EE: LDAP Group Sync to Roles

Target release: Q1 2020
Epic: https://mattermost.atlassian.net/browse/MM-19111
Edition: E20+
Document status: 99%
Document owner: @Dennis Kittrell (Deactivated)
Designer: @Michael Gamble (Deactivated)
Tech lead: @Scott Bishel
Technical writers: @Justine Geffen (Deactivated)
QA: @Rohitesh Gupta (Deactivated)
OKR: Improve LDAP onboarding and user administration
Request (CR): https://mattermost.atlassian.net/browse/CR-266
Request (other): (none)
Design Spec: Invision
Technical Spec: https://mattermost.atlassian.net/wiki/spaces/EN/pages/389185820
Test Plan: Test Plan - LDAP Group Sync to Roles

Objective

Enable mapping roles to LDAP Groups from System Console > Groups > Group Configuration

Enabling group sync to roles adds much-needed functionality for LDAP Enterprise customers. With group sync to roles enabled, LDAP administrators can onboard users faster and more easily, and, most importantly, they gain better access control over content within their MM server.

Background

Customers using LDAP have been reluctant to sync users to Mattermost since the task of assigning roles and channels is a massive time sink. 

Success metrics

Goal: Increase efficiency of onboarding using LDAP
Metric: Increase usage of LDAP group sync by 20%

User Scenarios

  • AD admin can use AD Groups to manage team/channel ownership. 

    • Adds the ability to provide different permission schemes within a team/channel based upon group membership

    • Enables LDAP-based auditing procedures to remain unchanged

  • Customer can create an MM Admin LDAP group that controls admin access

Assumptions

Phases & Milestones

Timeline chart (Oct 2019 to Dec 2019) with phases: Design, Develop, QA, Launch

iOS App

Android

Areas Touched

  • Team Hamburger Menu

  • Channel Hamburger Menu

  • Group Config/Profile Screen

  • Team Config Screen

  • Channel Config Screen

  • Chat-Facing Manage Members (both Team and Channel)

    • Disable individual role selection if LDAP sync is turned on and include a tool-tip explaining why

  • System Console Facing Manage Members

    • Disable individual role selection and include a tool-tip explaining why

Competitive Info

  • Spent a short time looking for this functionality in MS Teams

  • Slack has AD integration - but may not map roles [martin]

Requirements

Requirement 1 (Jira Issue: MM-20058, Importance: HIGH)

On the Group Profile/Group Configuration screen, create a “Team and Channel Membership” area that allows System Admins to sync all members of a group to specified teams and channels (including role assignment within those teams and channels).

Requirement 2 (Jira Issue: MM-20059)

Add the ability for the System Admin to map roles to specific groups from the Team Configuration screen.

  • From the Channel Configuration screen, under the Groups section, add a “Roles” column that enables System Admins to grant access to all members of a specific group.

  • Users list will be displayed on sync

Requirement 3 (Jira Issue: MM-20060)

On the chat-facing side, on both the team and channel hamburger menus, a new option “manage groups” will appear under “manage members”.

  • This will open a modal window with a list of all groups within that team or channel.

  • Each group can be mapped to roles (Member or Admin)

  • Groups can also be removed from the team/channel from this screen

  • Permissions remain the same: team and channel admins can add/remove groups from teams and channels

  • Note: Currently only removing groups is supported

Requirement 4 (Jira Issue: MM-20061)

Mapping to a server-scoped role: to be managed by a “System Admin” filter in LDAP (just as with guest accounts)

Requirement 5 (Jira Issue: MM-20000)

Investigate separating local sync from LDAP sync

Open Questions

Question | Answer | Date Answered

Out of Scope

  • Members list to be displayed after sync

  • Bots cannot be added to group constrained channels (because the accounts are user-created)

  • A group is added to a channel with a specific role (e.g. channel admin) and then the group is removed from the channel: what happens to that channel?

  • When all groups are removed from a channel: could be solved with a zero user count on team/channel pages

  • When this feature is turned on, we disable the ability to change an individual member’s role outside of LDAP, impacting User, Team and Channel management (both system console and chat-facing)