Set up LDAP Custom Role Mappings

This feature is used to apply customized roles to LDAP Synced and moved users, and to overwrite the default roles that are applied to them following an LDAP User Sync or Move User operation.

Important

For LDAP User Sync

  • When a user is synced in from an LDAP server, by default they are assigned the role configured in the ‘User Role (default)’ in the LDAP User Sync.
  • If the user’s Active Directory Group Membership matches a group configured in the Custom Role Mapping, and the hierarchy of the LDAP User Sync matches the Target Role Context, then the role specified in the Custom Role Mapping will take precedence over the ‘User Role (default)’.

For Move User

  • When a user is moved to a hierarchy manually using ‘Move Users’, by default they are assigned the role specified in the ‘Set Default Role’.
  • If the user’s Active Directory Group matches a group configured in the Custom Role Mapping, and the user’s destination hierarchy type matches the Target Role Context, then the role specified in the Custom Role Mapping will take precedence over the ‘Set Default Role’ chosen in ‘Move Users’.
  • When a user is moved to a hierarchy automatically using a filter, they are assigned the role specified in the filter in ‘Set Default Role’ by default.
  • If the user’s Active Directory Group Membership matches a group configured in the Custom Role Mapping, and the user’s destination hierarchy type, specified in the filter matches the Target Role Context, then the role specified in the Custom Role Mapping will take precedence over the ‘Set Default Role’ set in the filter.

Procedure

  1. Log in as provider or reseller administrator.
  2. Set the hierarchy path to where the LDAP Custom Role Mapping must be added.
  3. Choose LDAP Management > LDAP Custom Role Mappings.
  4. Click Add.
  5. Complete the following mandatory fields:
Field Description
Active Directory Group* A group in the Active Directory to which the user belongs. This is derived from the ‘memberOf’ from the LDAP Schema. This must be an exact match of the value defined in Active Directory, e.g. CN=Administrators,CN=Builtin,DC=test,DC=net.
Target Role Context*

This value defines the hierarchy for which the Custom Role Mapping will be applied. This must match the hierarchy type where the users are Synced, or their destination hierarchy when moved.

For example, if the user is assigned a ‘CustomerAdmin’ role, and the LDAP User Sync is configured at Customer level then the Target Role Context must be set to Customer. If the user is assigned a ‘SiteAdmin’ role, and the user is being moved either manually or automatically using ‘Filter to a Site’, then the Target Role Context must be set to Site.

Choose the hierarchy node type from the drop-down list.
Target Role* The role which will be applied to the user if their Active Directory Group and Target Role Context are matched. This must be a valid role at the user’s destination hierarchy. This can be defined at a specific role or defined as a macro, e.g. if the user is assigned a ‘SiteAdmin’ role then the role can be defined as the exact name of the role or defined as a macro, which allows re-use for any site name e.g. {{macro.SITENAME}}SiteAdmin.
  1. Click Save.