LDAP: Managing groups and user levels

The following properties are available for controlling group membership and/or user levels, and whether that control comes from the external identity provider or internal to NetX itself.

Property Description

This property is very similar to user.directory_auto_create_groups; however, this applies to any subsequent login other than the initial user login.  By default, groups sourced from the remote identity provider are synced at the time of login. If you do not want this behavior, please set this value to "false".

Please note: you can always add Groups in NetX manually, and add LDAP- or SAML-based Users to those NetX-based Groups. These Groups, and their User associations remain outside of this property; those associations are then always managed directly within NetX.

Value options: true / false


By default, Users gain a level at the time of their initial login. Any subsequent changes to their roles in the remote identity provider will not directly affect this User level designation. However, you can set this to true, in which case, these Users' levels will be reset based on either their role membership, or defaulting to the user.directory_auto_add_to_level value.

Please note: if directory.accept_role_changes is set to false, then this property is effectively disabled.

Value options: true / false


This property ONLY applies to SAML-based users, and NOT LDAP-based Users. Additionally, this property is secondary to user.directory_auto_add_to_level. That is, newly created SAML-based users will automatically enter as a Consumer with all the defaults in place; whereas LDAP-based users will not gain access without a Role-to-User-Level mapping (see below).

Warning: in cases of conflict, and positive value for user.directory_auto_add_to_level will override this property.

Value options: true / false


If this value corresponds to an existing Group in NetX, then newly created LDAP- or SAML-based Users will be added to the specified (NetX-based) Group.

Value options: Existing NetX group


For newly created users that do not have a specific level designation from a group membership (see Roles to Groups table below), such users will be set the level associated with this level. Please note that the default is -1, meaning no access. In this case, a user must bring a mapped role from the remote identity provider in order to gain access to the system. If you want to allow any authenticated user from the remote identity provider to gain access, then you must set this to the appropriate user level value (eg 2 for Consumer, see Roles to Groups table below for integer value equivalents). Also note that this behavior can continue to be enforced if user.directory_accept_level_changes is set to true (see below).

Value options: Numerical user level


By default, roles from the remote identity provider (via membership with users that login) are automatically created as Groups in NetX — and in this case, the logging in User is automatically linked to these Groups. However, if you do not want to inherit Groups from roles in the remote system, you can set this property to false. This property applies to users who first login. Please also see directory.accept_role_changes.

Value options: true / false

Roles to groups

Property Level value Group/Role name membership that sets the User to this Level
4 Producer
3 Importer
2 Consumer
1 Browser
9 Administrator
8 Director
7 Manager

Technical workflow

Below is a flowchart of the internal logic of how NetX processes LDAP and/or SAML based remote authentication, focusing on how (and when) Groups and user-levels are applied.

Was this article helpful?
0 out of 0 found this helpful