
User in multiple groups

fabian.wirz
Level 1

Hi

I have an environment with 4 vDCs.

Each vDC belongs to a different LDAP user group.

Now I have a user which is in two of these four ldap groups.

The user wants to see both vDC instances in the Service End-User interface.


For example the user "Martin".

Martin needs access to the Service End-User Interface to administrate some VMs. The VMs are spread over two different vDCs.

Martin is in the ldap groups UCSD_Training and UCSD_Development.

Martin wants to see the vDC_Training and the vDC_Development.


| vDC Names | LDAP Group Names |
|---|---|
| vDC_Infrastructure | UCSD_Infrastructure |
| vDC_Training | UCSD_Training |
| vDC_Testing | UCSD_Testing |
| vDC_Development | UCSD_Development |

How should I configure UCSD so that the user can see both vDC instances and administrate the VMs?

I tried some things in the Manage Profiles menu but nothing worked correctly.

The user Martin always saw only one vDC.

Thanks and Regards,

Fabian



Orf Gelbrich
Cisco Employee

The user needs 2 login profiles.

Phani – or is there a different way?

fabian.wirz
Level 1

Thanks for the input.

I understand: if a user wants to see a different vDC from another group, he has to change the default profile in the "Edit My Profile" settings. That's not very intuitive, but it works.

It would be nice to see all vDCs from all groups in the Virtual Resources menu.


Keep in mind that when you order things from the catalog you have to be either in one group or another. Hence you have to swap the profile.

IIRC, you should also be able to sign in with your group name without having to use that change profile link.

e.g.

vDC_Infrastructure:myusername

vDC_Training:myusername

I think you can since I know there was a bug around that in UCSD 6.5

Hello,

Let me follow up on this thread. I am unable to create profiles for an end user. Is it by design or am I missing something? I have UCSD 6.7 with an MSP-based setup. When I add another profile (Manage Profiles) to the user, I can only see his default group in the drop-down list. There are multiple groups visible, but only for the MSP admin role (and AllPolicy admin of course), not for an end user. Our users come from LDAP, so I cannot force them to have multiple LDAP accounts (against company policy). I thought profiles could be used for this purpose, but no luck. Any thoughts?

Cheers,

Krzysztof

In my environment:

UCSD 6.7.2.0.67345

non-MSP setup

I used a Group Share Policy to enable the user to see/manage VMs in multiple VDCs.

Users & groups are LDAP based.

This is how I went about it:

Create a group, e.g. ucsd_HR, in Active Directory.

Create a group, e.g. ucsd_MIS, in Active Directory.

Kick off the UCSD -> System Task -> user & group -> Site_LDAP sync to read the groups into UCSD.

In UCSD, under User & Groups -> Group Share Policy, create a policy, e.g. "allow intergroup Access". Edit it and select all groups except "Default Group" and "Domain Users", i.e. ucsd_HR and ucsd_MIS are included in the "allow intergroup Access" policy. I suggest NOT checking "Allow resources assignment to users", as users come and go often compared to groups/departments. It is preferred to have VMs owned by groups rather than owned by users.

Create the corresponding VDCs, e.g. HR_vdc and MIS_vdc, then create a test HR_VM and a MIS_VM in the respective VDCs.

Now, on the AD side, add a user, e.g. johnnywalker, to ucsd_HR first. On the UCSD side, run the LDAP sync; this will read in johnnywalker (assuming you set up LDAP to pull in users and auto-assign them as Service End-User). johnnywalker will have an access and base profile to ucsd_HR.

Next, on the AD side, add johnnywalker to ucsd_MIS. On the UCSD side, run the LDAP sync; this will read in johnnywalker. johnnywalker will now have an additional access and profile to ucsd_MIS.

Now edit johnnywalker's Access Profile: edit ucsd_HR, uncheck "Show resources from all groups the user has", click Sharedgroup "select", then browse and select ucsd_MIS. (This modification means that when johnny logs in and uses the HR access profile, he can also see and manage the VMs in the MIS vdc.)

Next, again in johnnywalker's Access Profile: edit ucsd_MIS, uncheck "Show resources from all groups the user has", click Sharedgroup "select", then browse and select ucsd_HR. (This modification means that when johnny logs in and uses the MIS access profile, he can also see and manage the VMs in the HR vdc.)

Workable, but very messy, especially if a user belongs to more than 3 groups.

Take note:

On the AD side, if you assign johnny to both ucsd_HR and ucsd_MIS, then upon UCSD LDAP import johnny will randomly have base access profile HR and additional access profile MIS. So, if you want to control the order of the base access profile, add the user to one group first, run the UCSD LDAP sync, then add the user to the second group, then run the UCSD LDAP sync again, to ensure the first group is always the base access profile.
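The per-profile edits described in the reply above multiply with every group a user belongs to. As an added example (not from the thread and not Cisco code), this script reads a directory group export and lists, for each user in more than one `ucsd_` group, which shared groups to select on each access profile, so sharing stays limited to groups the user is actually a member of. The LDIF-style sample, the DNs, the `example.com` domain and all function names are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample export; DNs and domain are made up, group names follow the post.
SAMPLE_LDIF = """\
dn: CN=ucsd_HR,OU=Groups,DC=example,DC=com
member: CN=johnnywalker,OU=Users,DC=example,DC=com
member: CN=alice,OU=Users,DC=example,DC=com

dn: CN=ucsd_MIS,OU=Groups,DC=example,DC=com
member: CN=johnnywalker,OU=Users,DC=example,DC=com

dn: CN=Domain Users,OU=Groups,DC=example,DC=com
member: CN=johnnywalker,OU=Users,DC=example,DC=com
"""

def first_cn(dn):
    """Return the CN value of the first RDN of a DN (no escaped commas expected)."""
    key, _, value = dn.split(",", 1)[0].partition("=")
    return value.strip() if key.strip().upper() == "CN" else dn.strip()

def memberships(ldif, prefix="ucsd_"):
    """Map user -> sorted groups, keeping only groups whose name starts with prefix."""
    groups = defaultdict(set)
    current = None
    for line in ldif.splitlines():
        attr, sep, value = line.partition(":")
        if not sep:
            current = None  # blank line ends the current group entry
        elif attr.lower() == "dn":
            name = first_cn(value)
            current = name if name.startswith(prefix) else None  # skips Domain Users
        elif attr.lower() == "member" and current:
            groups[first_cn(value)].add(current)
    return {user: sorted(g) for user, g in groups.items()}

def sharing_plan(ldif):
    """For each user in 2+ groups: access profile group -> shared groups to select."""
    plan = {}
    for user, groups in memberships(ldif).items():
        if len(groups) > 1:
            plan[user] = {g: [o for o in groups if o != g] for g in groups}
    return plan

if __name__ == "__main__":
    for user, profiles in sharing_plan(SAMPLE_LDIF).items():
        for group, shared in profiles.items():
            print(f"{user}: profile {group} -> shared groups: {', '.join(shared)}")
```
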
