github.com/pachyderm/pachyderm@v1.13.4/doc/docs/master/enterprise/auth/manage-users-groups.md

# Manage Users and Groups

If you have users or groups configured in a third-party
identity provider, you can give those users and groups
access to Pachyderm. The following table summarizes
which providers support user and group authentication:

| Provider        | Users | Groups |
| --------------- | ----- | ------ |
| GitHub          | ✔     | X      |
| Okta (SAML)     | ✔     | ✔      |
| Okta (OIDC)     | ✔     | ✔      |
| Keycloak (OIDC) | ✔     | ✔      |
| Keycloak (SAML) | ✔     | ✔      |
| Google (OIDC)   | ✔     | X      |
| Auth0 (OIDC)    | ✔     | X      |

## Configure User Access

You can manage user access in the UI and CLI.
For example, you are logged in to Pachyderm as the user `user1`
and have a repository called `test`. Because the user `user1` created
this repository, `user1` has full `OWNER`-level access to the repo.
You can confirm this in the dashboard by navigating to or clicking on
the repo. Alternatively, you can confirm your access by running the
`pachctl auth get ...` command:

!!! example

    ```shell
    pachctl auth get dwhitena test
    ```

    **System response:**

    ```shell
    OWNER
    ```

An `OWNER` of `test` or a cluster admin can then set other users'
level of access to the repo by using the `pachctl auth set ...`
command or through the dashboard.

For more information about the roles that you can assign,
see [Roles]().

To manage user access, complete the following steps:

* If you are using the dashboard:

  1. In the dashboard, click **Repo**.
  1. Select the repo to which you want to grant your users access.
  1. Click **Modify access controls**.
  1. Add the users to a desired list of `READERs`, `WRITERs`,
     or `OWNERs`.

     For example, to give the GitHub user `user2` `READER`, but not
     `WRITER` or `OWNER`, access to the `test` repository, add them
     to the `READER` list.

* If you are using `pachctl`:

  1. Grant a user access to a repo:

     ```shell
     pachctl auth set <username> (none|reader|writer|owner) <repo>
     ```

     **Example:**

     ```shell
     pachctl auth set user1 reader test
     ```

  1. Verify the ACL for the repo:

     ```shell
     pachctl auth get <repo>
     ```

     **Example:**

     ```shell
     pachctl auth get test
     ```

     **System Response:**

     ```shell
     github:svekars: OWNER
     github:user1: READER
     ```

## Configure Group Access

If you have a group of users configured in an identity provider,
you can grant access to a Pachyderm repository to all users
in that group.

!!! note
    This functionality is experimental and supported only
    through the command line. The changes will not be
    visible in the UI.

To configure group access for SAML providers, you need to set the `group_attribute` in
the `id_providers` field of your authentication config:

**Example:**

```shell
pachctl auth set-config <<EOF
{
  ...
  "id_providers": [
    {
      ...
      "saml": {
        "group_attribute": "memberOf"
      }
    }
  ]
}
EOF
```

To configure groups in OIDC providers, you need to add the `groups` scope to
`additional_scopes` in your authentication config:

**Example:**

```shell
pachctl auth set-config <<EOF
{
  ...
  "id_providers": [
    {
      ...
      "oidc": {
        "additional_scopes": ["groups"]
      }
    }
  ]
}
EOF
```

!!! note "See also"
    [Configure a SAML User](https://docs.pachyderm.com/latest/enterprise/saml/)
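
The ACL listing that `pachctl auth get <repo>` prints in the "Verify the ACL" step can be compared against a reviewed baseline to catch grants nobody approved. The script below is an added example, not part of the Pachyderm documentation or code base: `acl_drift`, `demo` and the baseline file are hypothetical names, the sample ACL lines are constructed, and roles are ranked `OWNER` > `WRITER` > `READER`.

```shell
#!/bin/sh
# Added example: flag repo ACL entries that exceed a reviewed baseline.
# Both inputs use the `pachctl auth get <repo>` line format: "<principal>: <ROLE>".

# acl_drift BASELINE_FILE   (current ACL on stdin)
# Prints UNEXPECTED for principals absent from the baseline and ESCALATED for
# principals whose role outranks the baseline; exits 1 if anything was printed.
# A missing or empty baseline makes every principal UNEXPECTED (fails closed).
acl_drift() {
  awk -v base="$1" '
    function rank(r) { return (r == "OWNER") ? 3 : (r == "WRITER") ? 2 : (r == "READER") ? 1 : 0 }
    # Split on the LAST colon so provider prefixes such as "github:" stay
    # part of the principal. Sets the globals who and role.
    function parse(line) {
      gsub(/^[ \t]+|[ \t\r]+$/, "", line)
      if (!match(line, /:[ \t]*[A-Za-z]+$/)) return 0
      who = substr(line, 1, RSTART - 1)
      role = toupper(substr(line, RSTART + 1))
      gsub(/[ \t]/, "", role)
      return who != ""
    }
    BEGIN {
      while ((getline l < base) > 0) if (parse(l)) want[who] = role
      close(base)
    }
    parse($0) {
      if (!(who in want)) { print "UNEXPECTED " who " " role; drift = 1 }
      else if (rank(role) > rank(want[who])) { print "ESCALATED " who " " want[who] "->" role; drift = 1 }
    }
    END { exit drift + 0 }
  '
}

# Demo on constructed data (not output from a real cluster).
demo() {
  b=$(mktemp)
  printf '%s\n' 'github:svekars: OWNER' 'github:user1: READER' > "$b"
  printf '%s\n' 'github:svekars: OWNER' 'github:user1: WRITER' 'github:user2: READER' |
    acl_drift "$b"
  rc=$?
  rm -f "$b"
  return "$rc"
}
demo || echo "drift found (exit $?)"
```

In use, pipe `pachctl auth get <repo>` into `acl_drift` with the baseline file for that repo and treat a non-zero exit as a finding to review.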