
CSM

Managing Groups

"A Group is a collection of application users. By combining users into a Group, it becomes easier to manage their collective roles and access rights in your application. When you select an existing group and associate a new Protection Group and Roles with that group, all users in that particular Group have the same rights." (excerpt from the caCORE CSM v4.2 Programmer's Guide)


Overview


There are two types of groups that the CSM web service can interact with: Local Groups and Linked Grid Grouper Groups. A Local Group is a group that is created and managed directly in the CSM system. A Linked Grid Grouper Group is a local group that is linked to a remote Grid Grouper group. The Grid Grouper group and the linked local group are kept in sync so that all members of the Grid Grouper group are members of the linked local group. For more information related to creating and managing Grid Grouper groups, refer to the Grid Grouper documentation.

The Groups tab of the Access Control Management interface allows CSM application administrators to search for, add and remove local groups. Administrators can also create linked groups that are associated with an external Grid Grouper group. To use the Groups tab, launch the CSM administrative interface and search for the application whose groups you wish to manage. Click on the application name to highlight it, click the View button and click the Groups tab from the Access Control Management interface.

Administrative Access


In order to manage CSM applications and resources, you must be logged into a grid account that is configured to be a CSM administrator. During the installation process, it was recommended that at least one grid identity be added as a CSM administrator. If your account was not configured to be a CSM administrator, review step 7 of the Installation Guide.

If you have added your grid account as a CSM administrator but you are experiencing an error similar to the one pictured to the right, make sure that you specified the correct grid account in the Credential select box of the Application Access Control interface.

Searching for Groups


The group search interface allows you to search for both local groups and grid grouper linked groups. Enter the name of the group you wish to search for in the Name input box located in the Group Search pane. You may use the * character as a wildcard in your search criteria. Click the Search button and all matching group names will be displayed in the Groups box. Clicking Search without entering anything in the Name input box will return all local and linked grid grouper groups associated with the selected CSM application.

Notice that in the search results a small CSM icon appears next to local group names and a small Grid Grouper icon appears next to linked grid grouper group names. Clicking on the name of a group in the search results loads more detail in the display panel on the right side of the interface. The Members box will be populated with the grid users that are associated with the local group or linked grid grouper group. The following two screenshots show details for a local group named Local Group (which has no users) and a linked grid grouper group named Training: Tranees Linked Group (which has many grid users).

Creating a Local Group


To create a new local group, click on the Create Group button located below the Groups search result box. This will launch the Create Group interface. Enter a name for your group and optionally enter a description. Clicking the Create button will create the new local group and update the Groups search results box.

Group names must be unique within a CSM application. If you attempt to create a new group with a name that already exists, you will receive the following error message:

Modifying a Local Group


Existing local groups can be modified, but linked grid grouper groups cannot. To modify a local group, click on its name in the search results box to load its full details in the right-hand display frame. The Name and Description values of the local group may be updated, but the Id and Last Updated fields are read only. Once you have finished making changes, click on the Modify button. The Last Updated field should automatically be set to the current date. If you change the local group's name to a preexisting group name, you will receive an error message similar to the one shown in the Creating a Local Group section.

Removing a Local Group


To remove a local group, perform a search whose results include the group you would like to delete. Click on the name of the local group in the search results box to highlight it. Click on the Remove Group button to remove the local group. Notice that the Unlink Group button is not clickable when local groups are selected. If you select a linked grid grouper group, the Unlink Group button will be clickable and the Remove Group button will not. Local groups are created and removed while linked grid grouper groups are linked and unlinked.

Use caution with this feature! Clicking Remove Group does not prompt for confirmation and cannot be undone.

Adding Users to a Local Group


To add users to a local group, first click on the name of the group in the search results box. The Local Group panel will update with the group's details and the Members box will display all of the users that are currently added to the group. To add a new user, click the Add button located below the Members box. This will launch the Add Member interface.

Enter the grid identity of the user you would like to add to the local group in the Member Identity input box. For example, a grid identity for the Training grid will look similar to the following:

/O=caBIG/OU=caGrid/OU=Training/OU=Dorian/CN=someUsername

Click the Add button to add the grid user to the local group. The Members box should refresh, showing the user that you added.
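
An added example, not part of the original guide or of the CSM code base: a check an administrator could run on an identity string before pasting it into the Member Identity box, since membership confers the group's roles. It assumes identities are slash-delimited attribute=value pairs ending in CN, as in the sample above; the function names and `EXPECTED_PREFIX` are hypothetical.

```python
import re

# Assumption: the issuer prefix expected for Training grid accounts,
# copied from the sample identity shown in this guide.
EXPECTED_PREFIX = "/O=caBIG/OU=caGrid/OU=Training/OU=Dorian"

_COMPONENT = re.compile(r"^([A-Za-z]+)=(.+)$")


def parse_grid_identity(identity):
    """Split a slash-delimited identity into (attribute, value) pairs.

    Raises ValueError unless the string has the form /K=V/K=V/.../CN=name.
    Values containing '/' are not supported by this simple splitter.
    """
    if identity != identity.strip():
        raise ValueError("leading or trailing whitespace")
    if not identity.startswith("/"):
        raise ValueError("identity must start with '/'")
    pairs = []
    for part in identity[1:].split("/"):
        match = _COMPONENT.match(part)
        if not match:
            raise ValueError(f"malformed component: {part!r}")
        pairs.append((match.group(1).upper(), match.group(2)))
    if pairs[-1][0] != "CN":
        raise ValueError("last component must be the user's CN")
    return pairs


def check_member_identity(identity, expected_prefix=EXPECTED_PREFIX):
    """Return (ok, detail) for an identity about to be added to a group."""
    try:
        pairs = parse_grid_identity(identity)
    except ValueError as exc:
        return False, str(exc)
    # Compare whole components, not a string prefix, so that a look-alike
    # such as OU=DorianX does not pass as OU=Dorian.
    prefix = parse_grid_identity(expected_prefix + "/CN=x")[:-1]
    if pairs[:-1] != prefix:
        return False, "identity was not issued under the expected prefix"
    return True, "CN=" + pairs[-1][1]
```
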

The Add Member interface includes a Find button for searching for grid users to add to the Member Identity input field. However, in the current release only Dorian Administrators may use this feature. If you are not a Dorian Administrator, you will receive the following error message:

If you are a Dorian Administrator, you can search for users by user id, name, email, user status, grid identity or identity provider. After you have entered your search criteria, click the Search button and all matching user accounts will be displayed in the Users box. Click on the name of the user you wish to add to highlight it and click the Select button. The user's grid identity will be entered in the Member Identity field of the Add Member interface.

Removing Users from a Local Group


To remove a user from a local group, first select the name of the local group in the search results box. The Members box on the right side of the interface will be populated with all of the group's existing users. Click on the grid identity that you wish to remove. Click the Remove button to remove the user from the local group.

Use caution with this feature! Clicking Remove does not prompt for confirmation and cannot be undone.

Using Linked Grid Grouper Groups


Rather than managing a group and its users locally, you can link a remotely administrated Grid Grouper group to a local group. Using this approach will synchronize the local group with the remote grid grouper group, making all of the grid grouper group's users members of the local group. The grid grouper group linking process creates a local group that cannot be modified in the CSM admin interface. Adding and removing users must be done using the Grid Grouper service. For more information on adding and removing users from a grid grouper group, refer to the Grid Grouper documentation.

Linking a Grid Grouper Group


To create a new linked grid grouper group, click the Link Group button located below the Groups search results box. The Link Remote Group interface should appear. Enter the full URL of the Grid Grouper service in the Grid Grouper input box, and enter the name of the grid group in the Remote Group Name input box. Enter a name for the local group that will be associated with the linked grid grouper group in the Local Group Name field.

The screenshot shows the creation of a linked grid group that is tied to the Training Grid's Grid Grouper Service (URL: https://grouper.training.cagrid.org:8443/wsrf/services/cagrid/GridGrouper). The remote grid group name is Training:Trainees. Click the Link Remote Group button to finish creation of a linked grid grouper group. The Local Group Name value must be unique. If you attempt to link a new grid grouper group using an existing local group name, you will receive an error message. Once the linked grid grouper group is created, clicking on its name in the search results list will populate the Remote Group pane with group details. The Members box should be populated with all of the grid users that are associated with the remote grid group. Notice that the Add and Remove buttons are not clickable. You must use the Grid Grouper Service interface to add and remove users from the grid group.

Another way to specify the Grid Grouper and Remote Group Name field values is to use the Select Group interface. To launch it, click the Find... button located on the Link Remote Group interface. The Grid Grouper select box should contain all of the Grid Grouper services available on the grid your CSM web application is configured to use. Selecting a Grid Grouper Service from the list will launch a Grid Grouper search that will populate the Select Group box. If there is only one grid group listed in the Grid Grouper select box, the search will launch automatically when the interface appears.

In the first example screenshot, notice that the Training Grid Grouper Service is being searched. The blue and white striped bar indicates that a search is running and has not yet completed. Wait for the Grid Grouper Service Successfully Loaded!!! message before you interact with the Select Group search results box. The second example screenshot shows a search that has successfully completed.

Search for the grid group you wish to add by expanding the tree of search results. Clicking one of the small gray arrows will expand the tree nodes. The grid group icon indicates which entries are grid groups and can be selected for linking. Click on a grid group name and click the Select Group button to link the grid group. In the previously pictured example screenshot, the Trainees grid group located under the Training grid node has been selected.

Unlinking a Grid Grouper Group


To unlink an existing linked grid grouper group, first perform a search whose results include the linked group you wish to delete. Click on the name of the linked grid group to highlight it. Click on the Unlink Group button to delete the linked grid group. Note that this removes the local group linked to the remote grid group but does not affect the remote grid group in any way. The group will still exist on the Grid Grouper service and can be re-linked in the future. The only way to delete the remote grid group is to interact directly with the Grid Grouper service.

Use caution with this feature! Clicking Unlink Group does not prompt for confirmation and cannot be undone.

Next Steps:

Learn how to manage permissions using the Managing Permissions guide.

Last edited by
Keith Gasper (771 days ago)