Model: data/LdapUserRoleMappingsDAT

LDAP Custom Role Mappings

Overview

LDAP custom role mapping allows you to apply customized roles to LDAP synced and moved users (in top-down deployments only). The default roles are overwritten.

The table describes how LDAP custom role mapping works for LDAP user sync and LDAP user move:

Action Description
LDAP user sync
  • By default, users synced in from LDAP are assigned the role configured in 'User Role(default)' in the LDAP user sync.
  • The role specified in the custom role mapping takes precedence over the 'User Role(default)' when both of the following conditions are met:
    • The user's Active Directory Group Membership matches a group configured in the custom role mapping.
    • The hierarchy of the LDAP user sync matches the Target Role Context.
LDAP user move
  • By default, users moved manually to a hierarchy (using 'Move Users') are assigned the role specified in 'Set Default Role'.
  • The role specified in the custom role mapping takes precedence over the 'Set Default Role' chosen in 'Move Users' when both of the following conditions are met:
    • The user's Active Directory Group matches a group configured in the custom role mapping.
    • The user's destination hierarchy type matches the Target Role Context.
  • By default, a user moved to a hierarchy automatically (using a filter) is assigned the role specified in the filter in 'Set Default Role'.
  • The role specified in the custom role mapping takes precedence over the 'Set Default Role' defined in the filter when both of the following conditions are met:
    • The user's Active Directory Group Membership matches a group configured in the custom role mapping.
    • The user's destination hierarchy type (specified in the filter) matches the Target Role Context.

Add an LDAP Custom Role Mapping

In top-down deployments only, this procedure applies customized roles to LDAP synced and moved users, and overwrites default roles.

  1. Log in as Provider or Reseller administrator.
  2. Set the hierarchy to where the LDAP custom role mapping must be added.
  3. Go to (default menus) LDAP Management > LDAP Custom Role Mappings.
  4. Click Add.
  5. Fill out the fields (all are mandatory):
Field Description
Active Directory Group

The user's Active Directory group, derived from 'memberOf', from the LDAP Schema. This must be an exact match of the value defined in Active Directory, for example, CN=Administrators,CN=Builtin,DC=test,DC=net.

Target Role Context

The hierarchy for which the custom role mapping will be applied. This must match the hierarchy type where the users are synced, or their destination hierarchy when moved.

For example, if a user is assigned a 'CustomerAdmin' role, and the LDAP user sync is configured at Customer level, then the Target Role Context must be set to Customer. If a user is assigned a 'SiteAdmin' role, and is being moved (manually or automatically) using 'Filter to a Site', then Target Role Context must be set to Site.

Target Role

The role to apply to the user if their Active Directory Group and Target Role Context are matched.

This must be a valid role at the user's destination hierarchy. It can be defined as a specific role or as a macro. For example, if the user is assigned a 'SiteAdmin' role, the role can be defined as the exact name of the role, or as a macro, which allows reuse for any site name, e.g. {{macro.SITENAME}}SiteAdmin.

  6. Click Save.

This data model lets the admin user optionally define role mappings between AD users and VOSS users. Instances of this model are then used by the LDAP User Sync and Move User use cases.

Model Details: data/LdapUserRoleMappingsDAT

Title Description Details
Active Directory Group * A group in the Active Directory (AD) to which the user belongs. This is derived from the 'memberOf' from the LDAP Schema. This must be an exact match of the value defined in Active Directory, e.g. CN=Administrators,CN=Builtin,DC=test,DC=net.
  • Field Name: ad_group
  • Type: String
Target Role Context * This value defines the hierarchy for which the Custom Role Mapping will be applied. This must match the hierarchy type where the users are Synced, or their destination hierarchy when moved.
  • Field Name: role_context
  • Type: String
  • Choices: ["Provider", "Reseller", "Customer", "Site", "IntermediateNode"]
Target Role * The role which will be applied to the user if their AD Group and Target Role Context are matched. This must be a valid role at the user's destination hierarchy. It can be defined as a specific role or as a macro.
  • Field Name: target_role
  • Type: String
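
The precedence rule from the Overview, written out as an added example (not VOSS code) that an administrator could use to review which role a user would receive before a sync or move. Assumptions: "exact match" is modelled as strict string equality, the first matching mapping in list order wins (the page does not say how several matches are resolved), macro expansion is modelled as plain text substitution, and the role name 'SelfService' and site name 'London' are constructed sample values.

```python
# Added illustration; field names follow data/LdapUserRoleMappingsDAT.
ROLE_CONTEXTS = {"Provider", "Reseller", "Customer", "Site", "IntermediateNode"}

def validate_mapping(m):
    """Return a list of problems with one mapping record (empty list = OK)."""
    problems = []
    for field in ("ad_group", "role_context", "target_role"):
        if not m.get(field):
            problems.append(f"missing mandatory field: {field}")
    if m.get("role_context") and m["role_context"] not in ROLE_CONTEXTS:
        problems.append(f"role_context not in choices: {m['role_context']}")
    return problems

def resolve_role(member_of, hierarchy_type, default_role, mappings, site_name=""):
    """Role a synced or moved user ends up with.

    A mapping overrides the default role only when BOTH conditions hold:
      1. ad_group equals one of the user's memberOf values (exact string match)
      2. role_context equals the sync hierarchy / destination hierarchy type
    Otherwise the default role ('User Role(default)' or 'Set Default Role') stands.
    """
    for m in mappings:
        if validate_mapping(m):
            continue  # skip malformed records
        if m["ad_group"] in member_of and m["role_context"] == hierarchy_type:
            # Assumption: macro substitution modelled as plain text replacement.
            return m["target_role"].replace("{{macro.SITENAME}}", site_name)
    return default_role

# Constructed sample data
MAPPINGS = [
    {"ad_group": "CN=Administrators,CN=Builtin,DC=test,DC=net",
     "role_context": "Site",
     "target_role": "{{macro.SITENAME}}SiteAdmin"},
]
USER_GROUPS = ["CN=Administrators,CN=Builtin,DC=test,DC=net"]

if __name__ == "__main__":
    print(resolve_role(USER_GROUPS, "Site", "SelfService", MAPPINGS, "London"))
    print(resolve_role(USER_GROUPS, "Customer", "SelfService", MAPPINGS, "London"))
```

Under these assumptions, a DN that differs from the Active Directory value in case or spacing does not match, so the user keeps the default role rather than the mapped one.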