6. Group management
This page describes group management in Nubus. It addresses functional administrators who manage groups and their members.
Nubus stores groups in the LDAP directory service. Typically, groups contain user accounts. However, they can also contain other object types, for example computer objects. Groups are the basis to differentiate permissions in Nubus.
6.1. Assign users to groups
You can assign user accounts to groups in the following ways:
- A selection of groups to a user account in the User management module, see Groups in Groups tab - Users management.
- A selection of user accounts to a group in the group management module, see Users in General tab - Group management.
6.2. Recommendation for group name definition
One important and required attribute for groups is the group name. This section describes a recommendation for the group name definition. Consider the recommendation as a guideline and not a rule. Keep potential side effects in mind when defining group names outside the recommendation.
To avoid conflicts with the different tools handling groups in Nubus, adhere to the following recommendations for the definition of group names:
- Only use the following characters from the ASCII character set for group names:
  - Upper and lower case letters (A-Za-z)
  - Digits (0-9)
  - Hyphen (-)
  - Space
- The group name starts with a letter from the ASCII character set.
- The space isn’t allowed as first or last character.
- The hyphen isn’t allowed as last character.
- In Nubus the group name has at least a length of 4 characters and at most 20 characters.
The recommendation results in the regular expression in Listing 6.1.
^[A-Za-z][A-Za-z0-9 -]{2,18}[A-Za-z0-9]$
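The following check is an added example, not part of the Nubus documentation or code: it tests a proposed group name against each recommendation separately, so that you can see which one a name breaks, and cross-checks the result against the regular expression from Listing 6.1. The function names and the sample names are constructed for illustration.

```python
import re
import string

# Regular expression from Listing 6.1 on this page.
LISTING_6_1 = re.compile(r"^[A-Za-z][A-Za-z0-9 -]{2,18}[A-Za-z0-9]$")
ALLOWED = set(string.ascii_letters + string.digits + " -")


def matches_listing(name):
    # fullmatch, not match: in Python "$" also matches before a trailing
    # newline, so re.match would accept "Sales\n".
    return LISTING_6_1.fullmatch(name) is not None


def check_group_name(name):
    """Return the recommendations that `name` breaks (empty list = compliant)."""
    problems = []
    bad = sorted({c for c in name if c not in ALLOWED})
    if bad:
        problems.append("characters outside A-Za-z, 0-9, hyphen, space: "
                        + " ".join(repr(c) for c in bad))
    if not name or name[0] not in string.ascii_letters:
        problems.append("must start with an ASCII letter")
    if name.endswith(" "):
        problems.append("space not allowed as last character")
    if name.endswith("-"):
        problems.append("hyphen not allowed as last character")
    if not 4 <= len(name) <= 20:
        problems.append("length must be 4 to 20 characters")
    return problems


# Constructed sample names; the first is the example group from section 6.4.
SAMPLES = ["IT staff location A", "web_admins", "4th floor", "Ops",
           "Backup-", "Büro Nord", "Sales\n"]

if __name__ == "__main__":
    for sample in SAMPLES:
        issues = check_group_name(sample)
        # The per-rule checks and the regular expression must agree.
        assert (not issues) == matches_listing(sample)
        print(repr(sample), "OK" if not issues else issues)
```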
6.3. Managing groups through management module
In Nubus, you manage groups through the Groups management module. You find the module in the Domain category of the Management UI. Fig. 6.1 shows the module for creating a group. The following sections describe the tabs in the Groups management module:

Fig. 6.1 Creating a group through the Group management module
6.3.1. General tab - Group management
- Name
Defines the name of the group. For recommended characters for the group name, see Recommendation for group name definition.
- Description
For a description of the group.
- Users
Add users as members to the group.
- Groups
Add other groups as members of the current group. It turns the current group into a nested group. See Group nesting with groups in groups.
6.3.2. Advanced settings tab - Group management
This part defines a mail group. For details, see Management of mail groups.
- Host members
Add computer host objects as members to the group.
- Member of
Add other groups. The current group becomes member of the other groups listed here.
- Group ID
If you want to assign a certain ID to the group, you can set it here when creating a group.
Otherwise, Nubus automatically assigns the next available group ID to the group when you create it. You can’t change the group ID subsequently. The Group management module then shows the ID as read-only field.
The group ID may consist of integers between 1000 and 59999, and between 65536 and 100000.
The relative ID (RID) is the local part of the Security ID (SID) that Windows and Samba domains use.
If you want to assign a certain RID to the group, you can set it here when creating a group. Otherwise, Nubus automatically assigns the next available RID to the group when you create it. You can’t change the RID subsequently. The Group management module then shows the RID as read-only field.
If you use Samba/AD, Samba creates the RID and you can’t specify it.
Standard groups and special objects reserve RIDs below 1000.
Nubus evaluates the group type when a user signs in to a Samba/AD based domain. The following group types exist:
- Global Groups
are known across the domain. This is the default group type.
- Local groups
are only relevant on Windows servers.
- Well-known group
This group type covers groups preconfigured by Samba/Windows servers which generally have special privileges, such as Power Users.
Only the login procedure in a Samba/AD based domain evaluates this group type upon user sign-in. For more information, see Synchronization of Active Directory groups when using Samba/AD.
Use this field to assign Windows system rights to a group, for example, the right to join a Microsoft Windows client in the domain. The field is equivalent to Samba privilege in Account tab - Users management.
6.3.3. Options settings tab - Group management
This tab is only available when adding groups, not when editing groups. You can clear certain LDAP object classes for the group here. After group creation, you can no longer edit the fields.
- Samba group
This checkbox indicates whether the group contains the LDAP object class sambaGroupMapping.
- POSIX group
This checkbox indicates whether the group contains the LDAP object class posixGroup.
6.4. Group nesting with groups in groups
Nubus supports group nesting, also known as groups in groups. This simplifies the management of the groups. For example, if you manage two locations in one domain, you can create two groups, IT staff location A and IT staff location B. You can assign user accounts of the respective location’s IT staff to either group. To create a cross-location group, it’s sufficient to define the groups IT staff location A and IT staff location B as members.
Nubus automatically detects cyclic dependencies of nested groups and refuses them.
Nubus resolves nested group memberships when it creates the group cache. Nested groups are therefore transparent for applications. For more information, see Local group cache.
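The following sketch is an added example, not Nubus code and not a description of how Nubus builds its group cache: it shows what resolving nested memberships and refusing a cyclic nesting mean for the two-location scenario above, which is also what you need when you review who effectively holds the permissions of a group. The user names are constructed, and IT staff all is a hypothetical name for the cross-location group.

```python
# Constructed sample data: direct user members and nested member groups.
USERS = {
    "IT staff location A": {"anna", "ben"},
    "IT staff location B": {"carla"},
    "IT staff all": set(),  # hypothetical cross-location group, no direct users
}
NESTED = {
    "IT staff all": ["IT staff location A", "IT staff location B"],
}


def reachable_groups(start, nested):
    """Return `start` plus every group nested below it, at any depth."""
    seen, stack = set(), [start]
    while stack:
        group = stack.pop()
        if group not in seen:
            seen.add(group)
            stack.extend(nested.get(group, ()))
    return seen


def would_create_cycle(parent, child, nested):
    """True if adding `child` as a member group of `parent` closes a loop."""
    # A loop appears exactly when `parent` is already at or below `child`.
    return parent in reachable_groups(child, nested)


def effective_users(group, users, nested):
    """Users who are members directly or through nested groups."""
    members = set()
    for name in reachable_groups(group, nested):
        members |= users.get(name, set())
    return members


if __name__ == "__main__":
    print(sorted(effective_users("IT staff all", USERS, NESTED)))
    # Nesting the cross-location group into one of its own members is a cycle.
    print(would_create_cycle("IT staff location A", "IT staff all", NESTED))
```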