Target release: Q1 2020

Epic: https://mattermost.atlassian.net/browse/MM-19111

Edition: E20+

Document status: 99%

Objective

Enable mapping roles to LDAP Groups from System Console > Groups > Group Configuration


Enabling group sync to roles will add much-needed functionality for LDAP Enterprise customers. With group sync to roles enabled, LDAP administrators can onboard users faster and more easily, but most importantly, they will be encouraged to maximize their usage/seat count.

Background

Customers using LDAP have been reluctant to sync users to Mattermost since the task of assigning roles and channels is a massive time sink. 

Success metrics

Goal: Increase efficiency of onboarding using LDAP

Metric: Increase usage of LDAP group sync by 20%

User Scenarios

  • AD admin can use AD Groups to manage team/channel ownership. 

    • Adds the ability to provide different permission schemes within a team/channel based upon group membership

    • Enables LDAP-based auditing procedures to remain unchanged

  • Customer can create a MM Admin LDAP group that controls admin access

Assumptions

Phases & Milestones

Oct 2019, Nov, Dec
Design
Develop
QA
Launch

iOS App

Android

Areas Touched

  • Team Hamburger Menu

  • Channel Hamburger Menu

  • Group Config/Profile Screen

  • Team Config Screen

  • Channel Config Screen

  • Chat-Facing Manage Members (both Team and Channel)

    • Disable individual role selection if LDAP sync is turned on and include a tool-tip explaining why

  • System Console Facing Manage Members

    • Disable individual role selection and include a tool-tip explaining why

Competitive Info

  • Spent a short time looking for this functionality in MS Teams

  • Slack has AD integration - but may not map roles [martin]

Requirements

Requirement

User Story

Importance

Phase

Jira Issue

Notes

1

On the Group Profile/Group Configuration screen, create a “Team and Channel Membership” area that allows System Admins to sync all members of a group to specified teams and channels (including role assignment within those teams and channels).

HIGH

MM-20058

2

Add the ability for the System Admin to map roles to specific groups from the Team Configuration screen.

  • From the Channel Configuration screen, under the Groups section, add a column for “Roles” that enables System Admins to grant access to all members of a specific group.

  • Users list will be displayed on sync

MM-20059

3

From the chat-facing side, on both the team and channel hamburger menus, a new option “manage groups” will appear under “manage members”.

  • This will open a modal window with a list of all groups within that team or channel. 

  • Each group can be mapped to roles (Member or admin)

  • Groups can also be removed from the team/channel from this screen

  • Permissions remain the same - team and channel admins can add/remove groups from teams and channels

  • Note: Currently only removing groups is supported

MM-20060

4

Mapping to a server-scoped role: to be managed by a “System Admin” filter in LDAP (just as with guest accounts)

MM-20061

5

Investigate separating local sync from LDAP sync

MM-20000

Open Questions

Question

Answer

Date Answered

Out of Scope

  • Members list to be displayed after sync

  • Bots cannot be added to group constrained channels (because the accounts are user-created)

  • A group is added to a channel with a specific role (e.g. channel admin), then the group is removed from the channel: what happens to that channel?

  • When all groups are removed from a channel: could be solved with zero user count on team/channel pages

  • When this feature is turned on, we disable the ability to change an individual member’s role outside of LDAP - Impacting User, Team and Channel management (both system console and chat-facing)
