# Authorizations rules

In this article, we will see how to define a **Rule** that automatically assigns an authorization to a user coming from an LDAP source.

{% hint style="info" %}
**Reminder**

* A **Rule** is the combination of **Criteria** and **Actions**: the actions are triggered if the criteria are met.

* A rule is defined by its logical operator: **AND** or **OR**.
  * **`AND`** = All criteria must be met
  * **`OR`** = One of the criteria must be met

* The rules engine for entitlements runs ALL rules, so pay attention to their consistency and order.
  {% endhint %}

* To define a rule, go to the menu **`Administration`** > **`Rules`** > **`Rules for assigning authorizations to a user`**.

* Add a new rule by clicking on **`add`**.

## Criteria

You must define one or more criteria. In our case, we need to select the LDAP criteria.

GLPI allows you to select multiple LDAP attributes, for example:

* **`MemberOf`**;
* **`Email`**;
* **`TelephoneNumber`**;
* **`User ID`**;
* **`Common Name`**;
* etc.

Once your criterion has been selected, you must define **how** GLPI should evaluate it by choosing an **operator**, for example:

* **`is`**;
* **`contains`**;
* **`finished by`**;
* **`exists`**;
* **`does not exist`**;
* etc.

Let's take a specific case. I want to establish a rule for my users who are members of a group containing the term SECURITY in its name.

* My criterion will therefore be **`MemberOf`** and the operator will be **`contains`**.
* Then I enter the value of my criterion. Here it will be **`SECURITY`**.

![Alt text](/files/BGICIfEF9EMIoEUEkgaN)

## Actions

Reminder:

An **authorization** is the combination of the following three concepts:

* User;
* Profile;
* Entity.

**Example**:

| User | Profile    | Entity         |
| ---- | ---------- | -------------- |
| John | Technician | Infrastructure |

Translated into an authorization rule:

* **`Criteria`** = User
* **`Actions`** = Entity + Profile

Now that our criteria are defined, we can create the actions. At least two are necessary: one to assign a profile and one to assign an entity.

![Alt text](/files/lP5S5paJ1ZcGukR4E2XO)

GLPI also allows you to set other fields or the user's status, for example:

* **`Active`** (yes or no);
* **`Recursive`** (yes or no);
* **`Default entity`**;
* etc.

At this point, our rule is functional.

Users with **`SECURITY`** in their **`MemberOf`** attribute will be **`Technician`** in the **`Infrastructure`** entity.

{% hint style="success" %}
**Good to know**

The rule will be applied when users log in or at each LDAP synchronization with GLPI.
{% endhint %}
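
As an added example (not GLPI's own code), the following Python sketch models the rule built above to check which directory groups a `contains SECURITY` criterion would actually match before the rule is enabled. The user names, group DNs and helper functions are constructed for illustration, and case-insensitive matching is an assumption of the model.

```python
# Simplified model of the rule engine described on this page (not GLPI code).
# Case-insensitive matching is an assumption of this model.
OPERATORS = {
    "is": lambda value, pattern: value.lower() == pattern.lower(),
    "contains": lambda value, pattern: pattern.lower() in value.lower(),
    "finished by": lambda value, pattern: value.lower().endswith(pattern.lower()),
}

def criterion_met(user, attribute, operator, pattern):
    # MemberOf is multi-valued: the criterion is met if any value matches.
    return any(OPERATORS[operator](v, pattern) for v in user.get(attribute, []))

def rule_matches(user, rule):
    # AND = all criteria must be met, OR = one of the criteria must be met.
    results = [criterion_met(user, *c) for c in rule["criteria"]]
    return all(results) if rule["match"] == "AND" else any(results)

def authorizations(user, rules):
    # All rules are run; every matching rule adds a (profile, entity) pair.
    return [(r["profile"], r["entity"]) for r in rules if rule_matches(user, r)]

# Constructed sample directory (hypothetical users and group DNs).
BASE = "OU=Groups,DC=example,DC=org"
USERS = {
    "alice": {"MemberOf": [f"CN=SECURITY-OPS,{BASE}"]},
    "bob": {"MemberOf": [f"CN=PHYSICAL-SECURITY-BADGES,{BASE}"]},
    "carol": {"MemberOf": ["CN=Helpdesk,OU=SECURITY,DC=example,DC=org"]},
    "dave": {"MemberOf": [f"CN=Sales,{BASE}"]},
}

# The rule from the page, and a stricter variant that pins the full group DN.
BROAD = {"match": "AND", "profile": "Technician", "entity": "Infrastructure",
         "criteria": [("MemberOf", "contains", "SECURITY")]}
STRICT = {"match": "AND", "profile": "Technician", "entity": "Infrastructure",
          "criteria": [("MemberOf", "is", f"CN=SECURITY-OPS,{BASE}")]}

def granted(rule):
    # Names of the sample users who would receive the rule's authorization.
    return sorted(n for n, u in USERS.items() if authorizations(u, [rule]))

if __name__ == "__main__":
    print("contains SECURITY:", granted(BROAD))
    print("is <full DN>:     ", granted(STRICT))
    print("unintended:       ", sorted(set(granted(BROAD)) - set(granted(STRICT))))
```

Because `contains` is evaluated against the whole `MemberOf` value, a group whose name or OU path merely includes the term also satisfies the criterion. Running the model over the group DNs exported from your own directory shows this before the rule grants a profile.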

## References

[GLPI documentation: "Users profiles"](https://glpi-user-documentation.readthedocs.io/fr/latest/modules/administration/profiles/profiles.html#administration)
