forked from pivotal-cf/docs-ops-guide
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathexternal-user-management.html.md.erb
84 lines (55 loc) · 4.36 KB
/
external-user-management.html.md.erb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
---
title: Adding Existing SAML or LDAP Users to a Pivotal Platform Deployment
owner: Identity
---
<% current_page.data.title = "Adding Existing SAML or LDAP Users to a " + vars.product_name + " Deployment" %>
This topic describes the procedure for adding existing SAML or LDAP users to a [<%= vars.product_name_full %>](https://network.pivotal.io/products/pivotal-cf) (<%= vars.product_name %>) deployment enabled with SAML or LDAP.
The following two ways exist to add existing SAML or LDAP users to your <%= vars.product_name %> deployment:
* [Option 1: Import Users in Bulk](#bulk-import)
* [Option 2: Add Users Manually](#manual)
## <a id='prereqs'></a>Prerequisites
You must have the following to perform the procedures in this topic:
* Admin access to the Ops Manager Installation Dashboard for your <%= vars.product_name %> deployment
* The [Cloud Foundry Command Line Interface](../cf-cli/install-go-cli.html) (cf CLI) v6.23.0 or later
## <a id='bulk-import'></a>Option 1: Import Users in Bulk ##
You can import SAML or LDAP users in bulk by using the UAA Bulk Import Tool. See [the UAA Users Import README](https://github.com/pivotalservices/uaausersimport/blob/master/README.md) for instructions about installing and using the tool.
## <a id='manual'></a>Option 2: Add Users Manually ##
Perform the procedures below to add existing SAML or LDAP users to your <%= vars.product_name %> deployment manually.
### <a id='step-id'></a>Step 1: Create User ##
Perform the following steps to add a SAML or LDAP user:
1. Run `cf target https://api.YOUR-SYSTEM-DOMAIN` to target the API endpoint for your <%= vars.product_name %> deployment. Replace `YOUR-SYSTEM-DOMAIN` with your system domain. For example:
<pre class="terminal">$ cf target http<span>s</span>://api.example.com</pre>
1. Run `cf login` and provide credentials for an account with the [Admin user role](../concepts/roles.html#roles):
<pre class="terminal">$ cf login</pre>
1. Run `cf create-user EXAMPLE-USERNAME --origin YOUR-PROVIDER-NAME` to create the user in UAA. Replace `EXAMPLE-USERNAME` with the username of the SAML or LDAP user you wish to add, and select one of the options below:
- For LDAP, replace `YOUR-PROVIDER-NAME` with `ldap`. For example:
<pre class='terminal'>
$ cf create-user j.smith<span>@</span>example.com --origin ldap
</pre>
- For SAML, replace `YOUR-PROVIDER-NAME` with the name of the SAML provider you provided when configuring Ops Manager. For example:
<pre class='terminal'>
$ cf create-user j.smith<span>@</span>example.com --origin example-saml-provider
</pre>
### <a id='user-role'></a>Step 2: Associate User with Org or Space Role ##
After creating the SAML or LDAP user, you must associate the user with either an Org or Space role.
For more information about roles, see the [Roles and Permissions](../concepts/roles.html#roles) section of the <em>Orgs, Spaces, Roles, and Permissions</em> topic.
#### <a id='org-role'></a>Associate User with Org Role
Run `cf set-org-role USERNAME YOUR-ORG ROLE` to associate the SAML or LDAP user with an Org role. Replace `USERNAME` with the name of the SAML or LDAP user, and replace `YOUR-ORG` with the name of your Org.
For `ROLE`, enter one of the following:
* `OrgManager`: Org Managers can invite and manage users, select and change plans, and set spending limits.
* `BillingManager`: Billing Managers can create and manage the billing account and payment information.
* `OrgAuditor`: Org Auditors have read-only access to Org information and reports.
Example:
<pre class="terminal">
$ cf set-org-role j.smith<span>@</span>example.com my-org OrgManager
</pre>
#### <a id='space-role'></a>Associate User with Space Role
Run `cf set-space-role USERNAME YOUR-ORG YOUR-SPACE ROLE` to associate the SAML or LDAP user with a Space role. Replace `USERNAME` with the name of the SAML or LDAP user, replace `YOUR-ORG` with the name of your Org, and `YOUR-SPACE` with the name of a Space in your Org.
For `ROLE`, enter one of the following:
* `SpaceManager`: Space Managers can invite and manage users, and enable features for a given Space.
* `SpaceDeveloper`: Space Developers can create and manage apps and services, and see logs and reports.
* `SpaceAuditor`: Space Auditors can view logs, reports, and settings on this Space.
Example:
<pre class="terminal">
$ cf set-space-role j.smith<span>@</span>example.com my-org my-space SpaceDeveloper
</pre>