Summary


Classifications are essential to your tenancy, as only classified users flow through our systems and into a federated application. Every object in your Active Directory (AD) is compared against your classification rules and assigned to the first classification whose rules the object meets.


Cloud Drive Mapper drives, licences for Office 365, access to federated apps, and other features like 'Known Password Reset' and 'Self-Service Password Reset' all work via classifications.




Setup


Classifications, though simple, can be confusing initially. They can also stop users from being able to access services, or potentially delete their email inbox. As such, we suggest that you contact us first if you wish to start maintaining your own classifications. We will walk you through creating classifications and advise you of the common pitfalls. We will use TeamViewer to show you and, if you have the classification rules ready as described below, we will even set up the classification with you.


To set up classifications you will need access to our admin portal (https://portal.iamcloud.com). Classifications can be found under Identities in the menu.


A classification will need a name that describes which users will be part of it. Common examples are Staff, Students, HR, Marketing, and Directors. You can have as many classifications as you require, and you can break these down further, for example Year 10 students, Year 11 students, etc., or Probation Marketing and Full Marketing.


You then choose whether this is an 'And' or an 'Or' classification. An object has to meet all of the rules of an And classification, but only one of the rules of an Or classification.


Rules

Rules can be based on almost any attribute of the object in AD, from email address and OU to group membership and extension attributes. Select the attribute from the list (enable Show Advanced Attributes for more options), then use the options to set how the attribute is compared.


Examples

Below are some examples of classifications. These have all been used by customers previously, though details have been changed.


  • MemberOf = Year11
  • Department = Sales
  • OU = OU=Staff,DC=example,DC=ac,DC=uk
    • For an OU rule, objects in each sub-OU will also be classified, unless the sub-OU has its own classification with a higher priority (see Priority below).
  • Mail is Present
  • ObjectType = Group


Priority

You will also need to prioritise your classifications. By default, classifications are in the order they were created. Each AD object is checked against priority 1 and, if it meets those rules, is classified there; otherwise it is checked against the next classification. This continues until the object is classified or there are no more classifications to check. An object that meets none of the rules is left unclassified and, as noted in the Summary, does not flow through to federated applications.


Using the OU example from above, if you had classification 2 as the Staff OU and classification 3 as the Retired OU inside the Staff OU, then nobody would be classified as Retired: every account in the Retired sub-OU also meets the Staff OU rule and is matched there first. You can either move the Retired OU rule above the Staff OU rule, or add extra rules. If you add a rule that the account must not be disabled to the Staff classification, and a rule that the account must be disabled to the Retired classification (and disable all retired staff accounts), then retirees will not be classified as Staff.
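To make the And/Or rules, the OU sub-OU behaviour and the priority order concrete, here is an added example written for this page; it is not IAM Cloud's code and the portal's internal matching may differ. It simulates first-match classification over a few constructed AD-like objects and reproduces the Staff/Retired pitfall together with both fixes. The operator names (equals, present, memberof, ou), attribute names, classification names and sample users are all assumptions for illustration.

```python
# Added example (not IAM Cloud's code): first-match, priority-ordered
# classification over constructed AD-like objects. All names are assumed.
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One comparison against a single AD attribute. Assumed operators:
    'equals' (case-insensitive), 'present', 'memberof' (group in memberOf list),
    'ou' (object is in this OU or any sub-OU of it)."""
    attribute: str
    operator: str
    value: Any = None


@dataclass(frozen=True)
class Classification:
    name: str
    match: str                 # 'And' = all rules must hold, 'Or' = any rule
    rules: Tuple[Rule, ...]    # note: a classification with no rules matches everything


def _norm(value: Any) -> str:
    return str(value).strip().lower()


def _rdns(dn: str) -> List[str]:
    # Naive split on commas: escaped commas inside an RDN value are not handled.
    return [_norm(part) for part in dn.split(",")]


def in_ou(dn: str, ou_dn: str) -> bool:
    """True if dn sits directly in ou_dn or in any sub-OU of it. Compared on
    whole RDNs, so OU=Staff does not match OU=ExStaff."""
    obj, ou = _rdns(dn), _rdns(ou_dn)
    return len(obj) > len(ou) and obj[-len(ou):] == ou


def rule_matches(obj: Dict[str, Any], rule: Rule) -> bool:
    val = obj.get(rule.attribute)
    if rule.operator == "present":
        return val not in (None, "", [], ())
    if val is None:
        return False                      # a missing attribute never matches
    if rule.operator == "equals":
        return _norm(val) == _norm(rule.value)
    if rule.operator == "memberof":       # memberOf is assumed to be a list of group names
        return any(_norm(g) == _norm(rule.value) for g in val)
    if rule.operator == "ou":
        return in_ou(val, rule.value)
    raise ValueError(f"unknown operator {rule.operator!r}")


def classify(obj: Dict[str, Any], classifications: List[Classification]) -> Optional[str]:
    """Name of the first classification (list index 0 = priority 1) whose rules
    the object meets, or None if it meets none of them."""
    for c in classifications:
        results = [rule_matches(obj, r) for r in c.rules]
        hit = all(results) if c.match == "And" else any(results)
        if hit:
            return c.name
    return None


def classify_all(objects: List[Dict[str, Any]], classifications: List[Classification]) -> Dict[str, Optional[str]]:
    return {o["name"]: classify(o, classifications) for o in objects}


def reclassified(objects, before, after) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Objects whose classification changes between two rule sets: these are the
    accounts that would lose or gain licences, drives or federated access."""
    changes = {}
    for o in objects:
        b, a = classify(o, before), classify(o, after)
        if b != a:
            changes[o["name"]] = (b, a)
    return changes


# --- constructed sample data (not real accounts) ------------------------------
BASE = "DC=example,DC=ac,DC=uk"
SAMPLE_OBJECTS = [
    {"name": "alice", "distinguishedName": f"CN=alice,OU=Staff,{BASE}",
     "mail": "alice@example.ac.uk", "memberOf": [], "enabled": True},
    {"name": "bob", "distinguishedName": f"CN=bob,OU=Retired,OU=Staff,{BASE}",
     "mail": "bob@example.ac.uk", "memberOf": [], "enabled": False},
    {"name": "carol", "distinguishedName": f"CN=carol,OU=Students,{BASE}",
     "mail": "carol@example.ac.uk", "memberOf": ["Year11"], "enabled": True},
    {"name": "svc-backup", "distinguishedName": f"CN=svc-backup,OU=Service,{BASE}",
     "memberOf": [], "enabled": True},          # no mail attribute at all
]

# 'Or': carol is matched by group membership even though the OU rule fails.
YEAR11 = Classification("Year 11", "Or", (Rule("memberOf", "memberof", "Year11"),
                                          Rule("distinguishedName", "ou", f"OU=Year11,OU=Students,{BASE}")))
STAFF = Classification("Staff", "And", (Rule("distinguishedName", "ou", f"OU=Staff,{BASE}"),))
RETIRED = Classification("Retired", "And", (Rule("distinguishedName", "ou", f"OU=Retired,OU=Staff,{BASE}"),))
MAIL_USERS = Classification("Mail users", "And", (Rule("mail", "present"),))

# Pitfall from the Priority section: Staff OU (priority 2) above the Retired sub-OU (priority 3).
PITFALL_ORDER = [YEAR11, STAFF, RETIRED, MAIL_USERS]
# Fix 1: move Retired above Staff.
FIXED_BY_ORDER = [YEAR11, RETIRED, STAFF, MAIL_USERS]
# Fix 2: keep the order but require enabled for Staff and disabled for Retired.
STAFF_ACTIVE = Classification("Staff", "And", STAFF.rules + (Rule("enabled", "equals", True),))
RETIRED_DISABLED = Classification("Retired", "And", RETIRED.rules + (Rule("enabled", "equals", False),))
FIXED_BY_RULES = [YEAR11, STAFF_ACTIVE, RETIRED_DISABLED, MAIL_USERS]

if __name__ == "__main__":
    for label, order in (("pitfall", PITFALL_ORDER), ("reordered", FIXED_BY_ORDER), ("extra rules", FIXED_BY_RULES)):
        print(label, classify_all(SAMPLE_OBJECTS, order))
    print("would be re-classified:", reclassified(SAMPLE_OBJECTS, PITFALL_ORDER, FIXED_BY_ORDER))
```

With the pitfall order, bob (in the Retired sub-OU) is classified as Staff; with either fix he becomes Retired, and the service account with no mail attribute stays unclassified throughout. The `reclassified` comparison is the dry run worth doing before you reorder or edit live rules, since the Warning section notes that any re-classified user loses the services tied to the old classification.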


Warning

Licensing, Cloud Drive Mapper and federated access are all currently not available for you to set up yourself. If you create classifications, any users that get re-classified will lose access to these services. Depending on the choices made during setup, this could mean that these users lose their email inbox. If you create new classifications, please make sure you also let us know what you want to be available for those classifications so we can set it up for you.