Right now, we do not use Tenants. Just Groups. We have one group (which has their own role and their own LDAP role mapping) that has their own group sandbox with their VMs.
This group has asked me how they can let a second group log in and see their group sandbox. So it is like I need to have a group that has 2 different subgroups (with different LDAP role mappings). Is there a way to pull this off?
Is there a specific reason they must have different LDAP mappings? It seems to me if you’re controlling access to resources via AD, you could just make this second group a member of the current group in AD and never have to change anything in Morpheus.
This is assuming a basic Active Directory RBAC model.
If they must be different AD mappings, Morpheus does have a copy function where you can make a new Morpheus role that is a copy of another role. After creating the new role though, you’ll have to manually keep up the changes you make to either role in both if you want them to stay in sync.
Does that help or do you have something else in mind?
If something else, could you describe the use case a little more?
I think the reason they have different LDAP groups (Active Directory Security Groups, to be technically correct, but they use an LDAP server that consults AD) is because people in different organizations have different groups. It is possible to create a Security Group or an LDAP group that two organizations share, but they discourage it because of the fact that they have to maintain that group over time. But the issue is not just “role”, it is “group” here. We have two groups that want to see the same ecosystem of VMs, et al. One is an engineering group, the other is an operations group. I know I can create a role for each group, and use the first role as a user template for the 2nd, and I think that would be fine, but the fact that they are in different groups altogether might mean that if group 2 logs in, they cannot see group 1’s deployments.
I think everyone is okay on this. I simply created different roles, all with their individual LDAP or Security Groups, and put those roles into the same group. Seems to work fine. Very flexible.
If you want your users to see the same VMs you would need a third group that both teams are a member of. The VMs would have to exist in that shared group. Users can belong to more than one group at a time.
Actually, no! I just have both roles set to that group, and when I impersonate both users, they see the same VMs. So I think I have what I want for now!