Authorization groups

Authorization groups, also called simply groups, are used to grant permissions to user accounts.

Users in any space with the view group permission can see all groups and group members in their space and its descendants, but only users with modification permissions in the root space can add, update, or delete groups. Users in child spaces cannot add, update, or delete groups, even if they have those permissions.

image4

The above image demonstrates how permissions are assigned to users based on their group memberships. Permissions in black text are granted to the group; permissions in grey text are not granted to the group. The permissions shown are a small sample of the actual available permissions.

A user only in the View group gets only the “view bond” and “view agg” permissions, while a user in the Bond admin group and the View group gets “view bond,” “add bond,”, “change bond,” “delete bond,” and “view agg” permissions. If a user was only a member of the Bond admin group, he or she would not get the “view agg” permission. A user in the Administrator group gets all permissions, so would not need to be added to the View group to be able to see bonds and aggs.

Permissions cannot be assigned directly to users. If a single user requires a unique set of permissions, a group must be created with the appropriate permissions and then the user assigned to that group.

SD-WAN includes a number of default groups that can be used to quickly assign relevant permissions to users. These default groups can be deleted and replaced with custom groups.

Authorization groups are are the same for all spaces. Only users with appropriate permissions in the root space can add, change, or delete groups or change group permissions, but users with appropriate permissions in any space can add users to or remove users from groups.

Listing groups

To view the list of groups, click the gear icon in the navigation menu, then click Groups.

image0

The list of groups is shown. Click a group name to see details about the group.

Adding a group

To add a group, browse to the list page, then click the “Add group” button. This opens the form for creating a group. Complete the form on the Group tab and click “Save”. When creating a new group, only the main tab is shown. After saving the group, the other tabs are shown.

Viewing or updating a group

To view or update a group, navigate to the list page and click the name of the group or the image1 button beside its name. This opens the group page with these tabs:

  • Group: name and membership details
  • Permissions: a matrix of permissions given to users in the group

You cannot make any changes to a group (name, membership, or permissions) that has a permission that you don’t have. For example, a user only in the default “User admin” group, which has permission to update groups, cannot make changes to the Administrator group, because the Administrator group has a number of permissions that a user only in the “User admin” group does not have.

Group fields

Name

The name of the group.

Members

The members control is not available when adding a new group. To manage group members, first save the new group, and then the members control will become available.

To add a user to the group, click his or her email address in the “Available users” list and then click the image2 button to add the user to the “Chosen users” list. To remove a user, click his or her email in the “Chosen users” list, then click the image3 button to remove the user from the list. Then click Save.

Permissions

Shown on the permissions tab, individual permissions appear as a matrix of resources and view/add/change/delete/other permissions. For example, the bond resource has five separate permissions for each action that can be taken on a bond. To assign a permission to a group, ensure the appropriate box is checked.

Deleting a group

To delete a group, navigate to its page and click the Delete button. A confirmation dialog will prompt you to confirm before the group is deleted.