Automated Group Assignment

It is common practice with LDAP, OAuth or SAML authentication to leverage the information maintained about users in those systems, including organizational structure information, and use it to assign those users automatically to particular groups in the repository when they log in. In this way, there is no need to assign users to groups manually.

Once you enable automatic group assignment, every user authenticated by the external authority becomes a user in the system (if not already defined) and is assigned the proper groups each time they log in. Thus, these users will lose any previous manual group assignment at the next login.

In some cases, whether using LDAP or another authentication mode, the preferred practice is not to depend upon these authentication modes to provide proper group assignment. This is because those systems are managed by other authorities and are generally not maintained so that their grouping of users maps logically onto the group assignments needed here.

Instead, it is common to simply use the default group assignment, so that any user is given the Guest group when logging in for the first time or when created. By default, the Guest group is assigned to the Published configuration. In this way, one controls the default presentation to new users, and it is based on a controlled default configuration.

Once the user’s true groups and responsibilities are identified, further groups are assigned to the user.

Automated LDAP Group Assignment

The LDAP configuration window offers a second tab for LDAP driven group assignment. In this case, the group assignments may be associated with predefined LDAP groups or queries. There are two convenience features that help non-LDAP experts retrieve or build the group assignments they need:

The LDAP group data entry allows one to search for groups defined in your LDAP environment and retrieve the exact LDAP query for such groups. This is very useful when planning to use large predefined groups of business users in group assignment.

The LDAP search filter data entry allows one to automatically build a proper query to create an LDAP based virtual group of users. This is very useful in creating small Administrator groups or temporary groups for a project.

Follow the steps below to create queries defining LDAP driven group assignment.

MetaKarta does not support nested groups, only direct group memberships. The reason for this limitation is there is no universal way to support nested groups across all types of LDAP servers. Although there is a specific way for Active Directory, it does not work properly in forests or when the query contains special characters, so it cannot be used this way either.

Steps

1.  Sign in as a user with at least the Application Administrator capability global role assignment.

2.  Go to MANAGE > Users in the banner.

3.  Select LDAP Authentication from the Authentication type pull-down in the header.

4.  Click on Authentication in the header and select LDAP.

5.  Click on the Group Assignment tab.

6.  Click on the Add icon.

7.  Enter the following:

-   Provide a Name for the query.

-   Define the group you wish to associate with users in the query.

To assign groups by group name:

8.  Click on the Browse icon in the Group entry.

9.  Enter a group name in the LDAP system or search text.

10. Select the Distinguished Name for that group.

To specify a search filter and include individual users:

11. Specify a Search Root like: CN=company,CN=Users,DC=company,DC=local

12. Click on the Browse icon in the Search Filter entry and select users in that filter.

To specify a search filter and exclude individual users, you may:

13. Specify a Search Root: CN=company,CN=Users,DC=company,DC=local

14. Use the following syntax: (&(!(sAMAccountName=username1))(!(sAMAccountName=username)))

15. Click OK.
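The exclusion filter in step 14 is an ordinary RFC 4515 search filter, and the note above about special characters is the practical hazard: a username containing "(", ")", "*" or "\" must be escaped or the filter changes meaning. The following is an added example, not MetaKarta's own code, that builds the include/exclude filters from the steps above with proper escaping and evaluates them against a small set of constructed directory entries so you can check what a filter selects before saving it. The entries, group DNs and usernames are sample data; the evaluator supports only the filter subset used on this page (&, |, ! and equality).

```python
import re

# RFC 4515 escaping for values embedded in a search filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a literal value so it cannot alter the structure of the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def unescape_filter_value(raw: str) -> str:
    """Decode \\XX hex escapes back into characters."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)


def build_exclusion_filter(usernames, attribute="sAMAccountName"):
    """Return (&(!(attr=u1))(!(attr=u2))...), the shape shown in step 14."""
    if not usernames:
        raise ValueError("at least one username is required")
    clauses = "".join(f"(!({attribute}={escape_filter_value(u)}))" for u in usernames)
    return f"(&{clauses})"


def build_group_member_filter(group_dn, member_attribute="memberOf"):
    """Filter matching direct members of a group (no nesting, as the page notes)."""
    return f"({member_attribute}={escape_filter_value(group_dn)})"


def _parse(s, i):
    """Recursive-descent parser for the &, |, ! and equality subset of RFC 4515."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at position {i}")
    i += 1
    op = s[i]
    if op in "&|":
        i += 1
        subs = []
        while i < len(s) and s[i] == "(":
            node, i = _parse(s, i)
            subs.append(node)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated compound filter")
        return (op, subs), i + 1
    if op == "!":
        node, i = _parse(s, i + 1)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated negation")
        return ("!", node), i + 1
    j = s.index("=", i)
    attr = s[i:j]
    k = j + 1
    while k < len(s) and s[k] != ")":  # escaped values never contain a raw ')'
        k += 1
    if k >= len(s):
        raise ValueError("unterminated equality filter")
    return ("=", attr, unescape_filter_value(s[j + 1:k])), k + 1


def matches(node, entry):
    """Evaluate a parsed filter against one directory entry (dict of attributes)."""
    kind = node[0]
    if kind == "&":
        return all(matches(n, entry) for n in node[1])
    if kind == "|":
        return any(matches(n, entry) for n in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, value = node
    values = entry.get(attr, [])
    if isinstance(values, str):
        values = [values]
    # Directory attribute matching is treated as case-insensitive here (assumption).
    return any(v.lower() == value.lower() for v in values)


def select_users(ldap_filter, entries):
    """Return the sorted sAMAccountNames that the filter would select."""
    tree, end = _parse(ldap_filter, 0)
    if end != len(ldap_filter):
        raise ValueError("trailing characters after filter")
    return sorted(e["sAMAccountName"] for e in entries if matches(tree, e))


# Constructed sample directory entries (not real accounts).
SAMPLE_USERS = [
    {"sAMAccountName": "jdoe", "memberOf": ["CN=Analysts,OU=Groups,DC=example,DC=local"]},
    {"sAMAccountName": "asmith", "memberOf": ["CN=Admins,OU=Groups,DC=example,DC=local"]},
    {"sAMAccountName": "svc(batch)", "memberOf": []},
]

if __name__ == "__main__":
    print(build_exclusion_filter(["jdoe", "svc(batch)"]))
    print(select_users(build_exclusion_filter(["jdoe", "svc(batch)"]), SAMPLE_USERS))
```

Note that the filter built for "svc(batch)" contains \28 and \29 rather than raw parentheses; pasting an unescaped username with those characters into the Search Filter entry would produce a filter that either fails to parse or selects the wrong users, which is the failure mode the page warns about.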

Please keep in mind that when you create the first LDAP query for group assignment, you are switching from native (manually managed) group assignment to LDAP driven (automatic) group assignment for all LDAP users. Any LDAP user will lose any previous native group assignment at the next login.

Similarly, when deleting the last LDAP query for group assignment, you are switching from LDAP driven (automatic) group assignment back to native (manually managed) group assignment. Any LDAP user will then be associated only with the "Guest" group, until more groups are manually granted to that user.

Automated OAuth Group Assignment

See the details in OAuth Authentication.

In order to support automatic group assignment, specify in the Attribute Mapping tab the attribute that corresponds to the security group in MetaKarta. If the attribute group in the OAuth user account information is to be mapped to the security group, the Attribute Mapping tab should look like this:


In this case, if the user account information for user John has a field called group, MetaKarta will use the value of the field group, e.g. "Business user", as the security group assignment for the user John.

The user account information is returned from the OAuth server to MetaKarta after the OAuth server validates an access token upon a login request.

You may also map individual values assigned to the OAuth attribute that maps to the Groups in MetaKarta.

Please keep in mind that when you populate an OAuth attribute for group assignment, you are switching from native (manually managed) group assignment to OAuth driven (automatic) group assignment for all OAuth users. Any OAuth user will lose any previous native group assignment at the next login.

Similarly, when deleting the last OAuth attribute for group assignment, you are switching from OAuth driven (automatic) group assignment back to native (manually managed) group assignment. Any OAuth user will then be associated only with the "Guest" group, until more groups are manually granted to that user.

Steps

1.  Sign in as a user with at least the Application Administrator capability global role assignment.

2.  Go to MANAGE > Users in the banner.

3.  Click Configure Authentication.

4.  Go to the Group Mappings tab.

5.  Click the Add Assignment action icon.

Example


The wildcard (“%”) may be used when configuring group mappings. The % matches zero or more characters.
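To make the wildcard behaviour concrete, here is an added example, not MetaKarta's own code, that resolves the values of the OAuth group attribute returned with the validated access token to security groups using "%" as a zero-or-more-characters wildcard, and falls back to the Guest default described earlier on this page when nothing matches. The mapping table, the claim layout and case-insensitive matching are assumptions made for the example; the real product's mapping storage is not shown on this page.

```python
import re


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Translate a mapping pattern where % matches zero or more characters.
    Every other character is escaped, so '.', '(' or '*' in a group value
    stays literal and cannot widen the match. Case-insensitive matching is
    an assumption of this example."""
    parts = [re.escape(p) for p in pattern.split("%")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def resolve_groups(attribute_values, mappings, default="Guest"):
    """Return the sorted security groups for a user's attribute values.

    mappings: list of (pattern, security_group) pairs. A value may hit several
    patterns, and a user whose values match nothing gets only the default group,
    mirroring the page's Guest default for new or unmapped users."""
    groups = set()
    for value in attribute_values:
        for pattern, group in mappings:
            if wildcard_to_regex(pattern).match(value):
                groups.add(group)
    return sorted(groups) if groups else [default]


# Constructed sample mapping table: OAuth attribute value pattern -> security group.
MAPPINGS = [
    ("Business user", "Business Users"),
    ("Admin%", "Administrators"),
    ("%-readonly", "Guest"),
]


def assign_for_user_info(user_info, attribute="group"):
    """user_info: the account-information dict the OAuth server returns after
    validating the access token (assumed layout). The group attribute may be a
    single string or a list of strings."""
    values = user_info.get(attribute, [])
    if isinstance(values, str):
        values = [values]
    return resolve_groups(values, MAPPINGS)


if __name__ == "__main__":
    print(assign_for_user_info({"name": "John", "group": "Business user"}))
    print(assign_for_user_info({"name": "Ann", "group": ["AdminOps", "finance-readonly"]}))
```

A pattern of just "%" would match every value, so it should only ever map to the least-privileged group; the design choice of escaping everything except "%" is what keeps a group value such as "R&D (EU)" from being interpreted as a regular expression.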

Automated SAML Group Assignment

See the details in SAML Authentication.