Manage Groups
You are able to separate users and accounts to specific groups.
Last updated
You are able to separate users and accounts to specific groups.
Last updated
Groups are a mechanism to organize Linked Accounts into a structure that makes sense for your organization. This could be by department, division or team. The group structure (picture it as a directory structure) is something you create that works specifically for you. Groups allow you to create a logical separation between linked accounts and the users who have access to them. Groups impact all aspects of the console (dashboard views, bucket lists, problem files) in the form of a filter. If you are at the top level group, Primary
, then you will see an aggregate of all groups within the console. If you switch to a sub-group, the console will only reflect data for those linked accounts in that group and any sub-groups (if they exist) of that group.
In this model, Antivirus for Amazon S3 users can be tied to a specific group to limit their scope to that group and any down-line groups. Access to down-line groups is always inherited. A user placed in Primary
will have access to all groups as that is the top-level group. A user placed in Primary-->Customers-->CompanyA will have access to CompanyA group resources as well as any group resources below that, but will see nothing and have no awareness of the other company groups listed directly under Customers.
Leveraging groups is not required for successful use of the product. If you have no need for groups, you can skip this section and operate as is.
Navigate to group management with the left navigation menus: Access Management --> Manage Groups
. After the initial install of the product or after an upgrade from a pre-group deployment, there will be one group present by default called Primary. This is the root of the group tree structure.
If you have linked accounts or additional users you will see all of them as shown below because they all initially belong to Primary. Accounts linked after groups are in place will be asked for where they should be located.
All actions taken will be against the current group you are in. If you are in Primary and select Create Group
then you will be create a sub-group inside of Primary. If you want to then create a sub-group of the sub-group, you have to click the sub-group to enter into it and then click Create Group
again.
Best practice is to create the groups needed first, then create the users and link the accounts that tie to those groups. You can create users and link accounts before creating the groups, but they have to reside inside a group, which would be the Primary group. This may temporarily not create the effect you were looking for.
From the Manage Groups page, select the Actions
menu button and choose Create Group
.
You will be presented with the following screen where you can enter the new group name, assign existing users, assign existing accounts and assign existing groups. The latter three fields are optional so you can leave them blank.
Your Manage Groups page should now look as follows:
Repeat this process to create sibling groups to Engineering or child groups. Here is what it would look like with two additional child groups added to Engineering: Dev and Test. Note: I clicked into the Engineering sub-group before creating the two new groups.
You can navigate your way down the tree by clicking into the groups within the table. You can walk your way back up the tree by utilizing the bread crumb trail (shown below) to go up levels. You can move up a single level or however many levels up that are needed.
Here is what the Engineering line item looks like now:
When you add accounts and users they will be reflected on this line as well. Groups, users and linked accounts can be at any level of depth below this group and they will roll up to a single aggregate to give you an understanding of what exists in the group.
Linked accounts can be assigned to a group from within the group page here on Manage Groups or from the Manage Accounts page. When assigning an account from the Manage Groups page, you are adding an existing linked account to the group you are within. This does not move
the account to this group, but rather add it to this group while leaving it associated with whichever group(s) it was already in. If you want the account to only be available from within the group selected, then you need to do that from the Manage Accounts page. The Manage Accounts page will allow you to assign it to a new group and remove the existing groups.
This behavior may be seen if you have linked the accounts prior to groups existing. You may have the linked accounts sitting in the Primary group because you did that operation first. So you assign it to the new group and then end up removing it from the Primary group.
Navigate to the group you'd like to add an account to by clicking through the groups listed on the page: Engineering --> Dev.
You will see a popup that allows you to pick an account from your linked accounts list. You can choose more than one by clicking into the field to see the drop down list of accounts again.
Select the account(s) desired and click the Assign Accounts
button.
You will now see the following:
Continue this process until you have all your linked accounts assigned to the groups of your choice.
Up one more level the Engineering row now looks like this:
That's it! You have now segmented 2 of your linked accounts into unique groups within the product. You can now more easily breakdown the usage between the accounts and the scan results. You can also nail product users down to each group, but that is unnecessary to see the value of groups themselves.
Navigate to Manage Accounts by selecting Access Management --> Manage Accounts
along the left navigation. This will land you on the Linked Accounts
page as seen below.
Notice the two accounts that were added to groups, DevAcct and TestAcct, now show 2 in the Groups column. This is because we just added them each to a new group we created, but also because they were a part of the Primary group already. You can easily modify which groups accounts are a part of by clicking the action menu on each group row and selecting Change Groups
.
This will pop open the following screen where you can simply X
a group away or associate more groups to this account.
Remove groups or add more groups, click the Assign Groups
button then you will see the linked account line updated to reflect. Here is how it looks after removing Primary from the associated groups.
You can also assign groups at the time you initially link the account. A new field has been added to the Link Account screen to associate the new account to a group(s).
Assigning users is much like assigning accounts as seen above in that you can do it from the Manage Groups page or alternately on the Manage Users page. The same implications of where you do it hold true for users in regards to the user being a part of multiple groups if assigning on the Manage Groups page.
Navigate into the group you'd like to assign the user to by clicking the group names in the list until you see group you are assigning to in the crumb trail.
Now click the Actions
menu button and select Assign Users
to see the following popup.
Click the Assign Users
button and the user will be associated to the group and the view will be udpated.
Assigning users can also be done from the Manage Users page. Navigate to that page by select Access Management --> Manager Users
from the left navigation. This will land you on the Manage Users page as seen below.
Notice the user, dev-admin, we associated with the Dev
group shows 2 in the Groups column. This is because we just added this user to a new group, but also because they were a part of the Primary group already. You can easily modify which groups users belong to by clicking the action menu on the user row and selecting Change Groups
.
This will pop open the following screen where you can simply X
a group away or associate more groups to this user.
Remove groups or add more groups, click the Assign Groups
button then you will see the linked account line updated to reflect. Here is how it looks after removing Primary from the associated groups.
You can also assign groups at the time you initially create a new user. A new field has been added to the Create User screen to associate the new user to a group(s).
There may be times when you no longer need a group that was previously created. From the Manage Groups page you can "simply" select the group row action menu and click Delete Group
.
The current caveat to this is the group must be completely empty before you can delete it. So you will have to ensure all of the children, however many generations down, are cleared out before the group can be deleted. If children still exist anywhere down the line, you will see a message as follows.
Simply traverse you way down the tree and remove / delete users, linked accounts and other groups.
If you want to keep particular users, linked accounts or groups move them to another location that you deem appropriate.
If a user, linked account or group is only a part of the particular group you are deleting, then those items will be truly deleted from the console (like no longer exist deleted).
If a user, linked account or group is a part of another group, then they will simply be removed from the group you are deleting and NOT removed from the system.
To filter down into a group, simply click on the Group Picker to get to the Group Picker popup.
Select the group you would like to filter to by click the circle next to the group name and then clicking Set Group
. Click the group name to navigate further down the tree structure. If the group name is a link, then it has children. If it is not a link, there is no further down to go. Below I've navigated down Primary --> Engineering to see the two groups that reside inside the Engineering group. Note that neither is a link so this is the bottom of the tree structure.
You can navigate back up the tree by selecting groups within the group bread crumb trail.
Let's look at this in action. There are 3 accounts within the system with different numbers of S3 buckets in them as seen below.
Therefore, we can easily see the filtering in action on the Bucket Protection page. Navigating to this page in the Primary group, which is the top level group containing all other groups, we should see an aggregate count of the buckets we saw on the Linked Accounts page (49+5+1=55 buckets). We should also see all 3 account represented in the bucket list.
Switching the selected group to Dev
will take us down to 1 bucket.
Switching the selected group to Test
will take us to 5 buckets.
Switching the selected group to Engineering
, the parent of both Dev and Test, will take us to 6 buckets.
Groups create a logical separation between linked accounts. You can have one or many (or none if just parent node) linked accounts in a group and the filtering will break down an aggregate of all accounts. This applies system wide including the Dashboard, Problem Files and Bucket Protection pages (as seen above).
The top left-most part of the menu bar is where the Group Picker () is located. This will be leveraged to switch between groups. The picker will not be presented when there is only one group, the Primary group. Only after a second group has been created will it be available.
With more than one group in place, the Group Picker () will be made available in the left-most portion of the top menu bar.