Authorization rules
In this article, we will see how to define a Rule that automatically assigns an authorization to a user coming from an LDAP source.
Reminder
- A Rule is the combination of Criteria and Actions: the actions are triggered if the criteria are met.
- A rule is defined by its logical operator, AND or OR:
  AND = all criteria must be met
  OR = one of the criteria must be met
- The rules engine for authorizations runs ALL rules, so pay attention to their consistency and order.
- To define a rule, go to the menu Administration > Rules > Rules for assigning authorizations to a user.
- Add a new rule by clicking on "add".
Criteria
It is necessary to define one or more criteria. In our case we use LDAP criteria.
GLPI allows you to select multiple LDAP attributes, for example:
- MemberOf
- Email
- TelephoneNumber
- User ID
- Common Name
- etc.
Once your criterion has been selected, you must define how GLPI should take it into account by choosing an operator, for example:
- is
- contains
- finished by
- exists
- does not exist
- etc.
Let's take a specific case. I want to establish a rule for my users who are members of a group whose name contains the term SECURITY.
- My criterion will therefore be MemberOf and the operator will be "contains".
- Then I enter the value of my criterion. Here it will be SECURITY.
Actions
Reminder: an authorization is the combination of the following three concepts:
- User;
- Profile;
- Entity.
Example:
User | Profile | Entity
---|---|---
John | technicien | Infrastructure
Transformed into an authorization rule:
Criteria = User
Actions = Entity + Profile
Our criteria being defined, we can now create the two actions needed at minimum to assign a profile and an entity.
GLPI also allows you to act on other objects or on the user's status, for example:
- Active (yes or no);
- Recursive (yes or no);
- Default entity;
- etc.
At this step our rule is functional. Users with SECURITY in their MemberOf attribute will be Technician in the Infrastructure entity.
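To make the behaviour of criteria, operators and actions concrete, here is a small model of the rules engine described in this article (criteria with the listed operators, an AND/OR logical operator per rule, actions that set profile and entity, and an engine that runs ALL rules in order). This is an added example written for this page, not GLPI's own code: the attribute names, rule names, profile and entity values and the LDAP entries are constructed, and matching is done case-insensitively here as an assumption of the model, not a statement about GLPI.

```python
"""Toy model of GLPI-style 'rules for assigning authorizations to a user'.

Added example, not GLPI code. Operator names follow the article; attribute
names, rule names, profile/entity values and LDAP entries are constructed,
and comparisons are case-insensitive (an assumption of this model).
"""
from dataclasses import dataclass
from typing import Callable

# One predicate per operator named in the article. Each receives the
# attribute's values (LDAP attributes are multi-valued) and the rule's pattern.
OPERATORS: dict[str, Callable[[list[str], str], bool]] = {
    "is": lambda vals, pat: any(v.lower() == pat.lower() for v in vals),
    "contains": lambda vals, pat: any(pat.lower() in v.lower() for v in vals),
    "finished by": lambda vals, pat: any(v.lower().endswith(pat.lower()) for v in vals),
    "exists": lambda vals, pat: len(vals) > 0,
    "does not exist": lambda vals, pat: len(vals) == 0,
}


@dataclass(frozen=True)
class Criterion:
    attribute: str      # LDAP attribute, e.g. "memberOf"
    operator: str       # key of OPERATORS
    pattern: str = ""   # value typed in the rule (ignored by exists / does not exist)

    def matches(self, entry: dict[str, list[str]]) -> bool:
        return OPERATORS[self.operator](entry.get(self.attribute, []), self.pattern)


@dataclass
class Rule:
    name: str
    criteria: tuple[Criterion, ...]
    actions: dict[str, object]   # e.g. {"profile": ..., "entity": ..., "active": True}
    logic: str = "AND"           # AND: all criteria must match; OR: any one of them

    def matches(self, entry: dict[str, list[str]]) -> bool:
        results = [c.matches(entry) for c in self.criteria]
        return all(results) if self.logic == "AND" else any(results)


def apply_rules(rules: list[Rule], entry: dict[str, list[str]]) -> tuple[dict[str, object], list[str]]:
    """Run ALL rules in order, as the article says the engine does. In this
    model a later matching rule overwrites action fields set by an earlier
    one, which is why rule order and consistency matter. Returns the
    resulting authorization and the names of the rules that matched."""
    authorization: dict[str, object] = {}
    matched: list[str] = []
    for rule in rules:
        if rule.matches(entry):
            matched.append(rule.name)
            authorization.update(rule.actions)
    return authorization, matched


# Constructed sample LDAP entries (not real directory data).
ALICE = {
    "uid": ["alice"],
    "mail": ["alice@example.com"],
    "memberOf": ["CN=IT-Security,OU=Groups,DC=example,DC=com",
                 "CN=All-Staff,OU=Groups,DC=example,DC=com"],
}
BOB = {
    "uid": ["bob"],
    "mail": ["bob@example.com"],
    "memberOf": ["CN=Sales,OU=Groups,DC=example,DC=com"],
}

# The article's rule: memberOf contains SECURITY -> technicien in Infrastructure.
SECURITY_RULE = Rule(
    "SECURITY group members",
    (Criterion("memberOf", "contains", "SECURITY"),),
    {"profile": "technicien", "entity": "Infrastructure", "active": True},
)
# A constructed catch-all giving every LDAP user a default authorization.
DEFAULT_RULE = Rule(
    "Default for any LDAP user",
    (Criterion("uid", "exists"),),
    {"profile": "Self-Service", "entity": "Root entity", "active": True},
)


def demo(order: list[Rule]) -> dict[str, dict[str, object]]:
    """Evaluate both sample users against the rules in the given order."""
    return {uid: apply_rules(order, entry)[0] for uid, entry in (("alice", ALICE), ("bob", BOB))}


if __name__ == "__main__":
    # Catch-all first, specific rule last: alice is promoted, bob keeps the default.
    print(demo([DEFAULT_RULE, SECURITY_RULE]))
    # Reversed: the catch-all runs last and silently overwrites alice's profile.
    print(demo([SECURITY_RULE, DEFAULT_RULE]))
```

The second `demo` call is the point of the "consistency / order" reminder above: because every rule runs, a broad catch-all placed after a specific rule undoes the specific rule's actions, so generic rules belong before the specific ones they should not override.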
Good to know
The rule is applied when users log in and at each LDAP synchronization with GLPI.