
Members and Users

In RBAC, a member is a user account that you can assign to an organization or team.

Local users are user accounts that are created and managed directly in the system. LDAP users are user accounts that are tied to your LDAP directory and synced into the system.

Note

You can add individual users to organizations and teams; however, groups are preferred for managing permissions at scale. Groups are dynamic and reflect changes in your LDAP directory in real time: whenever your LDAP directory changes, group membership updates automatically without a sync. Individual LDAP users, by contrast, must first be synchronized into the system through a scheduled cron job or a manual sync before you can add them to organizations and teams.

When you assign a group to an organization, all group members obtain the permissions of that organization. When groups are assigned to a team, all group members obtain the permissions of the team while also inheriting the permissions of the parent organization for that team.

Local Users

Local users are individual user accounts that you create directly in the system, which you can add to both organizations and teams.

Refer to Create users for more information.

LDAP Users

LDAP users are users that are present in your LDAP directory. To use LDAP users, you must configure authentication with LDAP access, including a user search filter that defines the users who are available in your directory.

  • When you add LDAP users to an organization or team, the system runs an LDAP user search to find those users and adds the full result set to the entity. This search must be a subset of the authentication user search, so that only users who are permitted to authenticate can be added.

  • LDAP users are synced based on the configured search. Once a user is synced, you can add that user to organizations and teams in the same manner as local users. You can then configure a regularly scheduled cron job to sync LDAP users so that their information stays up to date.

  • Once an LDAP user has been added to an organization or team, they receive the permissions associated with that entity.

Refer to LDAP for more information.

Membership Hierarchy

A member's access is determined by their placement in organizations and teams. Specifically:

  • Users added to an organization obtain the permissions configured for that organization.
  • Users added to a team obtain the permissions configured for that team, and they also inherit the permissions configured for the team's parent organization.
  • Users who are members of both an organization and a team get the permission sets of both entities.

Grants and Individual User Permissions

In addition to the permissions that users receive through their organization and team memberships, you can assign individual grants directly to a user. These grants provide permissions that are independent of any organization or team membership.

Member Listing

To obtain a list of the members in an organization:

<insert command>

The list that prints includes:

  • Members directly added to the organization
  • Members added through teams in that organization

To obtain a list of the members in a team:

<insert command>

In this case, the list you receive contains only the members that have been directly added to the indicated team.

Removing Members

When you remove a member from an organization or team, all of the permissions that the member obtained through that organization or team are revoked. Grants assigned directly to the user, however, are not affected.
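The permission rules in the Membership Hierarchy, Grants and Removing Members sections can be checked with a small model. The following is an added example written for this page, not the product's own code; the entity, group, user and permission names are constructed, and membership through a group stands in for LDAP group assignment.

```python
from dataclasses import dataclass, field

# Constructed model (not the product's own code): an organization carries a
# permission set, a team belongs to one parent organization, and a user can
# belong to either directly or through a group. Direct grants sit outside both.
@dataclass
class Org:
    name: str
    perms: set
    members: set = field(default_factory=set)   # directly added users
    groups: set = field(default_factory=set)    # assigned group names

@dataclass
class Team(Org):
    parent: str = ""   # name of the parent organization

@dataclass
class Directory:
    orgs: dict
    teams: dict
    groups: dict   # group name -> set of users (e.g. mirrored from LDAP)
    grants: dict   # user name -> permissions assigned directly to that user

    def is_member(self, user: str, entity: Org) -> bool:
        return user in entity.members or any(
            user in self.groups.get(g, set()) for g in entity.groups)

    def effective_permissions(self, user: str) -> set:
        perms = set(self.grants.get(user, set()))     # individual grants
        for org in self.orgs.values():
            if self.is_member(user, org):
                perms |= org.perms
        for team in self.teams.values():
            if self.is_member(user, team):            # team + parent org
                perms |= team.perms | self.orgs[team.parent].perms
        return perms

    def remove_member(self, user: str, entity: Org) -> None:
        entity.members.discard(user)   # direct grants are left untouched

def build_example() -> Directory:
    # Constructed sample data; every name here is illustrative.
    eng = Org("eng", {"secrets:read"}, groups={"ldap-devs"})
    platform = Team("platform", {"secrets:write"}, members={"alice"}, parent="eng")
    return Directory(orgs={"eng": eng}, teams={"platform": platform},
                     groups={"ldap-devs": {"bob"}},
                     grants={"alice": {"audit:read"}})

def removal_scenario() -> tuple:
    d = build_example()
    before = d.effective_permissions("alice")
    d.remove_member("alice", d.teams["platform"])   # revokes team + parent org
    return before, d.effective_permissions("alice")
```

Running `removal_scenario()` shows alice dropping from three permissions to only her direct grant, while bob keeps the organization permission he reaches through the group.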