Active Directory Integration In VMS Systems

Undisclosed Integrator #1
Oct 09, 2014

I recently came into a discussion about integration of Active Directory (AD) in VMS systems, but I do not know to what degree different VMS systems actually integrate AD. Single sign-on would theoretically be logical and easily achieved (by allowing AD users or groups to be added as users in the VMS system), but how about full-blown access control? Are there any VMS that actually use AD to configure in detail what cameras users have access to and what kind of access they should have (View, Control, Playback...)?

Sean Patton
Oct 09, 2014

So you're talking about setting the permissions in AD? With Genetec you can pull in entire AD Security Groups and their included users, and then set the permissions for those groups (as far as what they can do) in Genetec itself. I've always assumed that's how other manufacturers work their LDAP integration.

Ryan Hulse
Oct 09, 2014

For exacqVision the configuration of granular permissions (cameras, playback, etc.) is performed and stored in exacqVision. You can map those permissions to AD users or AD groups, so you don't need to manage the *users* in exacqVision, but the *permissions* are managed in exacqVision.

Single sign-on is supported as well.

Undisclosed Integrator #1
Oct 10, 2014

Yes, my assumption as to how this was probably handled by different VMS systems was: bring AD groups into the VMS system, where each group is assigned access to the VMS, and then use AD to assign specific AD users to the AD groups according to what access they need, and not the other way around (bring cameras and other items from the VMS into AD and assign cameras... to each AD user/AD group).

For example:

Make an AD group: Name=VMS_View_cameras_only
Assign this group to an operator user group on the VMS system that has view-only access to the cameras.

Make an AD group: Name=VMD_Full_camera_control
Assign this group to an operator user group on the VMS system that has full control of the cameras.

Make an AD group: Name=VMD_Administrators
Assign this group to an administrator user group on the VMS system.

Am I right in assuming this is the way that most VMS systems do AD/LDAP integration?

Robert Shih
Aug 01, 2023
Independent

Going to revive this from the dead, but as physical security becomes more tied in with cybersecurity and MSSPs demand greater control over things, how advanced has integration with Active Directory and even its Azure counterpart come along? Also, what about implementation of security protocols like FIDO2 and tokens like Yubikey?

Josh Hendricks
Aug 04, 2023
Milestone Systems

Milestone supports AD as well as any external identity providers with support for OpenID Connect including Azure AD, Okta, Auth0, ADFS, etc.

For AD integration, we don’t store any properties directly in AD. Instead, when you add a user or group to a role in Milestone, some basic information is stored in Milestone including the SID, domain, and group/account name.

Every 10 minutes a sync is done with AD to make sure the identities still exist, and if not, they are removed from Milestone so that you don’t have to manually clean things up.

Ideally you’ll add groups to Milestone roles so that you don’t need to manually add users in Milestone after adding users in AD. And since a user can be a part of more than one role, you can choose to set up roles and AD groups based on granular permissions. For example, you might have AD groups named “VMS-View-Live” and “VMS-View-Playback” with corresponding roles in Milestone. If User123 needs both live and playback, add them to both groups in AD and nothing more is needed in Milestone.

With Azure AD and other OIDC providers, role assignment is done based on a claim name/value that you define in the roles. You can use any claims available to the application setup in the identity provider. Often group names or ids are used.

Support for multi-factor authentication is up to the identity provider, so as long as that supports/requires a Yubikey for MFA login, users will be prompted by the identity provider for it for a successful authentication.
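The role model described in this post (AD groups mapped to VMS roles, a user's roles being the union over all groups, role assignment from OIDC claims, and a periodic sync that drops identities deleted from the directory) can be sketched in a few functions. The following is an added illustration written for this thread; it is not Milestone's, Genetec's or any vendor's code, and every SID, group name, claim name and the `sid_exists` lookup are constructed placeholders standing in for real directory and identity-provider queries.

```python
# Added illustration (not any vendor's code): AD-group and OIDC-claim based
# role assignment for a VMS, plus the sync step that prunes deleted identities.
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """What the VMS stores per role member: SID, domain and account/group name.
    All values used below are constructed sample data."""
    sid: str
    domain: str
    name: str


def build_sample_roles():
    """Role name -> set of AD principals granted that role (constructed)."""
    return {
        "View-Live": {Principal("S-1-5-21-1-1001", "CORP", "VMS-View-Live")},
        "View-Playback": {Principal("S-1-5-21-1-1002", "CORP", "VMS-View-Playback")},
        "Administrators": {Principal("S-1-5-21-1-1003", "CORP", "VMS-Administrators")},
    }


def effective_roles(user_sid, group_sids, roles):
    """Union of roles granted to the user directly or through any AD group
    the user belongs to; membership in two groups yields both roles."""
    principal_sids = {user_sid} | set(group_sids)
    return {
        role for role, members in roles.items()
        if any(m.sid in principal_sids for m in members)
    }


def claim_roles(claims, claim_rules):
    """Roles from an OIDC ID token. Each rule is (claim_name, claim_value, role).
    Multi-valued claims such as 'groups' arrive as lists, so a rule matches when
    its value is among them; a claim absent from the token grants nothing."""
    granted = set()
    for claim_name, claim_value, role in claim_rules:
        values = claims.get(claim_name)
        if values is None:
            continue
        if not isinstance(values, (list, tuple, set)):
            values = [values]
        if claim_value in values:
            granted.add(role)
    return granted


def sync_with_directory(roles, sid_exists):
    """Periodic sync (the post describes a 10-minute interval): remove every
    role member whose SID no longer resolves in AD, so a group or account
    deleted in the directory loses VMS access without manual cleanup.
    sid_exists is a lookup callable standing in for a real directory query.
    Returns the removed principals so the change can be logged/audited."""
    removed = set()
    for members in roles.values():
        stale = {m for m in members if not sid_exists(m.sid)}
        members -= stale
        removed |= stale
    return removed


def demo():
    """Walk through: user in both view groups, then the playback group is deleted in AD."""
    roles = build_sample_roles()
    user = "S-1-5-21-1-5000"                          # constructed user SID
    groups = ["S-1-5-21-1-1001", "S-1-5-21-1-1002"]   # member of both view groups
    before = effective_roles(user, groups, roles)
    # Simulated directory state after VMS-View-Playback was deleted in AD.
    live_ad = {"S-1-5-21-1-1001", "S-1-5-21-1-1003", user}
    removed = sync_with_directory(roles, lambda sid: sid in live_ad)
    after = effective_roles(user, groups, roles)
    return before, {p.name for p in removed}, after


if __name__ == "__main__":
    print(demo())
```

The sync deliberately keys on the SID rather than the display name: a group renamed in AD keeps its SID and its access, while a deleted and recreated group gets a new SID and has to be re-granted, which is the behaviour an auditor usually wants.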

Undisclosed Integrator #2
Aug 04, 2023

Pretty much all of our VMS deployments include AD integration. We see demand for Azure AD and MFA requests coming in more often, but due to the complexity involved on the customer side, in most cases they settle for the basic AD tie-in. We also do more cardholder AD integrations, where we pull cardholders from AD to make it easier to manage them, with the added security benefit of credentials being revoked the moment a cardholder is removed from AD. This saves the additional work of going into the access control software to disable a cardholder, or forgetting to remove old accounts.

Robert Shih
Aug 04, 2023
Independent

Which VMS are you going with for these scenarios?

Undisclosed Integrator #2
Aug 04, 2023

Most of our installs are Genetec, but most enterprise VMS support AD integration.

Robert Shih
Aug 04, 2023
Independent

For me, import and integration are different. Actually synchronizing permissions in real time to onboard or offboard employees in a production environment has its intricacies and I recall that VMS software often only imported these things on command. Can Genetec receive a push from AD to add a new account for example?

Undisclosed Integrator #2
Aug 04, 2023

Yep, as users are added and deleted in AD, they are automatically added or deleted as users and/or cardholders in Genetec.

Robert Shih
Aug 04, 2023
Independent

Good, and can those credentials correlate to maybe a Yubikey that can be used for both physical and digital access?

Undisclosed Integrator #2
Aug 07, 2023

I'd recommend contacting your local Genetec rep for a deep dive into all the options.

Robert Shih
Aug 08, 2023
Independent

Is Network Optix capable of this?
