NetIQ Cloud Manager 2.1.5

Quick Start - Organization Manager (System Users)

An Organization Manager has rights to manage users, role assignments, resource assignments, and business services within an organization. This Quick Start explains how to perform Organization Manager tasks in the Cloud Manager console. The information is also available in the Cloud Manager console under Help > How Do I > Organization Manager.

There are two Organization Manager Quick Starts. This one is for System users who are Organization Managers. There is a separate Organization Manager Quick Start for Organization members.

1.0 Creating Business Groups

An organization includes one or more business groups. A business group represents a unit within the organization, such as a department or cost center, with which business services are associated.

A business group can be assigned all of an organization’s resources or only some of the resources. When a business service is created for a business group, it uses only the assigned resources. Multiple business groups can be assigned the same resources, which means that the resources become shared resources.

  1. On the main navigation bar, click Organizations.

  2. Click the Business Groups tab, then click Create.

  3. Provide the following details to define the business group:

    Name: Specify a name for the group. The name should be different than any other business group name.

    Organization: Select the organization for the business group. The organization assignment cannot be changed after the business group is created.

    Description: Provide any additional information to identify the business group.

    Auto Approval: Business service requests require both a Sponsor approval and an Administrator approval. The Sponsor approval is a financial check, and the Administrator approval is a resource capacity check. You can use Auto Approval to bypass one or both of the approvals.

    Sponsor is selected by default. If you don’t want automatic Sponsor approval, you must add sponsors to the group (see Step 4).

    Select Administrator to automatically grant Administrator approval for the group’s business services.

    Costs: The business group inherits the Costs setting from its organization. To change the setting for the business group, click Override, then configure the setting as desired. Show allows group members to see cost information for workloads. Hide prevents group members from seeing cost information.

  4. Assign roles for the business group.

    There are three roles that apply to a business group: Business Group Viewer, Business Service Owner, and Sponsor. By default, users assigned these roles at the organization also have these same roles in the business group.

    1. Click the Users tab, then click the role (Business Group Viewer, Business Service Owner, or Sponsor) that you want to assign to a user.

    2. Click Add.

      Depending on the role that you are adding, the selection dialog box can contain two lists: Members and System Users. The Members list includes all members of the organization, and the System Users list includes all Cloud Manager System users.

    3. Select the users you want to add, then click OK.

      You can Shift-click and Ctrl-click to select multiple users.

  5. Add the resource groups you want the business group to have access to:

    1. Under Membership and Access, click the Resource Groups tab.

    2. Click Add to display the Add Resource Groups dialog box.

      The list displays the organization’s resource groups. A business group is limited to the resource groups assigned to its organization.

    3. Select the resource groups you want to add.

      You can Shift-click and Ctrl-click to select multiple resource groups.

    4. Click OK to add the selected resource groups to the Resource Groups list.

  6. Add the workload templates that you want the business group to have access to:

    1. Under Membership and Access, click the Workload Templates tab.

    2. Click Add to display the Add Workload Templates dialog box.

      The list displays the organization’s workload templates. A business group is limited to the workload templates assigned to its organization.

    3. Select the workload templates.

      You can Shift-click and Ctrl-click to select multiple workload templates.

    4. Click OK to add the selected workload templates to the Workload Templates list.

  7. Add the networks that you want the business group to have access to:

    The available networks are determined by the VM hosts included in the resource groups. However, to enable you to provide isolated networks for business groups that share the same resource group, the networks from a resource group are not automatically assigned to a business group when you add the resource group. Instead, you must separately add the networks you want assigned to the business group.

    1. Under Membership and Access, click the Networks tab.

    2. Click Add to display the Add Networks dialog box.

    3. Select the networks.

      You can Shift-click and Ctrl-click to select multiple networks.

    4. Click OK to add the selected networks to the Networks list.

  8. Click Save.

2.0 Creating Organization User Accounts

Access to Cloud Manager requires a Cloud Manager user account. Through the account, a user receives rights to perform various roles in the organization.

There are two ways to create user accounts:

  • Manually enter the information for a user account.

  • Import the account information from your LDAP authentication source.

2.1 Manually Creating Users

  1. On the main navigation bar, click Organizations.

  2. Click the Users tab, then click Create to display the Create User dialog box.

  3. Provide the following details to define the user:

    Full Name: Specify the user’s full name as you want it to appear in the Cloud Manager console.

    E-Mail Address: Specify the user’s e-mail address. If necessary, you can specify more than one address; use commas to separate addresses.

    The e-mail address enables the Cloud Manager system to send messages (tasks, notifications, and so forth) to the user as needed.

    If LDAP is being used for authentication (without Novell Access Manager or Novell Cloud Security Services), the e-mail address is also used for login.

    Phone Number: This field is optional. Specify a contact number if desired.

  4. In the Scope field, select the user’s organization from the Organization list.

  5. If you want the user to always be able to view business service costs regardless of the Costs setting for a business group, select Always show costs regardless of business group costs setting.

    A business group’s Costs setting can be set to Show or Hide. The purpose of the Always show costs setting is to ensure that business service costs are always visible to the user even if the business group Costs setting is set to Hide.

    For example, you might want to select this option for users who are Organization sponsors or Business Group sponsors. This ensures that sponsors can always see costs even if the organization or business group is set to hide costs.

  6. Assign roles to the user.

    An Organization user can be assigned roles at the organization level, business group level, or business service level. For example, you could make a user a Sponsor for a business group, in which case the user could approve requests for business services from that business group only. Or, you could make the user a Sponsor for the organization, in which case the user could approve requests for business services from all business groups in the organization.

    1. Click the Organization tab to add a role at the organization level, click the Business Group tab to add a role at the business group level, or click the Business Service tab to add a role at the business service level.

    2. Click the role that you want to assign to the user.

      For example, if you selected the Business Group tab and you want to enable the user to create business services for the business group, click Business Service Owner.

    3. Click Add, select the object (organization, business group, or business service) to which you want the role to apply, then click OK to add it to the list.

  7. Add the user to user groups.

    When you add a user to a group, the user inherits the roles assigned to the group.

    1. Click the Membership tab.

    2. Click Add, select the desired user groups, then click OK.

      You can Shift-click and Ctrl-click to select multiple groups.

  8. When you have finished assigning roles and groups to the user, click Save.

    The user is added to the Users list.

2.2 Importing LDAP Users

You can create user accounts by importing information from your LDAP authentication source. After you import a user, you can assign roles to the user.

  1. On the main navigation bar, click Organizations.

  2. Click the Organizations tab, select the target organization for the import, then click Edit to display the Edit Organization dialog box.

  3. On the Users tab, click Members, then click Import.

  4. Authenticate to the LDAP directory:

    1. Click the LDAP tab.

    2. In the LDAP Location section, fill in the following fields:

      Host: Specify the FQDN (fully qualified domain name) or IP address of the host machine running the LDAP server. For example, ldap.mycompany.com or 123.45.67.8.

      Port: Specify the TCP port (on the host machine) where the LDAP server is listening for LDAP connections. The standard port for non-SSL connections is 389. The standard port for SSL connections is 636.

      Use SSL: If you configured the Cloud Manager Application Server to support an SSL connection to the LDAP server (by importing the LDAP server certificate into the Cloud Manager Application Server’s trust store), select this option to enable the secure connection.

    3. In the Search Bind Account section, fill in the following fields:

      DN: Specify the distinguished name of an account that has search rights to the directory location from which you want to import users. For example, cn=Administrator,cn=Users,dc=MyCompany,dc=com

      Password: Specify the password for the account.

      Confirm Password: Confirm the password for the account.

    4. Click Test Connection.

      If the connection is successful, the Test Status is displayed as Passed. If the connection is not successful, validate the connection information and try again.

  5. Import users:

    1. Click the Import tab.

    2. Click Add.

      When you click Add, a new import entry is added to the list. You use the fields below the list to define the entry.

    3. In the DN field, use standard LDAP notation (ou=provo,dc=netiq,dc=com) to specify the distinguished name for the target container or object, then click Validate.

      If you specify a container, all users located within the container are imported. If you only want to import one user, specify the DN of the user object.

    4. If you specified a container for import, select Users.

    5. If you specified a container for import, select Scan Tree if you want to import users located in its subcontainers.

    6. Click Import.

      The imported users are added to the Members list. Users are identified by the icon.

  6. Assign roles to a user.

    An Organization user can be assigned roles at the organization level, business group level, or business service level. If you want to assign an imported user a role at the organization level, continue with the following steps. If you want to assign roles at the other two levels, exit the dialog box and see Assigning Roles to Users and Groups.

    Users must be given roles in order to do anything in the organization. There are six roles that apply at the organization level: Approver, Build Administrator, Business Group Viewer, Business Service Owner, Organization Manager, and Sponsor.

    Role assignments at the organization level are inherited by the organization’s business groups. For example, if you give a user the Business Service Owner role for an organization, the user can create business services for any business group in the organization. If you want to limit the user to a role in a specific business group, you must make the role assignment in the business group.

    1. Click the role (Approver, Build Administrator, Business Group Viewer, Business Service Owner, Organization Manager, or Sponsor) that you want to assign to a user.

    2. Click Add.

      Depending on the role that you are adding, the selection dialog box can contain two lists: Members and System Users. The Members list includes all members of the organization, and the System Users list includes all Cloud Manager System users.

    3. Select the users you want to add, then click OK.

      You can Shift-click and Ctrl-click to select multiple users.

  7. Click Save to close the Edit Organization dialog box.

3.0 Creating Organization User Groups

Rather than assign roles to individual users, you can create user groups and assign roles to the user groups. Users who are added to a group inherit the group’s roles.

User group roles are cumulative. If you add a user to a group, the user retains its directly assigned roles and also gains the inherited roles from the group.

There are two ways to create user groups:

  • Manually enter the information for a user group.

  • Import the group information from your LDAP authentication source.

3.1 Manually Creating User Groups

  1. On the main navigation bar, click Organizations.

  2. Click the User Groups tab, then click Create to display the Create User Group dialog box.

  3. Provide the following details to define the user group:

    Full Name: Specify the group’s full name as you want it to appear in the Cloud Manager console.

    E-Mail Address: This field is optional. If you enter an e-mail address, any messages generated for the group’s roles are sent to the e-mail address. If you don’t enter an e-mail address, the messages are sent to the group members’ addresses.

  4. In the Scope field, select the user group’s organization from the Organization list.

  5. In the Type field, select the group’s type:

    • LDAP DN: Select this option to specify an LDAP group. The group’s membership is maintained in the LDAP source. You cannot add users to the group in Cloud Manager.

      Use standard LDAP notation to specify the distinguished name of the user group in the LDAP source (for example, cn=orgmanagers,dc=provo,dc=netiq,dc=com).

    • Cloud Manager: Select this option to create a user group that exists only in Cloud Manager. You maintain the group membership in Cloud Manager. The group can include both users and other groups (including LDAP user groups).

  6. Assign roles to the group.

    An Organization group can be assigned roles at the organization level, business group level, or business service level. For example, you can make a group a Sponsor for a business group, in which case the group can approve requests for business services from that business group only. Or, you can make the group a Sponsor for the organization, in which case the group can approve requests for business services from all business groups in the organization.

    1. Click the Organization tab to add a role at the organization level, click the Business Group tab to add a role at the business group level, or click the Business Service tab to add a role at the business service level.

    2. Click the role that you want to assign to the group.

      For example, if you selected the Business Group tab and you want to enable the group to create business services for the business group, click Business Service Owner.

    3. Click Add, select the object (organization, business group, or business service) to which you want the role to apply, then click OK to add it to the list.

  7. Add members to the group:

    1. Click the Membership tab.

    2. Click Members, then click Add to display the Add Members dialog box.

    3. Select the users and user groups you want to add to the group.

      You can Shift-click and Ctrl-click to select multiple users and groups.

    4. Click OK to add the users and user groups to the Members list.

  8. When you are finished assigning roles and adding members, click Save.

3.2 Importing LDAP User Groups

You can create user groups by importing them from your LDAP authentication source. After you import a group, you can assign roles to the group.

An imported user group’s membership is maintained in the LDAP authentication source. Any users who are members of the user group in the LDAP source receive the roles that are assigned to the user group in Cloud Manager.

An LDAP user group’s members are not imported to Cloud Manager and do not display in the group’s Members list. In addition, you cannot manually add users or user groups to an imported group.

  1. On the main navigation bar, click Organizations.

  2. Click the Organizations tab, select the target organization for the import, then click Edit to display the Edit Organization dialog box.

  3. On the Users tab, click Members, then click Import.

  4. Authenticate to the LDAP directory:

    1. Click the LDAP tab.

    2. In the LDAP Location section, fill in the following fields:

      Host: Specify the FQDN (fully qualified domain name) or IP address of the host machine running the LDAP server. For example, ldap.mycompany.com or 123.45.67.8.

      Port: Specify the TCP port (on the host machine) where the LDAP server is listening for LDAP connections. The standard port for non-SSL connections is 389. The standard port for SSL connections is 636.

      Use SSL: If you configured the Cloud Manager Application Server to support an SSL connection to the LDAP server (by importing the LDAP server certificate into the Cloud Manager Application Server’s trust store), select this option to enable the secure connection.

    3. In the Search Bind Account section, fill in the following fields:

      User DN: Specify an account that has read rights to the directory location from which you want to import user groups. For example, cn=Administrator,cn=Users,dc=MyCompany,dc=com

      Password: Specify the password for the account.

      Password Confirm: Confirm the password for the account.

    4. Click Test Connection.

      If the connection is successful, the Test Status is displayed as Passed. If the connection is not successful, validate the connection information and try again.

  5. Import user groups:

    1. Click the Import tab.

    2. Click Add.

      When you click Add, a new import entry is added to the list. You use the fields below the list to define the entry.

    3. In the DN field, use standard LDAP notation (ou=provo,dc=netiq,dc=com) to specify the distinguished name for the target container or object, then click Validate.

      If you specify a container, all user groups located within the container are imported. If you only want to import one user group, specify the DN of the user group object.

    4. If you specified a container for import, select Groups.

    5. If you specified a container for import, select Scan Tree if you want to import user groups located in its subcontainers.

    6. Click Import.

      The imported user groups are added to the Members list. Users are identified by the icon.

  6. Assign roles to a group.

    An Organization user group can be assigned roles at the organization level, business group level, or business service level. If you want to assign an imported user group a role at the organization level, continue with the following steps. If you want to assign roles at the other two levels, exit the dialog box and see Assigning Roles to Users and Groups.

    User groups must be given roles for the group members to do anything in the organization. There are six roles that apply at the organization level: Approver, Build Administrator, Business Group Viewer, Business Service Owner, Organization Manager, and Sponsor.

    Role assignments at the organization level are inherited by the organization’s business groups. For example, if you give a user group the Business Service Owner role for an organization, the group members can create business services for any business group in the organization. If you want to limit the user group to a role in a specific business group, you must make the role assignment in the business group.

    1. Click the role (Approver, Build Administrator, Business Group Viewer, Business Service Owner, Organization Manager, or Sponsor) that you want to assign to a user group.

    2. Click Add.

      Depending on the role that you are adding, the selection dialog box can contain two lists: Members and System Users. The Members list includes all Organization user groups and the System Users list includes all System user groups.

    3. Select the user groups you want to add, then click OK.

      You can Shift-click and Ctrl-click to select multiple user groups.

  7. Click Save to close the Edit Organization dialog box.

    The imported user groups are displayed in the User Groups list.
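The LDAP import settings from sections 2.2 and 3.2 can be reviewed before they are entered in the console. The following is an added example, not NetIQ code: the dictionary keys, the list of privileged account names, and the hardened sample values are assumptions made for illustration. It flags a connection without Use SSL, swapped standard ports, a bind account with more than search rights, and a Scan Tree import rooted at the top of the directory.

```python
# Added example: offline review of the LDAP import settings described above.
# Not part of Cloud Manager; key names and sample values are constructed.

# Assumption: account names that usually hold far more than search rights.
PRIVILEGED_NAMES = {"administrator", "admin", "root", "directory manager"}


def split_dn(dn):
    """Split a DN into (attribute, value) pairs, keeping backslash-escaped commas."""
    parts, cur, escaped = [], "", False
    for ch in dn:
        if escaped:
            cur, escaped = cur + ch, False
        elif ch == "\\":
            cur, escaped = cur + ch, True
        elif ch == ",":
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    rdns = []
    for part in parts:
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"not a valid RDN: {part!r}")
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def review(cfg):
    """Return (code, message) findings for one set of import settings."""
    findings = []
    if not cfg["use_ssl"]:
        findings.append(("cleartext",
                         "Use SSL is off: the bind password and the imported "
                         "entries cross the network unencrypted"))
    if (cfg["use_ssl"] and cfg["port"] == 389) or \
       (not cfg["use_ssl"] and cfg["port"] == 636):
        findings.append(("port-mismatch",
                         "port and Use SSL disagree with the standard pairing "
                         "(389 non-SSL, 636 SSL)"))
    bind = split_dn(cfg["bind_dn"])
    if bind[0][1].lower() in PRIVILEGED_NAMES:
        findings.append(("privileged-bind",
                         "the bind account only needs search rights on the "
                         "import location; use a dedicated read-only account"))
    target = split_dn(cfg["import_dn"])
    if cfg["scan_tree"] and all(attr == "dc" for attr, _ in target):
        findings.append(("broad-import",
                         "Scan Tree on the directory root imports every "
                         "matching object in all subcontainers"))
    return findings


# Settings built from the example values shown on this page.
PAGE_EXAMPLE = {
    "host": "ldap.mycompany.com", "port": 389, "use_ssl": False,
    "bind_dn": "cn=Administrator,cn=Users,dc=MyCompany,dc=com",
    "import_dn": "dc=MyCompany,dc=com", "scan_tree": True,
}

# Constructed hardened variant: SSL, read-only service account, one container.
HARDENED = {
    "host": "ldap.mycompany.com", "port": 636, "use_ssl": True,
    "bind_dn": "cn=cm-import-reader,ou=Service,dc=MyCompany,dc=com",
    "import_dn": "ou=provo,dc=MyCompany,dc=com", "scan_tree": False,
}

if __name__ == "__main__":
    for name, cfg in (("page example", PAGE_EXAMPLE), ("hardened", HARDENED)):
        print(name)
        for code, message in review(cfg) or [("ok", "no findings")]:
            print(f"  [{code}] {message}")
```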

4.0 Assigning Roles to Users and Groups

An Organization user or user group can be assigned roles at the organization level, business group level, or business service level. For example, you can make a user a Sponsor for a business group, in which case the user can approve requests for business services from that business group only. Or, you can make the user a Sponsor for the organization, in which case the user can approve requests for all business services in the organization.

4.1 Assigning Roles

  1. On the main navigation bar, click Organizations.

  2. To assign a role to a user, click the Users tab, select the user, then click Edit to display the Edit User dialog box.

    or

    To assign a role to a user group, click the User Groups tab, select the user group, then click Edit to display the Edit User Group dialog box.

  3. In the Membership and Access section, click the Organization tab to add a role at the organization level, click the Business Group tab to add a role at the business group level, or click the Business Service tab to add a role at the business service level.

  4. Click the role that you want to assign.

    For example, if you selected the Business Group tab and you want to enable the user or group to create business services for the business group, click Business Service Owner.

  5. Click Add, select the object (organization, business group, or business service) to which you want the role to apply, then click OK to add it to the list.

  6. When you have finished adding roles, click Save to save the role changes.

4.2 Role Descriptions

  • Approver: Has rights to approve or deny a business service request based on available resource capacity. Only System users can be Approvers.

  • Build Administrator: Has rights to complete pre-build and post-build configuration for workloads that are deployed through requested business services. Only System users can be Build Administrators.

  • Business Group Viewer: Has rights to view business services for a business group.

  • Business Service Owner: Has rights to create, modify, and delete business services for an organization or for specific business groups within an organization.

  • Organization Manager: Has rights to manage users, roles, resource assignments, and business services within an assigned organization. Both System users and Organization members can be Organization Managers. System users can be assigned as Organization Managers in multiple organizations. Organization members can be assigned as Organization Managers only in their own organization.

  • Sponsor: Has rights to approve or deny a business service request based on financial reasons.
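The scope inheritance, cumulative group roles, and role restrictions described in sections 2 through 4 can be checked together when reviewing who can actually approve or create business services. The following is an added example, not Cloud Manager code: it is a standalone model, all class, function, user, and group names are constructed, and it assumes a group nested inside another group inherits the outer group's roles.

```python
# Added example: a standalone model of the role rules in this Quick Start.
# Not Cloud Manager code; every name and sample record here is constructed.
from dataclasses import dataclass, field
from typing import Optional

SYSTEM_ONLY = {"Approver", "Build Administrator"}  # per the role descriptions


@dataclass(frozen=True)
class Scope:
    org: str
    group: Optional[str] = None    # business group; None = whole organization
    service: Optional[str] = None  # business service; None = whole business group

    def covers(self, target):
        """True if a role granted at this scope applies at `target`."""
        if self.org != target.org:
            return False
        if self.group is None:
            return True            # organization-level roles are inherited
        if self.group != target.group:
            return False
        return self.service is None or self.service == target.service


@dataclass
class Principal:                   # a user or a user group
    name: str
    kind: str = "member"           # "member" (Organization member) or "system"
    home_org: Optional[str] = None
    grants: list = field(default_factory=list)     # [(role, Scope)]
    member_of: list = field(default_factory=list)  # names of user groups


def effective_grants(user, groups):
    """Direct grants plus grants inherited from groups (roles are cumulative)."""
    found = [(role, scope, "direct") for role, scope in user.grants]
    seen, queue = set(), list(user.member_of)
    while queue:
        name = queue.pop()
        if name in seen:           # nested groups can reference each other
            continue
        seen.add(name)
        found += [(r, s, "group:" + name) for r, s in groups[name].grants]
        queue += groups[name].member_of
    return found


def has_role(user, role, target, groups):
    return any(r == role and s.covers(target)
               for r, s, _ in effective_grants(user, groups))


def audit(user, groups):
    """Flag effective grants that conflict with the role descriptions."""
    issues = []
    for role, scope, source in effective_grants(user, groups):
        if user.kind == "system":
            continue
        if role in SYSTEM_ONLY:
            issues.append(f"{user.name}: {role} ({source}) is for System users only")
        if role == "Organization Manager" and scope.org != user.home_org:
            issues.append(f"{user.name}: Organization Manager ({source}) "
                          f"outside own organization")
    return issues


# Constructed sample data; the two staff groups deliberately form a cycle.
GROUPS = {
    "finance-sponsors": Principal("finance-sponsors", member_of=["all-staff"],
                                  grants=[("Sponsor", Scope("acme", "finance"))]),
    "all-staff": Principal("all-staff", member_of=["finance-sponsors"],
                           grants=[("Business Group Viewer", Scope("acme"))]),
    "capacity-team": Principal("capacity-team",
                               grants=[("Approver", Scope("acme"))]),
}
ALICE = Principal("alice", home_org="acme", member_of=["finance-sponsors"],
                  grants=[("Business Service Owner", Scope("acme", "finance"))])
BOB = Principal("bob", home_org="acme", member_of=["capacity-team"])
CAROL = Principal("carol", home_org="acme",
                  grants=[("Organization Manager", Scope("globex"))])

if __name__ == "__main__":
    for person in (ALICE, BOB, CAROL):
        print(person.name, audit(person, GROUPS) or "ok")
```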

5.0 Generating Reports

You can generate reports showing the business service costs for an organization.

  1. On the main navigation bar, click Reports.

  2. Click Generate to display the Reports dialog box.

  3. In the Report Templates list, select the report you want to generate and the format you want, then click Next.

  4. In the Report Parameters dialog box, select the organization for which to generate the report, then click Generate.

    A report window appears. Depending on the amount of data to be collected, the report might be completed quickly or it might take a while. As soon as the report is completed, it is displayed in the report window, saved to your computer, opened in an associated application, or you are prompted about which action you want to take (depending on your browser configuration).

    If the report is taking a while, you can close the report window and the report continues to generate. If you close the report, its status is shown in the My Reports list. As soon as it is complete, you can view it.

6.0 Legal Notices

© 2013 NetIQ Corporation and its affiliates. All Rights Reserved. THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF A LICENSE AGREEMENT OR A NON-DISCLOSURE AGREEMENT. EXCEPT AS EXPRESSLY SET FORTH IN SUCH LICENSE AGREEMENT OR NON-DISCLOSURE AGREEMENT, NETIQ CORPORATION PROVIDES THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. SOME STATES DO NOT ALLOW DISCLAIMERS OF EXPRESS OR IMPLIED WARRANTIES IN CERTAIN TRANSACTIONS; THEREFORE, THIS STATEMENT MAY NOT APPLY TO YOU. This document and the software described in this document may not be lent, sold, or given away without the prior written permission of NetIQ Corporation, except as otherwise permitted by law. Except as expressly set forth in such license agreement or non-disclosure agreement, no part of this document or the software described in this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written consent of NetIQ Corporation. Some companies, names, and data in this document are used for illustration purposes and may not represent real companies, individuals, or data. This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. NetIQ Corporation may make improvements in or changes to the software described in this document at any time.