group-based (memberOf) access profile synchronization

[chicobento]

Motivation

Current access profile demands changing ldap schema, which is very intrusive and almost impossible to change in bigger companies with stable ldap structures.

Proposal

Proposal is to get user access profile based on memberOf: we should be able to define the view/admin/superuser/write profile via ldap groups, i.e: if user is memberOf "matomo-admins" group then user gets proper admin permission.

[snake14]

Hi @chicobento . Thank you for taking the time to create this issue. That seems like an interesting proposal. It sounds like we would need to add some new configs to allow mapping specific LDAP memberOf groups to Matomo user roles. I'll add this enhancement idea to our backlog to reviewed and prioritised by our Product team.