LDAP Custom Role Mappings#

Overview#

LDAP custom role mapping allows you to apply (in top-down deployments only) customized roles, to LDAP synced and moved users. The default roles are overwritten.

The table describes how LDAP custom role mapping works for LDAP user sync and LDAP user move:

Action	Description
LDAP user sync	By default, users synced in from LDAP are assigned the role configured in ‘User Role(default)’, in the LDAP user sync. The role specified in the custom role mapping takes precedence over the ‘User Role(default)’, when both of the following conditions are met: The user’s Active Directory Group Membership matches a group configured in the custom role mapping The hierarchy of the LDAP user sync matches the Target Role Context
LDAP user move	By default, users moved manually to a hierarchy (using ‘Move Users’) are assigned the role specified in ‘Set Default Role’. The role specified in the custom role mapping takes precedence over the ‘Set Default Role’ chosen in ‘Move Users’, when both of the following conditions are met: The user’s Active Directory Group matches a group configured in the custom role mapping. The user’s destination hierarchy type matches the Target Role Context. By default, a user moved to a hierarchy automatically (using a filter), is assigned the role specified in the filter in ‘Set Default Role’. The role specified in the custom role mapping takes precedence over the ‘Set Default Role’ defined in the filter, when both of the following conditions are met: The user’s Active Directory Group Membership matches a group configured in the custom role mapping. The user’s destination hierarchy type (specified in the filter), matches the Target Role Context.

Action

Description

LDAP user sync

By default, users synced in from LDAP are assigned the role configured in ‘User Role(default)’, in the LDAP user sync.
The role specified in the custom role mapping takes precedence over the ‘User Role(default)’, when both of the following conditions are met:
- The user’s Active Directory Group Membership matches a group configured in the custom role mapping
- The hierarchy of the LDAP user sync matches the Target Role Context

LDAP user move

By default, users moved manually to a hierarchy (using ‘Move Users’) are assigned the role specified in ‘Set Default Role’.
The role specified in the custom role mapping takes precedence over the ‘Set Default Role’ chosen in ‘Move Users’, when both of the following conditions are met:
- The user’s Active Directory Group matches a group configured in the custom role mapping.
- The user’s destination hierarchy type matches the Target Role Context.
By default, a user moved to a hierarchy automatically (using a filter), is assigned the role specified in the filter in ‘Set Default Role’.
The role specified in the custom role mapping takes precedence over the ‘Set Default Role’ defined in the filter, when both of the following conditions are met:
- The user’s Active Directory Group Membership matches a group configured in the custom role mapping.
- The user’s destination hierarchy type (specified in the filter), matches the Target Role Context.

Add a LDAP Custom Role Mapping#

In top-down deployments only, this procedure applies customized roles to LDAP synced and moved users, and overwrites default roles.

Log in as Provider or Reseller administrator.
Set the hierarchy to where the LDAP custom role mapping must be added.
Go to (default menus) LDAP Management > LDAP Custom Role Mappings.
Click Add.
Fill out the fields (all are mandatory):

Field	Description
Active Directory Group	The user’s Active Directory group, derived from ‘memberOf’, from the LDAP Schema. This must be an exact match of the value defined in Active Directory, for example, CN=Administrators,CN=Builtin,DC=test,DC=net.
Target Role Context	The hierarchy for which the custom role mapping will be applied. This must match the hierarchy type where the users are synced, or their destination hierarchy when moved. For example, if a user is assigned a ‘CustomerAdmin’ role, and the LDAP user sync is configured at Customer level, then the Target Role Context must be set to Customer. If a user is assigned a ‘SiteAdmin’ role, and is being moved (manually or automatically) using ‘Filter to a Site’, then Target Role Context must be set to Site.
Target Role	The role to apply to the user if their Active Directory Group and Target Role Context are matched. This must be a valid role at the user’s destination hierarchy. This can be defined at a specific role or as a macro. For example, if the user is assigned a ‘SiteAdmin’ role, the role can be defined as the exact name of the role or defined as a macro, which allows re-use for any site name e.g. {{macro.SITENAME}}SiteAdmin.

Field

Description

Active Directory Group

The user’s Active Directory group, derived from ‘memberOf’, from the LDAP Schema. This must be an exact match of the value defined in Active Directory, for example, CN=Administrators,CN=Builtin,DC=test,DC=net.

Target Role Context

The hierarchy for which the custom role mapping will be applied. This must match the hierarchy type where the users are synced, or their destination hierarchy when moved.

For example, if a user is assigned a ‘CustomerAdmin’ role, and the LDAP user sync is configured at Customer level, then the Target Role Context must be set to Customer. If a user is assigned a ‘SiteAdmin’ role, and is being moved (manually or automatically) using ‘Filter to a Site’, then Target Role Context must be set to Site.

Target Role

The role to apply to the user if their Active Directory Group and Target Role Context are matched.

This must be a valid role at the user’s destination hierarchy. This can be defined at a specific role or as a macro. For example, if the user is assigned a ‘SiteAdmin’ role, the role can be defined as the exact name of the role or defined as a macro, which allows re-use for any site name e.g. {{macro.SITENAME}}SiteAdmin.

Click Save.

LDAP Custom Role Mappings

On this page

LDAP Custom Role Mappings#

Overview#

Add a LDAP Custom Role Mapping#