Active Directory / LDAP Access Requirements

What is the Service Account used for?

The Moveworks service account in AD/LDAP is typically granted permissions to read users/groups, manipulate user group additions, and read/modify user profile attributes (for unlocking accounts). Below, we list the needed permissions.

If configured, the Moveworks bot can:

  • Add users to email distribution groups and security groups
  • Check whether users are locked out, alert employees, and unlock accounts upon request
  • Check when employees’ AD passwords are expiring

To do this, at a high level, the bot uses a Moveworks service account in AD with the following permissions:

  • Read users/groups
  • Manipulate user group additions
  • Read/modify user profile attributes (for unlocking accounts)


Note: While the Moveworks bot can read from multiple domains, native access skills such as adding users to email groups and unlocking accounts can only be accessed from one domain.

For the Active Directory integration, please provide us with the following account details for the aforementioned AD Service Account:

  • Service Account Username/Login
  • Service Account Password (please ensure the password does not contain any of the following special characters: $, {, }, )
  • Host IP or HostName for Active Directory Domain Controller Server to connect to
  • For LDAPS, please provide the base64 .pem root CA cert.

Required OU Permissions

  • Delegate Read Access to the OUs that contain all relevant Group Objects (Distribution Lists and/or Security Groups).
  • Delegate Read Access to the OUs that contain all relevant User Objects.

Required User Object Permissions

For all users who will use the bot (typically employees and contractors), the Moveworks service account in Active Directory needs permission to list users and groups across OUs, and it needs permission to write to user profiles in order to unlock accounts.

We recommend granting Read access to all user attributes. Examples include the user’s department, the user’s manager, and the password last-set date. However, if you need to scope access down more granularly, the following permissions are required:

  • For Core Identity, Moveworks needs Read Access to the following user attributes in Active Directory (exact attribute names may vary slightly per Active Directory installation):
    • distinguishedName (CN) - Used to identify users uniquely when querying Active Directory.
    • mail - Used to identify users across systems.
    • department - Used to show in People lookup cards
    • manager - Used to show in People lookup cards and approvals
    • location - Used to show in People lookup cards
    • phone number - Used to show in People lookup cards
    • userAccountControl - Used to filter out disabled or expired users
    • whenCreated - To track newly created accounts
    • objectCategory - Used to filter query only for relevant objects
    • objectClass - Used to filter query only for relevant objects
    • lastLogon - Used to check if the user is active or not

In addition to the attributes above, you may need to grant read or write access to other attributes based on the skills you select to deploy in the Moveworks bot:

  • For Password Expiry notifications, Read access to the pwdLastSet and/or msDS-UserPasswordExpiryTimeComputed attributes
  • For Contractor Expiry notifications, Read access to the AccountExpires attribute.
  • For Account Access skill to Unlock user accounts, Read access to lockoutTime and msDS-User-Account-Control-Computed and Write access to the lockoutTime attribute.
  • For Adding Users to Distribution and/or Security Groups, Read access to the memberOf attribute.
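
How the account-state attributes listed above are interpreted once read over LDAP, shown as an added example (not Moveworks code). The function names and sample entries are constructed for illustration; the flag bits and the 1601-based FILETIME encoding are the standard Active Directory ones.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = 0x7FFFFFFFFFFFFFFF        # "never" sentinel in AD large-integer times
UF_ACCOUNTDISABLE = 0x0002        # bit in userAccountControl
UF_LOCKOUT = 0x0010               # bit in msDS-User-Account-Control-Computed
UF_PASSWORD_EXPIRED = 0x800000    # bit in msDS-User-Account-Control-Computed

def filetime_to_dt(value):
    """AD FILETIME (100 ns ticks since 1601-01-01 UTC) -> datetime, None if 0/never."""
    ticks = int(value)
    if ticks in (0, NEVER):
        return None
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)

def dt_to_filetime(dt):
    """Inverse of filetime_to_dt, used here only to build the sample entries."""
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def account_state(entry, now):
    """Summarise one user entry given as {attribute name: raw LDAP string}."""
    uac = int(entry.get("userAccountControl", 0))
    computed = int(entry.get("msDS-User-Account-Control-Computed", 0))
    expires = filetime_to_dt(entry.get("accountExpires", 0))
    pwd_expiry = filetime_to_dt(entry.get("msDS-UserPasswordExpiryTimeComputed", NEVER))
    return {
        "disabled": bool(uac & UF_ACCOUNTDISABLE),
        # lockoutTime stays non-zero after the lockout window has passed, so the
        # computed flag decides "locked now"; lockoutTime only dates the lockout.
        "locked": bool(computed & UF_LOCKOUT),
        "locked_since": filetime_to_dt(entry.get("lockoutTime", 0)),
        "account_expired": expires is not None and expires <= now,
        "password_expired": bool(computed & UF_PASSWORD_EXPIRED),
        "password_days_left": None if pwd_expiry is None else (pwd_expiry - now).days,
    }

# Constructed sample entries (not real directory data); omitted attributes
# fall back to "never expires".
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
LOCKED_EMPLOYEE = {
    "userAccountControl": "512", "msDS-User-Account-Control-Computed": "16",
    "lockoutTime": str(dt_to_filetime(NOW - timedelta(minutes=5))),
    "msDS-UserPasswordExpiryTimeComputed": str(dt_to_filetime(NOW + timedelta(days=10))),
}
EXPIRED_CONTRACTOR = {
    "userAccountControl": "514", "msDS-User-Account-Control-Computed": "0",
    "lockoutTime": str(dt_to_filetime(NOW - timedelta(days=30))),  # stale value
    "accountExpires": str(dt_to_filetime(NOW - timedelta(days=1))),
}
```

The second sample shows why the unlock skill needs Read access to both lockoutTime and msDS-User-Account-Control-Computed: a non-zero lockoutTime on its own does not mean the account is currently locked.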

Required Group Object Permissions

For groups management, the Moveworks service account in Active Directory needs the following permissions:

  • View group members (users) within a specific group
  • Create Distribution Groups
  • Add a user to a group (both distribution group and/or security group)

In Active Directory, these permissions are modeled as follows:

  • Delegate Read Access to the OUs that contain Distribution and/or Security Groups.
  • When Creating Distribution Groups, the service account needs write access to a number of attributes:
    • name
    • description
    • displayName
    • groupType
    • mail
    • alias
    • managedBy
    • members
    • proxyAddresses
    • sAMAccountName
  • When Adding users to a Distribution and/or Security Group, the service account needs write access to the Members field for the group:
    • members

Moveworks On-premises Agent Requirements

To connect with your on-premises system, Moveworks relies on the Moveworks Agent, a container-based application that runs behind your firewall and proxies the interaction between your on-premises system and the Moveworks Platform.

Network Requirements

The machine/VM running the Moveworks Agent should have an IP address within a whitelisted static IP address range so that it can communicate with the On-premises system.

The machine/VM must be able to communicate outbound to and for Moveworks GovCloud deployments.

Machine Requirements

Moveworks recommends using a system with the following requirements, which are the same as "t3.medium" if hosted in AWS or a “B2” if hosted in Azure.

  • 4 GB RAM
  • 2 CPUs
  • 30 GB of disk space

OS Requirements:

  • VM with Ubuntu 20.04 and above OR RHEL 8.0 and above.
  • Latest Version of Docker or Podman must be pre-installed.

Staff Requirements

Configuring the Moveworks agent takes approximately one hour, and is typically done by a member of your organization’s infrastructure team (preferably with hands-on Linux experience). The setup can be handled end to end by your team or can be done over a guided setup call with your Moveworks Customer Success Engineer. Additional meetings may be required based on the complexity of issues found during initial installation (e.g., network issues, firewall issues, permission issues).