System Access Management for Tenant Users
You can create local tenant groups and users. A federated identity source is not supported at product launch.
Manage Groups
Assign permissions to user groups and control which tasks tenant users can perform.
Create Groups for an S3 Tenant
You can manage permissions for S3 user groups by creating local groups.
Before you begin:
- You must be signed in to the Tenant Manager using a supported browser.
- You must have specific access permissions.
To create groups for an S3 tenant:
- Select Access Control > Groups.
- Click Add to add a group.
- Select the Local type option.
- Enter the group's display name and unique name. Note: You can edit the display name later.
- Select the tenant account permissions you want to assign to this group. See Permissions for details.
- From the Group Policy drop-down list, select how you want to create the group policy that defines which S3 access permissions members of the group will have.
- If you select Custom, enter the group policy.
- Click Save.
Option | Description |
---|---|
No S3 Access | Default – Users in this group cannot access S3 resources, unless access is granted with a bucket policy. If you select this option, only the root user will have access to S3 resources by default. |
Read Only Access | Users in this group have read-only access to S3 resources. For example, users in this group can list objects and read object data, metadata, and tags. When you select this option, the JSON string for a read-only group policy appears. You cannot edit this string. |
Full Access | Users in this group have full access to S3 resources, including buckets. When you select this option, the JSON string for a full-access group policy appears. You cannot edit this string. |
Custom | Users in this group are granted the permissions you specify. See instructions to implement an S3 client application for details on group policies, language syntax and examples. |
Note: Each group policy has a size limit of 5,120 bytes. You must enter a valid JSON formatted string.
In this example, members of the group are only permitted to list and access their specific folder (key prefix) in the specified bucket. Access permissions from other group policies and the bucket policy should be considered when determining the privacy of these folders.
Note: New group policies might take up to 15 minutes to take effect because of caching.
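The following is an added example, not the page's own policy text: it builds a Custom group policy of the kind described above (each member confined to the key prefix named after their own username in one bucket) and checks it against the two constraints stated on this page, valid JSON and the 5,120-byte limit, plus a least-privilege lint. The bucket name is a placeholder, and the `${aws:username}` policy variable is assumed to be expanded per requesting user by the tenant's policy engine; this page does not state that.

```python
import json

MAX_POLICY_BYTES = 5120  # documented limit for a tenant group policy


def prefix_scoped_group_policy(bucket: str) -> dict:
    """Policy confining each member to the prefix named after their username.
    ASSUMPTION: the engine expands the IAM-style ${aws:username} variable per
    requesting user; this page does not say so. `bucket` is a placeholder."""
    return {
        "Statement": [
            {
                "Sid": "ListOnlyOwnPrefix",
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringLike": {"s3:prefix": "${aws:username}/*"}},
            },
            {
                "Sid": "ObjectAccessOnlyInOwnPrefix",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
                "Resource": f"arn:aws:s3:::{bucket}/${{aws:username}}/*",
            },
        ]
    }


def render_group_policy(policy: dict) -> str:
    # Compact JSON text, as it would be pasted into the Custom group policy field.
    return json.dumps(policy, separators=(",", ":"))


def validate_group_policy(policy_text: str) -> list:
    """Return problems found (empty = acceptable): the two documented checks
    (valid JSON, 5,120-byte limit) plus a lint rejecting an Allow on every resource."""
    problems = []
    size = len(policy_text.encode("utf-8"))
    if size > MAX_POLICY_BYTES:
        problems.append(f"policy is {size} bytes; limit is {MAX_POLICY_BYTES}")
    try:
        policy = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        return problems + [f"not valid JSON: {exc.msg} at offset {exc.pos}"]
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    for i, st in enumerate(statements):
        res = st.get("Resource", [])
        res = [res] if isinstance(res, str) else res
        if st.get("Effect") == "Allow" and any(r in ("*", "arn:aws:s3:::*") for r in res):
            problems.append(f"statement {i} ({st.get('Sid', 'no Sid')}) allows a wildcard resource")
    return problems
```

Remember that the bucket policy and any other group policy a member belongs to still apply; this check covers only the text of one group policy.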
Permissions
Tenant management permissions are assigned to groups and determine which tasks users can perform using the Tenant Manager or the Tenant Management API. A user can belong to one or more groups.
To sign in to the Tenant Manager or to use the Tenant Management API, users must belong to a group that has at least one permission. All users who can sign in can perform the following tasks:
- View the dashboard
- Change their own password (for local users)
You can assign the following permissions to a group.
Note: Changes might take up to 15 minutes to take effect because of caching.
Permission | Description |
---|---|
Root Access | Provides full access to the Tenant Manager and the Tenant Management API. |
Manage Your Own S3 Credentials | For S3 tenants only, allows users to create and remove their own S3 access keys. Note: Users without this permission will not see the S3 > My Credentials menu option. |
Manage All Containers | |
Manage Endpoints | For S3 tenants only, allows users to use the Tenant Manager or the Tenant Management API to create or edit the endpoints used as the destination for StorageGRID platform services. Note: Users without this permission will not see the S3 > Endpoints menu option. |
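An added example (not product code) that models the sign-in rules stated on this page: permissions are cumulative across a user's groups, a user needs at least one permission to sign in, and a user flagged Deny access (described under Create Local Users) cannot sign in regardless of membership. The sample groups and users are constructed for illustration; `audit` is a hypothetical helper for reviewing who can sign in and who holds Root Access after group or membership changes.

```python
from dataclasses import dataclass

ROOT_ACCESS = "Root Access"

@dataclass(frozen=True)
class Group:
    unique_name: str
    permissions: frozenset  # tenant management permissions from the table above

@dataclass(frozen=True)
class User:
    unique_name: str
    groups: tuple          # unique names of the local groups the user belongs to
    deny_access: bool = False

def effective_permissions(user: User, groups: dict) -> frozenset:
    """Permissions are cumulative: the union over every group the user is in."""
    perms = set()
    for name in user.groups:
        perms |= groups[name].permissions
    return frozenset(perms)

def can_sign_in(user: User, groups: dict) -> bool:
    """Needs at least one permission and must not be flagged Deny access."""
    return not user.deny_access and bool(effective_permissions(user, groups))

def audit(users: list, groups: dict) -> dict:
    """Sorted names of users who can sign in, and of users who hold Root Access
    through any group (hypothetical review helper, not a product feature)."""
    return {
        "can_sign_in": sorted(u.unique_name for u in users if can_sign_in(u, groups)),
        "root_access": sorted(
            u.unique_name for u in users
            if ROOT_ACCESS in effective_permissions(u, groups)
        ),
    }

# Constructed sample tenant (not from the page).
SAMPLE_GROUPS = {
    "admins": Group("admins", frozenset({ROOT_ACCESS})),
    "keys": Group("keys", frozenset({"Manage Your Own S3 Credentials"})),
    "viewers": Group("viewers", frozenset()),  # no permission: cannot sign in
}
SAMPLE_USERS = [
    User("alice", ("admins",)),
    User("bob", ("keys", "viewers")),
    User("carol", ("admins",), deny_access=True),  # temporarily suspended
    User("dave", ("viewers",)),
]
```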
Clone Groups
Clone an existing group to create new groups more quickly.
Before you begin, you must:
- Be signed in to the Tenant Manager on a supported browser
- Have specific access permissions
To clone a group:
- Select Access Control > Groups.
- Select the group you want to clone.
- Click Clone.
- Select Local for the group's type to create a local group.
- Enter a Display Name and a Unique Name for the group. Note: You can edit the display name later.
- Assign permissions to this group.
- If you are cloning a group for an S3 tenant, select a different option from the Group Policy drop-down list as needed.
- If you selected a Custom policy, update the JSON string as required.
- Click Save.
Note: If your system includes more than 20 items, you can specify the number of rows to be shown on each page at a time. You can then use your browser's find feature to search for a specific item in the currently displayed rows.
Note: New group policies might take up to 15 minutes to take effect because of caching.
Edit Groups
You can edit a group to change the display name of a local group, or to update permissions.
Before you begin, you must:
- Be signed in to the Tenant Manager on a supported browser
- Have specific access permissions
To edit a group:
- Select Access Control > Groups.
- Select the group you want to edit.
- Click Edit.
- If you are editing a local group, update the display name as needed.
- Update the permissions as needed.
- For an S3 tenant, from the Group Policy drop-down list, select a different option.
- If you selected a Custom policy, update the JSON string as required.
- Click Save.
Note: If your system includes more than 20 items, you can specify the number of rows to be shown on each page at a time. You can then use your browser's find feature to search for a specific item in the currently displayed rows.
Note: You can't change a group's unique name, or edit the display name for a federated group.
Note: Changes might take up to 15 minutes to take effect because of caching.
Removing Groups
Once a group is removed, users who belong to that group will no longer be able to sign in to the Tenant Manager or use the tenant account.
Before you begin, you must:
- Be signed in to the Tenant Manager on a supported browser
- Have specific access permissions
To remove a group:
- Select Access Control > Groups.
- Select the group you want to remove.
- Click Remove. A confirmation message appears.
- Click OK to confirm you want to remove the group.
Note: If your system includes more than 20 items, you can specify the number of rows to be shown on each page at a time. You can then use your browser's find feature to search for a specific item in the currently displayed rows.
Manage Local Users
Create local users and assign them to local admin groups to determine the Tenant Manager features that users can access. The Tenant Manager includes one predefined local user, named “root.”
Note: You can't remove the root user, although you can add and/or remove local users.
Create Local Users
Create local users and assign them to one or more local groups to control their access permissions. Because local users must be assigned to local groups, you should create the groups before creating the users.
Before you begin, you must:
- Be signed in to the Tenant Manager on a supported browser
- Have specific access permissions
To create a local user:
- Select Access Control > Users.
- Click Create.
- Complete the following fields:
  - Full name – The full name for the user, for example, the first name and last name of a person or the name of an application.
  - Unique name – A unique username, which the user will use to sign in.
  - Deny access – If selected, the user cannot sign in to the tenant account, even if the user belongs to one or more groups. Note: You can use this to temporarily suspend a user's ability to sign in.
  - Password – A password, which the user will use to sign in.
- In the Group Membership section, select one or more local groups. Note: Permissions are cumulative; users have all permissions for all groups they belong to.
- Click Save.
Clone Local Users
Clone a local user to create a new user more quickly.
Before you begin, you must:
- Be signed in to the Tenant Manager on a supported browser
- Have specific access permissions
To clone a user:
- Select Access Control > Users.
- Select the user you want to clone.
- Click Clone.
- Complete the following fields:
  - Full name – The full name for the user, for example, the first name and last name of a person or the name of an application.
  - Unique name – A unique username, which the user will use to sign in.
  - Deny access – If selected, the user cannot sign in to the tenant account, even if the user belongs to one or more groups. Note: You can use this to temporarily suspend a user's ability to sign in.
  - Password – A password, which the user will use to sign in.
- In the Group Membership section, select one or more local groups. Note: Permissions are cumulative; users have all permissions for all groups they belong to.
- Click Save.
Note: If your system includes more than 20 items, you can specify the number of rows to be shown on each page at a time. You can then use your browser's find feature to search for a specific item in the currently displayed rows.
Edit Local Users
Edit local users to change their names, prevent them from being able to access the tenant, or assign them to different groups.
Before you begin, you must:
- Be signed in to the Tenant Manager on a supported browser
- Have specific access permissions
To edit a user:
- Select Access Control > Users.
- Select the user you want to edit.
- Click Edit.
- Update the following fields as required:
  - Full name – The full name for the user, for example, the first name and last name of a person or the name of an application.
  - Deny access – If selected, the user cannot sign in to the tenant account, even if the user belongs to one or more groups. Note: You can use this to temporarily suspend a user's ability to sign in.
- In the Group Membership section, select one or more local groups. Note: Permissions are cumulative; users have all permissions for all groups they belong to.
- Click Save.
Note: If your system includes more than 20 items, you can specify the number of rows to be shown on each page at a time. You can then use your browser's find feature to search for a specific item in the currently displayed rows.
Note: Changes might take up to 15 minutes to take effect because of caching.
Change a Local User's Password
A tenant administrator can change passwords for local tenant users.
Before you begin, you must:
- Be signed in to the Tenant Manager on a supported browser
- Have specific access permissions
To change the password of a local user:
- Select Access Control > Users.
- Select the user, and click Change Password.
- Enter the new password, and click Save.
Remove Local Users
You can permanently remove local users who no longer need to access the StorageGRID tenant account.
Before you begin, you must:
- Be signed in to the Tenant Manager on a supported browser
- Have specific access permissions
To remove a user:
- Select Access Control > Users.
- Select the user you want to remove.
- Click Remove. A confirmation message appears.
- Click OK to confirm you want to remove the user.
Note: If your system includes more than 20 items, you can specify the number of rows to be shown on each page at a time. You can then use your browser's find feature to search for a specific item in the currently displayed rows.
Note: Changes might take up to 15 minutes to take effect because of caching.