Managing user groups
Enabling the display of groups in blitz.conf
If Blitz Identity Provider is configured to work with user groups, a Groups section appears in the admin console.
To enable viewing of user groups, add the following groups settings block to blitz.prod.local.idp in blitz.conf:
```json
"groups": {
  "profiles": [
    {
      "attrsMap": {
        "INN": "inn",
        "NAME": "orgname",
        "OGRN": "ogrn",
        "desc": "description",
        "members": {
          "name": "uniqueMember",
          "type": "strings"
        }
      },
      "attrsMeta2": [
        { "INN": "inn" },
        { "NAME": "orgname" },
        { "OGRN": "ogrn" },
        { "desc": "description" },
        {
          "members": {
            "name": "uniqueMember",
            "type": "strings"
          }
        }
      ],
      "filter": "objectClass=organizationgroup",
      "groupStore": "389ds",
      "id": "orgs",
      "type": "mirror",
      "memberOfWithNested": true
    }
  ],
  "stores": {
    "list": [
      {
        "baseDN": "ou=external,ou=groups,dc=test",
        "desc": "Groups",
        "id": "389ds",
        "idAttrName": "cn",
        "ldapStore": "389ds",
        "memberOfAttrName": "memberOf",
        "membersAttrName": "uniqueMember",
        "newGroupAttrs": [
          {
            "attr": "objectclass",
            "format": "strings",
            "value": "top,groupOfUniqueNames,organizationgroup"
          },
          {
            "attr": "dn",
            "format": "string",
            "value": "cn=${id},ou=external,ou=groups,dc=test"
          }
        ],
        "searchScope": "SUB",
        "type": "ldap_based"
      }
    ]
  }
}
```
Specifics of settings:
- profiles.groupStore, stores.list.id and stores.list.ldapStore must all be the identifier of the LDAP directory used to store users (389ds in the example above);
- profiles.attrsMap and stores.list.idAttrName must refer to attributes of the group object class (for example cn for the group name). The attributes can be named differently if desired, but only LDAP attributes of type String are supported;
- in stores.list.baseDN, check (and correct if necessary) the LDAP path under which organizations are stored. If you change the path, adjust the "value": "cn=${id},ou=external,ou=groups,dc=test" setting in newGroupAttrs to match, otherwise groups created from the console will be written outside the base DN that is searched;
- in profiles.memberOfWithNested, specify true or false depending on whether the user's groups should be searched through nested groups (every group the user belongs to, including groups that contain one of their groups) or only direct membership;
- for Microsoft AD, the membersAttrName parameter must have the value memberOf. Note that in the AD schema member is the group-side attribute listing members and memberOf is the back-link on the user object, so verify this value against your directory before relying on it.
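The consistency rules above are easy to get wrong when the base DN or store identifiers are changed by hand. The following script is an added example, not part of Blitz Identity Provider or its documentation: it checks a groups block against those rules and then shows, on a constructed in-memory directory dump, how the set of groups returned for a user differs between memberOfWithNested true and false. The sample configuration is copied in shape from the block above; the user DNs, the extra holding group, the helper names (check_groups_conf, groups_of, conf_with) and the assumption that a plain string in attrsMap means a String attribute are all assumptions made for the example.

```python
"""Added example: sanity checks for a blitz.conf "groups" block plus a toy
nested-membership resolver.  Not Blitz Identity Provider code."""
import json

# Constructed sample, shaped like the groups block on the page (not a real deployment).
GROUPS_CONF = json.loads("""
{
  "profiles": [
    {
      "attrsMap": {
        "INN": "inn",
        "NAME": "orgname",
        "desc": "description",
        "members": {"name": "uniqueMember", "type": "strings"}
      },
      "filter": "objectClass=organizationgroup",
      "groupStore": "389ds",
      "id": "orgs",
      "type": "mirror",
      "memberOfWithNested": true
    }
  ],
  "stores": {
    "list": [
      {
        "baseDN": "ou=external,ou=groups,dc=test",
        "id": "389ds",
        "idAttrName": "cn",
        "ldapStore": "389ds",
        "memberOfAttrName": "memberOf",
        "membersAttrName": "uniqueMember",
        "newGroupAttrs": [
          {"attr": "objectclass", "format": "strings",
           "value": "top,groupOfUniqueNames,organizationgroup"},
          {"attr": "dn", "format": "string",
           "value": "cn=${id},ou=external,ou=groups,dc=test"}
        ],
        "searchScope": "SUB",
        "type": "ldap_based"
      }
    ]
  }
}
""")

# Assumption: a bare attribute name in attrsMap is a String attribute; "strings" is multi-valued String.
ALLOWED_TYPES = {"string", "strings"}


def check_groups_conf(conf, user_ldap_store_ids):
    """Return a list of problems found in a groups block (empty list means consistent).

    user_ldap_store_ids: identifiers of the LDAP directories holding users; the page
    requires profiles.groupStore, stores.list.id and stores.list.ldapStore to be one of them.
    """
    problems = []
    stores = {s["id"]: s for s in conf["stores"]["list"]}
    for sid, store in stores.items():
        if sid not in user_ldap_store_ids or store["ldapStore"] not in user_ldap_store_ids:
            problems.append(f"store {sid}: id and ldapStore must name the user LDAP store")
        # The dn template for new groups must place them under the searched baseDN.
        dn_tmpl = next((a["value"] for a in store["newGroupAttrs"] if a["attr"].lower() == "dn"), None)
        if dn_tmpl is None:
            problems.append(f"store {sid}: newGroupAttrs lacks a dn template")
        elif "${id}" not in dn_tmpl:
            problems.append(f"store {sid}: dn template {dn_tmpl!r} has no ${{id}} placeholder")
        elif not dn_tmpl.lower().endswith("," + store["baseDN"].lower()):
            problems.append(f"store {sid}: dn template {dn_tmpl!r} is not under baseDN {store['baseDN']!r}")
    for prof in conf["profiles"]:
        if prof["groupStore"] not in stores:
            problems.append(f"profile {prof['id']}: groupStore {prof['groupStore']!r} is not a configured store")
        if not isinstance(prof.get("memberOfWithNested"), bool):
            problems.append(f"profile {prof['id']}: memberOfWithNested must be true or false")
        for key, spec in prof["attrsMap"].items():
            typ = spec.get("type", "string") if isinstance(spec, dict) else "string"
            if typ not in ALLOWED_TYPES:
                problems.append(f"profile {prof['id']}: attribute {key!r} has unsupported type {typ!r}")
    return problems


def conf_with(conf, **store_overrides):
    """Deep copy of conf with fields of the first store overridden (for what-if checks)."""
    copy = json.loads(json.dumps(conf))
    copy["stores"]["list"][0].update(store_overrides)
    return copy


# Constructed directory dump: alice is a direct member of org1, and org1 is itself a member of holding.
ALICE = "uid=alice,ou=users,dc=test"
BOB = "uid=bob,ou=users,dc=test"
ORG1 = "cn=org1,ou=external,ou=groups,dc=test"
ORG2 = "cn=org2,ou=external,ou=groups,dc=test"
HOLDING = "cn=holding,ou=external,ou=groups,dc=test"
SAMPLE_GROUPS = {
    ORG1: {"uniqueMember": [ALICE]},
    ORG2: {"uniqueMember": [BOB]},
    HOLDING: {"uniqueMember": [ORG1]},
}


def groups_of(user_dn, groups, members_attr, nested):
    """Toy resolver over {group_dn: {members_attr: [dn, ...]}}.

    nested=False returns only groups listing user_dn directly; nested=True also walks
    up through groups that contain one of those groups, which is the search that
    memberOfWithNested=true asks for.
    """
    direct = {g for g, attrs in groups.items() if user_dn in attrs.get(members_attr, [])}
    if not nested:
        return sorted(direct)
    result, frontier = set(direct), list(direct)
    while frontier:
        g = frontier.pop()
        for parent, attrs in groups.items():
            if g in attrs.get(members_attr, []) and parent not in result:
                result.add(parent)
                frontier.append(parent)
    return sorted(result)


if __name__ == "__main__":
    for line in check_groups_conf(GROUPS_CONF, {"389ds"}) or ["groups block is consistent"]:
        print(line)
    for nested in (False, True):
        print(f"memberOfWithNested={str(nested).lower()}:", groups_of(ALICE, SAMPLE_GROUPS, "uniqueMember", nested))
```

Run the script against your own groups block by replacing GROUPS_CONF; the baseDN check in particular catches the case where the directory path was moved but the cn=${id},... template in newGroupAttrs was not, so groups created from the console would land outside the tree the filter searches.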
Working with groups
In the Groups section you can search for groups by any of the configured attributes, edit groups, create and delete groups, and manage user membership in groups.
For each group found, its attributes are displayed. In addition, the Group Members block lists all users included in the group. For each user the following is displayed:
- the user identifier;
- the user name, built according to the template defined in the Data sources section (Username on console).
You can edit group attributes, delete a group, add users to a group using the Add user… link, remove a user from a group, and create new user groups using the Create a group… link.
Adding a user to a group: