Create and Manage Users

Overview

From the Suite Admin perspective, a user refers to two main roles: the suite administrator and the tenant administrator.

The Users List Page

When you navigate to the Users page from the Suite Admin Dashboard, you see a summary of configured users at the top of the page which displays the following details:

  • The total number of CloudCenter Suite users

  • The total number of Suite Admin users

  • The total number of Workload Manager users

  • The total number of Action Orchestrator users

  • The total number of Cost Optimizer users

  • The total number of cross-module users – users who can access multiple CloudCenter Suite modules.

Any user who is a member of the Suite Admin, Product Admin, or Module Admin groups is identified by the admin icon (displayed in the following screenshot) attached to their profile display.

The Groups column identifies the groups to which each admin belongs. 

Similarly, the icon for each user differs based on their permissions as identified in the following screenshots:

Type of CloudCenter Suite User (each has its own icon in the Suite Admin UI):

  • Suite Administrator

  • Suite User

  • SSO User

The Suite Administrator

The suite administrator:

  • Is configured as part of the Initial Administrator Setup process. 

  • Is responsible for all user roles for all modules. As such, all CloudCenter Suite modules share the same user base.

  • Can add other suite administrators.

    Suite administrators must exercise control over the number of suite administrators configured for the CloudCenter Suite, as they have the highest level of permissions and privileges in the CloudCenter Suite!

You can add additional users in the Suite Admin or for each module beyond the OOB Suite Admin Groups. These users can be assigned to any module, group, or tenant depending on why they were added in the first place.

Groups have roles and depending on the group to which a user is added, that user inherits the roles associated with the assigned group.


Tenant Administrator

A user created with administrative permission at the tenant level is referred to as a Tenant Admin. A tenant admin does not have visibility into the Suite Admin Dashboard.

  • While each user can be assigned a specific role with access to individual modules, each module also has its own pre-defined roles and groups. 

  • The Suite Admin leaves it to the tenant admin to manage these roles and groups at the tenant level for each module.

  • While a suite administrator can add unlimited tenant admins, it is better to have close control on the number of tenant admins for each module as they have the highest level of permissions and privileges for that module.

Tenant admins can perform the following tasks:

  • Manage users, groups and tenants WITHIN their tenant hierarchy.

  • Access modules made available for their tenant(s).

  • Execute a subset of tasks as permitted by the suite administrator or their parent tenant.

The following image identifies a sample multi-tenant environment.

Each (sub)tenant does not have any default suite admin group and cannot execute Module Lifecycle Management or Kubernetes Cluster Management functions – they can only execute User Tenant Management functions at their tenant level.

Create a User 

To create a CloudCenter Suite user, follow this procedure.

  1. Navigate to the Suite Admin Dashboard > Users page.

  2. Click Add User.

  3. Enter the details for this user in the Add User form.

  4. Optional. Disable the Auto Generate Password switch if you prefer to provide your own password. If enabled, the system sends an email to the user with the link so the user can generate the password. 

    To use this feature, you should have already configured the Base URL and the Email Setup to ensure that the URL is accessible and that an email can be sent to the user. See Base URL Configuration and Email Settings for additional details.

    Be sure to configure these two functions before opting to send an email to the user as this information is required to construct the links to reset the password for a new or existing user.

  5. Optional. Provide name-value pairs for the field to be displayed and the value to be provided so the user can add more information at a later point. Some examples of name-value pairs are Designation, Badge ID, Location, Department, Phone, and other details.

  6. Select the group(s) to which this user must belong. 

    A user without a group can only view the landing page and cannot navigate anywhere else!

  7. Click Save. The newly added user can now be added to any group.


Until you add this newly-created user to a group, this user will have no role or ability to perform any actions.

Create Another Suite Administrator 

To create another suite administrator for the Suite Admin, besides the administrator created as part of the Initial Administrator Setup process, follow this procedure.

  1. Follow the process above to Create a User.

  2. Navigate to the Suite Admin Dashboard > Groups page.

  3. Locate the suite administrator group to which you want to add this user.

  4. Assign the newly added user to the suite administrator group.

This newly-assigned suite administrator now has all administrative abilities associated with the suite administrator group. 

Create a Tenant Administrator

To create a tenant admin, follow this procedure.

  1. Follow the process above to Create a User.

  2. Navigate to the Suite Admin Dashboard > Groups page.

  3. Locate the tenant admin group to which you want to add this user.

  4. Assign the newly added user to the tenant admin group.

This newly-assigned tenant admin now has all administrative abilities associated with the tenant admin group. 

Create a User with a Module-Specific Role

A module administrator refers to a user who can administer any of the CloudCenter Suite modules. The suite administrator can add a user to a module-specific role to make this user a module administrator. See Understand Roles for details.

Importing User Data

To import Active Directory data, you must follow a manual process to import user data. See SSO Setup for additional details.

Disabled Users

Only a user administrator can disable a user. Once disabled, the user's profile updates to display this state.

User Actions

On the Users list page, the Actions column displays a dropdown list of actions (displayed in the following screenshot) that each user can perform based on group membership and permissions. The list display begins with the available Suite Admin action for this user followed by the module-level actions. 

The following table identifies the actions available at the Suite Level.

| Suite-Level Actions | Multi-Select Action? | Description |
|---|---|---|
| Edit User | No | Users with suite administrator permissions and/or tenant administrator permissions for this tenant can edit any user's profile by changing the first/middle/last name and email, Configure metadata details, Configure groups, Reset password, or disable the user. |
| Reset Password | No | |
| Disable/Enable User | No | Once disabled, you must first enable a user to assign the user to a group and to see other Actions for this user. |
| Delete User | No | As each user/tenant/sub-tenant may have a separate set of dependencies, multi-selection is not possible for this action. See the Delete User section below for additional details. While this function is possible in this release, selecting multiple users to delete at the same time may lead to unpredictable consequences. Only delete one user at a time. |
| Impersonate User | No | A suite administrator or a tenant administrator can temporarily sign into the CloudCenter Suite as a different user. See the Impersonate User section below for additional details. |
| Manage Groups | No | Users with suite administrator permissions and/or tenant administrator permissions for this tenant can manage groups. See Custom Groups by Admin for additional details. |
| Module-Level Actions | | This is a fluid list based on which module-specific actions were made available for each tenant, user, and module. See Manage Module-Specific Content for additional details. |
| Generate API Key | | A suite administrator can generate an API key for any user. See API Key for details. |

Disable/Enable User

The Enable column allows administrators to individually enable or disable CloudCenter Suite users. Any user is enabled by default.

If a user deletion is in process, this user is automatically moved to the Disabled state as described in the Delete User section below.

Delete User

When you, as the administrator, attempt to delete a CloudCenter Suite user (or tenant or sub-tenant), the Suite Admin triggers a confirmation process to verify (with each module) that the resource can be deleted. If all product modules confirm the deletion, then the user (or tenant or sub-tenant) deletion is permitted to proceed. If the resource cannot be deleted, the module returns a failure message with information about associated resources.

As this process confirms with each module, the notification in the UI header continues to remain in the spinning state until the verification process is complete. This latency is based on the number of modules associated with this user. During this process, the user is placed in a disabled state (Delete Pending) until the deletion can be confirmed by all modules as displayed in the following screenshot.


Impersonate User

User impersonation allows you to temporarily sign into any CloudCenter Suite module as a different user. Suite and tenant administrators can impersonate all other users in their tenants and sub-tenants and take any action, regardless of the permission level of the user being impersonated.

There are a number of reasons why you might want to impersonate a user:

  • To help another user troubleshoot an issue. 

  • To make changes on behalf of another user (for example, a user is away on vacation and you want to manage content managed by the user on vacation).

Restrictions

When impersonating another user, be aware of the following restrictions:

  • Impersonators appear as themselves in the change history.

  • You can only impersonate one user at a time.

  • If the user you impersonate has permission to modify your role, you cannot modify your own CloudCenter Suite role access for the duration of the impersonation.

  • A tenant admin can impersonate a user within the entire sub-tenant tree – this behavior supports multiple troubleshooting and content management scenarios.

  • A tenant admin cannot impersonate a suite admin.

  • Module Admins who manage user/groups for their module(s) are not allowed to impersonate users.

  • When impersonating an Admin user (who has permission to manage groups, disable user, or delete user), these actions cannot be performed for the originally logged in user – even if this user is an admin.

Logs

In the history and log files, the Tenant ID and email of the admin who impersonated a user will be displayed for the actions taken during the impersonation session.

When an administrator impersonates another user and performs any operation, the log files will display the original User ID, the impersonated User ID, and the impersonated user’s Tenant ID in the POD details for the corresponding service as visible in the following DEBUG snippet:

./common-framework-suite-idm-85dc97c79f-zjf4l:[[originalUserId=1&userId=2&tenantId=1]] 2019-07-23 19:14:39,742 DEBUG com.cisco.cpsg.idm.controller.helper.UserHelperImpl [http-nio-8080-exec-4] - product list for user 2: [com.cisco.cpsg.prodregistry.api.v1.dto.ProductDto@77771337, com.cisco.cpsg.prodregistry.api.v1.dto.ProductDto@2c1c70b0]
./common-framework-suite-idm-85dc97c79f-zjf4l:[[originalUserId=1&userId=2&tenantId=1]] 2019-07-23 19:14:40,161 DEBUG com.cisco.cpsg.idm.controller.helper.UserHelperImpl [http-nio-8080-exec-6] - product list for user 2: [com.cisco.cpsg.prodregistry.api.v1.dto.ProductDto@620f9219, com.cisco.cpsg.prodregistry.api.v1.dto.ProductDto@63c2a6be]
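For audit review, the following added example (not part of the Cisco documentation or product code) parses log lines in the format shown above and groups actions taken under impersonation by administrator, impersonated user, and tenant. It assumes an entry is impersonated when originalUserId is present and differs from userId; the message bodies in the sample are shortened and the last two sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs

# <pod>:[[key=value&...]] <timestamp> <LEVEL> ...
LINE_RE = re.compile(
    r"^(?P<pod>\S+?):\[\[(?P<ctx>[^\]]*)\]\]\s+"
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s+(?P<level>[A-Z]+)\s"
)

def parse_line(line):
    """Return the context of one log line, or None if it is not in this format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ctx = {k: v[0] for k, v in parse_qs(m["ctx"]).items()}
    return {
        "pod": m["pod"].lstrip("./"),
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f"),
        "original": ctx.get("originalUserId"),
        "user": ctx.get("userId"),
        "tenant": ctx.get("tenantId"),
    }

def impersonation_sessions(lines):
    """Group impersonated actions by (admin id, impersonated id, tenant id)."""
    sessions = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for rec in filter(None, map(parse_line, lines)):
        # Assumption: ordinary entries lack originalUserId or repeat userId in it.
        if not rec["original"] or rec["original"] == rec["user"]:
            continue
        s = sessions[(rec["original"], rec["user"], rec["tenant"])]
        s["count"] += 1
        s["first"] = min(s["first"] or rec["ts"], rec["ts"])
        s["last"] = max(s["last"] or rec["ts"], rec["ts"])
    return dict(sessions)

POD = "./common-framework-suite-idm-85dc97c79f-zjf4l"
SAMPLE = [
    # First two lines follow the DEBUG snippet above, message bodies shortened.
    POD + ":[[originalUserId=1&userId=2&tenantId=1]] 2019-07-23 19:14:39,742 DEBUG UserHelperImpl - product list for user 2",
    POD + ":[[originalUserId=1&userId=2&tenantId=1]] 2019-07-23 19:14:40,161 DEBUG UserHelperImpl - product list for user 2",
    # Constructed: an entry without impersonation, and a line in another format.
    POD + ":[[userId=3&tenantId=1]] 2019-07-23 19:15:02,010 DEBUG UserHelperImpl - product list for user 3",
    "unrelated line without a context block",
]

if __name__ == "__main__":
    for key, s in impersonation_sessions(SAMPLE).items():
        print(key, s["count"], s["first"], s["last"])
```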

Process

To impersonate a CloudCenter Suite user, follow this procedure.

  1. Navigate to the Suite Admin Dashboard, click your account profile dropdown, and click the Impersonate User link (displayed in the following screenshot) to initiate the process.

    Alternately, you can navigate to the Users page and click the Actions dropdown (displayed in the following screenshot) for the required user.

  2. In the Impersonate User popup displayed in the following screenshot, enter the Tenant Login ID and email address for the user to be impersonated.

  3. Click Start to begin the impersonation session and click Confirm to confirm the impersonation for this user.

  4. Once you confirm, you see a new header in the UI to indicate that you are impersonating the identified user. The Last Login session details change based on the impersonation details as displayed in the following screenshot.

    You can exit the impersonation session in one of two ways:

    • Click Logout in your account profile dropdown to exit the impersonation mode and log out of the Suite Admin UI.

    • Click Exit Impersonation in the impersonation header to exit the impersonation mode and continue to work in the Suite Admin UI.

© 2017-2019 Cisco Systems, Inc. All rights reserved