Specifying an Application's Directory Permissions
When you map a directory to an application, you can also define the application's ability to add/update/delete users and groups in the directory. To do this, use the 'Permissions' tab in the 'View Application' screen.
Directory permissions are defined at two levels:
- Directory-level permissions are defined on the 'Permissions' tab of the 'View Directory' screen. These permissions apply to each application mapped to the directory, unless the application has its own application-level permissions.
- Application-level directory permissions are defined on the 'Permissions' tab of the 'View Application' screen. If a permission is enabled at directory level, you can enable it for a specific application. For example, you could enable the 'Add User' permission on the 'Customers' directory in JIRA but disable the permission for Confluence.
Disabling a directory-level permission will override any permissions enabled at application level. If a permission is enabled at application level and then subsequently disabled at directory level, the directory-level permission will apply. (The application-level permissions will be 'remembered' and will apply again if re-enabled at directory level.)
How do directory permissions affect the Crowd application (Crowd Administration Console)?
- If a particular permission is turned off at directory level, then no application can perform the related function - not even the Crowd application. So, for example, if you disable the 'Remove User' permission for a directory, then the Crowd Administration Console will not allow you to delete a user from that directory.
- The Crowd application is not bound by application-level permissions, because any user who could log into the Crowd application could change the application-level permissions for the Crowd application anyway.
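The precedence rules above can be modelled in a few lines to check which applications can actually use a permission. This is an added example, not Crowd's own code or API; the class and function names (`Directory`, `Mapping`, `effective`, `audit`, `demo`) are hypothetical and the sample data is constructed.

```python
from dataclasses import dataclass, field

PERMISSIONS = ("Add Group", "Add User", "Modify Group",
               "Modify User", "Remove Group", "Remove User")

@dataclass
class Directory:
    name: str
    enabled: set = field(default_factory=lambda: set(PERMISSIONS))  # directory level

@dataclass
class Mapping:
    application: str
    directory: Directory
    # Application level: everything is enabled when a directory is first mapped.
    enabled: set = field(default_factory=lambda: set(PERMISSIONS))
    is_crowd: bool = False  # True for the Crowd application itself

def effective(m, permission):
    """Return (allowed, reason) for one application/directory/permission."""
    if permission not in m.directory.enabled:
        return False, "disabled globally"          # directory level always wins
    if m.is_crowd:
        return True, "Crowd application is not bound by application-level permissions"
    if permission in m.enabled:
        return True, "enabled at both levels"
    return False, "disabled at application level"

def audit(mappings, permission):
    """Names of the applications that can currently use `permission`."""
    return sorted(m.application for m in mappings if effective(m, permission)[0])

def demo():
    # Constructed sample data, following the page's 'Customers' example.
    customers = Directory("Customers")
    jira = Mapping("JIRA", customers)
    confluence = Mapping("Confluence", customers)
    crowd = Mapping("Crowd", customers, is_crowd=True)
    confluence.enabled.discard("Add User")   # application-level restriction
    crowd.enabled.discard("Add User")        # has no effect on the Crowd application
    apps = [jira, confluence, crowd]
    before = audit(apps, "Add User")         # ['Crowd', 'JIRA']
    customers.enabled.discard("Add User")    # disable at directory level
    during = audit(apps, "Add User")         # []
    customers.enabled.add("Add User")        # re-enable: app-level settings return
    after = audit(apps, "Add User")          # ['Crowd', 'JIRA']
    return before, during, after

if __name__ == "__main__":
    print(demo())
```

When reviewing least privilege for a directory, the directory-level switch is the only control that also restricts the Crowd Administration Console.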
For details on directory-level permissions, refer to the instructions on specifying directory permissions. Below are instructions on setting the application-level directory permissions.
Permission | Description |
---|---|
Add Group | Allows the application to add groups to the selected directory. |
Add User | Allows the application to add users to the selected directory. |
Modify Group | Allows the application to modify groups in the selected directory. |
Modify User | Allows the application to modify users in the selected directory. |
Remove Group | Allows the application to delete groups from the selected directory. |
Remove User | Allows the application to delete users from the selected directory. |
When you initially map a directory to an application, all of the application's permissions are enabled by default. But note that disabling a directory-level permission will override any permissions enabled at application level.
To set the directory permissions for an application:
- Log in to the Crowd Administration Console.
- Click the 'Applications' tab in the top navigation bar.
- This will display the Application Browser. Click the 'View' link next to the application you wish to update.
- This will display the 'View Application' screen. Click the 'Permissions' tab.
- This will display a list of directories that are currently mapped to the application, and a set of permission check-boxes. Select a directory from the list on the left.
- The 'Permissions' check-boxes will change to show the application's existing permissions for that directory.
- To enable a directory permission, select the corresponding check-box.
- To disable a directory permission, deselect the corresponding check-box.
Screenshot: Setting directory permissions for an application
On the application permissions screen, the words '(disabled globally)' will appear next to any permission that is disabled at directory level.