Authentication Groups
When configured for platform-wide LDAP/AD user authentication (see The User Management Screen and Configuring User Authentication Settings) the addition of LDAP/AD groups (called authentication groups) to a tenant or project as Tenant/Project Members, Tenant/Project Administrators, or Platform Administrators via the External Authentication tab is supported, as described in Configuring User Authentication Settings.
This feature lets you avoid having to manually add individual users. Each authentication group may be associated with up to one role per tenant or project. A pop-up error dialog appears if you try to assign multiple roles to the same authentication group within a single tenant.
An LDAP/AD user who belongs to one of a tenant's or project's authentication groups, as declared by the memberOf or isMemberOf attribute in that user object, can log in and act within that tenant/project.
The isMemberOf variant attribute is currently only supported for the purposes of UI/API login and tenant/project role assignment. The default authentication package used in the container login feature still requires memberOf as the group pointer. If isMemberOf needs to be recognized for container login purposes, then the authentication package will need to be modified.
Such a user is treated as follows:
- A user who is a member of at least one tenant authentication group can log into a tenant/project using their LDAP/AD credentials.
- A user who is authenticated because of group membership will have their role in a tenant (i.e. member or admin) determined by the role associated with that group.
- A user who is a member of multiple authentication groups for a tenant or project will have the Tenant Administrator role in that tenant if any of those groups are associated with the Tenant Administrator role.
- User privileges persist for the duration of a session. A session lasts until the user logs out, 24 hours pass, or until a Platform Administrator terminates the session as described in Managing User Sessions, whichever comes first.
- Changes to tenant authentication groups and role associations, or changes to group memberships on the LDAP/AD server, will apply to affected users the next time they log in and establish a new session.
The user account for a group-authenticated user is created whenever that user logs in. This behavior has the following implications:
- Login-time account creation for a user will not occur if the Platform Administrator has manually added that user as an externally-authenticated LDAP/AD user. In that case, the user's manually assigned tenant/project roles will take precedence over the effects of any authentication group memberships.
- The Platform Administrator cannot modify the roles assigned to users who belong to an authentication group but who have not been manually added. These changes must happen at the LDAP/AD server level.
- Users who belong to an authentication group will not appear in the User Management screen until they log into HPE Ezmeral Runtime Enterprise or a specific tenant/project for the first time.
- Removing an authentication group user from the User Management screen does not override their group-based access permissions, because the affected user will simply be able to log back in and re-create their user account.
Changing such a user's access privileges requires either removing them from the authentication group at the LDAP/AD server or changing the role associated with the entire authentication group (see Editing an Existing Kubernetes Tenant or Project).
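The role-resolution rules above (manually added users take precedence, Tenant Administrator wins across multiple groups, isMemberOf counts only for UI/API login) as an added example, not the product's own code; the group DNs, user names and dictionary shapes are constructed assumptions for illustration.

```python
# Constructed sample data; the DNs, names and dict shapes are assumptions for
# illustration, not the product's own configuration format.
TENANT_GROUP_ROLES = {
    "cn=data-science,ou=groups,dc=example,dc=com": "Tenant Member",
    "cn=platform-ops,ou=groups,dc=example,dc=com": "Tenant Administrator",
}

# Users a Platform Administrator added by hand as externally-authenticated users.
MANUALLY_ADDED_USERS = {"alice": "Tenant Member"}


def _norm(dn):
    # LDAP DNs compare case-insensitively; normalise before matching.
    return dn.strip().lower()


def group_dns(user_entry, login_kind):
    """Group DNs the platform consults for this login kind.

    UI/API login honours both memberOf and isMemberOf; the default container
    login package still reads only memberOf.
    """
    groups = {_norm(g) for g in user_entry.get("memberOf", [])}
    if login_kind == "ui_api":
        groups |= {_norm(g) for g in user_entry.get("isMemberOf", [])}
    return groups


def effective_role(username, user_entry, login_kind="ui_api"):
    """Role the user gets in the tenant for a new session, or None for no access."""
    # A manually added user keeps the role the Platform Administrator assigned;
    # authentication group membership does not override it.
    if username in MANUALLY_ADDED_USERS:
        return MANUALLY_ADDED_USERS[username]
    roles = {TENANT_GROUP_ROLES[g] for g in group_dns(user_entry, login_kind)
             if g in TENANT_GROUP_ROLES}
    if not roles:
        return None
    # Membership in several groups: Tenant Administrator wins if any group has it.
    if "Tenant Administrator" in roles:
        return "Tenant Administrator"
    return roles.pop()
```

Because roles are evaluated only when a session is established, a change on the LDAP/AD server shows up in this function's result at the user's next login, matching the session behaviour described above.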