Auto Provisioning provides a mechanism to automatically sync your user licenses in BI Office with security groupings in Active Directory. In effect, it provides a streamlined mechanism to manage user licenses through group membership rather than the manual tools provided in the Admin console.
NOTE: Provisioning has to be enabled from the settings tab before it can be used.
NOTE: Provisioning features are only available with the enterprise license option.
The provisioning interface is on the scheduled tasks tab in the admin console.
The provisioning engine runs on a scheduled basis. The settings for the schedule are set in the settings tab of the console. You can see the count-down to the next run in the yellow highlighted section above. To launch all jobs regardless of the scheduler, click the immediate launch button (blue arrow).
To add a new provisioning job, click the add new job button (black arrow). You are presented with the following dialog:
Security Group – Pick the group in the Active Directory to monitor for changes. Only one group can be monitored per job. When you click the select group button, you are prompted to search for the relevant group in the Active Directory domains you have implemented in BI Office.
License Type – choose the type of the license to use in the job. When changing the License Type, the Client License Pack drop-down menu will change accordingly.
Client License Pack – Choose the specific client license pack to use in the job. New users will be allocated licenses from this pack accordingly.
Role To Add – Role to assign to the users that are added in the job. Users are only added to a single role through this mechanism.
NOTE: See the typical rollout scenario below for an explanation of how to set up optimal provisioning.
Once a job is added, you can click the edit or delete buttons to maintain the job listing (red highlight).
Clicking the information icon (red arrow) will show all users who are currently listed as active - or those in the current user "cache". This is the existing baseline stored in the engine to determine who will be added and removed on the next run of the job (incremental edits).
Clicking the reset or clear button (purple arrow) will clear the cache for the job, forcing the engine to do a full evaluation of users without the pre-existing baseline cache.
At any time, you can reset all caches for all jobs using the Clear All button (green arrow).
The following is a suggested approach to using provisioning and roles in BI Office:
- Administrators should create an AD group that aligns with each license type and/or pack that is used EXCLUSIVELY for adding and removing users to the system. The group can be used for other purposes (like content security), but generally, it is better to design it for this single purpose only. This group need not designate content access in either BI Office or Analysis Services (and probably shouldn't).
- Secondary groups with different memberships should then be created in the AD for aligning content (and data model) access. These groups should be attached to BI Office roles and/or data model roles in Analysis Services. This will allow administrators to assign content access rights in BI Office independently of the license provisioning process enacted in step #1 above.
As users are added or removed from the AD, their access to BI Office in general, and specific BI Office content and data models in particular, will be automatically reflected without manual intervention or custom handling inside BI Office and SSAS.
Assigning users directly to BI Office roles is possible, but should not be used broadly in large deployments. Avoiding direct assignment ensures that content management is governed almost entirely from group membership in the AD, rather than by one-off manual edits inside BI Office.
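One way to check the two-tier group design described above is to cross-check the licensing group against the content groups. The PowerShell function below is an added example, not part of the BI Office documentation; the group names, user names and membership data are constructed for illustration.

```powershell
# Added example: audit a licensing group against content-access groups.
# All group and user names are hypothetical; the membership data is constructed.

function Compare-ProvisioningGroups {
    param(
        [Parameter(Mandatory)] [string[]]  $LicensedUsers,  # members of the licensing group
        [Parameter(Mandatory)] [hashtable] $ContentGroups   # content group name -> member list
    )

    # Account names are compared case-insensitively.
    $licensed = [System.Collections.Generic.HashSet[string]]::new(
        [string[]]$LicensedUsers, [System.StringComparer]::OrdinalIgnoreCase)
    $withContent = [System.Collections.Generic.HashSet[string]]::new(
        [System.StringComparer]::OrdinalIgnoreCase)

    foreach ($group in ($ContentGroups.Keys | Sort-Object)) {
        foreach ($user in $ContentGroups[$group]) {
            [void]$withContent.Add($user)
            if (-not $licensed.Contains($user)) {
                # Holds content rights, but is not in the group the provisioning job monitors.
                [pscustomobject]@{ User = $user; Group = $group; Issue = 'ContentAccessWithoutLicense' }
            }
        }
    }

    foreach ($user in ($licensed | Sort-Object)) {
        if (-not $withContent.Contains($user)) {
            # Occupies a license seat, but no content group grants any access: review.
            [pscustomobject]@{ User = $user; Group = $null; Issue = 'LicensedWithoutContentAccess' }
        }
    }
}

# Constructed sample memberships. With the ActiveDirectory module, live data could
# be read with: (Get-ADGroupMember -Identity '<group name>').SamAccountName
$licenseGroup  = @('alice', 'bob', 'carol')            # e.g. hypothetical 'BIO-License-Viewer'
$contentGroups = @{
    'BIO-Content-Finance' = @('alice', 'dave')
    'BIO-Content-Sales'   = @('bob')
}

Compare-ProvisioningGroups -LicensedUsers $licenseGroup -ContentGroups $contentGroups |
    Format-Table -AutoSize
```

With the sample data, `dave` is reported as having content access without a license and `carol` as holding a license with no content access.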