Figure 16-3 Filr Processes Metadata to Make LDAP Users and Groups Visible to Filr Users
| Letter | Details |
|---|---|
| | Filr directs and coordinates the processing of metadata for users and groups. |
| | Filr retrieves and stores the metadata in the SQL appliance or server. |
| | After metadata retrieval, Filr directs the Filr Search (Lucene) indexer to process it for viewing in the Filr apps. |
| | Organization users and groups are either synchronized from the LDAP identity stores (shown) or created directly in Filr (not shown). |
| | After the metadata is processed for users and groups, Filr users can see them in the Filr apps (Letter F). |
| | Filr apps for desktops, mobile devices, and web access let Filr users interact with the users and groups that are made accessible through Filr. |

The following are key points to consider and understand regarding user visibility in Filr.
LDAP Synchronization Is Key: As explained in How Filr Makes LDAP Users and Groups Visible, LDAP metadata must be imported and processed to make user and group objects visible.
After the initial LDAP import, user and group metadata in Filr must be kept in sync with back-end LDAP identity stores, as explained in Synchronization Process Overview.
All Filr System Components Must Be Online: For Filr users to appear in the various dialogs and lists, the Filr appliance, the Filr Search appliance, and the SQL database must all be online.
Who Can See Whom: For various reasons, such as security, large numbers of users, and so on, it might be necessary to limit user visibility.
Starting in Filr 2.0, administrators can restrict which users can see each other. See User Visibility in the Filr 4.3: Administrative UI Reference.
User-Visibility Is Either Restricted or Not: From a user-visibility standpoint, there are only two conditions:
Limited Visibility: A user account has a user-visibility limitation applied; therefore, the user can see only other members of the groups it belongs to.
Unlimited Visibility: Either the user’s account has no user-visibility limitation applied, or an override is in place. In both cases, the user can see all other users on the system.
Group Visibility: Cannot be restricted; all groups are visible to all users.
In the default state, there are no user-visibility limitations in Filr.
User-visibility functionality relies on group membership.
In the figure below:
Group A contains User A.
Group B contains User A and User B.
Group C contains User C and User X.
Users D and E are not members of a group.
Filr admins apply user-visibility limitations to groups. Users within the affected groups can then only see other members of the groups that they belong to.
For example, after a user-visibility limitation is applied to Group A, User A can only see User B. (User B’s ability to see other users is not affected because User B is not in Group A.)
You cannot restrict group visibility.
You can apply user-visibility limitations to individual users.
For example, an administrator might restrict User C rather than Group C. User C could then only see User X. (User X, on the other hand, could still see all users on the system.)
A user with user-visibility limitations applied who is not a member of a group cannot see any other users on the system. Of course, the user can still see all groups, but not being able to see user comments, etc., inhibits effective collaboration through Filr.
Adding a user to a group immediately applies the group’s visibility limitations.
For example, if User E is added to Group A, its user-visibility is immediately limited to seeing only User A.
Applying an override to a user account lifts all user-visibility limitations from that user account.
Applying new user-visibility limitations doesn’t affect overrides. User B is now restricted, but User A can still see all other users.
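The rules above can be checked against a planned group layout before limitations are applied. The following is an added example, not Filr code or a Filr API: a small Python model of the visibility rules described on this page, with hypothetical class and function names and constructed sample data that mirrors the groups listed earlier.

```python
from dataclasses import dataclass, field

@dataclass
class VisibilityModel:
    """Model of the page's rules; all names are hypothetical, not Filr APIs."""
    users: set                     # every user account on the system
    groups: dict                   # group name -> set of member user names
    limited_groups: set = field(default_factory=set)  # limitation applied to a group
    limited_users: set = field(default_factory=set)   # limitation applied to a user
    overrides: set = field(default_factory=set)       # users with an override

    def is_limited(self, user):
        if user in self.overrides:          # an override lifts every limitation
            return False
        if user in self.limited_users:
            return True
        return any(user in self.groups.get(g, ()) for g in self.limited_groups)

    def visible_users(self, user):
        others = self.users - {user}
        if not self.is_limited(user):       # unlimited: sees all other users
            return others
        peers = set()
        for members in self.groups.values():
            if user in members:             # limited: fellow group members only
                peers |= members
        return peers & others

    def visible_groups(self, user):
        return set(self.groups)             # group visibility cannot be restricted

    def isolated_users(self):
        """Limited users who can see nobody, such as a limited user in no group."""
        return {u for u in self.users
                if self.is_limited(u) and not self.visible_users(u)}

def page_figure():
    """Constructed sample data matching the group memberships listed on this page."""
    return VisibilityModel(
        users={"User A", "User B", "User C", "User D", "User E", "User X"},
        groups={"Group A": {"User A"}, "Group B": {"User A", "User B"},
                "Group C": {"User C", "User X"}},
    )

if __name__ == "__main__":
    m = page_figure()
    m.limited_groups.add("Group A")   # limitation on Group A
    m.limited_users.add("User D")     # limitation on a user with no group
    for u in sorted(m.users):
        print(u, "sees", sorted(m.visible_users(u)))
    print("isolated:", sorted(m.isolated_users()))
```

Running `isolated_users()` against a planned configuration flags accounts that would lose sight of every other user, which is the collaboration problem described above for limited users with no group membership.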