Thank you for your response.
I think we're getting close to what would be ideal for us. If you're interested in an enhancement request it would be terrific if we could have the option to make it role or group based so that userA, userB, and userD that are members of the app1_monitor group in LDAP could authenticate in the VIEWER or ADMIN roles as assigned.
Our groups are fairly static while users come and go.
Also, is it possible to do user/group management via an API?
Thanks again!