Creating Groups for Users Automatically Added from LDAP

When a user successfully authenticates against LDAP and is automatically added to your system (via the Auto Add User feature), SBM can also establish group membership for the new user. If the user's LDAP groups already exist in SBM, he or she is added to those groups. If the groups are not in SBM yet, they can be created using the options described below.

You must manually grant privileges or role assignments to any group that is created in SBM as the result of a new user who is automatically added from LDAP (if you want that group to eventually have its own set of privileges). For example, if you have an LDAP group that needs to have certain privileges to a particular project in SBM, once the group is created, you must grant that group privileges to the project.

Note: When a new group is created in SBM by way of an automatically-added LDAP user, SBM will not add any existing users that have been previously added from LDAP to that group. You must perform a manual update in order to update the group membership for these existing users.

By examining a set of specified attributes and the containers within those attributes, SBM can help ease the group management process for newly-added users. This section describes the operations on the User Map tab of the LDAP Setup & Tools dialog that are related to automatically creating groups.

Group Attributes

Select the LDAP user attribute or attributes that should be examined by SBM for potential user groups. For example, if you select memberOf as the attribute, SBM will only use the containers in the memberOf attribute as possible groups for the new user. Each memberOf LDAP attribute on the user's LDAP account will be examined. You can select more than one attribute and move each of them into the Group Attributes field by clicking the right arrow.

For example, if you want to create groups based off the parameters in both the memberOf and productTeam attributes, you would select:

memberOf
productTeam

In LDAP, user "Joe" might have the following values for these attributes:

memberOf: CN=Domain Admins,DN=Users,DC=Acme,DC=com
memberOf: CN=Managers,DN=Users,DC=Acme,DC=com
productTeam: OU=DevTeam,DC=Acme,DC=com

SBM would then potentially be able to use any CN, DN, or OU parameter (each name=value component of the attribute value) in any of these attributes to create a corresponding group. You can limit the groups that will be created by listing only the parameter types you want in Group Query Parameters.

Note: If the Group Attributes field is left empty, SBM examines the user's entire Full Directory Name (also known as distinguishedName) instead (for example, CN=LDAPTest,OU=QAGroup,DC=acme,DC=com). In this case, the first parameter is ignored by SBM to avoid creating a group called "LDAPTest", which is typically the user account and not a group. Whenever the distinguishedName attribute is examined, the first parameter is ignored.

Group Query Parameters

In this field, you can enter the particular parameters you want SBM to process when attempting to create new groups. In effect, this field acts as an additional filter on the Group Attributes you specify. For example, you might only want the CNs and OUs of each attribute examined. In that case, you would enter:

CN,OU

Continuing with the example above, this would create new groups based only on the CN and OU parameters in each attribute, which would result in the creation of the following groups:

Domain Admins
Managers
DevTeam

Tip: The Group Query Parameters that you specify are case sensitive. For example, "CN" will not match "cn". If the LDAP directory contains a mixture of cases, enter multiple variants in the Group Query Parameters field, such as "CN,cn,Cn".
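The following is an added worked example, not SBM product code, that models how the Group Attributes and Group Query Parameters settings described above turn a user's LDAP attribute values into candidate group names. It reproduces the behavior this page documents (examining the selected attributes, filtering by parameter type with case-sensitive matching, and skipping the first parameter of a distinguishedName). The sample user is constructed from the "Joe" values shown above plus an assumed distinguishedName; de-duplication of repeated values and the handling of backslash-escaped commas in a DN component are assumptions of this example, since the page does not say how SBM treats them.

```python
import re

# Constructed sample user, built from the "Joe" values on this page plus an
# assumed distinguishedName; not pulled from a real directory.
JOE = {
    "distinguishedName": ["CN=Joe,OU=QAGroup,DC=Acme,DC=com"],
    "memberOf": [
        "CN=Domain Admins,DN=Users,DC=Acme,DC=com",
        "CN=Managers,DN=Users,DC=Acme,DC=com",
    ],
    "productTeam": ["OU=DevTeam,DC=Acme,DC=com"],
}


def split_dn(dn):
    """Split a DN-style value into (type, value) pairs.

    Splits on commas that are not backslash-escaped, so a value such as
    'CN=Sales\\, EMEA,OU=Groups,...' keeps 'Sales, EMEA' as one component.
    This escaping rule is an assumption of the example; the manual does not
    describe how SBM treats escaped commas.
    """
    pairs = []
    for part in re.split(r"(?<!\\),", dn):
        part = part.strip()
        if "=" not in part:
            continue  # skip empty or malformed components
        typ, val = part.split("=", 1)
        pairs.append((typ.strip(), val.replace("\\,", ",")))
    return pairs


def candidate_groups(user, group_attributes, query_params):
    """Return the group names SBM could create for one user, in the order found.

    group_attributes: names moved into the Group Attributes field.
        An empty list means "examine distinguishedName", as the Note says.
    query_params: types listed in Group Query Parameters, e.g. ["CN", "OU"].
        An empty list means no filter. Matching is case sensitive, as the
        Tip says, so "cn" does not match "CN".
    """
    if not group_attributes:
        group_attributes = ["distinguishedName"]
    allowed = set(query_params)
    groups = []
    for attr in group_attributes:
        for dn in user.get(attr, []):
            pairs = split_dn(dn)
            # The first parameter of a distinguishedName is the user's own
            # entry (e.g. CN=Joe), so it is ignored rather than becoming a
            # group named after the user.
            if attr == "distinguishedName":
                pairs = pairs[1:]
            for typ, val in pairs:
                if allowed and typ not in allowed:
                    continue
                if val not in groups:  # de-duplicate (assumption)
                    groups.append(val)
    return groups


if __name__ == "__main__":
    # The page's example: memberOf and productTeam, filtered to CN,OU
    print(candidate_groups(JOE, ["memberOf", "productTeam"], ["CN", "OU"]))
    # No filter: DC components would become group candidates as well
    print(candidate_groups(JOE, ["memberOf", "productTeam"], []))
    # Empty Group Attributes: distinguishedName with its first parameter skipped
    print(candidate_groups(JOE, [], ["OU"]))
    # Case sensitivity: "cn" does not match "CN"
    print(candidate_groups(JOE, ["memberOf"], ["cn"]))
```

Running the unfiltered case shows why Group Query Parameters matters: without it, values such as "Acme" and "com" from the DC components are candidates too. Because a name match against a group that already exists in SBM adds the new user to that group, it is worth restricting Group Attributes to values the directory maintains (such as memberOf) rather than free-form attributes that users can edit themselves.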