ACL's and multiple apps in one tenant

Options

I have a questions about the use of ACL's. I have a tenant with 2 app's registered to it.

I have created a user in the app,
I have created a group in that app
I have created/customized an ACL's to add that group to the ACL to give the group only read access.

How do I get the user to have the same permissions in the other app?

I have added the user also to that app, but the group is not visible in that app?

Best Answer

  • LazarescuA
    LazarescuA E Member
    #2 Answer ✓
    Options

    Hello,

    There are 2 different kind of groups: subscription groups (application) and tenant groups. The tenant groups are visible to all application subscriptions in that tenant. The subscription groups are only visible inside the subscription.

    So, you can use the tenant group if you don't want to create the group in every application.

Answers

  • LazarescuA
    LazarescuA E Member
    #3 Answer ✓
    Options

    Hello,

    There are 2 different kind of groups: subscription groups (application) and tenant groups. The tenant groups are visible to all application subscriptions in that tenant. The subscription groups are only visible inside the subscription.

    So, you can use the tenant group if you don't want to create the group in every application.

  • Am I correct to say there are 4 levels were you can create a group:

    • Organization
    • Tenant
    • App
    • Subscription

    The first 3 you can see in the admin, the 4th not.

    Why would you use which? and what acces do you need to have for the different levels?

  • gvicari
    gvicari E Community Moderator
    edited April 22 #5
    Options

    Hey @Jeroen Jansen, the fourth one is the one that you would typically use when adding users to an application. They are visible under the subscription (of the app) in the tenant. A subscription group is where you put your application users, as each application would have its own users per tenant.

  • LazarescuA
    Options

    Hello, @Jeroen Jansen , actually there are only 2 levels where you can create a group:

    • Tenant
    • Application subscription

    At the Organization level you can only add admin users, not groups.

    At the Application Level (the Application definition, accessible from Organization → App Management → Apps) - there is no definition of users/groups as they will pertain to a specific Tenant Subscription.

    So, the two that are available are Tenant groups and Subscription groups.

    From the usage perspective, there are a couple of considerations based on how you want to use them:

    • Tenant groups: they are visible from inside any subscription inside the tenant, they can be used inside CMS (metadata service) ACL's, but they cannot be used as Workflow service Candidate Groups
    • Subscription groups: they are visible only from inside the respective subscription, they can be used in any service running, this is the default expected group definition by our services

    From the creation perspective:

    • Tenant groups can only be created in the Admin Center or via API calls
    • Subscription groups are the groups that you can create in VS Code using our Developer Tools Extensions and they are part of your project. Every time you use VSCode to deploy your project to a new tenant (recommended route for Application development and deployment), you will have the group deployed. You can also create Subscription Groups from Admin Center or API.

    Both of them are present in the IDToken - so you can base your application logic on any of them.

  • LazarescuA
    Options

    You can look at this page for more clarity on Apps/Subscriptions: https://developer.opentext.com/imservices/developertools