The user receives the union of access rights associated to each group he belongs to.
Example: John Smith belongs to the HR and Finance groups which have been added to Orchestrator. HR group has the Management role and access to the HR folder, Finance has the Executor role, and access to the Finance folder. Being part of both groups, John has the Management and Executor roles and access to both the HR and Finance folders.
The user receives the union of access rights associated to the group he belongs to and the ones explicitly set. Keep in mind that inherited access rights are dependent on group settings, and that explicitly set access rights are independent of group settings.
Example: John Smith has been individually added from AD and explicitly given the Executor role, and access to the Finance folder. The HR group (of which John is a member) has been also added to Orchestrator, and given the Management role and access to the HR folder. John has the Executor and Management roles, and access to both the HR and Finance folders. If he is removed from the HR group at AD level, he loses the Management role and access to the HR folder, but keeps the ones set explicitly.
Since a user receives the union of rights associated to all the groups he belongs to, a Robot gets created for your user based on the configuration made for the first group.
No, if you did not set access-rights explicitly for them. Yes, if you granted them access-rights individually in Orchestrator. Inherited access-rights are are only kept for the duration of the active user session. Only explicitly set access rights persist between sessions. Deleting or deactivating a directory group deletes inherited rights, but does nothing to those which have been explicitly set.
Changes made to your AD groups, like adding, moving or deleting a user are interrogated by Orchestrator at each user login, or once every 60 minutes for active sessions. 60 minutes is the default value and it can be changed in
web.config through the
Updated 2 months ago