Map a Tenant for Authorization Through Common Services

Learn how to map a tenant for authorization through the Common Services.
If you want to grant authorization to your users by passing the login information through your Security Assertion Markup Language (SAML) provider, you can map your identity federation to a tenant or tenant service group (TSG) hierarchy. By using the tenant mapping, you no longer have to add users and access directly through Common Services, but that option is still available.
After you add an identity federation and add an identity federation owner, the federation owner can map tenants for authorization. In addition to adding an admin as a federation owner, you must also give that admin a role that has permissions to assign and remove access policies on the given tenant, such as the following:
  • IAM Administrator
  • Multitenant IAM Administrator
  • Multitenant Superuser
  • Superuser
  • Custom role that includes iam.federation_mapping.update and iam.federation_mapping.delete
  1. Use one of the various ways to access Common Services Identity & Access.
  2. Select Identity & Access. Only one way is shown here.
  3. Select Identity & Access/Access Management, then Identity Federations.
  4. Scroll or search to find your identity federation.
  5. Select Edit Tenant Mapping for Authorization.
  6. Select which tenants can be mapped to the identity federation users, then select Save.
     Inheritance applies the same way as it does in access management: if you map a tenant at the top level of the hierarchy, the mapping is inherited by the child tenants nested below it, so the parent can manage them.
     The identity federation owner can now manage the user access for all the selected tenant service groups.
  7. Go to your identity provider's console to configure user access policies. The console details look similar to the following, but all providers are slightly different. The attribute must be named accessPolicies (the name is case-sensitive).
     1. (Optional) Use a predefined role to assign a predefined set of permissions to a user. For details and syntax, see properties for predefined roles.
     2. (Optional) Use a custom role to assign a custom set of permissions to a user. For details and syntax, see properties for custom roles.
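
Because step 7 depends on the identity provider emitting an attribute named exactly accessPolicies, it helps to inspect a test assertion from the provider before users are affected. The following is an added example, not code from the Common Services documentation or from Palo Alto Networks: it parses a constructed SAML assertion (the role values are placeholders; the real syntax comes from the predefined and custom role properties pages) and reports whether the accessPolicies attribute is present, distinguishing a correctly named attribute from one that differs only in case.

```python
"""Inspect a SAML assertion for the accessPolicies attribute that Common Services
tenant mapping reads from the identity provider.

Added example: the sample assertion below is constructed, not captured from a real
identity provider, and the attribute values are placeholders rather than real role
syntax. This check is meant for inspecting an assertion you already trust (for
example, a test login exported from the provider console); validating signatures on
live assertions belongs to your SAML library, not to this script."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: one correctly named accessPolicies attribute plus an
# unrelated email attribute, as an IdP might emit them.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed-example" Version="2.0">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="accessPolicies">
      <saml:AttributeValue>ROLE_PLACEHOLDER_1</saml:AttributeValue>
      <saml:AttributeValue>ROLE_PLACEHOLDER_2</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="email">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def attribute_values(assertion_xml, name):
    """Return every AttributeValue text for the attribute whose Name matches exactly."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == name:
            for value in attr.iterfind("saml:AttributeValue", NS):
                values.append((value.text or "").strip())
    return values


def check_access_policies(assertion_xml):
    """Return (ok, message).

    ok is True only when an attribute named exactly 'accessPolicies' carries at
    least one non-empty value. A near miss such as 'AccessPolicies' is reported
    separately, since a case mismatch is the most common reason the mapping
    silently grants nothing."""
    root = ET.fromstring(assertion_xml)
    names = [a.get("Name", "") for a in root.iterfind(".//saml:Attribute", NS)]
    values = [v for v in attribute_values(assertion_xml, "accessPolicies") if v]
    if values:
        return True, f"accessPolicies present with {len(values)} value(s): {values}"
    near = [n for n in names if n.lower() == "accesspolicies"]
    if near:
        return False, f"attribute {near[0]!r} found; name must be exactly 'accessPolicies'"
    return False, "no accessPolicies attribute in AttributeStatement"


if __name__ == "__main__":
    ok, message = check_access_policies(SAMPLE_ASSERTION)
    print("OK" if ok else "PROBLEM", "-", message)
```

Run it against an assertion exported from your provider's test login in place of the constructed sample; an empty value list or a case-mismatched name is the signal to go back to the provider's attribute mapping before relying on the tenant mapping for access.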
