Creating a Role by Using an LDAP Attribute

You can assign a user to a role by using a value found in any LDAP attribute in your directory. The following example uses the objectClass attribute because every object in an LDAP directory has an objectClass attribute that contains the object classes to which the object belongs. This attribute contains the name of the object class that was used to create the object and the names of the superior object classes of this class. The following steps create a Role policy for users who were created with the User object class:

  1. Click Policies > Policies.

  2. Select the policy container, then click New.

  3. Specify a name for the Role policy, select Identity Server: Roles for the type, then click OK.

  4. In Condition Group 1, click New, then select LDAP Attribute.

  5. In Condition Group 1, select the conditions the user must meet:

    LDAP Attribute: Select the objectClass attribute. If you have not added this attribute, it does not appear in the list. Scroll to the bottom of the list, click New LDAP Attribute, specify objectClass for the name, then click OK.

    If you are using eDirectory™ for your LDAP directory, specify standard LDAP names for the attributes. Access Manager does not support spaces or colons in attribute names.

    Comparison: Select how you want the attribute values to be compared. For the objectClass attribute, select String > Contains Substring.

    The objectClass attribute is a multi-valued attribute and, for most objects, contains multiple values. For example, in eDirectory, users created with the User object class have User, organizationalPerson, person, ndsLoginProperties, and top as values in the objectClass attribute.

    Mode: Select Case Insensitive.

    Value: Select Data Entry Field and specify User as the value.

    Result on Condition Error: This sets the result that is returned if an error occurs while evaluating the condition, for example because the LDAP server is down. This rule grants the user the role of UserClass if the condition evaluates to True. If an error occurs, you do not want random users assigned the role of UserClass. Therefore, for this rule, you need to select False.

  6. In the Actions section, click Activate Role.

  7. In the Activate Role box, type UserClass, then click OK.

    This role is assigned to users who match the condition.

  8. Click OK > OK > Apply Changes.

  9. Click Identity Servers > Edit > Roles.

  10. Select the check box next to the name of the role, then click Enable.

  11. Click OK and update Identity Server.
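
To make the effect of the Comparison, Mode, and Result on Condition Error settings concrete, here is an added Python model of how such a Role policy condition is evaluated (example code written for this page, not Access Manager's own implementation; the directory entries, the powerUser class, and the lookup helpers are constructed):

```python
from dataclasses import dataclass

class LdapLookupError(Exception):
    """Constructed stand-in for a failed directory lookup (LDAP server down)."""

@dataclass
class LdapAttributeCondition:
    """One 'LDAP Attribute' condition as configured in steps 4 and 5 above."""
    attribute: str = "objectClass"
    value: str = "User"            # Value: Data Entry Field
    case_insensitive: bool = True  # Mode: Case Insensitive
    result_on_error: bool = False  # Result on Condition Error: False (fail closed)

    def matches(self, attr_values):
        """Comparison: String > Contains Substring over a multi-valued attribute."""
        needle = self.value.lower() if self.case_insensitive else self.value
        for v in attr_values:
            hay = v.lower() if self.case_insensitive else v
            if needle in hay:
                return True
        return False

def evaluate_role(condition, fetch_attribute, role="UserClass"):
    """Roles activated for one user; fetch_attribute(name) returns the user's
    values for that LDAP attribute or raises LdapLookupError if unreachable."""
    try:
        result = condition.matches(fetch_attribute(condition.attribute))
    except LdapLookupError:
        # Condition could not be evaluated: use the configured fallback result.
        result = condition.result_on_error
    return {role} if result else set()

# Constructed directory entries (hypothetical DNs and classes) for the demonstration.
DIRECTORY = {
    "cn=alice,o=example": {"objectClass": ["User", "organizationalPerson", "person",
                                           "ndsLoginProperties", "top"]},
    "cn=printer1,o=example": {"objectClass": ["printer", "top"]},
    "cn=bob,o=example": {"objectClass": ["powerUser", "top"]},  # substring also matches
}

def lookup(dn):
    """fetch_attribute callable for a reachable directory."""
    return lambda attribute: DIRECTORY[dn][attribute]

def lookup_unavailable(attribute):
    """fetch_attribute callable simulating an unreachable LDAP server."""
    raise LdapLookupError("directory unreachable")
```

With result_on_error set to True, a directory outage would hand UserClass to every user whose condition could not be evaluated, which is why the procedure selects False. The constructed powerUser entry also shows that Contains Substring matches any class name that contains the value, not only an exact match.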

You can now use this role when creating Authorization and Identity Injection policies. For more information, see the following: