This procedure applies customized roles to LDAP synced and moved users, and overwrites the default roles that are applied following an LDAP User Sync or Move User operation.

Note

This procedure is relevant only for top-down deployments.

Important

For LDAP User Sync

By default, users synced in from an LDAP server are assigned the role configured in the 'User Role (default)' in the LDAP User Sync.
The role specified in the Custom Role Mapping takes precedence over the 'User Role (default)', when both of the following conditions are met:
- The user's Active Directory Group Membership matches a group configured in the Custom Role Mapping.
- The hierarchy of the LDAP User Sync matches the Target Role Context.

For Move User

By default, users moved manually to a hierarchy (using 'Move Users') are assigned the role specified in the 'Set Default Role'.
The role specified in the Custom Role Mapping takes precedence over the 'Set Default Role' chosen in 'Move Users', when both of the following conditions are met:
- The user's Active Directory Group matches a group configured in the Custom Role Mapping.
- The user's destination hierarchy type matches the Target Role Context.
By default, a user moved to a hierarchy automatically (using a filter), is assigned the role specified in the filter in 'Set Default Role'.
The role specified in the Custom Role Mapping takes precedence over the 'Set Default Role' set in the filter, when both of the following conditions are met:
- The user's Active Directory Group Membership matches a group configured in the Custom Role Mapping.
- The user's destination hierarchy type (specified in the filter), matches the Target Role Context,

The DataModel which the admin-user can use to optionally define Role mappings between AD users and VOSS users. Instances of this model is then used by LDAP User Sync and Move User use-cases.

Model Details: data/LdapUserRoleMappingsDAT

Field	Description
Active Directory Group*	A group in the Active Directory to which the user belongs. This is derived from the 'memberOf' from the LDAP Schema. This must be an exact match of the value defined in Active Directory, e.g. CN=Administrators,CN=Builtin,DC=test,DC=net.
Target Role Context*	This value defines the hierarchy for which the Custom Role Mapping will be applied. This must match the hierarchy type where the users are Synced, or their destination hierarchy when moved. For example, if the user is assigned a 'CustomerAdmin' role, and the LDAP User Sync is configured at Customer level then the Target Role Context must be set to Customer. If the user is assigned a 'SiteAdmin' role, and the user is being moved either manually or automatically using 'Filter to a Site', then the Target Role Context must be set to Site. Choose the hierarchy node type from the drop-down list.
Target Role*	The role which will be applied to the user if their Active Directory Group and Target Role Context are matched. This must be a valid role at the user's destination hierarchy. This can be defined at a specific role or defined as a macro, e.g. if the user is assigned a 'SiteAdmin' role then the role can be defined as the exact name of the role or defined as a macro, which allows re-use for any site name e.g. {{macro.SITENAME}}SiteAdmin.

An asterisk * in the title indicates the field is mandatory.
If a field has a default value, it is shown in the Description column.
If the field type is an array, the Field Name has a .[n] suffix, where n is the array index placeholder.
Object and array field names are listed to provide context. If a field belongs to an object or an array, the full field name is shown in dot separated notation.

Title	Description	Details
Active Directory Group *	A group in the Active Directory (AD) to which the user belongs. This is derived from the 'memberOf' from the LDAP Schema. This must be an exact match of the value defined in Active Directory, e.g. CN=Administrators,CN=Builtin,DC=test,DC=net.	Field Name: ad_group Type: String
Target Role Context *	This value defines the hierarchy for which the Custom Role Mapping will be applied. This must match the hierarchy type where the users are Synced, or their destination hierarchy when moved.	Field Name: role_context Type: String Choices: ["Provider", "Reseller", "Customer", "Site", "IntermediateNode"]
Target Role *	The role which will be applied to the user if their AD Group and Target Role Context are matched. This must be a valid role at the user's destination hierarchy. This can be defined at a specific role or defined as a macro.	Field Name: target_role Type: String

Model: data/LdapUserRoleMappingsDAT

LDAP Custom Role Mappings

Model Details: data/LdapUserRoleMappingsDAT