Configure groups

In Citrix Application Delivery Management (ADM), a group can have both feature-level and resource-level access. For example, one group of users might have access to only selected Citrix ADC instances; another group to only a selected few applications, and so on. When you create a group, you can assign roles to the group, provide application-level access to the group, and assign users to the group. All users in that group are assigned the same access rights in Citrix ADM.  

Create a user group

  1. In Citrix ADM, navigate to System > User Administration > Groups.

  2. Click Add.

    The Create System Group page is displayed.

  3. In the Group Name field, enter the name of the group.

  4. In the Group Description field, enter a description of the group. A clear description helps you understand the group's role and function later.

  5. In the Roles section, add or move one or more roles to the Configured list.

    Note

    Under the Available list, you can click New or Edit and create or modify roles. Alternatively, you can navigate to System > User Administration > Users and create or modify users.

  6. Click Next. On the Authorization Settings tab, you can provide authorization settings for the following resources:

    • Autoscale Groups
    • Instances
    • Applications
    • Configuration Templates
    • StyleBooks
    • Domain Names

    Categories in authorization settings

    You might want to select specific resources from the categories to which users can have access.

    Autoscale Groups:

    If you want to select the specific autoscale groups that the user can view or manage, perform the following steps:

    1. Clear the All AutoScale Groups check box and click Add AutoScale Groups.

    2. Select the required autoscale groups from the list and click OK.

    Instances:

    If you want to select the specific instances that the user can view or manage, perform the following steps:

    1. Clear the All Instances check box and click Select Instances.

    2. Select the required instances from the list and click OK.

    Applications:

    The Choose Applications list allows you to grant a user access to the required applications. This list provides the following options:

    • All Applications: This option is selected by default. It adds all applications that are present in the Citrix ADM.

    • All Applications of selected instances: This option appears only if you select instances from the All Instances category. It adds all the applications present on the instance.

    • Specific Applications: This option allows you to add the required applications that you want users to access. Click Add Applications and select the required applications from the list.

    You can use regular expressions to search for and add the applications that meet the regex criteria for the groups. The specified regular expression is persisted in Citrix ADM. To add a regular expression, perform the following steps:

    1. Click Add Regular Expression.

    2. Specify the regular expression in the text box.

    3. Click the + icon.

    The regular expression is stored in the system and updates the authorization scope when new applications match the regular expression.

    Citrix ADM matches the stored regular expressions with new applications. The application matching the regular expression is added to the group. The users of the group can view and manage the application.

    Configuration Templates:

    If you want to select the specific configuration template that the user can view or manage, perform the following steps:

    1. Clear the All Configuration templates check box and click Add Configuration Template.

    2. Select the required template from the list and click OK.

    StyleBooks:

    If you want to select the specific StyleBook that the user can view or manage, perform the following steps:

    1. Clear the All StyleBooks check box and click Add StyleBook to Group.

    2. Select the required StyleBooks from the list and click OK.

      You can select the required StyleBooks when you create groups and add users to that group. When your user selects the permitted StyleBook, all dependent StyleBooks are also selected. The config packs of that StyleBook are also included in what the user has access to.

    Domain Names:

    If you want to select the specific domain name that the user can view or manage, perform the following steps:

    1. Clear the All Domain Names check box and click Add Domain Name.

    2. Select the required domain names from the list and click OK.

  7. Click Create Group.

  8. In the Assign Users section, select the user in the Available list, and add the user to the Configured list.

    Note

    You can also add new users by clicking New.

  9. Click Finish.
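
Because a stored regular expression (step 6, Applications) keeps adding newly matching applications to the group, it is worth previewing what a pattern can match before saving it. The following is an added example, not part of the Citrix documentation: the application names are constructed, Python's `re` engine stands in for ADM's matcher, and since the page does not say whether ADM anchors the pattern, both semantics are computed.

```python
import re

# Constructed application names; substitute an export of your own inventory.
SAMPLE_APPS = [
    "hr-portal_lb", "hr-portal-staging_lb", "payments_lb",
    "chr-archive_lb", "finance-hr-sync_cs",
]

def scope_preview(pattern, app_names):
    """Return (search_hits, full_hits) for a candidate group regex.

    Assumption: Python's re engine stands in for ADM's matcher, and it is
    unknown whether ADM anchors the pattern, so both semantics are computed.
    """
    rx = re.compile(pattern)
    search_hits = [a for a in app_names if rx.search(a)]
    full_hits = [a for a in app_names if rx.fullmatch(a)]
    return search_hits, full_hits

def review(pattern, app_names, intended):
    """Compare what the pattern can pull into scope with the intended set."""
    search_hits, full_hits = scope_preview(pattern, app_names)
    widest = set(search_hits) | set(full_hits)
    return {
        # Applications the group would gain that nobody asked for.
        "unintended": sorted(widest - set(intended)),
        # Intended applications that strict (anchored) matching would miss.
        "missed": sorted(set(intended) - set(full_hits)),
        # True when the result depends on how the pattern is anchored.
        "semantics_differ": search_hits != full_hits,
    }

if __name__ == "__main__":
    intended = ["hr-portal_lb", "hr-portal-staging_lb"]
    for pattern in ("hr", r"^hr-portal.*_lb$"):
        print(pattern, review(pattern, SAMPLE_APPS, intended))
```

A pattern whose `unintended` list is empty and whose `semantics_differ` is false grants the same scope however the matcher anchors it.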

Note

As a Citrix ADM admin, you can provide either “view-only” permission or “view and edit” permission to your users for individual ADM module UIs based on access policy settings in RBAC. If the user is assigned to two or more groups, that is, if the user is internally mapped to more than one authorization scope and more than one access policy, ADM takes a union of all those groups’ permissions and authorizes the user accordingly.

For example, consider that User1 is assigned to a group that has two access policies, P1 and P2. Each policy has a different type of permission. P1 has “read-only” permission, while P2 has “view and edit” permission. You want your user to view a set of applications as part of the P1 policy, and edit a different set of applications as part of the P2 policy. But as a default behavior, Citrix ADM combines the two permission types and assigns the “view and edit” permission to the user. So your user will now be able to view and edit all the applications.

ADM doesn’t support such use cases where you can assign different types of permissions to the same user. You can assign only one type of permission to your users. ADM can either allow User1 to view all apps or a selected set of apps, or allow User1 to view and edit all apps or a selected set of apps.
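
The union behaviour described above can be checked offline before assigning a user to a second group. This added example (not Citrix code) models each group as one permission type plus an application scope, which is a simplification assumed here, and reports the applications a user can edit only because of the union. All group, user, and application names are constructed.

```python
# Constructed data mirroring the P1/P2 scenario; every name is hypothetical.
GROUPS = {
    "app-viewers": {"permission": "view", "apps": {"crm", "wiki"}},
    "app-editors": {"permission": "view_edit", "apps": {"billing"}},
    "dr-viewers": {"permission": "view", "apps": {"dr-site"}},
}
MEMBERSHIP = {
    "User1": ["app-viewers", "app-editors"],
    "User2": ["app-viewers", "dr-viewers"],
}
RANK = {"view": 0, "view_edit": 1}

def effective_access(user, membership=MEMBERSHIP, groups=GROUPS):
    """Union model from the note: widest permission over the union of scopes."""
    mine = [groups[g] for g in membership.get(user, [])]
    if not mine:
        return None, set()
    permission = max((g["permission"] for g in mine), key=RANK.__getitem__)
    apps = set().union(*(g["apps"] for g in mine))
    return permission, apps

def unintended_edit(user, membership=MEMBERSHIP, groups=GROUPS):
    """Apps the user can edit although no view_edit group of theirs lists them."""
    permission, apps = effective_access(user, membership, groups)
    if permission != "view_edit":
        return set()
    granted = set()
    for name in membership.get(user, []):
        if groups[name]["permission"] == "view_edit":
            granted |= groups[name]["apps"]
    return apps - granted

def audit(membership=MEMBERSHIP, groups=GROUPS):
    """Map each affected user to the sorted list of unintentionally editable apps."""
    findings = {}
    for user in membership:
        extra = unintended_edit(user, membership, groups)
        if extra:
            findings[user] = sorted(extra)
    return findings

if __name__ == "__main__":
    print(audit())
```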

Mapping of RBAC when upgrading Citrix ADM from 12.0 to later releases

When you upgrade Citrix ADM from 12.0 to 13.0, you do not see the options to provide “read-write” or “read” permissions while creating groups. These permissions have been replaced by “roles and access policies,” which give you more flexibility to provide role-based permissions to the users. The following table shows how the permissions in release 12.0 are mapped to release 13.0:

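| 12.0             | Allow Applications Only | 13.0        |
|------------------|-------------------------|-------------|
| admin read-write | False                   | admin       |
| admin read-write | True                    | appAdmin    |
| admin read-only  | False                   | readonly    |
| admin read-only  | True                    | appReadonly |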