Creating groups for an S3 tenant

You can manage permissions for S3 user groups by importing federated groups or creating local groups.

Before you begin

Procedure

  1. Select ACCESS MANAGEMENT > Groups.
    The Groups page appears and lists the current groups.
    screenshot showing Access Control > Groups page
  2. Select Create group.
    Step 1 (Choose a group type) appears.
    screenshot showing Add Group dialog box
  3. Select the Local group tab to create a local group, or select the Federated group tab to import a group from the previously configured identity source.
    Attention: If single sign-on (SSO) is enabled for your StorageGRID system, users belonging to local groups will not be able to sign in to the Tenant Manager, although they can use client applications to manage the tenant's resources, based on group permissions.
  4. Enter the group's name.
    • Local group: Enter both a display name and a unique name for this group. You can edit the display name later.
    • Federated group: Enter the unique name of the federated group.
    Note: For Active Directory, the unique name is the name associated with the sAMAccountName attribute. For OpenLDAP, the unique name is the name associated with the uid attribute.
  5. Select Continue.
    Step 2 (Manage permissions) appears.
  6. For Access mode, select one of the following choices:
    • Read-write (default): Users can log into Tenant Manager and manage the tenant configuration.
    • Read-only: Users can only view settings and features. They cannot make any changes or perform any operations in the Tenant Manager or Tenant Management API. Local read-only users can change their own passwords.
    Note: If a user belongs to multiple groups and any group is set to Read-only, the user will have read-only access to all selected settings and features.
  7. Select the Group permissions for this group.
    See the information about tenant management permissions.
  8. Select Continue.
    Step 3 (Set S3 group policy) appears.
  9. Select a group policy to determine which S3 access permissions the members of this group will have.
    • No S3 Access (default): Users in this group do not have access to S3 resources, unless access is granted with a bucket policy. If you select this option, only the root user will have access to S3 resources by default.
    • Read Only Access: Users in this group have read-only access to S3 resources. For example, users in this group can list objects and read object data, metadata, and tags. When you select this option, the JSON string for a read-only group policy appears in the text box. You cannot edit this string.
    • Full Access: Users in this group have full access to S3 resources, including buckets. When you select this option, the JSON string for a full-access group policy appears in the text box. You cannot edit this string.
    • Custom: Users in the group are granted the permissions you specify in the text box.

    See the instructions for implementing an S3 client application for detailed information about group policies, including language syntax and examples.

  10. If you selected Custom, enter the group policy.

    Each group policy has a size limit of 5,120 bytes. You must enter a valid JSON-formatted string.

    In this example, members of the group are only permitted to list and access a folder matching their username (key prefix) in the specified bucket. Note that permissions granted by other group policies and by the bucket policy also apply, so consider them when determining how private these folders actually are.
    Adding a custom group policy to a tenant group
  11. Select the button that appears, depending on whether you are creating a federated group or a local group:
    • Federated group: Create group
    • Local group: Continue
    If you are creating a local group, step 4 (Add users) appears after you select Continue. This step does not appear for federated groups.
  12. Select the check box for each user you want to add to the group, then select Create group.
    Optionally, you can save the group without adding users. You can add users to the group later, or select the group when you add new users.
    A confirmation message appears in the upper right corner of the page.
  13. Select Finish.

    The group you created appears in the list of groups. Changes might take up to 15 minutes to take effect because of caching.
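As an added example (not from the original page or NetApp), the following Python builds the kind of custom group policy step 10 describes, one that confines each member to the key prefix matching their own username, and checks the result against the two rules stated in that step: valid JSON and no more than 5,120 bytes. The `${aws:username}` policy variable and the bucket name `example-bucket` are assumptions; the page does not show the policy JSON itself.

```python
import json

# Size limit for a custom group policy, as stated on this page.
MAX_POLICY_BYTES = 5120


def build_username_folder_policy(bucket):
    """Return a group policy (dict) that lets each member list and access
    only the prefix matching their own username inside `bucket`.
    Assumption: the ${aws:username} policy variable is supported."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Statement": [
            {
                # Listing the bucket is limited to the user's own prefix.
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": bucket_arn,
                "Condition": {"StringLike": {"s3:prefix": "${aws:username}/*"}},
            },
            {
                # Object operations are limited to keys under that prefix.
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
                "Resource": f"{bucket_arn}/${{aws:username}}/*",
            },
        ]
    }


def render_policy(policy):
    """Serialize the policy as the JSON text you would paste into the text box."""
    return json.dumps(policy, indent=2)


def validate_group_policy(policy_text):
    """Check a policy string against the page's rules before pasting it:
    it must be valid JSON with a non-empty Statement list and fit in
    MAX_POLICY_BYTES. Returns (ok, reason)."""
    size = len(policy_text.encode("utf-8"))
    if size > MAX_POLICY_BYTES:
        return False, f"policy is {size} bytes; limit is {MAX_POLICY_BYTES}"
    try:
        doc = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        return False, f"not valid JSON: {exc.msg}"
    if not isinstance(doc, dict) or not isinstance(doc.get("Statement"), list) or not doc["Statement"]:
        return False, "policy has no Statement list"
    return True, "ok"


if __name__ == "__main__":
    text = render_policy(build_username_folder_policy("example-bucket"))
    print(text)
    print(validate_group_policy(text))
```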