Chapter 4. Managing groups

You can use Identity Service (keystone) groups to assign consistent permissions to multiple user accounts.

4.1. Configuring groups with the CLI

Create a group and assign permissions to the group. Members of the group inherit the same permissions that you assign to the group:

  1. Create the group grp-Auditors: 

    $ openstack group create grp-Auditors
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description |                                  |
| domain_id   | default                          |
| id          | 2a4856fc242142a4aa7c02d28edfdfff |
| name        | grp-Auditors                     |
+-------------+----------------------------------+

  2. View a list of keystone groups: 

    $ openstack group list --long
+----------------------------------+--------------+-----------+-------------+
| ID                               | Name         | Domain ID | Description |
+----------------------------------+--------------+-----------+-------------+
| 2a4856fc242142a4aa7c02d28edfdfff | grp-Auditors | default   |             |
+----------------------------------+--------------+-----------+-------------+

  3. Grant the grp-Auditors group permission to access the demo project, while using the member role: 

    $ openstack role add member --group grp-Auditors --project demo

  4. Add the existing user user1 to the grp-Auditors group: 

    $ openstack group add user grp-Auditors user1
user1 added to group grp-Auditors

  5. Confirm that user1 is a member of grp-Auditors: 

    $ openstack group contains user grp-Auditors user1
user1 in group grp-Auditors

  6. Review the effective permissions that have been assigned to user1: 

    $ openstack role assignment list --effective --user user1
+----------------------------------+----------------------------------+-------+----------------------------------+--------+-----------+
| Role                             | User                             | Group | Project                          | Domain | Inherited |
+----------------------------------+----------------------------------+-------+----------------------------------+--------+-----------+
| 9fe2ff9ee4384b1894a90878d3e92bab | 3fefe5b4f6c948e6959d1feaef4822f2 |       | 0ce36252e2fb4ea8983bed2a568fa832 |        | False     |
+----------------------------------+----------------------------------+-------+----------------------------------+--------+-----------+

4.2. Configuring groups with the Dashboard

You can use the dashboard to manage the membership of keystone groups. However, you must use the command-line to assign role permissions to a group. For more information, see Configuring groups with the CLI.

4.2.1. Creating a group

  1. Log in to the dashboard as a user with administrative privileges.
  2. Select Identity > Groups.
  3. Click +Create Group.
  4. Enter a name and description for the group.
  5. Click Create Group.

4.2.2. Managing Group membership

You can use the dashboard to manage the membership of keystone groups.

  1. Log in to the dashboard as a user with administrative privileges.
  2. Select Identity > Groups.
  3. Click Manage Members for the group that you want to edit.
  4. Use Add users to add a user to the group. If you want to remove a user, mark its checkbox and click Remove users.