From e232b6abeed61cf39f8f4d6dec210aa232250dfa Mon Sep 17 00:00:00 2001 From: "richard.gooding" Date: Wed, 27 May 2026 16:16:59 +0000 Subject: [PATCH] docs(ldap): clarify role resolution for users in multiple groups --- docs/authentication/ldap.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/docs/authentication/ldap.md b/docs/authentication/ldap.md index b38387a4e..777bee60e 100644 --- a/docs/authentication/ldap.md +++ b/docs/authentication/ldap.md @@ -62,6 +62,14 @@ For the above levels there are 4 role mappings which are required fields: - **backupAdminRole** : The user that has administration privileges to create and manage backups. Has read-only access to the rest of the AxonOps server pages and components. - **readOnlyRole** : A basic read-only role that cannot modify any configuration in AxonOps. +!!! info "Users in more than one group" + + Group memberships add up — they never cancel each other out. When a user belongs to several of the mapped groups, AxonOps grants them the **highest** level of access that any of those groups provides. + + - A user who is in both a read-only group and a superuser group is granted **superuser** access. + - Access granted at a broader scope still applies within narrower ones. A user with a `_global_` admin role plus a read-only role on a single cluster keeps **admin** access on that cluster. + - Permissions for different clusters are kept separate. A user who is an admin on one cluster and read-only on another keeps each level on its own cluster. + Distinguished Names that are used in the role mappings can comprise of the following parts which define hierarchical structure in a LDAP directory. - **CN** = Common Name
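Review bot: The "highest level of access" rule in the new admonition is not well defined for all four mapped roles: the page lists backupAdminRole as backup administration plus read-only elsewhere, which is neither strictly above nor below adminRole, so a reader cannot tell what a user in both an admin group and a backupAdmin group receives. Either state the precedence order explicitly (e.g. superuser > admin > backupAdmin > readOnly) or say that the effective permission set is the union of every matched group's permissions, whichever the implementation actually does. The `_global_` scope in the second bullet is also introduced here without pointing to where the scope syntax of the role mapping keys is documented; a cross-reference would help, since this additive rule is exactly the kind of thing an operator needs when auditing which LDAP groups can escalate a user to admin on a cluster.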