Role - Group Mappings
The Group Mappings panel lets you identify the LDAP queries used for obtaining user information from an LDAP registry so that information can be associated with the current role.
The Group Mappings panel is only available when you are editing an existing role. The Role wizard does not display this panel when you are creating a new role.
Define an automation principal that is used for accessing the LDAP server. For more information about creating automation principals that can be used when obtaining information from an LDAP server, see Synchronizing users with LDAP servers.
Add or Modify
Click Add to create a new group mapping, or select an existing mapping and click Modify. The Group Mappings dialog box opens and gives you the following options:
- The connection to an LDAP server.
- An automation principal that has the logon credentials needed to access the LDAP server.
- A query that obtains group information from the LDAP server.
- A query that obtains user information from the LDAP server.
Existing user options
If there are existing users assigned to this role and they are not found among the LDAP users being added to RBAC, you can specify how those users should be handled. Select from the following options (note the restrictions on combining them):
Delete users not found
Existing users assigned to this role are deleted from the RBAC database. If you select this option, you cannot select any of the following options.
Disable users not found
Existing users assigned to this role are disabled. They continue to be assigned to this role. If you select this option, you cannot also select the Delete users not found option.
Remove users not found from the role
Existing users are removed from this role but remain in the RBAC database. If you select this option, you can also select the Disable users not found option.
If a user already exists in RBAC, is enabled for participation in the synchronization process, and is included in the LDAP users being added as part of the synchronization, the existing RBAC user is modified as follows:
- The user is enabled for Active Directory/Kerberos authentication.
- The user is assigned to the role being synchronized, if not already assigned to that role.
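The following is an added illustration of the reconciliation rules above, written for this page and not taken from the product. It models the three "users not found" options, enforces the stated restriction that Delete cannot be combined with the other two, and applies the two modifications made to existing synchronization-enabled users. The RBAC database, the role names, the LDAP group membership and the decision to create LDAP users that do not yet exist in RBAC are all constructed assumptions for the example.

```python
"""Model of the 'Existing user options' reconciliation for a role/LDAP group mapping.

Added example; the data structures and sample data are assumptions, not the product's schema.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class RbacUser:
    name: str
    enabled: bool = True            # False once the account is disabled
    sync_enabled: bool = True       # participates in the LDAP synchronization process
    ad_kerberos_auth: bool = False  # enabled for Active Directory/Kerberos authentication
    roles: Set[str] = field(default_factory=set)


@dataclass(frozen=True)
class NotFoundOptions:
    """The 'Existing user options' check boxes from the Group Mappings dialog."""
    delete: bool = False            # Delete users not found
    disable: bool = False           # Disable users not found
    remove_from_role: bool = False  # Remove users not found from the role

    def validate(self) -> None:
        # Delete excludes both other options; Disable and Remove may be combined.
        if self.delete and (self.disable or self.remove_from_role):
            raise ValueError("'Delete users not found' cannot be combined with the other options")


def synchronize_role(db: Dict[str, RbacUser], role: str,
                     ldap_users: Set[str], opts: NotFoundOptions) -> List[str]:
    """Apply one synchronization of `role` against the LDAP query result `ldap_users`.

    Mutates `db` in place and returns a log of the actions taken.
    """
    opts.validate()
    log: List[str] = []

    # Phase 1: existing members of the role that the LDAP query did not return.
    for name in sorted(db):  # iterate over a snapshot so deletions are safe
        user = db[name]
        if role not in user.roles or name in ldap_users:
            continue
        if opts.delete:
            del db[name]                       # removed from the RBAC database entirely
            log.append(f"deleted {name}")
            continue
        if opts.disable:
            user.enabled = False               # disabled, but still assigned to the role
            log.append(f"disabled {name}")
        if opts.remove_from_role:
            user.roles.discard(role)           # stays in the database, loses the role
            log.append(f"removed {name} from {role}")
        if not (opts.disable or opts.remove_from_role):
            log.append(f"kept {name} unchanged (no option selected)")

    # Phase 2: users returned by the LDAP query.
    for name in sorted(ldap_users):
        user = db.get(name)
        if user is None:
            # Assumption for this example: a user not yet in RBAC is created with the role.
            db[name] = RbacUser(name, ad_kerberos_auth=True, roles={role})
            log.append(f"created {name} in {role}")
        elif user.sync_enabled:
            user.ad_kerberos_auth = True       # modification 1 from the page
            if role not in user.roles:
                user.roles.add(role)           # modification 2 from the page
                log.append(f"added {name} to {role}")
            else:
                log.append(f"confirmed {name} in {role}")
        else:
            log.append(f"skipped {name} (not enabled for synchronization)")
    return log


def sample_db() -> Dict[str, RbacUser]:
    """Constructed sample RBAC data for the example (not real accounts)."""
    return {
        "alice": RbacUser("alice", roles={"auditor"}),
        "bob": RbacUser("bob", roles={"auditor", "operator"}),
        "carol": RbacUser("carol", sync_enabled=False, roles={"operator"}),
        "dave": RbacUser("dave", roles={"operator"}),
    }


# Constructed result of the LDAP group query for the 'auditor' mapping.
LDAP_AUDITOR_GROUP: Set[str] = {"alice", "carol", "erin"}


if __name__ == "__main__":
    db = sample_db()
    for line in synchronize_role(db, "auditor", LDAP_AUDITOR_GROUP,
                                 NotFoundOptions(disable=True, remove_from_role=True)):
        print(line)
```

Running the module with Disable and Remove selected together shows the combination the page allows: bob, who holds the role but is absent from the LDAP group, is both disabled and removed from the auditor role while keeping his operator role; carol, who is in the LDAP group but not enabled for synchronization, is left untouched; alice is enabled for Active Directory/Kerberos authentication. Switching to Delete alone removes bob from the database outright, which is why the page notes that Delete excludes the other two options.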