Configure groups

In Citrix Application Delivery Management (ADM), a group can have both feature-level and resource-level access. For example, one group of users might have access to only selected Citrix ADC instances; another group to only a selected few applications, and so on. When you create a group, you can assign roles to the group, provide application-level access to the group, and assign users to the group. All users in that group are assigned the same access rights in Citrix ADM.  

To create user groups and assign roles to user groups:

  1. In Citrix ADM, navigate to System > User Administration > Groups.

  2. Click Add.

  3. In the Group Name field, enter the name of the group.

  4. In the Group Description field, type a description of the group. A good description makes the role and function of the group easier to understand later.

  5. In the Roles section, add or move one or more roles to the Configured list.

    Note: Under the Available list, you can click New or Edit and create or modify roles. Alternatively, you can navigate to System > User Administration > Users and create or modify users.

    Note

    You can create a new role by clicking New, or you can navigate to System > User Administration > Users and create new users from this screen.

  6. Click Next. On the Authorization Settings tab, you can provide authorization settings for the following four groups:

    • Instances

    • Applications

    • Configuration Templates

    • StyleBooks

    By default, your user can access all the above groups. You can clear the check boxes and provide selective access for each of these groups.

    For example:

    • Clear the Instances check box and select only the instances that you want your users to access.

    • Clear the All Applications check box and select only the required applications and templates. When you add applications to a group in Citrix ADM, you can use a regular expression (regex) to search for and add the applications that meet the regex criteria. Users who are bound to the group can access only those applications. The regular expression is persisted in Citrix ADM. That is, the expression entered in the Add Regular Expression text box is stored in the system, and Citrix ADM dynamically updates the authorization scope whenever new applications match it. When new applications are added to the system, Citrix ADM applies the search criteria to them, and any application that meets the criteria is dynamically added to the group. You do not have to add the new applications to the group manually. The group's users can see the applications under the appropriate modules in Citrix ADM.

    • Clear the All Configuration Templates check box to allow access to only the required templates.

    • Clear the All StyleBooks check box and select the StyleBooks that your user can access.

      You can select the required StyleBooks when you create groups and add users to that group. When your user selects the permitted StyleBook, all dependent StyleBooks are also selected. The config packs of that StyleBook are also included in what the user has access to.

    • Clear the All DNS Domain Names check box and add, from the list, the domain names that you want your users to access.

  7. Click Create Group.

  8. In the Assign Users tab, select the user from the Available list and add the user to the Configured list. For example, “dadmin”.

    Note: You can also add new users by clicking New.

  9. Click Finish.
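
Because the regular expression from step 6 is persisted and re-applied to every new application, a loose pattern widens a group's authorization scope with no further admin action. The following added example (not Citrix code) previews that growth before a pattern is saved. The group names, application names and patterns are constructed, and Python's `re.search` stands in for ADM's matcher, whose exact matching rules this page does not state.

```python
import re

# Constructed sample data: group name -> regex an admin plans to persist.
GROUP_REGEX = {
    "payments-ops": r"pay",                # short, unanchored pattern
    "hr-ops": r"^hr-[a-z0-9]+-prod$",      # anchored at both ends
}
# Constructed inventories: applications present today and ones added later.
EXISTING_APPS = ["pay-gateway-prod", "hr-portal-prod", "intranet-wiki"]
NEW_APPS = ["hr-payroll-prod", "prepay-cards-test",
            "pay-ledger-prod", "hr-portal-prod-debug"]


def matched(pattern, apps):
    """Applications the pattern admits (assumption: substring-search semantics)."""
    rx = re.compile(pattern)
    return sorted(app for app in apps if rx.search(app))


def scope_growth(pattern, existing, new):
    """Applications that enter the scope only because they were added later."""
    return sorted(set(matched(pattern, new)) - set(matched(pattern, existing)))


def scope_report(groups, existing, new):
    """Per group: what the pattern admits today and what it would admit later."""
    return {
        name: {
            "now": matched(pattern, existing),
            "added_later": scope_growth(pattern, existing, new),
        }
        for name, pattern in groups.items()
    }


if __name__ == "__main__":
    for group, scope in scope_report(GROUP_REGEX, EXISTING_APPS, NEW_APPS).items():
        print(group, scope)
```

In this sample the unanchored `pay` pattern pulls the HR payroll application and a test application into the payments group, while the anchored HR pattern admits only the one new production HR application.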

Note

As a Citrix ADM admin, you can provide either “view-only” permission or “view and edit” permission to your users for individual ADM module UIs based on access policy settings in RBAC. If the user is assigned to two or more groups, that is, if the user is internally mapped to more than one authorization scope and more than one access policy, ADM takes a union of all those groups’ permissions and authorizes the user accordingly.

For example, consider that User1 is assigned to a group that has two access policies, P1 and P2. Each policy has a different type of permission. P1 has “read-only” permission, while P2 has “view and edit” permission. You want your user to view a set of applications as part of the P1 policy, and edit a different set of applications as part of the P2 policy. But as a default behavior, Citrix ADM combines the two permission types and assigns the “view and edit” permission to the user. So your user will now be able to view and edit all the applications.

ADM doesn’t support use cases in which different types of permissions are assigned to the same user. You can assign only one type of permission to your users. ADM can either allow User1 to view all apps or a selected set of apps, or allow User1 to view and edit all apps or a selected set of apps.
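
The union behaviour described above can be checked offline before users are assigned to several groups. This added example (not Citrix code) models each group as one permission type plus a set of applications, merges them the way the note describes, and lists the applications where a user ends up with more than the per-group design intended. All group, user and application names are constructed.

```python
RANK = {"view": 1, "edit": 2}

# Constructed sample data: each group has one permission type and a scope.
GROUPS = {
    "app-viewers": {"permission": "view", "apps": {"crm", "billing"}},
    "app-editors": {"permission": "edit", "apps": {"wiki"}},
    "auditors": {"permission": "view", "apps": {"billing", "wiki"}},
}
MEMBERS = {
    "User1": ["app-viewers", "app-editors"],
    "User2": ["app-viewers", "auditors"],
}


def intended(user):
    """Per-application permission the admin meant, read group by group."""
    wanted = {}
    for name in MEMBERS[user]:
        group = GROUPS[name]
        for app in group["apps"]:
            current = wanted.get(app)
            if current is None or RANK[group["permission"]] > RANK[current]:
                wanted[app] = group["permission"]
    return wanted


def effective(user):
    """Union as described in the note: scopes merged, one permission type."""
    groups = [GROUPS[name] for name in MEMBERS[user]]
    strongest = max((g["permission"] for g in groups), key=RANK.get)
    apps = set().union(*(g["apps"] for g in groups))
    return {app: strongest for app in apps}


def escalations(user):
    """Applications where the merged result exceeds the per-group intent."""
    want, got = intended(user), effective(user)
    return sorted(app for app in got if RANK[got[app]] > RANK[want[app]])


if __name__ == "__main__":
    for user in MEMBERS:
        print(user, effective(user), "escalated:", escalations(user))
```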

Mapping of RBAC when upgrading Citrix ADM from 12.0 to 12.1

When you upgrade Citrix ADM from 12.0 to 12.1, you do not see the options to provide “read-write” or “read” permissions while creating groups. These permissions have been replaced by “roles and access policies,” which give you more flexibility to provide role-based permissions to the users. The following table shows how the permissions in release 12.0 are mapped to release 12.1:

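| 12.0             | Allow Applications Only | 12.1        |
|------------------|-------------------------|-------------|
| admin read-write | False                   | admin       |
| admin read-write | True                    | appAdmin    |
| admin read-only  | False                   | readonly    |
| admin read-only  | True                    | appReadonly |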