Set LDAP User Group Mapping Rules
Suppose you have configured different User Groups and Access Groups to provide these User Groups with least privilege access to authorized resources. In that case, you can easily enforce these access restrictions based on any appropriate user information being maintained in your LDAP Server by using LDAP User Group mapping rules.
If you have configured different User Groups and Access Groups to provide these User Groups with least privilege access to authorized resources, you can easily enforce these access restrictions based on any appropriate user information being maintained in your LDAP Server by using LDAP User Group mapping rules.
To use attribute-based access control based on the department, you created different CloudConnexa User Groups and Applications and have configured Access Groups restricting each User Group to access only applications authorized for that department. For example, User Group HR can access App A, X, and Y, and User Group Finance can access App B and Z. Now what is left to do is to get the department information when a user logs in with LDAP and assign the user to the correct CloudConnexa User Group. LDAP User Group Mapping Rules allow you to map the values of a LDAP attribute selected to represent the Group to specific CloudConnexa User Groups.
Once you have mapped the attribute being sent across by the IdP to UserGroup in the Attribute Mapping step(refer to Set Private LDAP authentication for Users), add a LDAP User Group Mapping rule by following the steps below:
Navigate to Settings > User Authentication.
Click Edit, which is located in the top right corner.
Click User Group Mapping in the Private LDAP section.
Check that the User Group Sync from LDAP switch to ON.
Click Add Rule.
Enter the value(s) set in the LDAP attribute and select one of the CloudConnexa User Groups from the drop-down it should map to. Provide a Priority to the rule, with 1 being the highest.
Note
If the LDAP provided value matches with multiple rules, the one with the highest priority will be used to map the User to the CloudConnexa User Group. If the value does not match with any of the mapping rules, the User will be mapped to the CloudConnexa User Group configured in the Unmapped LDAP User Groups section.
Click Add Rule
Click Cancel to exit.
Note
CloudConnexa will receive any user configuration change made on the LDAP Server after the user’s next successful authentication. If a user is deleted or disabled on the LDAP Server, the user must be deleted from CloudConnexa.
Edit a User Group Mapping Rule
To edit a User Group Mapping Rule, follow the steps below:
Navigate to Settings > User Authentication.
Click Edit, which is located in the top right corner.
Click User Group Mapping in the Private LDAP section.
The list of rules will be shown in the User Group Mapping Rules table with the Edit and the Delete icons for each rule record. Each rule record will also have Decrement and Increment icons.
Click the Edit icon next to the rule record that needs to be changed.
Make the required changes.
Click Update Rule.
Click Cancel to exit.
Change the priority of a User Group Mapping Rule
If the LDAP provided value matches with multiple rules, the one with the highest priority will be used to map the User to the CloudConnexa User Group. If the value does not match with any of the mapping rules, the User will be mapped to the CloudConnexa User Group configured in the Unmapped LDAP User Groups section.
To change the priority of a rule, you can edit it and change the priority value, or you can use the Decrement and Increment icons by following the steps below:
Navigate to Settings > User Authentication.
Click Edit, which is located in the top right corner.
Click User Group Mapping in the Private LDAP section.
The list of rules will be shown in the User Group Mapping Rules table with the Edit and the Delete icons for each rule record. Each rule record will also have Decrement and Increment icons.
Click the Increment/Decrement icons next to the rules to arrange the rules by the needed priority in the table. The priorities of the affected rules are automatically updated.
Click Cancel to exit.
Delete a User Group Mapping Rule
To delete a User Group mapping rule, follow the steps below:
Navigate to Settings > User Authentication.
Click Edit, which is located in the top right corner.
Click User Group Mapping in the Private LDAP section.
The list of rules will be shown in the User Group Mapping Rules table with the Edit and the Delete icons for each rule record. Each rule record will also have Decrement and Increment icons.
Click the Delete icon next to the rule record that needs to be deleted.
Click Delete in the confirmation dialog box.
Click Cancel to exit.