Specifying the Directory Order for an Application
When you map multiple directories to an application, you also need to define the directory priority order. The directory order is used for the following:
Authentication
Authentication relies only on the groups you mapped to the application. Users are authenticated if they belong to a group mapped to the application in the first directory where they exist, or if that directory is mapped to the application using the Allow all users to authenticate option.
Authorization
When multiple directories are mapped to an integrated application, and duplicate user names and group names are used across those directories, the effective group memberships for authorization are determined on the basis of the membership aggregation scheme that has been applied.
In particular, the 'non-aggregating' membership scheme depends on the directory order to determine access permissions for a user.
See Effective memberships with multiple directories for more information.
Directory updates
When a user is added to a group, they are only added to the first writeable directory available, in priority order. This applies to both the aggregating and non-aggregating membership schemes.
When a user is removed from a group, the behavior depends on the membership scheme:
- With non-aggregating membership, the user is only removed from the group in the first directory the user is found in.
- With aggregating membership, the user is removed from the group in all directories the user is found in.
See Directory update operations for an explanation of the membership aggregation schemes.
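The update rules above as a small model, added here as an example and not Crowd's own code. The Directory class, the function names and the sample directories are constructed for illustration, and the model assumes every directory that holds the user accepts the removal.

```python
from dataclasses import dataclass, field

@dataclass
class Directory:
    name: str
    writable: bool
    members: dict = field(default_factory=dict)  # user name -> set of group names

def add_to_group(order, user, group):
    """Both schemes: the add lands in the first writable directory in priority order."""
    for d in order:
        if d.writable:
            d.members.setdefault(user, set()).add(group)
            return d.name
    return None  # no writable directory is mapped

def remove_from_group(order, user, group, aggregating):
    """Return the names of the directories the removal touched."""
    touched = []
    for d in order:
        if user not in d.members:
            continue  # user not found here, keep walking the order
        d.members[user].discard(group)
        touched.append(d.name)
        if not aggregating:
            break  # non-aggregating: only the first directory the user is found in
    return touched

def residual(order, user, group):
    """Directories that still hold the membership after an update."""
    return [d.name for d in order if group in d.members.get(user, set())]

def build():
    # Constructed sample: jdoe holds 'admins' in two writable directories;
    # a read-only directory without jdoe sits first in the order.
    return [
        Directory("ldap", writable=False),
        Directory("internal", writable=True, members={"jdoe": {"admins"}}),
        Directory("partner", writable=True, members={"jdoe": {"admins"}}),
    ]

def demo(aggregating, reverse=False):
    order = build()[::-1] if reverse else build()
    touched = remove_from_group(order, "jdoe", "admins", aggregating)
    return touched, residual(order, "jdoe", "admins")

if __name__ == "__main__":
    print("non-aggregating:", demo(False))
    print("aggregating:    ", demo(True))
    print("reordered:      ", demo(False, reverse=True))
```

A non-empty residual after a non-aggregating removal shows the membership still exists in a lower-priority directory, which is worth reviewing before the directory order is changed.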
Specify the directory order
- Log in to the Crowd Administration Console.
- Click the Applications tab in the top navigation bar to display the Application Browser.
- Click View for the application.
- Click the Directories tab to display a list of directories that are currently mapped to the application. Use the blue up-arrow or down-arrow to move a directory higher or lower in the order.