Configuring the Enterprise to Use Active Directory

Some retailers might have specific requirements in providing authorization for their associates to sign on and access the POS application. For these requirements, the POS application can be configured to use Microsoft Active Directory for Windows to authenticate and authorize POS associates. For more information, refer to Active Directory Concepts.

Note

Before configuring your system with Active Directory authentication, consult with an NCR Representative.

In the Advanced Store solution, by default, the POS uses the Advanced Store CoreDb database to authenticate users. The option to use Active Directory is configurable in the web.config file on the Enterprise Solutions Web Server.

When POS user authentication has been configured to use Active Directory, the user records are located in the Active Directory database. The configuration specified in the web.config file determines the database used to validate the user credentials. This information is necessary so that valid associates signing on to the POS application can be granted access. The web.config file also specifies the LDAP role validation type, domain name, and delimiter, if applicable.

Prerequisites

Before configuring POS user authentication, ensure that the following requirements are met:

  1. The Enterprise Solutions Web Server has been installed.
  2. The domain objects in the Active Directory have already been added, defined, and linked.
  3. The store in the Organizational Hierarchy has been identified.
  4. The POS terminals in the store have not been started.

Understanding Lightweight Directory Access Protocol (LDAP) Roles

NCR supports two modes of LDAP integration:

  • Global Role—A user has the same role everywhere in the organization. For example, a user is a cashier in every store.
  • Store-specific Role—A user can have different roles depending on the store they log in from. For example, a user is a team lead in one store, but is a cashier in another store. Alternatively, a user is authorized to work at one store, but not authorized to work in other stores.

The NCR Roles database table lists the Role Codes and associated Role Names, which are set up by the retailer.

  • Role Code—The code associated with a user’s function, such as 10 or 20. This code is usually numeric.
  • Role Name—The descriptive name associated with a user’s function, such as Cashier or Lead.

The following table is representative of the Roles table.

  Role Name            Role Code
  Cashier              30
  Department Manager   20
  Store Manager        10
  Store Support        90
  Terminated           50

When determining a user’s role, the NCR enterprise system will look at a user’s AD group membership list and compare it against the NCR Roles table to determine their role.

LDAP role delimiter

The LDAP Role Delimiter is used to separate the organization name from the role code for the Active Directory group name. If the OrgName is being validated, only the users in the Active Directory group that match the OrgName in the login request are permitted to access the POS functions. The OrgName is the data in the Active Directory group before or after the separator character. For example, a user in the Managers_111 AD group would only have access to the Managers functions in OrgName 111 but would not have access to any functions in OrgName 222.

The default delimiter is an underscore, but this value can be changed. When using the underscore (_) delimiter, the AD group names are formatted as follows:

  • OrgName_RoleCode (e.g. 111_10) or
  • RoleCode_OrgName (e.g. 10_111)

When deciding on a delimiter to use, it is important to note that the delimiter needs to be a character that is not otherwise used in any AD group name. If an underscore is already used within an AD group name, you should select a new delimiter character.

Note

The delimiter is only applicable when using the RoleCode or RoleName LDAP role validation types. If LDAPRoleValidationType is set to RoleCodeOnly or RoleNameOnly, the delimiter is not used.

LDAP role validation types

The LDAPRoleValidationType specifies how the NCR enterprise system will interpret AD groups and assign NCR roles. This is a global setting for POS authorization. The following Role Validation Types are supported:

RoleCodeOnly—Validates the LDAP group against the CoreDb role code only.

  • This setting is used when the retailer requires global roles for a user.
  • The NCR system expects to find an AD group where the user’s authorized role code is specified.

For example, assume that Store Manager is role code 10. If a user is authorized to be a Store Manager in every store, they need to be a member of an AD group called “10”.

RoleNameOnly—Validates the LDAP group against the CoreDb role name only.

  • This setting is used when the retailer requires global roles for a user.
  • The NCR system expects to find an AD group where the user’s authorized role name is specified.

For example, if a user is authorized to be a Cashier in every store, they need to be a member of an AD group called “Cashier”.

RoleCode—Validates the LDAP group against the CoreDb org name and role code.

  • This setting is used when the retailer requires store-specific roles for a user.
  • The NCR system expects to find an AD group where the user’s authorized Org Name (store) and Role Code are specified. They are separated by an LDAP role delimiter.

For example, assume that LDAPRoleDelimeter is set to “_” and Store Manager is role code 10. If a user is authorized to be a Store Manager in stores 111 and 222, they would need to be members of two AD groups: 111_10 and 222_10.

RoleName—Validates the LDAP group against the CoreDb org name and role name.

  • This setting is used when the retailer requires store-specific roles for a user.
  • The NCR system expects to find an AD group where the user’s authorized Org Name (store) and Role Name are specified. They are separated by an LDAP role delimiter.

For example, assume LDAPRoleDelimeter is set to “_”. If a user is authorized to be a Cashier in stores 111 and 222, they would need to be members of two AD groups: 111_Cashier and 222_Cashier.
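
The role resolution described for the four validation types, as an added example that is not NCR's own code: it maps a user's AD group names to role codes from the Roles table above, applies the delimiter only for the store-specific types, and checks the OrgName against the store the user is signing on to. Which side of the delimiter holds the OrgName (org_first) is an assumption made configurable here, since the page allows either order.

```python
# Added example, not NCR's own code: resolve the NCR role(s) a POS user
# holds at a given store from the AD groups they belong to, following the
# LDAPRoleValidationType and LDAP role delimiter rules described above.

# Role Code -> Role Name, as in the Roles table above
ROLES = {30: "Cashier", 20: "Department Manager", 10: "Store Manager",
         90: "Store Support", 50: "Terminated"}
VALIDATION_TYPES = ("RoleCodeOnly", "RoleNameOnly", "RoleCode", "RoleName")


def bad_delimiter_groups(groups, delimiter="_"):
    """Groups in which the delimiter occurs more than once. The page requires
    the delimiter to be a character not otherwise used in any AD group name,
    so these are the groups a store-specific type would silently ignore."""
    return [g for g in groups if g.count(delimiter) > 1]


def resolve_roles(groups, validation_type, org_name, delimiter="_",
                  org_first=True, roles=ROLES):
    """Return the set of role codes the user is authorized for at org_name.

    groups          AD group names the user is a member of
    validation_type one of VALIDATION_TYPES (global setting in web.config)
    org_first       assumption: OrgName precedes the role (OrgName_Role);
                    False means the role comes first (Role_OrgName)
    Groups that do not have the expected shape are ignored.
    """
    if validation_type not in VALIDATION_TYPES:
        raise ValueError(f"unknown LDAPRoleValidationType: {validation_type}")
    by_name = {name: code for code, name in roles.items()}
    store_specific = validation_type in ("RoleCode", "RoleName")
    use_code = validation_type in ("RoleCodeOnly", "RoleCode")
    matched = set()
    for group in groups:
        role_part = group
        if store_specific:
            # The delimiter applies only here; the *Only types ignore it.
            parts = group.split(delimiter)
            if len(parts) != 2:
                continue
            org, role_part = parts if org_first else parts[::-1]
            if org != org_name:
                continue  # authorized at another store, not this one
        if use_code:
            if role_part.isdigit() and int(role_part) in roles:
                matched.add(int(role_part))
        elif role_part in by_name:
            matched.add(by_name[role_part])
    return matched
```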

LDAP Domain Name

The LDAPDomainName setting in web.config determines which user name attribute is used for authentication and user filtering.

If LDAPDomainName is set to <DNS name> (e.g. weboffice), the Pre-Windows 2000 user name will be used during authentication and user filtering. This method uses the samAccountName attribute of the user data and is limited to 20 characters.

If LDAPDomainName is set to @<DNS Name>.<domain> (e.g. @weboffice.local), the Post-Windows 2000 user name will be used during authentication and user filtering. This method uses the userPrincipalName attribute of the user data and supports up to 256 characters. However, the Advanced Store solution supports a maximum of 32 characters for user names.

If using Active Directory for user role authentication, and using Sample Data files, make sure to edit the job codes to match the group names set up in Active Directory.