Creating a Role by Using a Group Membership Attribute

If you have created an LDAP group and assigned users to the group, you can use group membership to assign a role to the user. For example, create a first-level managers group and make all first-level managers members of this group. Create other groups to keep upper-level managers. You can create a Role policy that assigns the user a role if the user is a member of a specific group.

You can use the Role policy in an Authorization or Identity Injection policy to protect a web resource.

  1. Click Policies > Policies.

  2. Select the policy container, then click New.

  3. Specify a name for the Role policy, select Identity Server: Roles for the type, then click OK.

  4. In Condition Group 1, click New, then select LDAP Group.

  5. In Condition Group 1, select the conditions the user must meet:

    LDAP Group: Select Identity Server Configuration, the user store, then the Group.

    The following figure illustrates this selection process:

    Comparison: Select the attribute values comparison criteria. For LDAP Group, select Is Member of.

    Value: Select LDAP Group, then select [Current].

    The DN of the authenticated user is compared with the members of the LDAP Group. If the DN of the user matches one of the members, the user matches the condition.

    Result on Condition Error: This sets up the results that are returned if an error occurs while evaluating the condition (for example, the LDAP server goes down). This rule is set up to grant the user the role of ManagersGroup if the condition evaluates to True. If an error occurs, you do not want random users assigned the role of ManagersGroup. Therefore, for this rule, you need to select False.

  6. In the Actions section, click Activate Role.

  7. In Activate Role, specify ManagersGroup and click OK. The name you specify here is the role you want assigned to the users who match the condition.

    Your rule must look similar to the following:

  8. Click OK > OK > Apply Changes.

  9. Click Devices > Identity Servers > Servers > Edit > Roles.

  10. Select the check box next to the name of the role, then click Enable.

  11. Click OK and update Identity Server.

You can now use this role when creating Authorization and Identity Injection policies. For more information, see Authorization Policies and Identity Injection Policies.