external users
DESCRIPTION
Presentation on working with External Users in Connections v5 including how to configure that feature and some sample screenshots. Given first at Icon UK in London Sept 2014TRANSCRIPT
September 2014
Bringing External Users Into Your Connections 5 WorldGabriella Davis!Technical Director!The Turtle Partnership
01
Let’s talk about me for a minute
✤ Admin of all things and especially quite complicated things where the fun is!
✤ Working with security , healthchecks, single sign on, design and deployment of Domino, ST, Connections and things that they talk to!
✤ Stubborn and relentless problem solver!
✤ Lives in London about half of the time
What’s This All About?
How Does It Work - The Brief Version
What Can An External Person Do?
✤ Be a full member of a Community that allows external users!
✤ Share Files with others as well as Download files shared with you !
✤ See Activity Streams that they are invited into!
✤ Edit Their Profile!
✤ View business cards of anyone who has shared content with them
What Can’t An External Person Do?
✤ See Any Public Content!
✤ Create a community!
✤ Follow people!
✤ See or search the company directory!
✤ Use type-ahead to find people!
✤ See recommended content or people!
✤ Access the Profiles menu!
✤ Access other user profiles!
✤ See @Mentions for them
✤ An existing Community can’t become a Community that allows external users!
✤ Once created as either internal or allowing external user access - a Community cannot be changed!
✤ Only internal users with a specific role can invite and share with external users!
✤ Communites with external users must be restricted
In general an external user is limited to participating in a restricted community they are invited into
This isn’t a bad thing
Let’s set things up or … here comes the technical bit
01
Internal vs External User Directories
✤ Who am I talking to? Who am I sharing with?!
✤ There needs to be a simple way of identifying internal vs external users!
✤ We need to tell Connections how to identify an internal and external user!
✤ There are three ways to do this!
✤ They all involve using TDI scripts
A Quick Catch Up On TDI
✤ To enable external users, the Profile DB must be used as a Directory!
✤ TDISOL found in the Connections install directory!
✤ Updated on Fix Central!
✤ Files we change for External users!
✤ profiles_tdi.properties!
✤ map_dbrepos_from_source.properties!
✤ sync_all_dns
Separate LDAP Branch or Server
✤ In map_dbrepos_from_source.properties!
✤ mode={func_mode_visitor_branch}!
✤ displayName={func_decorate_displayName_if_visitor}!
✤ displayNameLdapAttr=cn!
✤ decorateVisitorDisplayName= - External User!
✤ In profiles_tdi.properties! ! !
✤ source_ldap_url_visitor_confirm!
✤ source_ldap_search_base_visitor_confirm*!
✤ source_ldap_search_filter_visitor_confirm
Separate LDAP Branch or Server
✤ In map_dbrepos_from_source.properties!
✤ mode={func_mode_visitor_branch}!
✤ displayName={func_decorate_displayName_if_visitor}!
✤ displayNameLdapAttr=cn!
✤ decorateVisitorDisplayName= - External User!
✤ In profiles_tdi.properties! ! !
✤ source_ldap_url_visitor_confirm!
✤ source_ldap_search_base_visitor_confirm!
✤ source_ldap_search_filter_visitor_confirm
Separate LDAP Steps
✤ Ensure the External directory is also configured as a Federated Repository in WAS!
✤ otherwise your external users can’t authenticate!
✤ source_ldap_search_base_visitor_confirm must not be empty!
✤ In mapdb_repos_from_source add sync_source_url_enforce=true so TDI doesn’t remove one directory’s entries
LDAP Attribute
✤ This is a bit easier but needs careful managing!
✤ In mapdb_repos_from_source assign an LDAP attribute so that mode=“external”!
✤ displayName={func_decorate_displayName_if_visitor}!
✤ displayNameLdapAttr=cn!
✤ decorateVisitorDisplayName= - External User
LDAP Attribute As A Function
✤ Instead of mapping an LDAP attribute containing “external” to the mode= entry you can use a javascript function!
✤ The function must compute to the word ‘external’ for external users!
✤ It must be placed in profiles_functions.js file
Whatever Method You Choose !
sync_all_dns.bat when done .. on failure check the logs ibmdi.log and SyncUpdates.log
Exployee-Extended Role
✤ Not all internal users / employees can invite external users - they must have the special Connections role!
✤ “Employee-Extended!
✤ The only way to get this role is to be assigned it via wsadmin
Assigning Roles
✤ From /profiles/dmgr01/bin directory!
✤ wsadmin.bat/sh -lang jython -username <wasadmin> -password <password>!
✤ execfile(“profilesAdmin.py”)!
✤ ProfilesService.setRole(“[email protected], EMPLOYEE_EXTENDED)
Securing the Perimeter
Directory Decisions
✤ How will external users register!
✤ Who will have rights to invite external users!
✤ Password quality
Anonymous Access
✤ Disable Anonymous access for all applications!
✤ Edit each application’s “security role to user group mapping” !
✤ Ensure “reader” is not set to “Everyone”
Public Files
✤ External users can’t see public files!
✤ or can they?!
✤ If you use a caching proxy then the public cache will contain information external users shouldn’t see!
✤ Disable public caching in LotusConnections-config.mxl using <genericProperty name="publicCacheEnabled">false</genericProperty>
Working with Libraries
✤ With CCM installed the URL /dm can provide access to any public Libraries!
✤ External users shouldn’t see public ANYTHING!
✤ Ensure the /dm URL is blocked from public interfaces
Desktop Plugin
✤ When using Connections, the interface constantly warns you if you are going to share with internal users!
✤ The desktop plugin doesn’t do that!
✤ This quote from the documentation says it all!
✤ “In addition, some operations might result in unexpected errors” !
Internal and External (Visitor) Views or.. Spot What’s Missing
Internal - Homepage
Visitor Homepage
Internal Community Page
Visitor Community Page
Internal - My Profile
Visitor My Profile
✤ As A Visitor…!
✤ You can add tags but not see existing tag lists!
✤ You can view partial business cards but not full profiles!
✤ You can search for content but that only finds things that are shared with you!
✤ You can share files but only with the Communities you are part of, not with people directly
✤ All of this is good - it keeps your environment secure!
✤ It protects your users from accidentally sharing something unintended!
✤ It doesn’t give up any information the external user doesn’t already know!
!
!
✤ Some things are a bit buggy but hopefully being fixed
01
Questions?
✤ Gab Davis - Technical Director!
✤ The Turtle Partnership!
✤ GabriellaDavis on Skype!
✤ gabturtle on twitter