This tab also has a function to suspend accounts based on rules.
Permission sets control which resources are accessible to your users and can be applied based on any attribute in your directory. For example, if your directory has an attribute that identifies whether someone is staff or a student, you can use that difference to assign different permission sets and control access.
When you add a new connection, there will already be one rule set up to assign any default permission sets to your local accounts, and this may be enough for your needs.
If you hover over the default permissions rule you will see an option to disable it if you do not want to assign default permission sets.
There are two other ways to specify permission sets: by rules and by attribute. Both can be used together, with and without also assigning default permission sets. Rules look at the values of attributes and make decisions based on those attributes, whilst a permission set attribute directly specifies the permission set name to use.
Before you start creating rules, you may like to discuss things with your IT team and get a list of the relevant attributes and typical values you will encounter from them. To add a rule:
When you want to assign a permission set when memberOf contains Visitor OR memberOf contains walk-in, specify both conditions and select "when any conditions are met".
When you want to assign a permission set only when memberOf contains Staff AND memberOf contains Teaching, specify both conditions and select "when all conditions are met".
To edit or remove a rule, move your mouse over it and select edit or remove.
Rules are removed as soon as you hit delete in the confirmation box, but editing (as with adding) requires you to save changes before they are applied.
To assign permission sets by attribute, you will need to store the permission set names (e.g. abc#students) against an attribute in your directory and then specify that attribute in the interface. This option is not available if you are mapping users to organisations.
The permission sets attribute is disabled by default, so you must first enable it. You can then use the edit button to specify the attribute:
On LDAP connections there is the usual typeahead to help you find the attribute. For ADFS connections you must again enter the claim name exactly.
Multi-valued attributes can be very useful here as they allow you to pass multiple permission set names and all values passed will be assigned. In Active Directory, the rarely used 'other' attributes may be useful (e.g. otherFacsimileTelephoneNumber, otherPager, etc).
Expired permission sets will still be assigned if they match any rule or are specified by attribute. It is recommended that you do not set expiry dates on permission sets.
When passing permission set names by attribute: if you pass a permission set name that does not exist in the same organisation as the user, it will not be applied and access may be affected. If you have an LDAP connection you can see these values by using the test mappings function.
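The following is an added illustration (not the product's own code) of how the rule evaluation described above (any/all conditions over a multi-valued memberOf) and the attribute-based assignment combine for one user. It assumes "contains" is a case-insensitive substring match, that names passed by attribute which do not exist in the user's organisation are rejected, and that expired sets are still assigned but reported; the directory records and permission set names are constructed samples.

```python
from dataclasses import dataclass


@dataclass
class Rule:
    """Assign permission_set when the 'attribute contains value' conditions hold."""
    permission_set: str
    conditions: list       # [(attribute, value), ...], each read as "attribute contains value"
    match: str = "any"     # "any": OR of the conditions; "all": AND, as in the interface


def _values(user, attribute):
    # Directory attributes may be multi-valued; normalise to a list of strings.
    raw = user.get(attribute, [])
    return [raw] if isinstance(raw, str) else list(raw)


def condition_holds(user, attribute, value):
    # Assumption: "contains" is a case-insensitive substring test over every value.
    return any(value.lower() in v.lower() for v in _values(user, attribute))


def rule_matches(rule, user):
    results = [condition_holds(user, a, v) for a, v in rule.conditions]
    return any(results) if rule.match == "any" else all(results)


def assign_permission_sets(user, rules, org_sets, defaults=(), attribute=None):
    """Return (assigned, rejected, expired) names. org_sets maps each permission set in
    the user's organisation to an expired flag; names passed by attribute that are not
    in org_sets are rejected, expired sets are still assigned but listed for review."""
    assigned = set(defaults)
    assigned.update(r.permission_set for r in rules if rule_matches(r, user))
    rejected = []
    if attribute:
        for name in _values(user, attribute):
            if name in org_sets:
                assigned.add(name)
            else:
                rejected.append(name)   # not applied; the user's access may be affected
    expired = sorted(n for n in assigned if org_sets.get(n, False))
    return sorted(assigned), rejected, expired


# Constructed sample data: the two rules from the text, an organisation's permission
# sets, and a walk-in student whose multi-valued otherPager attribute carries names.
RULES = [
    Rule("abc#visitors", [("memberOf", "Visitor"), ("memberOf", "walk-in")], "any"),
    Rule("abc#teaching", [("memberOf", "Staff"), ("memberOf", "Teaching")], "all"),
]
ORG_SETS = {"abc#default": False, "abc#students": False, "abc#visitors": True, "abc#teaching": False}
STUDENT = {"memberOf": ["CN=walk-in,OU=Groups,DC=example"], "otherPager": ["abc#students", "xyz#library"]}
```

Calling `assign_permission_sets(STUDENT, RULES, ORG_SETS, defaults=("abc#default",), attribute="otherPager")` assigns the default, the rule-matched visitor set and the attribute-supplied student set, rejects the name from another organisation, and flags the expired visitor set.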