17.2. Creating User Groups

With Red Hat Satellite, you can assign permissions to groups of users. You can also create user groups as collections of other user groups. If using an external authentication source, you can map Satellite user groups to external user groups as described in Section 17.2.1, “Configuring External User Groups”.
User groups are defined in an organizational context, meaning that you must select an organization before you can access user groups.

Procedure 17.6. To Create a User Group:

  1. Navigate to Administer → User groups to view the user groups on your Satellite.
  2. Click New User Group.
  3. On the User group tab, specify the name of the new user group and select group members from the list of users. To include a previously-created user group, select the check box next to the name of the group to be added.
  4. On the Roles tab, select the roles you want to assign to the user group. Alternatively, select the Administrator check box to assign all available permissions.
  5. Click Submit to create the user group.

17.2.1. Configuring External User Groups

Users authenticated through external sources are automatically created on the Satellite server the first time they log in. This does not apply to external user groups, which must be mapped to user groups created manually in the Satellite GUI. Members of the external user group then automatically become members of the Satellite user group and receive the associated permissions.

Prerequisites

The configuration of external user groups depends on the type of external authentication:
  • If using an LDAP source, make sure the LDAP authentication is correctly configured. Navigate to Administer → LDAP Authentication to view and modify the existing sources. For instructions on how to create an LDAP source, see Section 20.1, “Using LDAP”. Take note of the LDAP group names you want to use.
  • If your Satellite is enrolled with the IdM/IPA or AD server as described in Chapter 20, Configuring External Authentication, take note of the external group names you want to use. To find the group membership of external users, execute the id command on Satellite:
    # id username
    Here, username is the name of the external group member. Note that Satellite allows you to configure external groups only after at least one external user authenticates for the first time. Also, at least one user must exist in the external authentication source.
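
The following added example (not part of the Satellite documentation) turns the default output of the id command into one group name per line, so that the exact name can be copied into the Name field without splitting names that contain spaces. The sample output, the user jsmith, and the function names list_groups and has_group are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the Satellite documentation.
# Lists the exact group names found in the default output of `id username`.

# Constructed sample output for a hypothetical AD user. It includes a group
# name with a space, a GID that did not resolve to a name (5003), and the
# SELinux context field that `id` appends on SELinux-enabled systems.
SAMPLE_ID_OUTPUT='uid=1234(jsmith@example.com) gid=1234(jsmith@example.com) groups=1234(jsmith@example.com),5001(domain users@example.com),5002(satellite-admins@example.com),5003 context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023'

# list_groups: read `id` output on stdin, print one group name per line.
# Parsing the groups= field (rather than `id -Gn`) keeps names that contain
# spaces intact. GIDs without a resolved name are skipped because they
# cannot be entered as an external group name.
list_groups() {
    sed -n 's/ context=[^ ]*$//; s/^.*groups=//p' |
        tr ',' '\n' |
        sed -n 's/^[0-9]*(\(.*\))$/\1/p'
}

# has_group NAME: succeed only if NAME matches one group name exactly
# (whole name, case-sensitive), reading `id` output on stdin.
has_group() {
    list_groups | grep -Fxq -- "$1"
}

# Demo on the constructed sample. On the Satellite server, use instead:
#   id username | list_groups
printf '%s\n' "$SAMPLE_ID_OUTPUT" | list_groups
```

Running has_group with a candidate name before creating the mapping catches a partial or differently-cased name that would not match under this exact-match check.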

Procedure 17.7. To Configure an External User Group:

  1. Navigate to Administer → User Groups. Click New User Group.
  2. On the User group tab, specify the name of the new user group. Do not select any users as they will be added automatically when refreshing the external user group.
  3. On the Roles tab, select the roles you want to assign to the user group. Alternatively, select the Administrator check box to assign all available permissions.
  4. On the External groups tab, click Add external user group and select the authentication source:
    • If using an LDAP source, select its name from the Auth source drop-down menu.
    • If using IdM/IPA or AD, select EXTERNAL from the Auth source drop-down menu.
    Specify the exact name of the LDAP or external group in the Name field.
  5. Click Submit.

Important

LDAP user groups are refreshed automatically through a scheduled task (cron job) synchronizing the LDAP Authentication source (every 30 minutes by default). If the user groups in the LDAP Authentication source change in the interval between scheduled tasks, the user can be assigned to incorrect external user groups. This is corrected automatically when the scheduled task runs. You can also refresh the LDAP source manually by executing foreman-rake ldap:refresh_usergroups or by refreshing the external user groups through the web interface.
External user groups based on IdM/IPA or AD are refreshed only when a group member logs in to Satellite. It is not possible to alter user membership of external user groups in the Satellite GUI; such changes are overwritten on the next group refresh. To assign additional permissions to an external user, add this user to an internal user group that has no external mapping specified. Then assign the required roles to this group.