Skip to content

Authorizations rules#

In this article, we will see how to define a Rule to assign an authorization to a user coming from an LDAP source automatically.


  • A Rule is the combination of Criteria and Actions, actions will be triggered if the criteria are met.
  • A rule is defined by its logical operator: AND or OR.
    • AND = All criteria must be met
    • OR = One of the criteria must be met
  • The rules engine for entitlements runs ALL rules. So pay attention to their consistency / order.
  • To define a rule, go to the menu Administration > Rules> Rules for assigning authorizations to a user.
  • Add a new rule by clicking on add


It is necessary to define one or more criteria. In our case we have to tap on the LDAP criteria.

GLPI allows you to select multiple LDAP attributes, for example:

  • MemberOf;
  • Email;
  • TelephoneNumber;
  • User ID;
  • Common Name;
  • etc.

Once your criteria has been selected, you must define how GLPI should take this criteria into account by defining an operator, for example:

  • is;
  • contains;
  • finished by;
  • exists;
  • does not exist;
  • etc.

Let´s take a specific case. I want to establish a rule for my users who are members of a group containing the term SECURITY in the name.

  • My criteria therefore will be MemberOf and the action will be contains.
  • Then I enter the value of my criteria. Here it will be SECURITY.

Alt text



An authorization is the combination of the following three concepts:

  • User;
  • Profile;
  • Entity.


User Profile Entity
John technicien Infrastructure

Transformed into an enabling rule:

  • Criteria = User
  • Actions = Entity + Profile

Our criteria being defined, we can now create at least two actions necessary to affect a profile and an entity.

Alt text

GLPI also allows you to influence on other objects or user status, for example:

  • Active ( yes or no );
  • Recursive (yes or no );
  • Default entity;
  • etc.

At this step our rule is functional.

Users with SECURITY in their MemberOf attribute will be Technician in the Infrastructure entity.

To know

The rule will be applied when users log in or at each LDAP synchronization with GLPI.


Documentation GLPI "Users profiles"