Skip to main content

Manage remote users and groups

Contributors netapp-mwallis netapp-dbagwell

If you have enabled LDAP authentication on your Astra Control system, you can search for LDAP users and groups, and include them in the approved users of the system.

Add a remote user

Account Owners and Admins can add remote users to Astra Control. Astra Control Center supports up to 10,000 LDAP remote users.

Important Astra Control Center uses the user login attribute, configured when remote authentication is enabled, to search for and keep track of remote users. An attribute of an email address ("mail") or user principal name ("userPrincipalName") must exist in this field for any remote user you wish to appear in Astra Control Center. This attribute is used as the username in Astra Control Center for authentication and in searches for remote users.
Note You cannot add a remote user if a local user with the same email address (based on the "mail" or "user principal name" attribute) already exists on the system. To add the user as a remote user, delete the local user from the system first.
Steps
  1. Go to the Account area.

  2. Select the Users & groups tab.

  3. At the far right of the page, select Remote users.

  4. Select Add.

  5. Optionally, search for an LDAP user by entering the user's email address in the Filter by email field.

  6. Select one or more users from the list.

  7. Assign a role to the user.

    Note If you assign different roles to a user and the user's group, the more permissive role takes precedence.
  8. Optionally, assign one or more namespace constraints to this user, and select Restrict role to constraints to enforce them. You can add a new namespace constraint by selecting Add constraint.

    Note When a user is assigned multiple roles through LDAP group membership, the constraints in the most permissive role are the only ones that take effect. For example, if a user with a local Viewer role joins three groups that are bound to the Member role, the sum of the constraints from the Member roles take effect, and any constraints from the Viewer role are ignored.
  9. Select Add.

Result

The new user appears in the list of remote users. In this list, you can see active constraints on the user as well as manage the user from the Actions menu.

Add a remote group

To add many remote users at once, account Owners and Admins can add remote groups to Astra Control. When you add a remote group, all remote users in that group are available to log in to Astra Control and will inherit the same role as the group.

Astra Control Center supports up to 5,000 LDAP remote groups.

Steps
  1. Go to the Account area.

  2. Select the Users & groups tab.

  3. At the far right of the page, select Remote groups.

  4. Select Add.

    In this window, you can see a list of the common names and distinguished names of LDAP groups that Astra Control retrieved from the directory.

  5. Optionally, search for an LDAP group by entering the group's common name in the Filter by common name field.

  6. Select one or more groups from the list.

  7. Assign a role to the groups.

    Note The role you select is assigned to all users in this group. If you assign different roles to a user and the user's group, the more permissive role takes precedence.
  8. Optionally, assign one or more namespace constraints to this group, and select Restrict role to constraints to enforce them. You can add a new namespace constraint by selecting Add constraint.

    Note
    • If the resources being accessed belong to clusters that have the latest Astra Connector installed: When a user is assigned multiple roles through LDAP group membership, the constraints from the roles are combined. For example, if a user with a local Viewer role joins three groups that are bound to the Member role, the user now has Viewer role access to the original resources as well as Member role access to the resources gained through group membership.

    • If the resources being accessed belong to clusters that do not have Astra Connector installed: When a user is assigned multiple roles through LDAP group membership, the constraints from the most permissive role are the only ones that take effect.

  9. Select Add.

Result

The new group appears in the list of remote groups. Remote users in this group don't appear in the list of remote users until each remote user logs in. In this list, you can see details about the group as well as manage the group from the Actions menu.