Group-based Authorisation - Active Directory and LDAP
Once your LDAP or Active Directory authentication service is up and running, any groups in the LDAP directory that match the criteria set by the various auth <service_name> group commands will be available as groups in SuperADMIN. Such a group can then be assigned permissions and those permissions will apply to all users in that group.
For example, to allow read access to the bank database for the group "Accounting" you would use a command like:
cat bank access "Accounting" read true
To list the LDAP groups that are available for use by SuperADMIN, use this command:
account groups
Users and groups are only visible in a SuperADMIN console session if they are from the same authentication service that was used to log in to the console. This means that if you log in as a local SuperADMIN user you will only be able to work with the locally created groups, not any LDAP groups.
To assign permissions to LDAP groups, you must log in to the console as an LDAP user, and this LDAP user must be in the LDAP group assigned for administration by the auth <service_name> adminGroup command described earlier.