Difference between revisions of "Managing ETH groups"

From ScientificComputing
(Adds step-by-step instructions for adding a subgroup to a top group.)
Line 32: Line 32:
  
 
[[File:IAM2.png|thumb|Export ETH group to LDAPS]]
 
[[File:IAM2.png|thumb|Export ETH group to LDAPS]]
 +
 +
<div style="clear: both"></div>
  
 
== Adding a subgroup to an ETH group ==
 
== Adding a subgroup to an ETH group ==
  
An ETH group used for cluster access can include entire subgroups. This makes it easy to include, for example, an entire Leitzahl of a shareholder as well as individual guests.
+
An ETH group used for cluster access can include entire subgroups. This makes it easy to include, for example, an entire Leitzahl of a shareholder as well as individual guests to the top ETH group since changes to the subgroups are automatically reflected in the top group.
 +
 
 +
Step-by-step instructions for an example of adding the ID-HPC-BETA subgroup to the ID-HPC-EULER top group are shown below. After this is done, ID-HPC-EULER includes everyone in ID-HPC-BETA.
 +
 
 +
'''Select the top group'''
 +
 
 +
1. Go to the [https://www.password.ethz.ch IAM admin tool]. From the main screen select “Group management” and then “Select group”:<br>
 +
[[File:Iam-subgroup.2.png|555px|Home screen → “Group management” → “Select group”]]<br>The group search page (“Select a Role”) will open.
 +
 
 +
2. Enter the name of the the top group and click the green “Search” button:<br>
 +
[[File:Iam-subgroup.3.png|555px|Enter the name of the the top group and click the green “Search” button.]]<br>The group information page (“Role - Summary”) for the top group will open.
 +
 
 +
3. Edit the group by clicking on the pencil icon:<br>
 +
[[File:Iam-subgroup.4.png|555px|Click the pencil icon to edit the top group.]]<br>The group modification page (“Modify Role Data”) will show open.
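Review bot: step 2 repeats "the the" in both the instruction and the image caption ("Enter the name of the the top group"), and step 3 ends with "will show open", which should read "will open" to match steps 1 and 2. The rewritten introductory sentence is also hard to parse ("include ... individual guests to the top ETH group since changes ..."); "add ... to the top ETH group, since changes ..." would read more easily. The visible steps under "Select the top group" stop at opening the "Modify Role Data" page, so the action that actually attaches ID-HPC-BETA to ID-HPC-EULER is not shown in these lines.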

Revision as of 08:17, 28 June 2019

Introduction

Using ETH groups for user management is the recommended practice on our HPC clusters. An ETH group exported to LDAPS can be used to manage file permissions as well as user membership in a shareholder group. A common scenario is a group DEPT-ISG-GROUP that includes all members in the group's Leitzahl as well as semester students and visiting guests.

Managing ETH groups for use on our HPC clusters

Our cluster can make use of LDAP groups defined via the ETH Identity and Access Management system. As an ISG you can define a group in the IAM admin tool (main screen→Group management) and export it to LDAPS (Owner & Presence → Target Systems: LDAPS).

Keep the following points in mind:

Type of group
The ETH group needs to be exported to LDAPS. For consistency it is recommended to export it to AD (Active Directory), too.
Do not change the group name
Avoid changing the name of any group or contact us if you plan to do so.
Use only the ETH-wide LDAPS subtree
An ETH-wide group defined by any ISG will be in the
ou=custom,ou=groups,ou=nethz,ou=id,ou=auth,o=ethz,c=ch
subtree of LDAPS. Groups specific to a department cannot be used.

We can only use groups from the

ou=custom,ou=groups,ou=nethz,ou=id,ou=auth,o=ethz,c=ch

subtree in LDAPS. That is the only way that we can provide service to and use services from the whole of ETH yet guarantee there are no collisions among group names or ids. Please contact us if you have any questions regarding using the IAM and/or LDAPS groups with our HPC clusters.
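The subtree restriction above can be checked mechanically before a group is proposed for cluster use. The following is an added example, not part of the original wiki page or the cluster's own tooling; the `cn=` naming attribute, the sample DNs and the function names are assumptions, and DN matching is simplified (case-insensitive, single-valued RDNs only). It compares RDN by RDN because a plain string suffix test is fooled by an escaped comma inside a group name.

```python
# Added example: is a group DN inside the ETH-wide custom subtree?
ALLOWED_BASE = "ou=custom,ou=groups,ou=nethz,ou=id,ou=auth,o=ethz,c=ch"  # from the page


def split_rdns(dn):
    """Split a DN into RDNs on unescaped commas (RFC 4514 backslash escapes)."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])  # keep the escape pair together
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur))
    return rdns


def normalize(rdn):
    """Lower-case an RDN and trim whitespace around '=' (simplified matching)."""
    attr, sep, value = rdn.partition("=")
    if not sep or not attr.strip() or not value.strip():
        raise ValueError(f"malformed RDN: {rdn!r}")
    return f"{attr.strip().lower()}={value.strip().lower()}"


def in_allowed_subtree(group_dn, base=ALLOWED_BASE):
    """True only if group_dn is strictly below base, compared RDN by RDN."""
    try:
        dn = [normalize(r) for r in split_rdns(group_dn)]
        base_rdns = [normalize(r) for r in split_rdns(base)]
    except ValueError:
        return False
    return len(dn) > len(base_rdns) and dn[-len(base_rdns):] == base_rdns


def naive_check(group_dn, base=ALLOWED_BASE):
    """The string-suffix shortcut, shown only for comparison."""
    return group_dn.endswith("," + base)
```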

Exporting an ETH group to LDAPS

ETH group management
Export ETH group to LDAPS

Adding a subgroup to an ETH group

An ETH group used for cluster access can include entire subgroups. This makes it easy to add, for example, an entire Leitzahl of a shareholder as well as individual guests to the top ETH group, since changes to the subgroups are automatically reflected in the top group.

Step-by-step instructions for an example of adding the ID-HPC-BETA subgroup to the ID-HPC-EULER top group are shown below. After this is done, ID-HPC-EULER includes everyone in ID-HPC-BETA.

Select the top group

1. Go to the IAM admin tool. From the main screen select “Group management” and then “Select group”:
Home screen → “Group management” → “Select group”
The group search page (“Select a Role”) will open.

2. Enter the name of the top group and click the green “Search” button:
Enter the name of the top group and click the green “Search” button.
The group information page (“Role - Summary”) for the top group will open.

3. Edit the group by clicking on the pencil icon:
Click the pencil icon to edit the top group.
The group modification page (“Modify Role Data”) will open.