How to pre-map local accounts
Local connections such as LDAP and ADFS will, by default, assume that any account that gets past your own authentication is OK. Permission sets or suspend rules would then be applied.
Whilst this is usually sufficient, you may want or need to restrict access to a pre-selected set of users, e.g. where your directory cannot provide the data to drive a suspend rule. This is known as pre-mapping and is done in two steps:
- Change the connection setting to manual
- Upload the account identifiers
Doing it in this order is suggested, but not required.
Prerequisites
- A local connection has been set up and is working
- A list of user IDs to upload
Change the connection setting to manual
Go to the connections page (Management > Connections) and then select the local connection you are going to change.
There are two things to check:
- The unique user attribute - this must match the values you will be uploading later.
- The create local accounts setting at the bottom - change this from automatic to manual and then save.
From the moment you save, only users that have previously signed in will be able to gain access. Previously unseen users will be denied access until you complete the next step.
Make sure that at least one user has logged in before you change from automatic to manual.
Upload the account identifiers
Go to the list accounts page (Accounts > List) and select the tab for your local connection. This will only be visible if at least one user has logged in.
- Delete any existing local accounts that you do not want to have access
- Select the add mappings button
- Paste your list of account identifiers in the box, one per line
- Click the add button
To see your accounts in the list you will need to refresh the page and re-select your local connection.
You will see more details appear once the accounts have logged in.
Anything to watch out for?
Your unique user identifiers will need to be less than 1024 characters long.
Initially the uploaded unique identifier will appear as the display name in list views. This is updated once the account has logged in, when it will display the value in the display name attribute you specified on the connection.
When unlisted users are denied access, you will see organisation mapping errors in the reports interface.
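The upload box takes one identifier per line, and each must be less than 1024 characters long. The following pre-flight check for a list is an added example, not part of the product or its documentation; the function name, the sample values and the decision to warn on case-only differences (the page does not say whether matching is case sensitive) are assumptions.

```python
import unicodedata

MAX_LEN = 1024  # page: identifiers must be less than 1024 characters long


def check_identifiers(text):
    """Return (clean, problems) for a pasted one-per-line identifier list."""
    clean, problems = [], []
    exact, folded = {}, {}  # identifier / casefolded identifier -> first line
    for lineno, raw in enumerate(text.splitlines(), start=1):
        ident = raw.strip()
        if not ident:
            continue  # blank lines carry no identifier
        if ident != raw:
            problems.append((lineno, "surrounding whitespace removed"))
        if len(ident) >= MAX_LEN:
            problems.append((lineno, f"too long ({len(ident)} characters)"))
            continue
        # Control/format characters (e.g. a zero-width space) are invisible,
        # so the entry looks right but will not equal the directory value.
        if any(unicodedata.category(c) in ("Cc", "Cf") for c in ident):
            problems.append((lineno, "contains invisible characters"))
            continue
        if ident in exact:
            problems.append((lineno, f"duplicate of line {exact[ident]}"))
            continue
        key = ident.casefold()
        if key in folded:
            # Assumption: case sensitivity is unknown, so keep it and warn.
            problems.append((lineno, f"differs only by case from line {folded[key]}"))
        exact[ident] = lineno
        folded.setdefault(key, lineno)
        clean.append(ident)
    return clean, problems


# Constructed sample list; none of these values come from a real directory.
SAMPLE = (
    "alice@example.org\n bob@example.org \n\nalice@example.org\n"
    "Alice@example.org\ncarol\u200b@example.org\n" + "x" * 1024 + "\n"
)

if __name__ == "__main__":
    ok, issues = check_identifiers(SAMPLE)
    print("\n".join(ok))  # paste this output into the add mappings box
    for lineno, message in issues:
        print(f"line {lineno}: {message}")
```

Entries reported as invisible-character or too-long problems are left out of the cleaned list, so correct them at the source before uploading; an identifier that never matches the unique user attribute would leave that user denied access.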