For AI agents: a documentation index is available at the root level at /llms.txt and /llms-full.txt. Append /llms.txt to any URL for a page-level index, or .md for the markdown version of any page.
Logo
DeveloperAcademyCommunityStatus
  • Service Management
    • Overview
    • Concierge & Ticketing Capabilities Overview
    • Forms
    • Forms - Integration Specific Guides
    • Live Agent Chat / Handoff
    • Triage
    • Approval Mirroring
    • Ticket Interception
    • Generic Ticketing Integration: Ticket Gateway
  • Administration
    • MyMoveworks
    • Organization Information
    • Roles and Permissions
    • MyMoveworks SSO
  • Moveworks Setup
    • Accessing Moveworks Setup
    • First-Time Login via Magic Link
    • Moveworks Setup Modules
    • Moveworks Setup: Module How To Guides
    • Plugin Management
    • Monitor Alerts
    • Audit Logs
    • DSL Fields Defaults
    • Data Crawling View
    • API Playground
    • Setup Homepage
    • Troubleshooting Hub
    • Security and Privacy Settings
    • Configuration Delete
    • Advanced Config Editor
    • Identity configuration
    • Onboarding Stage
  • Security
    • Security
    • Hyperlink & Button Expiry
    • Attachment Handling
    • Moveworks Subprocessors
  • Provision Management
    • Overview
    • Access Software
    • Access Groups
    • Access Account
  • Access Requirements
    • Overview
    • Update Set Modules
    • Ticketing Systems & ITSMs Access
    • Identity and Access Management Systems Access
      • Active Directory & OpenLDAP Access Requirements
      • Microsoft 365 Access Requirements
      • Okta Access Requirements
      • OneLogin Access Requirements
    • Multi-Factor Authentication (MFA) Systems Access
    • Knowledge Access Requirements
    • Email Distribution List Systems Access
    • Facilities Management Access
    • Live Agent Chat Access
    • HR Information System Access
    • Expense Management Access
    • Calendar Management Access
  • Core Platform
    • User Identity
    • Moveworks On-Prem Agent
    • Approvals Engine
    • Entity Catalog
    • Configuration Languages
    • Moveworks Data Objects
    • SIEM
  • Employee Experience Insights
    • Overview
    • Breaking Down the Dashboard
    • Understanding Industry Benchmarks
    • Apps & Services
    • Impact Module
    • EXI Common Use Cases
    • Configure EXI
    • Ticket Backpolling
  • Knowledge Studio
    • Overview
    • Knowledge Studio Configuration
    • AI Powered Recommendations
    • Inspecting & Verifying Sources
    • Publishing Articles
    • Creating Knowledge Articles
    • Resolving IT Tickets Guidance
DeveloperAcademyCommunityStatus
On this page
  • What is the Service Account used for?
  • Required OU Permissions
  • Required User Object Permissions
  • Required Group Object Permissions
  • Moveworks On-premises Agent Requirements
Access RequirementsIdentity and Access Management Systems Access

Active Directory & OpenLDAP Access Requirements

||View as Markdown|
Was this page helpful?
Edit this page
Previous

Microsoft 365 Access Requirements

Next
Built with

What is the Service Account used for?

The Moveworks service account in AD/LDAP is typically granted permissions to read users/groups, manipulate user group additions, and read/modify user profile attributes (for unlocking accounts). Below, we list the needed permissions.

If configured, the Moveworks bot can:

  • Add users to email distribution groups and security groups
  • Check whether users are locked out, alert employees, and unlock accounts upon request
  • Check when employees’ AD passwords are expiring

To do this, at a high level, the bot uses a Moveworks service account in AD with the following permissions:

  • Read users/groups
  • Manipulate user group additions
  • Read/modify user profile attributes (for unlocking accounts)

Note: While the Moveworks bot can read from multiple domains, native access skills such as adding users to email groups and unlocking accounts can only be access from one domain.

For the Active Directory integration, please gather the following account details for the AD Service Account:

  • Service Account Username/Login
  • Service Account Password (please ensure the password does not contain any of the following special characters: $, {, }, )
  • Host IP or HostName for Active Directory Domain Controller Server to connect to
  • For LDAPS, please provide the base64 .pem root CA cert.

Required OU Permissions

  • Delegate Read Access to the OUs that contain all relevant Group Objects (Distribution Lists and/or Security Groups).
  • Delegate Read Access to the OUs that contain all relevant User Objects.

Required User Object Permissions

For all users who will use the bot (typically employees and contractors), the Moveworks service account in Active Directory needs permission to list users and groups across OUs, and it needs permission to write to user profiles in order to unlock accounts.

We recommend granting Read access to all user attributes. Examples include the user’s department, user’s manager, and password last-set date, however if you need to scope down granular access the following permissions are required:

  • For Core Identity, Moveworks needs Read Access to the following user attributes in Active Directory (exact attribute names. may slightly vary per Active Directory installation):
    • distinguishedName (CN) - Used to identify users uniquely when querying Active Directory.
    • mail - Used to identify users across systems.
    • department - Used to show in People lookup cards
    • manager - Used to show in People lookup cards and approvals
    • location - Used to show in People lookup cards
    • phone number - Used to show in People lookup cards
    • userAccountControl - Used to filter out disabled or expired users
    • whenCreated - To track newly created accounts
    • objectCategory - Used to filter query only for relevant objects
    • objectClass - Used to filter query only for relevant objects
    • lastLogon - Used to check if the user is active or not

In addition to the attributes above, you may need to grant read or write access to other attributes based on the skills you select to deploy in the Moveworks bot:

  • For Password Expiry notifications, Read access to the pwdLastSet and/or msDS-UserPasswordExpiryTimeComputed attributes
  • For Contractor Expiry notifications, Read access to the AccountExpires attribute.
  • For Account Access skill to Unlock user accounts, Read access to lockoutTime and **msDS-User-Account-Control-Computed**and Write access to the lockoutTime attribute.
  • For Adding Users to Distribution and/or Security Groups, Read access to the memberOf attribute.

Required Group Object Permissions

For groups management, the Moveworks service account in Active Directory needs the following permissions:

  • View group members (users) within a specific group
  • Create Distribution Groups
  • Add a user to a group (both distribution group and/or security group)

In Active Directory, these permissions are modeled as follows:

  • Delegate Read Access to the OUs that contain Distribution and/or Security Groups.
  • When Creating Distribution Groups, the service account needs write access to a number of attributes:
    • name
    • description
    • displayName
    • groupType
    • mail
    • alias
    • managedBy
    • members
    • proxyAddresses
    • sAMAccountName
  • When Adding users to a Distribution and/or Security Group, the service account needs write access to the Members field for the group:
    • members

Moveworks On-premises Agent Requirements

To connect with your on-premises system, Moveworks relies on the Moveworks Agent, a container-based application that runs behind your firewall and proxies the interaction between your On-premises system, and the Moveworks Platform.

Network Requirements

The machine/VM running the Moveworks Agent should have an IP address within a whitelisted static IP address range so that it can communicate with the On-premises system.

The machine/VM must be able to communicate outbound to the following endpoint based on your environment:

US Region: agent.moveworks.com

US GovCloud Region: agent.moveworksgov.com
EU Region: agent.am-eu-central.moveworks.com
Canada Region: agent.am-ca-central.moveworks.com
Australia Region: agent.am-ap-southeast.moveworks.com

Machine Requirements

Moveworks recommends using a system with the following requirements, which are the same as “t3.medium” if hosted in AWS or a “B2” if hosted in Azure.

  • 4 GB RAM
  • 2 CPUs
  • 30 GB of disk space

OS Requirements:

  • VM with Ubuntu 20.04 and above OR RHEL 8.0 and above.
  • Latest Version of Docker or Podman must be pre-installed.

Staff Requirements

Configuring the Moveworks agent takes approximately one hour, and is typically done by a member of your organization’s infrastructure team (preferably with hands-on Linux experience). The setup can be handled end to end by your team or can be done over a guided set up call with your Moveworks Customer Success Engineer. Additional meetings may be required based on complexity of issues found during initial installation. e.g: network issues, firewall issues, permission issues, etc.