Difference between revisions of "Test"

From InsightWiki
Line 1: Line 1:
__FORCETOC__
+
AD Links is an additional module in Insight. It allows users to log in to Insight using their Active Directory account. This is essential for student logins and optional for staff logins. <br> <br>
Synchronisation rules are used by Insight to determine which parents and/or students should be given Insight accounts and which Role (set of permissions) should be applied to their account. The roles themselves are configured via the '''[[Roles]]''' page. <br> <br>
 
  
=Students=
+
As AD Links is an additional module of Insight, a separate charge applies. Please contact <span class="plainlinks">[mailto:sales@tascsoftware.co.uk sales@tascsoftware.co.uk]</span> for further information. <br> <br>
  
In order for students to log in to Insight, you must have purchased the '''[[AD links|AD Links]]''' additional module for Insight. This allows students to log in using their Active Directory details. <br> <br>
+
==Configuration==
  
You can create multiple Synchronisation Rules if required. This allows you to assign different roles to students, depending on which year group they are in. If you want all students to use the same Role then you only need one Synchronisation Rule, otherwise you need one Synchronisation Rule per Role you want to use. <br> <br>
+
You will first need to enter the details of your Active Directory into the fields on this page. Once this has been done, existing student, staff or parent accounts can be linked to the AD by [[users#Creating and deleting users - the sync process|performing a synchronisation]]. <br> <br>
  
Select a Synchronisation Rule then click the '''Edit''' button to edit that rule, or click '''Add''' to create a new rule. This will take you to a new page. Select the year groups that this rule should apply to, then at the bottom of the page select the Role to be given to the students. Click '''Save''' once done. <br> <br>
+
[[Image:adlinks4.jpg|thumb]] <br> <br>
  
=Parents=
+
The '''Check in AD when logging in''' option must be enabled for Active Directory logins (if this is switched off, all AD logins will be disabled). <br> <br>
  
[[Image:parental_sync_rules_list.png|thumb|A list of Synchronisation Rules for parental accounts]]
+
Next enter the '''Domain''', '''Domain reading user''' and '''Domain reading password''' fields. <br>
 +
The domain should be in the form: mydomain.local. Click the '''Check''' button when you have entered these details to confirm that Insight can access the Active Directory. Sometimes, this may say something like "A trust relationship does not exist between x and x" - This is often displayed, it should not cause any issues or be a cause for concern. <br> <br>
  
Parents may need to be given different roles depending on the year group that their child is in e.g. a parent of a Year 13 student may need to see more options (such as exam data) in Insight than a parent of a Year 7 student. <br> <br>
+
By default Insight will check the EmployeeID field for the Admission Number (ADNO) to identify students. This will also be required for staff if you want them to log in using the Active Directory details, but they do not have trusted login accounts in SIMS. <br> <br>
  
Parents may also need to be given different Roles because of their relationship to students. For example, a contact who has Parental Responsibility but also has a Court Order against them may need a limited access Role. <br> <br>  
+
Enable the '''Use alternative AD field in place of EmployeeID''' option if you would prefer to use an AD field other than EmployeeID. You then need to enter your choice of field into the '''Name of alternative field to use''' setting. <br> <br>
  
Click the '''Edit''' button or '''Add''' button to edit or create a rule. <br> <br>
+
'''Use student email addresses from AD''' <br>
 +
The alternative is to use the email addresses in SIMS <br> <br>
  
If a parent has more than one child at school then more than rule may apply to them, one rule per child. This means that a parent may have a different Role for each of their children. See the '''[[#Example|example]]''' below for more information. <br> <br>
 
  
===Parental Options===
+
==Seamless login==
  
When editing/creating a rule, you must select the '''Highest priority''' and '''Lowest priority'''. A parent's Priority number from SIMS must fall between this range in order for the rule to apply to them. <br> <br>
+
An additional benefit of using this method to log in is that it supports Integrated Windows Authentication in supported browsers.  This means that if the user is logged onto a computer within the domain, their account information can be used to log seamlessly into Insight, without requesting them to enter their account details by hand. <br> <br>
  
For the following three options you can choose '''Yes''' (parents must have this attribute), '''No''' (parents must not have this attribute) or '''na''' (it does not matter whether parents have this attribute): <br>
+
To enable this, all of the previous settings must be working correctly. <br> <br>
'''Parental Responsibility''' <br>
 
'''Court Order''' <br>
 
'''Cohabitation''' <br> <br>
 
  
===Example===
+
To implement seamless login, direct those users who you expect to be able to login to the ADSSO.aspx page initially. If the user is not already logged into the domain, they will be redirected to the normal login page, where they can still enter their Active Directory username and password.  Otherwise, depending on their Security Group membership, they will be passed straight through to Insight.
 +
If you do not expect a user to be able to log in this way, they should be directed to the normal login URL. <br> <br>
  
Imagine a parent has two children at school with the following details in SIMS:
+
<!--
{| class="wikitable"
+
Use the staff report to get Person_ID numbers for staff. Open the xml file in Excel
!Relationship!!Priority!!Parental Responsibility!!Court Order!!Cohabiting
+
Save the file as CSV
|-
+
Use the import.vb file to copy the Person_IDs into AD
|Daughter||1||Yes||No||Yes
+
-->
|-
 
|Son||9||Yes||Yes||No
 
|} <br>
 
  
And you have the following rules configured in Insight: <br>
+
==Troubleshooting==
[[Image:parental_sync_rule_example.png]] <br> <br>
 
  
The parent's relationship with the daughter meets all the criteria of the first rule; the parent is the Priority 1 contact and does not have a Court Order. Therefore the parent will have the "Full Access" role when viewing the daughter. <br> <br>
+
===Failed logins===
  
The parent's relationship with the son does not meet the criteria for the first rule. The parent does not have the sufficient Priority level and also has a Court Order. The parent's relationship with the son does meet the criteria for the second rule though, so the parent will have the "Limited Access" role when viewing the son. <br> <br>
+
If users are not able to log in using their AD details then click on the Activity Report link. This will open a window showing the most recent login attempts from AD linked users. This will provide more information as to why the login failed. <br> <br>
  
The rules at the top of the list take priority over those lower down, so if a parent meets the criteria for multiple rules for one of their children, they will always be given a role by the highest rule on the list that applies to them. <br> <br>
+
'''Credentials Not Kerberos''' - User entered an incorrect Password. <br>
 +
'''Principal not found''' - User entered an unknown Username. <br>
 +
 
 +
===Assigning SIMS database IDs to AD records===
 +
 
 +
Many schools will use SIMS AD Provisioning and have their SIMS database perform this job for them. Alternatively, you can use a script from TASC Software to do this provisioning for you. <br> <br>
 +
 
 +
You will need a CSV called INPUT.CSV in the format: ADusername,MISID <br>
 +
You will also need to download this script file: [http://www.tascsoftware.co.uk/wiki/PARS/files/import.vbs import.vbs] <br> <br>
 +
 
 +
First use notepad to edit the script file above by right-clicking on it and selecting the Open With option. The first line of the file is:
 +
CONST strDomain="MyDomain" <br> <br>
 +
 
 +
You need to edit this so that your domain appears between the quotation marks, instead of MyDomain. Save the file, then place it and your CSV file into the same folder with not other contents. Run the import.vbs script and your Active Directory will be updated. <br> <br>
 +
 
 +
[[Category:Additional modules]]
 +
[[Category:Management]]
 +
[[Category:Technical]]
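
Review bot: the download link added under "Assigning SIMS database IDs to AD records" points to import.vbs over plain http:// and gives no checksum, yet the next paragraph tells the reader to run that script so that it updates Active Directory. Suggest linking it over HTTPS and publishing a hash beside the link so administrators can check the file before running it. In the same section, "with not other contents" should read "with no other contents", and the commented-out block names the file import.vb where the link says import.vbs.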

Revision as of 13:11, 29 May 2018

AD Links is an additional module in Insight. It allows users to log in to Insight using their Active Directory account. This is essential for student logins and optional for staff logins.

As AD Links is an additional module of Insight, a separate charge applies. Please contact sales@tascsoftware.co.uk for further information.

Configuration

You will first need to enter the details of your Active Directory into the fields on this page. Once this has been done, existing student, staff or parent accounts can be linked to the AD by performing a synchronisation.

The Check in AD when logging in option must be enabled for Active Directory logins (if this is switched off, all AD logins will be disabled).

Next enter the Domain, Domain reading user and Domain reading password fields.
The domain should be in the form mydomain.local. Click the Check button when you have entered these details to confirm that Insight can access the Active Directory. The check may sometimes report something like "A trust relationship does not exist between x and x". This message is often displayed and should not cause any issues or be a cause for concern.

By default Insight will check the EmployeeID field for the Admission Number (ADNO) to identify students. This will also be required for staff if you want them to log in using their Active Directory details but they do not have trusted login accounts in SIMS.

Enable the Use alternative AD field in place of EmployeeID option if you would prefer to use an AD field other than EmployeeID. You then need to enter your choice of field into the Name of alternative field to use setting.

Use student email addresses from AD
The alternative is to use the email addresses in SIMS.


Seamless login

An additional benefit of using this method to log in is that it supports Integrated Windows Authentication in supported browsers. This means that if the user is logged onto a computer within the domain, their account information can be used to log seamlessly into Insight, without requesting them to enter their account details by hand.

To enable this, all of the previous settings must be working correctly.

To implement seamless login, initially direct the users who you expect to be able to log in this way to the ADSSO.aspx page. If the user is not already logged into the domain, they will be redirected to the normal login page, where they can still enter their Active Directory username and password. Otherwise, depending on their Security Group membership, they will be passed straight through to Insight. If you do not expect a user to be able to log in this way, they should be directed to the normal login URL.


Troubleshooting

Failed logins

If users are not able to log in using their AD details then click on the Activity Report link. This will open a window showing the most recent login attempts from AD linked users. This will provide more information as to why the login failed.

Credentials Not Kerberos - User entered an incorrect Password.
Principal not found - User entered an unknown Username.

Assigning SIMS database IDs to AD records

Many schools will use SIMS AD Provisioning and have their SIMS database perform this job for them. Alternatively, you can use a script from TASC Software to do this provisioning for you.

You will need a CSV called INPUT.CSV in the format: ADusername,MISID
You will also need to download this script file: import.vbs

First use Notepad to edit the script file above by right-clicking on it and selecting the Open With option. The first line of the file is: CONST strDomain="MyDomain"

You need to edit this so that your domain appears between the quotation marks, instead of MyDomain. Save the file, then place it and your CSV file into the same folder with no other contents. Run the import.vbs script and your Active Directory will be updated.
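
Because the import writes an identifier into every listed AD account, it is worth checking INPUT.CSV before running it. The following is an added example, not part of the original page or TASC Software's script: it checks the ADusername,MISID rows for empty fields and duplicate mappings, then does a read-only comparison against AD. The sample rows are constructed, and it assumes ADusername is the sAMAccountName and that the attribute being set is EmployeeID.

```powershell
# Added example, not TASC Software's code. Constructed sample rows in the page's
# ADusername,MISID format (no header row). For a real file use:
#   $rows = Import-Csv .\INPUT.CSV -Header ADusername, MISID
$sample = @'
jsmith,1001
apatel,1002
jsmith,1004
clee,1002
dkhan,
'@
$rows = @($sample | ConvertFrom-Csv -Header ADusername, MISID)

function Test-InputRows {
    param([object[]]$Rows)
    $line = 0
    foreach ($r in $Rows) {
        $line++
        if ([string]::IsNullOrWhiteSpace($r.ADusername) -or
            [string]::IsNullOrWhiteSpace($r.MISID)) {
            "line ${line}: empty ADusername or MISID"
        }
    }
    # A username listed twice, or one MIS ID given to two accounts, would tie an
    # AD login to the wrong person's record once the attribute is written.
    foreach ($col in 'ADusername', 'MISID') {
        $Rows | Where-Object { -not [string]::IsNullOrWhiteSpace($_.$col) } |
            Group-Object -Property $col |
            Where-Object { $_.Count -gt 1 } |
            ForEach-Object { "duplicate ${col}: $($_.Name) ($($_.Count) rows)" }
    }
}

$problems = @(Test-InputRows -Rows $rows)
$problems

# Dry run: report what would change in AD, writing nothing. Assumptions: the
# RSAT ActiveDirectory module is installed, ADusername is the sAMAccountName,
# and the attribute being set is EmployeeID (Insight's default lookup field).
if ($problems.Count -eq 0 -and (Get-Module -ListAvailable ActiveDirectory)) {
    foreach ($r in $rows) {
        try {
            $u = Get-ADUser -Identity $r.ADusername -Properties EmployeeID -ErrorAction Stop
            if ($u.EmployeeID -and $u.EmployeeID -ne $r.MISID) {
                "{0}: EmployeeID {1} would be replaced by {2}" -f $r.ADusername, $u.EmployeeID, $r.MISID
            }
        } catch {
            "{0}: no such AD account" -f $r.ADusername
        }
    }
}
```

The AD comparison only runs once the CSV checks report nothing, so fix the file first and rerun.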