This tab also has a function to suspend accounts base on rules.

Permission sets control which resources are accessible to your users and can be applied based on any attribute in your directory - for example if your directory has an attribute that identifies whether someone is staff or student in some way, you can use that difference to assign different permission sets and control access.

When you add a new connection, there will be one rule set up already to assign any default permission sets to your local accounts and this may be enough for your needs.

If you hover over the default permissions rule you will see an option to disable it if you do not want to assign default permission sets.

Additional ways to allocate permission sets

There are two other ways to specify permission sets: by rules and by attribute. Both can be used together, with and without also assigning default permission sets. Rules look at the values of attributes and make decisions based on those attributes, whilst a permission set attribute directly specifies the permission set name to use.

By rules

Before you start creating rules, you may like to discuss things with your IT team and get a list of the relevant attributes and typical values you will encounter from them. To add a rule:

  1. Click the add rule button

  2. Give it a name

  3. In the 'When' area:

    1. Enter the name of the attribute in your local source. Attribute names are case sensitive.

    2. Select your condition, e.g. contains, starts with

    3. Enter your comparison

    4. If you need to add other conditions, add additional lines with the plus button and specify if any or all conditions must be met as appropriate. You can add as many lines as you need to.

  4. Select the permission sets to apply. If you have a large number of sets you can start typing the name for a shorter list

  5. When happy, click done and set up any other rules. You can create as many rules as you need to.

  6. Use the save button when done and subsequent logins will use these new rules. (The save button is hidden whilst you are adding or editing rules)


When you want to assign a permission set when memberOf contains Visitor OR when memberOf contains walk-in you would specify both conditions and select when any conditions are met.

When you want to assign a permission set only when memberOf contains Staff AND when memberOf contains Teaching you would specify both conditions and select when all conditions are met.

Editing and removing rules

Move your mouse over the rule and select edit or remove.

Rules are removed as soon as you hit delete in the confirmation box, but editing (as with adding) requires you to save changes before they are applied.

Multi-value attributes and rules

By attribute

To assign rules by attribute, you will need to store the permission sets names (e.g. abc#students) against an attribute in your directory and then specify that attribute in the interface. This option is not available if you are mapping users to organisations.

The permission sets attribute is disabled by default, so you must first enable it. You can then use the edit button to specify the attribute:

On LDAP connections there is the usual typeahead to help you find the attribute. For ADFS connections you must again enter the claim name exactly.

Multi-valued attributes can be very useful here as they allow you to pass multiple permission set names and all values passed will be assigned. In Active Directory, the rarely used 'other' attributes may be useful (e.g. otherFacsimileTelephoneNumber, otherPager, etc).

Anything to watch out for?

Expired permission sets will still be assigned if they match any rule or are specified by attribute. It is recommended that you not set expiry dates on permission sets. 

When passing permission set names by attribute:  if you pass a permission set name that does not exist in the same organisation as the user, they will not be applied and access may be affected. If you have an LDAP connection you can see these values by using the test mappings function.