Roles through Active Directory

As you remember from the previous chapter there are two kinds of roles in Congrid:

  • Company wide roles (applied for all projects of the company)
  • Project specific roles (only applied for a particular project)

These roles can also be configured through active directory. This allows a company to utilize their existing project groups and AD configuration to automatically grant different user rights to Congrid.

This is how the AD to role mapping works in practise: Each role in Congrid can have a list of AD groups associated with it. If the user belongs to any of those AD groups she will be automatically granted the corresponding roles in Congrid. The AD groups of the user are checked against the role configuration in Congrid at each successful AD login.


The role to AD group mapping is based on arbitrary AD group names and there is no validation for the correctness of these names.

The next chapters discuss the different role types and how they are configured through AD.

Company wide roles

Company wide roles are roles that are associated to a user and impact all the projects of the company. An example of a company wide role is COMPANY_ADMIN which has access rights to the administrative parts and all the projects in Congrid.

Lets take an example with two users

Alice is part of the following AD groups (configuration on AD side):

Bob is part of the following AD groups (configuration on AD side):

Charlie is part of the following AD groups (configuration on AD side):

Congrid is configured with the following company level role to AD group mapping

As as result of this configuration both Alice and Charlie have the COMPANY_ADMIN 
role in Congrid. Alice is a COMPANY_ADMIN in Congrid because she belongs to AD groupd 
CONGRID_ADMIN and Charlie is a COMPANY_ADMIN in Congrid because he belongs to AD
group IT_ADMIN


The AD to Congrid role mapping for company wide roles in Congrid site is always configured by Congrid personnel. Therefore the AD administrator will need to inform Congrid about the AD group names she wants to have for different company wide roles.

Project specific roles

The project specific roles function similarly as the company wide roles but as name suggests they are only valid for a project.

The project has four different roles that can be configured:

  • PROJECT_LIVE_ADMIN - Project administrator
  • PROJECT_LIVE_EDIT - Can edit project data through Live web portal
  • PROJECT_LIVE_VIEW - Can view project data through Live web portal
  • PROJECT_CLIENT_ADMIN - Can use the mobile application

As with the company wide roles, each project role can have a list of AD groups associated with it. An empty list for any number of the roles is a valid configuration.

Project specific role to AD group mappings are configured through Congrid API. Below is an example request to create a new project with a AD group to role mapping.

curl -X POST -H "Content-Type: application/json" -H "Congrid-API-Token: YOUR-API-TOKEN" \
  -d '{
   "name": "Project with AD config",
   "startedAt": "2015-09-22",
   "projectCode": "AD-PROJECT",
   "adConfiguration": {
   		"projectClientAdmin": ["PROJECT_A_USERS"],
   		"projectLiveAdmin" : ["LIVE_ADMIN", "GENERAL_ADMIN"],
   		"projectLiveEdit" : ["PROJECT_A_USERS"],
   		"projectLiveView" : ["ACCOUNTING", "MANAGEMENT"]
}' ""
var request = require("request");

var options = { method: 'POST',
  url: '',
   { 'congrid-api-token': 'YOUR-API-TOKEN',
     'content-type': 'application/json' },
   { name: 'Project with AD config',
     startedAt: '2015-09-22',
     projectCode: 'AD-PROJECT',
      { projectClientAdmin: [ 'PROJECT_A_USERS' ],
        projectLiveAdmin: [ 'LIVE_ADMIN', 'GENERAL_ADMIN' ],
        projectLiveEdit: [ 'PROJECT_A_USERS' ],
        projectLiveView: [ 'ACCOUNTING', 'MANAGEMENT' ] } },
  json: true };

request(options, function (error, response, body) {
  if (error) throw new Error(error);


Example response:

  "addressId": "noPqstWrmmbe3V0brWXDeV5kkoxNuxqi",
  "id": "Ao0jiNzuqHHqOaVW1MNPadLo7bmqSkR0",
  "modifiedAt": "2017-04-11T12:32:11.326496Z",
  "ownerId": "LNfTQ5rokGH8pIcxTeOWL0b5r3SOdkRU",
  "adConfiguration": {
    "projectClientAdmin": [
    "projectLiveAdmin": [
    "projectLiveEdit": [
    "projectLiveView": [
  "moduleIds": [
  "name": "Project with AD config",
  "projectCode": "AD-PROJECT",
  "startedAt": "2015-09-22",
  "statusId": "ACTIVE"


If you update the adConfiguration of a project you will need to provide all the values for the different properties inside it. The API considers properties that are left out to be reset to null.

results matching ""

    No results matching ""