Importing group members from LDAP

GuardiumĀ® Insights allows you to populate groups by importing members from an LDAP connection. This topic describes how to do this.

Before you begin

By default, you must be assigned the Administrator role to be able to manage groups.
Important: If you have policy rules that use groups as rule conditions, modifying the groups by adding or removing members will result in reactivation of group members.

To open the Groups page, select Groups in the main menu. Open this menu by clicking the main menu icon (main menu)

Draft comment: jcalder@ca.ibm.com
  • (&(objectclass=person)(emailAddress=j*))
  • emailAddress

About this task

This topic describes how to import groups from an existing LDAP connection. You can import these groups when working with an individual group (after you have opened it).

Note: You cannot modify group members if the group has been imported from and kept in sync with Guardium or imported from and kept in sync with LDAP. In addition, you cannot import group members from a CSV file or LDAP connection to a parent group.

Procedure

  1. In the Groups page, determine which group you want to import to and then click on the group or select its checkbox and click Open.
  2. In the Members tab, click Add member > Import from LDAP.
  3. In the Import from LDAP wizard page, select the LDAP connection that you want to import from.
  4. If your LDAP requires authentication, you will be prompted to provide the bind password again.
  5. Select the import approach:
    • Import from LDAP on regular schedule: To import the group members on a regular basis, choose this radio button. When this is selected, the group synchronization takes place according to the Group synchronization schedule that you set in the Tenant settings.
    • Import once and decouple: Choose this if you want to import the group members only once.
  6. Click Next.
  7. In the Specify filter criteria page:
    1. Set the search filter scope. To search only the root of the LDAP server, select One level. To search subdirectories, select Sub-tree.
    2. Search filter: Enter the search filter string. For example, to search for people with email addresses that begin with the letter V, enter (&(objectclass=person)(emailAddress=V*)). To learn more about LDAP group member import filter options, see this topic.
    3. Set the Attribute to import as the group member. For example, you can set the emailAddress as the group member.
      Note: If you are importing to a tuple group, specify the attributes to import for each of the connection fields.
    4. To add a prefix to imported values, select the Add prefix to imported values checkbox. Then select the type of prefix to add.
      • If you specify Wildcard, the values will be prefixed with *.
      • If you specify String, the values will be prefixed with the string that you specify in the String to add as prefix field.
      • If you specify Advanced (bind values), you can select the group that contains bind values for the filter.
  8. Click Next.
  9. The Preview and import page provides a sample of the group members that will be imported. It also allows you to refine the group import as follows:
    • Maximum group members to import: Specify a number between 1 and 1,000,000 as the maximum number of group members to import.
    • If you want the import to be appended to the existing members in the group, select Append members from LDAP to the existing group members. If you want the import to replace all existing members in the group, select Clear the group and replace with the contents from the LDAP import.
  10. Click Import to import the members to the group.