Products | Versions |
---|---|
TIBCO BusinessEvents Enterprise Edition | 5.3.0/5.4.0 |
The WebStudio user permission roles are configured in access control (ACL) files, which define the access permissions for each project. By default, LDAP group names and memberships are used. A user who is a member of multiple groups has to select the role permission for the new session when logging in to WebStudio.
Another option is to define a single LDAP attribute and set the role permission as an attribute value for each user. The following changes are required in BE_HOME/bin/RMS.cdd to use an LDAP attribute:
- disable the CDD property be.auth.ldap.type (comment it out, as in the example below)
- update the CDD property be.auth.ldap.roleAttr (the LDAP attribute used to define the user's permission role)
- update the CDD property be.auth.ldap.useRoleDN (set it to true)
Example:
The LDAP attribute rmsRole defines the ACL role, such as "Administrator" or "Business-User".
```xml
<property-group comment="" name="LDAP">
    <property name="be.auth.type" type="string" value="ldap"/>
    <!-- <property name="be.auth.ldap.type" value="openldap"/> -->
    <property name="be.auth.ldap.host" value="localhost"/>
    <property name="be.auth.ldap.port" value="10389"/>
    <property name="be.auth.ldap.adminDN" value="uid=admin,ou=User,ou=beGroup,ou=system"/>
    <property name="be.auth.ldap.adminPassword" value="xxxx"/>
    <property name="be.auth.ldap.baseDN" value="ou=system"/>
    <property name="be.auth.ldap.roleAttr" value="rmsRole"/>
    <property name="be.auth.ldap.uidattr" value="uid"/>
    <property name="be.auth.ldap.objectClass" value="*"/>
    <property name="be.auth.ldap.useRoleDN" value="true"/>
</property-group>
```
Note:
All users with a valid LDAP account are able to log in to WebStudio, but only users with a valid permission role are able to work with projects and/or approve changes, depending on the permissions defined in the ACL file.
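The following check is an added example, not TIBCO code: it parses an LDAP property group and reports which of the three RMS.cdd changes listed above are missing. The function names and both sample inputs are constructed for illustration, and the namespace handling assumes a full CDD file may qualify its element names.

```python
import xml.etree.ElementTree as ET

# Constructed samples: GOOD mirrors the example property group on this page,
# BAD leaves be.auth.ldap.type active, empties roleAttr and omits useRoleDN.
GOOD = """<property-group comment="" name="LDAP">
  <property name="be.auth.type" type="string" value="ldap"/>
  <!-- <property name="be.auth.ldap.type" value="openldap"/> -->
  <property name="be.auth.ldap.roleAttr" value="rmsRole"/>
  <property name="be.auth.ldap.useRoleDN" value="true"/>
</property-group>"""
BAD = """<property-group comment="" name="LDAP">
  <property name="be.auth.type" type="string" value="ldap"/>
  <property name="be.auth.ldap.type" value="openldap"/>
  <property name="be.auth.ldap.roleAttr" value=""/>
</property-group>"""


def active_properties(xml_text):
    """Return {name: value} for each <property> that is not commented out."""
    root = ET.fromstring(xml_text)  # XML comments are dropped by the parser
    props = {}
    for el in root.iter():
        # Strip an XML namespace from the tag, if one is present (assumption).
        tag = el.tag.rsplit("}", 1)[-1] if isinstance(el.tag, str) else ""
        if tag == "property" and el.get("name"):
            props[el.get("name")] = (el.get("value") or "").strip()
    return props


def check_role_attr_config(xml_text):
    """Return a list of findings; an empty list means all changes are in place."""
    p = active_properties(xml_text)
    findings = []
    if p.get("be.auth.type", "").lower() != "ldap":
        findings.append("be.auth.type is not ldap")
    if "be.auth.ldap.type" in p:
        findings.append("be.auth.ldap.type is still active; comment it out")
    if not p.get("be.auth.ldap.roleAttr"):
        findings.append("be.auth.ldap.roleAttr is missing or empty")
    if p.get("be.auth.ldap.useRoleDN", "").lower() != "true":
        findings.append("be.auth.ldap.useRoleDN is not true")
    return findings


if __name__ == "__main__":
    for label, text in (("good", GOOD), ("bad", BAD)):
        print(label, check_role_attr_config(text) or "OK")
```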