Specifying the Directory Order for an Application
When you map multiple directories to an application, you also need to define the directory priority order. The directory order is used for the following:
Authentication only relies on the groups you mapped to the application. Users are authenticated if they belong to a group mapped to the application in the first directory where they exist, or if that directory is mapped to the application using the Allow all users from this directory to authenticate option.
When multiple directories are mapped to an integrated application, and duplicated usernames and group names are used across those directories, the effective group memberships for authorization are determined on the basis of the membership aggregation scheme that has been applied.
In particular, the non-aggregating membership scheme depends on the directory order to determine access permissions for a user.
See Effective memberships with multiple directories for more information.
When a user is added to a group, Crowd adds them to the first directory it has access to in priority order. This applies to both the aggregating and non-aggregating membership schemes.
When a user is removed from a group, the behavior depends on the membership scheme:
- With non-aggregating membership, the user is only removed from the group in the first directory the user is found in.
- With aggregating membership, the user is removed from the group in all directories the user is found in.
See Directory update operations for an explanation of the membership aggregation schemes.
Specify the directory order
- Log in to the Crowd Administration Console.
- In the top navigation bar, click the Applications tab.
- Click View for the application.
- Click the Directories & groups tab to display a list of directories that are currently mapped to the application.
- Drag & drop rows to move a directory higher or lower in the order: