Active Directory security groups are mapped to WordPress roles under Permissions > Role equivalent groups (REG). If a user belongs to multiple security groups that are all mapped to WordPress roles, every one of those WordPress roles is assigned to the user.

When are REGs synchronized?

Role equivalent groups are synchronized:

  • after the user has been successfully logged in
  • after the Sync to WordPress feature has been executed automatically or by hand.

How Role Equivalent Groups are synchronized

We assume that the administrator does not want to use REGs if no mappings have been defined.

To handle the most common cases we distinguish between five situations:

  • If a user is created and REGs are not defined: the user gets the WordPress role Subscriber assigned. We assume that in this case the administrator does not want to use REGs.
  • If a user is created, REGs are defined and the user belongs to none of the REGs: no WordPress role is assigned to the user.
  • If a user is updated, REGs are defined and the user does not belong to any REG: the user loses all their previous roles and no role is assigned. We assume that the administrator does want to use REGs but the user does not belong to any of these REGs.
  • If a user is updated and no REG is defined: the user’s previous role will not be changed.
  • In any other case the user gets their WordPress roles assigned based upon their security group membership and the defined REGs.
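
The five situations above can be modeled as a small decision function, which helps when checking which roles a user will hold after a sync. This is an added example, not the plugin's own code: the function name resolve_roles, the group => role array shape, exact-match group comparison and all sample group names are assumptions.

```php
<?php
// Added illustration: models the five situations described above.
// Not the plugin's code; function name and data shapes are assumptions.

/**
 * @param bool     $isNewUser     true when the WordPress user is being created
 * @param array    $regs          constructed mapping: AD security group => WordPress role
 * @param string[] $userGroups    AD security groups the user belongs to
 * @param string[] $previousRoles roles the WordPress user held before the sync
 * @return string[] roles the user holds after synchronization
 */
function resolve_roles(bool $isNewUser, array $regs, array $userGroups, array $previousRoles): array
{
    if ($regs === []) {
        // No REGs defined: new users become Subscriber, existing users keep their roles.
        return $isNewUser ? ['subscriber'] : $previousRoles;
    }

    // REGs defined: collect every role mapped from a group the user belongs to.
    $roles = [];
    foreach ($regs as $group => $role) {
        if (in_array($group, $userGroups, true)) {
            $roles[] = $role;
        }
    }
    // No matching REG yields an empty list: a new user gets no role,
    // an updated user loses all previous roles.
    return array_values(array_unique($roles));
}

// Constructed sample data (group names are hypothetical).
$regs = ['wp-admins' => 'administrator', 'wp-editors' => 'editor'];
$cases = [
    'created, no REGs'           => [true,  [],    ['staff'], []],
    'created, no matching REG'   => [true,  $regs, ['staff'], []],
    'updated, no matching REG'   => [false, $regs, ['staff'], ['editor']],
    'updated, no REGs'           => [false, [],    ['staff'], ['editor']],
    'updated, two matching REGs' => [false, $regs, ['wp-admins', 'wp-editors'], ['subscriber']],
];
foreach ($cases as $label => [$new, $map, $groups, $prev]) {
    printf("%-28s => [%s]\n", $label, implode(', ', resolve_roles($new, $map, $groups, $prev)));
}
```

The fourth case is the one to watch when reviewing privileges: with no REG defined, an updated user keeps whatever roles were assigned earlier, so removing all mappings does not revoke existing roles.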