02-08-2018 01:26 AM - edited 03-01-2019 06:26 AM
Hi
I have an environment with 4 vDCs.
Each vDC belongs to a different LDAP user group.
Now I have a user which is in two of these four ldap groups.
The user wants to see both vDC instances in the Service End-User interface.
For example the user "Martin".
Martin needs access to the Service End-User Interface to administrate some VMs. The VMs are spread over two different vDCs.
Martin is in the ldap groups UCSD_Training and UCSD_Development.
Martin wants to see the vDC_Training and the vDC_Development.
vDC Names | ldap Group Names |
---|---|
vDC_Infrastructure | UCSD_Infrastructure |
vDC_Training | UCSD_Training |
vDC_Testing | UCSD_Testing |
vDC_Development | UCSD_Development |
How should I configure the UCSD so that the user can see both vDC instances and administrate the VMs?
I tried some things in the Manage Profiles menu, but nothing worked correctly.
The user Martin always saw only one vDC.
Thanks and Regards,
Fabian
02-08-2018 09:57 AM
The user needs 2 login profiles.
Phani – or is there a different way?
02-09-2018 12:18 AM
Thanks for the input.
I understand, if a user wants to see a different vDC from another group, he has to change the default profile in the "Edit My Profile" settings. That's not very intuitive, but it works.
It would be nice to see all vDCs from all groups in the Virtual Resources menu.
02-09-2018 04:16 AM
Keep in mind that when you order things from the catalog you have to be either in one group or another. Hence you have to swap the profile.
02-28-2018 10:43 AM
IIRC, you should also be able to sign in with your group name without having to use that change profile link.
e.g.
vDC_Infrastructure:myusername
vDC_Training:myusername
02-28-2018 11:50 AM
I think you can since I know there was a bug around that in UCSD 6.5
02-21-2020 02:49 PM
Hello,
Let me follow up on this thread. I am unable to create profiles for an end user. Is it by design, or am I missing something? I have UCSD 6.7 with an MSP-based setup. When I add another profile (Manage Profiles) to the user, I can only see his default group in the drop-down list. There are multiple groups visible, but only for the MSP admin role (and AllPolicy admin of course), not for an end user. Our users come from LDAP, so I cannot force them to have multiple LDAP accounts (against company policy). I thought profiles could be used for this purpose, but no luck. Any thoughts?
Cheers,
Krzysztof
03-31-2020 01:41 PM
in my environment:
ucsd 6.7.2.0.67345
non-MSP setup
I used Group share policy to enable the user to see/manage VMs in multiple VDCs.
users & groups are LDAP based.
This is how I went about it:
Create a group, e.g. ucsd_HR, in Active Directory.
Create a group, e.g. ucsd_MIS, in Active Directory.
Kick off the UCSD -> System Task -> User & Group -> Site_LDAP sync to read the groups into UCSD.
In UCSD, under User & Groups -> Group Share Policy, create a policy, e.g. "allow intergroup Access". Edit it and select all groups except "Default Group" and "Domain Users", i.e. ucsd_HR and ucsd_MIS are included in the "allow intergroup Access" policy. I suggest NOT checking "Allow resources assignment to users", as users come and go often compared to groups/departments. It is preferred to have VMs owned by groups rather than owned by users.
Create the corresponding VDCs, e.g. HR_vdc and MIS_vdc, and create a test HR_VM and a MIS_VM in the respective VDCs.
Now, on the AD side, add a user, e.g. johnnywalker, to ucsd_HR first. On the UCSD side, run the LDAP sync; this will read in johnnywalker (assuming you set up LDAP to pull in users and auto-assign them as Service End-User). johnnywalker will have an access and base profile to ucsd_HR.
Next, on the AD side, add johnnywalker to ucsd_MIS. On the UCSD side, run the LDAP sync; this will read in johnnywalker. johnnywalker will now have an additional access and profile to ucsd_MIS.
Now, edit johnnywalker's Access Profile: edit ucsd_HR, uncheck "Show resources from all groups the user has", click Sharedgroup "select", then browse and select ucsd_MIS. (This modification means that when johnny logs in and uses the HR access profile, he can also see and manage the VMs in MIS's VDC.)
Next, again in johnnywalker's Access Profile: edit ucsd_MIS, uncheck "Show resources from all groups the user has", click Sharedgroup "select", then browse and select ucsd_HR. (This modification means that when johnny logs in and uses the MIS access profile, he can also see and manage the VMs in HR's VDC.)
Workable, but very messy, especially if the user belongs to more than 3 groups.
Take note:
On the AD side, if you assign johnny to ucsd_HR and ucsd_MIS, upon UCSD LDAP import johnny will randomly have base access profile HR and additional access profile MIS. So, if you want to control the order of the base access profile, add the user to one group first, run the UCSD LDAP sync, then add the user to the second group, then run the UCSD LDAP sync again, to ensure the first group is always the base access profile.