This page last changed on Jul 29, 2009 by smaddox.

Within any given directory, you can choose the groups and roles to which each user belongs. Note that a user's group membership is particularly important, as groups are often used to control access to applications.

Groups

The Crowd Administration Console provides two ways of adding users to or removing users from a group:

  • The group management screen for a specific group — Here you can add many users at once to the selected group.
  • The user management screen for a specific user — Here you can add the selected user to one or more groups at a time.

Full instructions are in Adding Users to a Group and Removing Users from a Group.

Roles

As previously announced, roles are now deprecated in Crowd. We have not changed the functionality of roles in Crowd 2.1, but we do recommend that you move away from the use of roles in your Crowd installation so that you will not be adversely affected by the planned redesign of role functionality. Roles are disabled by default when you create a new LDAP directory. We recommend that you leave roles disabled, unless you have existing data that includes roles.

At present, the implementation of roles in Crowd is identical to the implementation of groups. This design does not provide much useful functionality, so we are planning to redesign the way Crowd supports roles. If you would like to help us to design better role-based access control, please add a comment to the improvement request CWD-931, letting us know how you would like to see it work.

To add a user to a role:

  1. Log in to the Crowd Administration Console.
  2. Click the 'Users' link in the top navigation bar.
  3. This will display the User Browser. Select the relevant directory, locate the user you wish to add, and click the link on the user's name.
  4. This will display the 'User Details' screen. Click the 'Roles' tab.
  5. A list of the user's current roles (if any) will be displayed, as shown on the screenshot below. Select the relevant role from the drop-down box below the list, then click the 'Add' button.

Screenshot: Managing a user's roles



Multiple Directories

When Crowd determines a person's access to an application based on their membership of a group, what happens if the same username exists in more than one directory? Crowd will look for group membership only in the first directory where the username appears, based on the order of directories mapped to the application. See Specifying the Directory Order for an Application.

For example:

  • Two directories are mapped to Application A: The Customers directory and the Partners directory.
  • The Customers directory is mapped first in the 'Directory Order' for Application A.
  • A username jsmith exists in both the Customers directory and the Partners directory.
  • The user jsmith is a member of group G1 in the Customers directory and group G2 in the Partners directory.
  • Crowd will grant the user access to Application A based on membership of G1. For purposes of granting access to this application, Crowd will not consider jsmith a member of group G2.
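The first-match rule above can be modelled in a few lines to audit which memberships are silently ignored when a username exists in several mapped directories. This is an added illustration, not Crowd code or its API; the function names, the data layout, and the extra users akhan and mlee are assumptions made for the example.

```python
# Added illustration: a model of the first-match rule described above.
# It does not call Crowd; names and data layout are hypothetical.
from typing import Dict, List, Optional, Set, Tuple

# directory name -> {username -> groups in that directory}
Directories = Dict[str, Dict[str, Set[str]]]

# Constructed sample data matching the jsmith example (akhan, mlee are invented).
SAMPLE: Directories = {
    "Customers": {"jsmith": {"G1"}, "akhan": {"G1"}},
    "Partners": {"jsmith": {"G2"}, "mlee": {"G2"}},
}


def effective_groups(user: str, order: List[str],
                     dirs: Directories) -> Optional[Tuple[str, Set[str]]]:
    """Return (directory, groups) from the first mapped directory holding user."""
    for name in order:
        members = dirs.get(name, {})
        if user in members:
            # Later directories are never consulted for this username.
            return name, set(members[user])
    return None


def shadowed_memberships(order: List[str],
                         dirs: Directories) -> Dict[str, Dict[str, Set[str]]]:
    """For usernames present in several mapped directories, list the group
    memberships in the later directories that the application will not see."""
    report: Dict[str, Dict[str, Set[str]]] = {}
    all_users = sorted({u for d in order for u in dirs.get(d, {})})
    for user in all_users:
        winner, _ = effective_groups(user, order, dirs)
        for name in order:
            groups = dirs.get(name, {}).get(user)
            if name != winner and groups:
                report.setdefault(user, {})[name] = set(groups)
    return report


if __name__ == "__main__":
    order = ["Customers", "Partners"]  # 'Directory Order' for Application A
    print(effective_groups("jsmith", order, SAMPLE))
    print(shadowed_memberships(order, SAMPLE))
```

Reversing the directory order changes which account and which groups apply to jsmith, so a review of directory order should include a check for duplicate usernames across the mapped directories.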

Document generated by Confluence on Nov 30, 2010 23:53