6. Group management

This page describes group management in Nubus. It addresses functional administrators who manage groups and their members.

Nubus stores groups in the LDAP directory service. Typically, groups contain user accounts. However, they can optionally also contain other object types, for example computer objects. Groups are the basis for differentiating permissions in Nubus.

6.1. Assign users to groups

You can assign user accounts to groups in the following ways:

6.2. Recommendation for group name definition

One important and required attribute for groups is the group name. This section describes a recommendation for the group name definition. Consider the recommendation as a guideline and not a rule. Keep potential side effects in mind when defining group names outside the recommendation.

To avoid conflicts with the different tools handling groups in Nubus, adhere to the following recommendations for the definition of group names:

  • Only use the following characters from the ASCII character set for group names:

    • Upper and lower case letters (A-Za-z)

    • Digits (0-9)

    • Hyphen (-)

    • Space

  • The group name starts with a letter from the ASCII character set.

  • The space isn’t allowed as first or last character.

  • The hyphen isn’t allowed as last character.

  • In Nubus the group name has at least a length of 4 characters and at most 20 characters.

The recommendation results in the regular expression in Listing 6.1.

Listing 6.1 Regular expression for group name definition recommendation
^[A-Za-z][A-Za-z0-9 -]{2,18}[A-Za-z0-9]$
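
The following added example (not part of the Nubus documentation or code base) checks a proposed group name against each recommendation above and reports which one it violates. The function name and the sample names are assumptions made for illustration. It uses `re.fullmatch()` because in Python a pattern ending in `$` also matches a name that is followed by a newline.

```python
import re

# Pattern from Listing 6.1 without the ^ and $ anchors: re.fullmatch()
# anchors both ends and, unlike "$", does not tolerate a trailing newline.
GROUP_NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9 -]{2,18}[A-Za-z0-9]")
ALLOWED_CHARS = re.compile(r"[A-Za-z0-9 -]*")


def check_group_name(name: str) -> list[str]:
    """Return the recommendations that `name` violates (empty list = OK)."""
    problems = []
    if not 4 <= len(name) <= 20:
        problems.append("length must be 4 to 20 characters")
    if not ALLOWED_CHARS.fullmatch(name):
        problems.append("only A-Z, a-z, 0-9, hyphen and space are recommended")
    if not re.match(r"[A-Za-z]", name):
        # Also covers a leading space, digit or hyphen.
        problems.append("must start with an ASCII letter")
    if name.endswith(" "):
        problems.append("space is not allowed as last character")
    if name.endswith("-"):
        problems.append("hyphen is not allowed as last character")
    return problems


# Constructed sample names, not taken from a real directory.
SAMPLES = ["IT staff location A", "dev", "1st-level", "backup-",
           "Vertrieb-Süd", "Sales\n"]

if __name__ == "__main__":
    for sample in SAMPLES:
        problems = check_group_name(sample)
        # The rule list and the regular expression must always agree.
        assert (not problems) == bool(GROUP_NAME_RE.fullmatch(sample))
        print(repr(sample), "->", problems or "OK")
```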

6.3. Managing groups through management module

In Nubus, you manage groups through the Groups management module. You find the module in the Domain category of the Management UI. Fig. 6.1 shows the module for creating a group. The following sections describe the tabs in the Groups management module:

Fig. 6.1 Creating a group through the Group management module

6.3.1. General tab - Group management

Name

Defines the name of the group. For recommended characters for the group name, see Recommendation for group name definition.

Description

Contains a description of the group.

Users

Add users as members to the group.

Groups

Add other groups as members of the current group. It turns the current group into a nested group. See Group nesting with groups in groups.

6.3.2. Advanced settings tab - Group management

Mail

This part defines a mail group. For details, see Management of mail groups.

Host members

Add computer host objects as members to the group.

Member of

Add other groups. The current group becomes a member of the other groups listed here.

Group ID

If you want to assign a certain ID to the group, you can set it here when creating a group.

Otherwise, Nubus automatically assigns the next available group ID to the group when you create it. You can’t change the group ID subsequently. The Group management module then shows the ID as a read-only field.

The group ID must be an integer between 1000 and 59999, or between 65536 and 100000.

Windows ‣ Relative ID

The relative ID (RID) is the local part of the Security ID (SID) that Windows and Samba domains use.

If you want to assign a certain RID to the group, you can set it here when creating a group. Otherwise, Nubus automatically assigns the next available RID to the group when you create it. You can’t change the RID subsequently. The Group management module then shows the RID as a read-only field.

If you use Samba/AD, Samba creates the RID and you can’t specify it.

Standard groups and special objects reserve RIDs below 1000.

Windows ‣ group type

Nubus evaluates the group type when a user signs in to a Samba/AD based domain. The following group types exist:

Global Groups

are known across the domain. This is the default group type.

Local groups

are only relevant on Windows servers.

Well-known group

This group type covers groups preconfigured by Samba/Windows servers which generally have special privileges, such as Power Users.

Windows ‣ AD group type

Only the login procedure in a Samba/AD based domain evaluates this group type upon user sign-in. For more information, see Synchronization of Active Directory groups when using Samba/AD.

Windows ‣ Samba privileges

Use this field to assign Windows system rights to a group, for example, the right to join a Microsoft Windows client to the domain. The field is equivalent to Samba privilege in Account tab - Users management.

6.3.3. Options settings tab - Group management

This tab is only available when adding groups, not when editing groups. You can clear certain LDAP object classes for the group here. After group creation, you can no longer edit the fields.

Samba group

This checkbox indicates whether the group contains the LDAP object class sambaGroupMapping.

POSIX group

This checkbox indicates whether the group contains the LDAP object class posixGroup.

6.4. Group nesting with groups in groups

Nubus supports group nesting, also known as groups in groups. This simplifies the management of the groups. For example, if you manage two locations in one domain, you can create two groups IT staff location A and IT staff location B. You can assign user accounts of the respective location’s IT staff to either group.

To create a cross-location group, it’s sufficient to define the groups IT staff location A and IT staff location B as members. Nubus automatically detects cyclic dependencies of nested groups and refuses them.

Nubus resolves nested group memberships when it creates the group cache. Nested groups are therefore transparent for applications. For more information, see Local group cache.
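
The following added example (not Nubus code, and not a description of how Nubus implements its group cache) shows the two behaviors described in this section on an in-memory model: refusing a nested membership that would create a cycle, and flattening nested memberships into the effective user list that an access review should look at. The data layout, the function names, the cross-location group name `IT staff` and the user names are assumptions.

```python
class GroupCycleError(ValueError):
    """Raised when a nested membership would create a cyclic dependency."""


def nested_closure(groups, name):
    """Return every group reachable from `name` through nested membership."""
    seen, stack = set(), [name]
    while stack:
        for child in groups[stack.pop()]["groups"]:
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return seen


def add_nested_group(groups, parent, child):
    """Make `child` a member of `parent`, refusing cyclic dependencies."""
    if child == parent or parent in nested_closure(groups, child):
        raise GroupCycleError(f"{child!r} already contains {parent!r}")
    groups[parent]["groups"].add(child)


def resolve_users(groups, name):
    """Flatten nested memberships into the effective set of users."""
    users = set(groups[name]["users"])
    for child in nested_closure(groups, name):
        users |= groups[child]["users"]
    return users


def build_sample():
    """Constructed sample directory; all names are hypothetical."""
    groups = {
        "IT staff location A": {"users": {"alice", "bob"}, "groups": set()},
        "IT staff location B": {"users": {"carol"}, "groups": set()},
        "IT staff": {"users": set(), "groups": set()},
    }
    add_nested_group(groups, "IT staff", "IT staff location A")
    add_nested_group(groups, "IT staff", "IT staff location B")
    return groups


if __name__ == "__main__":
    sample = build_sample()
    print(sorted(resolve_users(sample, "IT staff")))
    try:
        add_nested_group(sample, "IT staff location A", "IT staff")
    except GroupCycleError as err:
        print("refused:", err)
```

Permissions granted to the outer group apply to every user in the flattened result, so a membership review has to resolve nesting rather than read only the direct members.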