User Management Guide

orcharhino supports advanced user management options including user groups, roles and permissions, filters, LDAP authentication, and context based restrictions.

This user management guide collects documentation on all of these features as well as how they interrelate in a single place. It is meant to complement the relevant documentation found in the management UI chapter:

Finally, the context menu section is also relevant to orcharhino’s user management. User access in orcharhino is restricted based on context which represents real world organizational structures. An organization might be a business unit and a location might be a data centre.

orcharhino’s user management consists of users, roles, and permissions.

Restricting access to different parts is convenient in order to avoid accidental changes by unauthorised personnel if your orcharhino is administered by more than one person. orcharhino provides the possibility to assign specific roles with fine-grained access filtering configurations to every user.

User Roles and User Group Roles

A role is a set of permissions that can be allocated to desired users or user groups. Every user has one or more roles and obtains all permissions that are defined within. Refer to roles on how to create and assign roles to users and user groups.

Note that you can create any number of roles fitting your needs but you have to save them first before providing them with filters.

Depending on the number of users with access to your system, it might be more efficient to create groups to bundle permissions instead of targeting users individually. Refer to user groups on how to create and manage user groups.

Roles and Filters

Filters are part of the roles and describe a set of allowed actions on a specific element, i.e. a resource type. You have to create a filter for every resource type you want to be accessible by users with a specific role. For example, you can create a filter of the resource type host which allows the role to only edit a specified list of hosts instead of all hosts.

By default, every user bears at least the permissions of the anonymous role which can be edited but not deleted. The permission set of the anonymous role will be automatically granted to every user account within orcharhino. You can edit this role and even deprive it of all of its filters, but you cannot delete the role itself.

Refer to the roles page on how to view, create, and edit filters.

Filters and Resource Types

A resource type describes entities of the orcharhino that require permissions to interact with. They are similar to the types of resources that are managed by orcharhino, like hosts, products, or content views. The number of actions available varies for each resource type. The default actions to which permissions can be granted to for almost every resource type are view, create, edit, and destroy.

Please note that some filters depend on each other in order to take proper effect. For example, the permissions of the reports resource type are only valid if the user also has access to the orcharhino dashboard and the permission to view hosts.

Validating User Accounts via LDAP

The most convenient way to manage orcharhino user accounts is to connect orcharhino to an LDAP server. This allows you to delegate the task of authentication and authorization of orcharhino users to a trusted source in your environment. Refer to the creating an LDAP authentication source section on how to attach an existing LDAP server to your orcharhino.