Altus Groups

An Altus group is a collection of user accounts that have the same roles and resource roles. A group can include Altus user accounts and machine user accounts. A group cannot include other groups. All users in a group inherit the roles and resource roles assigned to the group.

As an Altus administrator, you can create a group and manage the group membership. You can also manage the roles and resources assigned to the group. If you are not an Altus administrator, you can add users to and remove users from a group if you have the IamGroupAdmin resource role.

When you create a group, you do not automatically become a member of the group. To become a member of the group, you must add your user account to the group.

You can use groups to manage user access more efficiently. If multiple users require the same roles, you can create a group, add the user accounts to the group, and assign the required roles to the group. All user accounts in the group are assigned the roles assigned to the group.

If you delete a group, users in the group lose the roles that they inherit from the group. To allow a user to retain the group roles, assign the same roles to the user separately.

Working with Groups on the Console

You can create and manage groups on the Altus console.

Creating a Group

Create Altus groups based on the tasks performed by Altus users in your organization.

To create a group:
  1. Sign in to the Cloudera Altus console:

    https://console.altus.cloudera.com/

  2. In the IAM section of the side navigation panel, click Groups.

    The Groups page displays the list of all Altus groups.

  3. Click Create Group.
  4. On the Create Group window, enter the name of the group to create.

    The group name must be unique. The name can be up to 32 characters and can include only alphanumeric characters, hyphens (-), and underscores (_). The first character in the name must be an alphabetic character or underscore.

    The group name is not case sensitive. For example, the group name AAa is equivalent to the group name aaa.

  5. Click Create.

    Altus creates the group and adds it to the list of Altus groups on the Groups page.

Adding a User to a Group

You can add an Altus user or a machine user account to a group. You cannot add a group to another group.

All members of the group inherit the roles and resources assigned to the group.

To add a user to a group:
  1. Sign in to the Cloudera Altus console:

    https://console.altus.cloudera.com/

  2. In the IAM section of the side navigation panel, click Groups.

    The Groups page displays the list of all Altus groups.

  3. Click the name of the group to which you want to add a user.

    The group details page displays information about the group.

  4. Click the Members tab.
  5. If the group does not yet have members, click Add Member.

    If the group already has a list of members, click in the Add a member dropdown box.

  6. Select the name of the user that you want to add to the group.

    The user name you select displays in the list of group members.

To remove a user from a group, click Remove from Group next to the user that you want to remove. Click OK to confirm that you want to remove the user from the group.

Assigning a Role to a Group

When you assign a role to a group, the role is also assigned to all user and machine user accounts in the group.

To assign a role to a group:
  1. Sign in to the Cloudera Altus console:

    https://console.altus.cloudera.com/

  2. In the IAM section of the side navigation panel, click Groups.

    The Groups page displays the list of all Altus groups.

  3. Click the name of the group to which you want to assign a role.

    The group details page displays information about the group.

  4. Click the Roles tab.
  5. Click Update Roles.
  6. On the Update Roles window, select the roles you want to assign to the group.

    To view the permissions that the role grants to the group, click Policies. To remove a role from the group, clear the selected role.

  7. Click Update.

    The roles that you select display in the list of group roles.

To remove a role from a group, click Unassign Role next to the role that you want to remove. Click OK to confirm that you want to remove the role permissions from the group.

Assigning a Resource Role to a Group

When you assign a resource role to a group, the resource role is also assigned to all user and machine user accounts in the group.

To assign a resource role to a group:
  1. Sign in to the Cloudera Altus console:

    https://console.altus.cloudera.com/

  2. In the IAM section of the side navigation panel, click Groups.

    The Groups page displays the list of all Altus groups.

  3. Click the name of the group to which you want to assign a resource role.

    The group details page displays information about the group.

  4. Click the Resources tab.
  5. Click Assign Resources.
  6. On the Update Resource Roles window, select the Environment resource type.
  7. Select the environment that you want to assign to the group.
  8. Click Update Roles.

    The environment that you select displays in the list of resource roles.

To remove a resource role from the group, click Remove Resource Role next to the environment that you want to remove from the group.

Assigning a Group Membership Administrator

As an Altus administrator, you can create an Altus group and manage the users, roles, and resources assigned to the group. You can also assign other users and groups the IamGroupAdmin role to allow them to manage the users in the group.

To assign a group membership administrator:
  1. Sign in to the Cloudera Altus console:

    https://console.altus.cloudera.com/

  2. In the IAM section of the side navigation panel, click Groups.

    The Groups page displays the list of all Altus groups.

  3. Click the name of the group to which you want to assign a group membership administrator.

    The group details page displays information about the group.

  4. Click the Admins tab.
  5. Click in the Select group or user dropdown box.

    Altus displays the list of Altus groups and users that you can give group membership administrator permissions.

  6. Select the name of a group or user.

    The name of the group or user you select displays in the list of group membership administrators.

To remove group membership administrator permissions from a user or group, click Remove Resource Role next to the user or group for whom you want to revoke membership administrator permissions.

Working with Groups on the Command Line

You can use the CLI to create and manage Altus groups.

Creating and Deleting a Group

You can use the following command to create a group:

    altus iam create-group \
    --group-name=GroupName

To delete a group:

    altus iam delete-group \
    --group-name=GroupName

The group name must be unique. The name can be up to 32 characters and can include only alphanumeric characters, hyphens (-), and underscores (_). The first character in the name must be an alphabetic character or underscore.

The group name is not case sensitive. For example, the group name AAa is equivalent to the group name aaa.

Managing Users in a Group

Groups can include Altus users or machine users. They cannot include other groups.

The user-id parameter requires the CRN of the Altus user or machine user.

You can use the following command to add a user to a group:

    altus iam add-user-to-group \
    --group-name=GroupName \
    --user-id=UserCRN

To remove a user from a group:

    altus iam remove-user-from-group \
    --group-name=GroupName \
    --user-id=UserCRN

You can use the following command to add a machine user to a group:

    altus iam add-machine-user-to-group \
    --group-name=GroupName \
    --user-id=UserCRN

To remove a machine user from a group:

    altus iam remove-machine-user-from-group \
    --group-name=GroupName \
    --user-id=UserCRN

To get a list of the users in a group:

    altus iam list-group-members \
    --group-name=GroupName

To get the list of groups that a user is a member of:

    altus iam list-groups-for-user \
    --user-id=UserCRN

Assigning a Role to a Group

You can use the following command to assign a role to a group:

    altus iam assign-group-role \
    --group-name=GroupName \
    --role=RoleCRN

To remove a role from a group:

    altus iam unassign-group-role \
    --group-name=GroupName \
    --role=RoleCRN

The role parameter requires the CRN of the Altus role.

To get a list of the roles assigned to a group:

    altus iam list-group-assigned-roles \
    --group-name=GroupName

Assigning a Resource Role to a Group

In addition to a role, you assign a group a resource and resource role to enable the users in the group to create clusters and run jobs and access the resources required for the clusters and jobs. For example, you assign a group a resource role on an environment to enable users in the group to create a cluster using the resources specified in the environment.

You can use the following command to assign a resource role to a group:

    altus iam assign-group-resource-role \
    --group-name=GroupName \
    --resource-role-crn=ResourceRoleCRN \
    --resource-crn=ResourceCRN

To remove a resource role from a group:

    altus iam unassign-group-resource-role \
    --group-name=GroupName \
    --resource-role-crn=ResourceRoleCRN \
    --resource-crn=ResourceCRN

The resource-role-crn parameter requires the CRN of the resource role you want to assign to the group.

The resource-crn parameter requires the CRN of the resource on which you want to grant the resource role permissions.

To get a list of the resource roles assigned to a group:

    altus iam list-group-assigned-resource-role \
    --group-name=GroupName

Assigning a Group Membership Administrator

You can designate any user or group to be a group membership administrator for a group. The group membership administrator can add users to or remove users from the group. You can also assign the group to be its own administrator, in which case all members of the group can add users to or remove users from the group.

You assign the IamGroupAdmin resource role to users and groups to allow them to manage the users in a specified group.

You can use the following command to assign the IamGroupAdmin role to a user:

    altus iam assign-user-resource-role \
    --user=UserCRN \
    --resource-role-crn=ResourceRoleCRN \
    --resource-crn=ResourceCRN

The user parameter requires the CRN of the user to whom you want to assign the IamGroupAdmin resource role.

The resource-role-crn parameter requires the CRN of the IamGroupAdmin role.

The resource-crn parameter requires the CRN of the group on which the user will have administrator permission.

To assign the IamGroupAdmin role to a group:

    altus iam assign-group-resource-role \
    --group-name=GroupName \
    --resource-role-crn=ResourceRoleCRN \
    --resource-crn=ResourceCRN

The group-name parameter requires the name of the group to which you want to assign the IamGroupAdmin resource role.

The resource-role-crn parameter requires the CRN of the IamGroupAdmin role.

The resource-crn parameter requires the CRN of the group on which the group specified in the group-name parameter will have administrator permission.

For example, to assign the IamGroupAdmin resource role to GroupABC so that GroupABC can manage the users in GroupXYZ, run a command similar to the following:

    altus iam assign-group-resource-role \
    --group-name=GroupABC \
    --resource-role-crn=crn:altus:iam:us-west-1:altus:resourceRole:IamGroupAdmin \
    --resource-crn=crn:altus:iam:us-west-1:4e9d74e5-1cad-47d8-b645-7ccf9edbb73d:group:GroupXYZ/54218ac1-187b-40f7-aadb-5ghm96c35xy4

To assign the users in a group to be the administrators of their own group, set the values of the group-name parameter and the resource-crn parameter to refer to the same group.
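
A pre-flight check for the assignment described above, as an added example that is not part of the Altus CLI or the original documentation: it applies the group-name rules from this page and reports whether an IamGroupAdmin assignment would make a group its own administrator, in which case every member can change the membership. The function names and verdict strings are hypothetical, and the group CRN layout is assumed from the single example CRN shown above.

```shell
#!/bin/sh
# Added example (not Cloudera code): classify an assign-group-resource-role
# request before running it, using only the rules stated on this page.
LC_ALL=C; export LC_ALL   # keep [A-Za-z] ranges and tr ASCII-only

# Documented name rules: up to 32 characters, alphanumerics, '-' and '_',
# first character alphabetic or underscore.
valid_group_name() {
    [ "${#1}" -le 32 ] || return 1
    case $1 in
        ''|[!A-Za-z_]*|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
}

# Group names are not case sensitive, so compare them lowercased.
fold() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Extract the group name from a group CRN. Assumed layout (from the page's
# example): crn:altus:iam:<region>:<account>:group:<GroupName>/<id>
group_from_crn() {
    case $1 in
        crn:altus:iam:*:*:group:?*/?*) ;;
        *) return 1 ;;
    esac
    rest=${1##*:group:}
    printf '%s\n' "${rest%%/*}"
}

# check_assignment GROUP_NAME RESOURCE_ROLE_CRN RESOURCE_CRN
# Prints one verdict: invalid-name | other-role | not-a-group |
# self-admin (all members can add or remove users) | delegated-admin
check_assignment() {
    valid_group_name "$1" || { echo invalid-name; return 0; }
    case $2 in
        *:resourceRole:IamGroupAdmin) ;;
        *) echo other-role; return 0 ;;
    esac
    target=$(group_from_crn "$3") || { echo not-a-group; return 0; }
    if [ "$(fold "$1")" = "$(fold "$target")" ]; then
        echo self-admin
    else
        echo delegated-admin
    fi
}

# Demo with the CRNs from the page's GroupABC/GroupXYZ example.
ROLE=crn:altus:iam:us-west-1:altus:resourceRole:IamGroupAdmin
XYZ=crn:altus:iam:us-west-1:4e9d74e5-1cad-47d8-b645-7ccf9edbb73d:group:GroupXYZ/54218ac1-187b-40f7-aadb-5ghm96c35xy4
check_assignment GroupABC "$ROLE" "$XYZ"
check_assignment groupxyz "$ROLE" "$XYZ"
```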