Authorization realms and groups

Authorization realms associate users with roles and work with authentication realms to determine which users can access Deployment Automation. This topic describes how to create authorization realms and groups.

Create an Internal Storage authorization realm

Internal Storage type authorization realms are stored in the Deployment Automation database and use internal role management.

The default authorization realm, Internal Security, is of the Internal Storage type, and includes the following default groups:

  • Admin Group
  • Approve Group
  • Configuration Group
  • Deploy Group
  • Read Only Group

You can create additional Internal Storage authorization realms to meet your needs.

To create an Internal Security authorization realm:

  1. Navigate to Administration > Security.

  2. Select the Authorization (Groups) tab.

  3. In the side menu, select Authorization Realms.

  4. Click the Create Authorization Realm button.

  5. In the dialog box that opens, in the Name field, enter a unique name for the new authorization realm.
  6. In the Type field, select Internal Storage.
  7. Click Save.

Back to top

Create an LDAP authorization realm

An LDAP authorization realm works through an external LDAP server and uses external LDAP role management.

Deployment Automation includes an internal database for storing security information and provides an integration with the Lightweight Directory Access Protocol (LDAP). LDAP is a widely-used protocol for accessing distributed directory information over IP networks.

If you are implementing a production version of Deployment Automation, we recommend setting up the LDAP integration. If you are evaluating Deployment Automation, the LDAP integration is not necessary, and full security is configured and enforced by the server.

To create an LDAP authorization realm:

  1. Navigate to Administration > Security.
  2. Select the Authorization (Groups) tab.
  3. In the side menu, select Authorization Realms.
  4. Click the Create Authorization Realm button.
  5. In the dialog box that opens, in the Name field, enter a unique name for the new authorization realm.
  6. In the Type field, select LDAP.
  7. Specify the following details:

    Field Description
    User Group Attribute (Optional) The name of the attribute that contains role names in the user directory entry. If user groups are defined in LDAP as an attribute of the user, the Group Attribute configuration must be used.
    Group Search Base (Optional) The base directory for running group searches, for example:

    ou=employees,dc=mydomain,dc=com.
    Group Search Filter (Optional) The LDAP filter expression used when searching for user entries.

    The name will be substituted in place of 0 in the pattern, for example: uid={0}. If this is not part of the DN pattern, wrap the value in parenthesis, for example: ud=(0).
    Group Name (Optional) The directory name used to bind to LDAP for searches, for example:

    cn=Manager,dc=mycompany,dc=com.

    If left empty, an anonymous connection will be made. The Group Name is required if the LDAP server cannot be anonymously accessed.
    Search Group Subtree This option enables you to search the subtree for the roles.
  8. Click Save.

Example: To limit the LDAP authorization realm to the automation group, apply the LDAP filter:

  1. Navigate to Administration > Security.

  2. Select the Authorization (Groups) tab.

  3. Create or edit an LDAP authorization realm associated with your authentication realm.

  4. In the Create Authorization Realm dialog box, in the Group Search Filter field, specify the name of the automation group:

    (&(name=automation)(member={0}))

    This filter limits the import of groups from LDAP to just the automation group.

Back to top

Create groups

Groups are logical containers that enable you to grant permissions to multiple users. Group members automatically share a group's permissions. Permissions are granted to groups (or all users), not individual users. Additionally, when you assign a role to a group, all the group members are automatically assigned to that role.

To create a group:

  1. Navigate to Administration > Security.

  2. Select the Authorization (Groups) tab.

  3. In the side menu, select Groups.

  4. Click the Create Group button.

  5. In the Name field, provide a name for the group.

  6. In the Authorization Realm field, select the authorization realm you want to use.
  7. Click Save.

Groups are valid only for the selected authorization realm.

Back to top

See also: