ViPR 2.2 - Map Users into a ViPR Tenant

Introduction

This article describes how to map users into ViPR. There are two aspects to adding users to ViPR: adding authentication providers and mapping the available users.

An authentication provider links to an Active Directory (AD) or Lightweight Directory Access Protocol (LDAP) domain and provides access to a set of users from the domain. User mapping provides an additional level of control over the selection of users from the available domains. User mappings are particularly useful where you have multiple domains or where you want to divide the users available from a domain between multiple ViPR tenants.

Adding an authentication provider is described in the following article:

Understanding the mapping of users into tenants

Users are added to ViPR using authentication providers. When an authentication provider is created in ViPR, one or more AD/LDAP domains are supplied and are used to provide ViPR users. A domain can be mapped to a single tenant or can provide users for multiple tenants.

An authentication provider usually specifies a whitelist group which defines the default group of users who will be available as ViPR users to the whole VDC. In addition to the whitelisted group, the available domain users can be mapped based on their group membership or based on attributes defined in their AD/LDAP entry.

By default, the provider tenant assumes that you want all users made available by the authentication provider. If that is not true, you can use mappings. Sub-tenants below the provider tenant must specify user mapping; at a minimum, a domain must be specified.

The API and CLI provide the ability to specify mappings when a new tenant is registered and provide support for updating the mappings for all tenants, including the provider tenant. Creating and editing a tenant are functions of a Tenant Administrator. From the ViPR UI, the user mappings for a tenant are specified when you create or edit a tenant.

To create a sub-tenant, you must be a Tenant Administrator in the provider tenant. To modify the mapping of the provider tenant, you must be a Tenant Administrator in the provider tenant. To modify mappings in a sub-tenant, you must be a Tenant Administrator in that sub-tenant.

The page below shows the Provider Tenant and an additional tenant called "Accounts". The Provider Tenant has not been explicitly mapped (there is no value in the Mapped Domains field), so it will take on any users from the configured authentication providers on the system that are not mapped to corp.sean.com (the domain to which the Accounts tenant is mapped).

Tenants table

The user mappings must not overlap, so if the Accounts tenant maps users from the same domain as the provider tenant, it must provide additional mappings to differentiate its users. In the example below, the Accounts tenant uses the corp.sean.com domain but maps users with specific attributes, in this case, those with their Department attribute set to Accounts in Active Directory.

User mappings for a tenant using AD attributes

The example below shows the use of multiple mapping criteria. All members of the corp.sean.com domain who belong to the Storage Admins group and have their Department attribute set to Accounts AND Company set to EMC, OR belong to the Storage Admins group and have their Department set to EMCAccounts, will be mapped into the tenant.

Using multiple mapping criteria

When any of the mapped users authenticate with ViPR they will have access to the tenant to which they have been assigned.
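
The matching rules described above, modelled in Python as an added example (this is not ViPR code and not part of the original article). The class and function names are hypothetical, the users are constructed, and the sketch assumes that a user must be in every group listed in a mapping and that users matched by no sub-tenant remain in the provider tenant.

```python
# Added example: a model of the mapping rules in this article, not ViPR code.
from dataclasses import dataclass, field


@dataclass
class Mapping:
    domain: str
    groups: set = field(default_factory=set)
    attributes: dict = field(default_factory=dict)  # attribute -> accepted values

    def matches(self, user):
        if user["domain"].lower() != self.domain.lower():
            return False
        # Assumption: the user must belong to every group listed in the mapping.
        if not self.groups <= set(user.get("groups", ())):
            return False
        # Every listed attribute must hold one of the accepted values.
        attrs = user.get("attributes", {})
        return all(attrs.get(k) in ok for k, ok in self.attributes.items())


def resolve_tenant(user, tenants, provider="Provider Tenant"):
    """Return the tenant a user maps into; refuse ambiguous (overlapping) maps."""
    hits = sorted(t for t, maps in tenants.items()
                  if any(m.matches(user) for m in maps))
    if len(hits) > 1:
        raise ValueError(f"{user['name']} matches overlapping mappings: {hits}")
    # Assumption: users matched by no sub-tenant stay in the provider tenant.
    return hits[0] if hits else provider


# Constructed data: the two criteria from the "multiple mapping criteria" example.
TENANTS = {"Accounts": [
    Mapping("corp.sean.com", {"Storage Admins"},
            {"Department": {"Accounts"}, "Company": {"EMC"}}),
    Mapping("corp.sean.com", {"Storage Admins"},
            {"Department": {"EMCAccounts"}}),
]}


def user(name, groups, **attributes):
    return {"name": name, "domain": "corp.sean.com",
            "groups": groups, "attributes": attributes}


if __name__ == "__main__":
    for u in (user("alice", ["Storage Admins"], Department="Accounts", Company="EMC"),
              user("bob", ["Storage Admins"], Department="EMCAccounts"),
              user("carol", ["Storage Admins"], Department="Accounts", Company="Other"),
              user("dave", ["Backup Ops"], Department="Accounts", Company="EMC")):
        print(u["name"], "->", resolve_tenant(u, TENANTS))
```

Running a check like this over a directory export before saving a tenant shows which accounts would land in which tenant and whether any account would match two tenants.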


Map users into a tenant from the ViPR UI

The ViPR UI provides the ability to map users into a tenant based on the AD/LDAP domain, groups and attributes associated with users.

Before you begin

Procedure

  1. At the ViPR UI, select Tenant Settings > Tenants.
  2. In the Tenants table, click on the name of the tenant to open it for editing.
  3. If a domain hasn't already been selected, select one from the domain drop-down.
  4. Specify any groups that you want to use to map users into the tenant.
    The group or groups that you specify must exist in AD.
  5. If you want to use attributes to map users into the tenant, click the Add Attribute button and enter the name of the attribute and the value or values for the attribute.
    For users to be mapped into the domain, the attribute value set for the user must match the attribute value specified in ViPR.
  6. Save the tenant settings.