IAM Cloud Classifications are a simple way of roughly grouping your users in ways that are meaningful to your organisation. They are also important from a 'commercial' point of view, because you are only billed for 'classified' users. User objects such as archived or test accounts can exist in our system without being classified, but they're effectively dead accounts.
Classifications are created with basic conditional rules, described below. Every object in your Active Directory (AD) is compared against your classification rules and assigned to the first classification whose rules it matches (classifications are ordered).
Classifications power downstream features and processes within our products. These include automated licensing for Microsoft 365, access to federated applications, Password Reset, MFA, and identity provisioning.
Classifications, though simple, can be confusing initially. They can also stop users from being able to access services, or potentially delete their email inbox. As such, we suggest that you contact us first if you wish to start maintaining your own classifications. We will be able to walk you through creating classifications and advise you of the common pitfalls. We will use TeamViewer to show you, and if you have the classification rules ready as per below, we will even set up the classification with you.
To set up classifications you will need access to our admin portal (https://portal.iamcloud.net). They can be found under Identities in the menu.
A classification will need a name that defines which users will be part of that classification. Common examples are: Staff and Students, HR, Marketing, and Directors. You can have as many classifications as you require: you can break these down even further, for example, Year 10 students, Year 11 students, etc., or Probation Marketing, Full Marketing.
You then choose if this is an 'And' or an 'Or' classification. Users have to meet all of the rules for an And, but only one of the rules for an Or.
The rules can be based on almost any attribute on the object in AD, from Email to OU, Group Membership, and Extension Attributes. Select the chosen attribute from the list (you can enable Show Advanced Attributes for more options), then use the options to set how you want these to be compared.
Below are some examples of classifications. These have all been used by customers previously, though details have been changed.
- MemberOf = Year11
- Department = Sales
- OU = OU=Staff,DC=example,DC=ac,DC=uk
  - For OU: each sub-OU will also be classified unless it has its own classification with a higher priority (see Priority below).
- Mail is Present
- ObjectType = Group
You will also need to prioritise your classifications. By default, classifications are in the order of the date they were created. Your AD objects will be checked against priority 1, then classified if they meet the rules, and checked against the next classification if they don't. This goes on until all objects have been classified, or there are no more classifications to check.
Using the OU example from above, if you had classification 2 as the staff OU, and classification 3 as the retired OU inside the staff OU, then nobody would be classified as retired. You can either make sure the retired OU rule is above the staff OU, or you can add extra rules. If you added a rule to the staff classification that the account must not be disabled, and a rule to the retired staff classification that the account must be disabled, then the retirees would not be classified as staff.
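The first-match behaviour and the staff/retired OU case above, modelled as an added example (this is not IAM Cloud code). The operator names, the `disabled` field and the sample users are assumptions constructed for illustration.

```python
# Added example: a minimal model of ordered, first-match classification.
# Rule operators and field names are assumptions, not IAM Cloud's implementation.
STAFF_OU = "OU=Staff,DC=example,DC=ac,DC=uk"
RETIRED_OU = "OU=Retired," + STAFF_OU

def in_ou(dn, ou):
    """True if dn lies in ou or a sub-OU. Naive split: ignores escaped commas."""
    d = [p.strip().lower() for p in dn.split(",")]
    o = [p.strip().lower() for p in ou.split(",")]
    return len(d) > len(o) and d[-len(o):] == o

def rule_matches(rule, obj):
    attr, op, value = rule
    if op == "ou":
        return in_ou(obj["dn"], value)
    if op == "present":
        return bool(obj.get(attr))
    if op == "eq":
        return obj.get(attr) == value
    raise ValueError(f"unknown operator: {op}")

def classify(obj, classifications):
    """Name of the first classification, in priority order, that obj matches."""
    for name, mode, rules in classifications:
        combine = all if mode == "And" else any
        if combine(rule_matches(r, obj) for r in rules):
            return name
    return None  # unclassified: no rule set matched

def empty_classifications(objects, classifications):
    """Classifications that end up with no members for this set of objects."""
    hit = {classify(o, classifications) for o in objects}
    return [name for name, _, _ in classifications if name not in hit]

# Constructed sample objects.
USERS = [
    {"dn": "CN=Alice," + STAFF_OU, "disabled": False},
    {"dn": "CN=Bob," + RETIRED_OU, "disabled": True},
    {"dn": "CN=test1,OU=Test,DC=example,DC=ac,DC=uk", "disabled": False},
]
STAFF_FIRST = [("Staff", "And", [("dn", "ou", STAFF_OU)]),
               ("Retired", "And", [("dn", "ou", RETIRED_OU)])]
RETIRED_FIRST = list(reversed(STAFF_FIRST))
EXTRA_RULES = [("Staff", "And", [("dn", "ou", STAFF_OU), ("disabled", "eq", False)]),
               ("Retired", "And", [("dn", "ou", RETIRED_OU), ("disabled", "eq", True)])]

if __name__ == "__main__":
    for label, cs in [("staff first", STAFF_FIRST), ("retired first", RETIRED_FIRST),
                      ("extra rules", EXTRA_RULES)]:
        print(label, [classify(u, cs) for u in USERS], "empty:", empty_classifications(USERS, cs))
```

Running a proposed ordering through a model like this against an export of your directory shows which classifications would end up empty before the change is made.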
Changing, adding or removing classifications can cause significant downstream changes to the functionality set against existing classifications. In the worst-case scenario, a hasty classification change could mean certain users losing access to their applications or being given access to the wrong application. We recommend keeping classifications as simple as your business requirements allow. The more classifications you have, the more overhead there is in managing them, and the more complexity and risk there is in making future changes.
If you need any assistance please do not hesitate to contact us on firstname.lastname@example.org