How Group Roles Apply to Active Directory, LDAP

To use either Active Directory or Lightweight Directory Access Protocol (LDAP), you must associate group names with array user roles. You can only assign one role to each group. The role can be:

  • Administrator
  • PowerUser
  • Operator
  • Guest

If a user belongs to a group that is not associated with a role or if the group is disabled, the user will not be able to log in to the array.

When a user belongs to multiple groups, the role mapping differs depending on the service being used:
  • Active Directory: The most restrictive role is used. This is the role with the fewest privileges.
  • LDAP: The most permissive role is used. This role has the most permissions. Having the most permissions helps ensure backward compatibility.
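
The multiple-group rule above can be checked offline before changing group mappings or switching directory services. The following is an added example, not code from the array or its vendor. It assumes the four roles run from Guest (fewest privileges) to Administrator (most), and that unmapped or disabled groups contribute no role, so login is denied only when no usable group remains; all group and user names are constructed.

```python
# Added example (not vendor code): effective array role for a directory user.
# Assumption: roles are ordered here from least to most privileged.
ROLES = ["Guest", "Operator", "PowerUser", "Administrator"]
RANK = {name: i for i, name in enumerate(ROLES)}

def effective_role(service, user_groups, group_map):
    """Return the role the user logs in with, or None if login is denied.

    group_map maps group name -> (role, enabled).
    Assumption: groups without a role mapping, and disabled groups,
    contribute nothing; login is denied when no usable group remains.
    """
    if service not in ("AD", "LDAP"):
        raise ValueError("service must be 'AD' or 'LDAP'")
    roles = [group_map[g][0] for g in user_groups
             if g in group_map and group_map[g][1]]
    if not roles:
        return None
    # Active Directory: most restrictive role. LDAP: most permissive role.
    pick = min if service == "AD" else max
    return pick(roles, key=RANK.__getitem__)

def role_drift(memberships, group_map):
    """Users whose effective role differs between AD and LDAP evaluation."""
    drift = {}
    for user, groups in memberships.items():
        ad = effective_role("AD", groups, group_map)
        ldap = effective_role("LDAP", groups, group_map)
        if ad != ldap:
            drift[user] = (ad, ldap)
    return drift

# Constructed sample data (hypothetical group and user names).
GROUP_MAP = {
    "storage-admins": ("Administrator", True),
    "storage-ops": ("Operator", True),
    "auditors": ("Guest", True),
    "legacy-admins": ("Administrator", False),  # disabled group
}
MEMBERSHIPS = {
    "alice": ["storage-admins", "auditors"],
    "bob": ["storage-ops", "legacy-admins"],
    "carol": ["helpdesk"],  # no mapped group
}

if __name__ == "__main__":
    for user, groups in MEMBERSHIPS.items():
        print(user, effective_role("AD", groups, GROUP_MAP),
              effective_role("LDAP", groups, GROUP_MAP))
    print("drift:", role_drift(MEMBERSHIPS, GROUP_MAP))
```

Any user reported by `role_drift` would hold a different role if the same memberships were evaluated under the other service, which is worth reviewing before a migration.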

When an administrator changes the role-based access control (RBAC) rules for a group, those revised roles apply the next time a user logs in. If a user is currently logged in, the revised roles apply the next time the user performs an operation.