EE: LDAP Group Sync to Roles
| Target release | Q1 2020 |
|---|---|
| Epic | |
| Edition | E20+ |
| Document status | 99% |
| Document owner | @Dennis Kittrell (Deactivated) |
| Designer | @Michael Gamble (Deactivated) |
| Tech lead | @Scott Bishel |
| Technical writers | @Justine Geffen (Deactivated) |
| QA | @Rohitesh Gupta (Deactivated) |
| OKR | Improve LDAP onboarding and user administration |
| Request (CR) | |
| Request (other) | |
| Design Spec | |
| Technical Spec | |
| Test Plan | |
Objective
Enable mapping roles to LDAP Groups from System Console > Groups > Group Configuration
Enabling group sync to roles adds much-needed functionality for LDAP Enterprise customers. With group sync to roles enabled, LDAP administrators can onboard users faster and more easily, and, most importantly, they gain tighter access control over content within their Mattermost server, because team and channel roles follow directory group membership instead of being assigned by hand.
Background
Customers using LDAP have been reluctant to sync users to Mattermost since the task of assigning roles and channels is a massive time sink.
Success metrics
| Goal | Metric |
|---|---|
| Increase efficiency of onboarding using LDAP | Increase usage of LDAP group sync by 20% |
User Scenarios
AD admin can use AD Groups to manage team/channel ownership.
Adds the ability to provide different permission schemes within a team/channel based upon group membership
Enables LDAP-based auditing procedures to remain unchanged
Customer can create a Mattermost Admin LDAP group that controls admin access
Assumptions
Phases & Milestones
Areas Touched
Team Hamburger Menu
Channel Hamburger Menu
Group Config/Profile Screen
Team Config Screen
Channel Config Screen
Chat-Facing Manage Members (both Team and Channel)
Disable individual role selection if LDAP sync is turned on and include a tool-tip explaining why
System Console Facing Manage Members
Disable individual role selection and include a tool-tip explaining why
Competitive Info
Spent a short time looking for this functionality in MS Teams
Slack has AD integration - but may not map roles [martin]
Requirements
| Requirement | User Story | Importance | Phase | Jira Issue | Notes |
|---|---|---|---|---|---|
| 1 | On the Group Profile/Group Configuration screen, create a “Team and Channel Membership” area that allows System Admins to sync all members of a group to specified teams and channels (including role assignment within those teams and channels). | HIGH | | | |
| 2 | Add the ability for the System Admin to map roles to specific groups from the Team Configuration screen. | | | | |
| 3 | From the chat-facing side, on both the team and channel hamburger menus, a new option “Manage Groups” will appear under “Manage Members”. | | | | |
| 4 | Mapping to server-scoped role: to be managed by a “System Admin” filter in LDAP (just as with guest accounts). | | | | |
| 5 | Investigate separating local sync from LDAP sync. | | | | |
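Requirement 4 relies on an LDAP filter rather than a UI mapping for the server-scoped System Admin role, mirroring the existing guest filter. The fragment below is an added illustration for this spec, not code from the page or from Mattermost; it uses Mattermost's `LdapSettings` keys (`GuestFilter`, `EnableAdminFilter`, `AdminFilter`) as they exist in config.json, while the hostname, base DN, service account and group DNs are made up for the example and `BindPassword` is omitted.

```json
{
  "LdapSettings": {
    "Enable": true,
    "EnableSync": true,
    "LdapServer": "ad.example.com",
    "LdapPort": 636,
    "ConnectionSecurity": "TLS",
    "BaseDN": "DC=example,DC=com",
    "BindUsername": "CN=svc-mattermost,OU=Service Accounts,DC=example,DC=com",
    "UserFilter": "(&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))",
    "GuestFilter": "(memberOf=CN=mattermost-guests,OU=Groups,DC=example,DC=com)",
    "EnableAdminFilter": true,
    "AdminFilter": "(memberOf:1.2.840.113556.1.4.1941:=CN=mattermost-admins,OU=Groups,DC=example,DC=com)"
  }
}
```

Two points a reviewer of this filter should check. First, a plain `memberOf=` comparison in Active Directory matches direct members only, so if `mattermost-admins` contains nested groups those users silently lose admin on the next sync; the `:1.2.840.113556.1.4.1941:` matching rule (LDAP_MATCHING_RULE_IN_CHAIN) in `AdminFilter` makes the match transitive, and `UserFilter` uses the bitwise rule `1.2.840.113556.1.4.803` to exclude disabled accounts (`userAccountControl` bit 2). Second, once this filter is live, whoever can edit membership of `mattermost-admins` in the directory effectively grants Mattermost System Admin, so that group's write ACL and its change auditing belong in the same review as this setting.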
Open Questions
| Question | Answer | Date Answered |
|---|---|---|
Out of Scope
Members list to be displayed after sync
Bots cannot be added to group-constrained channels (because bot accounts are user-created rather than sourced from LDAP)
A group is added to a channel with a specific role (e.g. channel admin) and the group is later removed from the channel: what happens to that channel?
When all groups are removed from a channel: could be solved with a zero user count on the team/channel pages
When this feature is turned on, we disable the ability to change an individual member’s role outside of LDAP, impacting User, Team and Channel management (both System Console and chat-facing)