Adding/Updating Users to Corps Management (IT)
Corps Management Security Model
Citrix: Access to the application requires Citrix. If the user does not already have Citrix, it will need to be pushed out to them before they can access the system. While we're here, don't forget to give the user access to the "CMD" icons!
Unit/Location: The location(s) under the divisional headquarters that the person works at or needs access to (AD Groups were set up to define Units under the divisional OU). A user can be placed in as many location-specific AD groups as needed to perform their job.
Roles/Groups: The term used to define a group of user permissions. The groups are generally job-based roles (bookkeeper, Corps Officer, Statistician).
Permissions: Specific tasks that a user can do (or not do) within the application.
Command Help Desk staff will have the ability to set up users themselves without having to go to THQ IT for assistance. It will be important for you to understand the security model so that access is successful.
Location Based AD Groups
Each Command OU will have a list of locations that are associated with a corps. Locations will appear as such:
- USECM - EPA - Allentown Temple
- USECM - EPA - Berwick Corps
- USECM - EPA - Bethlehem Corps
- USECM - EPA - Bethlehem Temple
To Do: The DHQ IT staff will add users to 1 or more of these location based AD Groups.
Role Based AD Groups
Each Command OU will have 9 Role AD Groups that they can add users to. 4 will be for the Corps Level and 6 will be for the DHQ level. Examples include:
Corps Level
- USECM - NJ - Bookkeepers
- USECM - NJ - Corps Admin Aid
- USECM - NJ - Corps Officers
- USECM - NJ - Default Permissions
DHQ Level
- USECM - NJ - DHQ Corps Cadets
- USECM - NJ - DHQ Statisticians (should only include the DHQ Statistician and the DHQ Program Secretary)
- USECM - NJ - DHQ with Corps Review Rights
- USECM - NJ - DHQ Youth Department
- USECM - NJ - IT Support Staff
- USECM - DHQ Finance
To Do: The DHQ IT staff will add users to 1 or more of these role based AD Groups. Most users will be placed in the 'Default Permissions' group unless there is a reason to put them in another group which has increased access.
Helpful Notes
- To understand what each role will have access to, see the security matrix
- A user will need both a ‘location’ AD Group and a ‘role’ AD Group
- A corps user can access only his/her corps information; a divisional user can access all corps within the division; a territorial user can access all information.
- You can add a user to more than one ‘location’ AD Group if the user has responsibility to do work in more than one location
- You can add a user to more than one ‘role’ AD Group if the user has responsibility to do work in more than 1 functional role.
- If the user cannot determine the appropriate role, assign the ‘default’ role within the ‘role’ AD Group.
- The bookkeeper role will be limited to staff who have bookkeeping responsibilities.
- If a divisional user does data entry for corps, he/she only needs the divisional location AD group since the division can access any corps data.
How to Add a User to AD Groups (no AD account)
- A user will submit a ticket to the divisional help desk.
- The divisional help desk will create an AD account for the user
- The divisional help desk will push out Citrix to the user
- The divisional help desk will add the user to at least 1 'location' and 1 ‘role’ AD Group
How to Move a User to different AD Groups
*appropriate when moving to a new location or changing positions within the same location
- A user will submit a ticket to the divisional help desk
- The divisional help desk will move the user from the old AD group(s) to the new AD Group(s) making sure that 1) the user is in at least one ‘location’ AD group and 2) the user is in at least one ‘role’ AD Group
How to Give ‘MORE’ access to a User using AD Groups
*appropriate when a user needs more access and it has been confirmed with the Corps Officer
Each ‘role’ group has different permissions; the user can be added to more than one ‘role’ group to give them more access when appropriate.
Troubleshooting
If a user cannot access the environment, try these steps.
- Ensure the user has an active AD Account
- Ensure they have Citrix on the computer they are trying to access. If they don't, here are some instructions you can provide them to download Citrix from the App Store: Citrix from the App Store OR access the web version of the application: https://sactx.usaeast.org
- **Ensure the user is in both a location AD group AND a role AD Group**
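The both-groups check from the troubleshooting step, as an added PowerShell example (not part of the original procedure): it sorts a user's group names into 'location' and 'role' groups using the role names listed on this page and reports what is missing or needs review. The function name, the sample accounts and the rule that any other "USECM - ..." group counts as a location group are assumptions.

```powershell
# Added example. Role suffixes are copied from the role groups listed on this page;
# adjust the list to the role groups that exist in your own Command OU.
$RoleSuffixes = @(
    'Bookkeepers', 'Corps Admin Aid', 'Corps Officers', 'Default Permissions',
    'DHQ Corps Cadets', 'DHQ Statisticians', 'DHQ with Corps Review Rights',
    'DHQ Youth Department', 'IT Support Staff', 'DHQ Finance'
)

function Test-CmGroupMembership {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $User,
        [Parameter(Mandatory)] [AllowEmptyCollection()] [string[]] $GroupNames
    )
    # Only groups following the "USECM - ..." naming shown on this page are considered.
    $cm = @($GroupNames | Where-Object { $_ -like 'USECM - *' })
    # A group is a role group when its last " - " segment is a known role name.
    $roles = @($cm | Where-Object { ($_ -split ' - ')[-1] -in $RoleSuffixes })
    # Assumption: every other USECM group is a location group.
    $locations = @($cm | Where-Object { $_ -notin $roles })

    $findings = @()
    if ($locations.Count -eq 0) { $findings += "No 'location' AD group" }
    if ($roles.Count -eq 0)     { $findings += "No 'role' AD group" }
    # Roles beyond Default Permissions carry increased access, so list them for review.
    $elevated = @($roles | Where-Object { $_ -notlike '* - Default Permissions' })
    if ($elevated.Count -gt 0) {
        $findings += "Confirm increased access: " + ($elevated -join '; ')
    }
    [pscustomobject]@{
        User = $User; Locations = $locations; Roles = $roles; Findings = $findings
    }
}

# Constructed sample input (not real accounts), so the check runs without AD access.
$samples = @{
    'jdoe'   = @('Domain Users', 'USECM - EPA - Berwick Corps')
    'asmith' = @('USECM - EPA - Default Permissions', 'USECM - EPA - Bookkeepers',
                 'USECM - EPA - Allentown Temple')
}
foreach ($u in $samples.Keys) {
    Test-CmGroupMembership -User $u -GroupNames $samples[$u] | Format-List
}

# Against a live directory (requires the ActiveDirectory module):
# $names = @(Get-ADPrincipalGroupMembership -Identity 'jdoe' | Select-Object -ExpandProperty Name)
# Test-CmGroupMembership -User 'jdoe' -GroupNames $names
```

An empty Findings list means the user has at least one group of each kind and no role beyond 'Default Permissions'.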
Known Error Message #1
This is a known error and occurred when a user was in an AD group that did not get mapped to the application correctly. If you get this error, transfer the ticket to THQ IT Help Desk with the name of the AD groups you added the user to so that we can troubleshoot.
How to Report a Corps That Is No Longer Active
If the IT department sees that a ‘location’ AD group exists for a corps that is no longer operational, do NOT delete the group. Transfer the ticket to the IT Help Desk and provide details as to why the corps is no longer operational (i.e. closed, merged with X corps, part of another Corps). We converted data from other LN applications that will need to be resolved before AD groups are deleted.
Security Matrix
If you are interested in seeing a list of all roles and the specific permissions associated with each, here is the matrix.