Previously, for On premise versions, Archibus had some configuration files that allowed the authorization process (to give a role to the user based on an AD security group). In SaaS, this is not possible as it is not considered as a standard feature.
The suggestion is to add this process as standard for SaaS, as there are several companies that require it. The process would work like this:
• Customer IT team creates the needed groups in AD, using archibus-identifiable encoding (e.g., starting with an ARCH prefix)
• Archibus admins create new roles in Archibus, with the same encoding than the used in AD
• When the user logs into Archibus, the SSO process should validate not only the user and password existence, but also will check the security group assigned to the user in AD, and will reply it on AFMUSERS in Archibus.
• If the user has always the same group in AD, its record in afmusers will keep the same role assigned. If the user security group has changed in AD, the next time the user will log into Archibus, its role will be changed.