ViPR 2.2 - Map Users into a ViPR Tenant
Table of Contents
An authentication provider links to an Active Directory (AD) or Lightweight Directory Access Protocol (LDAP) domain and provides access to a set of users from the domain. User mapping provides an additional level of control over the selection of users from the available domains. The use of user mappings is particularly useful where you have multiple domains or where you want to divide users available from a domain between multiple ViPR tenants.
An authentication provider usually specifies a whitelist group which defines the default group of users who will be available as ViPR users to the whole VDC. In addition to the whitelisted group, the available domain users can be mapped based on their group membership or based on attributes defined in their AD/LDAP entry.
By default, the provider tenant assumes that you want all users made available by the authentication provider. If that is not true you can use mappings. Sub-tenants below the provider tenant must specify user mapping; at a minimum, a domain must be specified.
The API and CLI provide the ability to specify mappings when a new tenant is registered and provide support for updating the mappings for all tenants, including the provider tenant. Creating and editing a tenant are functions of a Tenant Administrator. From the ViPR UI, the user mappings for a tenant are specified when you create or edit a tenant.
To create a subtenant, you must be Tenant Administrator in the provider tenant. To modify the mapping of the provider tenant, you must be Tenant Administrator in the provider tenant. To modify mappings in a subtenant, you must be Tenant Administrator in that sub-tenant.
The page below shows the Provider Tenant and an additional tenant called "Accounts". The Provider Tenant has not been explicitly mapped (there is no value in the Mapped Domains field), so it will take on any users from the configured authentication providers on the system that are not mapped to corp.sean.com (the domain to which the Accounts tenant is mapped).
The user mappings must not overlap, so if the Accounts tenant maps users from the same domain as the provider tenant, it must provide additional mappings to differentiate its users. In the example below, the Accounts tenant uses the corp.sean.com domain but maps users with specific attributes, in this case, those with their Department attribute set to Accounts in Active Directory.
The example below shows the use of multiple mapping criteria. All members of the corp.sean.com domain who belong to the Storage Admins group and have their Department attribute set to Accounts AND Company set to EMC, OR belong to the Storage Admins group and have their Department set to EMCAccounts, will be mapped into the tenant.
When any of the mapped users authenticate with ViPR they will have access to the tenant to which they have been assigned.Back to Top
Before you begin
- An authentication provider must have been registered with ViPR and must be for the domain from which you want to map users.
- You must have administrator access to your AD in order to configure groups and attribute mappings.
- You must create the groups or users in AD prior to mapping the users from the ViPR UI.
- If you are using attribute mapping, each user must have the appropriate attribute value set in AD.
- At the ViPR UI, select .
- In the Tenants table, click on the name of the tenant to open it for editing.
- If a domain hasn't already been selected select one from the domain drop-down.
- Specify any groups that you want to use to map users into the tenant.
The group or groups that you specify must exist in AD.
- If you want to use attributes to map users into the tenant, click the
Add Attribute button and enter the name of the attribute and the value or values for the attribute.
For users to be mapped into the domain, the attribute value set for the user must match the attribute value specified in ViPR.
- Save the tenant settings.