4.4 Linking roles to LDAP

You can set up roles in MyID that are linked to groups in your LDAP. If you link a role to a group in the LDAP, any users in the directory who belong to that group are automatically assigned the corresponding role in MyID.

You must create roles in MyID that have the same names as the groups in the directory.

When you add a user to MyID, the user is automatically assigned the corresponding role. If you change the user's group in the directory, the user is assigned the role corresponding to the new group, and has the existing linked group role removed from their list of roles.

When you set up the link to the directory group, you can specify a scope for the role. This scope is used whenever MyID automatically assigns a linked role.

Important: The roles assigned based on LDAP group membership cannot override the group role restrictions set up in MyID. When the account is synchronized with the directory, any invalid roles are removed; if you edit a person, any invalid roles are highlighted on screen, and you must remove them manually.

Note: If you have the Update user information in the directory configuration option set to Yes, users cannot be assigned roles based on groups in the LDAP. This option indicates that MyID is the primary source for user data, so information is pushed from MyID to the directory but not the other way around. LDAP linked roles rely on synchronization from the LDAP to MyID, which does not occur when Update user information in the directory is set to Yes.

You can combine LDAP linked roles with group default roles; the user is assigned the roles linked to their LDAP group in addition to the roles set as defaults for their group within MyID. For details of setting up default roles, see section 4.3, Default roles.

4.4.1 Default Active Directory groups

For your MyID roles, do not use the names of any of the groups present in Active Directory by default; for example:

and so on.

This is because MyID uses the memberOf LDAP function to retrieve information about the groups to which a member belongs, but this function does not retrieve information about the built-in Active Directory security groups.

You must create new groups in the directory to match the names of the roles within MyID.

4.4.2 Setting up linked roles

To set up a linked role:

  1. From the Configuration category, select Edit Roles.

  2. Click Show/Hide Roles and make sure that the role you want to link is displayed.

    Note: The Linked to LDAP Group row appears only if you have set the Link to LDAP Groups option on the LDAP page of the Operation Settings workflow.

  3. Click the icon in the Linked to LDAP Group row.

    When a role is linked, the icon is a green tick.

    When a role is not linked, the icon is a red cross.

    Note: You cannot link system roles; for example, the Startup User role, or the Activation User role.

  4. To link the role to a directory group with the same name:

    1. Select the Link Role to LDAP Group checkbox.
    2. Select the default scope to be used for the role from the list.
    3. Click OK.
  5. Click Save Changes.

4.4.3 Example

For example, if you have the following groups in your directory:

You would create three roles in MyID with the same names. You may also have roles in MyID that are not linked to any directory groups. For example, the roles in MyID may be:

Susan Smith works for your organization in the Sales department. When you add her account to MyID, she is automatically assigned the Sales role. You can also assign her any other roles that are not linked to groups; for example, the Cardholder role.

If Susan Smith moves departments to Marketing, her record in the directory is updated to move her from the Sales group to the Marketing group. When MyID synchronizes with the directory, her MyID account is assigned the Marketing role, and the Sales role is removed from her account. The Cardholder role, which was assigned to her account manually and is not linked to a group, is unaffected.
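The synchronization behaviour described in this section, including the Susan Smith case above, as an added example in Python; it is not part of MyID or its documentation. The role, group and user names, the restriction set and the function names are constructed assumptions.

```python
# Added example, not MyID's own code: a model of the directory-to-MyID
# role synchronization described in this section. All role, group and
# user names and the restriction set are constructed for illustration.
# Roles defined in MyID; True means "Linked to LDAP Group" is set.
# A linked role must have the same name as the directory group.
MYID_ROLES = {
    "Sales": True,
    "Marketing": True,
    "Cardholder": False,    # assigned manually, not linked to a group
    "Startup User": False,  # system role, cannot be linked
}


def synchronize_roles(current_roles, member_of, *, update_directory=False,
                      allowed_roles=None):
    """Roles a user holds after one synchronization with the directory.

    current_roles: roles currently held in MyID (manual and linked).
    member_of: groups returned by the directory's memberOf lookup.
    update_directory: the "Update user information in the directory"
        option; when Yes, data flows MyID -> directory only, so linked
        roles are never recalculated.
    allowed_roles: roles permitted by the group role restrictions in
        MyID (None means unrestricted).
    """
    roles = set(current_roles)
    if update_directory:
        return roles
    linked = {name for name, is_linked in MYID_ROLES.items() if is_linked}
    # Linked roles are recalculated: dropped, then re-added only for the
    # groups the user actually belongs to. Unlinked roles are untouched.
    roles -= linked
    roles |= {group for group in member_of if group in linked}
    # LDAP-derived roles cannot override group role restrictions, so any
    # invalid role is removed during synchronization.
    if allowed_roles is not None:
        roles &= set(allowed_roles)
    return roles


def synchronize_all(users, directory):
    """Synchronize every user id in `users` (its MyID roles) against
    `directory` (its directory groups); absent users have no groups."""
    return {uid: synchronize_roles(roles, directory.get(uid, set()))
            for uid, roles in users.items()}


# Susan Smith moves from Sales to Marketing; Cardholder was assigned manually.
susan_after = synchronize_roles({"Sales", "Cardholder"}, member_of={"Marketing"})
```

Linking a role whose group has no members and running synchronize_all over every user shows the "remove an obsolete role from all users" effect: the role disappears from each account while unlinked roles stay.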

Note: If you manually assign a role that is linked to a directory group, the next time MyID synchronizes with the directory, the linked role is removed unless the user is in the linked group. For example:

You can use this feature to remove an obsolete role from all users in the MyID database. For example: