User management (Active Directory)

If TightGate-Pro is connected to an Active Directory (AD) directory service, users can be automatically authenticated via single sign-on as soon as they have logged on to their workstation in the same AD domain. Furthermore, essential characteristics of the user accounts can be maintained centrally in the AD, which significantly facilitates the administration of TightGate-Pro, especially in larger infrastructures.

What is needed:

Creating or changing a user (or group of users) is done by adding or removing them from the defined security groups on the AD. If a user is a member of the security group TGProUser, he or she can log in. The further options for the user are defined by the membership in corresponding security groups. The first time a user logs on via AD, the user directory is created at TightGate-Pro. This means that the initial login takes a little longer.

This is how it works

To change the attributes of a user or user group, the users or user groups concerned must be added to or removed from the corresponding security groups. The attributes take effect the next time the user logs in with the TightGate Viewer. The following table lists all security groups available for TightGate-Pro, with a description and a recommendation:

| Group name | Authorisation on TightGate-Pro | Recommendation for normal users |
| --- | --- | --- |
| TGProUser | User authorisation for TightGate-Pro | Yes |
| TGtransfer | User authorisation for the file lock. The authorisation can only be granted or withdrawn via this group. Further configuration with regard to transfer directions and permitted file types is only possible via membership in the group(s) TGtransferN. | Yes |
| TGtransferN | Transfer group N; defines the permitted MIME types for file transfer. If a user is in several transfer groups, the rights of the individual groups are cumulated. Membership in the group TGtransfer is mandatory for use. Up to 99 transfer groups can be defined on TightGate-Pro. | Yes |
| TGaudio | Authorisation for sound transfer from the Internet | Yes |
| TGtransferSpool | Authorisation for automatic print output on the Windows workstation. | Yes |
| TGunfiltered | Authorisation to use the Internet without content filters from TightGate-Pro. | Yes |
| TGchromeicon | Display of the Chrome browser in the menu bar of the TightGate viewer | Optional |
| TGopswat | Assignment of the file lock via OPSWAT. Membership in this group is mandatory if OPSWAT is to be used. If an identifier is not in this group, OPSWAT is not used and all group memberships in the TGopswatN groups are ignored. For OPSWAT to be used effectively, membership in a TGopswatN group must also be set. If there is no membership in a TGopswatN group, the standard OPSWAT rule is always used. | Optional |
| TGopswatN | OPSWAT group 1-9; assigns the OPSWAT rule to be used to a user. Only one TGopswatN group may be used per user, otherwise errors may occur. The TGopswatN groups correlate with the OPSWAT rules created by the administrator config. | Optional |
| TGtoricon | Display of the TOR browser in the menu bar of the TightGate viewer (see the instructions for using the TOR browser in TightGate-Pro) | Optional |
| TGfiltergroupN | Web filter group N; assigns the forced use of the web filter. Only one web filter group is used per user. If a user is in several web filter groups, TightGate-Pro automatically uses only the rights from the highest web filter group. Rights from several groups are not cumulated. Up to 99 web filter groups can be defined. | Optional |
| TGmaxfilesize | Members of this group may process files larger than 4 GB. | Optional |
| TGtransferAuto | Permission to use the automatic file transfer. | Optional |
| TGnoidleTimeout | Exempts the identifier from forced disconnection on inactivity. This does not remove the disconnection when the Maximum Session Duration is reached. | Optional |
| TGbandwidth | Use of the bandwidth optimisation of the TightGate viewer. The display quality is reduced by one level, but the required bandwidth is significantly reduced. | Recommended for WAN |
| TGbandwidthhigh | Use of the maximum bandwidth optimisation of the TightGate viewer. Maximum compression is applied at TightGate-Pro. With this compression the bandwidth utilisation shrinks to one fifth of the normal bandwidth, but the CPU consumption at TightGate-Pro rises sharply. Warning: This compression level requires very high CPU resources at TightGate-Pro AND on the local workstation PC, which can affect the performance of the entire TightGate-Pro system. Please contact the technical support of m-privacy GmbH for advice before implementing this compression. | No |
| TGprivileged | Additional authorisation to log in as a privileged user. Membership in the security group TGProUser is always required as well, together with a TightGate-Pro licence that allows privileged users. | No |
| TGadminMaint | Login as administrator maint | No |
| TGadminConfig | Login as administrator config | No |
| TGadminUpdate | Login as administrator update | No |
| TGadminBackuser | Login as administrator backuser | No |
| TGadminRoot | Login as administrator root | No |
| TGadminSecurity | Login as administrator security | No |
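
Several rules in the table above describe membership combinations that silently do nothing or are unsupported (a TGtransferN group without TGtransfer, a TGopswatN group without TGopswat, more than one TGopswatN group, TightGate-Pro groups without TGProUser, several TGfiltergroupN groups of which only the highest counts). The following PowerShell audit function is an added example and is not part of this page or of TightGate-Pro; the group names are the page's, while the function name and the sample membership list are assumptions.

```powershell
# Added example: audit one user's AD group list against the rules in the table above.
# Function name and the constructed sample data are assumptions, not TightGate-Pro code.
function Test-TGProMembership {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string[]]$Groups   # names of the AD groups the user is in
    )
    $tg        = @($Groups | Where-Object { $_ -like 'TG*' })
    $transferN = @($tg | Where-Object { $_ -match '^TGtransfer\d+$' })
    $opswatN   = @($tg | Where-Object { $_ -match '^TGopswat\d+$' })
    $filterN   = @($tg | Where-Object { $_ -match '^TGfiltergroup\d+$' })
    $findings  = @()

    if ($tg.Count -gt 0 -and 'TGProUser' -notin $tg) {
        $findings += 'TightGate-Pro groups present but no TGProUser: the user cannot log in'
    }
    if ($transferN.Count -gt 0 -and 'TGtransfer' -notin $tg) {
        $findings += "TGtransferN without TGtransfer: file lock stays withheld ($($transferN -join ', '))"
    }
    if ($opswatN.Count -gt 0 -and 'TGopswat' -notin $tg) {
        $findings += 'TGopswatN without TGopswat: OPSWAT group memberships are ignored'
    }
    if ('TGopswat' -in $tg -and $opswatN.Count -eq 0) {
        $findings += 'TGopswat without a TGopswatN group: the standard OPSWAT rule is used'
    }
    if ($opswatN.Count -gt 1) {
        $findings += "more than one TGopswatN group, which may cause errors ($($opswatN -join ', '))"
    }
    if ($filterN.Count -gt 1) {
        $findings += "several TGfiltergroupN groups; only the highest is applied ($($filterN -join ', '))"
    }
    if ('TGbandwidthhigh' -in $tg) {
        $findings += 'TGbandwidthhigh set: high CPU load, consult m-privacy support first'
    }
    [pscustomobject]@{ User = $SamAccountName; Findings = $findings }
}

# Constructed sample membership list (not real directory data). In a domain, the list can be
# obtained with (Get-ADPrincipalGroupMembership -Identity $sam).Name from the ActiveDirectory module.
$sample = @('Domain Users', 'TGProUser', 'TGtransfer1', 'TGopswat1', 'TGopswat2', 'TGfiltergroup3')
Test-TGProMembership -SamAccountName 'jdoe' -Groups $sample | Format-List
```

For the sample list the function reports the missing TGtransfer group and the two TGopswatN groups; running it over all members of TGProUser turns the table's rules into a periodic consistency check of the AD.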

Note: Expired passwords also block user accounts that want to log in with Single Sign-on (SSO) via Active Directory or user certificates. If SSO is used, please deactivate the password.

A user is removed by removing him/her from all security groups of TightGate-Pro in AD. After removal from the security groups, the user can no longer log on to TightGate-Pro. If the user account on TightGate-Pro is to be deleted completely, please follow these instructions.

Notes on Deleting a User Account Using Active Directory

The complete deletion of a user is only effective if the user has also been removed from the security groups TGProUser and TGtransfer in the Active Directory. Otherwise, the user is automatically recreated when the user in question attempts a logon.