Creating groups for a Swift tenant

You can manage access permissions for a Swift tenant account by importing federated groups or creating local groups. At least one group must have the Swift Administrator permission, which is required to manage the containers and objects for a Swift tenant account.

Before you begin

Procedure

  1. Select ACCESS MANAGEMENT > Groups.
    The Groups page appears and lists the current groups.
    screenshot showing Access Control > Groups page
  2. Select Create group.
    Step 1 (Choose a group type) appears.
    Tenant Add Swift Group Local
  3. Select the Local group tab to create a local group, or select the Federated group tab to import a group from the previously configured identity source.
    Attention: If single sign-on (SSO) is enabled for your StorageGRID system, users belonging to local groups will not be able to sign in to the Tenant Manager, although they can use client applications to manage the tenant's resources, based on group permissions.
  4. Enter the group's name.
    If you selected... Enter...
    Local group Both a display name and a unique name for this group. You can edit the display name later.
    Federated group The unique name of the federated group.
    Note: For Active Directory, the unique name is the name associated with the sAMAccountName attribute. For OpenLDAP, the unique name is the name associated with the uid attribute.
  5. Select Continue.
    Step 2 (Manage permissions) appears.
  6. For Access mode, select one of the following:
    • Read-write (default): Users can log into Tenant Manager and manage the tenant configuration.
    • Read-only: Users can only view settings and features. They cannot make any changes or perform any operations in the Tenant Manager or Tenant Management API. Local read-only users can change their own passwords.
    Note: If a user belongs to multiple groups and any group is set to Read-only, the user will have read-only access to all selected settings and features.
  7. For Group permissions, make one of the following choices:
    • Select the Root Access check box if users need to sign in to the Tenant Manager or Tenant Management API. (Default)
    • Unselect the Root Access check box if users do not need access to the Tenant Manager or Tenant Management API. For example, unselect the check box for applications that do not need to access the tenant. Then, assign the Swift Administrator permission to allow these users to manage containers and objects.
  8. Select Continue.
    Step 3 (Set Swift group policy) appears.
  9. Select the Swift administrator check box if the user needs to be able to use the Swift REST API.
    Attention: Swift users must have the Root Access permission to access the Tenant Manager. However, the Root Access permission does not allow users to authenticate into the Swift REST API to create containers and ingest objects. Users must have the Swift Administrator permission to authenticate into the Swift REST API.
  10. Select the button that appears, depending on whether you are creating a federated group or a local group:
    • Federated group: Create group
    • Local group: Continue
    If you are creating a local group, step 4 (Add users) appears after you select Continue. This step does not appear for federated groups.
  11. Select the check box for each user you want to add to the group, then select Create group.
    Optionally, you can save the group without adding users. You can add users to the group later, or select the group when you create new users.
    A confirmation message appears in the upper right corner of the page.
  12. Select Finish.

    The group you created appears in the list of groups. Changes might take up to 15 minutes to take effect because of caching.