Is it possible to attribute roles based on Active Directory groups?

Hello.
I am wondering if there is a way to attribute roles to users that are synchronized with Active Directory based on the AD groups to which the user belongs? If yes, how can I do that?
Thank you.
Regards.

Hi,

For sure, just connect them under Active Directory Sync in Flow Studio. 1 to 1:

And in the curly brackets, you can specify other things like language or admin level.


Thank you Ola.
I am ashamed because it is pretty obvious… Another consequence of being under pressure.
Regards.
JMP


Hello.

The below script does nothing.

Is it a bug or is there an error in the script? Does anyone have a solution, workaround or hints on what I can do or try?

I began by creating the user with User Level “Work”, User Type “FullUser”, no roles and no specified language or culture. In Active Sync, I associated the “Domain users” group with the User Level “AdministerWorkflows” and the “Geral” role (which has access to all pages in the portal, v. 2023.3).

When the user logged in to the portal, no pages were shown and access to “edit” was blocked, which indicates that the synchronization didn’t change the roles and user level. In the users administration in Studio, nothing changed after the synchronization. I tested several associations of AD groups with user levels and roles and nothing changed, even after clicking the Sync button, fully refreshing the browser and even restarting IIS more than once.

Finally I deleted the user and recreated it and now I can’t log in with it.

One of the versions of the script, the one that is active now:
exec SetUserLevel('AdministerWorkflows'); exec SetUserType('FullUser'); exec SetLanguage('pt'); exec SetCulture('pt-PT');

Thank you in advance.
Regards

Are you sure the sync has run?


I checked just now and the last synchronization was less than an hour ago, but I still can’t log in with the recreated user.

Did the users show up under “Users”? They should also have the “affected by sync source” check box checked. If not, something might be wrong with the LDAP setting (or the app registration if it is AAD).

There is also a log, I think, or perhaps it is written to the Flow server’s log. Could you check for potential issues there?

Hello Ola. Yes, it appears under Users, and I discovered now that if I set a password in Studio, I am able to authenticate with it even after synchronizing with the AD.
Regards

How about the “affected by sync source” setting and the log?

Hello @OlaCarlander and all.

I haven’t replied before because my work days are still crazy like hell, so I have no time and, since I had to arrange a solution, I have been setting the roles and user types manually.

I don’t see anything in the logs in C:\Novacura\Novacura Flow\Server that “tells me” anything.

Anyway, I have a ticket open with support and I have just sent the logs your colleague asked me for, after putting the logging in DEBUG mode.

Thank you.
Regards.

Hi,
Yes, this might be better to run through support.

But I see this from that log file, indicating that the LDAP is not correctly set up. It seems not to communicate with your DCs. There are also some records that it cannot reach the license server. Is this behind a firewall? Could something be blocking the server? Is the Flow server in a domain? This feels like something not Flow related but rather OS/Windows/Network…

Support hasn’t replied yet since I sent the logs.
I wonder if the user that is registered in the AD sync configuration needs any special permissions or if it can be a “simple basic user”.

It probably depends on how the AD is set up. Normally it works with just any user since they normally can read the AD but not much more, but that can probably be changed.
In Azure AD (AAD) there are some specifics I know of, but I am not really sure about “old” AD and LDAP. I think this might be an issue for the IT department in charge of the AD. They can also try with an account with higher access just to make sure we are on the right track. So I would suggest trying with a domain admin if possible, making sure that works, and then working your way down in permissions from there.
Please let us know the result 🙂
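The two things the thread ends up questioning are whether the Flow server can talk to a domain controller at all and whether the sync account can read group membership. The following PowerShell is an added diagnostic for exactly those two checks, run on the Flow server; it is not part of this thread or of Novacura Flow, and the domain controller name, base DN, sync account and test user are placeholders to replace with your own.

```powershell
# Added diagnostic (not from the thread or the product): check that the account used by
# Flow's Active Directory Sync can reach a DC, bind over LDAP, and read a user's groups.
# All names below are placeholders.
param(
    [string]$DomainController = 'dc01.example.local',   # placeholder DC hostname
    [string]$SearchBase       = 'DC=example,DC=local',  # placeholder base DN
    [string]$SyncUser         = 'EXAMPLE\flowsync',     # placeholder sync service account
    [string]$TestSam          = 'jdoe'                  # placeholder user to look up
)

Add-Type -AssemblyName System.DirectoryServices

# 1. Network reachability: the log in the thread suggested the server never reached its DCs.
#    A firewall between the Flow server and the DC shows up here as a failed TCP test.
foreach ($port in 389, 636) {
    $ok = (Test-NetConnection -ComputerName $DomainController -Port $port `
           -WarningAction SilentlyContinue).TcpTestSucceeded
    Write-Host ("TCP {0}:{1} reachable: {2}" -f $DomainController, $port, $ok)
}

# 2. LDAP bind with the sync account. A wrong password, or a disabled or locked
#    account, surfaces here as an exception before any synchronization is attempted.
$cred  = Get-Credential -UserName $SyncUser -Message 'Password of the Flow sync account'
$entry = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://$DomainController/$SearchBase",
    $cred.UserName,
    $cred.GetNetworkCredential().Password,
    [System.DirectoryServices.AuthenticationTypes]::Secure)
try {
    $null = $entry.NativeObject   # accessing NativeObject forces the bind
    Write-Host "LDAP bind as $($cred.UserName) succeeded"
} catch {
    Write-Host "LDAP bind failed: $($_.Exception.Message)"
    return
}

# 3. Read the group membership of a known user: this is the attribute the sync maps to
#    Flow roles and user levels. A successful bind but an empty result points at read
#    permissions on the OU or at a wrong base DN rather than at Flow itself.
$searcher = New-Object System.DirectoryServices.DirectorySearcher($entry)
$searcher.Filter = "(&(objectClass=user)(sAMAccountName=$TestSam))"
$null = $searcher.PropertiesToLoad.Add('memberOf')
$result = $searcher.FindOne()
if (-not $result) { Write-Host "User $TestSam not found under $SearchBase"; return }
Write-Host "Groups of ${TestSam}:"
$result.Properties['memberof'] | ForEach-Object { Write-Host "  $_" }
```

If step 3 lists the groups you mapped in Active Directory Sync (for example “Domain Users”) while Flow still assigns nothing, the problem is on the Flow side; if it fails, start with the AD permissions of the sync account, as suggested above.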