Work with User Groups

To manage user access to specific artifacts (for example, to different namespaces in the Archival service), you can group users with the same roles and permissions together under user groups.

User Groups

When you create an organization account, Smart Trading Cloud automatically creates the following default groups to differentiate user permissions:

  • All Users

    The All Users group contains all the users belonging to your organization account. Users in this group have minimum permissions, such as logging in to services and viewing the organization's general information, with no access to the administrative part of the Smart Trading Cloud services.

    If you set up auto-registration through registered domains, all the self-registered users will be added to this group.

    When you add a user to another user group or remove this user from that group, you can still find this user in the All Users group. You cannot remove users from the All Users group.

  • Administrators

    The Administrators group contains users with administrator permissions. Only administrators can modify account properties and add or remove users. To give a user administrator permissions, add the user to the Administrators group.

  • Applications

    The Applications group contains pseudo users created to facilitate interaction between Smart Trading Cloud applications and artifacts in the cloud environment. The purpose of this group is to provide a centralized way of managing and granting access to resources for applications or services that need to interact with the system. By assigning permissions to the Applications group, administrators control access to resources at a higher level rather than managing permissions for each application or service individually.

    When you subscribe to a service (for example, MFT), Smart Trading Cloud automatically creates a system user account for you under the Applications user group. You can also create application user accounts manually under the Applications user group. You can identify system user accounts by the icon displayed against them in the Users listing pane.

Note: You cannot remove the default user groups or change their names.

Service-specific user groups

When you subscribe to Smart Trading Cloud services, Smart Trading Cloud creates service-specific user groups with pre-defined permissions for some of them. These user groups are used to manage which users of your organization have access to a specific service, rather than to all services available to the organization.

For more information on service-specific groups, refer to the corresponding help topics for App Developer Portal for FHIR, Endpoint Directory, Compute service, and Member Account service.

You can create more user groups and add users to these groups depending on the roles you want to give them. One user can belong to several groups.

While configuring OIDC federation for your organization, you can also configure group mapping so that Smart Trading Cloud automatically updates the list of groups to which a user belongs when that user logs in.

Group Roles

You can assign roles to user groups to control which actions the users in the group can perform within the Smart Trading Cloud services. Roles contain permissions that specify the actions a user is allowed to perform. Each group role you add to a user group is linked to a specific service.

You can add new group roles to a user group or remove existing ones. By default, Smart Trading Cloud assigns the Regular User group role to the All Users user group for every service your organization has subscribed to. This means that, by default, all services are accessible to all users of your organization.

Similarly, Smart Trading Cloud provides Administrator group roles for all the services for the Administrators user group.

You can remove any of the group roles specified for these services based on your requirements. However, you cannot remove the Regular User role for the Account Service.

The following scenarios describe how you can utilize group roles to control user access to different services:

  • Paul Smith, an organization account administrator of Health Inc., created a user group QA with the Regular User role for the service App Developer Portal for FHIR, as shown below.

    Now, he wants the users of the QA group to have access to the service Managed File Transfer. To fulfill this requirement, Paul can add a Regular User role to the Managed File Transfer service in the QA group, as shown below.
  • Paul Smith has created a user group SDCAdministrators and added to it the specific users to whom he wants to assign administrator permissions. Paul wants all the users of this group to be able to access the Member Consent Service and also to make changes to the service. To fulfill this requirement, Paul can add an Administrator group role to the Member Consent Service.
  • Health Inc. needs some data maintenance work, for which Paul Smith has invited a few external users from outside his organization. Paul wants the external users to be able to access the Account Service but not make changes to it. To fulfill this requirement, Paul can create a group ExternalUsers and add the required users to it. He can then assign a Viewer group role to the Account Service. The users of the ExternalUsers group will be able to access the Account Service but not make any changes to it.
  • Paul Smith no longer wants all the users of his organization to have access to the Member Consent Service. To fulfill this requirement, for the All Users group, Paul can remove the Regular User role assigned to the Member Consent Service.
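The following Python model is added here as an illustration of the group-role rules described in this section; it is not Smart Trading Cloud code and is not taken from its documentation. It encodes the fixed rules (every user remains in All Users, default groups cannot be removed, All Users keeps the Regular User role on the Account Service) and replays the four Health Inc. scenarios. The class and method names are assumptions, the user names are constructed, and the decision that a user holds the union of the roles granted by all of their groups is an assumption about how roles combine that the topic does not state explicitly.

```python
# Illustrative model of the group-role semantics in this topic. Added example, not
# Smart Trading Cloud code: names are assumptions; users/groups below are constructed.
from dataclasses import dataclass, field

ALL_USERS = "All Users"
DEFAULT_GROUPS = ("All Users", "Administrators", "Applications")
ACCOUNT_SERVICE = "Account Service"


class PolicyError(Exception):
    """Raised when an operation would violate a rule stated in the topic."""


@dataclass
class Organization:
    services: set                                  # subscribed services
    members: dict = field(default_factory=dict)    # group -> set of users
    roles: dict = field(default_factory=dict)      # group -> {service: role}

    def __post_init__(self):
        for group in DEFAULT_GROUPS:
            self.members.setdefault(group, set())
            self.roles.setdefault(group, {})
        for service in self.services:   # default roles on every subscribed service
            self.roles[ALL_USERS][service] = "Regular User"
            self.roles["Administrators"][service] = "Administrator"

    def delete_group(self, group):
        if group in DEFAULT_GROUPS:
            raise PolicyError("default groups cannot be removed")
        self.members.pop(group, None)
        self.roles.pop(group, None)

    def add_to_group(self, user, group):
        self.members[ALL_USERS].add(user)   # every account user is in All Users
        self.members.setdefault(group, set()).add(user)   # creates the group if new

    def remove_from_group(self, user, group):
        if group == ALL_USERS:
            raise PolicyError("users cannot be removed from All Users")
        self.members[group].discard(user)

    def set_role(self, group, service, role):
        if service not in self.services:
            raise PolicyError(f"{service!r} is not a subscribed service")
        self.roles.setdefault(group, {})[service] = role

    def remove_role(self, group, service):
        if group == ALL_USERS and service == ACCOUNT_SERVICE:
            raise PolicyError("Regular User on Account Service is mandatory for All Users")
        self.roles.get(group, {}).pop(service, None)

    def effective_roles(self, user, service):
        """Roles held on `service` via any group; union across groups is an assumption."""
        return {self.roles[g][service] for g, users in self.members.items()
                if user in users and service in self.roles.get(g, {})}

    def can_access(self, user, service):
        return bool(self.effective_roles(user, service))

    def can_modify(self, user, service):
        return "Administrator" in self.effective_roles(user, service)


def health_inc_scenarios():
    """Replays the four scenarios from the topic and returns the resulting decisions."""
    org = Organization(services={ACCOUNT_SERVICE, "App Developer Portal for FHIR",
                                 "Managed File Transfer", "Member Consent Service"})
    org.add_to_group("qa.tester", "QA")                        # scenario 1
    org.set_role("QA", "App Developer Portal for FHIR", "Regular User")
    org.set_role("QA", "Managed File Transfer", "Regular User")
    org.add_to_group("sdc.admin", "SDCAdministrators")         # scenario 2
    org.set_role("SDCAdministrators", "Member Consent Service", "Administrator")
    org.add_to_group("contractor", "ExternalUsers")            # scenario 3
    org.set_role("ExternalUsers", ACCOUNT_SERVICE, "Viewer")
    org.remove_role(ALL_USERS, "Member Consent Service")       # scenario 4
    return {
        "qa_mft": org.can_access("qa.tester", "Managed File Transfer"),
        "sdc_modify": org.can_modify("sdc.admin", "Member Consent Service"),
        "ext_account": org.can_access("contractor", ACCOUNT_SERVICE),
        "ext_modify": org.can_modify("contractor", ACCOUNT_SERVICE),
        "qa_consent": org.can_access("qa.tester", "Member Consent Service"),
    }


def blocked_operations():
    """Attempts the three operations the topic forbids; returns the errors raised."""
    org = Organization(services={ACCOUNT_SERVICE})
    errors = []
    for attempt in (lambda: org.delete_group("Administrators"),
                    lambda: org.remove_from_group("alice", ALL_USERS),
                    lambda: org.remove_role(ALL_USERS, ACCOUNT_SERVICE)):
        try:
            attempt()
        except PolicyError as exc:
            errors.append(str(exc))
    return errors
```

Because every user stays in All Users, the contractor in scenario 3 holds both the Viewer role from ExternalUsers and the mandatory Regular User role from All Users on the Account Service; the model therefore reports access without modification rights, which is the outcome the scenario describes, but it also shows why the roles granted to All Users deserve review when you scope a group narrowly.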

Group Attributes

Smart Trading Cloud uses attribute-based access control to manage the access of user groups to specific artifacts of a service activated for an organization account. An attribute is a string value assigned to a specific (required) user group; the users of that group thereby gain access to a specific URL. This access control method uses an intelligent, fine-grained, and context-aware authorization model that grants access to a resource only if the user possesses the required attribute. Attributes give Smart Trading Cloud additional context for evaluating whether a request is legitimate and for granting or denying access.

In Smart Trading Cloud, the attribute is created automatically when an account administrator activates a Smart Trading Cloud service. The user groups (All Users) that belong to this account automatically receive the attribute (for example, service/repository) that allows them to access the service.

As an administrator, you can also add attributes manually if you want to give specific user groups access to specific artifacts.
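The following Python check is added here to illustrate how an attribute-based decision of the kind described above can be evaluated; it is not Smart Trading Cloud code. The attribute format (a service followed by artifact path components, in the spirit of the service/repository example), the component-wise prefix matching, and the sample groups, users and Archival namespaces are all assumptions constructed for the example.

```python
# Illustrative attribute check for the group-attribute model described above.
# Added example, not Smart Trading Cloud code: the `service/artifact[/...]` format,
# component-wise prefix matching and all sample data are constructed assumptions.

ALL_USERS = "All Users"


def attribute_covers(attribute, artifact):
    """An attribute covers an artifact when each of its path components equals the
    corresponding component of the artifact path. Matching whole components instead
    of raw string prefixes keeps 'archival/finance' from also granting
    'archival/finance-archive'."""
    want = [c for c in attribute.split("/") if c]
    have = [c for c in artifact.split("/") if c]
    return 0 < len(want) <= len(have) and have[:len(want)] == want


def evaluate(group_attributes, memberships, user, artifact):
    """Return the decision and the (group, attribute) pairs that justified it.
    Every user is treated as a member of All Users, which holds the attribute
    created when the service was activated."""
    groups = memberships.get(user, set()) | {ALL_USERS}
    matched = sorted((g, a) for g in groups
                     for a in group_attributes.get(g, ())
                     if attribute_covers(a, artifact))
    return {"allow": bool(matched), "matched": matched}


# Constructed sample data for an Archival service with two namespaces.
GROUP_ATTRIBUTES = {
    ALL_USERS: {"archival/repository"},            # created on service activation
    "Finance": {"archival/namespaces/finance"},    # added manually by an administrator
    "QA": {"archival/namespaces/qa"},
}
MEMBERSHIPS = {"fin.analyst": {"Finance"}, "qa.tester": {"QA"}}


def decisions():
    """Evaluates a set of constructed requests and returns allow/deny per case."""
    cases = {
        "finance_own_ns": ("fin.analyst", "archival/namespaces/finance/ledger-2024"),
        "qa_cross_ns": ("qa.tester", "archival/namespaces/finance/ledger-2024"),
        "anyone_repo": ("newhire", "archival/repository/readme"),
        "lookalike_ns": ("fin.analyst", "archival/namespaces/finance-archive/old"),
        "bare_service": ("fin.analyst", "archival"),
    }
    return {name: evaluate(GROUP_ATTRIBUTES, MEMBERSHIPS, user, artifact)["allow"]
            for name, (user, artifact) in cases.items()}
```

Returning the matched (group, attribute) pairs alongside the decision gives an administrator the evidence needed to see why a request was granted, which is what you want when reviewing manually added attributes that widen a group's reach.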


Related Materials

Environment Promotion