Minimum authorizations for synchronizing users

Synchronizing RBAC with an LDAP server is typically performed by the RBACAdmins role, but you can also perform it using a role that holds only a minimum set of permissions.

To perform this procedure with a minimum set of authorizations, set up a role that holds the role-level authorizations listed below, and grant the object-level authorizations listed below on each object you act on.

Role-level authorizations

  • Role.Read
  • Role.Modify
  • Role.ManageUsers
  • User.*
  • AutomationPrincipal.read
  • LdapConnection.read

Object-level authorizations

Type of object           Authorization required    Additional information
LDAP connection object   LdapConnection.read       Required for Active Directory synchronization.
                                                   Currently, you can only manage LDAP connection objects using the BLCLI.
LDAP query object        LdapQuery.read            Required for LDAP server synchronization.
Automation Principal     AutomationPrincipal.read  Required for Active Directory synchronization.
Role                     Role.Read                 Required for Active Directory synchronization.
                         Role.Modify
                         Role.ManageUsers
User                     User.*                    Required for ongoing maintenance of each user created by the
                                                   Active Directory synchronization process.
