User Group Associations
Automatically add users to, or remove users from, user groups in Kion based on attributes from your identity provider. This is useful for determining user permissions dynamically from the groups your identity provider already maintains.
Ensure you don't have multiple associations that target the same Kion user group, because they will overwrite each other. Removing an association does not affect group membership that was already granted; users who were previously added to the group remain in it.
Prerequisites
- Configure the appropriate roles and groups within Kion that represent the different user access levels. For more information, see Getting Started with Permissions.
- Add a SAML or OpenID IDMS to Kion. For more information, see Add a SAML 2 IDMS or Add an OpenID IDMS.
LDAP Sync
You can use an LDAP server you already have configured to bring user group associations into Kion. This is done by adding your LDAP server credentials to your IDMS configuration. For more information, see Add a SAML 2 IDMS.
Manual Configuration
- Login to Kion as an administrator.
- Navigate to Users > Identity Management Systems.
- Click the SAML or OpenID IDMS you would like to configure.
- Select the User Group Associations tab.
- Click Add > Add New. You can also select the Bulk Add option if you want to add several associations at once using the same field descriptions.
- Enter the name of the attribute you're passing that will be used to evaluate group membership. For example, ADmembership. The name must match the attribute name in the assertion exactly.
- Enter a regular expression that evaluates the attribute. For example, ^cloudtamer-admins would match a group named cloudtamer-admins. This field supports expression matching characters (such as ^ for the beginning of a phrase or $ for the end of a phrase). Note that a pattern anchored only at the beginning also matches longer names with the same prefix: ^cloudtamer-admins also matches cloudtamer-admins-readonly. To match one group name exactly, anchor both ends, for example ^cloudtamer-admins$. You can find more information in Google's re2 Syntax article.
- Select the Kion user group the matched groups will be added to.
- (Optional) Select the option to evaluate users on every login and remove them from user groups they no longer match. Without this option, a user keeps existing group membership even if the attribute no longer matches the association.
- Click Add.
Troubleshooting
Test logging in with a user account that matches one of the user group associations you specified.
If you don't see the permissions you expected to be applied, review the POST operation against /api/v1/saml/callback. Ensure that the assertion carries the groups attribute you configured (the attribute name must match exactly) and that the expected group name comes across as one of its values. If the value is present but the association still does not apply, check that your regular expression actually matches that value.
For information on how to review the operation, see Tracing SAML Logins.
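The following Python script is an added example, not Kion's own code, that models how the configuration above and the troubleshooting step fit together: it pulls the values of a named attribute out of a (constructed) SAML assertion, as you would when reviewing the callback POST, and then evaluates association rules of the form (attribute name, regular expression, Kion user group) against them. The assertion XML, the rule table and the group names are all assumed for illustration; Python's re module stands in for RE2, which behaves identically for the simple ^ and $ anchors used here. It also shows the prefix-matching pitfall from the regular expression step and the difference between leaving existing membership alone and removing groups the user no longer matches.

```python
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion fragment standing in for what arrives at the SAML
# callback; attribute and group names are assumptions for this example.
ASSERTION_XML = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="ADmembership">
      <saml:AttributeValue>cloudtamer-admins</saml:AttributeValue>
      <saml:AttributeValue>cloudtamer-admins-readonly</saml:AttributeValue>
      <saml:AttributeValue>finance-users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical association rules: (attribute name, regex, Kion user group).
ASSOCIATIONS = [
    ("ADmembership", r"^cloudtamer-admins$", "Kion Administrators"),
    ("ADmembership", r"^cloudtamer-admins-readonly$", "Kion Read Only"),
    ("ADmembership", r"^finance-", "Finance"),
]


def attribute_values(assertion_xml, attribute_name):
    """Return the values of the named attribute, in assertion order.

    An empty list means the attribute is absent (or the name is spelled
    differently), which is the first thing to check when troubleshooting.
    """
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        if attr.get("Name") == attribute_name:
            for value in attr.iterfind("saml:AttributeValue", SAML_NS):
                values.append((value.text or "").strip())
    return values


def matching_values(pattern, values):
    """Return the attribute values a single association regex matches."""
    regex = re.compile(pattern)
    return [v for v in values if regex.search(v)]


def evaluate(assertion_xml, associations, current_groups=(), remove_unmatched=False):
    """Compute the user's Kion groups after one login.

    With remove_unmatched=False, groups the user already holds are kept and
    matched groups are added. With remove_unmatched=True (the 'evaluate on
    every login' option), only the groups matched on this login remain.
    """
    matched = set()
    for attr_name, pattern, kion_group in associations:
        if matching_values(pattern, attribute_values(assertion_xml, attr_name)):
            matched.add(kion_group)
    if remove_unmatched:
        return matched
    return set(current_groups) | matched


if __name__ == "__main__":
    values = attribute_values(ASSERTION_XML, "ADmembership")
    print("attribute values:", values)
    # Prefix-only anchor matches two groups; anchoring both ends matches one.
    print("^cloudtamer-admins  ->", matching_values(r"^cloudtamer-admins", values))
    print("^cloudtamer-admins$ ->", matching_values(r"^cloudtamer-admins$", values))
    print("groups (keep existing):", evaluate(ASSERTION_XML, ASSOCIATIONS, {"Legacy"}))
    print("groups (remove unmatched):",
          evaluate(ASSERTION_XML, ASSOCIATIONS, {"Legacy"}, remove_unmatched=True))
```

When a login does not produce the expected permissions, run attribute_values against the assertion captured from the callback first; if it returns an empty list, the problem is the attribute name or the identity provider's release of the attribute, not the regular expression.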