When AD integration is enabled, the User Roles tab shows the AD mapping and AD Rank of console user roles. Rank determines the order in which AD mapping rules are evaluated, which is significant when an AD security group matches more than one mapping rule and one of those rules is configured to stop evaluation of the remaining rules.

You can change rank using the arrow keys on the Login Accounts>User Roles page.

Each time a console user logs in, Carbon Black App Control evaluates the user against the AD mapping rules. Mappings will be executed in the order they are ranked on the User Roles page. Each mapping rule can have one of two modes:

  • Assign role and continue evaluation - If a user matches the mapping conditions, the mapped role is assigned to the user, and the next mapping rule will be evaluated.
  • Assign role and stop evaluation - If a user matches the mapping conditions of a stop evaluation rule, that role is assigned to the user and the system stops evaluating any further rules. The rank of a rule is a significant factor in the effectiveness of a stop evaluation rule, because only rules ranked below it are suppressed.

Mapping rules that stop evaluation are useful in two cases:

  • If you upgrade from previous versions of Carbon Black App Control (Bit9 Server), there are stop evaluation mapping rules that convert each of the previous group mappings to a single role mapping with the same permissions.
  • They allow you to block role assignments from lower-ranked rules. For example, if you have temporary workers and assign them to an AD group called “contractors,” you can create a mapping to this group, enable Stop evaluation on that mapping, and rank the rule #1 so that it is evaluated first and stops any further role assignments. Without enabling Stop evaluation, a contractor might match some other, lower-ranked rule and gain permissions that you do not want to grant.
  • They allow you to deny access to lower ranked rules. For example, if you have temporary workers and assign them to an AD group called “contractors,” you can create a mapping to this group, enable Stop evaluation on that mapping, and rank the rule #1 so that it is evaluated first and stops any further role assignments. Without enabling Stop evaluation, a contractor might match some other, lower-ranked rule, and gain permissions that you do not want to grant.