Specifying an Application's Directory Permissions
When you map a directory to an application, you can also define the application's ability to add/update/delete users and groups in the directory. To do this, use the 'Permissions' tab in the 'View Application' screen.
Directory permissions are defined at two levels:
- Directory-level permissions are defined on the 'Permissions' tab of the 'View Directory' screen. These permissions apply to each application mapped to the directory, unless the application has its own application-level permissions.
 - Application-level directory permissions are defined on the 'Permissions' tab of the 'View Application' screen. If a permission is enabled at directory level, you can enable it for a specific application. For example, you could enable the 'Add User' permission on the 'Customers' directory in Jira but disable the permission for Confluence.
 
Disabling a directory-level permission will override any permissions enabled at application level. If a permission is enabled at application level and then subsequently disabled at directory level, the directory-level permission will apply. (The application-level permissions will be 'remembered' and will apply again if re-enabled at directory level.)
How do directory permissions affect the Crowd application (Crowd Administration Console)?
- If a particular permission is turned off at directory level, then no application can perform the related function - not even the Crowd application. So, for example, if you disable the 'Remove User' permission for a directory, then the Crowd Administration Console will not allow you to delete a user from that directory.
 - The Crowd application is not bound by application-level permissions, because any user who could log into the Crowd application could change the application-level permissions for the Crowd application anyway.
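
The precedence rules above, modelled as a small evaluator you can use to reason about effective permissions during an access review. This is an added example, not Crowd's own code: the class and function names are hypothetical, and the sample mappings are constructed from the 'Customers' example on this page.

```python
from dataclasses import dataclass, field

PERMISSIONS = ("Add Group", "Add User", "Modify Group",
               "Modify User", "Remove Group", "Remove User")

@dataclass
class Directory:
    name: str
    # Directory-level permissions ('View Directory' > 'Permissions').
    enabled: set = field(default_factory=lambda: set(PERMISSIONS))

@dataclass
class Mapping:
    application: str
    directory: Directory
    # Application-level permissions; all enabled when first mapped.
    enabled: set = field(default_factory=lambda: set(PERMISSIONS))
    is_crowd_console: bool = False

def is_allowed(m: Mapping, permission: str) -> bool:
    if permission not in PERMISSIONS:
        raise ValueError(f"unknown permission: {permission}")
    if permission not in m.directory.enabled:
        return False   # disabled at directory level: no application may do it
    if m.is_crowd_console:
        return True    # the console is not bound by application-level settings
    return permission in m.enabled

def masked_grants(m: Mapping) -> set:
    """Application-level grants currently overridden by the directory.
    They are remembered and apply again if the directory re-enables them."""
    return m.enabled - m.directory.enabled

def report(mappings):
    rows = []
    for m in mappings:
        for p in PERMISSIONS:
            state = "allowed" if is_allowed(m, p) else "denied"
            if p not in m.directory.enabled:
                state += " (disabled globally)"
            rows.append((m.application, m.directory.name, p, state))
    return rows

# Constructed sample data based on the page's 'Customers' example.
customers = Directory("Customers")
jira = Mapping("Jira", customers)
confluence = Mapping("Confluence", customers, enabled=set(PERMISSIONS) - {"Add User"})
console = Mapping("Crowd", customers, is_crowd_console=True)
```

`masked_grants` is the part worth checking before re-enabling a directory-level permission: every application-level grant it returns becomes effective again at that moment.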
 
For details on directory-level permissions, refer to the instructions on specifying directory permissions. Below are instructions on setting the application-level directory permissions.
| Permission | Description |
|---|---|
| Add Group | Allows the application to add groups to the selected directory. |
| Add User | Allows the application to add users to the selected directory. |
| Modify Group | Allows the application to modify groups in the selected directory. |
| Modify User | Allows the application to modify users in the selected directory. |
| Remove Group | Allows the application to delete groups from the selected directory. |
| Remove User | Allows the application to delete users from the selected directory. |
When you initially map a directory to an application, all of the application's permissions are enabled by default. But note that disabling a directory-level permission will override any permissions enabled at application level.
To set the directory permissions for an application:
- Log in to the Crowd Administration Console.
- In the top navigation bar, click Applications.
- Click the application you want to edit.
- Click the Permissions tab.
  This displays a list of directories that are currently mapped to the application, and a set of permission check-boxes.
- From the drop-down list, select a directory.
- Select the permissions you wish to allow this application to perform on the selected directory.
 
Screenshot: Setting directory permissions for an application 
 
 On the application permissions screen, the words '(disabled globally)' will appear next to any permission that is disabled at directory level.
