Use AD Security Groups for SharePoint database permissions

In our SharePoint environment we have around 30 content databases. Each of these content databases needs a few application pool accounts added to their permissions for various service applications etc. Currently all the accounts are added individually, but this can be a little error prone. Is there a reason why we could just pop all the required accounts in an AD security group and add that database permissions in SQL?

You could do that, but your service accounts shouldn't be accessing the databases directly, instead routing through the SharePoint API, which then permissions would be taken care of by SharePoint accounts (or if you have custom Service Applications, the
service app pool account).
Trevor Seward
This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

Similar Messages

  • Security Group for SharePoint 2013 Online Enterprise 3

    I need to copy all the user account names from one SharePoint Security group to a different SharePoint Security group in the same single tenant.
    I can not figure out how to do this.
    Thanks.
    Dawn

    Call your local Microsoft office (any office may do, but info from your local office will be more accurate), and ask for the
    Account Manager for SMB (small to medium businesses) in the
    education sector.
    Scott Brickey
    MCTS, MCPD, MCITP
    www.sbrickey.com
    Strategic Data Systems - for all your SharePoint needs

  • Using a security group to add members to the collection question

    Hi,
    I have a collection created in SCCM 2007 that is using a security group for membership. So I added a computer to the security group in AD but when I go to SCCM and click on the collection I don't see the computer in the collection. Should it show here or
    because it is a security group based membership will it not show the members?
    Thanks!

    Details from Active directory are added to SCCM database through discovery methods. Please ensure that AD security group discovery and AD system discovery are enabled in the primary site. If they are enabled, check the frequency set for these discovery
    methods. Once you added these computers to the AD group, you need to wait till the next discovery cycle before it appears in SCCM collections. Till that point, SCCM database will not have information about the group memberships of these computers

  • Work email field not filling in for mail enabled security groups in sharepoint

    I've recently been trying to setup alerts to send to mail enabled security groups on our sharepoint site.
    I've created universal mail enabled security groups for this purpose, and populated them with users, and then set those in the alert field, but no one is getting alerts.
    After a lot of investigation, I've found that this is likely because the security groups listed under sharepoint in the people and groups section don't have work email fields filled in. There's a couple of groups that work which do have this field filled
    in, but everything created recently is missing this. I can't seem to set this field up to be editable instead of importing from AD either. I've confirmed the AD import is working fine, all user details and work email fields are filled out correctly, it is
    only the security groups that are having problems.
    Does anyone have any experience with this?

    As per your description I assume that individual user gets email alert, right?
    If no then go to central administration > operation > timer job definitions > “web application” view > select your web application in the menu bar to check if Immediate alerts working fine
    If not, please run the following operations:
    stsadm -o setproperty -propertyname alerts-enabled -propertyvalue false -url http://...
    stsadm -o setproperty -propertyname alerts-enabled -propertyvalue true -url http://...
    stsadm -o setproperty -propertyname job-immediate-alerts -propertyvalue "every 5 minutes" -url http://...
    And then try again.
    At last, if the issue is still there, please check your email server settings in terms of the following articles:
    http://www.sharepoint-tips.com/2007/10/email-alerts-not-getting-sent-while.html
    http://social.technet.microsoft.com/Forums/en-US/sharepointworkflow/thread/36c3b5b5-af03-4f8a-b202-b62db330c21c/
    And if individual user gets an alert then you can create customized alert for Sec group
    Please refer
    http://sptoolbox.codeplex.com/releases/view/8255
    hope this will help you
    Regards, Pratik Vyas | SharePoint Consultant | http://sharepointpratik.blogspot.com/

  • Security Groups for the alerts in SharePoint 2013?

    By default Microsoft has blocked to add Security Groups for the alerts in SharePoint 2013. It can be enabled but need to change the SharePoint System page setting with the help
    of below link:
    http://thesharepointfarm.com/2013/10/setting-sharepoint-alerts-on-active-directory-security-groups/
    So my query is if I change the page setting then in future if any SharePoint updates/ hotfixes deploy in system so will it cause a problem??

    I would wait as this is not a supported workaround (although it does work).
    Trevor Seward

  • Sync Project Online Security Group to SharePoint Security Groups

    Hi,
    Is there any way to sync project server security group(Custom) into SharePoint Security Groups.
    My scenario is: I created a document library, I want to apply project server security on it, based on project server security groups, for that currently I created a custom group in sharepoint and manually added the users into that group. That doesn't look
    good, because if my project online group will change, then manually I have to change sharepoint group too. So what I want is, that sharepoint group is automatically synced with project online group.
    Or is there any other way to assign project online security in document library?
    Thanks
    PSN

    No there is no workaround other than creating a group on Office 365 server.
    SharePoint Online lets you create security groups via the Admin Overview page
    http://technet.microsoft.com/en-us/magazine/hh395478.aspx
    Just found a 3rd party. Check if it can help
    http://en.share-gate.com/blog/migrate-to-office-365-configure-sharepoint-to-use-active-directory
    Active Directory Synchronization: Allows you to sync your Active Directory Objects such as users and groups to your Office 365 account. This is a one-way synchronization, which means you continue to manage users On-Premises, and your changes
    will appear on Office 365 SharePoint. However, authentication and passwords are still managed by Office 365. It will be required for Password Sync and Single Sign On (see below).
    If this helped you resolve your issue, please mark it Answered

  • Security Update for sharepoint will change farm version?

    Security Update for SharePoint will change farm version or not?

    Not all security updates change the farm build #, but some do. It just depends on what is in the security update.
    Trevor Seward

  • Exchange 2010 Unable to Assign Full Access Permissions using a Security Group

    I've been running into this issue lately.  I cannot seem to use groups to allow full access to mailboxes.  When I add them from the EMC, it will show up when you go to "Manage Full Access Permission...".  After waiting a day and even restarting
    the Information Store service, the permissions do not take effect.  When I view the msExchDelegateListLink attribute of the mailbox account, the group is not listed.
    When I grant a user full permission, it works and updates the attribute.  However, on occasion when I revoke the full access permission for a user is doesn't always remove that user from the msExchDelegateListLink attribute.  So the mailbox
    will still appear in Outlook, but the user isn't able to see new emails.
    Any ideas on what may be going wrong?
    Environment:
    Exchange Server 2010 SP1 Standard
    Windows Server 2008 R2 Standard
    Outlook 2010 SP1 (tried without SP1 as well)
    I was looking over Add-MailboxPermission on Technet (http://technet.microsoft.com/en-us/library/bb124097.aspx) and I noticed that it doesn't mention adding groups.  Is this not possible?

    I never got a proper fix.
    I worked around it by creating a script which gets the members of an AD Mail Enabled security group, and updates the full access based on the groups members.
    Here's a script I'm running every hour which updates permissions. It's probably not the most efficient script ever, but it works. It has several benefits
    1. Managers of the distribution group can add/remove mailbox members using OWA or through the address list
    2. New members of groups are added to FULL Access Permissions
    3. Members removed from the groups are removed from FULL access permissions
    4. Automapping works :)
    5. Maintains a log of access added / removed / time taken etc.
    Obviously I have had to remove domain related information, replace with whatever your domain requirements are, and PLEASE debug it properly in your environment first, don't complain to me if it wipes out a load of access for you or something like that!
    It takes about 5 minutes to run in my environment. Some formatting seems to have got messed up on here, sorry. I hope it is of use!
    # Mailbox Permissions Setter for Exchange #
    # v1.1 #
    # This script will loop through all mailboxes in Exchange and find any where #
    # the type is 'SHARED'. These should be determined to be a GROUP/SHARED mailbox #
    # and access to these mailboxes are controlled by a single ACL, e.g. 'ACL_Shared_Mailbox'. #
    # This script will add any members of these ACLs directly to the Full Access Permissions #
    # of the mailbox and also remove them if they no longer need the access. #
    # Script created by Jon Read, Technical Administration
    # Recent Changes
    # 15/11/2012
    # 1.1 Added exclusions for ACLs that we don't want automapping to happen for
    # 12/11/2012
    # 1.0 Initial script
    #Do not change these values
    Add-PSSnapin *Ex*
    $starttime = Get-Date
    $logfile = "C:\accesslog.txt"
    $logfile2 = "C:\accesslog2.txt"
    $totaladditionstomailboxes = 0
    $totalremovalsfrommailboxes = 0
    $totalmailboxesprocessed = 0
    $totalmailboxesskipped = 0
    # Exclude any ACLs that shouldn't be processed here if they are used for a non-standard purpose and
    # we don't want FULL access mapping to happen. Separate array values with commas
    $ExcludedACLArray = "DOMAIN\ACL_ExcludedExample"
    Write-Output " " >> $logfile
    Write-Output " " >> $logfile
    Write-Output "#----------------------------------------------------------------#" >> $logfile
    Write-Output "# Mailbox Permissions Setter for Exchange #" >> $logfile
    Write-Output "# v1.1 #" >> $logfile
    Write-Output "#----------------------------------------------------------------#" >> $logfile
    Write-Output " " >> $logfile
    Write-Output " " >> $logfile
    Write-output "Start time $starttime ">> $logfile
    Write-Output " " >> $logfile
    Write-Output " " >> $logfile
    # Set preferred DCs and GCs
    $preferredDC = "preferredDC.domain"
    $preferredGC = "preferredGC.domain"
    Write-Output " PreferredDC = $preferredDC ">> $logfile
    Write-Output " PreferredGC = $preferredGC " >> $logfile
    Set-ADServerSettings -PreferredGlobalCatalog $preferredGC -SetPreferredDomainControllers $preferredDC
    # The first part of this will ADD permissions to the mailbox, reading from an associated ACL.
    # Check for all mailboxes where the type is SHARED. These are the only ones we would
    # want to apply group mailbox permissions to.
    foreach ($mailbox in get-mailbox -resultsize "unlimited" | where-object {$_.RecipientTypeDetails -eq "SharedMailbox"}) {
        $totalmailboxesprocessed = $totalmailboxesprocessed + 1
        Write-Output " " >> $logfile
        Write-Output " " >> $logfile
        Write-Output "|-------------------------------------------------------" >> $logfile
        Write-Output "| MAILBOX ADDITIONS: $mailbox " >> $logfile
        Write-Output "|-------------------------------------------------------" >> $logfile
        $mailbox=$mailbox.ExchangeGuid.ToString()
        # For each of them, get the distribution list applied to the mailbox (Starting DOMAIN\ACL_)
        # We then need it to be turned into a string to use later.
        #Declared $changes as 0. if this is set to 0 at the end of the mailbox job, we know no changes were made.
        $changes = 0
        foreach ($distributiongroup in get-mailbox $mailbox | Get-MailboxPermission | Where-Object {$_.User -like "DOMAIN\ACL_*" }) {
            $skipACL = 0
            #Get the distribution group and put the name in a useable format
            $distributiongroup=$distributiongroup.user.tostring()
            Write-Output "Found ACL $distributiongroup" >> $logfile
            # Check if this distribution group needs to be excluded and if it shouldn't be processed
            # then move onto the next ACL. This will stop FULL access being granted if the mailbox is
            # used for a non-standard purpose. See the start of this script
            # for where these are excluded (ExcludedACLArray)
            foreach ($ACL in $ExcludedACLArray ) {
                if ($distributiongroup -eq $ACL) {
                    $skipACL = 1
                    Write-Output "ACL $distributiongroup is excluded so skipping mailbox " >> $logfile
                    $totalmailboxesskipped = $totalmailboxesskipped + 1
                }
            }
            if ($skipACL -eq 0) {
                # Get each user in this group and for each of them, try to add them to full access permissions.
                foreach ($user in Get-DistributionGroupMember -identity $distributiongroup) {
                    # Get the user to try, convert to DOMAIN\USER to use shortly
                    $user="DOMAIN\" + $user.alias.ToString()
                    # Check to see if the user we have chosen from the ACL group already exists in the full access
                    # permissions. If they do, set $userexists to 1, if they do not, leave $userexists set to 0.
                    # Set $userexists to 0 as the default
                    $userexists = 0
                    foreach ($fullaccessuser in get-mailbox $mailbox | Get-MailboxPermission) {
                        # See if the user exists in the mailbox access list.
                        # Change $fullaccessuser to a useable string (matching $user)
                        $fullaccessuser=$fullaccessuser.user.tostring()
                        if ($fullaccessuser -eq $user) {
                            $userexists=1
                            # Break out of foreach if the user exists so we don't unnecessarily loop
                            break
                        }
                    }
                    # Now we know if the user needs to be added or not, so run code (if needed) to add
                    # the user to full access permissions
                    if ($userexists -eq 0) {
                        Add-MailboxPermission $mailbox -user $user -accessrights "FullAccess"
                        Write-Output "Added $user " >> $logfile
                        $changes = 1
                        $totaladditionstomailboxes = $totaladditionstomailboxes + 1
                    }
                    #Now repeat for other users in the ACL
                }
            }
        }
        #if changes were 0, then log that no changes were made
        if ($changes -eq 0) {
            Write-Output "No changes were made." >> $logfile
        }
    }
    Write-Output " " >> $logfile
    Write-Output " " >> $logfile
    Write-Output "---------------------------------------------------------------------------------" >> $logfile
    Write-Output " FINISHED ADDING PERMISSIONS" >> $logfile
    Write-Output "---------------------------------------------------------------------------------" >> $logfile
    Write-Output " " >> $logfile
    # The second part of this will REMOVE permissions from the mailbox, reading from an associated ACL.
    ## Check for all mailboxes where the type is SHARED. These are the only ones we would
    ## want to apply group mailbox permissions to.
    foreach ($mailbox in get-mailbox -resultsize "unlimited" | where-object {$_.RecipientTypeDetails -eq "SharedMailbox"}) {
        Write-Output " " >> $logfile
        Write-Output " " >> $logfile
        Write-Output "|-------------------------------------------------------" >> $logfile
        Write-Output "| MAILBOX REMOVALS : $mailbox " >> $logfile
        Write-Output "|-------------------------------------------------------" >> $logfile
        $mailbox=$mailbox.ExchangeGuid.ToString()
        #Declared $changes as 0. if this is set to 0 at the end of the mailbox job, we know no changes were made.
        $changes = 0
        # For the current mailbox, get a list of all users with FULLACCESS, and then for each of them
        # check if they exist in the ACL
        foreach ($fullaccessuser in get-mailbox $mailbox | Get-MailboxPermission | Where-Object {$_.Accessrights -like "FullAccess" }) {
            # Get the security identifier (SSID) of the FULLACCESS user to store for later.
            $fullaccessuserSSID=$fullaccessuser.user.SecurityIdentifier.ToString()
            $fullaccessuser=$fullaccessuser.User.ToString()
            #If user needs to be excluded then skip this bit
            #Users added or removed will only start with 07 (07$, 07T), so only run if the user starts with this.
            #This stops it trying to remove NT AUTHORITY\SELF and other System entries
            if ($fullaccessuser -like "DOMAIN\07*") {
                # Set $userexists to be 0. if we find the user needs to remain, then change it to 1.
                $userexists=0
                # Check if this user exists in the ACL, if not, remove.
                foreach ($distributiongroup in get-mailbox $mailbox | Get-MailboxPermission | Where-Object {$_.User -like "DOMAIN\ACL_*" }) {
                    $distributiongroup=$distributiongroup.user.tostring()
                    #Write-Output "Found associated distribution group $distributiongroup" >> $logfile
                    # Get each user in this group and for each of them, See if it matches the user in the mailbox.
                    foreach ($user in Get-DistributionGroupMember -identity $distributiongroup) {
                        # Get the user to try, convert to DOMAIN\USER to use shortly
                        $userguid = $user.Guid.ToString()
                        $user="DOMAIN\" + $user.alias.ToString()
                        if ($fullaccessuser -eq $user) {
                            $userexists=1
                            #we have found the user exists so no need to continue
                            break
                        }
                    }
                }
                # If userexists = 0, then they are NOT in the ACL, and should be removed from
                # the full access permissions. Run the code to remove them from full access.
                #CONVERT FULLACCESSUSER TO GUID AND REMOVE $FULLACCESSUSERGUID NOT $USERGUID
                if ($userexists -eq 0) {
                    Remove-MailboxPermission -Identity $mailbox -user $fullaccessuserSSID -accessrights "FullAccess" -Confirm:$false
                    Write-Output "Removed $fullaccessuser " >> $logfile
                    $changes = 1
                    $totalremovalsfrommailboxes = $totalremovalsfrommailboxes + 1
                }
            }
        }
        # if changes = 0, no changes were made to this mailbox, so log this fact.
        if ($changes -eq 0) {
            Write-Output "No changes were made." >> $logfile
        }
    }
    #Put the time in a displayable format
    $endtime = Get-Date
    $runtime = $endtime - $starttime
    $runtime = $runtime.ToString()
    $runtime1 = $runtime.split(".")
    $totaltime = $runtime1[0]
    Write-Output " " >> $logfile
    Write-Output " " >> $logfile
    Write-Output "|-------------------------------------------------------------------------------------- " >> $logfile
    Write-Output "| SCRIPT COMPLETE : STATS " >> $logfile
    Write-Output "|-------------------------------------------------------------------------------------- " >> $logfile
    Write-Output "| Total Mailboxes Processed : $totalmailboxesprocessed " >> $logfile
    Write-Output "| Total Additions : $totaladditionstomailboxes " >> $logfile
    Write-Output "| Total Removals : $totalremovalsfrommailboxes " >> $logfile
    Write-Output "| Total Mailboxes Skipped due to ACL : $totalmailboxesskipped " >> $logfile
    Write-output "| Start time : $starttime ">> $logfile
    Write-output "| End time : $endtime ">> $logfile
    Write-Output "| **END OF RUN** - Elapsed time : $totaltime " >> $logfile
    Write-Output "|---------------------------------------------------------------------------------------" >> $logfile
    Write-Output " " >> $logfile

  • SCCM 2007 database query for AD security group for machines

    Dear,
    I had created a security DL in AD for machines to deploy software and am trying to link it in SCCM 2007 with a collection, but could not.
    I have tried the query-based approach following the link below but it does not help
    http://www.windows-noob.com/forums/index.php?/topic/892-deploy-software-through-ad-groups-linked-to-collections-in-sccm/
    type all query but could not find in table (SystemGroupName).

    Go to properties of your collection and add a new membership rule to add the security group
    SCCM use discovery methods to get information from AD. Make sure AD system discovery and AD security group discovery are enabled for the SCCM site. Once you add machines to the security group, you need to wait till the next discovery cycle is completed.
    The discovery cycle runs on a schedule set by SCCM administrator.

  • Using domain security groups in exchange security groups for Office 365

    Hi
    Is there a way to use O365 domain security groups in O365 exchange security groups. This can be done between O365 domain security groups and O365 SharePoint groups.
    BR // Ille

    Sorry I missed your reply.
    I don't believe there is a way to do this yet, security groups used within exchange need to be mail-enabled security groups, these can't then be edited from the office365 portal, just the Exchange administrative centre portal.
    It looks like you currently still need to keep these separate.
    If you use DirSync and sync from your own domain then it is possible, since you manage the groups from your AD rather than Office365, but currently just in o365 there doesn't appear to be a way to do this.
    Regards,
    Denis Cooper
    MCITP EA - MCT
    Help keep the forums tidy, if this has helped please mark it as an answer
    Blog: http://www.windows-support.co.uk 

  • Migrate security group in SharePoint

    Hi,
        There are some security groups which are renamed. So now we want to do the migrate group to replace the permission of the old groups with the new groups. Is it possible ? can we run the stsadm command for migrating any security group also as
    we do the same for the users.

    Hi,
    I recommend to use the PowerShell command below to update the group name:
    $sites = get-spsite -limit all
    foreach ($site in $sites) {
        #change the identity value to the identity of your group in SharePoint site
        $user = get-spuser -identity "c:0+.w|s-1-5-21-327186598-2419249556-1286632975-1156" -web $site.url -ErrorAction SilentlyContinue
        if ($user) {
            set-spuser -identity $user -displayname "contoso\ADGPkk"
            Write-host -foregroundcolor green "Changed the name for $($site.url)"
        }
        else {
            Write-host -foregroundcolor red "The specified group does not exist in $($site.url)"
        }
    }
    More reference(same for SharePoint 2010):
    http://www.sharepointfire.com/MyBlog/2013/11/renaming-an-ad-group-in-sharepoint-2013/
    Best regards.
    Thanks
    TechNet Community Support

  • Too many AD security groups for ACS 4.1

    We have an issue that when a user is a member of too many Windows AD (2003) security groups (roughly 65) they won't get authenticated by our ACS 4.1.
    The 1st thing we investigated was the Windows Kerberos authentication issue. Which basically says that if a user is a member of more than 70 security groups then Kerberos authentication might fail. However we've used the tokensz.exe tool to calculate that the affected users Kerberos Token size isn't above the problem 12,000 bytes. Link to that issue http://technet.microsoft.com/en-us/library/cc757478%28WS.10%29.aspx
    On the ACS, when a user is a member of too many security groups, the error message is "External user not found". When the user is brought down to the "magic" number of security groups authentication works no problem.
    At the same time on the DC errors can be found in the CSWinAgent.log file.
    CSWinAgent 01/18/2010 12:25:23 A 0063 5720 NTLIB: Insufficient space for all of user [email protected] certificates
    CSWinAgent 01/18/2010 12:25:23 A 0063 5720 NTLIB: Group list buffer is too small for getting full groups list.
    So we are starting to think that the DC and / or CSWinAgent is causing us issues. Has anyone experienced similar issues?
    Thanks
    Stuart

    Hi Stuart,
    We are hitting a bug here.
    CSCse49827            Bug Details
    ACS Remote Agent fails users with too many groups
    Symptom:
    Windows External Database authentication fails on the ACS 4.0 SE if a user is a member of
    too many Windows groups.
    Conditions:
    This is specific to the ACS SE running 4.0.1(42) or earlier using Windows Domain Authentication
    to the ACS Remote Agent.
    Workaround:
    Reduce the number of group memberships the user is part of or reduce the length of
    the group names the user is a part of.
    Further Problem Description:
    If a user is a part of enough windows groups that the number of characters total of all the groups
    exceed 1024 bytes the authentication of that user will fail.  All other users should still authenticate
    without any trouble
    Please upgrade ACS to 4.1.4 and that should fix it.
    First you need to upgrade it to 4.1.1 and then 4.1.4
    Regards,
    ~JG
    Do rate helpful posts

  • Install Web Part Using Set up file for Sharepoint 2013

    HI,
        How to install web part to sharepoint 2013 using a setup wizard.
    Suppose i have webpart for some data manipulation process so i need to make a set up for install this web part in any sharepoint system is it possible , programmatically install web part is possible any one have code regarding this or can you suggest me how
    to do this ?
    Thanks & Regards
    SUJIL KUMAR t
    Software developer

    Hi Sujilkumar,
    According to your description, my understanding is that you want to install web part wsp using install wizard.
    In SharePoint, there is no set up wizard to install the web part. If you want to install your custom web part, you can use PowerShell Commands. Before you can deploy a solution package, you need to add it to the solution database of a SharePoint
    Server farm like below:
    add-spsolution c:\yourwsp.wsp
    Then you can install the solution like below:
    Install-SPSolution -Identity <SolutionName> -WebApplication <URLname>
    Here are some detailed articles for your reference:
    how to add a wsp webpart
    Deploy solution packages
    Best Regards
    Zhengyu Guo
    TechNet Community Support

  • Creating a security group for S/Mime cert auto-enrolment

    We currently have auto-enrolment rights for an Exchange User cert granted to Domain Users. In our environment this is generating more than 50,000 failed requests each week by service accounts which don't have an email address.
    I would like to create a security group of users with an email address, and grant enrolment rights on the CA to that group.
    I have tried the following script to create such a group, however it's way too slow to be of any use (ours is a large enterprise):
    Import-Module ActiveDirectory
    Get-ADGroup -filter {name -eq "SMime Users"} | ForEach-Object {dsget group -members $_.distinguishedname | dsmod group $_.distinguishedname -rmmbr}
    Get-ADUser -filter {emailaddress -like "*"} | ForEach-Object {Add-ADGroupMember "SMime Users" -Members $_.SamAccountName}
    Any ideas on a way to bulk add users with an email address to a group? Or another way to achieve the same result?

    On Thu, 6 Feb 2014 19:20:37 +0000, Alen Williams wrote:
    We currently have auto-enrolment rights for an Exchange User cert granted to Domain Users. In our environment this is generating more than 50,000 failed requests each week by service accounts which don't have an email address.
    I would like to create a security group of users with an email address, and grant enrolment rights on the CA to that group.
    I have tried the following script to create such a group, however it's way too slow to be of any use (ours is a large enterprise):
    Import-Module ActiveDirectory
    Get-ADGroup -filter {name -eq "SMime Users"} | ForEach-Object {dsget group -members $_.distinguishedname | dsmod group $_.distinguishedname -rmmbr}
    Get-ADUser -filter {emailaddress -like "*"} | ForEach-Object {Add-ADGroupMember "SMime Users" -Members $_.SamAccountName}
    Any ideas on a way to bulk add users with an email address to a group? Or another way to achieve the same result?
    Although this group is going to be used for certificate enrollment this
    really isn't the right forum for your question. You should repost to either
    an Active Directory forum or to one dedicated to scripting or Powershell.
    Paul Adare - FIM CM MVP
    urbi et IP -- axelm in <mode=pope>
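
    An added example, not part of the thread above: the script in the question empties the group and then issues one Add-ADGroupMember call per user, so every run leaves a window in which nobody holds the enrolment right. The sketch below instead computes the difference between "users with a mail attribute" and the current membership and writes only that delta in batches. The function name Sync-MailUsersGroup and the batch size of 500 are assumptions; the group name comes from the question.

```powershell
# Added example (not from the thread). Sync-MailUsersGroup is a hypothetical
# helper name; the batch size is an arbitrary choice.
Import-Module ActiveDirectory

function Sync-MailUsersGroup {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$GroupName = 'SMime Users',   # group name taken from the question
        [int]$BatchSize = 500                 # assumed value, tune for your DCs
    )

    $group   = Get-ADGroup -Identity $GroupName
    $groupDn = $group.DistinguishedName

    # Escape LDAP filter metacharacters in the DN (RFC 4515). Backslash first.
    $escapedDn = $groupDn.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')

    # Desired state: every user object that has a mail attribute.
    # The filter is evaluated on the domain controller, not in the pipeline.
    $desired = @(Get-ADUser -LDAPFilter '(mail=*)' |
        ForEach-Object { $_.DistinguishedName })

    # Current state: user objects that are direct members of the group.
    # Nested groups and non-user members are left untouched by this script.
    $current = @(Get-ADUser -LDAPFilter "(memberOf=$escapedDn)" |
        ForEach-Object { $_.DistinguishedName })

    # Hash sets give constant-time lookups, which matters with many users.
    $ignoreCase = [System.StringComparer]::OrdinalIgnoreCase
    $desiredSet = New-Object 'System.Collections.Generic.HashSet[string]' -ArgumentList $ignoreCase
    $currentSet = New-Object 'System.Collections.Generic.HashSet[string]' -ArgumentList $ignoreCase
    foreach ($dn in $desired) { [void]$desiredSet.Add($dn) }
    foreach ($dn in $current) { [void]$currentSet.Add($dn) }

    $toAdd    = @($desired | Where-Object { -not $currentSet.Contains($_) })
    $toRemove = @($current | Where-Object { -not $desiredSet.Contains($_) })

    # Add missing members, many per call instead of one call per user.
    for ($i = 0; $i -lt $toAdd.Count; $i += $BatchSize) {
        $last  = [Math]::Min($i + $BatchSize, $toAdd.Count) - 1
        $batch = @($toAdd[$i..$last])
        if ($PSCmdlet.ShouldProcess($groupDn, "Add $($batch.Count) member(s)")) {
            Add-ADGroupMember -Identity $group -Members $batch
        }
    }

    # Remove members that no longer have a mail attribute.
    for ($i = 0; $i -lt $toRemove.Count; $i += $BatchSize) {
        $last  = [Math]::Min($i + $BatchSize, $toRemove.Count) - 1
        $batch = @($toRemove[$i..$last])
        if ($PSCmdlet.ShouldProcess($groupDn, "Remove $($batch.Count) member(s)")) {
            Remove-ADGroupMember -Identity $group -Members $batch -Confirm:$false
        }
    }

    # Summary for logging or review of each run.
    [pscustomobject]@{
        Group    = $groupDn
        Desired  = $desired.Count
        Current  = $current.Count
        ToAdd    = $toAdd.Count
        ToRemove = $toRemove.Count
    }
}

# Dry run: reports what would change without modifying the group.
Sync-MailUsersGroup -WhatIf
```

    Run it with -WhatIf first and review the counts; after the initial population, each scheduled run only touches accounts whose mail attribute changed.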

  • How to associate more than one security group for UCM documents?

    When checking in a document we are only able to associate one security group to documents. In our case, a particular document can be seen by more than one group e.g a document can be seen by both finance and marketing groups.
    How can we associate more than one group for documents?
    Our requirement is related to search. We want to display the documents to the end user based on the security group that is associated with the document. We are planning to use IDM and have all the groups/roles that are possible in the end site (also delivered by same ldap) available in UCM so that when checking in the documents we can associate desired groups who can see these documents.
    Regards,
    Pratap

    One thing before all, is that I suggest that you think through your security model before implementing it in UCM. You should ask yourself questions like :
    - Is security really based on department ?
    - Why two departments need to have access to the same category of document ?
    - Is it really security that I need or classification ? Is it a problem if Accounting have access to Finance or you just don't want Marketing documents in a finance related search ?
    - Maybe what you want is that finance guys to have access to marketing document.
    Without a clear business security model, it's hard to find a UCM security model as it is impossible to associate 2 security groups to one document.
