Yes, Zammad will update users' roles according to the LDAP sync. You can create many security groups to add/fix this issue via AD, if I understand your question right.
Yes, Zammad does update users' roles according to the LDAP sync for the defined associations, which is great. But it also resets the role assignments of other roles which are not associated with AD security groups - which is not desirable.
Here is an example:
Defined roles: Agent, Mitarbeiter, External, SomeOtherRole
LDAP sync: see above (only for Agent and Mitarbeiter)
Let’s say User1 is assigned to the role External and User2 is assigned to the role SomeOtherRole.
After the LDAP sync both do not have that role anymore - no matter whether User1 and User2 are Agent or Mitarbeiter or none.
If you have a user that has 1 role in the LDAP sync and 1 role not, then LDAP will of course reset to what LDAP has.
You will need to create an LDAP SG also for the roles missing in the LDAP sync.
I understand you want LDAP to only enable roles which you have set up under LDAP and leave roles you have manually assigned directly to the user. You would need to change your request to an enhancement request, but for me personally this could get messy very quickly, especially if you want to limit a role assignment: you have to go over all the attached users/customers and revoke it one by one.
I guess I have to rethink my distribution of roles and groups.
Too bad membership of Groups and Organizations cannot be synced through LDAP.
That would be helpful to organize the users of our departments and their corresponding helpdesk agents.
Or is that hidden somewhere where I haven’t looked yet?
Not sure what you mean there. I have organizational groups set up in AD, and then in the Zammad LDAP integration you assign them to Zammad roles, which then are configured according to Zammad groups and access.
As for Organizations, you can use the setup within Zammad to assign automatically using the “Domain based assignment”, but if you want many organizations from the same Domain, you would need to submit an enhancement request to automate this, I guess.
if you want many organizations from the same Domain
Yes. We have only internal “customers” but from multiple departments. I’d like to group them into separate organizations. For the agents, reporting etc.
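An added example, not written by anyone in this thread and not Zammad code: a small Ruby model of the sync behaviour described above (role assignments not backed by a mapped LDAP group are reset), used to list before a sync which assignments would be lost and which roles still need an AD security group. The group DNs, user records and function names are constructed for illustration.

```ruby
require 'set'

# Constructed mapping: LDAP group DN (lowercased) => Zammad role.
# Only Agent and Mitarbeiter are mapped, as in the thread's example.
ROLE_MAPPING = {
  'cn=zammad-agents,ou=groups,dc=example,dc=com' => 'Agent',
  'cn=zammad-staff,ou=groups,dc=example,dc=com'  => 'Mitarbeiter'
}.freeze

AGENTS = 'CN=zammad-agents,OU=Groups,DC=example,DC=com'
STAFF  = 'CN=zammad-staff,OU=Groups,DC=example,DC=com'

# Constructed users: current Zammad roles plus LDAP group memberships.
USERS = [
  { login: 'user1', roles: %w[Agent External],    ldap_groups: [AGENTS] },
  { login: 'user2', roles: %w[SomeOtherRole],     ldap_groups: [] },
  { login: 'user3', roles: %w[Agent Mitarbeiter], ldap_groups: [STAFF] },
  { login: 'user4', roles: %w[Mitarbeiter],       ldap_groups: [STAFF] }
].freeze

# For each user, the role assignments that are not backed by LDAP and
# would therefore be reset, split by cause.
def sync_audit(users, mapping)
  managed = mapping.values.to_set
  users.filter_map do |u|
    # DNs are compared case-insensitively.
    from_ldap = u[:ldap_groups].filter_map { |dn| mapping[dn.downcase] }.to_set
    lost = u[:roles].to_set - from_ldap
    next if lost.empty?

    { login: u[:login],
      lost_unmapped:   (lost - managed).to_a.sort,  # role has no LDAP group at all
      lost_not_member: (lost & managed).to_a.sort } # mapped role, user not in the group
  end
end

# Roles in use that have no security group mapped yet.
def roles_needing_group(users, mapping)
  (users.flat_map { |u| u[:roles] }.to_set - mapping.values.to_set).to_a.sort
end

sync_audit(USERS, ROLE_MAPPING).each { |row| puts row.inspect }
puts "Roles without an LDAP group: #{roles_needing_group(USERS, ROLE_MAPPING).join(', ')}"
```

Roles listed under `lost_unmapped` are the ones that need their own security group; `lost_not_member` points at users who hold a mapped role in Zammad without the matching AD membership.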