptiaAdministration title in the root of AD.

11 universal distribution groups in the subtree of the ScanJourCaptiaAdministration OU:

ScanJourCaptia<database name><i>, i = 1-9 (used to align the users’ security levels; each distribution group represents the equivalent security group in SJ).

ScanJourCaptia<database name>Groups (used to identify the Access Codes).

ScanJourCaptia<database name>Committees (used to identify Committees).

Note: <database name> must be substituted with the current ODBC base name.

These 11 groups can be created by the Wizard by clicking on a button in the GUI of SJADConnector.


Permissions to run a scheduled transfer task

To run a scheduled task of transferring data from AD to SJ you must use a user account which has the following rights:

View the relevant OUs, groups and users in AD.

Write entries in the event log.

Create and update the following sub key entries in the Windows Registry:

HKLM\SOFTWARE\SCANJOUR\SJAD

HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application
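An added effective-rights check, not code from the ScanJour guide, for the account that will run the scheduled transfer: run it under that account (for example via runas /user:<account>) and it tries to open the two registry keys listed above for write, which is what the connector itself needs, and warns if the account is a local administrator, which is more than the transfer requires. The key paths are the guide’s; the SJAD key may not exist before the first run.

```powershell
# Added example, not code from the ScanJour guide. Run under the intended transfer
# account. Reports whether each registry key from section 3.1 can be opened for write
# by that account, and whether the account is over-privileged for the job.

$requiredKeys = @(
    'SOFTWARE\SCANJOUR\SJAD',                                # connector state; created on first run
    'SYSTEM\CurrentControlSet\Services\EventLog\Application' # write here = may register an event source
)

function Test-HklmKeyWritable {
    param([string]$SubKey)
    try {
        # writable = $true requests KEY_WRITE; the access check happens at open time,
        # so a denial shows up here without changing anything in the registry.
        $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey, $true)
        if ($null -eq $key) { return 'missing' }
        $key.Close()
        return 'writable'
    } catch [System.Security.SecurityException], [System.UnauthorizedAccessException] {
        return 'denied'
    }
}

function Test-RunningAsLocalAdmin {
    # Inspect the token's group SIDs instead of IsInRole, which under UAC reports
    # $false for a non-elevated administrator and would hide the over-grant.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    return [bool]($identity.Groups | Where-Object { $_.Value -eq 'S-1-5-32-544' })
}

$account = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$report  = foreach ($subKey in $requiredKeys) {
    [pscustomobject]@{
        Account = $account
        Key     = "HKLM\$subKey"
        Access  = (Test-HklmKeyWritable $subKey)
    }
}
$report | Format-Table -AutoSize

$denied = @($report | Where-Object { $_.Access -eq 'denied' })
if ($denied.Count -gt 0) {
    Write-Warning "Grant Create Subkey and Set Value on the denied key(s) to $account before scheduling the transfer."
}
if (Test-RunningAsLocalAdmin) {
    Write-Warning "$account is a member of BUILTIN\Administrators. The transfer needs only read access in AD, event-log write and the two keys above; a dedicated least-privilege account limits what a misused task could do."
}
```

A result of missing for the SJAD key is expected before the first transfer; in that case confirm write access on its parent key SOFTWARE\SCANJOUR instead, since the connector has to create the sub key there.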

3.2 Wizard Guided Pre-Configuration

Activity overview

The Wizard will guide you through the following steps during the pre-configuration of the SJADConnector:

Specifying the name of the database.

Specifying the name of the domain server.

Initiating the needed distribution groups in the SJ-dedicated AD.

Initiating the creation of the configuration file that secures the alignment between AD and SJ.

Creating a desktop shortcut to SJADConnector for easy maintenance access.

Configuration of a scheduled task which periodically and automatically secures alignment of data.

Preconfiguration wizard

Step Action

1 Access WorkZone Content Server’s program catalog: C:\ProgramFiles\Scanjour\Captia\Program

2 Double click sjActiveDirectoryReplication.exe to initiate the Connector’s Wizard.

The window Welcome to the ScanJour Active Connector Setup appears.

Click Next.

3 On the Database tab, type the name of your database in the text box.

Click Next.

4 The tab Server Domain is now active.

On the Server Domain tab, click the Current Domain button to insert the name of the current domain, or enter the name of your Server Domain in the <field name> field manually.

Click Next.

5 On the Administrative groups tab, in the <field name> field the Wizard suggests a prefix for the 11 distribution groups it is about to set up for the transfer of security codes, Committees and Group Access Codes: ScanJourCaptia<database name>.

To enhance legibility, ScanJour recommends that you add a separating character such as a dash after the <database name>.

Click Create.

6 In the Creating groups in AD dialog box, click OK to verify.

Click Next.

7 The tab Setup is now active.

On the Setup tab, in the Run in interactive mode section, click Run now to create the configuration file.

The file is called SJADConfiguration<database name>.xml and can be found in ScanJour’s program catalog. It is used in the alignment of transferred data from AD to SJ.

8 The window SJ Active Directory Connector appears.

The file SJADConfiguration<database name>.xml is shown.

Click Edit.

9 The window Active Directory Connector Configuration appears.

In the Configuration File section, click Save.

The configuration file is now saved with your entries in WorkZone Content Server’s program catalog.

Click Exit.

10 The window SJ Active Directory Connector appears again.

In the Run in interactive mode section, click Create shortcut.

Click Exit to return to the Wizard.

11 The Create Shortcut dialog box appears.

To verify, click OK.

A desktop shortcut icon to the SJADConnector for easy maintenance access is placed on your desktop with the title sjad<database name>, for example, sjadtiltest.


3.3 Create a scheduled task transfer

Scheduled task transfer setup and disabling

Perform the following steps to create a scheduled task that runs the transfer periodically, so that AD and WorkZone Content Server stay aligned:

Step Action

1 Start SJADConnector.

In the SJ Active Directory Connector window, click Run Wizard.

In the Welcome to the ScanJour Active Directory Connector Setup window, click the Setup tab.

In the Setup scheduled task for transfer section, click Create job.

2 A Windows command-line window appears.

Type the Server password and press Enter.

You have now created a scheduled task, which can be found under Start > Control Panel > Scheduled Tasks > SjADreplication<database name>.

To make it run at a specific time, open the scheduled task and set up or edit the Schedule and Settings tabs:

When the task should be performed

Start time

Start date

Note: When the AD Connector wizard creates the scheduled task for the replication, the job is installed with the "Run only when user is logged on" setting. You will normally want to change this to "Run whether user is logged on or not". If you do, you must also select "Run with highest privileges". This applies to Windows Server 2008 only, not to Windows Server 2003. With "Run whether user is logged on or not", Task Scheduler stores the account's credentials with the task, so run the job under a dedicated account that has only the rights the connector needs, rather than under a personal administrator account.

3 ScanJour recommends that you keep the scheduled task disabled until you have finished your AD configuration.

Click Start > Control Panel > Scheduled Tasks.

Right-click the SjADreplication<database name> item and select Properties.

4 The Scheduled Task window appears with the Task tab active.

On the Task tab, clear the Enabled check box. Click OK.

5 Note: Remember to re-enable the scheduled task before your system goes live.
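The same adjustments made from PowerShell, as an added example that is not part of the ScanJour guide: it uses the ScheduledTasks module (Windows Server 2012 and later; on Windows Server 2008 use the GUI steps above or schtasks.exe) to give the SjADreplication<database name> task a daily trigger, switch it to "Run whether user is logged on or not" with "Run with highest privileges", and disable or re-enable it. The database name, start time and run-as account are parameters of the example; the task name follows the guide.

```powershell
# Added example, not part of the ScanJour guide: adjust the task that the AD
# Connector wizard created (SjADreplication<database name>) with the
# ScheduledTasks module. Database name, start time and the run-as account
# are parameters of this example.
function Set-SjReplicationTask {
    param(
        [Parameter(Mandatory)] [string] $DatabaseName,
        [string] $DailyAt = '02:00',        # Schedule tab: when the task should be performed
        [switch] $Disable,                  # steps 3-4: keep it off while configuring AD
        [switch] $Enable                    # step 5 / section 9.2: switch it back on
    )
    $taskName = "SjADreplication$DatabaseName"
    # Fail early if the wizard did not create the task.
    $null = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop

    if ($Disable) {
        Disable-ScheduledTask -TaskName $taskName | Out-Null
        return (Get-ScheduledTask -TaskName $taskName)
    }
    if ($Enable) {
        Enable-ScheduledTask -TaskName $taskName | Out-Null
        return (Get-ScheduledTask -TaskName $taskName)
    }

    # The wizard installs the job as "Run only when user is logged on"
    # (LogonType Interactive). Switch it to "Run whether user is logged on or
    # not" (LogonType Password) together with "Run with highest privileges"
    # (RunLevel Highest), as the note above requires. Task Scheduler keeps the
    # account's credentials, so prefer a dedicated account with only the rights
    # the connector needs.
    $cred      = Get-Credential -Message "Account that will run $taskName"
    $principal = New-ScheduledTaskPrincipal -UserId $cred.UserName -LogonType Password -RunLevel Highest
    $trigger   = New-ScheduledTaskTrigger -Daily -At $DailyAt

    Set-ScheduledTask -TaskName $taskName -Trigger $trigger -Principal $principal `
                      -User $cred.UserName -Password $cred.GetNetworkCredential().Password | Out-Null

    # Return the task so the change can be verified.
    Get-ScheduledTask -TaskName $taskName
}

# --- usage ---------------------------------------------------------------
$db = 'tiltest'   # database name, as in the shortcut sjadtiltest

# Schedule the job and change its run-as settings, then keep it disabled
# until the AD configuration is finished (steps 3-4).
Set-SjReplicationTask -DatabaseName $db -DailyAt '02:00' | Out-Null
Set-SjReplicationTask -DatabaseName $db -Disable |
    Select-Object TaskName, State,
                  @{ n = 'RunAs';     e = { $_.Principal.UserId } },
                  @{ n = 'LogonType'; e = { $_.Principal.LogonType } },
                  @{ n = 'RunLevel';  e = { $_.Principal.RunLevel } }

# After a successful manual transfer (section 9.2):
# Set-SjReplicationTask -DatabaseName $db -Enable
```

The final Select-Object shows State (Disabled), LogonType (Password) and RunLevel (Highest) so that the result of the change can be checked without opening the Task Scheduler GUI.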


3.4 Exit the Wizard-Guided Pre-Configuration

Exit Setup

Perform the following steps to exit the Wizard-guided pre-configuration:

Step Action

1 In the Welcome to the ScanJour Active Directory Connector Setup window, on the Setup tab, click Exit.

2 In the Exit dialog box, click OK to confirm.

4 Active Directory

AD Activity overview

Open Active Directory Users and Computers as described below. This part of Active Directory is your entry point for the following activities:

Create your organization's hierarchical structure of OUs.

Create and maintain users.

Maintain distribution groups and their memberships.

Create and maintain the memberships of security groups (for example, Group Access Codes and Committees).

4.1 Access Active Directory

Open Active Directory

To access AD, click Start > All Programs > Administrative Tools > Active Directory Users and Computers. You now have access to the AD tree.

4.2 Distribution Groups


Distribution groups

The ScanJourCaptiaAdministration entry in the AD tree contains 11 distribution groups preconfigured by the Wizard of ScanJour Active Directory Connector. These distribution groups, together with the configuration .xml file, are the basis for the alignment between AD and the ScanJour system and for the secure transfer of data.

The re-configuration of the database through ScanJour Configuration Manager, that is, Security Groups, Custom Labels and Contact Types, ensures that the transferred data is received correctly. The folder that contains the distribution groups is shown below:

Note that the ScanJour distribution groups carry no value themselves; they simply act as carriers through which their memberships transfer meaning to the receiving end, that is, WorkZone Content Server:

Example: A user who is a member of distribution group 6 in AD becomes a log-on user and an employee with security level 6 in WorkZone Content Server. The basic edit and delete permissions of the security levels are defined in the Configuration Management program.

5 Creating Organizational Units in AD

OU structure

Organizational Units are essential to the ScanJour Active Directory structure. Your organization's hierarchical structure must be mirrored in the Organizational Units (OUs) in the AD tree.

In a standard WorkZone Content Server installation, all units and unit dependencies are maintained in AD.

However, some customers have opted for customized installations that draw unit data from sources other than AD, for a number of reasons. Some have opted for a direct integration and maintain the entire hierarchical structure outside AD, while others just feed a shadow AD structure.


Three common OU situations

Below is a description of the three most common situations regarding Organizational Units:

1. The OUs must be created from scratch

The customer does not have its OUs or users in AD. The OU structure must be designed and each OU created in AD.

2. The OUs need restructuring

The customer has implemented AD and has created OUs and users, but not in a hierarchy, and the OU structure needs to be changed to fit the way SJ AD works. The task is to make sure that all the necessary OUs are arranged in a hierarchy that takes the organization's Unit Access Codes into account, since a user's OU membership determines which Unit Access Codes are available to that user (recursively from sub-OU to main OU).

3. The OUs need not be transferred

The customer has implemented AD and has created OUs but does not want to change their structure to fit SJ AD. The customer can opt for a transfer that excludes OUs but includes users and security groups. To do this, the configuration file must be customized and the user-to-unit relationship must be established in another way. Maintenance of the units register then has to be established through an integration with a system where this is feasible.

A solution like this is fragile: the transfers come from two or three different sources, and their relative timing can leave the registers temporarily inconsistent.

Prerequisites for the examples

The next steps of this guide are based on situation 1 above, that is, OUs, users and security groups (Group Access Codes and Committees) need to be created.

5.1 Create an Organizational Unit

How to create an OU

Perform the following steps to create an OU in Active Directory.

OU creation

Step Action

1 Open Active Directory Users and Computers so that the AD tree is displayed.

Right-click the domain name at the top of the tree and click New > Organizational Unit.

2 The New Object – Organizational Unit dialog box appears.

In the Name box, enter the full name of the OU, for example, Library.

Create the OU at the top of your organization first, for example, <name of the top of your organization>, and create each sub-unit inside the top OU.

In this example, Library is the top OU. Circulation, Reading Room and Administration are child OUs of Library.

Click OK to commit the entry.

Right-click the created OU and click Properties.

3 The Library Properties dialog box appears.

In the Description box, enter the library's abbreviation, for example, LIBR.

Click OK.

The abbreviation is the library's Name Code and part of its ID in the Units Register in WorkZone Content Server.

Important: Some restrictions regarding characters and length apply. For more information, see section 12.1 Organizational Unit Name.

For more details about the transfer of additional information from OUs, see section 10.2 Field Data Concerning OUs.

4 Create the additional OUs of your organization's hierarchy one by one.

Right-click <name of the top of your organization>, for example, Library, and select New > Organizational Unit.

Repeat steps 2 and 3.
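The same hierarchy built from PowerShell, as an added example that is not part of the ScanJour guide: it creates the Library OU and its child OUs with the ActiveDirectory module, puts the Name Code in Description as steps 2 and 3 require, and then lists every OU under Library with its DN so that a missing Name Code (or two OUs with the same name, the SEC case of section 5.2) is visible before the OUs are registered in SJADConnector. LIBR comes from the guide; the child abbreviations CIRC, READ and ADM are constructed for the example, and the RSAT ActiveDirectory module is assumed to be installed.

```powershell
# Added example, not part of the ScanJour guide: create the OU hierarchy from
# section 5.1 with the ActiveDirectory PowerShell module instead of the GUI.
# OU name -> Name, abbreviation (Name Code) -> Description, as the guide requires.
# Assumed: the ActiveDirectory module (RSAT) is installed; the child
# abbreviations CIRC, READ and ADM are constructed, LIBR is from the guide.
Import-Module ActiveDirectory

function New-SjOrganizationalUnit {
    # Creates (or updates) one OU under $ParentDn and returns its DN.
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $NameCode,
        [Parameter(Mandatory)] [string] $ParentDn
    )
    # Name Codes are transferred capitalized (section 10), so store them that way.
    $code = $NameCode.ToUpperInvariant()

    $existing = Get-ADOrganizationalUnit -Filter "Name -eq '$Name'" `
                    -SearchBase $ParentDn -SearchScope OneLevel
    if ($existing) {
        Set-ADOrganizationalUnit -Identity $existing -Description $code
        return $existing.DistinguishedName
    }
    # New-ADOrganizationalUnit protects the OU from accidental deletion by
    # default; keep that for an OU that feeds the unit register.
    $ou = New-ADOrganizationalUnit -Name $Name -Path $ParentDn -Description $code -PassThru
    return $ou.DistinguishedName
}

function Test-SjOuNameCodes {
    # One row per OU below $SearchBase; flags OUs without a Name Code.
    # Two OUs with the same Name (the SEC example in section 5.2) are told
    # apart by their DN, which is why the DN is part of the output.
    param([Parameter(Mandatory)] [string] $SearchBase)
    Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase -Properties Description |
        Sort-Object DistinguishedName |
        ForEach-Object {
            [pscustomobject]@{
                Name     = $_.Name
                NameCode = $_.Description
                Status   = if ($_.Description) { 'ok' } else { 'MISSING Name Code' }
                DN       = $_.DistinguishedName
            }
        }
}

# --- usage: the Library example from section 5.1 ---------------------------
$domainDn  = (Get-ADDomain).DistinguishedName
$libraryDn = New-SjOrganizationalUnit -Name 'Library' -NameCode 'LIBR' -ParentDn $domainDn

$children = @{ 'Circulation' = 'CIRC'; 'Reading Room' = 'READ'; 'Administration' = 'ADM' }
foreach ($child in $children.Keys) {
    New-SjOrganizationalUnit -Name $child -NameCode $children[$child] -ParentDn $libraryDn | Out-Null
}

# Check before registering the top OU in SJADConnector (section 5.2).
Test-SjOuNameCodes -SearchBase $libraryDn | Format-Table -AutoSize
```

Running Test-SjOuNameCodes against the top OU before section 5.2 catches the most common transfer problem early: an OU that exists in the tree but has no Name Code, and therefore no ID in the Units Register.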

5.2 Register OUs in ScanJour Active Directory Connector

Configuration of OUs

To transfer and align OU data, SJADConnector needs to know which OUs belong to ScanJour's AD. If an OU is not registered, the configuration file will not work correctly for it.

Register OUs in SJADConnector

Step Action

1 Start SJADConnector.

2 The SJ Active Directory Connector window appears.

Click Edit.

3 The Active Directory Connector Configuration window appears.

In the Domain server section, click Edit.

4 The Domain Server dialog box appears.

In the Units section, click Add.

5 The Unit dialog box is displayed.

In the Full name drop-down list, select the OU at the top of your OU hierarchy, for example, Library.

If two or more OUs have the same full name, they are distinguished by their Distinguished Name in the dialog box.

For instance, two organizational units in different departments are both called SEC, that is, Secretariat. In AD they are displayed like this:

SEC <DN : OU=SEC,OU=DEP1,DC=udvad,DC=local>
SEC <DN : OU=SEC,OU=DEP2,DC=udvad,DC=local>

(SEC is the name and the following string is the distinguished name, DN.)

Select the Recursive check box. The child OUs of the selected OU will be transferred as well.


Note: By enabling recursive, this becomes a onetime setup, because now all your future sub-OUs are instantly known to the SJADConnector.

Click OK.

6 The Domain Server dialog box appears.

Click OK to exit.

7 In the Configuration file section of the Active Directory Connector Configuration window, click Save to commit your recent changes to the configuration file.

Click Exit.

8 The SJ Active Directory Connector window appears.

Click Exit to finish.


6 Create users in Active Directory

Create a user

You create each user in the OU that corresponds to the user's executive unit in WorkZone Content Server. Note: Even if you already have users in your AD, they must be located in the OU of the organizational unit they belong to, not in a separate user container. Move your users to the OU where they belong to comply with the ScanJour default configuration.

Step Action

1 Open Active Directory Users and Computers so that the AD tree is displayed.

Right-click the OU to which you want to add the user.

In the context menu, select NewUser.

2 The New Object – User dialog box is displayed.

Specify the following required values:

First name

Last Name

User logon name

The following values are filled in automatically:

Full Name

User logon name (pre-Windows 2000)

Click Next.

Note: Some restrictions regarding characters and length apply, as well as restrictions on User logon name (pre-Windows 2000). See section 12.2 User Name.

3 Specify the following values:

Password

Confirm password

Select the required password options, taking the Group Policy of your company into consideration.

Click Next.

Information: Group Policy is a feature of the Microsoft Windows NT family of operating systems. It provides centralized management and configuration of computers and users in an Active Directory environment; among other things it enforces settings such as password requirements.

Click Finish to create the user.

4 Right-click the user you have just created and select Properties.

5 In the <user name> Properties dialog box, on the General tab, the following boxes can be filled in or edited in a default configuration. First name and Last name are already filled in but may be edited:

First name

Last name

Description

Telephone number

E-mail

Click the Address tab.

6 On the Address tab, the following boxes can be filled in or edited in a default configuration:

Street

Zip/Postal Code

Country/Region

7 To complete the creation of the user, add the user to a ScanJour distribution group. For more information, see section 7 Distribution Group Membership Essential to User Transfer.


7 Distribution Group Membership Essential to User Transfer

User security code membership

If you transfer data from AD to ScanJour as defined in the previous sections, only the registered OUs are transferred.

To transfer the users and their details, you must make each user a member of one of the 9 distribution groups, each of which maps to the corresponding security level: ScanJourCaptia<database name>-<security code>

Note: The distribution groups can be found in the AD tree under the entry ScanJourCaptiaAdministration. See section 4.2 Distribution Groups for more details.

<Procedure name >

Step Action

1 The AD-tree contains a list of users that you have created.

Right-click the user and select Properties.

2 In the <user name> Properties dialog box, click the Member Of tab.

Click Add.

3 The Select groups dialog box appears.

In the Enter the object names to select box, start typing the name of the distribution group to which you want to add the user and click Check Names.

4 The Multiple Names Found dialog box is displayed.

Select the distribution group.

Click OK.

5 Click OK in the following dialog boxes to verify the user(s)’ membership.

7.1 Users become log-on users and employees in WorkZone Content Server

Transferred AD user

When data is transferred from AD to ScanJour, each user becomes:

A log-on user in WorkZone Content Server's user register. In a default configuration, the user logon name (pre-Windows 2000) is transferred to User Name in WorkZone Content Server and is equal to the user's ID.

An employee in WorkZone Content Server's Employee register, who can be selected in user interface list boxes such as Case handler.

7.2 Create or copy users

Copy or create a new user

The other way of creating a user is to copy a model user.

This way there is a good chance that the new user inherits the necessary distribution group memberships from the model user, for example, security code 6 and the required Access Codes. You can then change the user's default settings as required.
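Sections 6, 7 and 7.2 done from PowerShell, as an added example that is not part of the ScanJour guide: it creates a user in the OU of its executive unit, adds it to the ScanJourCaptia<database name>-<security code> distribution group so that it is transferred with that security level, optionally copies a model user's registered Group Access Codes and Committees, and finally audits an OU for users with no level group (they are not transferred) or more than one. Assumed: the distribution groups are named with the wizard prefix and the recommended dash (for example ScanJourCaptiatiltest-6) and the -Groups/-Committees groups exist; the database name tiltest, the domain udvad.local and the user data are constructed from the guide's own examples.

```powershell
# Added example, not part of the ScanJour guide: create a user in its executive
# unit's OU (section 6), give it a security level through the level
# distribution group (section 7), optionally copy a model user's access codes
# (section 7.2), and audit level-group membership.
# Assumed: distribution groups follow the wizard prefix plus the recommended
# dash, e.g. ScanJourCaptiatiltest-6; database name and user data are constructed.
Import-Module ActiveDirectory

function New-SjUser {
    param(
        [Parameter(Mandatory)] [string] $DatabaseName,
        [Parameter(Mandatory)] [string] $SamAccountName,   # becomes User Name / ID in WorkZone (section 7.1)
        [Parameter(Mandatory)] [string] $GivenName,
        [Parameter(Mandatory)] [string] $Surname,
        [Parameter(Mandatory)] [string] $OuDn,             # OU of the user's executive unit
        [Parameter(Mandatory)] [ValidateRange(1, 9)] [int] $SecurityLevel,
        [string] $ModelUser,                               # sAMAccountName of a model user (optional)
        [hashtable] $Details = @{}                         # e.g. Description, OfficePhone, EmailAddress,
                                                           #      StreetAddress, PostalCode, Country
    )
    $prefix = "ScanJourCaptia$DatabaseName-"
    $upn    = "$SamAccountName@$((Get-ADDomain).DNSRoot)"

    $user = New-ADUser -Name "$GivenName $Surname" -GivenName $GivenName -Surname $Surname `
                -SamAccountName $SamAccountName -UserPrincipalName $upn -Path $OuDn `
                -AccountPassword (Read-Host -AsSecureString "Initial password for $SamAccountName") `
                -ChangePasswordAtLogon $true -Enabled $true -PassThru @Details

    # Security level: membership of exactly one of the nine level groups.
    Add-ADGroupMember -Identity "$prefix$SecurityLevel" -Members $user

    if ($ModelUser) {
        # Copy only groups registered as Group Access Codes or Committees, i.e.
        # members of ...-Groups / ...-Committees. The model's other groups and
        # its level group are ignored (the level was given explicitly above).
        $registered = foreach ($kind in 'Groups', 'Committees') {
            Get-ADGroupMember -Identity "$prefix$kind" | Select-Object -ExpandProperty DistinguishedName
        }
        Get-ADPrincipalGroupMembership -Identity $ModelUser |
            Where-Object { $registered -contains $_.DistinguishedName } |
            ForEach-Object { Add-ADGroupMember -Identity $_ -Members $user }
    }
    $user
}

function Test-SjSecurityLevel {
    # One row per user below $SearchBase with the level group(s) it belongs to.
    param([Parameter(Mandatory)] [string] $DatabaseName, [Parameter(Mandatory)] [string] $SearchBase)
    $prefix   = "ScanJourCaptia$DatabaseName-"
    $levelDns = @{}
    foreach ($n in 1..9) { $levelDns[(Get-ADGroup "$prefix$n").DistinguishedName] = $n }

    Get-ADUser -Filter * -SearchBase $SearchBase -Properties memberOf | ForEach-Object {
        $levels = @($_.memberOf | Where-Object { $levelDns.ContainsKey($_) } | ForEach-Object { $levelDns[$_] })
        $status = switch ($levels.Count) {
            0       { 'NOT TRANSFERRED: no level group' }
            1       { 'ok' }
            default { 'CHECK: more than one level group' }
        }
        [pscustomobject]@{ User = $_.SamAccountName; Levels = ($levels -join ','); Status = $status }
    }
}

# --- usage ---------------------------------------------------------------
$db       = 'tiltest'                                   # database name, as in the shortcut sjadtiltest
$domainDn = (Get-ADDomain).DistinguishedName
$ouDn     = "OU=Circulation,OU=Library,$domainDn"

New-SjUser -DatabaseName $db -SamAccountName 'hen' -GivenName 'Henrik' -Surname 'Hansen' `
           -OuDn $ouDn -SecurityLevel 6 -ModelUser 'pel' `
           -Details @{ Description = 'Librarian'; EmailAddress = 'hen@udvad.local' } | Out-Null

Test-SjSecurityLevel -DatabaseName $db -SearchBase "OU=Library,$domainDn" | Format-Table -AutoSize
```

Copying only the memberships that are registered in the -Groups and -Committees distribution groups, rather than the model user's whole group list, keeps the new user from inheriting unrelated rights the model user happened to have; the security level is always set explicitly.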


7.3 Discontinue users

Dealing with User Access Codes

Before discontinuing a user in AD, it is essential to investigate whether the user has been using User Access Codes. If the user has applied User Access Codes to cases, documents or addressees, you have two options:

1. You can manually change the Access Codes on the objects in question from the user interface in WorkZone Content Server before discontinuing the user.

2. You can let the Administrator take care of it in the Configuration Management program, in the Lost and Found module. The administrator needs to be a member of the System Access Code IADM to deal with objects that no one can see in the user interface any longer. Refer to Configurtion_Management_Online_Help-.chm, topic Lost and Found, for further information.

After AD Connector transfer

When the user has been discontinued in AD and a transfer has taken place (either manually or as a scheduled task), be aware of the following:

Discontinued users remain in WorkZone Content Server's User register, but without any permissions. The user's security code is now 0, which equates to no access to the database.

Discontinued users continue to be employees in ScanJour's Employee Register and are therefore still "owners" of terminated cases or archived documents.

Discontinued users' User Access Codes have been terminated.

7.4 Change a user’s Organizational Unit

Dealing with change of OU

When a user is moved from one OU to another in the AD tree, only the Unit Access Codes of the moved user are affected. However, you should be aware of the following:

A change of OU affects all cases, documents and addressees to which the user has applied Unit Access Codes. The case handler can no longer view them; only members of the former case handler's Responsible Unit can.

The objects will not appear in Lost and Found, for the simple reason that the remaining members of the unit in question can still view them.

All the objects of the moved user need to have their Responsible Unit box updated: either manually per object or by multi-editing by a user with the System Access Code MULTIEDIT.

8 Distribution Groups “Groups” and “Committees”

The purpose of "Groups" and "Committees"

The purpose is to be able to unite users across the organization with regard to the following:

Shared Group Access Codes regardless of Organizational Unit: an AD Group (Global Security Group) that is a member of the distribution group ScanJourCaptia<database name>Groups.

Shared Committees: an AD Group (Global Security Group) that is a member of the distribution group ScanJourCaptia<database name>Committees.

Organization

An AD Group can be a member of both distribution groups if the context makes sense; for example, a Committee called Agenda may also be a Group Access Code that protects the work of the Committee Agenda.

However, when you organize your AD tree, ScanJour recommends that you consider creating two separate OUs under the domain for the ScanJour AD Groups, to keep them apart from the other AD Groups in your general AD tree:

1. One that contains Group Access Codes, for example, named SJ Access Codes

2. One that contains Committees, for example, named SJ Committees

System Access Codes

Some AD Groups are mandatory, such as the System Access Codes that are automatically generated by a script when the ScanJour system is initialized. Section 14 System Access Codes lists these mandatory Access Codes.

Corporate Access Codes

If your organization has opted for a Corporate Solution employing Corporate Access Codes, see section 18 Corporate Access Code for details.

8.1 Create Group Access Codes

Group Access Codes

The following steps presuppose that the organization of your SJ AD tree described above has been implemented.

Note: If you still need to create your SJ Access Codes OU, see section 5.1 Create an Organizational Unit, steps 1 and 2, for more details.

Create a Group Access Code

Perform the following steps:

Step Action

1 Open Active Directory Users and Computers so that the AD tree is displayed.

Right-click the OU in which you want to organize your Group Access Codes (for example, SJ Access Codes in the AD tree) and select New > Group.

2 The New Object – Group dialog box is displayed.

In the Group name text box, enter the name of the Group, for example, CONFIDE1.

Note: Your entry is not case-sensitive but must be within the length specified in Configuration Management, max 30 characters. Other important restrictions regarding characters apply. For more information, see section 12.3 Group Name.

The pre-Windows 2000 text box is automatically filled in.

Leave Group scope and Group type as they are.

Click OK.

3 Right-click the group you just created, for example, CONFIDE1, and select Properties.

4 In the <group name> Properties dialog box, on the General tab, click Add.

Important: Leave the Description text box blank!

5 Click the Members tab.

Click Add.


6 You can add both individual users and groups (of users), that is, Group Access Codes, as members; see "Group Access Code member of Group Access Code" below this step guide.

In the Select Users, Contacts or Computers dialog box, start typing the name of the user or users you want to make members.

Click Check Names:

If there is only one match, the name appears directly in the Enter the object names to select box.

If there are multiple matches, the Multiple Names Found dialog box is shown.

In the Multiple Names Found dialog box you can:

Select the name you were looking for.

Hold the Ctrl key while you select more than one name.

Click OK.

Tip: Alternatively, if you know from the start that you are looking for several users, you can separate the entries with semicolons: hen;pel;elp

7 After the name (or all the names you selected in step 6) appears in the Enter the object names to select box of the Select Users, Contacts or Computers dialog box, click OK.

8 In the <group name> Properties dialog box, the added members are listed.

Click OK to confirm.

Group Access Code member of Group Access Code

You can add groups (of users), that is, Group Access Codes, as members of Group Access Codes. In this way you can make a whole batch of users members of a Group Access Code at the same time.

Example: You have a Group Access Code, for instance, Confide1, and you want to populate it. First you add an individual user, User A. Then you want to add batches of users. To do this, you add the Group Access Codes Confide2 and Confide7, which adds all the members of Confide2 and Confide7 at the same time.

Group Access Code Confide5 is already a member of Confide2. Therefore, the members of Confide5 are also members of Confide1. See the diagram below.


8.2 Prepare the Group Access Code for Transfer

Group Access Code "Groups" membership

If you transferred data from AD to ScanJour at this point, your Group Access Code CONFIDE1 would not be transferred. It would just be another Global Security Group in your general AD tree. To complete the creation of the Group Access Code, it must become a member of the distribution group ScanJourCaptia<database name>-<Groups>. This membership is the tag that makes the group recognizable to the configuration file and is an important prerequisite.

Step Action

1 Open Active Directory Users and Computers so that the AD tree is displayed.

Click the OU ScanJourCaptiaAdministration to open it. Right-click the ScanJourCaptia<database name>-<Groups> distribution group and select Properties.

2 In the <database name>-<Groups> Properties dialog box, click the Members tab.

Click Add.

Enter the Group Access Code name, for example, CONFIDE1 (or part of it).

Click Check Names.

Select the group.

Click OK.

3 Click OK in the following dialog boxes to verify the membership.


After AD Connector transfer

When the next transfer has been performed (either manually or as a scheduled task), the Group Access Code, for example, CONFIDE1, has been added to the profiles of its members in WorkZone Content Server. The added Group Access Code now allows its members to:

Apply this access code to entities.

Access entities protected by this access code.

8.3 Create a Committee

Committee

The following section presupposes that the organization of your SJ AD tree described above has been implemented. If you still need to create your SJ Committees OU, see section 5.1 Create an Organizational Unit, steps 1 and 2.

Create a Committee

Perform the following steps:

Step Action

1 Open Active Directory Users and Computers so that the AD tree is displayed.

Right-click the OU in which you want to organize the Group Access Codes used as Committees, for example, SJ Committees, in the AD tree (left pane).

In the context menu, select New > Group.

2 The dialog box New Object – Group is displayed.

In the Group name text box, enter the name of the group, for example, AGENDA.

Note: Your entry is not case-sensitive but must be within the length specified in Configuration Management, a maximum of 30 characters. Other important restrictions regarding characters apply. See section 12.4 Committee Name.

The pre-Windows 2000 text box is automatically filled in.

Leave Group scope and Group type as they are.

Click OK.

3 Right-click the group you just created, for example, AGENDA, and select Properties.

4 In the <group name> Properties dialog box, on the General tab, click Add.

Important: Leave the Description text box blank.

5 Click the Members tab.

Click Add.

6 In the Select Users, Contacts or Computers dialog box, enter part of the name of the user or users you want to make members.

Click Check Names:

If there is only one match, the name appears directly in the Enter the object names to select box.

If there are multiple matches, the Multiple Names Found dialog box is displayed.

In the Multiple Names Found dialog box you can:

Select the name you were looking for.

Hold the Ctrl key while you select more than one name.

Click OK.

Tip: Alternatively, if you know from the start that you are looking for several users, you can separate the entries with semicolons: hen;pel;elp

7 After the name (or all the names you selected in step 6) appears in the Enter the object names to select box of the Select Users, Contacts or Computers dialog box, click OK.

8 The <group name> Properties dialog box with the added members is displayed.

Click OK to verify.

8.4 Prepare the Committee for Transfer

Committee "Committees" membership

If you transferred data from AD to ScanJour at this point, the Committee AGENDA would not be transferred. It would just be another Global Security Group in your general AD tree. To complete the creation of the Group Access Code for the Committee, it must become a member of the distribution group ScanJourCaptia<database name>-<Committees>.

This membership is the tag that makes the group recognizable to the configuration file.

Step Action

1 Open Active Directory Users and Computers so that the AD tree is displayed.

Click the OU ScanJourCaptiaAdministration to open it in the right pane.

Right-click the distribution group ScanJourCaptia<database name>-<Committees> and choose Properties.

2 In the <database name>-<Committees> Properties dialog box, click the Members tab.

Click Add.

Enter the Committee name, for example, AGENDA, and click Check Names.

Click OK.

3 Click OK in the following dialog boxes to verify the membership.

After AD Connector transfer

When the next transfer has taken place (either manually or as a scheduled task), two things happen:

The Committee, for example, AGENDA, has been created in the ScanJour Addressee Register under the Contact Type "U" with the Addressee Code, for example, AGENDA.

The members of the Committee, for example, AGENDA, have been added as Contact References to a Contact group named AGENDA in WorkZone Content Server.
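Sections 8.1 to 8.4 done from PowerShell, as an added example that is not part of the ScanJour guide: it creates a Group Access Code as a Global Security Group with an empty Description, nests another access code in it (the Confide example of 8.1), registers it in ScanJourCaptia<database name>-Groups (8.2), creates a Committee and registers it in -Committees (8.3, 8.4), and then lists the security groups in the SJ OUs that are still unregistered, because those are exactly the groups the next transfer will leave behind. CONFIDE1, CONFIDE2 and AGENDA are the guide's names and "SJ Access Codes" / "SJ Committees" its recommended OU names; the member account names, the database name and the 30-character check (the limit stated in 8.1 and 8.3) are constructed for the example.

```powershell
# Added example, not part of the ScanJour guide: create and register Group
# Access Codes (8.1, 8.2) and Committees (8.3, 8.4), and find groups that
# are not registered yet. Names CONFIDE1/CONFIDE2/AGENDA and the OU names are
# from the guide; member accounts and database name are constructed.
Import-Module ActiveDirectory

function Add-SjGroupMember {
    # Add-ADGroupMember fails on a member that is already present, so only
    # add the ones that are missing. Members may be users or other groups.
    param([Parameter(Mandatory)] [string] $Group, [string[]] $Members)
    foreach ($m in $Members) {
        $already = Get-ADPrincipalGroupMembership -Identity $m | Where-Object { $_.Name -eq $Group }
        if (-not $already) { Add-ADGroupMember -Identity $Group -Members $m }
    }
}

function New-SjAccessCode {
    param(
        [Parameter(Mandatory)] [string] $DatabaseName,
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $OuDn,
        [Parameter(Mandatory)] [ValidateSet('Groups', 'Committees')] [string] $Kind,
        [string[]] $Members = @()                 # users and/or other access codes
    )
    if ($Name.Length -gt 30) { throw "'$Name' is longer than the 30 characters allowed." }

    # Global security group; Description is left blank, as the guide insists.
    $group = Get-ADGroup -Filter "Name -eq '$Name'" -SearchBase $OuDn -SearchScope OneLevel
    if (-not $group) {
        $group = New-ADGroup -Name $Name -GroupScope Global -GroupCategory Security -Path $OuDn -PassThru
    }
    Add-SjGroupMember -Group $Name -Members $Members

    # Registration: membership of the distribution group is what makes the
    # configuration file pick the group up at the next transfer.
    Add-SjGroupMember -Group "ScanJourCaptia$DatabaseName-$Kind" -Members @($Name)
    $group
}

function Find-SjUnregisteredGroup {
    # Security groups in $OuDn that are not members of the distribution group.
    param(
        [Parameter(Mandatory)] [string] $DatabaseName,
        [Parameter(Mandatory)] [string] $OuDn,
        [Parameter(Mandatory)] [ValidateSet('Groups', 'Committees')] [string] $Kind
    )
    $registered = Get-ADGroupMember -Identity "ScanJourCaptia$DatabaseName-$Kind" |
                      Select-Object -ExpandProperty DistinguishedName
    Get-ADGroup -Filter "GroupCategory -eq 'Security'" -SearchBase $OuDn |
        Where-Object { $registered -notcontains $_.DistinguishedName } |
        Select-Object Name, DistinguishedName
}

# --- usage ---------------------------------------------------------------
$db       = 'tiltest'
$domainDn = (Get-ADDomain).DistinguishedName
$codesOu  = "OU=SJ Access Codes,$domainDn"
$commOu   = "OU=SJ Committees,$domainDn"

# CONFIDE2 first; CONFIDE1 then gets user hen plus everybody in CONFIDE2.
New-SjAccessCode -DatabaseName $db -Name 'CONFIDE2' -OuDn $codesOu -Kind Groups -Members 'pel', 'elp' | Out-Null
New-SjAccessCode -DatabaseName $db -Name 'CONFIDE1' -OuDn $codesOu -Kind Groups -Members 'hen', 'CONFIDE2' | Out-Null
New-SjAccessCode -DatabaseName $db -Name 'AGENDA'   -OuDn $commOu  -Kind Committees -Members 'hen', 'pel' | Out-Null

# Effective membership of CONFIDE1, including members inherited through CONFIDE2.
Get-ADGroupMember -Identity 'CONFIDE1' -Recursive | Select-Object SamAccountName, objectClass

# Anything listed here is not transferred until it is added to the distribution group.
Find-SjUnregisteredGroup -DatabaseName $db -OuDn $codesOu -Kind Groups
Find-SjUnregisteredGroup -DatabaseName $db -OuDn $commOu  -Kind Committees
```

Get-ADGroupMember -Recursive shows the members that CONFIDE1 gains through nesting, which is the set of people who will be able to apply and read the access code after the next transfer; Find-SjUnregisteredGroup is the check to run before the trial transfer in section 9.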

9 When You Have Finished All Configurations

Manual trial transfer

After you have configured your SJ AD and system according to the prior steps of this guide, you must run a trial transfer.

In the SJ Active Directory Connector window, click Display Only. This catches errors in the AD setup (but not errors that depend on the actual data in the database).

9.1 Initialize Transfer of Data

Transfer from AD to WorkZone Content Server

When you have corrected any errors that the trial caught, you are ready to transfer for real.

When you click the Transfer button in SJADConnector, data is transferred from AD to the WorkZone Content Server database according to the alignment described in the configuration file.

9.2 Re-enable the Scheduled Transfer Task

Enable task

After the transfer has completed successfully, you must re-enable the Scheduled Transfer Task. See section 3.3 Create a scheduled task transfer, steps 3-4 in reverse.

This task will now handle the alignment of data changes and new creations between AD and WorkZone Content Server.

10 Field to Field Transfer between AD and SJ

Default configuration

This chapter describes the default configuration of transfers from AD fields to fields in WorkZone Content Server.

Changes to the default configuration may only be made in collaboration with, or with the knowledge of, your software provider, for example, ScanJour A/S. Customer-specific changes, additions or removals of data, to cater for the customer's organization or AD setup, are made in the configuration file SJADConfiguration<database name>.xml.

The tables below show where changes can be made: in the rows that are not marked in the Mandatory dependency column.

Furthermore, the tables show how the transfer of information is mapped (or aligned) field by field. However, note the following exclusions:

The fields automatically transferred via SOM, for example, the field Registered by in the Addressee Register.

The tables created for the internal audit of the transfer itself.

Any relations to Access Codes.

Field to field mapping

The field-to-field mapping in the default configuration between AD and the ScanJour database is marked in the columns Mandatory value and Mandatory dependency:

If the Mandatory value column is marked in a row, for example, user logon name, the value is mandatory in AD and will be transferred. If the value is missing, the data cannot be aligned.

If the Mandatory dependency column is marked in a row, for example, user logon name, the data will always be filled in according to the equivalent AD field or, where a note is given, according to the convention specified in the note, for example, (7).

Field information transferred from AD to WorkZone Content Server that becomes a Name Code is always transferred capitalized, for example, ELP.

10.1 Field Data Concerning Users

User table
Field information regarding users:

Name in AD GUI | ADSI name | WorkZone Content Server register | WorkZone Content Server field | Mandatory value | Mandatory dependency
User logon name (pre-Windows 2000) | sAMAccountName | employee | name_code | | (7)
User logon name (pre-Windows 2000) | sAMAccountName | employee | name:name_code | | (7)
First name | givenName | employee | name:name1 | |
Last name | sn | employee | name:name2 | |
Telephone number | telephoneNumber | employee | address:phone_no (address_type=HA) | |
Street | streetAddress | employee | address:address1 (address_type=HA) | |
Zip/postal code | postalCode | employee | address:postcode (address_type=HA) | |
Country/region | c | employee | address:country_code (address_type=HA) | |
E-mail | mail | employee | address:email (address_type=HA) | |
Description | description | employee | text | |
 | | employee | location_code | | (1)
 | | employee | resigned | | (2)
 | | employee | name:end_date | | (2)
User logon name (pre-Windows 2000) | sAMAccountName | users | user_name | | (7)
 | objectSid | users | sid | | (8)
 | | users | ntauthentication | | (3)
 | | users | ntname | | (4)
 | | users | authority | | (5)
 | | users | bem | | (6)

Notes:

(1) Is filled in as the name_code of the OU containing the user. May be overridden by a customer AD field.

(2) Is only filled in if the employee is no longer transferred from AD. Left blank if the employee is transferred again at a later date.

(3) Is filled in with the default value "J".

(4) Is filled in as <domain name>\<sAMAccountName>.

(5) Is filled in as the Name Code of the OU containing the superior level OU in the OU register if it has the value "MYNDIGHE"; otherwise it is left blank.

(6) Is filled in as user_name - name:name1 name:name2.

(7) All these fields will be filled in with the same value. The value comes either from sAMAccountName or from an alternative specified field. If an alternative field is specified, the <SJName> tag must mention the field name 'user_name'. For example, if using the description field in AD for the name_code, the following piece of XML should be added:

    <userField>
      <ADName>description</ADName>
      <SJName>user_name</SJName>
      <mandatory>true</mandatory>
    </userField>

(8) This field is selected in the default configuration, and ScanJour recommends that you do not change it. If, however, it is for some reason necessary to read the users' SIDs from a different field, it may be configured in the configuration XML file under the tag <userSIDADFieldname> in the <configuration> section. In such situations ScanJour recommends using the securityIdentifier field, as it has the appropriate format and is not used by Microsoft.

10.2 Field Data Concerning OUs

OU table
Field information regarding OUs is listed below:

Name in AD GUI | ADSI name | WorkZone Content Server register | WorkZone Content Server field | Mandatory value | Mandatory dependency
Description | description (1) | OU | name_code | |
Description | description (1) | OU | name:name_code | |
Name (the OU's name) | ou | OU | name:name1 | |
 | | OU | parent_ou | | (2)
 | | OU | end_date | | (3)


Notes:

(1) This field is selected in the default configuration; however, it is possible to change it in the Active Directory Connector Configuration window, in the Organizational unit AD field to use as identifier text box. Note: You can specify each OU's Name Code explicitly.

(2) Is filled in as the Name Code of the immediate superior (parent) OU in AD, if that OU is being transferred. Otherwise it remains blank.

(3) Is only filled in if the OU is no longer transferred from AD. Left blank if the OU is transferred again at a later date.

10.3 Field Data Concerning the Distribution Group "Groups"

Groups
Global security groups that are members of the Groups distribution group are only transferred into Group Access Codes if at least one user is a member of the Global security group in question.

10.4 Field Data Concerning the Distribution Group "Committees"

Committees = committee
Field information regarding Committees is listed below:

Name in AD GUI | ADSI name | Scan·Jour Captia register | Scan·Jour Captia field | Mandatory value | Mandatory dependency
Group name (pre-Windows 2000) | sAMAccountName | contact | name_code | x | x
Group name (pre-Windows 2000) | sAMAccountName | contact | name1 | x |
 | | contact | end_date | x | x (1)

Notes:

(1) Is only filled in if the committee is no longer transferred from AD. Left blank if the committee is transferred again at a later date.


11 ADSI Field Names

Making changes to the configuration file

This chapter of the guide is aimed at the technician of the software provider who is in charge of the customization of the configuration file SJADConfiguration<database name>.xml

The tables below show the ADSI equivalents of the AD field names.

11.1 ADSI Field Names for OUs

ADSI field names for OUs
The table below shows the ADSI equivalent of the AD field names for OUs:

AD Field name | ADSI Field name
Name | ou
Description | description
Street | street
City | l (lowercase L)
State/province | st
Zip/postal Code | postalCode
Country/region | c

11.2 ADSI Field Names for the Distribution Group "Groups"

ADSI names for "Groups"
The table below shows the ADSI equivalent of the AD field names for "Groups":

AD Field name | ADSI Field name
Name | name
Description | description
E-mail | mail
Notes | info


11.3 ADSI Field Names for Users

ADSI names for users
The table below shows the ADSI equivalent of the AD field names for Users:

AD Field name | ADSI Field name
General
First name | givenName
Initials | initials
Last name | sn
Description | description
Office | physicalDeliveryOfficeName
Telephone number | telephoneNumber
E-mail | mail
Web page | wWWHomePage
Address
Street | streetAddress
P.O. Box | postOfficeBox
City | l (lowercase L)
State/province | st
Zip/Postal Code | postalCode
Country/region | c
Telephones
Home | homePhone
Pager | pager
Mobile | mobile
Fax | facsimileTelephoneNumber
IP Phone | ipPhone
Organization
Title | title
Department | department
Company | company

12 Character Restrictions

Character restrictions

Some character restrictions apply to OUs, User Names, Global security groups and Global distribution groups. Note: In general ScanJour strongly discourages the use of any other characters, symbols or digits than the ones mentioned below. If you ignore this, it can have serious consequences for the success of your transfer.


12.1 Organizational Unit Name Restrictions

Allowed characters in the name_code for organizational units
The following restrictions apply to the name_code (with standard configuration this is the value in the Description field):

1. Maximum length is 30 characters. However, it must not exceed the length of Address Type A's Address Code as configured in Configuration Management, see section 2.2 Configuration of Contact Types.
2. The only allowed characters are:
   a. Letters (including Æ, Ø and Å)
   b. Digits
   c. The following special characters:
      Period (.)
      Underscore (_)
      Dash (-)

12.2 User Name Restrictions

User names in WorkZone Content Server
The following restrictions apply to the user logon name for WorkZone Content Server:

1. The User Name in the User logon name (pre-Windows 2000) text box in AD has a maximum length of 20 characters. This is an AD restriction. WorkZone Content Server allows up to 30 characters. You can utilize this by opting for an alternative field for the transfer of the Name Code/User Code.
2. The User Name in the User logon name (pre-Windows 2000) text box must not exceed the length of Address Type M's Address Code as configured in Configuration Management, see section 2.2 Configuration of Contact Types.
3. The only allowed characters are:
   a. Letters (including Æ, Ø and Å)
   b. Digits
   c. The following special characters:
      Period (.)
      Underscore (_)
      Dash (-)


12.3 Group Name Restrictions

Allowed characters in Group names in AD
The following restrictions apply to the AD field Group name (pre-Windows 2000) in Global Security groups used for Group Access Codes.

1. All letters are converted to uppercase when transferred.
2. Maximum 30 characters are converted; additional characters are cut off.
3. The only letters and digits allowed are:
   A to Z
   0 through 9.
4. The only special characters allowed are:
   Underscore (_)
   Dash (-).
5. The characters Æ, Ø and Å are converted as shown below:
   Æ = AE
   Ø = OE
   Å = AA.
   Important: Æ, Ø, and Å are treated as two characters.
6. All special characters other than the above will be removed.
7. Spaces are converted into dashes (-).

12.4 Committee Name Restrictions

Allowed characters in Committees
The following restrictions apply to the AD field Group name (pre-Windows 2000).

1. Maximum length is 30 characters. However, it must not exceed the length of Address Type U's Address Code as configured in Configuration Management (or any alternative Address Types generated), see section 2.2 Configuration of Contact Types.
2. The only allowed characters are:
   a. Letters (including Æ, Ø and Å)
   b. Digits
   c. The following special characters:
      Period (.)
      Underscore (_)
      Dash (-)
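The restrictions of sections 12.1, 12.2 and 12.4 and the group name conversion of section 12.3, as an added example (Python) for checking values before a transfer; it is not ScanJour's or SJADConnector's code. It assumes that lower-case æ, ø and å count as letters, that the 12.3 conversion runs upper-casing, Æ/Ø/Å expansion, space-to-dash and removal of other characters before the 30-character cut, and that the relevant Address Code length is passed in by the caller.

```python
import re

# Added example, not ScanJour's code: checks a proposed AD value against the
# Name Code restrictions in section 12 before it reaches the transfer.

# Sections 12.1, 12.2 and 12.4: letters (including Æ, Ø, Å), digits, period,
# underscore and dash. Lower-case æøå are accepted as letters (assumption).
_NAME_CODE_RE = re.compile(r"^[A-Za-zÆØÅæøå0-9._-]+$")
MAX_NAME_CODE_LEN = 30          # upper bound in 12.1, 12.2 and 12.4
AD_PRE2000_LOGON_LEN = 20       # 12.2 item 1 (AD restriction)

# 12.3 item 5: replacements applied to Global security group names.
_DANISH_MAP = {"Æ": "AE", "Ø": "OE", "Å": "AA"}


def check_name_code(value, kind="unit", address_code_len=MAX_NAME_CODE_LEN):
    """Return a list of violations (an empty list means the value is acceptable).

    kind is 'unit', 'user' or 'committee'. address_code_len is the length of
    the relevant Address Type's Address Code from Configuration Management
    (section 2.2), which may be lower than 30.
    """
    problems = []
    if not value:
        return ["empty value"]
    limit = min(MAX_NAME_CODE_LEN, address_code_len)
    if len(value) > limit:
        problems.append(f"length {len(value)} exceeds {limit}")
    if kind == "user" and len(value) > AD_PRE2000_LOGON_LEN:
        problems.append(
            f"length {len(value)} exceeds the {AD_PRE2000_LOGON_LEN}-character "
            "AD pre-Windows 2000 logon limit; use an alternative field")
    if not _NAME_CODE_RE.match(value):
        bad = sorted({c for c in value if not _NAME_CODE_RE.match(c)})
        problems.append("disallowed characters: " + " ".join(repr(c) for c in bad))
    return problems


def convert_group_name(name):
    """Apply the section 12.3 conversion to a Group name (pre-Windows 2000).

    Order assumed here: upper-case, expand Æ/Ø/Å, spaces to dashes, drop all
    other special characters, then cut to 30 characters (the 'two characters'
    remark in item 5 implies the expansion happens before the length is counted).
    """
    upper = name.upper()                                        # item 1
    expanded = "".join(_DANISH_MAP.get(c, c) for c in upper)    # item 5
    dashed = expanded.replace(" ", "-")                         # item 7
    kept = "".join(c for c in dashed
                   if c.isascii() and (c.isalnum() or c in "_-"))  # items 3, 4, 6
    return kept[:MAX_NAME_CODE_LEN]                             # item 2


if __name__ == "__main__":
    # Constructed sample values, not taken from any real directory.
    for value, kind in [("ELP", "unit"), ("Sags.Beh_1", "unit"),
                        ("a.very.long.user.logon.name", "user"),
                        ("Løn/Økonomi", "committee")]:
        print(f"{kind:10} {value!r:32} -> {check_name_code(value, kind) or 'ok'}")
    for group in ["Økonomi afd.", "Sagsbehandlere (Aarhus)", "Æ" * 20]:
        print(f"{group!r:30} -> {convert_group_name(group)!r}")
```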

13 Name Code Stripping

Default handling of Name Code
If your User Names (Name Codes) exceed 20 characters, or carry AD prefixes that you do not want to transfer, stripping the name before transferring it from AD is an option.

Normally the Name Code in WorkZone Content Server's database is transferred as follows:

Users: <pre-Windows 2000 logon> name.
Units: <pre-Windows 2000 logon> name or another AD field (default=description) or, alternatively, a custom integration explicitly amended in the configuration file.
"Groups": <pre-Windows 2000 logon> name.
"Committees": <pre-Windows 2000 logon> name.

Stripping of XML elements
The Name Code instances mentioned above can be manipulated in the manner described below before they are stored in ScanJour's database. It is possible to strip a defined leading and/or trailing part of a string of the data from AD. This is done by utilizing one of the following XML elements in the configuration file SJADConfiguration<database name>.xml.

The elements are:

leading: <stripPrefix>
trailing: <stripPostfix>

The XML element must be entered as a sub-element of the <domain> element in order to allow different Name Code stripping for alternate domains. Only Name Codes containing the defined part of the string are stripped; all others are left unchanged. Only one prefix and one postfix can be stripped for each kind.

The attribute 'kind'
Both elements have a non-mandatory attribute "kind". The attribute's legal values are:

user - User Codes will be stripped.
unit - Unit Codes (OUs in AD) will be stripped.
group - Group Access Codes will be stripped.
committee - Committee codes will be stripped.

Note: Omitting the attribute will be interpreted as kind="user".

The part of the string you wish to strip should always be written in CAPITAL LETTERS, since Name Codes are capitalized.

13.1 Examples of Stripping

Example 1
<stripPrefix>T-</stripPrefix>

With this stripping element, all User Codes from the relevant domain beginning with "T-" are stripped of that prefix; all others are left as they are:

AD Code | SJ Code
T-VIGGO | VIGGO
HUGO | HUGO

Example 2
<stripPrefix kind="user">T-</stripPrefix>
<stripPostfix>O</stripPostfix>

With these stripping elements, all User Codes from the relevant domain beginning with "T-" and/or ending in "O" are stripped of those parts where they meet the criteria:

AD Code | SJ Code
T-VIGGO | VIGG
HUGO | HUG

Example 3
<stripPrefix kind="unit">OU-</stripPrefix>
<stripPostfix kind="unit">-Z</stripPostfix>

With these stripping elements, all OU codes from the relevant domain beginning with "OU-" and/or ending in "-Z" are stripped of those parts where they meet the criteria:

AD Code | SJ Code
OU-DEP1 | DEP1
OUDEP2-Z | OUDEP2
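The <stripPrefix>/<stripPostfix> handling described in section 13 and illustrated in 13.1, as an added example (Python) rather than the connector's own implementation. The <domain> fragment is constructed and shows only the stripping elements; the rejection of duplicate elements per kind and of lower-case values, and the guard against stripping a code down to nothing, are this example's choices, not behaviour the guide describes.

```python
import xml.etree.ElementTree as ET

# Added example, not SJADConnector's code: reads <stripPrefix>/<stripPostfix>
# sub-elements of a <domain> element and applies them to Name Codes per kind.

KINDS = ("user", "unit", "group", "committee")


def load_strip_rules(domain_xml):
    """Parse one <domain> element and return {kind: (prefix, postfix)}.

    A missing kind attribute means kind="user" (section 13). A second prefix
    or postfix for the same kind is rejected, since only one of each is allowed
    per kind; raising is this example's choice, the connector's behaviour is
    not described in the guide.
    """
    root = ET.fromstring(domain_xml)
    if root.tag != "domain":
        raise ValueError("expected a <domain> element, got <%s>" % root.tag)
    rules = {kind: [None, None] for kind in KINDS}
    for slot, tag in ((0, "stripPrefix"), (1, "stripPostfix")):
        for elem in root.findall(tag):
            kind = elem.get("kind", "user")
            if kind not in KINDS:
                raise ValueError("illegal kind %r on <%s>" % (kind, tag))
            text = (elem.text or "").strip()
            if not text:
                raise ValueError("<%s kind=%r> is empty" % (tag, kind))
            if text != text.upper():
                # Name Codes are capitalized, so a lower-case part never matches.
                raise ValueError("<%s kind=%r> must be in capital letters" % (tag, kind))
            if rules[kind][slot] is not None:
                raise ValueError("more than one <%s> for kind %r" % (tag, kind))
            rules[kind][slot] = text
    return {kind: tuple(parts) for kind, parts in rules.items()}


def strip_name_code(code, kind, rules):
    """Strip the configured prefix and/or postfix from one Name Code.

    Each part is removed only if present, independently of the other; a code
    that would become empty is left unchanged (an added guard, not from the guide).
    """
    prefix, postfix = rules[kind]
    result = code
    if prefix and result.startswith(prefix) and len(result) > len(prefix):
        result = result[len(prefix):]
    if postfix and result.endswith(postfix) and len(result) > len(postfix):
        result = result[:-len(postfix)]
    return result


# Constructed <domain> fragment: Examples 2 and 3 of section 13.1 combined.
# Only the stripping elements are shown; the domain's other settings are omitted.
SAMPLE_DOMAIN = """<domain>
  <stripPrefix kind="user">T-</stripPrefix>
  <stripPostfix>O</stripPostfix>
  <stripPrefix kind="unit">OU-</stripPrefix>
  <stripPostfix kind="unit">-Z</stripPostfix>
</domain>"""


def demo():
    """Return {(kind, AD code): SJ code} for the guide's example codes."""
    rules = load_strip_rules(SAMPLE_DOMAIN)
    samples = [("user", "T-VIGGO"), ("user", "HUGO"),
               ("unit", "OU-DEP1"), ("unit", "OUDEP2-Z"), ("group", "T-VIGGO")]
    return {(kind, code): strip_name_code(code, kind, rules) for kind, code in samples}


if __name__ == "__main__":
    for (kind, ad_code), sj_code in demo().items():
        print(f"{kind:9} {ad_code:10} -> {sj_code}")
```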

14 System Access Codes

System Access Codes
The following groups of System Access Codes (subsections 14.1 WorkZone Content Server System Access Codes and 14.2 ScanJour Configuration Management System Access Codes) are mandatory. Usually they are scripted, but if they are not in your AD, they must be created manually. The three extraordinary System Access Codes (subsection 14.3 Extraordinary System Access Codes) are not mandatory but optional. These cannot be created in AD but must be created by executing SQL.

System Access Codes give their members extended rights and access to the system through the interface of the system or module they refer to.

14.1 WorkZone Content Server System Access Codes

WorkZone Content Server System Access Codes
In the table below you have an overview of the System Access Codes available with regard to WorkZone Content Server:

System Access Code | Comments
ALLEEMNER | Corporate Access Code. If the Corporate configuration is chosen, the Access Code field of cases and documents must never be left blank. Therefore, all objects in the system that should be visible to all users must have the Access Code ALLEEMNER. This is a System Access Code that all users of the Corporate configuration must be members of.
CONFIGADM | Members of CONFIGADM have the rights to distribute menu and list configurations.
DEJOURNALADM | Members of DEJOURNALADM have the rights to dejournalize (make a traceable move of misplaced) archived documents from one case to another.
LISTCONF | Members of LISTCONF have rights to edit lists in their own profile.
MENUCONF | Members of MENUCONF have the rights to edit menus.
MULTIEDIT | Members of MULTIEDIT have rights to batch edit from lists.
RAPDEF | Members of RAPDEF have rights to create Crystal Report Definitions in WorkZone Content Server.
RECORD_ACCESS | Externally used System Access Code, for example, CMS. Members of RECORD_ACCESS have rights to mitigate a citizen's request for access from a third party system. The system user of the third party system is the member.
UNLOCKADM | Members of UNLOCKADM have rights to unlock the following relations in WorkZone Content Server: case and contact, document and case, case and case, document and document, contact and contact. All users can lock (and members of UNLOCKADM can unlock) the above-mentioned relations from the menu of the Action Icon in the WorkZone Content Server GUI.
CONTENT_SERVICES | Members of CONTENT_SERVICES have rights to enable and disable Content Services.
FILINGPERIOD | Members of FILINGPERIOD have rights to edit filing period data in Captia Web Client.

14.2 ScanJour Configuration Management System Access Codes

Configuration Management System Access Codes
In the table below, you have an overview of the System Access Codes available with regard to the individual modules and functions in ScanJour Configuration Management:

System Access Code | Comments
DATAADM | Members of DATAADM have rights to the following modules in Configuration Management: Countries and PostCodes, Custom Label, Custom Domain, Addressee (Contacts), Filing period, Stopwords, Classification Scheme, Facet Dictionary, Subnumbers, Applied Case Number Format, Document Format, Register Security.
DIAGADM | Members of DIAGADM have rights to the following module in Configuration Management: Trace Output.
PROFILADM | Members of PROFILADM have rights and access to the following modules in Configuration Management: Restricting Profiles, Preference Profiles, Record Access.
IADM | Members of IADM have rights and access to the following module in Configuration Management: Lost and Found.
USERADM | Members of USERADM have rights and access to the following modules in Configuration Management: Owner, Users, Use Log.
FESD_WS | Externally used System Access Code. Members of FESD_WS have rights to call WorkZone Content Server Open WSI and gain access from a third party system. The system user of the third-party system is the member.

14.3 Extraordinary System Access Codes

Extraordinary System Access Codes
The following extraordinary system access codes are optional: AFDADM, MEDARBADM, and STJERNEADM. They can be launched if the customer's organization deems it necessary in dealing with maintenance and security issues in their own solution.

Warning: Most customers will be able to control access rights through Active Directory and AD Transfers, and will therefore have no need for the following access codes. However, because these access codes partly impair the control of what the user can view in the database, ScanJour only recommends these system access codes to be implemented if the customer cannot control the access rights through Active Directory alone.

Notes:
- These access codes cannot be created from Active Directory, but must be created directly in the database, see section 14.3.1 SQL-Creation of the Extraordinary System Access Codes below for the method.
- Be aware that the rights allocated to the user by these system access codes cannot be executed by Active Directory.

System Access Code | Comments
AFDADM | If this system access code is allocated to a user, the user can create or amend units.
MEDARBADM | If this system access code is allocated to a user, the user can create or amend employees.
STJERNEADM | If this system access code is allocated to a user with security code 9, this user will have rights to allocate the '*' access code to any user. Notes: The '*' access code is the only access code that can be allocated in this way. The '*' access code gives the user access rights to all domains otherwise protected by individual access codes or access code strings.

14.3.1 SQL-Creation of the Extraordinary System Access Codes

The system access codes must be created in the access_code_domain table, but only if the organization opts for them. At least one user must be allocated per access code once they have been created.

They are created by executing the following SQL commands:

1. Execute the following if you want to allocate the system access code MEDARBADM to at least one user:

   insert into access_code_domain(access_code, access_code_type, system)
   select 'MEDARBADM', 'INDBLIK', 'J' from dual
   where not exists (select null from access_code_domain where access_code = 'MEDARBADM');
   commit;

2. Execute the following if you want to allocate the system access code AFDADM to at least one user:

   insert into access_code_domain(access_code, access_code_type, system)
   select 'AFDADM', 'INDBLIK', 'J' from dual
   where not exists (select null from access_code_domain where access_code = 'AFDADM');
   commit;

3. Execute the following if you want to allocate the system access code STJERNEADM to at least one user:

   insert into access_code_domain(access_code, access_code_type, system)
   select 'STJERNEADM', 'INDBLIK', 'J' from dual
   where not exists (select null from access_code_domain where access_code = 'STJERNEADM');
   commit;


15 Recommendations and Advice

Advice
Below you will find a number of recommendations, best practices, and general advice concerning SJADConnector and pre-transfer snags.

15.1 Event Log

Event log monitoring
ScanJour recommends that you monitor your first transfer of user data from AD to WorkZone Content Server with SJADConnector.

The trial transfer is described in section 9.1 Initialize Transfer of Data. However, as mentioned, this does not necessarily catch everything. All errors, whether they show up in the status of the transfer or not, are reported in the Windows event log. You should therefore monitor the event log carefully through the initial transfer. Correct the errors that show up and repeat the process while monitoring the event log. You are done when the event log has nothing to report.

You check the event log in the Event Viewer: Click Start > Control Panel > Administrative Tools > Event Viewer.

As a last precaution you should run a transfer with total update enabled. To do this, in the SJ Active Directory Connector window select the Total update check box before starting a transfer.

15.2 One Configuration File per Database

Transferring
You should only have one configuration file per database. In other words, you should make sure your scheduled task(s) utilize the correct configuration file. And you should always disable the Scheduled Task if you decide to transfer manually. Always run only one transfer per database at any time.

If you are doing major maintenance in AD, it is prudent to stop your scheduled task while you are manually monitoring your transfer. Remember to re-enable the task when you are done, see section 9.2 Re-enable the Scheduled Transfer Task.

15.3 Do not Change the Name Codes

Name Codes
If you need to change user names, unit names, or pre-Windows 2000 group names, do not make these changes in AD without first analyzing and mapping the consequences. If you do, the transfer will catch the changes and report them as errors.

If it is essential that a user changes, for example, his or her initials, ScanJour recommends deleting this user and creating a new one. Be aware, though, that in this event you have a major administrative task of cleaning up: old cases, all objects protected with a User Code, personal and general drafts that were not yet archived, ownership of reminders, personal preferences in the GUI, and so on, now ought to have their ownership transferred, or be mass edited or moved. If you do nothing, these objects will now be owned by an inactive user, and any objects holding User Access Codes that are not redistributed will have to be handled by Lost and Found in Configuration Management.

You should also model the new user on the old, see section 7.1 Users become log-on users and employees in WorkZone Content Server.


15.4 Domain Server Connection

Domain server
For each domain server you must enter the name of the server (or its IP address). If the program is not run as a trusted user of the domain, then you have to supply the User Name and password of a user that has permission to read AD's directory catalog.

The domain name may also be entered as an LDAP Distinguished Name, for example:

DC=scanjour,DC=dk

Encryption of Password
The AD Connector supports specification of logon information to be used for reading from the domain. This information is stored in the XML configuration file in the form of a user name and a password. In previous versions, the password was stored in unencrypted form, but in versions starting from Captia 4.5 SP1, the password is stored in encrypted form. For backwards compatibility, the connector can use a password stored in unencrypted form too: if decryption of the password fails, the replicator tries to use the password exactly as read from the configuration file. As in earlier versions, it is still possible to avoid specifying any logon information in the Connector itself. Instead, it can be run under an account with the permissions needed to read from the domain.

The password is encrypted in such a way that it can only be decrypted on the same machine as the one that was used during encryption, which is performed when you click OK in the Domain Server dialog box where the logon information has been specified. This means that if you move the XML configuration file to another server for use with the AD Connector there, you need to re-enter the password of the logon information in the Domain Server dialog box after having moved the XML configuration file to the new server.

15.5 Users

Users
The list Groups identifying ScanJour Captia users in the Domain server window in SJADConnector lists the global distribution groups that identify users to be transferred.

If a user is a member of more than one, note that the user is then automatically allocated the highest security code.

15.6 OUs and Units

OUs and units
The list Units in the Domain server window in SJADConnector lists the organizational units that identify OUs to transfer into units in WorkZone Content Server.

If an OU has the Recursive check box selected, all underlying OUs will be transferred as well, see section 5.2 Register OUs in ScanJour Active Directory Connector, step 5.

15.7 Scheduled Transfer Task

Automatic transfer task
When your transfer is error free (and the event log is as well), you must configure a scheduled transfer task at a regular interval, between every 2 hours and once a day depending on the size of your organization.

You can set up a scheduled task from the Wizard, see section 3.3 Create a scheduled task transfer.

If you change your scheduled task or make changes to the configuration file, make sure the configuration is reflected in the command line parameters, see section 17 Monitoring the Transfer.

15.8 Mapping of AD Fields to WorkZone Content Server Fields

Mapping of AD fields
The configuration file contains alignment information regarding which AD field is transferred to which ScanJour database field (WorkZone Content Server GUI text box). This information can be maintained directly in the configuration file, which is an XML file. Note: There is no GUI through which you can maintain this. Changes must be made manually, directly in the XML file, using a text editor.

The XML file contains a number of <userField>, <UnitField> and <CommitteeField> elements with specifications of what is transferred from where to where. Changes can be made, but it is prudent to do so with the knowledge of your software provider and your ScanJour technician, see sections 10 Field to Field Transfer between AD and SJ and 11 ADSI Field Names.

15.9 Lost Entities Restored with IADM

Lost entities
When data has been transferred from AD to ScanJour, a scheduled task periodically checks whether there are any lost, that is, inaccessible, entities such as cases, documents, tasks or contacts in the database. This task was preconfigured when the system was installed; refer to InstallGuide_EnterpriseServer.docx for further information. Because the scheduled task is executed periodically, members of the System Access Code IADM can view these lost entities in the module Lost and Found in Configuration Management.

IADM insures against loss of data
Typically, when a corporation makes organizational changes or employees resign, there is a risk that there will be entities, such as cases and documents, which no one has the access codes to see or change. These entities can be lost. IADM prevents the loss and is used to administer such lost entities through a module in Configuration Management, Lost and Found; refer to Configuration_Management_Online_Help.chm, topic on Lost and Found.

Lost and Found
The purpose of the Lost and Found module is to find these entities and make them accessible. Users with access to the module can then exchange the void access code and make the entities accessible in WorkZone Content Server to the personnel in charge of handling redistribution.


16 Command Line Parameters

Parameters
Command line parameters are used while running the Scheduled Task, see section 3.3 Create a scheduled task transfer, steps 3 and 4, and their default settings from the initial setup may be changed. To change the setup, open the Scheduled Task window and select the Task tab. In the Run text box, you can see the default command line parameters.

In the table below is an overview of command line parameters including their default values and comments:

Parameter | Default value | Comment
/db=<database name> | No default. | Indicates the ScanJour database in question.
/window, /nowindow or /wizard | If the database is specified, /window is the default. If the database is not specified, /wizard is the default. | Indicates whether the program should show a GUI, and whether it should be the transfer status window (/window) or the Wizard (/wizard).
/forceupdate | No default value. Configuration file changes since the last transfer will be checked. | Indicates that all data (users, user information, and so on) needs to be totally updated. If it is not indicated, the modified date in AD is compared with the last transfer.
/config=<file name> | SJADConfiguration<database name>.xml | Indicates the location of the configuration file in question.
/setsid=<SystemUser> | No default. | This user must be present in the AD, but should not be included as a member of any of the administrative groups or access code groups. The effect is that the system user is looked up in the domain, where the SID is read and written into the database, so that the user can log on to WorkZone Content Server. Normal replication is not performed; only this single user is handled.

17 Monitoring the Transfer

Check quality of transfer

You can check the quality of the transfer from AD to WorkZone Content Server at any time, and you should do so each time you have made essential changes to AD or to SJADConnector.

17.1 Check quality of transfer

How to check

1. Start SJADConnector. The window SJ Active Directory Connector is shown.

2. Click Display only (a trial transfer from AD to the display only). If you have deviated from the conventions for AD registrations, the deviations show up as errors in the window where information is usually shown.

3. Correct your mistakes and repeat steps 1-2.

4. When the trial transfer comes up without any errors in the status window, click Transfer.

5. Even if the transfer has completed successfully, check the Event Viewer: click Start > Control Panel > Administrative Tools > Event Viewer. The event log may catch transfer problems that do not show up in the status window, see section 15.1 Event Log.

18 Corporate Access Code

Introduction

If your organization has opted for an installation that utilizes Corporate Access Codes, there are some minor deviations from the previous chapters. In general, however, the methods described previously for Active Directory also apply here.

Overview

The following is described below:

18.1 Prerequisites
18.2 Configuring the Transfer from Active Directory
18.3 Special Access Codes for the Corporate Solution in AD

18.1 Prerequisites

Prerequisites

The following is assumed:

• The database has been installed to support Corporate Access Codes; refer to InstallGuide_Database.docx, chapter 4.2, for further information.
• The scheduled task for Lost and Found has been set up; refer to InstallGuide_EnterpriseServer.docx for further information.
• It is a standard Corporate configuration.
• Knowledge of how the Corporate Access Codes are used; refer to Captia_Online_Help.chm, topic on Corporate Access Code, for further information.
• Knowledge of how your organization wishes to utilize the Corporate Solution.

18.2 Configuring the Transfer from Active directory

The configuration of corporate access codes includes creating organizational units for the corporation. The organizational units are transferred from Active Directory (AD) as OUs, which means that they must exist in AD before you can transfer between AD and the database. You can create the organizational units in AD as described in section 5 Creating Organizational Units in AD.


A typical OU configuration in AD:

The four levels of a standard Corporate Installation:

• <OMYND> = Executive Authority
• <UMYND> = Authority/department
• <AFD> = Section
• <KT> = Office

Mind you that the normal rules apply:

1) The top-level OU must be known to SJADConnector, see section 5.2 Register OUs in ScanJour Active Directory Connector.

2) Users are always placed at the "kontor level" (office level), for example KT1, see section Create users in Active Directory.

The effect of the above configuration is that an end user AA, for instance, who is a member of the OU KT1 (office 1), is organizationally placed in the framework UMYND2, AFD2, KT1, all under OMYND and segregated from any other Authorities sharing the same database under OMYND. This means that when AA creates, for example, a case in WorkZone Content Server, the case is automatically supplied with the access code string UMYND2 & ALLEEMNER: UMYND2 is the access code of the Authority to which AA belongs.

ALLEEMNER is a dummy access code assigned to entities if none is inherited from either class or case. All users are members of this access code. See also section 18.3.1 ALLEEMNER – Default Group Access Code.

Note: It is possible to have more than the four levels presented above, and they can be labeled differently to mirror the customer's organization. However, this must be taken into account during the organization's analysis of its Corporate Installation.

To configure the transfer from AD

1. Do the following:

• Open the configuration file SJADConfiguration<database name>.xml on the server where the replication is to be made.
• Search for the text <unitField> and add the following <unitField> statement after the existing ones:

    <unitField>
      <ADName>st</ADName>
      <SJName>OU_GRP</SJName>
      <mandatory>false</mandatory>
    </unitField>

This addition has the effect that the field OU_GRP is replicated from the State/province field (st) in AD.

Note: If you want to use the City field or the Zip/Postal Code field instead of the State/province field, replace <ADName>st</ADName> with one of the following:

• <ADName>l</ADName> (representing the City field).
• <ADName>postalCode</ADName> (representing the Zip/Postal Code field).

• Save and close the configuration file.

2. Open Active Directory as described in section 5.1 Create an Organizational Unit. The Active Directory Users and Computers window appears.

Note: On the left side of the window, you will find the organizational units that you created.

3. Do the following for each OU:

• In the tree structure in the left part of the window, right-click the name of the organizational unit to be transferred.
• In the pop-up menu for the organizational unit, select Properties. The <organizational unit> Properties window appears.

4. On the General tab, enter one of the following values in the State/province field according to the way your organization wants to utilize the Corporate Solution:

• OVERMYN, if the organizational unit belongs to the overmyndighed level (executive authority).
• MYNDIGHE, if the organizational unit belongs to the myndighed level (authority/department).
• AFDELING, if the organizational unit belongs to the afdeling level (section).
• KONTOR, if the organizational unit belongs to the kontor level (office).

Notes:

• This assumes that you mapped the State/province field in step 1 and that you are using the standard solution of the corporate access code system. If you are using a modified solution, the naming of the organizational unit levels may differ.
• You can alter these values and even have more than four levels in order to mirror your organization.

5. Click OK. The <organizational unit> Properties window closes.

6. Repeat steps 3 to 5 for every organizational unit that needs to be transferred.

7. Proceed with the transfer as described in section 9 When You Have Finished All.

18.3 Special Access Codes for the Corporate Solution in AD

Overview

A special group is required in AD before the Corporate Solution (CACS) works properly. This is described in section 18.3.1 ALLEEMNER – Default Group Access Code.


18.3.1 ALLEEMNER – Default Group Access Code

Corporate Access Code

All cases and documents in the Corporate Solution are created with an access code string of at least two access codes: one Organizational Access Code and one Group Access Code. These strings are the foundation of the hermetic segregation between the individual Authorities (Myndigheder) sharing the database of the Corporate Solution. When a case or document has no inherited Group Access Code, that is, none from the class, or from the case a document is attached to, a default group access code is necessary in order to comply with the rule of at least one Organizational Access Code and one Group Access Code. This default group access code is ALLEEMNER.
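As an added example covering both the OU procedure in 18.2 and the access code rule in 18.3.1 (not code from this guide or from the product), the following Python script reads which AD attribute the <unitField> entry maps to OU_GRP, checks a set of OUs and users against the stated conventions (every OU labelled with one of the four levels, each level nested directly under the previous one, the top-level OU registered in SJADConnector, users only at the KONTOR level), and builds the minimum access code string for a case created by a user. The OU and user records, the configuration fragment and the domain corp.example are constructed here; the assumption that the Organizational Access Code is the name of the authority-level (MYNDIGHE) OU above the user follows the AA / UMYND2 example in 18.2 and is not stated as a rule by the guide.

```python
"""Check a Corporate (CACS) OU hierarchy against the conventions in 18.2 and build the
minimum access code string described in 18.3.1.

Added example, not part of the original guide or the product. OU/user records, the XML
fragment and the domain corp.example are constructed; deriving the organizational access
code from the authority-level OU name is an assumption based on the AA / UMYND2 example."""
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, List, Optional

# Level labels written into the mapped OU field (step 4 of 18.2), top level first.
LEVELS = ["OVERMYN", "MYNDIGHE", "AFDELING", "KONTOR"]
DEFAULT_GROUP_CODE = "ALLEEMNER"

# Constructed fragment of SJADConfiguration<database name>.xml; the real root element and
# the pre-existing <unitField> entries are not reproduced here.
SAMPLE_CONFIG = """<configuration>
  <unitField><ADName>st</ADName><SJName>OU_GRP</SJName><mandatory>false</mandatory></unitField>
</configuration>"""

# Constructed AD data: OU distinguished names with the attribute mapped to OU_GRP.
SAMPLE_OUS: Dict[str, Dict[str, str]] = {
    "OU=OMYND,DC=corp,DC=example": {"st": "OVERMYN"},
    "OU=UMYND2,OU=OMYND,DC=corp,DC=example": {"st": "MYNDIGHE"},
    "OU=AFD2,OU=UMYND2,OU=OMYND,DC=corp,DC=example": {"st": "AFDELING"},
    "OU=KT1,OU=AFD2,OU=UMYND2,OU=OMYND,DC=corp,DC=example": {"st": "KONTOR"},
}
SAMPLE_USERS = ["CN=AA,OU=KT1,OU=AFD2,OU=UMYND2,OU=OMYND,DC=corp,DC=example"]
REGISTERED_TOP_OUS = {"OU=OMYND,DC=corp,DC=example"}  # top-level OUs known to SJADConnector


def ou_group_attribute(config_xml: str) -> Optional[str]:
    """AD attribute (st, l or postalCode) replicated into OU_GRP, or None if not mapped."""
    for uf in ET.fromstring(config_xml).iter("unitField"):
        if uf.findtext("SJName") == "OU_GRP":
            return uf.findtext("ADName")
    return None


def parent_dn(dn: str) -> str:
    return dn.split(",", 1)[1]


def rdn_value(dn: str) -> str:
    return dn.split(",", 1)[0].split("=", 1)[1]


def level_index(dn: str, ous: Dict[str, Dict[str, str]], attr: str) -> Optional[int]:
    """Position of the OU's level label in LEVELS, or None if dn is not a labelled OU."""
    label = ous.get(dn, {}).get(attr)
    return LEVELS.index(label) if label in LEVELS else None


def check_hierarchy(ous: Dict[str, Dict[str, str]], users: Iterable[str],
                    attr: str, registered_top: set) -> List[str]:
    """Findings for OUs or users whose labels or placement break the rules of 18.2."""
    findings = []
    for dn in ous:
        idx = level_index(dn, ous, attr)
        if idx is None:
            findings.append(f"{dn}: {attr} is {ous[dn].get(attr)!r}, not one of {LEVELS}")
        elif idx == 0:
            if dn not in registered_top:
                findings.append(f"{dn}: top-level OU not registered in SJADConnector (5.2)")
        elif level_index(parent_dn(dn), ous, attr) != idx - 1:
            findings.append(f"{dn}: labelled {LEVELS[idx]} but its parent is not {LEVELS[idx - 1]}")
    for user in users:
        if level_index(parent_dn(user), ous, attr) != len(LEVELS) - 1:
            findings.append(f"{user}: users must be placed at the {LEVELS[-1]} (office) level")
    return findings


def case_access_codes(user_dn: str, ous: Dict[str, Dict[str, str]], attr: str,
                      inherited_group: Optional[str] = None) -> str:
    """Minimum access code string for a case created by user_dn: the organizational code of
    the authority-level OU above the user, plus the inherited group code or ALLEEMNER."""
    dn = parent_dn(user_dn)
    while dn in ous:
        if ous[dn].get(attr) == LEVELS[1]:
            return f"{rdn_value(dn)} & {inherited_group or DEFAULT_GROUP_CODE}"
        dn = parent_dn(dn)
    raise ValueError(f"no {LEVELS[1]} OU above {user_dn}")


if __name__ == "__main__":
    attr = ou_group_attribute(SAMPLE_CONFIG)
    print("OU_GRP mapped from:", attr)
    print("findings:", check_hierarchy(SAMPLE_OUS, SAMPLE_USERS, attr, REGISTERED_TOP_OUS))
    print("case by AA:", case_access_codes(SAMPLE_USERS[0], SAMPLE_OUS, attr))
```

To use it on a real domain, export the OUs under the registered top-level OU with their st (or l / postalCode) values and the user DNs, and run check_hierarchy before each transfer: a mislabelled or misplaced OU is reported together with the OUs nested beneath it, and a user outside the office level is reported by name, which is what a "Display only" run in 17.1 would otherwise surface as an error.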