Rather than assign roles to individual users, you can create user groups and assign roles to the user groups. Users who are added to a group inherit the group’s roles.
User group roles are cumulative. If you add a user to a group, the user retains its directly assigned roles and also gains the roles inherited from the group.
As with users, there are two types of user groups: System and Organization. A System group can be assigned system-level roles (Approver, Build Administrator, Catalog Manager, Cloud Administrator, and Zone Administrator) and organization-level roles (Business Group Viewer, Business Service Owner, Organization Manager, and Sponsor). An Organization user group can be assigned organization-level roles only.
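The rules above (cumulative roles, and Organization groups limited to organization-level roles) can be checked with a small model when auditing who ends up with which role. This is an added example, not Cloud Manager code: `Group`, `effective_roles`, `sample` and the sample users are hypothetical, and it assumes that a group nested inside another group passes the outer group's roles on to its own members.

```python
# Added example: role names are the ones listed on this page; everything else is assumed.
SYSTEM_ROLES = {"Approver", "Build Administrator", "Catalog Manager",
                "Cloud Administrator", "Zone Administrator"}
ORG_ROLES = {"Business Group Viewer", "Business Service Owner",
             "Organization Manager", "Sponsor"}

class Group:
    def __init__(self, name, kind, members=()):
        self.name, self.kind = name, kind      # kind: "System" or "Organization"
        self.members = set(members)            # user names or nested group names
        self.roles = set()

    def assign(self, role):
        """Enforce the page's rule: Organization groups take organization-level roles only."""
        allowed = ORG_ROLES if self.kind == "Organization" else SYSTEM_ROLES | ORG_ROLES
        if role not in allowed:
            raise ValueError(f"{self.kind} group {self.name!r} cannot hold {role!r}")
        self.roles.add(role)

def effective_roles(user, direct, groups):
    """Direct roles plus the roles of every group reached through membership."""
    roles = set(direct.get(user, ()))
    seen, frontier = set(), [user]
    while frontier:
        member = frontier.pop()
        for group in groups.values():
            if member in group.members and group.name not in seen:
                seen.add(group.name)           # visit each group once, so cycles end
                roles |= group.roles
                frontier.append(group.name)    # the group may itself be nested
    return roles

def sample():
    """Constructed data: alice holds one direct role and sits in a nested group."""
    helpdesk = Group("helpdesk", "System", {"alice"})
    helpdesk.assign("Sponsor")
    platform = Group("platform", "System", {"helpdesk", "bob"})
    platform.assign("Cloud Administrator")
    helpdesk.members.add("platform")           # accidental cycle between the two groups
    return {"alice": {"Approver"}}, {g.name: g for g in (helpdesk, platform)}

if __name__ == "__main__":
    direct, groups = sample()
    for user in ("alice", "bob"):
        print(user, sorted(effective_roles(user, direct, groups)))
```

In the constructed data, alice was only ever added to the helpdesk group, yet she ends up with Cloud Administrator through the nesting, which is the kind of result worth reviewing before assigning a role to an outer group.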
You can create user groups by manually entering information or by importing information from your LDAP authentication source.
Roles that Can Perform This Task: Cloud Administrator, Organization Manager (Organization users only)
The following steps explain how to create user groups by manually entering information. For information about creating user groups by importing information from your LDAP authentication source, see Importing System User Groups from LDAP and Section 11.1.3, Manually Importing Organization Users from LDAP.
On the main navigation bar, click .
Click the tab, then click to display the Create User Group dialog box.
Provide the following details to define the user group:
Full Name: Specify the group’s full name as you want it to appear in Cloud Manager.
E-Mail Address: This field is optional. If you enter an email address, any messages generated for the group’s roles are sent to the email address. If you don’t enter an email address, the messages are sent to the group members’ addresses.
In the field, select .
In the field, select the group’s type:
LDAP DN: Select this option to specify an LDAP group. The group’s membership is maintained in the LDAP source. You cannot add users to the group in Cloud Manager.
Use standard LDAP notation to specify the distinguished name of the user group in the LDAP source (for example, cn=orgmanagers,dc=provo,dc=netiq,dc=com).
Cloud Manager: Select this option to create a user group that exists only in Cloud Manager. You maintain the group membership in Cloud Manager. The group can include both users and other groups (including LDAP user groups).
Add members to the group:
Click the tab.
Click , then click to display the Add Members dialog box.
Select the users and user groups you want to add to the group.
You can Shift-click and Ctrl-click to select multiple users and groups.
Click to add the users and user groups to the Members list.
Click .
To assign roles to the user, see Assigning Roles to Users and Groups.
Roles that Can Perform This Task: Cloud Administrator
The following steps explain how to create System user groups by importing information from your LDAP authentication source. For information about creating Organization user groups by manually entering information, see Manually Creating System and Organization User Groups.
An imported user group’s membership is maintained in the LDAP authentication source. Any users who are members of the user group in the LDAP source receive the roles that are assigned to the user group in Cloud Manager.
An LDAP user group’s members are not imported to Cloud Manager and do not display in the group’s list. In addition, you cannot manually add users or user groups to an imported group.
On the main navigation bar, click .
Click , click the tab, then click .
Authenticate to the LDAP directory:
In the Import from Directory dialog box, click the tab.
In the section, fill in the following fields:
Host: Specify the FQDN (fully qualified domain name) or IP address of the host machine running the LDAP server. For example, ldap.mycompany.com or 123.45.67.8.
Port: Specify the TCP port (on the host machine) where the LDAP server is listening for LDAP connections. The standard port for non-SSL connections is 389. The standard port for SSL connections is 636.
Use SSL: If the Cloud Manager Application Server is configured for an SSL connection to the LDAP server, select this option to enable the secure connection.
In the section, fill in the following fields:
User DN: Specify an account that has read rights to the directory location from which you want to import users. For example, cn=Administrator,cn=Users,dc=MyCompany,dc=com
Password: Specify the password for the account.
Password Confirm: Confirm the password for the account.
Click .
If the connection is successful, the Test Status is displayed as . If the connection is not successful, validate the connection information and try again.
Import user groups:
Click the tab.
Click .
When you click , a new import entry is added to the list. You use the fields below the list to define the entry.
In the DN field, use standard LDAP notation (ou=provo,dc=netiq,dc=com) to specify the distinguished name for the target container or object, then click .
If you specify a container, all user groups located within the container are imported. If you only want to import one user group, specify the DN of the user group object.
If you specified a container for import, select .
If you specified a container for import, select if you want to import user groups located in its subcontainers.
Click .
The imported user groups are added to the list. User groups are identified by the icon.
Click to close the System Configuration dialog box.
To assign roles to a user group, see Assigning Roles to Users and Groups.
Roles that Can Perform This Task: Cloud Administrator, Organization Manager
The following steps explain how to create Organization user groups by importing information from your LDAP authentication source. For information about creating Organization user groups by manually entering information, see Manually Creating System and Organization Users.
An imported user group’s membership is maintained in the LDAP authentication source. Any users who are members of the user group in the LDAP source receive the roles that are assigned to the user group in Cloud Manager.
An LDAP user group’s members are not imported to Cloud Manager and do not display in the group’s list. In addition, you cannot manually add users or user groups to an imported group.
On the main navigation bar, click .
Click the tab, select the target organization for the import, click to display the Edit Organization dialog box.
On the tab, click , then click .
Authenticate to the LDAP directory:
In the Import from Directory dialog box, click the tab.
In the section, fill in the following fields:
Host: Specify the FQDN (fully qualified domain name) or IP address of the host machine running the LDAP server. For example, ldap.mycompany.com or 123.45.67.8.
Port: Specify the TCP port (on the host machine) where the LDAP server is listening for LDAP connections. The standard port for non-SSL connections is 389. The standard port for SSL connections is 636.
Use SSL: If the Cloud Manager Application Server is configured for an SSL connection to the LDAP server, select this option to enable the secure connection.
In the section, fill in the following fields:
DN: Specify the distinguished name of an account that has search rights to the directory location from which you want to import users. For example, cn=Administrator,cn=Users,dc=MyCompany,dc=com
Password: Specify the password for the account.
Confirm Password: Confirm the password for the account.
Click .
If the connection is successful, the Test Status is displayed as . If the connection is not successful, validate the connection information and try again.
Import user groups:
Click the tab.
Click .
When you click , a new import entry is added to the list. You use the fields below the list to define the entry.
In the field, use standard LDAP notation (ou=provo,dc=netiq,dc=com) to specify the distinguished name for the target container or object, then click .
If you specify a container, all user groups located within the container are imported. If you only want to import one user group, specify the DN of the user group object.
If you specified a container for import, select .
If you specified a container for import, select if you want to import users located in its subcontainers.
Click .
The imported user groups are added to the list. User groups are identified by the icon.
Assign roles to a user group.
An Organization user group can be assigned roles at the organization level, business group level, or business service level. If you want to assign an imported user group a role at the organization level, continue with the following steps. If you want to assign roles at the other two levels, exit the dialog box and see Assigning Roles to Users and Groups.
User groups must be given roles in order for group members to do anything in the organization. There are six roles that apply at the organization level: Approver, Build Administrator, Business Group Viewer, Business Service Owner, Organization Manager, and Sponsor.
Role assignments at the organization level are inherited by the organization’s business groups. For example, if you give a group the Business Service Owner role for an organization, the group members can create business services for any business group in the organization. If you want to limit the user group to a role in a specific business group, you must make the role assignment in the business group.
Click the role ( , , , > , or ) that you want to assign to a user group.
Click .
Depending on the role that you are adding, the selection dialog box can contain two lists: and . The list includes all members of the organization and the list includes all Cloud Manager System users.
Select the user groups you want to add, then click .
You can Shift-click and Ctrl-click to select multiple groups.
Click to close the Edit Organization dialog box.
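Both import procedures on this page take a target DN and an optional subcontainer setting, and every imported group can later be given roles, so it helps to preview which groups a given target covers. The following added example (not Cloud Manager code) does that, assuming the setting behaves like LDAP one-level versus subtree scope; `split_dn`, `groups_in_scope` and the `GROUPS` list are hypothetical and constructed.

```python
# Added example: models the import scope described on this page; not product code.
def split_dn(dn):
    """Split a DN into RDNs on unescaped commas; lower-case for comparison (assumed
    case-insensitive matching, as most directories use for these attributes)."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current))
    return tuple(r.strip().lower() for r in rdns)

def groups_in_scope(target_dn, group_dns, subcontainers=False):
    """Return the group DNs an import of target_dn would cover."""
    target = split_dn(target_dn)
    selected = []
    for dn in group_dns:
        rdns = split_dn(dn)
        depth = len(rdns) - len(target)
        if rdns == target:                          # target is the group object itself
            selected.append(dn)
        elif depth > 0 and rdns[depth:] == target:  # group lies below the container
            if depth == 1 or subcontainers:
                selected.append(dn)
    return selected

# Constructed directory contents, reusing the page's example naming context.
GROUPS = [
    "cn=orgmanagers,ou=provo,dc=netiq,dc=com",
    "cn=Ops\\, West,ou=provo,dc=netiq,dc=com",      # escaped comma inside one RDN
    "cn=builders,ou=lab,ou=provo,dc=netiq,dc=com",  # in a subcontainer
    "cn=admins,ou=notprovo,dc=netiq,dc=com",        # similar text, different container
]

if __name__ == "__main__":
    for sub in (False, True):
        print(sub, groups_in_scope("ou=provo,dc=netiq,dc=com", GROUPS, subcontainers=sub))
```

Comparing whole RDNs rather than raw string suffixes keeps the ou=notprovo group out of an ou=provo import and counts the escaped comma as part of a single group name.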