Active Directory Groups in User Management
For tenants that have a high turnover for large quantities of users, you can map CDO to your Active Directory (AD) groups instead of adding individual users to CDO for an easier way to manage your user lists and user roles. Any user changes, such as a new user addition or removing existing users, can now be done in Active Directory and no longer need to be done in CDO.
You must have a SuperAdmin user role to add, edit, or delete an Active Directory group from the User Management page. See User Roles for more information.
In the left pane, choose Settings > User Management.
Active Directory Groups Tab
In the left pane, choose Settings > User Management > Active Directory Groups. This page shows the Active Directory groups that are currently mapped to CDO. Most importantly, this page displays the role of the Active Directory group as assigned in your Active Directory manager.
Users within an Active Directory group are not listed individually in either the Active Directory Groups tab or the Users tab.
Audit Logs
Audit Logs in CDO record user-related and system-level actions. Key events that are captured by the Audit Logs include:
- User Login: Records every instance of user authentication.
- Tenant Association and Disassociation: Tracks user associations with, or disassociations from, tenants.
- User Role Change: Records any modifications to user roles.
- Active Directory Groups: Records any addition, deletion, and role changes within AD groups.

To view the Audit Logs:
- In the left pane, click Settings > User Management.
- Click the Audit Logs tab. A list of events and activities in the tenant you are currently logged into is displayed.
- Use the Search text box to find logs for a specific user.
- Click the filter icon to refine your search results and view specific events. You can filter the logs by Time Range and Event Action.
- Click Export to download the details in CSV format.
Multi-role Users
As an extension of the IAM capabilities in CDO, a user can now have multiple roles.
A user can be part of multiple groups in Active Directory, and those groups can be defined in CDO with different CDO roles. The final permissions that a user gets on login are the combination of the roles of all the Active Directory groups defined in CDO that the user is part of. For instance, if a user is part of two Active Directory groups and both groups are added in CDO with two different roles, such as edit-only and deploy-only, the user has both edit-only and deploy-only permissions. This applies to any number of groups and roles.
Active Directory group mappings need to be defined only once in CDO; after that, access and permissions for users can be managed exclusively in Active Directory by adding, removing, or moving users between groups.
Note: If a user is both an individual user and part of an Active Directory group on the same tenant, the user role of the individual user overrides the user role of the Active Directory group.
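The two rules above (permissions are the combination of every mapped group's role; an individual user entry on the same tenant overrides the group role) are easy to reason about for one user and easy to lose track of across a directory. The following is an added example, not Cisco's code: it computes the effective roles and permissions a user would get on login from a constructed group-to-role map, and lists users whose combined permissions are broader than any single role they hold, which is where accidental privilege accumulation shows up. The group names, user names, the read-only and admin roles, and the permission strings behind each role are assumptions; only the edit-only and deploy-only role names come from the page.

```python
"""Effective CDO permissions for a user who belongs to several AD groups.

Added example, not Cisco's code. It implements the two rules the page
states: a user's permissions are the combination of the roles of every
mapped AD group the user belongs to, and an individual user entry on the
same tenant overrides the group-derived role. Group names, user names and
the role-to-permission table are constructed assumptions.
"""

# Constructed: what each CDO role is allowed to do. "edit-only" and
# "deploy-only" are named on the page; the other roles and the permission
# strings are assumptions for illustration.
ROLE_PERMISSIONS = {
    "read-only": {"read"},
    "edit-only": {"read", "edit"},
    "deploy-only": {"read", "deploy"},
    "admin": {"read", "edit", "deploy", "manage-users"},
}

# Constructed: AD group -> CDO role, as defined once in CDO.
GROUP_ROLE_MAP = {
    "CDO-Editors": "edit-only",
    "CDO-Deployers": "deploy-only",
    "CDO-Admins": "admin",
}

# Constructed: individual user entries that exist directly in CDO on this tenant.
INDIVIDUAL_USER_ROLES = {
    "carol@example.com": "read-only",
}

# Constructed: AD group membership as it would be read from the directory.
MEMBERSHIPS = {
    "alice@example.com": ["CDO-Editors", "CDO-Deployers"],  # two mapped groups -> combined roles
    "bob@example.com": ["CDO-Deployers", "HR-Staff"],       # HR-Staff is not mapped in CDO
    "carol@example.com": ["CDO-Admins"],                    # individual entry overrides the group
    "dave@example.com": ["HR-Staff"],                       # no CDO access at all
}


def effective_roles(user, user_groups, group_role_map=GROUP_ROLE_MAP,
                    individual=INDIVIDUAL_USER_ROLES):
    """Return the set of CDO roles that apply to `user` on login.

    An individual user entry overrides group mappings entirely; otherwise the
    roles of every mapped group the user is in are combined. Groups that are
    not mapped in CDO contribute nothing.
    """
    if user in individual:
        return {individual[user]}
    return {group_role_map[g] for g in user_groups if g in group_role_map}


def effective_permissions(roles, role_permissions=ROLE_PERMISSIONS):
    """Union of the permissions granted by each role in `roles`."""
    perms = set()
    for role in roles:
        perms |= role_permissions[role]
    return perms


def accumulated_privileges(memberships, group_role_map=GROUP_ROLE_MAP,
                           individual=INDIVIDUAL_USER_ROLES,
                           role_permissions=ROLE_PERMISSIONS):
    """Users whose combined permissions exceed what any one of their roles grants alone.

    Returns {user: sorted permission list}. These are the users to review when
    checking that group membership still matches least privilege.
    """
    flagged = {}
    for user, groups in memberships.items():
        roles = effective_roles(user, groups, group_role_map, individual)
        combined = effective_permissions(roles, role_permissions)
        if roles and all(combined > role_permissions[r] for r in roles):
            flagged[user] = sorted(combined)
    return flagged


if __name__ == "__main__":
    for user, groups in MEMBERSHIPS.items():
        roles = effective_roles(user, groups)
        print(f"{user}: roles={sorted(roles)} permissions={sorted(effective_permissions(roles))}")
    print("privilege accumulation:", accumulated_privileges(MEMBERSHIPS))
```

The override rule cuts both ways: an individual entry can shrink a user's access below what their groups grant (carol above), and it can also silently keep a role the directory no longer intends, since moving the user between AD groups changes nothing for that entry. Reviewing individual entries alongside group membership keeps the directory the single source of truth the section describes.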
API Endpoints for Active Directory Groups
If you are a super admin, you can use API endpoints to do the following:
The aforementioned links point to the corresponding sections of the Cisco DevNet website.