Users, RBAC and Authentication

Concepts

By default, the portal uses local authentication. You can also use LDAP as the source of authentication.

Role-Based Access Control (RBAC) governs access to modules and data.

Unryo supports multi-tenancy by providing a very flexible mechanism to partition information by department, business service, site, or any logical group. You can configure fine-grained access for users using any combination of metadata tags.

Manage Users and Groups

This is the section where you can create, modify, and remove individual user accounts or groups.

Go to Settings > Platform Administration > Users

Integration with external authentication services

The Unryo Platform is currently capable of using LDAP servers as a source of authentication information. You can access this via your Unryo Portal:

Step 1: Click on the gear icon at the top right and then on "Users & Groups".

Step 2: Click on the "Auth Backends" tab.

You will be able to manage your external authentication services here via a configuration wizard.

Step 3: By default, external users are placed in the "Default" group, which you can find in the "Groups" tab of the "Users & Groups" page. The "Default" group has somewhat restricted access to the Unryo Platform.

To give your LDAP users different permissions, create a new group with your desired permissions. To make your LDAP users members of the new group, add either:

  • user-members that match your LDAP users, or
  • group-members that match one of the LDAP groups your LDAP user belongs to.

Let us illustrate with an example. By default, userNameField in the "User Search" step and groupNameField in the "Group Search" step of the LDAP configuration wizard are set to sAMAccountName and cn, respectively.

Suppose you have an LDAP user whose sAMAccountName is "Geraldo" and who is a member of a group whose cn is "LDAPUnryoAdmins".

You can grant Geraldo admin privileges on your Unryo Platform by creating a new Unryo group with a user-member called "Geraldo". User-members are in fact regular expressions, so "Ge." and ".aldo" would also make Geraldo a part of the group.

You can also grant all members of "LDAPUnryoAdmins" admin privileges by adding a group-member called "LDAPUnryoAdmins" to an Unryo group with admin privileges. Like user-members, group-members are regular expressions, so ".Unryo." would also work.
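Because members are regular expressions, a pattern can select more LDAP accounts or groups than intended. The following added example (not Unryo code) audits the patterns quoted above against a constructed directory. This page does not say which regex engine Unryo uses or whether patterns are anchored, so Python's re module is an assumed stand-in and both substring and whole-string matching are shown.

```python
import re

# Constructed sample directory entries (not taken from the Unryo documentation).
LDAP_USERS = ["Geraldo", "George", "Ronaldo", "Geraldo-svc"]
LDAP_GROUPS = ["LDAPUnryoAdmins", "LDAPUnryoAdminsTemp", "NonUnryoUsers"]


def matches(pattern, names, anchored):
    """Names selected by pattern: whole-string match if anchored, else substring search."""
    rx = re.compile(pattern)
    test = rx.fullmatch if anchored else rx.search
    return [n for n in names if test(n)]


def audit(pattern, names, intended):
    """For both matching modes, list what the pattern selects beyond or short of the intent."""
    report = {}
    for mode, anchored in (("search", False), ("fullmatch", True)):
        hit = matches(pattern, names, anchored)
        report[mode] = {
            "matched": hit,
            "unintended": [n for n in hit if n not in intended],
            "missed": [n for n in intended if n not in hit],
        }
    return report


def anchored_literal(name):
    """Member pattern that selects exactly one name under either matching mode."""
    return "^" + re.escape(name) + "$"


if __name__ == "__main__":
    checks = [
        ("Geraldo", LDAP_USERS, ["Geraldo"]),
        ("Ge.", LDAP_USERS, ["Geraldo"]),
        (".aldo", LDAP_USERS, ["Geraldo"]),
        ("LDAPUnryoAdmins", LDAP_GROUPS, ["LDAPUnryoAdmins"]),
        (".Unryo.", LDAP_GROUPS, ["LDAPUnryoAdmins"]),
        (anchored_literal("Geraldo"), LDAP_USERS, ["Geraldo"]),
    ]
    for pattern, names, intended in checks:
        for mode, result in audit(pattern, names, intended).items():
            print(f"{pattern!r:22} {mode:9} matched={result['matched']} "
                  f"unintended={result['unintended']}")
```

Run the same audit against an export of your real sAMAccountName and cn values before attaching a pattern to a group with admin privileges.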