We added an external-facing LDAP server which HEAT has permission to view. It updates the employee records every night (that's the frequency we wanted).
I manually provision people with higher access, but we are going to add groups for the largest group, resolver, soon. That way it's just a role: put into this role, they will have the access the next day.
You can pull in AD Groups using something like this knowledge article on the support site: Issue and Resolution #16976
I have re-hosted the document for easy access.
Once you have the groups against the profiles, you could run a business rule or workflow to determine if someone gets a particular role. For example, the ChildFold command could cycle through the groups looking for specific values and, if one is found, run a Search and Link QA to add the role to the employee.
Thanks for the article. I was looking for something that could be run as part of the LDAP connector that is out of the box. The only way I can see doing that is to setup a sync for each group directory.
You cannot do it as part of the LDAP connector; it would be nice, however (raise it as a feature request, possibly). If there is a field in AD that you can use to determine the role a user should have, you can import that field and run a workflow or business rule against it.
Forgot to mention there is an app on the support portal app store to help integrate the cloud with on-premise AD. It's called the AD Client Utility.
I've seen that. On cursory view, however, it seems like it's a duplication of the cloud LDAP connector? Perhaps I don't understand its purpose.