On the Permission page you can restrict which of your Active Directory users are allowed to log in.

Permission options of Next ADI

Permissions

Authorize by group membership

This option authorizes only members of the given Active Directory security groups to gain access to WordPress. The authorization occurs after the authentication. If you disable this option, every Active Directory user below the Base DN can log in. The roles of the user are still defined by the Role equivalent groups.

Authorization group(s)

If you have enabled Authorize by group membership, you must provide the names of the Active Directory security groups which should have access to the WordPress instance. Only users who are members of one of the configured Active Directory security groups can log into the WordPress instance.

Role equivalent groups

Enter the names of the Active Directory security groups which correspond to WordPress’ roles. Every mapping has to be defined in its own row. A complete list of WordPress’ Roles and Capabilities can be found at: http://codex.wordpress.org/Roles_and_Capabilities (3.8 Capability vs. Role Table).

Please note that group memberships cannot be checked across multiple domains. Suppose you have two domains, A and B. A has a security group named A-1 and B has a security group named B-1. The user who wants to log in is a member of both domains. During the login only the first authenticated domain is used. Because of this, he is a member of A-1 but not B-1. Any Role equivalent group for B-1 will not be assigned.

Examples for this option

ad-group = wp-role

wordpressadmins = administrator
wordpressmoderator = editor
wordpressuser = contributor

If an Active Directory user is a member of multiple security groups and all of them are mapped to WordPress roles, the roles are accumulated. If the user belongs to the security groups Sales_SEC and Financial_SEC and the “Role equivalent group” contains the following configuration:

Sales_SEC = editor
Financial_SEC = author
Developer_SEC = administrator

then he belongs to the WordPress roles editor and author.

If you imported users from primary groups, for example “Domain Users” via “id:513”, you still have to enter the group name here.

Domain Users = editor

Clean existing Roles

If this option is enabled, all previously assigned WordPress roles are removed when the user is updated and the roles configured in “Role equivalent groups” are assigned.
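
The rules described above (group authorization, role accumulation, Clean existing Roles, and group lookup in the first authenticated domain only), modelled as an added Python example for auditing a configuration; this is not Next ADI code. The function and parameter names are hypothetical, and two points are assumptions rather than documented behaviour: group names are compared as exact strings, and with Clean existing Roles disabled the previously assigned roles are kept.

```python
# Added illustration: a model of the rules described on this page, not Next ADI code.

def parse_role_mapping(text):
    """Parse 'ad-group = wp-role' rows (one mapping per row) into (group, role) pairs."""
    pairs = []
    for row in text.splitlines():
        if not row.strip():
            continue
        group, sep, role = row.partition("=")
        if not sep or not group.strip() or not role.strip():
            raise ValueError(f"malformed mapping row: {row!r}")
        pairs.append((group.strip(), role.strip()))
    return pairs


def effective_roles(user_groups, mapping, existing_roles=(),
                    authorize_by_group=False, authorization_groups=(),
                    clean_existing_roles=False):
    """Return the set of WordPress roles after login, or None if login is refused.

    user_groups must hold only the groups of the first authenticated domain,
    because memberships are not checked across domains.
    """
    groups = set(user_groups)  # assumption: exact, case-sensitive name match
    # Authorization happens after authentication: one matching group is enough.
    if authorize_by_group and not groups & set(authorization_groups):
        return None
    # Roles of all matching rows are accumulated.
    mapped = {role for group, role in mapping if group in groups}
    # Assumption: with the option disabled, previously assigned roles are kept.
    kept = set() if clean_existing_roles else set(existing_roles)
    return kept | mapped


# Constructed sample configuration, using the group names from the examples above.
MAPPING = parse_role_mapping("""
Sales_SEC = editor
Financial_SEC = author
Developer_SEC = administrator
Domain Users = editor
""")

if __name__ == "__main__":
    member_of = {"Sales_SEC", "Financial_SEC"}
    print(effective_roles(member_of, MAPPING))
    # A user who left Developer_SEC keeps "administrator" unless roles are cleaned.
    print(effective_roles(member_of, MAPPING, existing_roles={"administrator"}))
    print(effective_roles(member_of, MAPPING, existing_roles={"administrator"},
                          clean_existing_roles=True))
```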

Defining Multisite “super admins”

WordPress has a special role called “super admin” which is only available in a Multisite environment. A Super Admin has access to the Multisite network administration and can do everything. Please note the following:

  1. As mentioned, the role super admin can only be assigned inside a Multisite environment.
  2. For security reasons, the role super admin can only be assigned in a profile configuration and not in a site configuration. You will see an error message if you try to assign the role inside a site configuration.
  3. After a user with the role “super admin” has been synchronized for the first time, he is added to the admin user list in WordPress Multisite.
Synchronized super admin inside the Multisite network user list