Active Directory / LDAP Access Requirements
What is the Service Account used for?
The Moveworks service account in AD/LDAP is typically granted permissions to read users/groups, manipulate user group additions, and read/modify user profile attributes (for unlocking accounts). Below, we list the needed permissions.
If configured, the Moveworks bot can:
- Add users to email distribution groups and security groups
- Check whether users are locked out, alert employees, and unlock accounts upon request
- Check when employees’ AD passwords are expiring
To do this, at a high level, the bot uses a Moveworks service account in AD with the following permissions:
- Read users/groups
- Manipulate user group additions
- Read/modify user profile attributes (for unlocking accounts)
Note: While the Moveworks bot can read from multiple domains, native access skills such as adding users to email groups and unlocking accounts can only be access from one domain.
For the Active Directory integration, please provide us with the following account details for the before-mentioned AD Service Account:
- Service Account Username/Login
- Service Account Password (please ensure the password does not contain any of the following special characters: $, {, }, )
- Host IP or HostName for Active Directory Domain Controller Server to connect to
- For LDAPS, please provide the base64 .pem root CA cert.
Required OU Permissions
- Delegate Read Access to the OUs that contain all relevant Group Objects (Distribution Lists and/or Security Groups).
- Delegate Read Access to the OUs that contain all relevant User Objects.
Required User Object Permissions
For all users who will use the bot (typically employees and contractors), the Moveworks service account in Active Directory needs permission to list users and groups across OUs, and it needs permission to write to user profiles in order to unlock accounts.
We recommend granting Read access to all user attributes. Examples include the user’s department, user’s manager, and password last-set date, however if you need to scope down granular access the following permissions are required:
- For Core Identity, Moveworks needs Read Access to the following user attributes in Active Directory (exact attribute names. may slightly vary per Active Directory installation):
distinguishedName (CN)
- Used to identify users uniquely when querying Active Directory.mail
- Used to identify users across systems.department
- Used to show in People lookup cardsmanager
- Used to show in People lookup cards and approvalslocation
- Used to show in People lookup cardsphone number
- Used to show in People lookup cardsuserAccountControl
- Used to filter out disabled or expired userswhenCreated
- To track newly created accountsobjectCategory
- Used to filter query only for relevant objectsobjectClass
- Used to filter query only for relevant objectslastLogon
- Used to check if the user is active or not
In addition to the attributes above, you may need to grant read or write access to other attributes based on the skills you select to deploy in the Moveworks bot:
- For Password Expiry notifications, Read access to the
pwdLastSet
and/ormsDS-UserPasswordExpiryTimeComputed
attributes - For Contractor Expiry notifications, Read access to the
AccountExpires
attribute. - For Account Access skill to Unlock user accounts, Read access to
lockoutTime
andmsDS-User-Account-Control-Computed
and Write access to thelockoutTime
attribute. - For Adding Users to Distribution and/or Security Groups, Read access to the
memberOf
attribute.
Required Group Object Permissions
For groups management, the Moveworks service account in Active Directory needs the following permissions:
- View group members (users) within a specific group
- Create Distribution Groups
- Add a user to a group (both distribution group and/or security group)
In Active Directory, these permissions are modeled as follows:
- Delegate Read Access to the OUs that contain Distribution and/or Security Groups.
- When Creating Distribution Groups, the service account needs write access to a number of attributes:
name
description
displayName
groupType
mail
alias
managedBy
members
proxyAddresses
sAMAccountName
- When Adding users to a Distribution and/or Security Group, the service account needs write access to the Members field for the group:
- members
Moveworks On-premises Agent Requirements
To connect with your on-premises system, Moveworks relies on the Moveworks Agent, a container-based application that runs behind your firewall and proxies the interaction between your On-premises system, and the Moveworks Platform.
Network Requirements
The machine/VM running the Moveworks Agent should have an IP address within a whitelisted static IP address range so that it can communicate with the On-premises system.
The machine/VM must be able to communicate outbound to the following endpoint based on your environment:
US Region: agent.moveworks.com
US GovCloud Region: agent.moveworksgov.com
EU Region: agent.am-eu-central.moveworks.com
Canada Region: agent.am-ca-central.moveworks.com
Australia Region: agent.am-ap-southeast.moveworks.com
Machine Requirements
Moveworks recommends using a system with the following requirements, which are the same as "t3.medium" if hosted in AWS or a “B2” if hosted in Azure.
- 4 GB RAM
- 2 CPUs
- 30 GB of disk space
OS Requirements:
- VM with Ubuntu 20.04 and above OR RHEL 8.0 and above.
- Latest Version of Docker or Podman must be pre-installed.
Staff Requirements
Configuring the Moveworks agent takes approximately one hour, and is typically done by a member of your organization’s infrastructure team (preferably with hands-on Linux experience). The setup can be handled end to end by your team or can be done over a guided set up call with your Moveworks Customer Success Engineer. Additional meetings may be required based on complexity of issues found during initial installation. e.g: network issues, firewall issues, permission issues, etc.
Updated about 2 months ago