Managing object groups
Use object groups to control user access to objects such as assembly instances, deployment locations, infrastructure keys, network packages, and secret groups.
Controlling access to object groups
You control access to object groups by using user groups. That is, you control what objects a user can access and what permissions the user has for those objects by using user groups. This method of access control is called object-based access control (OBAC).
For example, you can create an object group of network package and deployment location objects. You can assign user groups with different permissions to that object group in the following way:
- A user group that has permissions that specify that the users can update the network packages, but view only the deployment locations that are associated with that object group.
- Another user group that allows the users to update both the network packages and deployment locations that are associated with the object group.
A user can be a member of multiple user groups. If a user is a member of more than one user group that is assigned to the object group, the user's permissions are combined. That is, the user's effective permissions for the object group are the combination of all the permissions in their user groups.
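The combination rule described above, as an added example that is not code from the product or its documentation. It models user-group assignments for one object group and lists the users whose combined permissions exceed what any single one of their user groups grants, which is the case an access review should look at. All group names, user names, object types, and actions are constructed for the illustration.

```python
# Constructed model of object-based access control (OBAC); the group names,
# users, object types and actions are illustrative, not product identifiers.

# object group -> {user group -> {(object_type, action), ...}}
ASSIGNMENTS = {
    "edge-sites": {
        "package-editors": {("network_package", "update"),
                            ("deployment_location", "view")},
        "location-editors": {("network_package", "view"),
                             ("deployment_location", "update")},
    },
}

# user group -> members
MEMBERS = {
    "package-editors": {"alice", "bob"},
    "location-editors": {"bob", "carol"},
}


def groups_of(user, object_group):
    """User groups assigned to the object group that the user belongs to."""
    return {g for g in ASSIGNMENTS.get(object_group, {})
            if user in MEMBERS.get(g, set())}


def effective_permissions(user, object_group):
    """Union of the permissions from all of the user's assigned user groups."""
    assigned = ASSIGNMENTS.get(object_group, {})
    return set().union(*(assigned[g] for g in groups_of(user, object_group)))


def combined_only(object_group):
    """Users whose effective permissions exceed every single group they are in."""
    assigned = ASSIGNMENTS.get(object_group, {})
    users = set().union(*(MEMBERS.get(g, set()) for g in assigned))
    findings = {}
    for user in sorted(users):
        eff = effective_permissions(user, object_group)
        # A proper-subset test: no one group alone grants the full set.
        if all(assigned[g] < eff for g in groups_of(user, object_group)):
            findings[user] = eff
    return findings


if __name__ == "__main__":
    for user, perms in combined_only("edge-sites").items():
        print(user, sorted(perms))
```

In this constructed data, only the user who belongs to both user groups can update both object types, even though neither user group grants that on its own.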
Viewing object groups
To view your object groups, click the navigation menu, then click Network automation. The object groups are listed on the object groups page.
Object group permissions
You must have the OBJECTGROUP_READ permission to view object groups. If you don't have the OBJECTGROUP_READ permission, you can view only the names of the object groups that your objects are members of.
You must have the OBJECTGROUP_WRITE permission to complete the following tasks:
- Create or modify object groups.
- Assign user groups to object groups.
- Assign permissions to object groups.
- Move objects to another object group.
Default object groups
Consider the following points about default object groups when you are working with object groups:
- If you want to assign objects to a user group, you must first move the objects to an object group that is not the default group.
- If you create an object and don't specify an object group, the object is added to the default object group automatically.
- You have the same roles and permissions for objects in the default object group that are assigned to you in the Identity and Access Management (IAM) access management system. You can't add or remove user groups from the default object group, or set permissions for the default object group.
- In IBM® Cloud Pak for Network Automation, objects can belong to only one object group. If multitenancy is enabled, a default object group is created for each tenant. Everyone who has access to the tenant can access objects in the default group. If multitenancy is not enabled, a single system-wide default object group is created. Everyone who has access to the system can access objects in the default group.