Configure OAuth Security
The Jive Connector uses OAuth authentication when connecting to your Jive system. OAuth specifies a process for resource owners to authorize third-party access to their server resources without providing credentials. To enable the connector to connect by way of OAuth, you must install the BA Insight Jive Connector add-on to your Jive system. The steps below describe how to obtain, install, and use that app to set up OAuth security for the connector.
Install the BA Insight Jive Connector Add-on into Jive.
- Download the add-on from your local connector installation.
- Go to: http://<host>:<port number>/OAuth.aspx where <host> is the FQDN, hostname, or IP of the server where the connector is installed, and <port number> is the port number chosen during the installation process.
- An upload and authorization page appears. In the Upload the add-on into Jive section, click the Jive Add-on package link, and download the add-on.
- Log in to Jive as an administrator to add the Add-on. Click Manage > Add Ons, and upload the package you just downloaded from the connector.
Retrieve the Client ID and Secret
- In the Jive administration portal, click Add-ons > All Add-ons > Installed.
- Find the Add-on that you just uploaded, click the sprocket icon, then click View Client ID and Secret. Copy these values for use in the next steps.
Generate the Token and Authorization ID
- On the BA Insight Jive Connector OAuth page (see Install the BA Insight Jive Connector Add-on into Jive), click Next.
- In the Authorize the add-on section, complete the following fields.
- Authorization ID: An ID that you choose; it is used when configuring the connector in later steps.
- Jive Instance URL: The URL to your Jive system.
- Client ID: The client ID found in the previous section.
- Client Secret: The secret found in the previous section.
- Click Authorize.
- You are prompted to log in to Jive. Use the account that you wish to use when crawling Jive.
- This account should have read access to all of the items you wish to crawl, as well as the ability to read all users, groups, and security settings in your site.
- After logging in, you are asked if you wish to allow access to Jive. Click Allow.
- The token is generated, and a success message appears.
How to Configure Your Connection
Add the Connection Information
Use the following steps to add a connection to the Connector Framework. This tells the Connector Framework how to access your source system via the connector installed in the previous chapter.
A connection defines how Connectivity Hub connects to your source system (which contains your documents, graphics, etc.). Your connection includes identifying elements such as: the URL of the BA Insight web service connector you are using (File Share connector, SharePoint Online connector, etc.), authentication mode, user accounts and credentials, and database information (for database connectors).
Your source system is the repository where your data is stored (data to be indexed). This repository is managed by applications such as SharePoint O365, SharePoint 2013/16/19, Documentum, File Share, OpenText, Lotus Notes, etc. Your source system repository can also be a database such as SQL or Oracle.
- In the connector framework, on the Connections tab, select WebService Connection from the “Add New” dropdown list.
- Enter the basic connection data:
- Title: The name used for the connection.
- Content Owner: The SharePoint user who will have full access to all content crawled by this connection. Typically this is a service account.
- Discovery Group (optional): Any AD group that will also be granted access to all items crawled by this connection. (AD is a directory service for Windows domain networks: a hierarchical structure that stores information about objects on the network, used to manage permissions and control access to critical network resources.)
- Web Service: The URL to the connector web service, installed in the previous chapter.
The URL should be in the format:
http://<host>:<port number>/dataconnector.asmx
where <host> is the FQDN, hostname, or IP of the server where the connector is installed, and <port number> is the port number you chose during installation.
- Click Connect or Refresh Web service. The page re-loads with additional options.
- Complete the information to connect to Jive.
- Authorization ID is the ID generated in Generate the Token and Authorization ID.
- Return all items as Public tells the connector to ignore the security set in Jive, so that all users can find the Jive content in your SharePoint search results.
Configure the AD Settings Page
The Active Directory (AD) configuration is required. This configuration ensures that the security provided on items in the source system is maintained in the SharePoint search index. The search index contains data from your source system; your search application instance (Elasticsearch, SharePoint Online, etc.) contains the search indexes, one search index per content source.
- Click the AD Settings tab.
- If you have configured another Connector and wish to use the same security mapping, use the Master Security Connection. Select the existing connection that will serve as the master for this connection.
- Typically, this setting is only used when there are multiple connections to the same source system.
- Default Domain:
- You must specify this entry using the fully qualified domain name format.
- This is the domain where your AD user accounts exist.
- The source system users are mapped to these domain accounts, and security groups are created or populated based on the settings below.
- Group Creation Mode: This setting determines how Connector Framework creates groups in the AD.
The following selections are available:
- Native:
- Groups are not created.
- This mode does not use AD security groups, and requires additional software / functionality to support this mode.
- Manual:
- Groups are not automatically created in AD during the security synchronization job (which loads User and Group tables and executes the mapping based on the connector configuration).
- However, administrators can manually trigger group creation using the Security Mapping page.
- Automatic:
- Groups are automatically created in AD when you Run a Security Synchronization Task.
- Delay Group Synchronization:
- This option, when selected, enables Connector Framework to populate AD groups with members only after each group is used to secure items in the SharePoint index.
- This option reduces the number of groups that a user is assigned to in AD by excluding the groups that are not necessary for Connector security.
- When this option is enabled, the first security synchronization operation does not add the members into the groups in AD.
- You must perform a full crawl after you Run a Security Synchronization Task.
- The full crawl identifies for Connector Framework which groups are used. Another (second) security synchronization operation is then performed in order to populate the groups in use.
- Synchronize Group Users Only:
- Leave this setting selected in order to flatten the security structure of the source system.
- This operation prevents AD groups from containing child groups. If you leave this option selected and if the source system has hierarchical groups, these groups are expanded (in other words, the users of the child groups are assigned to the parent).
- Dynamic Group Threshold:
- This setting determines the minimum number of users that must be present in a source system group in order for that group to be marked as a dynamic group in the Connector Framework and created in the AD.
- Dynamic groups are added to the item ACL, and users are granted access to that item when the user is a member of the group in AD.
- Below this threshold, the group is marked as expanded. At crawl time, users in expanded groups are added to the item ACL as individuals.
- For more information, contact your BA Insight representative.
- Active Directory Login:
- This setting identifies the account that is used to create groups and to insert users into these groups in your AD.
- Enter the Authentication Mode, Domain Account, and Password. Use the drop-down menu in Authentication Mode to select:
- Service Account: This mode uses the SharePoint Search Service Account to access the database when crawling; the SharePoint Timer Service Account when Connector Framework tasks are running; and the SharePoint Central Admin application pool account when performing tasks (such as setup and configuration) in the Connector Framework UI.
- Impersonate: Enter the valid AD user name and password.
- Group OU Location:
- This setting identifies where the groups created by the connector framework will reside in your Active Directory.
- BA Insight recommends the default SharePoint Groups, or a similar location where all groups created by the Connector will reside.
- The purpose of creating a Group OU is to maintain SharePoint groups that are separate from the other central AD groups.
- This separation reduces any potentially negative security impact, because the SharePoint groups do not interfere with other groups or the security of any other system or OU.
- Note: Make sure this location exists and that the Active Directory Login account information has group management privileges.
- Group Naming Format:
- This is the naming format that is used when creating groups in AD.
- The following variables are available and should be used: [TITLE] is replaced with the connection name; [GROUP] is replaced with the system's group name.
- Active Directory Update Method Override:
- Select this operation if you want to override the standard method of adding users to groups.
- This option should be used only in multi-domain environments when standard methods fail.
- All Users Group:
- Select this operation to create an All Users Group that contains all of the valid users in your source system.
- At index time, any group marked Public in the source system is made available to this group. In this case, public documents in the source system are restricted in SharePoint to the valid source system users.
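The following added example (not BA Insight code) models how the Synchronize Group Users Only, Dynamic Group Threshold, and Group Naming Format settings described above decide which principals end up on an item ACL. The group data, the naming format value, and the `user:`/`group:` prefixes are constructed for illustration, and counting users after flattening is an assumption.

```python
# Illustrative model only; names and sample data are constructed, not product code.

def flatten(group, groups, _seen=None):
    """Expand child groups so the parent holds users only (Synchronize Group Users Only)."""
    seen = _seen if _seen is not None else set()
    if group in seen:              # cyclic nesting in the source system: stop here
        return set()
    seen.add(group)
    users = set()
    for member in groups[group]:
        if member in groups:       # member is a child group: assign its users to the parent
            users |= flatten(member, groups, seen)
        else:
            users.add(member)
    return users

def ad_group_name(fmt, title, group):
    """Apply the Group Naming Format variables [TITLE] and [GROUP]."""
    return fmt.replace("[TITLE]", title).replace("[GROUP]", group)

def item_acl(item_groups, groups, threshold, fmt, title):
    """Return the ACL entries for an item secured by `item_groups`.

    Groups with at least `threshold` users are dynamic: the AD group goes on the ACL.
    Smaller groups are expanded: their users go on the ACL as individuals.
    Assumption: the user count is taken after flattening.
    """
    acl = set()
    for g in item_groups:
        users = flatten(g, groups)
        if len(users) >= threshold:
            acl.add("group:" + ad_group_name(fmt, title, g))
        else:
            acl |= {"user:" + u for u in users}
    return acl

# Constructed sample: Engineering and Platform reference each other (a cycle).
GROUPS = {
    "Engineering": ["alice", "bob", "Platform"],
    "Platform": ["carol", "dave", "Engineering"],
    "Legal": ["erin"],
}

if __name__ == "__main__":
    print(sorted(flatten("Engineering", GROUPS)))
    print(sorted(item_acl(["Engineering", "Legal"], GROUPS, 3, "[TITLE]_[GROUP]", "Jive")))
```

Reviewing the output for a few representative items shows which source groups will exist in the Group OU and which users are written directly onto item ACLs for a given threshold.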
Configure the Users/Group Sync
The user/group sync page is used to allow VB scripts to act on the user / group mapping, allowing for advanced configuration. More information on available scripts and methods can be found in the web help.
Complete the Connection Setup
Click “Save” to store the connection configuration. Before proceeding to Creating and Configuring a Content Source, you must run the Datastore Types Load and Security Sync jobs. Datastore Types Load collects the types of data from your source system, runs on a set schedule, and requires a log level which logs information. Security Sync loads User and Group tables and executes the mapping based on the connector configuration.
These jobs connect to the source system to find the object types available to be crawled, and create the security mapping of users and groups from the source system into the Connector Framework and Active Directory.
To run these jobs:
1. In the connector framework UI, go to the Tasks tab.
2. Select the connection from the Item dropdown list.
3. Select the Datastore Types Load from the Job Definitions dropdown list.
4. Set the remaining options as you desire; default values are fine for normal operation.
5. Click the Start Job button.
6. Repeat steps 1-5, but select “Security Sync” in step 3.
7. Watch the job status table at the bottom of the page to see the status of the jobs.
8. Click the “Refresh” button at the top of the table to see the updated status.