Authorizations rules#

In this article, we will see how to define a Rule to assign an authorization to a user coming from an LDAP source automatically.

Reminder

A Rule is the combination of Criteria and Actions, actions will be triggered if the criteria are met.
A rule is defined by its logical operator: AND or OR.
- AND = All criteria must be met
- OR = One of the criteria must be met
The rules engine for entitlements runs ALL rules. So pay attention to their consistency / order.

To define a rule, go to the menu Administration > Rules> Rules for assigning authorizations to a user.
Add a new rule by clicking on add

Criteria#

It is necessary to define one or more criteria. In our case we have to tap on the LDAP criteria.

GLPI allows you to select multiple LDAP attributes, for example:

Once your criteria has been selected, you must define how GLPI should take this criteria into account by defining an operator, for example:

Let´s take a specific case. I want to establish a rule for my users who are members of a group containing the term SECURITY in the name.

My criteria therefore will be MemberOf and the action will be contains.
Then I enter the value of my criteria. Here it will be SECURITY.

Reminder:

An authorization is the combination of the following three concepts:

Example

User	Profile	Entity
John	technicien	Infrastructure

Transformed into an enabling rule:

Our criteria being defined, we can now create at least two actions necessary to affect a profile and an entity.

GLPI also allows you to influence on other objects or user status, for example:

At this step our rule is functional.

Users with SECURITY in their MemberOf attribute will be Technician in the Infrastructure entity.

To know

The rule will be applied when users log in or at each LDAP synchronization with GLPI.

Last update: 21/03/2023