Multi-Tenancy in HP Matrix Operating Environment Infrastructure Orchestration
Figure 15: The login page for the blue sky cloud Self Service Portal.
Integration with Active Directory
IO works with one or more Active Directories, allowing Windows User Groups, as well as individual Users, to be
given access to resources. Nested AD Groups to a depth of 1 are supported [6]; see Figure 16 below.
When IO is installed, three local User Groups (HPIO_Administrators, HPIO_Architects and HPIO_Users) are created.
The Windows CMS administrator populates the Service Provider roles by adding local Windows Users, Active
Directory Users or Groups to these Groups. Any updates are immediately reflected in the Console Organization tab.
When an organization is created, two local Windows Groups, with descriptions indicating the organization’s name,
are created. They have names of the form
<organization_id>_Administrators and
<organization_id>_Users
For example, here are the two IO generated Windows groups for the organization with ID org379329493:
If the organization is renamed, the descriptions are updated on refreshing the User Group. These Groups may be
populated with local Windows Users, Active Directory Users or Groups. Note that if the CMS is HA-enabled, then
only Active Directory users and groups should be used.
Figure 16: One level nested AD Groups are supported.
[Diagram not reproduced. Columns: Active Directory, CMS. Levels: Level 0, Level 1. Groups shown: Orange_Dev, Orange_Dev_West, Orange_Dev_East, IT_Contractors, IT_Outsource, Org137934_Administrators, Org137934_Users. Key: Windows Group, Contains; Can login into IO, Cannot login into IO.]
Users may belong to more than one IO Windows Group and hence belong to multiple IO Organizations. Such users
can be simultaneously logged in to one or more of the Portals belonging to different organizations. If a user is
removed from an organization, the removal only takes effect after the user has logged out of the organization portal.
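The depth limit and the multi-organization membership described above can be audited together. The following Python is an added example, not HP's code: it assumes that a group named directly in an IO Windows group is level 0 and a group nested inside it is level 1, and it runs over constructed sample data rather than the groups in Figure 16.

```python
import re

# Constructed sample data (not from Figure 16): group name -> direct members.
# A member that is itself a key of this dict is a group; anything else is a user.
DIRECTORY = {
    "org100_Administrators": ["carol"],
    "org100_Users": ["alice", "Dev"],
    "org200_Users": ["alice", "Contractors"],
    "Dev": ["bob", "Dev_West"],                 # level 0: named directly in an IO group
    "Dev_West": ["dave", "Dev_West_Interns"],   # level 1: nested once
    "Dev_West_Interns": ["erin"],               # level 2: deeper than the page supports
    "Contractors": ["frank"],
}
MAX_LEVEL = 1  # "Nested AD Groups to a depth of 1 are supported"
IO_GROUP = re.compile(r"^(?P<org>.+)_(Administrators|Users)$")

def resolve(io_group, directory=DIRECTORY):
    """Return (users able to log in, {user: group} for users nested too deeply)."""
    allowed, too_deep = set(), {}
    def walk(group, level, seen):
        for member in directory.get(group, []):
            if member in directory:                 # nested group
                if member not in seen:              # guard against membership cycles
                    walk(member, level + 1, seen | {member})
            elif level <= MAX_LEVEL:
                allowed.add(member)
            else:
                too_deep.setdefault(member, group)
    walk(io_group, -1, {io_group})   # direct members of the IO group sit above level 0
    return allowed, {u: g for u, g in too_deep.items() if u not in allowed}

def audit(directory=DIRECTORY):
    """Map each user to the organizations they can log in to, plus too-deep users."""
    orgs_by_user, skipped = {}, {}
    for group in directory:
        m = IO_GROUP.match(group)
        if not m or m["org"] == "HPIO":   # HPIO_* hold Service Provider roles
            continue
        allowed, too_deep = resolve(group, directory)
        for user in allowed:
            orgs_by_user.setdefault(user, set()).add(m["org"])
        skipped.update(too_deep)
    return orgs_by_user, skipped

if __name__ == "__main__":
    orgs, skipped = audit()
    for user, memberships in sorted(orgs.items()):
        print(user, sorted(memberships), "<-- spans organizations" if len(memberships) > 1 else "")
    print("nested too deeply to log in:", skipped)
```

Users reported as nested too deeply hold a group membership that looks like it grants access but does not, which is worth reconciling with whoever manages the AD groups.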
[6] Note that only directly named users and groups included in the HPIO Windows groups can be viewed. Users or subgroups within
these named groups are not visible, nor can they be directly assigned to resources.