Manage Active Directory role mapping
An administrator or a user with permission to view and manage roles can view the details of the available Active Directory role mappings.
Prerequisites
Ensure that you are logged in to the Control Room as the administrator.
By default, the Control Room retrieves all security groups from the Users directory.
To create role mappings that also cover other organizational units (OUs), optionally with group-name filters, you must update the um.properties file. The Control Room treats the Users directory like an OU, so it must be listed in the filter explicitly if its groups are still wanted. Define the filter in um.properties as follows:
um.ldap.groupmapping.domain.filter='mydomain.com:OU1&groupFilter|OU2&groupFilter|Users&groupFilter'
- Go to domain mydomain.com
- Retrieve all security groups from Organization Unit OU1 whose group name starts with groupFilter.
- Retrieve all security groups from Organization Unit OU2 whose group name starts with groupFilter.
- Retrieve all security groups from the Users directory whose group name starts with groupFilter.
With this setting, security groups from the organizational units OU1 and OU2 are retrieved in addition to those from the Users directory.
Multiple Domain Mapping
Mapping supports multiple domains separated by a comma.
um.ldap.groupmapping.domain.filter='mydomain.com:OU1&groupFilter|OU2&groupFilter|Users&groupFilter,mydomain2.com:OU3|OU4'
- Also go to domain mydomain2.com
- Retrieve all security groups from Organization Unit OU3, with no group-name filter.
- Retrieve all security groups from Organization Unit OU4, with no group-name filter.
Retrieving security groups from nested OUs
Example for retrieving security groups from nested OUs.
In the following example organization, consider "Marketing" as the parent OU with additional nested OUs and security groups located in each of these nested OUs.
- Marketing
  - Group 1
  - Group 2
  - US_OU
    - Group 3
    - California_OU
      - Group 4
      - NoCal_OU
        - Group 5
      - SoCal_OU
        - Group 6
um.ldap.groupmapping.domain.filter='mydomain.com:Marketing'
Naming only the parent OU retrieves Group 1 through Group 6, that is, the security groups in Marketing and in every OU nested beneath it.
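The following script is an added example, not Control Room code, that models the um.ldap.groupmapping.domain.filter syntax from the single-domain, multi-domain and nested-OU sections above so you can predict which groups a filter will pull before editing um.properties. It assumes, as the page states, that OUs named in the filter include their nested OUs and that the built-in Users container (CN=Users) is treated like an OU; it further assumes that the group-name filter is a case-insensitive prefix match on the group's CN. The group DNs are constructed sample data, and all function names are the example's own.

```python
"""Model of the um.ldap.groupmapping.domain.filter syntax.

Added example, not Control Room code. Assumed semantics: an OU named in the
filter matches groups anywhere beneath it, CN=Users is treated like an OU,
and the group-name filter is a case-insensitive prefix match on the CN.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class OUFilter:
    domain: str   # e.g. "mydomain.com"
    ou: str       # e.g. "OU1", "Marketing" or "Users"
    prefix: str   # group-name prefix; "" retrieves every group in the OU


def parse_filter(value: str) -> list[OUFilter]:
    """Parse 'dom:OU1&pfx|OU2,dom2:OU3' into OUFilter entries.

    Domains are separated by ',', OUs within a domain by '|', and an
    optional group-name prefix follows '&'. The quotes written around the
    value in um.properties are stripped.
    """
    value = value.strip().strip("'\"")
    filters: list[OUFilter] = []
    for domain_part in value.split(","):
        domain_part = domain_part.strip()
        if not domain_part:
            continue
        if ":" not in domain_part:
            raise ValueError(f"missing ':' between domain and OU list: {domain_part!r}")
        domain, ou_list = domain_part.split(":", 1)
        for ou_part in ou_list.split("|"):
            ou, _, prefix = ou_part.partition("&")
            if not ou.strip():
                raise ValueError(f"empty OU in {domain_part!r}")
            filters.append(OUFilter(domain.strip().lower(), ou.strip(), prefix.strip()))
    return filters


def split_dn(dn: str) -> tuple[str, list[str], str]:
    """Return (group CN, container names parent-first, domain) for a group DN.

    Containers are the OU= components plus any CN= components after the
    leading group CN, so CN=Users counts as a container like an OU.
    """
    rdns = [r.strip() for r in re.split(r"(?<!\\),", dn)]   # split on unescaped commas
    attr_vals = [r.split("=", 1) for r in rdns]
    cn = attr_vals[0][1]
    containers = [v for a, v in attr_vals[1:] if a.upper() in ("OU", "CN")]
    domain = ".".join(v for a, v in attr_vals if a.upper() == "DC")
    return cn, containers[::-1], domain.lower()


def matches(flt: OUFilter, group_dn: str) -> bool:
    """True if this filter entry retrieves the group at group_dn."""
    cn, containers, domain = split_dn(group_dn)
    if domain != flt.domain:
        return False
    if flt.ou.lower() not in (c.lower() for c in containers):   # nested OUs included
        return False
    return cn.lower().startswith(flt.prefix.lower())


def select_groups(filter_value: str, group_dns: list[str]) -> list[str]:
    """Return the DNs that at least one entry of the filter retrieves."""
    filters = parse_filter(filter_value)
    return [dn for dn in group_dns if any(matches(f, dn) for f in filters)]


# Constructed sample directory mirroring the OU layouts on this page.
SAMPLE_GROUPS = [
    "CN=RPA_Admins,OU=OU1,DC=mydomain,DC=com",
    "CN=Finance_Bots,OU=OU1,DC=mydomain,DC=com",
    "CN=RPA_Users,OU=OU2,DC=mydomain,DC=com",
    "CN=RPA_Auditors,CN=Users,DC=mydomain,DC=com",
    "CN=Domain Users,CN=Users,DC=mydomain,DC=com",
    "CN=Group 1,OU=Marketing,DC=mydomain,DC=com",
    "CN=Group 4,OU=California_OU,OU=US_OU,OU=Marketing,DC=mydomain,DC=com",
    "CN=Group 6,OU=SoCal_OU,OU=California_OU,OU=US_OU,OU=Marketing,DC=mydomain,DC=com",
    "CN=RPA_Ops,OU=OU3,DC=mydomain2,DC=com",
    "CN=RPA_Ops,OU=OU9,DC=mydomain2,DC=com",
]

if __name__ == "__main__":
    multi = "'mydomain.com:OU1&RPA|OU2&RPA|Users&RPA,mydomain2.com:OU3|OU4'"
    for dn in select_groups(multi, SAMPLE_GROUPS):
        print(dn)
    print("--- nested OUs ---")
    for dn in select_groups("'mydomain.com:Marketing'", SAMPLE_GROUPS):
        print(dn)
```

Running the script shows the Finance_Bots group and the OU9 group excluded by the prefix and OU lists respectively, and the three Marketing groups retrieved by the single parent-OU entry. Note that listing `Users` without a prefix also pulls built-in groups such as Domain Users into the mapping candidates, which is why the page's examples always attach a group-name filter to the Users directory.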
Active Directory role mapping
Navigate to the Control Room; the page displays any role mappings that have already been created. From here, these role mappings can be viewed or edited. You can also create new role mappings or restart the role synchronization process between the Control Room and AD.
Once enabled, the synchronization process is triggered once a day (every 1440 minutes) by default. Synchronization can be run at any interval by changing the number of minutes. It is recommended that the interval be kept at least as large as the default.