Configure a Realm for User Group Restriction
This article discusses how to restrict realm access to members of one or more groups.
Discussion
To configure a realm for group restrictions, first navigate to the Data Store tab.
If your group information is stored in the Membership data store, configure the settings below:
Field | Value | Note |
---|---|---|
User Group Check Type | <Allow Access/Deny Access> | If Allow Access is selected, all users are denied access except those belonging to the groups specified in the User Groups field. If Deny Access is selected, all users are granted access except those belonging to the groups specified in the User Groups field. |
User Groups | <group1, group2, group3> | This field defines which groups in the data store are referenced. The format is <group><comma><space><group> (e.g. group1, group2). |
Groups Field | memberOf | This field determines which attribute in the data store is referenced for group membership. In environments using Microsoft Active Directory, the attribute is "memberOf" (case sensitive). |
Groups | memberOf | This field, located in the Profile Fields section, determines which attribute in the data store is referenced for group membership in a multiple user store environment. Under normal circumstances, the value entered should match the one specified under Membership Connection Strings --> Groups Field. |
If your group information is stored in the Profile data store, configure the following options:
Field | Value | Note |
---|---|---|
Allowed User Groups | <group1, group2, group3> | This field defines which groups in the data store are referenced. The format is <group><comma><space><group> (e.g. group1, group2). When this field is configured, all users are denied access except those belonging to the groups specified. |
Groups | memberOf | This field, located in the Profile Fields section, determines which attribute in the data store is referenced for group membership in a multiple user store environment. Under normal circumstances, the value entered should match the one specified under Membership Connection Strings --> Groups Field. |
Invalid Group Error
In newer versions of SecureAuth, there is a field titled Groups (reached through Data Store > Profile Fields > Groups) which must be populated for the Group Restrictions function to operate correctly. For customers with Active Directory data stores, this field should be set to memberOf (case-sensitive). If the field is not configured properly, users may receive an Invalid Group error message even when they are members of the appropriate access group(s).
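The following is an added illustration of the decision logic the tables above describe (Allow Access versus Deny Access over a comma-separated User Groups list, read from a case-sensitive Groups Field) and of how a misconfigured Groups field surfaces as the Invalid Group outcome. It is not SecureAuth's code; the function names, the reduction of an Active Directory DN to its CN, and the reason strings are assumptions made to keep the example self-contained.

```python
# Added illustration of realm group restriction; not SecureAuth code.
# Function names, DN handling and reason strings are assumptions.
from enum import Enum


class CheckType(Enum):
    ALLOW = "Allow Access"   # only the listed groups are admitted
    DENY = "Deny Access"     # everyone except the listed groups is admitted


def parse_group_list(value: str) -> list[str]:
    """Parse the '<group>, <group>' format used in the User Groups field."""
    return [g.strip() for g in value.split(",") if g.strip()]


def group_name(member_value: str) -> str:
    """Reduce a memberOf value to a group name.

    Assumption: an AD DN such as 'CN=group1,OU=Groups,DC=example,DC=com'
    names the group in its leading CN component; plain names pass through.
    """
    first = member_value.split(",", 1)[0]
    if first.upper().startswith("CN="):
        return first[3:]
    return member_value


def evaluate_access(check_type: CheckType, user_groups: str,
                    profile: dict[str, list[str]],
                    groups_field: str = "memberOf") -> tuple[bool, str]:
    """Return (allowed, reason) for one sign-in attempt.

    `profile` is the user's data-store record keyed by attribute name.
    The Groups Field lookup is case-sensitive, as the article states, so a
    realm configured with 'memberof' will not find the 'memberOf' attribute.
    """
    if groups_field not in profile:
        # Mirrors the Invalid Group outcome: membership cannot be read when
        # the Groups field is unpopulated or misspelled, so access is refused.
        return False, "Invalid Group: attribute %r not found" % groups_field
    configured = set(parse_group_list(user_groups))
    member_of = {group_name(v) for v in profile[groups_field]}
    matched = configured & member_of
    if check_type is CheckType.ALLOW:
        return (bool(matched), "member of an allowed group" if matched
                else "not in any allowed group")
    return (not matched, "not in any denied group" if not matched
            else "member of a denied group")
```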