Managing LDAP users in groups

You can link a SOAR group to an LDAP group, which adds authorized members of the LDAP group to the SOAR group. However, the LDAP group membership is controlled by the Active Directory manager. Any changes to the LDAP group membership are reflected in the SOAR group membership.

The following example creates a group that is linked to an Incident Response Team LDAP group.

If a linked LDAP group contains authorized and unauthorized members, only the authorized members are shown and added to the SOAR group. To be an authorized member, the member must belong to the LDAP group that is authorized in the Organization tab.

If you edit a SOAR group that is linked to an LDAP group, you can remove the users that you explicitly added. However, you cannot remove those LDAP users who are part of the linked group. Instead, you must unlink the LDAP group.

Note: Make sure that all authorized members of a linked group log in to the SOAR Platform before you associate the group with any incidents. Members of a linked group who do not log in at least one time cannot receive email notifications.

Deleting LDAP users

You cannot delete an LDAP user directly from the SOAR Platform.

To remove an LDAP user, that user must first be removed from Active Directory. After the user is removed, unlink the user by using the resutil resetuser command and then delete the user from the SOAR Platform. If necessary, make sure to reassign any incidents that were assigned to the user.

To view the options for the resetuser command, enter the following command.

sudo resutil resetuser -help