Assigning/Revoking User Roles (LDAP/AD/SAML)

If the Platform Administrator configured the deployment to use LDAP or Active Directory user authentication (see The User Authentication Screen), then there are two ways to assign/revoke user roles.

NOTE If the platform handles user authentication, then you will manage user assignments on the authentication server as described in Assigning/Revoking User Roles (Local).

LDAP/AD user accounts in the deployment fall into two groups:

Auto-added from a tenant authentication group: See Automatically Added.
Manually added by the Platform Administrator: See Manually Added.

Automatically Added

The tenant/project roles for users who have been automatically added via a tenant authentication group cannot be changed in the User Assignment screen. These users are based on LDAP/AD group membership, and the deployment grants the roles specified by the tenant authorization groups every time one of these users logs in. The Platform Administrator can temporarily delete an automatically-added user, but the account will be re-created next time the user logs in. See Configuring User Authentication Settings.

To permanently remove such a user's role in a tenant or project, either remove that user's groups from the tenant's authorization groups, or change the user's group membership at the LDAP/AD server. If that user has a current session, then they will be able to continue accessing the deployment until that session expires; however, a Platform Administrator can end the session at any time, as described in Managing User Sessions.

Manually Added

The Platform Administrator may choose to manually add an LDAP/AD-based user account for various reasons, such as:

If the user needs to be granted Platform Administrator privileges.
If the deployment is not using group-based authentication for tenant/project and container access.
If the tenant and/or project roles require manual management, as exceptions to group-based authentication settings.

If you are manually adding a user who already has an account that was automatically created by logging in and being granted group-level privileges, then you must first delete that existing user account and then re-add that user account manually, including granting the desired privileges.

NOTE See User Authentication for more information on how the deployment handles user authentication.

To manually add an external user:

Open the User Management screen (see The User Management Screen).
Click the Add User button to open the Add New User screen.
Check the External User check box.
Provide the login name of the user in the Login field.
Click the Submit button to save your changes.

The User Management screen refreshes to include the name of the newly-added user.
Click the Details button for the newly-added user to open the User Details screen for that user.
Click the Assign button, and then assign the desired tenant/project roles to the user as described in Assigning/Revoking User Roles (Local).