Specifying an Application's Directory Permissions
When you map a directory to an application, you can also define the application's ability to add/update/delete users and groups in the directory. To do this, use the 'Permissions' tab in the 'View Application' screen.
Directory permissions are defined at two levels:
- Directory-level permissions are defined on the 'Permissions' tab of the 'View Directory' screen. These permissions apply to each application mapped to the directory, unless the application has its own application-level permissions.
- Application-level directory permissions are defined on the 'Permissions' tab of the 'View Application' screen. If a permission is enabled at directory level, you can enable it for a specific application. For example, you could enable the 'Add User' permission on the 'Customers' directory in Jira but disable the permission for Confluence.
Disabling a directory-level permission will override any permissions enabled at application level. If a permission is enabled at application level and then subsequently disabled at directory level, the directory-level permission will apply. (The application-level permissions will be 'remembered' and will apply again if re-enabled at directory level.)
How do directory permissions affect the Crowd application (Crowd Administration Console)?
- If a particular permission is turned off at directory level, then no application can perform the related function - not even the Crowd application. So, for example, if you disable the 'Remove User' permission for a directory, then the Crowd Administration Console will not allow you to delete a user from that directory.
- The Crowd application is not bound by application-level permissions, because any user who could log into the Crowd application could change the application-level permissions for the Crowd application anyway.
For details on directory-level permissions, refer to the instructions on specifying directory permissions. Below are instructions on setting the application-level directory permissions.
- Allows the application to add groups to the selected directory.
- Allows the application to add users to the selected directory.
- Allows the application to modify groups in the selected directory.
- Allows the application to modify users in the selected directory.
- Allows the application to delete groups from the selected directory.
- Allows the application to delete users from the selected directory.
When you initially map a directory to an application, all of the application's permissions are enabled by default. But note that disabling a directory-level permission will override any permissions enabled at application level.
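The precedence rules above can be modelled in a few lines, which is useful when reviewing which applications can actually change a directory. This is an added sketch, not Crowd's own code or API: the class and function names are hypothetical, and the permission labels other than 'Add User' and 'Remove User' are assumed.

```python
from dataclasses import dataclass, field

# Labels for the six operations the page lists. Only 'Add User' and 'Remove User'
# are named on the page; the other four labels are assumed for this sketch.
ALL = frozenset({"Add Group", "Add User", "Modify Group",
                 "Modify User", "Remove Group", "Remove User"})

@dataclass
class Directory:
    name: str
    enabled: set = field(default_factory=lambda: set(ALL))  # assumed starting state

@dataclass
class Application:
    name: str
    is_crowd_console: bool = False
    mappings: dict = field(default_factory=dict)  # directory name -> (Directory, app-level set)

    def map_directory(self, directory):
        # A new mapping starts with every application-level permission enabled.
        self.mappings[directory.name] = (directory, set(ALL))

    def app_level(self, directory_name):
        return self.mappings[directory_name][1]

def is_allowed(app, directory_name, permission):
    if directory_name not in app.mappings:
        return False  # assumption: an unmapped directory grants nothing
    directory, app_enabled = app.mappings[directory_name]
    if permission not in directory.enabled:
        return False  # directory-level "off" binds every application, Crowd included
    if app.is_crowd_console:
        return True   # the Crowd application is not bound by application-level settings
    return permission in app_enabled

def audit(apps):
    """List every (application, directory, permission, reason) that is denied."""
    rows = []
    for app in apps:
        for dname, (directory, _) in app.mappings.items():
            for perm in sorted(ALL):
                if perm not in directory.enabled:
                    rows.append((app.name, dname, perm, "disabled globally"))
                elif not is_allowed(app, dname, perm):
                    rows.append((app.name, dname, perm, "disabled for application"))
    return rows
```

Because the application-level set is stored separately from the directory-level set, turning a permission off and back on at directory level leaves each application's own setting as it was.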
To set the directory permissions for an application:
- Log in to the Crowd Administration Console.
- In the top navigation bar, click Applications.
- Click the application you want to edit.
- Click the Permissions tab.
This displays a list of directories that are currently mapped to the application, and a set of permission check-boxes.
- From the drop-down list, select a directory.
- Select permissions you wish to allow this application to perform on the selected directory.
Screenshot: Setting directory permissions for an application
On the application permissions screen, the words '(disabled globally)' will appear next to any permission that is disabled at directory level.