Add Users to your Foreman Org

You manage access to Foreman for your organization. For someone to **see** your hosts in Foreman, you must add their IDs to your organization. For someone to **change** things in your organization, you must add their IDs to a user group.

Add someone to your Organization

Foreman uses the Wolftech Active Directory for authentication (ensuring you are who you say you are) but its own database for authorization (controlling what access you have).

Any account on campus can technically log in to Foreman, but only those IDs that you identify in Foreman can see or change your “stuff.”

To add someone to your organization, follow these steps:

  • Click Administer -> Users
  • Click the Create User button
  • On the User tab:
    • Set the Login field to the user’s Unity ID
    • Set the Authorized By field to LDAP-Wolftech
  • On the Organizations tab:
    • Click on the Organization you’re assigning. The selected value will move to the right.

You do not need to fill out any of the other information, like name or e-mail address. These will be read from WolfTech when the person logs in.

This will associate an ID with your organization, but not grant rights.

OIT is working on automation that will update an organization with all the members of a user-group. Until this is tested, be sure to add new people to your Organization. This is especially important if your groups are managed in AD, and not in Foreman.

Grant permissions by adding someone to your User groups

As an organization member, a user can see other things in the organization, but by default has no permissions over them.

Permission to manipulate things in Foreman is controlled by Roles associated with User groups.

Use Wolftech groups in Foreman

If your group maintains groups of users in the Wolftech Active Directory, you can use those groups in Foreman. You just need to know the name of your AD group.

  • Click Administer -> User Groups
  • Click Create User Group
  • On the User Group tab: enter the Foreman group name, for example “YourADGroupName from Wolftech”
  • On the External Groups tab: Click +Add external user group and enter the name of your AD group.
  • Click Submit to link the group.

It is important to understand that if you are using an external/Wolftech group to manage Foreman group members, you cannot also add and remove members with Foreman! Wolftech is read from, but never written to. If you want to use a set of base users from Wolftech, but also be able to add additional users with Foreman, see [Use both Wolftech and Foreman native groups] below.

Use separate Foreman groups

If you don’t manage users with Wolftech, or if you just need some additional quick and dirty user groups, you can use the Foreman GUI.

  • Click Administer -> User Groups
  • Click on the User Group (same name as your Org)
  • On the User Group tab:
    • Click on the User you’re assigning. The selected value will move to the right.

You can also add an entire existing group to another group (nested groups).

Use both Wolftech and Foreman native groups

The nested group feature can be quite powerful.

As an example, consider the “College of Hypotheticals”

  • with a Wolftech group CHyp-Labadmins containing their Lab system administrators
  • and a Wolftech group CHyp-Part-timers containing their part time (student) admins
  • and they also need to have a group of semi-random faculty build systems with Foreman

They could create three Foreman groups

  • CHyp-Labadmins from Wolftech, an External (to Foreman) group
  • CHyp-Part-timers from Wolftech, an External (to Foreman) group
  • CHyp-Additional-System-Builders, a native Foreman group

They can then have their CHyp-Admins group (see the next section) contain those three groups, and all would get the necessary Foreman access.

YourOrganization-Admins controls Foreman Access

When your organization was created, a user group named YourOrganization-Admins was made and assigned the proper roles to manage your organization.

You must add any accounts that you want to do work in your organization to this group, either directly or through an intermediate group (read above), or delegate all management to Active Directory by setting an external (to Foreman) group.
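The two rules above (organization membership for visibility, nested group membership for rights) can be cross-checked offline. The following added example, which is not part of the original page or of Foreman, resolves the effective members of CHyp-Admins through its nested groups and lists IDs that have not yet been added to the organization; the user IDs and the dictionary layout are constructed for illustration.

```python
"""Audit sketch: who reaches the admin group through nesting but is not in the org?"""

# Constructed sample data: user IDs are invented, group names follow the
# College of Hypotheticals example. "external" marks groups linked to AD,
# whose member lists are read from Wolftech rather than edited in Foreman.
GROUPS = {
    "CHyp-Admins": {"external": False, "users": set(), "nested": [
        "CHyp-Labadmins from Wolftech",
        "CHyp-Part-timers from Wolftech",
        "CHyp-Additional-System-Builders"]},
    "CHyp-Labadmins from Wolftech": {"external": True, "users": {"alice", "bob"}, "nested": []},
    "CHyp-Part-timers from Wolftech": {"external": True, "users": {"dave"}, "nested": []},
    # Constructed cycle back to the parent, to exercise the loop guard below.
    "CHyp-Additional-System-Builders": {"external": False, "users": {"carol", "erin"},
                                        "nested": ["CHyp-Admins"]},
}
ORG_MEMBERS = {"alice", "bob", "carol"}  # IDs associated with the organization


def effective_members(name, groups, seen=None):
    """Return {user: set of groups listing that user directly} for a group,
    following nested groups and skipping cycles and unknown group names."""
    seen = set() if seen is None else seen
    if name in seen or name not in groups:
        return {}
    seen.add(name)
    result = {}
    for user in groups[name]["users"]:
        result.setdefault(user, set()).add(name)
    for child in groups[name]["nested"]:
        for user, sources in effective_members(child, groups, seen).items():
            result.setdefault(user, set()).update(sources)
    return result


def missing_from_org(admin_group, groups, org_members):
    """Members of the admin group (direct or nested) not associated with the org."""
    members = effective_members(admin_group, groups)
    return {u: sorted(src) for u, src in members.items() if u not in org_members}


if __name__ == "__main__":
    gaps = missing_from_org("CHyp-Admins", GROUPS, ORG_MEMBERS)
    for user, sources in sorted(gaps.items()):
        print(f"{user}: member via {', '.join(sources)} but not in the organization")
```

The source column in the output shows whether a gap comes from an AD-managed group, which is the case the page singles out for manual follow-up.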

Tags: foreman