Overview

There are two main concepts when dealing with LDAP groups:

Ensuring group membership when importing remote Users
Controlling the groups which will be imported and used by Datameer

Enforcing Group Membership

To enforce that users are a direct member of specific group (or groups) you can configure this under the Query Options section of the Authentication configuration page:

Enter fully qualified Distinguished Names (DN) for each group, one per line. After correctly configuring this, Datameer X only accepts users with direct group membership in any of these groups. Using this query option doesn't limit the global groups coming in to Datameer X but only enforces membership. That means for each qualifying user Datameer X still imports all of its remote groups into Datameer.

As an example, given the following remote User/Group setup and assuming the group names are actually full DNs such as CN=Finance,OU=EMEA,DC=example,DC=com:

User	Groups
adam	DasUsers,IT,Finance,SomeOtherGroup
bob	DasUsers,IT,Finance,Executives
chris	DasUsers,SomeOtherGroup
david	DasUsers,Finance,SomeOtherGroup
eric	BusinessAnalysts,SomeOtherGroup
frank	IT,Finance,SomeOtherGroup

Configuring the Groups section of Query Options with the DN of DasUsers results in the following users being available for import:

adam
bob
chris
david

If all available users are imported, the following groups are imported into Datameer X

DasUsers
IT
Finance
SomeOtherGroup
Executives

Note that only members of DasUsers are available to import.

Controlling Available Groups

In addition to enforcing group membership, Datameer X also provides the ability to control what groups from the remote system are imported when users are added to the system. This gives the administrator the ability to exclude extraneous groups which might be pulled into the system. In addition to excluding groups, Datameer X supports only including certain groups. This allows the administrator to control what groups are available to use for the sharing features of Datameer. This can be especially important when using Secure Impersonation, for example.

This group filtering is setup using the Group Filtering section of the Authentication administration page:

The rules for this configuration are as follows:

Filter expression are Java regular expression patterns which are applied to the group's name.
In either the Include These Groups or Exclude These Groups fields, enter one filter expression per line.
If a group matches an exclude filter expression, that group is explicitly excluded from Datameer.
When there are no include filters, then all groups are included, except those explicitly excluded.
With any include patterns specified, only groups matching one of the patterns and not explicitly excluded are available.
Selecting Ignore Case enables a case insensitive matching.

By way of example, given the same user set as above, you could specify the following filters

Include These Groups	<EMPTY>
Exclude These Groups	SomeOtherGroup

After importing all available users, the Datameer X User/Group setup is:

User	Groups
adam	DasUsers,IT,Finance
bob	DasUsers,IT,Finance,Executives
chris	DasUsers
david	DasUsers,Finance
eric	BusinessAnalysts
frank	IT,Finance

If You want to include a specific set of groups and pull in remote groups you don't care about, you could set it up as follows:

Include These Groups

IT

Finance

BusinessAnalyst

Exclude These Groups

<EMPTY>

The following results occur after importing all users:

User	Groups
adam	IT,Finance
bob	IT,Finance
david	Finance
eric	BusinessAnalysts
frank	IT,Finance

Notice chris hasn't been imported. This is to demonstrate that after performing the filtering, if a user has NO groups, then this user isn't available for Datameer. To avoid this, you can set a configuration variable which adds these users to a default group.

Combining the Above Methods

These two group filtering mechanisms can be combined to support the following requirements:

You have a group that defines the set of users you want to access Datameer.
You don't actually want to import that group into Datameer X since it is really only a meta-group.
You have a few groups that you want to include in Datameer X for sharing purposes.

To achieve this, you can set up the DasUsers group membership filter in Groups under Query Options.

And under Group Filters you configure the following:

Include These Group	<EMPTY>
Exclude These Groups	SomeOtherGroup

This way, you can enforce membership in the group DasUsers, but not import that group into Datameer. You also exclude SomeOtherGroup for demonstration purposes. The results from importing all available users using this configuration:

User	Groups
adam	IT,Finance
bob	IT,Finance,Executives
david	Finance
eric	BusinessAnalysts
frank	IT,Finance

Browser not supported