Directory permissions allow you to restrict the way in which directories can be used by mapped applications. Often, administrators need to limit applications to only being able to read — not modify — directory entity data, i.e. the users and groups contained within the directory. You can achieve this by disabling the relevant directory permissions.

Directory permissions are defined at two levels:

  1. Directory-level permissions are defined on the 'Permissions' tab of the 'View Directory' screen. These permissions apply to each application mapped to the directory, unless the application has its own application-level permissions.
  2. Application-level directory permissions are defined on the 'Permissions' tab of the 'View Application' screen. If a permission is enabled at directory level, you can enable it for a specific application. For example, you could enable the 'Add User' permission on the 'Customers' directory in JIRA but disable the permission for Confluence.

Take a look at an example.

Disabling a directory-level permission will override any permissions enabled at application level. If a permission is enabled at application level and then subsequently disabled at directory level, the directory-level permission will apply. (The application-level permissions will be 'remembered' and will apply again if re-enabled at directory level.)

How do directory permissions affect the Crowd application (Crowd Administration Console)?

  • If a particular permission is turned off at directory level, then no application can perform the related function - not even the Crowd application. So, for example, if you disable the 'Remove User' permission for a directory, then the Crowd Administration Console will not allow you to delete a user from that directory.
  • The Crowd application is not bound by application-level permissions, because any user who could log into the Crowd application could change the application-level permissions for the Crowd application anyway.

Below, we tell you about directory-level permissions. You can also read more about application-level directory permissions.

Directory-Level Permissions

Permission

Description

Add Group

Allows applications to add groups to the directory.

Add User

Allows applications to add users to the directory.

Modify Group

Allows applications to modify groups in the directory.

Modify User

Allows applications to modify users in the directory.

Modify Group AttributesAllows applications to modify group attributes in the directory.
Modify User AttributesAllows applications to modify user attributes in the directory including the active option.

Remove Group

Allows applications to delete groups from the directory.

Remove User

Allows applications to delete users from the directory.
(warning) Consider carefully whether you allow the deletion of users, as some applications contain historical data, e.g. documents that the user has created. Read more.

When you add a new directory, all of its permissions are enabled by default.

To specify directory permissions,

  1. Configure a new directory as described in Adding a Directory or select an existing directory from the Directory Browser.
  2. Click the 'Permissions' tab. This will display a list of permissions as shown in the screenshot below.
    • To enable a directory permission, select the corresponding checkbox.
    • To disable a directory permission, deselect the corresponding checkbox.

Screenshot: Directory permissions

Need to grant users permission to access an application?

To control which users within a directory may access a mapped application, see Specifying which Groups can access an Application.

RELATED TOPICS

Specifying an Application's Directory Permissions

Crowd Documentation