9.6 Creating Users and Groups

Access to Cloud Manager requires a Cloud Manager user account. Through the account, a user receives rights to perform various roles in the Cloud Manager system, in an organization, or in both. Rights can also be assigned to user groups to enable all members of the group to perform specific roles.

You can create users and groups by manually entering information or by importing information from your LDAP authentication source.

9.6.1 Manually Creating Users

  1. On the main navigation bar, click Getting Started, then click Create Users and Groups (in the Set Up Your Cloud Environment list).

    or

    On the main navigation bar, click Users, then click the Users tab.

  2. On the Users tab, click Create to display the Create User dialog box.

  3. Provide the following details to define the user:

    Full Name: Specify the user’s full name as you want it to appear in NetIQ Cloud Manager.

    E-Mail Address: Specify the user’s e-mail address as defined in their LDAP authentication account. If necessary, you can specify more than one address; use commas to separate addresses.

    The e-mail address enables the Cloud Manager system to send messages (tasks, notifications, and so forth) to the user as needed.

    Phone Number: This field is optional. Specify a contact number if desired.

  4. Select the user’s scope:

    Organization: An organization scope enables the user to perform roles within a specific organization. The roles are Approver, Build Administrator, Business Group Viewer, Business Service Owner, Organization Manager, Sales Manager, and Sponsor.

    To give the user an organization scope, select Organization, then select the organization in which to place the user.

    System: A system scope enables the user to administer the Cloud Manager system. The roles are Approver, Build Administrator, Catalog Manager, Cloud Administrator, and System View. In addition, a System user can be given any of the organization roles.

    NOTE:System scope also implies the Zone Administrator role, though it is not explicitly listed. Instead, specific zones are associated to these users, making the Zone Administrator role implicit.

  5. (Organization user only) If you want the user to always be able to view business service costs regardless of the Costs setting for a business group, select Always show costs.

    An organization’s or business group’s Costs setting can be set to Show or Hide. The purpose of the Always show costs setting is to ensure that business service costs are always visible to the user even if the Costs setting is set to Hide.

    For example, you might want to select this option for users who are Sponsors. This ensures that the users can always see costs even if the organization or business group is set to hide costs.

  6. (System user only) Assign system-level roles to the user.

    The system-level roles are Approver, Build Administrator, Catalog Manager, Cloud Administrator, and System View. These roles can be assigned only to System users.

    NOTE:System scope also implies the Zone Administrator role, though it is not explicitly listed. Instead, specific zones are associated to these users, making the Zone Administrator role implicit.

    1. To assign the Approver, Build Administrator, Catalog Manager, or Cloud Administrator role, click the System tab, click Add, select the desired roles, then click OK.

    2. To assign the Zone Administrator role, click the Zone tab, click Add, select the desired zone, then click OK.

  7. Assign organization-level roles to the user.

    The organization-level roles are Approver, Build Administrator, Business Group Viewer, Business Service Owner, Organization Manager, Sales Manager, and Sponsor. The Approver, System View, and Build Administrator roles can be assigned only to System users. The Sales Manager role can be assigned only to Organization users. The other roles can be assigned to both System users and Organization users.

    Several of the roles can be assigned at the organization, business group, or business service level. For example, you can make a user a Sponsor for a business group, in which case the user can approve requests for business services from that business group only. Or, you can make the user a Sponsor for the organization, in which case the user can approve requests for all business services in the organization.

    1. Click the Organization tab to add a role at the organization level, click the Business Group tab to add a role at the business group level, or click the Business Service tab to add a role at the business service level.

    2. Click the role that you want to assign

      For example, if you selected the Business Group tab and you want to enable the user to create business services for the business group, click Business Service Owner.

    3. Click Add, select the object (organization, business group, or business service) to which you want the role to apply, then click OK to add it to the list.

  8. Ignore the Membership tab at this time.

    The Membership tab lets you add users to groups. You must create the groups first. This task is discussed in Manually Creating User Groups and Importing User Groups from LDAP

  9. When you have finished assigning roles to the user, click Save.

For more information about users and roles, see Section 11.0, Setting Up and Managing Users.

9.6.2 Manually Creating User Groups

Rather than assign roles to individual users, you can create user groups and assign roles to the user groups. Users (and other user groups) that are added to a group inherit the group’s roles.

User group roles are cumulative. If you add a user to a group, the user retains its directly assigned roles and also gains the roles inherited from the group.

  1. On the main navigation bar, click Getting Started, then click Create Users and Groups (in the Set Up Your Cloud Environment list).

    or

    On the main navigation bar, click Users.

  2. Click the User Groups tab, then click Create to display the Create User Group dialog box.

  3. Provide the following details to define the user group:

    Full Name: Specify the group’s full name as you want it to appear in NetIQ Cloud Manager.

    E-Mail Address: This field is optional. If you enter an e-mail address, any messages generated for the group’s roles are sent to the e-mail address. If you don’t enter an e-mail address, the messages are sent to the group members’ addresses.

  4. Select the group’s scope:

    Organization: An organization scope enables the group to be assigned roles within a specific organization. The roles are Business Group Viewer, Business Service Owner, Organization Manager, Sales Manager, and Sponsor.

    To give the group an organization scope, select Organization, then select the organization in which to place the group.

    System: A system scope enables the group to be assigned roles for the Cloud Manager system. The roles are Approver, Build Administrator, Catalog Manager, Cloud Administrator, and System View. In addition, a System group can be given any of the organization roles.

    NOTE:System scope also implies the Zone Administrator role, though it is not explicitly listed. Instead, specific zones are associated to these users, making the Zone Administrator role implicit.

  5. (System user groups only) Assign system-level roles to the group.

    The system-level roles are Approver, Build Administrator, Catalog Manager, Cloud Administrator, and System View. These roles can be assigned only to System user groups.

    1. To assign the Approver, Build Administrator, Catalog Manager, or Cloud Administrator role, click the System tab, click Add, select the desired roles, then click OK.

    2. To assign the Zone Administrator role, click the Zone tab, click Add, select the desired zone, then click OK.

  6. Assign organization-level roles to the group.

    The organization-level roles are Approver, Build Administrator, Business Group Viewer, Business Service Owner, Organization Manager, Sales Manager, and Sponsor. The Approver and Build Administrator roles can be assigned only to System user groups. The other roles can be assigned to both System and Organization user groups.

    Several of the roles can be assigned at the organization, business group, or business service level. For example, you can make a user group a Sponsor for a business group, in which case the group members can approve requests for business services from that business group only. Or, you can make the user group a Sponsor for the organization, in which case the group members can approve requests for all business services in the organization.

    1. Click the Organization tab to add a role at the organization level, click the Business Group tab to add a role at the business group level, or click the Business Service tab to add a role at the business service level.

    2. Click the role that you want to assign.

      For example, if you selected the Business Group tab and you want to enable the user group to create business services for the business group, click Business Service Owner.

    3. Click Add, select the object (organization, business group, or business service) to which you want the role to apply, then click OK to add it to the list.

  7. Add members to the group:

    1. Click the Membership tab.

    2. Click Members, then click Add to display the Add Members dialog box.

    3. Select the users and user groups you want to add to the group.

      You can Shift-click and Ctrl-click to select multiple users and groups.

    4. Click OK to add the users and user groups to the Members list.

  8. When you have finished assigning roles and adding members, click Save.

For more information about user groups and roles, see Section 11.0, Setting Up and Managing Users.

9.6.3 Importing Users from LDAP

You can create users by importing information from your LDAP authentication source. You can import users as System or Organization users. After you import a user, you can assign roles to the user.

  1. On the main navigation bar, click Getting Started, then click Create Users and Groups (in the Set Up Your Cloud Environment list).

    or

    On the main navigation bar, click Organizations.

  2. If you want to import Organization users, click the Organizations tab, select the target organization for the import, click Edit to display the Edit Organization dialog box, then click Import (located above the Members list on the Users tab).

    or

    If you want to import System users, click Configuration (on the main navigation bar) to display the System Configuration dialog box, click System Users, click the Members tab, then click Import.

  3. Authenticate to the LDAP directory:

    1. Click the LDAP tab.

    2. In the LDAP Location section, fill in the following fields:

      Host: Specify the FQDN (fully qualified domain name) or IP address of the host machine running the LDAP server. For example, ldap.mycompany.com or 123.45.67.8.

      Port: Specify the TCP port (on the host machine) where the LDAP server is listening for LDAP connections. The standard port for non-SSL connections is 389. The standard port for SSL connections is 636.

      Use SSL: If the Cloud Manager Application Server is configured for an SSL connection to the LDAP server, select this option to enable the secure connection.

    3. In the Search Bind Account section, fill in the following fields:

      DN: Specify an account that has search rights to the directory location from which you want to import users. For example, cn=Administrator,cn=Users,dc=MyCompany,dc=com

      Password: Specify the password for the account.

      Password Confirm: Confirm the password for the account.

    4. Click Test Connection.

      If the connection is successful, the Test Status is displayed as Passed. If the connection is not successful, validate the connection information and try again.

  4. Import users:

    1. Click the Import tab.

    2. Click Add.

      When you click Add, an new import entry is added to the list. You use the fields below the list to define the entry.

    3. In the DN field, use standard LDAP notation (ou=provo,dc=netiq,dc=com) to specify the distinguished name for the target container or object, then click Validate.

      If you specify a container, all users located within the container are imported. If you only want to import one user, specify the DN of the user object.

    4. If you specified a container for import, select Users.

    5. If you specified a container for import, select Scan Tree if you want to import users located in its subcontainers.

    6. Click Import.

      The imported users are added to the Members list. Users are identified by the icon.

  5. When you have finished importing users, click OK or Save to close the dialog box.

  6. Assign roles to the users:

    1. On the main navigation bar, click Users.

    2. Click the Users tab, select the user to whom you want to assign roles, then click Edit.

    3. (System user only) Assign system-level roles.

      The system-level roles are Approver, Build Administrator, Catalog Manager, Cloud Administrator, and System View. These roles can be assigned only to System users.

      NOTE:System scope also implies the Zone Administrator role, though it is not explicitly listed. Instead, specific zones are associated to these users, making the Zone Administrator role implicit.

      1. To assign the Approver, Build Administrator, Catalog Manager, Cloud Administrator, or System View role, click the System tab, click Add, select the desired roles, then click OK.

      2. To assign the Zone Administrator role, click the Zone tab, click Add, select the desired zone, then click OK.

    4. Assign organization-level roles.

      The organization-level roles are Approver, Build Administrator, Business Group Viewer, Business Service Owner, Organization Manager, Sales Manager, and Sponsor. The Approver and Build Administrator roles can be assigned only to System users. The Sales Manager role can be assigned only to Organization users. The other roles can be assigned to both System users and Organization users.

      Several of the roles can be assigned at the organization, business group, or business service level. For example, you can make a user a Sponsor for a business group, in which case the user can approve requests for business services from that business group only. Or, you can make the user a Sponsor for the organization, in which case the user can approve requests for all business services in the organization.

      1. Click the Organization tab to add a role at the organization level, click the Business Group tab to add a role at the business group level, or click the Business Service tab to add a role at the business service level.

      2. Click the role that you want to assign

        For example, if you selected the Business Group tab and you want to enable the user to create business services for the business group, click Business Service Owner.

      3. Click Add, select the object (organization, business group, or business service) to which you want the role to apply, then click OK to add it to the list.

    5. When you have finished assigning roles to the user, click Save.

For more information about users and roles, see Section 11.0, Setting Up and Managing Users.

9.6.4 Importing User Groups from LDAP

You can create user groups by importing them from your LDAP authentication source. After you import a group, you can assign roles to the group.

An imported user group’s membership is maintained in the LDAP authentication source. Any users who are members of the user group in the LDAP source receive the roles that are assigned to the user group in Cloud Manager.

An imported user group’s members are not imported and do not display in the group’s Members list. In addition, you cannot manually add users or user groups to an imported group.

  1. On the main navigation bar, click Getting Started, then click Create Users and Groups (in the Set Up Your Cloud Environment list).

    or

    On the main navigation bar, click Organizations.

  2. If you want to import Organization user groups, click the Organizations tab, select the target organization for the import, click Edit to display the Edit Organization dialog box, then click Import (located above the Members list on the Users tab).

    or

    If you want to import System user groups, click Configuration (on the main navigation bar) to display the System Configuration dialog box, click System Users, click the Members tab, then click Import.

  3. Authenticate to the LDAP directory:

    1. Click the LDAP tab.

    2. In the LDAP Location section, fill in the following fields:

      Host: Specify the FQDN (fully qualified domain name) or IP address of the host machine running the LDAP server. For example, ldap.mycompany.com or 123.45.67.8.

      Port: Specify the TCP port (on the host machine) where the LDAP server is listening for LDAP connections. The standard port for non-SSL connections is 389. The standard port for SSL connections is 636.

      Use SSL: If the Cloud Manager Application Server is configured for an SSL connection to the LDAP server, select this option to enable the secure connection.

    3. In the Search Bind Account section, fill in the following fields:

      User DN: Specify an account that has read rights to the directory location from which you want to import users. For example, cn=Administrator,cn=Users,dc=MyCompany,dc=com

      Password: Specify the password for the account.

      Password Confirm: Confirm the password for the account.

    4. Click Test Connection.

      If the connection is successful, the Test Status is displayed as Passed. If the connection is not successful, validate the connection information try again.

  4. Import user groups:

    1. Click the Import tab.

    2. Click Add.

      When you click Add, an new import entry is added to the list. You use the fields below the list to define the entry.

    3. In the DN field, use standard LDAP notation (ou=provo,dc=netiq,dc=com) to specify the distinguished name for the target container or object, then click Validate.

      If you specify a container, all user groups located within the container are imported. If you only want to import one user group, specify the DN of the user group object.

    4. If you specified a container for import, select Groups.

    5. If you specified a container for import, select Scan Tree if you want to import user groups located in its subcontainers.

    6. Click Import.

      The imported user groups are added to the Members list. User groups are identified by the icon.

  5. When you have finished importing user groups, click OK or Save to close the dialog box.

  6. Assign roles to the groups:

    1. On the main navigation bar, click Users.

    2. Click the User Groups tab, select the user group to which you want to assign roles, then click Edit.

    3. (System user groups only) Assign system-level roles.

      The system-level roles are Approver, Build Administrator, Catalog Manager, Cloud Administrator, and System View. These roles can be assigned only to System user groups.

      NOTE:System scope also implies the Zone Administrator role, though it is not explicitly listed. Instead, specific zones are associated to these user groups, making the Zone Administrator role implicit.

      1. To assign the Approver, Build Administrator, Catalog Manager, System View, or Cloud Administrator role, click the System tab, click Add, select the desired roles, then click OK.

      2. To assign the Zone Administrator role, click the Zone tab, click Add, select the desired zone, then click OK.

    4. Assign organization-level roles.

      The organization-level roles are Approver, Build Administrator, Business Group Viewer, Business Service Owner, Organization Manager, Sales Manager, and Sponsor. The Sales Manager can be assigned only to Organization user groups. The Approver and Build Administrator roles can be assigned only to System user groups. The other roles can be assigned to both System and Organization user groups.

      Several of the roles can be assigned at the organization, business group, or business service level. For example, you can make a user group a Sponsor for a business group, in which case the group members can approve requests for business services from that business group only. Or, you can make the user group a Sponsor for the organization, in which case the group members can approve requests for all business services in the organization.

      1. Click the Organization tab to add a role at the organization level, click the Business Group tab to add a role at the business group level, or click the Business Service tab to add a role at the business service level.

      2. Click the role that you want to assign

        For example, if you selected the Business Group tab and you want to enable the user group to create business services for the business group, click Business Service Owner.

      3. Click Add, select the object (organization, business group, or business service) to which you want the role to apply, then click OK to add it to the list.

    5. When you have finished assigning roles to the user group, click Save.

For more information about user groups and roles, see Section 11.0, Setting Up and Managing Users.