Organisation mapping
It is possible to assign local connection users to sub-organisations instead of permission sets. You might want or need to do this if any of the following apply:
- You have sub-organisations with their own scopes so that they can subscribe to different content.
- You have offices or campuses in other locations that need local visibility of active users.
Advantages
Since sub-organisations cannot use their own local connections, this enables sub-organisations to have the advantages of local authentication whilst maintaining control over resource access and, where necessary, presenting different organisation identifiers to resources.
Limitations
Once enabled, every user needs to be assigned to a single organisation by the rules. Any user that the rules do not assign to an organisation will not be able to sign in. If the rules disagree about a user's organisation, then with a SAML connector the user is offered a choice of organisations; with any other type of connector the user will not be able to sign in.
How to assign users to organisations
Before you start creating rules, you may like to discuss things with your IT team and get a list of the relevant attributes and typical values you will encounter from them. Ideally there will be a single attribute to look at which will cover all conditions, but you can look at multiple attributes or have multiple rules.
- On the Management > Connections page, select the local connection you want to use.
- If you will have different people assigning permissions under the mapped organisations, add contact details on the contacts tab so that they know who to come to for help.
- At the bottom of the details tab, check the box to use organisation mapping instead of permission sets.
- Select the organisation tab.
Set up your mapping rules
- Click the add rule button.
- Give it a name.
- In the 'When' area:
  - Enter the name of the attribute in your local source. Attribute names are case sensitive.
  - Select your condition, e.g. contains, starts with.
  - Enter your comparison.
  - If you need to add other conditions, add additional lines with the plus button and specify whether any or all conditions must be met, as appropriate. You can add as many lines as you need to.
- Select the organisation to assign the user to when the condition is met. If you have a large number of organisations you can start typing the name for a shorter list. Having unique organisation names is an advantage.
- When happy, click done and set up any other rules you need. You can create as many rules as are necessary to map all users.
- Use the save button when done and subsequent logins will use these new rules. (The save button is hidden whilst you are adding or editing rules.)
From this point, this connection will assign users to organisations based on the rules so it is important that you set up rules to handle all users before you save changes.
It is ok if different rules map to the same organisation - there is only a problem if users get mapped to anything other than one single organisation.
Anything to watch out for?
If you want any users to appear directly under the domain organisation, they must be mapped there.
End users will receive an error message and no access if:
- Rules do not map them to any organisation
- Rules match them to more than one organisation
Where an attribute is multi-valued, such as memberOf, each value is evaluated separately against the match conditions, and if any one of the values meets the condition the organisation is assigned. Because of this, it is usually safer to avoid negative matches such as 'does not contain' when working with multi-valued attributes and stick with positive matches such as 'contains' or 'matches': a negative match will be true for any value that happens not to contain the comparison text, even when another value of the same attribute does.
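To make the rule evaluation described above concrete (the 'When' lines, any/all conditions, per-value matching of multi-valued attributes such as memberOf, and the one-organisation requirement), here is an added Python model for dry-running a rule set against sample users before saving it. It is not code from the product this page documents; the rule names, group values and outcome codes are constructed for illustration.

```python
# Added example (not the product's own code): a model of how organisation-mapping
# rules behave, for checking a rule set against sample users before saving.
# Rule names, attribute values and the sign-in outcome codes are constructed.

def _values(attrs, name):
    """Attribute names are case sensitive; multi-valued attributes give a list."""
    v = attrs.get(name, [])
    return v if isinstance(v, list) else [v]

def condition_met(attrs, attr, op, cmp):
    """Each value of a multi-valued attribute is tested on its own; ANY hit counts."""
    tests = {
        "matches": lambda v: v == cmp,
        "contains": lambda v: cmp in v,
        "starts with": lambda v: v.startswith(cmp),
        "does not contain": lambda v: cmp not in v,
    }
    return any(tests[op](v) for v in _values(attrs, attr))

def rule_matches(attrs, rule):
    """A rule fires when all (default) or any of its 'When' lines are met."""
    results = [condition_met(attrs, *line) for line in rule["when"]]
    return all(results) if rule.get("require", "all") == "all" else any(results)

def sign_in_outcome(attrs, rules, saml=False):
    """Exactly one organisation -> signed in; none or several -> refused
    (a SAML connector instead offers a choice when several match)."""
    orgs = sorted({r["organisation"] for r in rules if rule_matches(attrs, r)})
    if len(orgs) == 1:
        return ("ok", orgs[0])
    if not orgs:
        return ("refused", "no rule mapped the user")
    return ("choice", orgs) if saml else ("refused", "rules disagree: " + ", ".join(orgs))

# Constructed rule sets: NEGATIVE_RULES uses 'does not contain' on memberOf,
# POSITIVE_RULES maps the same organisations with positive matches only.
NEGATIVE_RULES = [
    {"name": "Medics", "when": [("memberOf", "contains", "OU=Medicine")], "organisation": "Medical School"},
    {"name": "Others", "when": [("memberOf", "does not contain", "OU=Medicine")], "organisation": "Main Campus"},
]
POSITIVE_RULES = [
    {"name": "Medics", "when": [("memberOf", "contains", "OU=Medicine")], "organisation": "Medical School"},
    {"name": "Others", "when": [("memberOf", "contains", "OU=Admin")], "organisation": "Main Campus"},
]

# A medic who is also in a general group: the 'does not contain' line is true
# for the second value, so NEGATIVE_RULES maps this user to two organisations.
MEDIC_IN_TWO_GROUPS = {"memberOf": ["CN=doctors,OU=Medicine,DC=example",
                                    "CN=all-staff,OU=Groups,DC=example"]}
```

Running `sign_in_outcome(MEDIC_IN_TWO_GROUPS, NEGATIVE_RULES)` reports a refusal because both organisations match, while the same user under `POSITIVE_RULES` is mapped only to Medical School.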
Permission set and suspend rules are organisation specific, so they need to be applied under each mapped organisation if you need anything other than all users getting the mapped organisation's default permission sets. The permission sets attribute option is not available.
How to handle users assigned to your organisation
If you manage a sub-organisation and users are mapped to you, you will see an inherited connection appear under Management > Connections.
Accessing this connection will allow you to define permission set assignment rules and account suspend rules for the users that are mapped to your organisation. See Permission set rules.