Identity Management provides an interface for managing admins, users and permissions. This can be found in the app under the section called Identity Management on the main navigation menu.
User accounts can be configured to authenticate using four different authentication types:
- Local Authentication - This type of user authenticates against the local database
- Active Directory - Authentication for the user occurs via a configured Active Directory server
- LDAP - Authentication for the user occurs via a configured LDAP authentication server
- Azure Active Directory - Authentication for the user occurs over OAuth 2.0 via a configured Azure Active Directory app registration
When users execute write operations within the tool, their actions are recorded and can be accessed via Change History.
Installation (Enterprise Only)
The hierarchy of management can be understood as: Installation > Domains > Organizations > Groups/Roles/Users. An installation is the DivvyCloud software suite, comprising the API/web servers, Cloud Harvesting, the Automation system and the database. DivvyCloud can be deployed flexibly, from running entirely on a single server to scaling across multiple servers for performance and redundancy.
Domains (Enterprise Only)
Domains are a collection of Organizations and allow for domain administrators to manage Organizations.
Organizations (Enterprise Only)
Organizations allow for complete isolation between Cloud Accounts, resources and users on an installation. A Cloud Account and its resources belong to exactly one Organization and cannot be viewed or modified from another Organization.
With the exception of domain admins, users may only belong to a single Organization. Domain admins may switch between Organizations, but within their current session they cannot view or modify Cloud Accounts, or those clouds' resources, without first switching to the correct Organization.
Users who are not domain admins are Basic Users and must be explicitly granted permissions via the Role Based Access system. The system is comprised of 1) Users, 2) Groups, 3) Roles, and 4) Scopes.
Groups are used to organize users who share the same set of permissions, e.g. Power Users, View Only, AWS-Development-Team.
Permissions are defined by a Role. A Role consists of a name, description and one or more permissions:
- All Permissions - Permission to execute any action within the role scope
- View - Permission to view resources within the scope
- Provision - Permission to create new resources
- Manage - Permission to manage the resources in scope
- Delete - Permission to destroy resources
A Role can then be associated with one or more Cloud Accounts or Resource Groups; this set is called the Scope of the Role. Many Roles can be associated with a Group, and likewise many Scopes can be associated with a Role.
Once a Group has been created with Roles scoped to some resources, a user can be created and added to the Group. Authenticating as this new user shows only the Cloud Accounts or Resource Groups granted to the user; anything outside the Scope of the user's Roles is not visible.
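The following is an added example, written for this page rather than taken from DivvyCloud, that models the permission check the preceding paragraphs describe: Organization isolation first, then the Group -> Role -> Scope lookup for Basic Users. The class and field names, the rule that a domain admin holds every permission inside the Organization they have switched into, and all Organizations, Cloud Accounts and users are assumptions constructed for the demonstration; Resource Groups are left out and Scopes hold Cloud Account names only.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Permission names follow the Role definition above. ALL stands for
# "All Permissions" and implies every concrete permission within the scope.
ALL, VIEW, PROVISION, MANAGE, DELETE = "all", "view", "provision", "manage", "delete"
CONCRETE = {VIEW, PROVISION, MANAGE, DELETE}


@dataclass(frozen=True)
class CloudAccount:
    name: str
    organization: str          # a Cloud Account belongs to exactly one Organization


@dataclass
class Role:
    name: str
    permissions: Set[str]
    scope: Set[str]            # Cloud Account names this Role applies to

    def grants(self, permission: str) -> bool:
        return ALL in self.permissions or permission in self.permissions


@dataclass
class Group:
    name: str
    roles: List[Role]


@dataclass
class User:
    name: str
    organization: str
    groups: List[Group] = field(default_factory=list)
    domain_admin: bool = False
    active_organization: Optional[str] = None   # set when a domain admin switches org

    def switch_organization(self, org: str) -> None:
        if not self.domain_admin:
            raise PermissionError(f"{self.name} is not a domain admin")
        self.active_organization = org


def is_allowed(user: User, permission: str, account: CloudAccount) -> bool:
    """Decide whether `user` may perform `permission` on `account`."""
    if permission not in CONCRETE:
        raise ValueError(f"unknown permission {permission!r}")
    # 1. Organization isolation: another Organization's accounts are invisible.
    #    A domain admin only sees the Organization they have switched into.
    current_org = user.active_organization if user.domain_admin else user.organization
    if account.organization != current_org:
        return False
    # 2. Assumption for this model: a domain admin has every permission
    #    inside the Organization they are currently switched into.
    if user.domain_admin:
        return True
    # 3. Basic Users need an explicit grant: some Group -> Role whose Scope
    #    contains the account and whose permissions include the action.
    return any(
        role.grants(permission) and account.name in role.scope
        for group in user.groups
        for role in group.roles
    )


def visible_accounts(user: User, accounts: List[CloudAccount]) -> List[str]:
    """What the user sees after logging in: accounts they may at least view."""
    return sorted(a.name for a in accounts if is_allowed(user, VIEW, a))


# Constructed demo data: two Organizations, three Cloud Accounts, four users.
AWS_DEV = CloudAccount("aws-dev", organization="acme")
AWS_PROD = CloudAccount("aws-prod", organization="acme")
GCP_LAB = CloudAccount("gcp-lab", organization="contoso")
ACCOUNTS = [AWS_DEV, AWS_PROD, GCP_LAB]

VIEW_ONLY = Group("View Only", [Role("dev-viewer", {VIEW}, {"aws-dev"})])
POWER_USERS = Group("Power Users", [Role("dev-power", {ALL}, {"aws-dev"})])

ALICE = User("alice", "acme", groups=[VIEW_ONLY])
BOB = User("bob", "acme", groups=[POWER_USERS])
CAROL = User("carol", "acme")                     # Basic User, no Groups yet
DAVE = User("dave", "acme", domain_admin=True)    # has not switched into an Organization

if __name__ == "__main__":
    for u in (ALICE, BOB, CAROL, DAVE):
        print(u.name, visible_accounts(u, ACCOUNTS))
    DAVE.switch_organization("contoso")
    print("dave after switching to contoso", visible_accounts(DAVE, ACCOUNTS))
```

Running the block shows alice and bob seeing only aws-dev, carol seeing nothing until she is added to a Group, and dave seeing nothing until he switches into an Organization, after which he sees that Organization's accounts and no others. Note that bob's "All Permissions" Role does not reach aws-prod: the Scope, not the permission set, decides which accounts a Role touches.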
For more information see the detailed articles below.
- Active Directory
- Active Directory Authentication Server Setup
- Lightweight Directory Access Protocol (LDAP)
- LDAP Authentication Server Setup
- Azure Active Directory
- New App Registration
- Existing App Registration
- Domain Admins
- Organization Users
- User Groups
- Role Permissions & Scopes