Default Security Domain Mappings

Document created by RSA Information Design and Development on Jun 13, 2017Last modified by RSA Information Design and Development on Jun 13, 2017
Version 2Show Document
  • View in full screen mode

By default, the system places all users from an external LDAP identity source in the top-level security domain. Configuring security domain mappings allows you to override the default behavior so that the system places users from a particular LDAP identity source, or from a specific organizational unit within the identity source, into a specific security domain.

For example, if you want to map the users in your sales force to the “Corporate” security domain and your salespeople are stored in your LDAP directory under “ou=sales,dc=example,dc=com” then you can create a mapping between the security domain named “Corporate” and “ou=sales,dc=example,dc=com” distinguished name (DN). After the mapping is created, users in the sales ou appear as being managed by the “Corporate” security domain instead of the top-level security domain.

Consider the following:

  • When no security domain mappings exist, the system adds users to the top-level security domain.

  • When multiple security domain mappings exist, the system applies the most specific mapping to a new user record.

    For example, suppose there are two mappings for users in the external identity source based on ou=sales and ou=commercial,ou=sales. A user in ou=commercial,ou=sales is created using the rule for ou=commercial,ou=sales, but a user in ou=retail,ou=sales is created using the rule for ou=sales.

  • Security domain mappings are applied only to users who have never been managed in the deployment.

    • Prior to configuring security domain mapping, if an administrator performs an administrative action that affects a user, for example, enabling the user for on-demand authentication, that user is added to the top-level security domain.

    • After mapping, previously managed users remain in the security domain to which they currently belong. You must use the Security Console to move the users to another security domain manually. Updating the default security domain mappings for an identity source does not move all users in that identity source to the updated security domain.

  • Delegated administration is enhanced by default security domain mappings. The mappings add users to security domains that are managed by specific administrators whose scope is restricted to the security domain. In this way, only administrators with the correct scope are allowed to manage users, and there is no need for a Super Admin to add the users to the security domain manually.

  • Each security domain mapping points to a distinguished name in the external identity source, and the mapping applies to all objects within the DN except when a more specific mapping exists.