This article describes the user management capabilities in Azure Documenter for a Serverless360 account with Azure Active Directory authentication.
Add user or group
- Users with the Account owner or Owner role can add new users and AD groups to Azure Documenter (hereafter referred to as "product") using the Add user and Add group options in Users tab of the User management section of the product.
The first 500 users/groups from the corresponding Azure Active Directory will be listed, and users can make use of the "Load more" option to load the next set of users/groups.
For Active directory users, users in the retrieved list can be filtered by User principal name using the filter option provided above the user list. If no user is found in the retrieved list, the same filter can be performed directly in the Active directory, which will list the filtered users from the Active directory.
For Active directory groups, groups in the retrieved list can be filtered by group name using the filter option provided above the group list. If no group is found in the retrieved list, the same filter can be performed directly in the Active directory, which will list the filtered groups from the Active directory.
User can be assigned roles in any of the two ways:
1. Direct role assignment
2. Specified access
- Direct role assignment refers to the assignment of a role to a user/group, which will be applicable for the entire product. For instance, assigning a direct role like 'Reader' for a user/group means that the user/group has complete read access to all the document configurations in the product.
Owner role cannot be assigned to AD groups.
- Specified access refers to assigning different roles on different product-specific areas. For instance, if an organisation has two document configurations for its two environments such as Production and Development, a user like a contractor or an AD group with guest users cannot be given even 'Reader' access to Production configuration. In such cases, the user/group can be assigned Specified access, by choosing only the document configurations that the user/group can see, and assign a role for each chosen document configuration, which determines what the user/group members can do inside that document configuration.
Users/groups who are already added to Serverless360 (members of other products of Serverless360, or do not have any product-permission) are available to be added from the Existing user and Existing group tab for Add user and Add group options respectively.
Manage role assignments of users and groups
Managing role assignments of users/groups in the product can be done using several options:
- An individual user or group's role assignments can be managed using the Edit permission option in the Actions column under the Users tab in User management section of the product.
- User/group role assignments can be edited in bulk by selecting the users/groups and clicking the Edit permission option under the Users tab in User management section of the product.
- User/group role assignments for a document configuration can be managed using the Users option in the context menu of the document configuration in the home page of the product.
Only users/groups having direct access to a document configuration can be revoked access when viewing from the document configuration's Users widget.
Remove user or group
Account owners or owners of the product can remove any existing user/group by selecting Remove user/group option in the Actions column, or select the required users and groups and bulk remove them using the Remove option above the users list.
User/group removed from a product still exists in Serverless360's directory. Account owners can remove the users/groups completely from Serverless360 by navigating to Settings -> Users and choosing Remove user/group option.
When an Active Directory user is added directly as a member of Serverless360, the permissions are evaluated against the roles that have been assigned to that user during user operations. If that user is also a member of an AD group that has been added to Serverless360, the group permissions will not be evaluated because the direct user membership in Serverless360 takes precedence.
However, when a user signs in as a member of an AD group, i.e, this user is not added to Serverless360 directly, but the AD group that this user is a member of is added, the permissions of that user are checked against the roles assigned to that group during user operations. When a user belongs to multiple groups, high level permissions are determined by comparing the roles of all the groups.
The same is true when a user signs in as an owner of AD group, i.e, this user is not added to Serverless360 directly, but the AD group that this user is a direct owner of is added.
Although Serverless360 supports direct owners of AD groups, the recommended method of AD group management in Serverless360 is to stick to members of AD groups where the owners are also members of those groups.
AD group authentication occurs in a transitive manner, which means that if a parent group is added to Serverless360, all child groups in all inner levels of that group will be authenticated even if those child groups are not added to Serverless360.
Child groups, on the other hand, can be added if the users of different groups require different permissions based on business needs.