Active Directory Roles synchronization
AD sync is a process where user information, workspaces, and roles are synchronized between your organization's on-premises Active Directory (AD) and your Snorkel Flow instance. This synchronization ensures that user identities and permissions are consistent and secure across both on-premises and Snorkel Flow environments.
Here are some benefits to using AD sync:
- Security and compliance: AD sync helps enforce consistent access policies and ensures that only authorized users have access to specific resources, reducing the risk of data breaches and ensuring compliance with regulations such as GDPR.
- Centralized identity management: By centralizing identity management, user management processes such as provisioning and deprovisioning accounts are streamlined. In addition, it reduces the administrative overhead associated with managing multiple user directories.
- Improved user experience: Because user identities are synchronized, users need only a single set of credentials.
- Efficient resource allocation: You can dynamically assign and revoke access to resources based on users' roles and responsibilities within your organization. This ensures that users will have the appropriate level of access to perform their job functions without granting unnecessary privileges.
If you want to implement AD roles sync on your instance, reach out to your Snorkel representative.
Considerations for AD roles
When users are provisioned to the default workspace without any AD role, they receive the minimum Annotator permissions. Each user can have only one role within the same workspace, but can have different roles for each workspace.
If the superadmin sets up an admission role, the admission role is required for every user to gain access to the workspace, even if a user has other AD roles.
When the AD role for a user changes, the new role overwrites any existing role for that user.
Snorkel Flow completely ignores any roles that are not formatted correctly. This includes, but is not limited to, these incorrect formats:
- nonexistent roles and workspaces
- prefixes that do not match
- roles that do not meet these formats:
<PREFIX><SEPARATOR><WORKSPACE><SEPARATOR><SF-ROLE>
or <WORKSPACE><SEPARATOR><SF-ROLE>
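Because incorrectly formatted roles are ignored rather than rejected, it helps to check AD role names against the two formats above before relying on a sync. The following pre-flight check is an added example, not Snorkel Flow code: the prefix, separator, workspace names, and role names are constructed sample values, and it assumes exact, case-sensitive matching with no separator inside a workspace or role name.

```python
from collections import defaultdict

# Constructed sample configuration (assumptions, not Snorkel Flow defaults).
PREFIX = "SF"
SEPARATOR = "_"
WORKSPACES = {"default", "fraud"}
SF_ROLES = {"annotator", "reviewer", "developer", "admin"}


def classify_role(name, prefix=PREFIX, sep=SEPARATOR,
                  workspaces=WORKSPACES, roles=SF_ROLES):
    """Return (workspace, role, None) for a well-formed name,
    or (None, None, reason) for a name the sync would ignore."""
    parts = name.split(sep)
    if len(parts) == 3:      # <PREFIX><SEPARATOR><WORKSPACE><SEPARATOR><SF-ROLE>
        if parts[0] != prefix:
            return None, None, "prefix does not match"
        workspace, role = parts[1], parts[2]
    elif len(parts) == 2:    # <WORKSPACE><SEPARATOR><SF-ROLE>
        workspace, role = parts
    else:
        return None, None, "does not match either format"
    if workspace not in workspaces:
        return None, None, "nonexistent workspace"
    if role not in roles:
        return None, None, "nonexistent role"
    return workspace, role, None


def audit_user_roles(ad_roles, **config):
    """Split one user's AD role names into usable mappings, ignored names,
    and workspaces that were given more than one role."""
    per_workspace = defaultdict(set)
    ignored = {}
    for name in ad_roles:
        workspace, role, reason = classify_role(name, **config)
        if reason:
            ignored[name] = reason
        else:
            per_workspace[workspace].add(role)
    # A user has one role per workspace. Several valid roles for the same
    # workspace are flagged for review: the page does not say which applies.
    conflicts = {w: sorted(r) for w, r in per_workspace.items() if len(r) > 1}
    effective = {w: next(iter(r)) for w, r in per_workspace.items() if len(r) == 1}
    return effective, ignored, conflicts
```

Run `audit_user_roles` over each user's AD role names and review the `ignored` and `conflicts` results before the sync, since an ignored name produces no error on the Snorkel Flow side.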