Identity Group Mapping

Map your local directory groups into Agilicus AnyX to simplify configuration and maintenance.

When using on-site identity (e.g. Microsoft Active Directory), it is possible to directly map your directory groups to Agilicus AnyX groups. This allows for zero-touch configuration.

As an example, consider that you have a group in Active Directory called “Site 1 SCADA Admins”. You can map this to an Agilicus AnyX group as: “SCADA Admins”, “Site 1 SCADA Admins”, “SCADA Users”. The first would be via a regex sub-string extraction, the second via a direct mapping, and the third by a remapping.

You can also exclude groups. Exclusions have a higher preference, which allows you to “remap all except”.

You can configure the group mappings from the Onsite Identity overview screen using the action-button. These are on a per identity-provider basis.

It is helpful to pre-create the Agilicus Groups and have a list at hand.

Case 1: Simple 1:1 Map All Local Groups To AnyX Groups

There is a convenience button ‘MAP ALL GROUPS’. This will create a regular expression-based rule as:

INPUT GROUP: (.*)
OUTPUT GROUP: {0}
PRIORITY: 1

In this regular expression, the ‘dot’ matches any character, the ‘star’ matches any number of repetitions of the preceding character, and the ‘parentheses’ form a capture group, which is referred to by its 0-based position among the parenthesised groups. So ‘(.*)’ effectively means group 0 is “ALL”. The Output group ‘{0}’ means to use the value from the input group.

Case 2: Prefix Map

Let’s assume you want all input groups whose names match ‘scada-*’ to map into Agilicus AnyX groups. You would use:

INPUT GROUP: scada-(.*)
OUTPUT GROUP: {0}
PRIORITY: 1

This means an input group of scada-hmi-admins becomes an output group of hmi-admins.

Case 3: Remap

Let’s assume you have an input group called ‘BMS-operators’ and you want this replaced with ‘Building Managers’.

INPUT GROUP: BMS-operators
OUTPUT GROUP: Building Managers
PRIORITY: 1

In this case no regular expressions are used.

Priority

In some cases there will be multiple matches. The top priority one will be used.
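
To check what a rule set will produce before applying it, the following added example (not Agilicus code) evaluates the rules from Cases 1 to 3 against a constructed list of directory groups, including one group that a ‘MAP ALL GROUPS’ rule would otherwise carry over by name. Assumptions not stated on this page: patterns must match the whole group name, a lower PRIORITY number is the top priority, and exclusions are written as patterns; `Rule`, `map_group` and `preview` are hypothetical names.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    input_group: str   # regular expression for the directory group name
    output_group: str  # template; {0} is the first parenthesised group
    priority: int

def map_group(name, rules, excludes=()):
    """Return the mapped group name, or None if excluded or unmatched."""
    # Exclusions are checked first: the page gives them higher preference.
    if any(re.fullmatch(p, name) for p in excludes):
        return None
    # Assumption: lower number = top priority; ties keep list order.
    for rule in sorted(rules, key=lambda r: r.priority):
        m = re.fullmatch(rule.input_group, name)  # assumption: whole-name match
        if m is None:
            continue
        try:
            return rule.output_group.format(*m.groups())
        except IndexError:
            raise ValueError(f"{rule.output_group!r} uses a group that "
                             f"{rule.input_group!r} does not capture") from None
    return None

def preview(directory_groups, rules, excludes=()):
    """Map a list of directory groups; excluded/unmatched ones are omitted."""
    mapped = {}
    for g in directory_groups:
        out = map_group(g, rules, excludes)
        if out is not None:
            mapped[g] = out
    return mapped

# Constructed sample data: rules from Cases 1-3, with map-all as the fallback.
RULES = [
    Rule(r"(.*)", "{0}", 2),
    Rule(r"scada-(.*)", "{0}", 1),
    Rule(r"BMS-operators", "Building Managers", 1),
]
GROUPS = ["scada-hmi-admins", "BMS-operators", "Site 1 SCADA Admins", "Domain Admins"]

if __name__ == "__main__":
    for src, dst in preview(GROUPS, RULES, excludes=[r"Domain Admins"]).items():
        print(f"{src!r} -> {dst!r}")
```

Running `preview` once with and once without the exclusion list shows exactly which directory groups the map-all rule would bring across unchanged.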