Specifying Directory Permissions
Directory permissions allow you to restrict the way in which directories can be used by mapped applications. Often, administrators need to limit applications to only being able to read — not modify — directory entity data, i.e. the users and groups contained within the directory. You can achieve this by disabling the relevant directory permissions.
Directory permissions are defined at two levels:
- Directory-level permissions are defined on the 'Permissions' tab of the 'View Directory' screen. These permissions apply to each application mapped to the directory, unless the application has its own application-level permissions.
- Application-level directory permissions are defined on the 'Permissions' tab of the 'View Application' screen. If a permission is enabled at directory level, you can enable it for a specific application. For example, you could enable the 'Add User' permission on the 'Customers' directory in JIRA but disable the permission for Confluence.
Take a look at an example.
Disabling a directory-level permission will override any permissions enabled at application level. If a permission is enabled at application level and then subsequently disabled at directory level, the directory-level permission will apply. (The application-level permissions will be 'remembered' and will apply again if re-enabled at directory level.)
How do directory permissions affect the Crowd application (Crowd Administration Console)?
- If a particular permission is turned off at directory level, then no application can perform the related function - not even the Crowd application. So, for example, if you disable the 'Remove User' permission for a directory, then the Crowd Administration Console will not allow you to delete a user from that directory.
- The Crowd application is not bound by application-level permissions, because any user who could log into the Crowd application could change the application-level permissions for the Crowd application anyway.
Below, we tell you about directory-level permissions. You can also read more about application-level directory permissions.
Allows applications to add groups to the directory.
Allows applications to add users to the directory.
Allows applications to modify groups in the directory.
Allows applications to modify users in the directory.
|Modify Group Attributes||Allows applications to modify group attributes in the directory.|
|Modify User Attributes||Allows applications to modify user attributes in the directory including the active option.|
Allows applications to delete groups from the directory.
Allows applications to delete users from the directory.
When you add a new directory, all of its permissions are enabled by default.
To specify directory permissions,
- Configure a new directory as described in Adding a Directory or select an existing directory from the Directory Browser.
- Click the 'Permissions' tab. This will display a list of permissions as shown in the screenshot below.
- To enable a directory permission, select the corresponding checkbox.
- To disable a directory permission, deselect the corresponding checkbox.
Screenshot: Directory permissions
Need to grant users permission to access an application?
- Using the Directory Browser
- Configuring Caching for an LDAP Directory
- Using Naive DN Matching
- Specifying Directory Permissions
- Configuring directories for failover authentication