Directory permissions allow you to restrict the way in which directories can be used by mapped applications. Often, administrators need to limit applications to only being able to read — not modify — directory entity data, i.e. the users and groups contained within the directory. You can achieve this by disabling the relevant directory permissions.
Directory permissions are defined at two levels:
- Directory-level permissions are defined on the 'Permissions' tab of the 'View Directory' screen. These permissions apply to each application mapped to the directory, unless the application has its own application-level permissions.
- Application-level directory permissions are defined on the 'Permissions' tab of the 'View Application' screen. If a permission is enabled at directory level, you can enable or disable it for a specific application. For example, you could enable the 'Add User' permission on the 'Customers' directory for JIRA but disable it for Confluence.
Take a look at an example.
Disabling a directory-level permission will override any permissions enabled at application level. If a permission is enabled at application level and then subsequently disabled at directory level, the directory-level permission will apply. (The application-level permissions will be 'remembered' and will apply again if re-enabled at directory level.)
How do directory permissions affect the Crowd application (Crowd Administration Console)?
- If a particular permission is turned off at directory level, then no application can perform the related function - not even the Crowd application. So, for example, if you disable the 'Remove User' permission for a directory, then the Crowd Administration Console will not allow you to delete a user from that directory.
- The Crowd application is not bound by application-level permissions, because any user who could log into the Crowd application could change the application-level permissions for the Crowd application anyway.
Below, we tell you about directory-level permissions. You can also read more about application-level directory permissions.
Directory-Level Permissions
Permission | Description |
---|---|
Add Group | Allows applications to add groups to the directory. |
Add User | Allows applications to add users to the directory. |
Modify Group | Allows applications to modify groups in the directory. |
Modify User | Allows applications to modify users in the directory. |
Modify Group Attributes | Allows applications to modify group attributes in the directory. |
Modify User Attributes | Allows applications to modify user attributes in the directory, including the active option. |
Remove Group | Allows applications to delete groups from the directory. |
Remove User | Allows applications to delete users from the directory. |
When you add a new directory, all of its permissions are enabled by default.
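The precedence rules described above can be checked with a small model. This is an added example, not Crowd's own code or API: the `Directory` class, its methods, and the application names `jira`, `confluence` and `crowd` are assumptions made for illustration.

```python
# Added illustration of the precedence rules on this page.
# All names here are hypothetical; this is not Crowd's API.
from dataclasses import dataclass, field

PERMISSIONS = frozenset({
    "Add Group", "Add User", "Modify Group", "Modify User",
    "Modify Group Attributes", "Modify User Attributes",
    "Remove Group", "Remove User",
})
CROWD_APP = "crowd"  # assumed name for the Crowd Administration Console


@dataclass
class Directory:
    name: str
    # A new directory starts with every permission enabled.
    enabled: set = field(default_factory=lambda: set(PERMISSIONS))
    # Application-level settings; they are kept while a permission is
    # disabled at directory level, so they are "remembered".
    app_enabled: dict = field(default_factory=dict)

    def allows(self, app: str, perm: str) -> bool:
        if perm not in PERMISSIONS:
            raise ValueError(f"unknown permission: {perm}")
        if perm not in self.enabled:
            return False   # directory level wins, even over the Crowd app
        if app == CROWD_APP:
            return True    # not bound by application-level settings
        override = self.app_enabled.get(app)
        return True if override is None else perm in override

    def writers(self, apps):
        """Map each application to the permissions it effectively holds."""
        return {a: sorted(p for p in PERMISSIONS if self.allows(a, p))
                for a in apps}


def demo():
    d = Directory("Customers")
    d.app_enabled["confluence"] = PERMISSIONS - {"Add User"}
    before = (d.allows("jira", "Add User"), d.allows("confluence", "Add User"))
    d.enabled.discard("Remove User")   # disable at directory level
    during = [d.allows(a, "Remove User")
              for a in ("jira", "confluence", CROWD_APP)]
    d.enabled.add("Remove User")       # re-enable: app-level settings return
    after = d.allows("confluence", "Remove User")
    return before, during, after
```

Calling `writers()` on the list of mapped applications gives a quick audit of a directory intended to be read-only: every application, including the Crowd application, should map to an empty list.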
To specify directory permissions:
- Configure a new directory as described in Adding a Directory or select an existing directory from the Directory Browser.
- Click the 'Permissions' tab. This will display a list of permissions as shown in the screenshot below.
- To enable a directory permission, select the corresponding checkbox.
- To disable a directory permission, deselect the corresponding checkbox.
Screenshot: Directory permissions
Need to grant users permission to access an application?
To control which users within a directory may access a mapped application, see Specifying which Groups can access an Application.