Difference between revisions of "Managing ETH groups"
(New IAM: new policies, new names.) |
(More changes) |
||
| Line 1: | Line 1: | ||
==Introduction== | ==Introduction== | ||
| − | Using [https://www.ethz.ch/services/de/it-services/katalog/identitaet-zugang/identity-access-management.html | + | Using [https://www.ethz.ch/services/de/it-services/katalog/identitaet-zugang/identity-access-management.html access groups] for user management is the recommended practice on our HPC clusters. An access group exported to LDAPS can be used to manage file permissions as well as user membership in a shareholder group. A common scenario is a group ''DEPT-ISG-GROUP'' that includes all members in the group's Leitzahl as well as semester students and visiting guests. |
==Managing access groups for use on our HPC clusters== | ==Managing access groups for use on our HPC clusters== | ||
| Line 10: | Line 10: | ||
:The access group needs to be exported to '''LDAPS'''. For consistency it is recommended to export it to AD (Active Directory), too. | :The access group needs to be exported to '''LDAPS'''. For consistency it is recommended to export it to AD (Active Directory), too. | ||
;Do not change the group name | ;Do not change the group name | ||
| − | :Avoid changing the name of any | + | :Avoid changing the name of any group or contact us if you plan to do so. |
;Use only the ETH-wide LDAPS subtree | ;Use only the ETH-wide LDAPS subtree | ||
:An ETH-wide group defined by any ISG will be in the<br><tt>ou=custom,ou=groups,ou=nethz,ou=id,ou=auth,o=ethz,c=ch</tt><br>subtree of LDAPS. Groups specific to a department '''can not''' be used. | :An ETH-wide group defined by any ISG will be in the<br><tt>ou=custom,ou=groups,ou=nethz,ou=id,ou=auth,o=ethz,c=ch</tt><br>subtree of LDAPS. Groups specific to a department '''can not''' be used. | ||
| Line 16: | Line 16: | ||
|LDAPS and AD groups || For consistency it is recommended to export it to AD (Active Directory), too. | |LDAPS and AD groups || For consistency it is recommended to export it to AD (Active Directory), too. | ||
|- | |- | ||
| − | |Changing group names || Avoid changing the name of any | + | |Changing group names || Avoid changing the name of any group. |
|- | |- | ||
|LDAPS hierarchy || An ISG-defined group will be in the<br><tt>ou=custom,ou=groups,ou=nethz,ou=id,ou=auth,o=ethz,c=ch</tt><br>subtree of LDAPS. | |LDAPS hierarchy || An ISG-defined group will be in the<br><tt>ou=custom,ou=groups,ou=nethz,ou=id,ou=auth,o=ethz,c=ch</tt><br>subtree of LDAPS. | ||
| Line 25: | Line 25: | ||
ou=custom,ou=groups,ou=nethz,ou=id,ou=auth,o=ethz,c=ch | ou=custom,ou=groups,ou=nethz,ou=id,ou=auth,o=ethz,c=ch | ||
| − | subtree in LDAPS. That is the only way that we can provide service to and use services from the whole of ETH yet guarantee there are no collisions among group names or ids. Please contact us if you have any questions regarding using | + | subtree in LDAPS. That is the only way that we can provide service to and use services from the whole of ETH yet guarantee there are no collisions among group names or ids. Please contact us if you have any questions regarding using the IAM and/or LDAPS groups with our HPC clusters. |
==Defining membership in a share== | ==Defining membership in a share== | ||
| − | By default only the people in your LZ (''Leitzahl'') are members of your share. However, you can use one or more LDAPS group exported from | + | By default only the people in your LZ (''Leitzahl'') are members of your share. However, you can use one or more LDAPS group exported from IAM to manage membership in your shareholder group. Any group from the [https://www.bi.id.ethz.ch/orgdb/BaumPre.do ETH organizational hierarchy] |
ou=lz,ou=groups,ou=nethz,ou=id,ou=auth,o=ethz,c=ch | ou=lz,ou=groups,ou=nethz,ou=id,ou=auth,o=ethz,c=ch | ||
or from the ISG-defined groups | or from the ISG-defined groups | ||
Revision as of 14:00, 15 April 2019
Contents
Introduction
Using access groups for user management is the recommended practice on our HPC clusters. An access group exported to LDAPS can be used to manage file permissions as well as user membership in a shareholder group. A common scenario is a group DEPT-ISG-GROUP that includes all members in the group's Leitzahl as well as semester students and visiting guests.
Managing access groups for use on our HPC clusters
Our cluster can make use of LDAP groups defined via the ETH Identity and Access Management system. As an ISG you can define a group in the IAM admin tool (main screen→Group management) and export it to LDAPS.
Keep the following points in mind:
- Type of group
- The access group needs to be exported to LDAPS. For consistency it is recommended to export it to AD (Active Directory), too.
- Do not change the group name
- Avoid changing the name of any group or contact us if you plan to do so.
- Use only the ETH-wide LDAPS subtree
- An ETH-wide group defined by any ISG will be in the
ou=custom,ou=groups,ou=nethz,ou=id,ou=auth,o=ethz,c=ch
subtree of LDAPS. Groups specific to a department can not be used.
We can only use groups from the
ou=custom,ou=groups,ou=nethz,ou=id,ou=auth,o=ethz,c=ch
subtree in LDAPS. That is the only way that we can provide service to and use services from the whole of ETH yet guarantee there are no collisions among group names or ids. Please contact us if you have any questions regarding using the IAM and/or LDAPS groups with our HPC clusters.
By default only the people in your LZ (Leitzahl) are members of your share. However, you can use one or more LDAPS group exported from IAM to manage membership in your shareholder group. Any group from the ETH organizational hierarchy
ou=lz,ou=groups,ou=nethz,ou=id,ou=auth,o=ethz,c=ch
or from the ISG-defined groups
ou=custom,ou=groups,ou=nethz,ou=id,ou=auth,o=ethz,c=ch
can be used. The main benefit of using a group defined by your ISG to define share membership is that the same group can also be used to contral access to your storage.
New and departing users
New members of the specified LDAPS group(s) will be automatically associated with your share while members who lose membership in the specified LDAPS groups are removed from your shareholder group.
Delegating management
You can name one or more people to be the share manager. This person is then generally our contact person regarding the share and, more importantly, has authority to request or confirm changes to the share, such as adding users. In addition a manager also gets the monthly accounting report for the share. You can also request that a user receives the monthly accounting report but has no management authority.
