REST APIs for 24.2.20 and 24.2.10

Mapping Group Membership for LDAP

This section explains how to map group membership to user roles.

You must first configure the PCE to use LDAP authentication and then map PCE roles to that server's groups.

When a user attempts to log in, the PCE queries the server(s) to find that user. It grants the user permissions based on any roles associated with the LDAP groups to which the user belongs.

You have the following options for changing user permissions:

  • For a group of users, remap the LDAP group to a different PCE role.

  • For an individual user, move the user to an LDAP group mapped to a different PCE role using the LDAP server.

You can also perform these user management activities:

  • Add a user to a PCE role.

    On the PCE, map the PCE role to an LDAP group.

    On your LDAP server, add the user to that LDAP group.

  • Remove a user from a PCE role by removing the user from the corresponding LDAP group on your LDAP server.

Users can have memberships in several roles, which gives them access to all the capabilities available for each role.

For example, suppose a user is a member of both the docs and eng groups, and the docs group is mapped to "Ruleset Manager" while the eng group is mapped to "Ruleset Provisioner." In this case, the user obtains all permissions assigned to both the "Ruleset Manager" and "Ruleset Provisioner" roles.
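To make the resolution rules above concrete, the following is an added Python model of how roles are resolved from LDAP group membership at login and how the two change options differ in scope; it is not PCE code, and the group DNs, the case-insensitive DN comparison and the function names are assumptions for illustration.

```python
from typing import Dict, FrozenSet, Iterable, List, Set

# Constructed sample mapping: group DNs are hypothetical, role names are those used on the page.
GROUP_TO_ROLES: Dict[str, Set[str]] = {
    "cn=docs,ou=groups,dc=example,dc=com": {"Ruleset Manager"},
    "cn=eng,ou=groups,dc=example,dc=com": {"Ruleset Provisioner"},
    "cn=staff,ou=groups,dc=example,dc=com": set(),  # group with no PCE role mapped
}


def normalize_dn(dn: str) -> str:
    """Canonicalise a DN for comparison: trim each RDN and lowercase it (assumed to match the PCE's comparison)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def effective_roles(member_of: Iterable[str], group_to_roles: Dict[str, Set[str]]) -> FrozenSet[str]:
    """Roles granted at login: the union of the roles mapped to every LDAP group the user belongs to.
    Groups with no mapping contribute nothing, so a user in no mapped group receives no role at all."""
    mapping = {normalize_dn(g): set(r) for g, r in group_to_roles.items()}
    roles: Set[str] = set()
    for group in member_of:
        roles |= mapping.get(normalize_dn(group), set())
    return frozenset(roles)


def remap_group(group_to_roles: Dict[str, Set[str]], group: str, new_roles: Iterable[str]) -> Dict[str, Set[str]]:
    """Option 1, done on the PCE: point an LDAP group at different roles.
    Every member of that group picks up the new roles at their next login."""
    updated = {g: set(r) for g, r in group_to_roles.items()}
    updated[group] = set(new_roles)
    return updated


def move_user(member_of: List[str], from_group: str, to_group: str) -> List[str]:
    """Option 2, done on the LDAP server: change one user's group membership.
    Only that user's roles change; the group-to-role mapping on the PCE is untouched."""
    kept = [g for g in member_of if normalize_dn(g) != normalize_dn(from_group)]
    return kept + [to_group]


if __name__ == "__main__":
    # The docs + eng example from the page: the user holds both roles.
    alice = ["CN=docs, OU=groups, DC=example, DC=com", "cn=eng,ou=groups,dc=example,dc=com"]
    print(sorted(effective_roles(alice, GROUP_TO_ROLES)))
```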

Note

The PCE checks LDAP membership information when a user attempts to log in.

You do not need to reload the authentication configuration when adding or removing users.