It is possible to assign local connection users to sub-organisations instead of permission sets. You might want or need to do this if any of the following apply:
Since sub-organisations cannot use their own local connections, this enables sub-organisations to have the advantages of local authentication whilst maintaining control over resource access and, where necessary, presenting different organisation identifiers to resources.
Once enabled, all users must be assigned to a single organisation by the rules. Any users that the rules do not assign to an organisation, or that are assigned to more than one organisation, will not be able to log in.
Before you start creating rules, you may like to discuss things with your IT team and get a list of the relevant attributes and typical values you will encounter from them. Ideally there will be a single attribute to look at which will cover all conditions, but you can look at multiple attributes or have multiple rules.
Set up your mapping rules
From this point, this connection will assign users to organisations based on the rules, so it is important that you set up rules to handle all users before you save changes.
It is OK if different rules map to the same organisation - there is only a problem if a user is mapped to anything other than exactly one organisation.
If you want any users to appear directly under the domain organisation, they must be mapped there.
End users will receive an error message and no access if:
Where attributes are multi-valued, such as memberOf, each value is evaluated against the match condition separately, and if any one of the values meets the condition the organisation is assigned. Because of this, it is usually safer to avoid negative matches such as 'does not contain' when working with multi-valued attributes and to stick with positive matches such as 'contains' or 'matches'.
Permission set and suspend rules are organisation specific, so they need to be applied under each mapped organisation if you need anything other than all users getting the mapped organisation's default permission sets. The permission sets attribute option is not available.
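The following is an added example, not code from the product: a small Python model of the any-value matching described above, which you could use to dry-run a rule set against sample users before saving. The rule fields, organisation names, group values and the treatment of a missing attribute are assumptions made for the illustration.

```python
# Added illustration of the matching behaviour described above; not the product's code.
# Rule fields, organisation names and user records are constructed for this example.
OPERATORS = {
    "contains": lambda value, operand: operand in value,
    "does not contain": lambda value, operand: operand not in value,
}

def rule_matches(rule, attributes):
    """True when ANY single value of the attribute meets the condition."""
    values = attributes.get(rule["attribute"], [])  # assumption: absent attribute never matches
    if isinstance(values, str):
        values = [values]
    test = OPERATORS[rule["operator"]]
    return any(test(v, rule["operand"]) for v in values)

def assign(rules, attributes):
    """Return (organisation, reason); organisation is None when login would be refused."""
    orgs = sorted({r["organisation"] for r in rules if rule_matches(r, attributes)})
    if len(orgs) == 1:
        return orgs[0], "ok"
    if not orgs:
        return None, "no rule assigned an organisation"
    return None, "assigned to more than one organisation: " + ", ".join(orgs)

def audit(rules, users):
    """Dry-run a rule set and list the sample users who could not log in."""
    return {name: reason for name, attrs in users.items()
            for org, reason in [assign(rules, attrs)] if org is None}

POSITIVE_RULES = [
    {"attribute": "memberOf", "operator": "contains",
     "operand": "CN=Medicine", "organisation": "Medical School"},
    {"attribute": "memberOf", "operator": "contains",
     "operand": "CN=Law", "organisation": "Law School"},
]
# Intended as "everyone outside Medicine goes to the domain", but the negative
# match is tested per value, so any other group a medic holds also satisfies it.
NEGATIVE_RULES = [
    POSITIVE_RULES[0],
    {"attribute": "memberOf", "operator": "does not contain",
     "operand": "CN=Medicine", "organisation": "Domain"},
]

MEDIC = {"memberOf": ["CN=Medicine,OU=Groups", "CN=AllStaff,OU=Groups"]}
LAWYER = {"memberOf": ["CN=Law,OU=Groups", "CN=AllStaff,OU=Groups"]}
UNMAPPED = {"memberOf": ["CN=AllStaff,OU=Groups"]}

if __name__ == "__main__":
    print(audit(NEGATIVE_RULES, {"medic": MEDIC, "lawyer": LAWYER}))
```

With the negative rule set, the medic matches both rules because their AllStaff value satisfies 'does not contain', so they end up in two organisations and would be refused.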
If you manage a sub-organisation and users are mapped to you, you will see an inherited connection appear under Management > Connections.
Accessing this connection will allow you tofor the users that are mapped to your organisation. See Permission set rules