When a new user account is provisioned through SAML JIT Provisioning, a new SAML group
is created if the SAML response contains group information and that group does not yet
exist in IBM Aspera Shares. A SAML user who belongs to multiple groups gets the permissions
and settings of all of those groups. For example, if group A disallows sending to
external users but group B does not, users who belong to both groups are allowed to send to
external users. Settings that require specific handling are as follows:
- Account expiration is only enabled if all groups to which a user belongs specify
account expiration. If account expiration is enabled, the expiration date is set to the
latest expiration date from among all groups.
- For settings that take the values “Server Default”, “Yes” or “Allow”, and “No” or “Deny”,
the setting is set to “Yes” if any group specifies yes, and it is set to “No” if all groups
are set to no. Otherwise, it is set to the server default.
- For package deletion policy, override is enabled if all groups specify override, or if
the least restrictive group setting is less restrictive than the server-wide setting. If
override is enabled, the least restrictive group setting is used. “Do nothing” is less
restrictive than “Delete files after all recipients download all files,” which in turn
is less restrictive than “Delete files after any recipient downloads all files.”
- For advanced transfer settings, override is enabled if all groups specify override or
if any group specifies any transfer rate that is higher than the server default. If
override is enabled, each transfer rate is set to the higher of the highest value from
among the groups and the server default. The minimum rate policy is locked only if all
groups specify the setting.
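
The following is an added example, not IBM's code: a small Python model of the first three merge rules above (yes/no settings, account expiration, package deletion policy), useful for checking what a user gains when the identity provider places them in an additional group. The setting names, policy identifiers, and dictionary layout are assumptions made for illustration, and a group that does not override the deletion policy is assumed to contribute no policy of its own.

```python
from datetime import date

# Deletion policies ordered from least to most restrictive, as the page ranks them.
DELETION_ORDER = ["do_nothing", "delete_after_all_download", "delete_after_any_download"]

def merge_tristate(values, server_default):
    """values: 'yes', 'no', or None (meaning "Server Default") for each group."""
    if "yes" in values:
        return "yes"
    if values and all(v == "no" for v in values):
        return "no"
    return server_default  # mixed "no" and "Server Default": the server value applies

def merge_expiration(dates):
    """dates: a date per group, or None where the group sets no expiration."""
    if dates and all(d is not None for d in dates):
        return max(dates)  # latest expiration date among all groups
    return None  # at least one group has no expiration, so expiration is disabled

def merge_deletion_policy(policies, server_policy):
    """policies: a policy name per group, or None where the group does not override."""
    specified = [p for p in policies if p is not None]
    if not specified:
        return server_policy
    least = min(specified, key=DELETION_ORDER.index)
    all_override = len(specified) == len(policies)
    if all_override or DELETION_ORDER.index(least) < DELETION_ORDER.index(server_policy):
        return least
    return server_policy

def effective_settings(groups, server):
    """Merge per-group settings dicts (hypothetical layout) into one user's settings."""
    return {
        "send_to_external": merge_tristate([g.get("send_to_external") for g in groups], server["send_to_external"]),
        "expires_on": merge_expiration([g.get("expires_on") for g in groups]),
        "deletion_policy": merge_deletion_policy([g.get("deletion_policy") for g in groups], server["deletion_policy"]),
    }

# Constructed sample data: group A is locked down, group B is permissive.
GROUP_A = {"send_to_external": "no", "expires_on": date(2025, 6, 30), "deletion_policy": "delete_after_any_download"}
GROUP_B = {"send_to_external": "yes", "expires_on": None, "deletion_policy": "do_nothing"}
SERVER = {"send_to_external": "no", "deletion_policy": "delete_after_all_download"}

if __name__ == "__main__":
    print(effective_settings([GROUP_A, GROUP_B], SERVER))
```

With the sample data, membership in group B alone removes every restriction that group A imposes, so the group attributes the identity provider sends deserve the same review as direct permission grants.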