Introduction to Groups
A group represents a specified set of users. A group always belongs to one organization, but can contain users from different organizations.
In CentraSite, groups are used for the following purposes:
To assign roles to groups of users. Assigning roles to a group confers the permissions associated with the role to each member of the group.
To give a group of users access to a specific object in the registry.
To identify the group of individuals who are authorized to approve certain types of requests.
To identify the target audience for certain policy actions. For example, the intended recipients of an email action.
System Groups
System groups are shipped with CentraSite. When a user is added to CentraSite, CentraSite automatically adds the user to a specified system group depending on the organization to which the user belongs. The membership of these groups cannot be manually updated or deleted by an administrator. CentraSite provides the following system-defined groups:
System Group | Contains... |
Everyone | All users, including guests. Ensure users who publish assets to your registry know that this group includes guest users, and that if they grant access to this group, they enable access by anonymous users. This group should only be granted permission to view registry objects. It should not be granted permission to modify or delete registry objects. |
Users | All users in an organization. Every organization has a Users group. By default, the Asset Provider and Asset Consumer roles are assigned to this group, which gives these roles to every user in the organization. |
Members | All users in an organization or any of its descendant organizations (children, children's children, and so on). Every organization has a Members group. Every user you add to CentraSite automatically becomes a member of the Everyone group. |
CentraSite manages the membership of these groups automatically. You cannot delete system groups or edit their membership. You can, however, assign roles and instance-level permissions to system group and use them in all of the same ways as you can a regular user-defined group.
Custom Groups
CentraSite supports static groups and nested groups.
You can create locally managed groups that are defined and maintained within CentraSite. This is a group that consists entirely of active users who are registered in CentraSite. The membership of the group is maintained in CentraSite. You can perform administrative tasks manually on the group in CentraSite, such as adding or removing users from the group. You can switch a locally managed group to an externally managed group.
You can also create externally managed groups that are imported from the external authentication system. You cannot change the name or membership of an externally managed group within CentraSite; CentraSite maintains the membership of externally managed groups by automatically synchronizing with the external authentication system. If the externally managed group includes members who are not existing users of CentraSite, those members does not become CentraSite users as a result of adding the group to CentraSite. If you subsequently add those individuals to CentraSite, however, they automatically becomes members of this group. You cannot switch an externally managed group to a locally managed group.
When you import a group from CentraSite's external authentication system, CentraSite fetches the group's details from the authentication system, creates an externally managed group, and synchronizes (updates) the group's membership in CentraSite.
Whenever a new user is added from the external authentication system, CentraSite queries the external system to determine in which groups the user is a member. If any of those groups have been imported into CentraSite, the user is automatically added to the corresponding externally managed groups in CentraSite. The newly added user automatically receives the permissions and roles that are associated with the corresponding groups.
The removal of a user from a group can be done only in the external authentication system. Whenever a user is removed from the external authentication system, the corresponding user no longer receives the permissions and roles that are associated with the corresponding externally managed groups in CentraSite.
Note:
After the group information is imported, CentraSite does not attempt to keep it synchronized with the authentication system. Any change of the externally managed group is not synchronized with CentraSite. If a user is newly added to the externally managed group in the authentication system at a later stage, in order to keep CentraSite synchronized with the authentication system, you must manually reimport the external group in CentraSite. Likewise, if a user is removed from the externally managed group the authentication system, the corresponding CentraSite user is not automatically deactivated. The CentraSite user associated with a deleted external user must be deactivated manually in CentraSite.
When CentraSite executes a request that references an externally managed group, it accesses the external authentication system to resolve the group's membership. It performs the requested activity for each user who is a member of the specified group and is also a registered user on CentraSite. Users that are named in the externally managed group but are not registered as CentraSite users are ignored.
Assume that User1, User2, User3, User4, and User5 are defined on the external authentication system, and do not belong to any group on the external authentication system. Assume that all of these users except User1 have already been imported from the external authentication system to CentraSite, but do not yet belong to any group in CentraSite. Now assume that a group called GroupA is created in the external authentication system, and GroupA has members User1, User2, and User3.
If GroupA is imported to CentraSite, the registered CentraSite users User2 and User3 become members of GroupA in CentraSite, as the membership of the group is maintained in external authentication system (User 1 is not registered in CentraSite, therefore it is not available as a member in Group A). You cannot add more users manually to GroupA in CentraSite, since CentraSite just refers to the external authentication system for the membership details. However, if User4 and User5 are added to GroupA in the external authentication system, they also become members of the GroupA in CentraSite when the automatic synchronization occurs.
In this scenario, User1 is not yet a member of GroupA in CentraSite, since User1 is not a registered user in CentraSite. To add User1 to the group in CentraSite, you would define User1 as a user in CentraSite and associate this user with GroupA in the external authentication system.
If your external authentication system already defines groups of users who are significant to your SOA environment (for example, SOA Architects, SOA Project Review Team, or SOA Managers), add them to CentraSite as externally managed groups. Doing so simplifies maintenance by eliminating the need to update two systems when the membership of a group changes.
Note:
Groups that are nested in the external authentication are supported by CentraSite. If you are using LDAP, only the recurse up option is supported for group resolution. The recurse down option is not supported.