Directory-Based Access
Managed on-prem deployments can connect Lumetry to an existing LDAP or Active Directory service. Directory users continue to authenticate through the configured identity service, while Lumetry access follows membership in existing directory groups.
How It Works
An administrator configures a read-only directory connection from Access > Directory
(LDAP/AD), tests the connection, and runs synchronization. Imported directory groups can
then be mapped to one of Lumetry's fixed roles, such as Admin, Operator, or Viewer.
The Directory section is shown only when directory management is enabled by the on-prem deployment operator. It is not available in Lumetry SaaS.
For example, mapping an existing LumetryAdmins group to Admin gives members the Admin
role after their next sign-in. No per-user role assignment is required in Lumetry.
Role Sources
The Access member list identifies where each effective role came from:
- Manual: assigned directly by a Lumetry administrator.
- Directory:group-name: inherited from a mapped LDAP/AD group.
- Mission Control: managed by the deployment's membership authority.
Directory-derived assignments are read-only in Lumetry. Add or remove the user from the source directory group to change that access.
Security Behavior
- Directory synchronization is read-only; Lumetry does not write users or groups back.
- Lumetry sends configuration and management requests to the deployment's identity service; the identity service performs LDAP connection tests, synchronization, and authentication.
- The bind password is write-only and is never returned by the Lumetry API.
- Group mappings remain aligned when a Lumetry role's permission set changes.
- Administrators can map only permissions they are themselves allowed to grant.
- Removing the directory connection removes its managed group mappings from Lumetry.
This capability is intended for a single-organization managed deployment. Shared SaaS directory mapping is not supported by this model.