If you have established Active Directory user/group schemes, you can leverage that infrastructure when you establish access to your system roles. You can manage your users without the need to duplicate your Windows network directory. You can assign multiple users to a system role either by adding an Active Directory group or via an LDAP (Lightweight Directory Access Protocol) query. The Groups tab of a system role record contains a list of Active Directory groups and LDAP queries that have already been assigned to the role.
When you click Synchronize on the Groups tab, the program gathers a complete list of users in all specified groups and LDAP query results. The role is then updated by adding the users who are not currently assigned to the role and removing users who were previously synchronized but who are not currently in the query results or part of the specified Active Directory group.
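The reconciliation described above, modeled as an added example (not the product's code). The `Role` class, the per-member "synchronized" flag and all user, group and query names are constructed assumptions; the logic follows the text literally, so only users not already assigned are added and only users added by an earlier synchronize are removed.

```python
from dataclasses import dataclass, field


@dataclass
class Role:
    # user -> True if the membership was created by a previous synchronize,
    # False if it was assigned by hand (assumed provenance flag).
    members: dict = field(default_factory=dict)

    def assign_manually(self, user):
        self.members[user] = False


def synchronize(role, group_members, ldap_results):
    """Reconcile a role against every AD group and LDAP query on its Groups tab."""
    # Complete list of users across all specified groups and query results.
    current = set()
    for users in list(group_members.values()) + list(ldap_results.values()):
        current.update(users)

    # Add users who are not currently assigned to the role.
    added = sorted(u for u in current if u not in role.members)
    # Remove users who were previously synchronized but are no longer returned.
    removed = sorted(u for u, synced in role.members.items()
                     if synced and u not in current)

    for u in added:
        role.members[u] = True
    for u in removed:
        del role.members[u]
    return added, removed


def demo():
    """Two synchronize runs over constructed directory data."""
    role = Role()
    role.assign_manually("dana")  # hand-assigned, also a group member below

    first = synchronize(
        role,
        {"CN=Approvers": {"alice", "bob", "dana"}},
        {"(department=Finance)": {"bob", "carol"}},
    )
    # bob leaves both sources, dana leaves the group, alice and carol stay.
    second = synchronize(
        role,
        {"CN=Approvers": {"alice"}},
        {"(department=Finance)": {"carol"}},
    )
    return first, second, dict(role.members)
```

In this model a user dropped from every group and query keeps the role until the next synchronize runs, and a hand-assigned user is never removed by it.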
When trying to synchronize any system roles, users may receive the following message:
Record operation could not be performed. Error obtaining path to user/group with SID 'S-1-5-21-343818398-1972579041-839522115-31134'. The following paths were tried: .
We are currently evaluating this issue and will update this article when we have more information.