Authorization is the main interface in Admin Essentials to view users, groups, and roles. Please note that available views, features, and interactions in the UI are limited based on user permissions.
There are two pathways to access Authorization:
- From the Itential Platform home page, you can navigate to Admin Essentials → Quick Start → Authorization.
- Another way is to click Authorization in the left sidebar to open the accordion menu.
Figure 1: Authorization
Additional information on cloud portal administration for users, groups, and roles can be found in:
Terminology
A list of terms related to Itential Platform users, groups, and roles are defined in the following table.
Term | Definition |
---|---|
User | An entity that can perform specific actions within multiple Itential Platform applications based on group associations. |
Group | A collection of roles that can be assigned to a user. |
Role | A collection of granular level privileges that can be assigned to groups. |
Permission | Authorization granted to an API and a specific page view. |
Provenance | Refers to the source (origin) of a group. For external groups, this is set to the Itential Platform AAA adapterId. For Itential Platform groups, it is not set. |
Users
All operations within Itential Platform are associated with a user. Itential Platform provides the ability to assign roles directly to users. Also, with Itential Platform groups, administrators are able to manage user membership. Users may be a member of any number of groups and through group membership may be assigned any number of roles.
User roles, whether directly assigned or inherited from a group, determine what the user can see and do within Itential Platform. The final permission set of a user will be a combination of permissions granted to all the roles assigned to the user, or to any groups in which the user is a member.
Viewing & Filtering Users
In Platform 6, the Users page view in Admin Essentials contains the contents of the "Users" and the "Service Accounts" tabs.
To view the Admin Essentials → Authorization → Users table, you must have permission for the authorization.getAccounts method. This allows you to access the page, view the list of users, and see their login status.
The indicator circles under the Active column header denote the login status of each user:
● Blue - User is currently logged in.
● Red - User is deactivated.
● Grey - User is not logged in.
The Users table can be filtered by login status using the popover menu in the top-right. Click the vertical ellipsis (⋮) to display two filter toggles:
- Show Active Users Only - Only recently active users are shown in the table.
- Show Deactivated Users - Only deactivated users are shown in the table.
Figure 2: Users Table
Configuring Role Assignments for Users
There are two ways to assign users to Roles:
- Directly
- By group membership
To assign Roles directly to a user:
- Locate the user you wish to assign. Alternately, you can filter the user list by typing in the username column header search box.
- Click the eye icon at the end of the table row to open the View User dialog. The Roles tab displays by default.
- Add or remove role assignments using the checkbox. You can filter the roles list by typing in the Search field.
- Click Close when done.
Roles assigned by Groups are grayed out (disabled). This indicates the assignment is inherited.
Figure 3: View User Roles
Configuring Group Membership for Users
External group memberships for users are managed by the external AAA system and cannot be edited in Itential Platform. A user may only be added or removed from Itential Platform Groups within Authorization. Addition or removal of AAA groups must be performed in the AAA system and will be noticed by Itential Platform the next time the user logs in.
To change the Groups to which a user belongs:
- Click the Groups tab option.
- Find the group in the list. You can filter the list by typing in the column header textbox.
- Add or remove group membership using the checkbox.
- Click Close when done.
Figure 4: View User Groups
Service Accounts
All service accounts on the system are displayed from the Service Accounts tab. Service Accounts in Admin Essentials allow third-party services and applications to call various Itential Cloud APIs without requiring the use of user account credentials. To access the Itential Cloud API, authorization controls are applied using the OAuth2 Client Credentials grant type.
More detail on Service Accounts is explained here: Using Service Accounts to Access Itential Cloud APIs
Groups
An Itential Platform Group is an account created within the Itential Platform system. Users are assigned to Itential Platform groups through Authorization. In contrast, users are assigned to external groups within the external AAA system. Users cannot be assigned to external groups using Itential Platform. An external group is an account that comes from an external AAA System such as LDAP. An external group cannot be created within Itential Platform.
If User1 is a member of Group1 and starts a job, and User2 is not a member of Group1, then User2 will not be able to see the job.
Assigning Groups to Roles
Groups are assigned to roles in two ways:
- Directly
- By membership in another group
To assign roles directly to a group in Itential Platform:
- Select Authorization → Groups from the navbar on the left. A list of defined groups is displayed.
- Locate the group you wish to assign to a role. Alternately, you can filter the group list by typing in the Name column header search box.
- Click the eye icon at the end of the table row to open the View Group dialog. The Roles tab displays by default.
- In the View Group modal, locate the role you wish to assign.
- Filter the list by typing in the Name or Source search bar.
- Add or remove a role assignment by selecting the checkbox.
- Click Close when done.
Roles which are assigned by other groups are grayed out (disabled). This indicates the assignment is inherited.
Assigning Group Membership
Itential Platform groups and external groups can be given membership to an Itential Platform group; however, neither group can be given membership to an external group.
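The role-resolution rule stated in the Users section (a user's final permission set is the union of directly assigned roles and roles inherited through group membership) combined with the group-in-group membership and the external-group restriction described above, as an added example that is not code from Itential Platform. The data structures, group names and role names are constructed for illustration; inherited roles are reported separately because the UI greys them out.

```python
from collections import deque

# Constructed sample data (not from the page): direct role assignments,
# user-to-group membership, group-to-role assignments and group-to-group
# membership (key = member group, value = the groups it belongs to).
USER_ROLES = {"alice": {"app-a:read"}, "bob": set()}
USER_GROUPS = {"alice": {"netops"}, "bob": {"contractors"}}
GROUP_ROLES = {
    "netops": {"app-a:write"},
    "platform-admins": {"admin"},
    "contractors": {"app-b:read"},
}
GROUP_PARENTS = {"netops": {"platform-admins"}, "contractors": set(), "platform-admins": set()}
# Provenance: set to an AAA adapterId for external groups, None for platform groups.
GROUP_PROVENANCE = {"netops": None, "platform-admins": None, "contractors": "ldap-adapter"}


def effective_roles(user):
    """Return (all effective roles, roles that are only inherited via groups).

    Walks group membership transitively, so a role on a parent group reaches
    users of its member groups; a visited set guards against membership cycles.
    """
    direct = set(USER_ROLES.get(user, ()))
    inherited = set()
    seen, queue = set(), deque(USER_GROUPS.get(user, ()))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        inherited |= GROUP_ROLES.get(group, set())
        queue.extend(GROUP_PARENTS.get(group, ()))
    return direct | inherited, inherited - direct


def add_group_member(parent, child):
    """Make `child` a member of `parent`, enforcing the page's rule that no group
    may be made a member of an external group (its membership lives in the AAA system)."""
    if GROUP_PROVENANCE.get(parent) is not None:
        raise ValueError(f"{parent} is an external group ({GROUP_PROVENANCE[parent]}); "
                         "membership must be changed in the AAA system")
    GROUP_PARENTS.setdefault(child, set()).add(parent)
```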
To assign group membership:
- Select Authorization → Groups from the navbar on the left. A list of defined groups is displayed.
- Locate the group in the list. You can filter the list by typing in the Search field.
- Select the group in the list to view by clicking the eye icon at the end of the table row.
- From the View Group modal, select Groups.
- Add or remove group membership by selecting the checkbox.
- Click Close when done.
Identifying Group Members
To view group members:
- Select the Members tab on the View Group modal to display the members list of users that are direct members of a group. There is no indicator for inherited memberships.
- Locate the member username in the list. You can filter the list by typing in the Search bar.
- Click Close when done.
Roles
A role is a bundle of permissions assigned to users and groups, and it grants permission to access one or more endpoints. Endpoints are defined by each application in the cloud Platform. There are essentially two types of endpoints, as shown below.
Endpoint | Description |
---|---|
API Methods | Represent API Endpoints that read or write data. |
UI Views | Represent web pages in the browser. A view will typically rely on one or more methods to read/write data. |
The Platform comes with several built-in roles that offer a set of ready-to-use permissions and access levels, and a role may be assigned to any number of users or groups to provide access to the endpoints granted to that role.
All the roles available in Itential Cloud are presented here: Assigning Roles and Permissions
To view roles by endpoint:
- Select Roles from the left-side navigation menu. A table list displays. There is a role for each application installed in the system.
- Optionally, type in the search bar to sort/filter by role, application associated with the role, or by description.
- Click the view icon for your desired role to open the View Role modal, which shows all the API Methods and UI Views for a role. You can sort and filter using the Method and Source fields.
Figure 5: View Role API Methods
Figure 6: View Role UI Views
Clients
The Authorization Clients view displays a list of clients for Service Accounts. Click a client name in the list to open the Client Details page, which displays the Client ID and a timestamp identifying the date and time a Client Secret was generated. Use the toggle switch located at the top to enable (turn on) or disable (turn off) the Service Account. Authentication is not permitted against disabled Service Accounts.
For security reasons, the ability to edit a Service Account client is protected by the service-accounts:read and service-accounts:write Cloud application roles. To grant a user the right to edit client permissions for a Service Account, you must enable these roles in the groups whose users need to create or modify Service Accounts.
Figure 7: Authorization Clients
Figure 8: Client Details
Exporting Authorization Data
Customers have the ability to export a list of Users, Groups, and Roles from the Authorization interface into a CSV-formatted file, which can be named and saved to a download folder on your system. The CSV data, in turn, can be used as a reference list (data report) to help track what role a user belongs to and see the groups to which each user belongs.
To utilize this export feature you:
- Must have assigned permissions to read/write roles on user and group entities.
- Must have assigned permissions to perform the export.
To export your authorization data:
- Navigate to Admin Essentials → Authorization.
- Click the export icon. A confirmation dialog displays.
- Click the Download button. A copy of a CSV-formatted file is downloaded to your system.
- Go to the location where the CSV file is saved.
- Open the CSV file in your spreadsheet application of choice (e.g., Microsoft Excel, Google Sheets, Smartsheet, etc). In our example, Microsoft Excel is used.
Figure 9: Export Authorization Data
Figure 10: Authorization Data File
The items in the CSV file and what they represent are referenced below.
Column Header | Description |
---|---|
User ID | Identifier of the user account. |
Provenance | The name of the AAA the user comes from. |
Username | The unique name of the user account. |
First name | The user’s first name. |
Email | The email address associated with the user account. |
Last Login | The last date and time of login. |
Active | A boolean to indicate if the user account is active. Uses the values “true/false”. |
Groups Names | A list of group names to which the user belongs. Each group name includes its provenance. |
Roles Names | A list of roles which are assigned to the user. |
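A small access-review script over an export in the column layout described above, as an added example that is not part of the page or of Itential's tooling. The CSV content is constructed; the "Email" header, the ";" separator inside the Groups Names and Roles Names columns and the ISO-8601 Last Login format are assumptions, since the page does not specify them.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export (not a real Itential file). Headers follow the
# export table; "Email", the ";" list separator and the timestamp format are assumed.
SAMPLE_CSV = """User ID,Provenance,Username,First name,Email,Last Login,Active,Groups Names,Roles Names
u1,,alice,Alice,alice@example.com,2024-05-01T09:00:00Z,true,netops,app-a:read;app-a:write
u2,ldap-adapter,bob,Bob,bob@example.com,2023-01-15T12:00:00Z,true,contractors (ldap-adapter),app-b:read
u3,,carol,Carol,carol@example.com,2024-04-20T08:00:00Z,false,,admin
u4,,dave,Dave,dave@example.com,,true,,
"""


def _parse_ts(value):
    """Parse the assumed ISO-8601 'Z' timestamp; an empty cell means never logged in."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None


def parse_export(text):
    """Read the export into rows with typed Active, Last Login and list columns."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["Active"] = row["Active"].strip().lower() == "true"
        row["Last Login"] = _parse_ts(row["Last Login"].strip())
        row["Groups Names"] = [g for g in row["Groups Names"].split(";") if g]
        row["Roles Names"] = [r for r in row["Roles Names"].split(";") if r]
    return rows


def review_export(text, now_iso, stale_days=90):
    """Return (username, finding) pairs a reviewer would want to follow up on:
    deactivated accounts that still carry roles, active accounts with no access
    at all (likely orphaned), and active accounts with no or stale logins."""
    now = _parse_ts(now_iso)
    cutoff = now - timedelta(days=stale_days)
    findings = []
    for row in parse_export(text):
        user = row["Username"]
        if not row["Active"] and row["Roles Names"]:
            findings.append((user, "deactivated account still holds roles"))
        if row["Active"] and not row["Roles Names"] and not row["Groups Names"]:
            findings.append((user, "active account with no roles or groups"))
        if row["Active"] and (row["Last Login"] is None or row["Last Login"] < cutoff):
            findings.append((user, "active account with stale or missing login"))
    return findings
```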