Directory permissions allow you to restrict the way in which directories can be used by mapped applications. Often, administrators need to limit applications to only being able to read — not modify — directory entity data, i.e. the users, groups and roles contained within the directory. You can achieve this by disabling the relevant directory permissions.
Directory permissions are defined at two levels:
- Directory-level permissions are defined on the 'Permissions' tab of the 'View Directory' screen. These permissions apply to each application mapped to the directory, unless the application has its own application-level permissions.
- Application-level directory permissions are defined on the 'Permissions' tab of the 'View Application' screen. If a permission is enabled at directory level, you can enable it for a specific application. For example, you could enable the 'Add User' permission on the 'Customers' directory in JIRA but disable the permission for Confluence.
Take a look at an example.
Disabling a directory-level permission will override any permissions enabled at application level. If a permission is enabled at application level and then subsequently disabled at directory level, the directory-level permission will apply. (The application-level permissions will be 'remembered' and will apply again if re-enabled at directory level.)
 | How do directory permissions affect the Crowd application (Crowd Administration Console)?
- If a particular permission is turned off at directory level, then no application can perform the related function - not even the Crowd application. So, for example, if you disable the 'Remove User' permission for a directory, then the Crowd Administration Console will not allow you to delete a user from that directory.
- The Crowd application is not bound by application-level permissions.
|
Below, we tell you about directory-level permissions. You can also read more about application-level directory permissions.
Directory-Level Permissions
| Permission |
Description |
| Add Group |
Allows applications to add groups to the directory. |
| Add User |
Allows applications to add users to the directory. |
| Add Role |
Allows applications to add roles to the directory. |
| Modify Group |
Allows applications to modify groups in the directory. |
| Modify User |
Allows applications to modify users in the directory. |
| Modify Role |
Allows applications to modify roles in the directory. |
| Remove Group |
Allows applications to delete groups from the directory. |
| Remove User |
Allows applications to delete users from the directory.
Consider carefully whether you allow the deletion of users, as some applications contain historical data, e.g. documents that the user has created. Read more. |
| Remove Role |
Allows applications to delete roles from the directory. |
When you add a new directory, all of its permissions are enabled by default.
To specify directory permissions,
- Configure a new directory as described in 2.2 Adding a Directory or select an existing directory from the Directory Browser.
- Click the 'Permissions' tab. This will display a list of permissions as shown in the screenshot below.
- To enable a directory permission, select the corresponding check-box.
- To disable a directory permission, deselect the corresponding check-box.
Screenshot: 'Directory Permissions'
See Also
To control which users within a directory may access a mapped application, see 3.4 Specifying which Groups can access an Application.
Related Topics
Crowd Documentation
