Custom Role Filters


Roles are required to apply enforcements to the Users in the Keeper organization. By default the Role filter is blank: Active Directory group names are specific to each organization, so a default filter cannot be supplied. You will need to decide which Security Groups in Active Directory will be used as Roles. If all Security Groups are to be mapped as Roles, copying the default Team filter is an easy way to export all groups as Roles. This means the Admin will need to manage each group as a Role and each group as a Team. Maintaining many Roles can be unnecessary and time consuming for the Keeper Admin; in that case only one or a few Roles may be necessary.

Example mapping all Security Groups as Roles and excluding the specific groups Local Admins and Regional Admins.

(&
(objectclass=group)
(!(CN=Local Admins))
(!(CN=Regional Admins))
(|
(grouptype=-2147483640)
(grouptype=-2147483644)
(grouptype=-2147483646)
)
)

Example mapping only specific Security Groups as Roles. When including only specific groups, the groups to include (Keeper Admins and Keeper Users in this filter) are combined with an OR (|) operator.

(&
(objectclass=group)
(|
(CN=Keeper Admins)
(CN=Keeper Users)
)
(|
(grouptype=-2147483640)
(grouptype=-2147483644)
(grouptype=-2147483646)
)
)

An important rule with Role filtering: if a group the user is in is not exported, the user will still be exported, just not assigned to the Role.
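The two Role filters above, evaluated offline against a constructed set of groups. This is an added example, not Keeper's code: the evaluator is a minimal stand-in that understands only &, |, ! and equality tests, and the group Finance, the distribution group Marketing DL and the helper names are assumptions.

```python
def parse(text):
    """Parse an RFC 4515 filter limited to &, |, ! and equality tests."""
    s = "".join(line.strip() for line in text.splitlines())
    def node(i):  # s[i] is always "(" here
        if s[i + 1:i + 2] in ("&", "|", "!"):
            op, kids, i = s[i + 1], [], i + 2
            while s[i:i + 1] == "(":
                kid, i = node(i)
                kids.append(kid)
            if s[i:i + 1] != ")" or not kids:
                raise ValueError(f"malformed '{op}' clause at offset {i}")
            return (op, kids), i + 1
        end = s.index(")", i)
        attr, value = s[i + 1:end].split("=", 1)
        return ("=", attr.lower(), value.lower()), end + 1
    tree, end = node(0) if s.startswith("(") else (None, -1)
    if end != len(s):
        raise ValueError("filter is not a single parenthesised expression")
    return tree

def matches(tree, entry):
    """Evaluate a parsed filter against an entry (attribute -> list of values)."""
    if tree[0] == "=":
        return tree[2] in [str(v).lower() for v in entry.get(tree[1], [])]
    op, kids = tree
    if op == "!":
        return not matches(kids[0], entry)
    return (all if op == "&" else any)(matches(k, entry) for k in kids)

def exported(filter_text, entries):
    tree = parse(filter_text)
    return [e["cn"][0] for e in entries if matches(tree, e)]

SECURITY = "(|(grouptype=-2147483640)(grouptype=-2147483644)(grouptype=-2147483646))"
ROLE_EXCLUDE = "(&(objectclass=group)(!(CN=Local Admins))(!(CN=Regional Admins))" + SECURITY + ")"
ROLE_INCLUDE = "(&(objectclass=group)(|(CN=Keeper Admins)(CN=Keeper Users))" + SECURITY + ")"
# Constructed sample groups (cn, groupType); 8 is a universal distribution group.
GROUPS = [{"objectclass": ["top", "group"], "cn": [cn], "grouptype": [gt]}
          for cn, gt in [("Keeper Admins", -2147483646), ("Keeper Users", -2147483646),
                         ("Finance", -2147483644), ("Local Admins", -2147483644),
                         ("Regional Admins", -2147483640), ("Marketing DL", 8)]]

def assigned_roles(user_groups, role_filter):
    # The user is exported either way; only groups exported as Roles are assigned.
    roles = exported(role_filter, GROUPS)
    return [g for g in user_groups if g in roles]

if __name__ == "__main__":
    print(exported(ROLE_EXCLUDE, GROUPS), exported(ROLE_INCLUDE, GROUPS))
```

With the inclusive filter, a user whose groups are Finance and Keeper Users is assigned only the Keeper Users Role, which is the rule stated above. The three groupType values are the security-enabled universal, domain local and global group types, so Marketing DL is never exported as a Role.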

Custom Team Filters

Teams are required to share folders and records with other Users in the Keeper organization. By default the Team filter maps all security groups to Teams. Role and Team filters both act on security groups, so it is valid for some groups to be mapped as both a Role and a Team. For instance, an organization may have LA Admins and LA Users mapped as Roles and also have all security groups mapped as Teams. This would mean LA Admins and LA Users are also Teams. Since Role and Team filters both act on security groups, please refer to Custom Role Filters for custom filtering examples.

Custom User Filters

The User filter maps User objects in Active Directory. If the user is a member of a security group which is mapped as a Role or Team, the Bridge will invite the user and assign them to the Roles and Teams of which they are a member, based on the Active Directory group membership.

Example mapping all Users in Active Directory except specific users. User52 and User58 are excluded by Common Name.

(&
(objectclass=user)
(objectCategory=Person)
(!(cn=User52))
(!(cn=User58))
)

Example mapping only specific Users in Active Directory. User52 and User58 are included exclusively by Common Name.

(&
(objectclass=user)
(objectCategory=Person)
(|
(cn=User52)
(cn=User58)
)
)

Example mapping all Users in Active Directory which are part of specific groups. Members of the RDP Users and Console Users groups are included.

(&
(objectclass=user)
(objectCategory=Person)
(|
(memberOf=CN=RDP Users,OU=Office Users,DC=keeper,DC=local)
(memberOf=CN=Console Users,OU=Office Users,DC=keeper,DC=local)
)
)

Example mapping all Users in Active Directory except users which are part of specific groups. Members of the RDP Users and Office Admins groups are excluded.

(&
(objectclass=user)
(objectCategory=Person)
(!(memberOf=CN=RDP Users,OU=EDH Office Users,DC=keeper,DC=local))
(!(memberOf=CN=Office Admins,OU=EDH Office Users,DC=keeper,DC=local))
)

Example mapping only Users in Active Directory which are part of a specific group or any group nested below the specific group. Members of the RDP Users and Console Users groups are included, as are members of all sub groups of these two groups, due to use of the Active Directory OID (:1.2.840.113556.1.4.1941:).

(&
(objectclass=user)
(objectCategory=Person)
(|
(memberOf:1.2.840.113556.1.4.1941:=CN=RDP Users,OU=Office Users,DC=keeper,DC=local)
(memberOf:1.2.840.113556.1.4.1941:=CN=Console Users,OU=Office Users,DC=keeper,DC=local)
)
)
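What the OID changes, shown on constructed data. This is an added example, not part of the original page: the nested groups Helpdesk and Night Shift, the Printers group, User60 and User61 are hypothetical, and DNs are written in lower case so they can be compared directly.

```python
BASE = "ou=office users,dc=keeper,dc=local"
RDP, CONSOLE = f"cn=rdp users,{BASE}", f"cn=console users,{BASE}"

# Constructed nesting (hypothetical groups): group DN -> groups it is a member of.
GROUP_MEMBER_OF = {
    f"cn=helpdesk,{BASE}": [RDP],
    f"cn=night shift,{BASE}": [f"cn=helpdesk,{BASE}"],
    RDP: [f"cn=night shift,{BASE}"],  # circular nesting is possible
}

# Constructed users: name -> direct memberOf values.
USERS = {
    "User52": [RDP],
    "User58": [f"cn=night shift,{BASE}"],
    "User60": [CONSOLE],
    "User61": [f"cn=printers,{BASE}"],
}

def in_chain(direct, target, nesting=GROUP_MEMBER_OF):
    """True if target is reachable from the direct groups via memberOf links."""
    seen, stack = set(), list(direct)
    while stack:
        dn = stack.pop()
        if dn == target:
            return True
        if dn not in seen:  # guard against circular nesting
            seen.add(dn)
            stack.extend(nesting.get(dn, []))
    return False

def select(targets, nested):
    """Users matched by (|(memberOf=t)...) or, if nested, by the OID form."""
    hit = in_chain if nested else (lambda direct, t: t in direct)
    return sorted(u for u, direct in USERS.items()
                  if any(hit(direct, t) for t in targets))

if __name__ == "__main__":
    print("plain memberOf:", select([RDP, CONSOLE], nested=False))
    print("with OID      :", select([RDP, CONSOLE], nested=True))
```

User58 reaches RDP Users only through nested groups, so the plain memberOf filter misses that user and the OID form includes them. The same applies to exclusion: a plain negated memberOf clause does not exclude users who belong to the group only through a nested group.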

To map only users which are part of a specific OU, or to not map users who are in a specific OU, please refer to Node filter.

Preview Filter Results

The Preview option under the filter edit box will display the effective result of the filters defined, showing the Tree defined by the Node filter and the objects to be exported by the other filters within the tree structure. Teams always display regardless of the tree node selected. Roles and Users display based on their location in the tree. A total count of objects is also displayed below the tree structure. Selecting a Node, Role, Team or User will display the associated Active Directory properties for the object selected. This information is helpful to determine properties and property values that can be used to filter for the object.

Publish Changes

Once your configuration is complete, select Save to retain your current settings. Once all settings are complete, use Publish to push the changes live and activate the integration. Always preview after editing filters before publishing your changes to ensure the filter is implemented as intended.