Child pages
  • Assign Active Directory groups automatically to users
Skip to end of metadata
Go to start of metadata


Very simple guide as to how to configure automated assignment of Active Directory groups to users in OpenIDM.


  1. An OpenIDM instance with the LDAP connector already configured to integrate with an Active Directory instance and return both Users & Groups.
  2. An existing mapping configuration that is tested and working.

1. Additional connector configuration

  1. Add the ldapGroups attribute to the connector Account schema. Excerpt from the provisioner can be found below along with screenshots:

    "ldapGroups" : {
                        "type" : "array",
                        "nativeType" : "string",
                        "nativeName" : "ldapGroups",
                        "required" : false,
                        "items" : {
                            "type" : "string",
                            "nativeType" : "string"

  2. Update the mapping to use the new ldapGroups attribute.

2. Create roles and assignment

  1. Create a new role for granting access to the group you want to assign:
  2. Go to the Managed Assignments tab. Select "Add Managed Assignments" and "Create New Assignment". Ensure the correct mapping is applied:

    3. Go to "Attributes" and select "ldapGroups". If you have done the prerequisites correctly you should be presented with a dropdown list of group to select from. Choose the group you want to assign and Save:

    4. Return to the role and ensure the assignment has been added:

3. Test the assignment

  1. Try granting the new role to a user in OpenIDM. Select a User and go to the "Provisioning Roles" tab. Select "Add Provisioning Role" and select the new role:
  2. If you examine the user in AD they should now be assigned to the group:
  • No labels