Difference between revisions of "Managing ETH groups"
(More changes) |
|||
| Line 3: | Line 3: | ||
Using [https://www.ethz.ch/services/de/it-services/katalog/identitaet-zugang/identity-access-management.html access groups] for user management is the recommended practice on our HPC clusters. An access group exported to LDAPS can be used to manage file permissions as well as user membership in a shareholder group. A common scenario is a group ''DEPT-ISG-GROUP'' that includes all members in the group's Leitzahl as well as semester students and visiting guests. | Using [https://www.ethz.ch/services/de/it-services/katalog/identitaet-zugang/identity-access-management.html access groups] for user management is the recommended practice on our HPC clusters. An access group exported to LDAPS can be used to manage file permissions as well as user membership in a shareholder group. A common scenario is a group ''DEPT-ISG-GROUP'' that includes all members in the group's Leitzahl as well as semester students and visiting guests. | ||
| − | ==Managing | + | ==Managing ETH groups for use on our HPC clusters== |
Our cluster can make use of LDAP groups defined via the [https://www.password.ethz.ch/ ETH Identity and Access Management] system. As an ISG you can define a group in the [https://www.password.ethz.ch IAM admin tool] (main screen→Group management) and export it to LDAPS. | Our cluster can make use of LDAP groups defined via the [https://www.password.ethz.ch/ ETH Identity and Access Management] system. As an ISG you can define a group in the [https://www.password.ethz.ch IAM admin tool] (main screen→Group management) and export it to LDAPS. | ||
Keep the following points in mind: | Keep the following points in mind: | ||
;Type of group | ;Type of group | ||
| − | :The | + | :The ETH group needs to be exported to '''LDAPS'''. For consistency it is recommended to export it to AD (Active Directory), too. |
;Do not change the group name | ;Do not change the group name | ||
:Avoid changing the name of any group or contact us if you plan to do so. | :Avoid changing the name of any group or contact us if you plan to do so. | ||
Revision as of 13:37, 9 May 2019
Contents
Introduction
Using access groups for user management is the recommended practice on our HPC clusters. An access group exported to LDAPS can be used to manage file permissions as well as user membership in a shareholder group. A common scenario is a group DEPT-ISG-GROUP that includes all members in the group's Leitzahl as well as semester students and visiting guests.
Managing ETH groups for use on our HPC clusters
Our cluster can make use of LDAP groups defined via the ETH Identity and Access Management system. As an ISG you can define a group in the IAM admin tool (main screen→Group management) and export it to LDAPS.
Keep the following points in mind:
- Type of group
- The ETH group needs to be exported to LDAPS. For consistency it is recommended to export it to AD (Active Directory), too.
- Do not change the group name
- Avoid changing the name of any group or contact us if you plan to do so.
- Use only the ETH-wide LDAPS subtree
- An ETH-wide group defined by any ISG will be in the
ou=custom,ou=groups,ou=nethz,ou=id,ou=auth,o=ethz,c=ch
subtree of LDAPS. Groups specific to a department can not be used.
We can only use groups from the
ou=custom,ou=groups,ou=nethz,ou=id,ou=auth,o=ethz,c=ch
subtree in LDAPS. That is the only way that we can provide service to and use services from the whole of ETH yet guarantee there are no collisions among group names or ids. Please contact us if you have any questions regarding using the IAM and/or LDAPS groups with our HPC clusters.
By default only the people in your LZ (Leitzahl) are members of your share. However, you can use one or more LDAPS group exported from IAM to manage membership in your shareholder group. Any group from the ETH organizational hierarchy
ou=lz,ou=groups,ou=nethz,ou=id,ou=auth,o=ethz,c=ch
or from the ISG-defined groups
ou=custom,ou=groups,ou=nethz,ou=id,ou=auth,o=ethz,c=ch
can be used. The main benefit of using a group defined by your ISG to define share membership is that the same group can also be used to contral access to your storage.
New and departing users
New members of the specified LDAPS group(s) will be automatically associated with your share while members who lose membership in the specified LDAPS groups are removed from your shareholder group.
Delegating management
You can name one or more people to be the share manager. This person is then generally our contact person regarding the share and, more importantly, has authority to request or confirm changes to the share, such as adding users. In addition a manager also gets the monthly accounting report for the share. You can also request that a user receives the monthly accounting report but has no management authority.
