ACL's and multiple apps in one tenant

Jeroen Jansen · 2024-04-20T20:21:32+00:00

There was an error rendering this rich post.

I have a questions about the use of ACL's. I have a tenant with 2 app's registered to it.

I have created a user in the app,
I have created a group in that app
I have created/customized an ACL's to add that group to the ACL to give the group only read access.

How do I get the user to have the same permissions in the other app?

I have added the user also to that app, but the group is not visible in that app?

Find more posts tagged with

Note:

If there are Accepted Answers, those will be shown by default. You can switch to 'All Replies' by selecting the tab below.

Accepted answers

LazarescuA

Hello,

There are 2 different kind of groups: subscription groups (application) and tenant groups. The tenant groups are visible to all application subscriptions in that tenant. The subscription groups are only visible inside the subscription.

So, you can use the tenant group if you don't want to create the group in every application.

All comments

LazarescuA

Hello,

So, you can use the tenant group if you don't want to create the group in every application.

Jeroen Jansen

Am I correct to say there are 4 levels were you can create a group:

Organization
Tenant
App
Subscription

The first 3 you can see in the admin, the 4th not.

Why would you use which? and what acces do you need to have for the different levels?

gvicari

Hey @Jeroen Jansen, the fourth one is the one that you would typically use when adding users to an application. They are visible under the subscription (of the app) in the tenant. A subscription group is where you put your application users, as each application would have its own users per tenant.

LazarescuA

Hello, @Jeroen Jansen , actually there are only 2 levels where you can create a group:

Tenant
Application subscription

At the Organization level you can only add admin users, not groups.

At the Application Level (the Application definition, accessible from Organization → App Management → Apps) - there is no definition of users/groups as they will pertain to a specific Tenant Subscription.

So, the two that are available are Tenant groups and Subscription groups.

From the usage perspective, there are a couple of considerations based on how you want to use them:

Tenant groups: they are visible from inside any subscription inside the tenant, they can be used inside CMS (metadata service) ACL's, but they cannot be used as Workflow service Candidate Groups
Subscription groups: they are visible only from inside the respective subscription, they can be used in any service running, this is the default expected group definition by our services

From the creation perspective:

Tenant groups can only be created in the Admin Center or via API calls
Subscription groups are the groups that you can create in VS Code using our Developer Tools Extensions and they are part of your project. Every time you use VSCode to deploy your project to a new tenant (recommended route for Application development and deployment), you will have the group deployed. You can also create Subscription Groups from Admin Center or API.

Both of them are present in the IDToken - so you can base your application logic on any of them.

LazarescuA

You can look at this page for more clarity on Apps/Subscriptions: https://developer.opentext.com/imservices/developertools