Difference between revisions of "Managing ETH groups"
Edit summaries: (Updates to pointers for ISGs.) → (Updates and clarifications.)
Revision as of 17:16, 28 November 2016
Introduction
Using NETHZ groups for user management is the recommended practice on our HPC clusters. A NETHZ group exported to LDAPS can be used to manage file permissions as well as user membership in a shareholder group. A common scenario is a group DEPT-ISG-GROUP that includes all members in the group's Leitzahl as well as semester students and visiting guests.
Managing NETHZ groups for use on our HPC clusters
Our cluster can make use of NETHZ groups. As an ISG you can define a group in the NETHZ admin tool (main screen→Admin Tasks→Gruppen verwalten) and export it to LDAPS. Don't forget to click on the aktualisieren link after updating the group!
Keep the following points in mind:
- Type of group: The NETHZ group needs to be exported to LDAPS. For consistency it is recommended to export it to AD (Active Directory), too.
- Sync the changes: You need to click on the aktualisieren link for the changes to take effect!
- Do not change the group name: Avoid changing the name of any NETHZ group, or contact us if you plan to do so.
- Use only the ETH-wide LDAPS subtree: An ETH-wide group defined by any ISG will be in the
ou=custom,ou=groups,ou=nethz,ou=id,ou=auth,o=ethz,c=ch
subtree of LDAPS. Groups specific to a department cannot be used.
We can only use groups from the
ou=custom,ou=groups,ou=nethz,ou=id,ou=auth,o=ethz,c=ch
subtree in LDAPS. That is the only way that we can provide service to and use services from the whole of ETH yet guarantee there are no collisions among group names or ids. Please contact us if you have any questions about using NETHZ and/or LDAPS groups with our HPC clusters.
Defining membership in a share
By default only the people in your LZ (Leitzahl) are members of your share. However, you can use one or more LDAPS groups exported from NETHZ to manage membership in your shareholder group. Any group from the ETH organizational hierarchy
ou=lz,ou=groups,ou=nethz,ou=id,ou=auth,o=ethz,c=ch
or from the ISG-defined groups
ou=custom,ou=groups,ou=nethz,ou=id,ou=auth,o=ethz,c=ch
can be used. The main benefit of using a group defined by your ISG to define share membership is that the same group can also be used to control access to your storage.
In addition, individual users can be added to the share upon request. Access to storage cannot be managed this way.
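An added example (not part of the original wiki page or any ETH tool) that checks a group DN against the two subtrees named above before you request it for a share: it accepts a group anywhere under ou=custom or ou=lz, rejects the old bare ou=groups subtree and department-specific OUs, and flags the storage-ACL benefit only for ISG-defined groups. The sample DNs are constructed; the acceptance rule (any depth under the base) is an assumption, as the page only names the subtrees.

```python
import re

# Subtrees named on the page: groups under these are usable for share management.
HPC_SUBTREES = {
    "isg-custom": "ou=custom,ou=groups,ou=nethz,ou=id,ou=auth,o=ethz,c=ch",
    "org-hierarchy": "ou=lz,ou=groups,ou=nethz,ou=id,ou=auth,o=ethz,c=ch",
}


def split_dn(dn: str) -> list:
    """Split a DN into (attribute, value) RDNs. A backslash-escaped comma
    stays inside its value (RFC 4514). Types and values are lower-cased so
    comparisons ignore case, as LDAP does for these attributes."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def classify_group_dn(dn: str) -> dict:
    """Report whether a group DN may be used for HPC share membership and,
    if so, which accepted subtree it lives in (assumption: any depth below
    the base counts; the page only names the subtrees)."""
    rdns = split_dn(dn)
    for name, base in HPC_SUBTREES.items():
        base_rdns = split_dn(base)
        levels_below = len(rdns) - len(base_rdns)
        # Must end with the base and carry at least the group's own RDN above it.
        if levels_below >= 1 and rdns[-len(base_rdns):] == base_rdns:
            return {
                "group": rdns[0][1],
                "subtree": name,
                "share_membership": True,
                # Page: only an ISG-defined group also controls storage access.
                "storage_acl": name == "isg-custom",
            }
    return {"group": None, "subtree": None, "share_membership": False, "storage_acl": False}


if __name__ == "__main__":
    # Constructed sample DNs, not real ETH groups.
    for sample in [
        "cn=DEPT-ISG-GROUP,ou=custom,ou=groups,ou=nethz,ou=id,ou=auth,o=ethz,c=ch",
        "cn=12345,ou=lz,ou=groups,ou=nethz,ou=id,ou=auth,o=ethz,c=ch",
        "cn=old-style,ou=groups,ou=nethz,ou=id,ou=auth,o=ethz,c=ch",
        "cn=dept-only,ou=dept,ou=groups,ou=nethz,ou=id,ou=auth,o=ethz,c=ch",
    ]:
        print(sample, "->", classify_group_dn(sample))
```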
New and departing users
New members of the specified LDAPS group(s) will be automatically associated with your share, while members who lose membership in the specified LDAPS groups are removed from your shareholder group. By default users are removed after 2 months, though this can be changed upon request. These individual changes to the shareholder groups are only for share management and not file permission management.
Delegating management
You can name one or more people to be the share manager. A manager is then generally our contact person regarding the share and, more importantly, has authority to request or confirm changes to the share, such as adding users. In addition, a manager also gets the monthly accounting report for the share. You can also request that a user receives the monthly accounting report but has no management authority.