DX Unified Infrastructure Management

  • 1.  Restricting USM group access

    Posted Apr 06, 2020 02:20 PM
    I am trying to modify the USM group tree view/group access for several sets of users. I have an ACL created and linked to an account, and that account is the owner of the USM group, but instead of the users seeing just their groups when they log in, they are still seeing the entire tree of groups and can view those group contents.
    Is there something I am missing here?


  • 2.  RE: Restricting USM group access
    Best Answer

    Posted Apr 06, 2020 02:45 PM
    Do these users also have accounts in IM or Admin Console's Managed Users? If so, then they will have access to everything.

    If not, then in the UMP's > USM portlet at the Root level, did you create a "Container" first for this Account and specify the "Account" = account_name?
    In the AccountAdmin portlet for that specific account, did you specify just the Ownership to the specific Origin?


    ------------------------------
    Daniel Blanco
    Enterprise Tools Team Architect
    DBlanco@alphaserveit.com
    ------------------------------



  • 3.  RE: Restricting USM group access

    Posted Apr 06, 2020 04:49 PM
    Daniel:
    The users are not in IM, they are in an AD group for users. I created the ACL and Account in UMP, and the USM group was created at root level under groups, and the users are a member of the account in the Liferay control panel settings for groups.
    When the user signs in they see all groups and not just the one they are a member of - which I was attempting to limit to.


  • 4.  RE: Restricting USM group access

    Broadcom Employee
    Posted Apr 06, 2020 05:33 PM
    Dane -

    Access to UMP USM groups is not controlled by Liferay groups. Daniel Blanco correctly answered your question. You need to define an account from the UMP AccountAdmin portlet where you assign specific origins to the account and add users to the account. When you create/edit groups in the UMP USM portlet, you can specify the Account that has access to the group. By default, the account option of a group is given a value of No Account.

    [Screenshot: UMP USM create group dialogue]

    Users that are members of defined Accounts will only be able to access groups that are configured with the same Account that the user is a member of.

    [Screenshot: Account creation from AccountAdmin portlet]

    [Screenshot: User added to Account in AccountAdmin portlet]

    In this example, the Test Account 1 account was created with 1 user.  All groups in the UMP USM portal have the Account option set to No Account.  When the acct1user1 user logs in, they see no groups as follows:

    [Screenshot: No groups for account contact]

    Define a group with the Account option set to Test Account 1 and when the acct1user1 user logs in they now see their group:

    [Screenshot: account option in group set to user's account]

    If your LDAP users were not assigned to a UIM account, then they will be able to see all groups defined in the UMP USM portlet.

    ------------------------------
    Kathy Maguire
    Technical Support Engineer 4
    Broadcom
    ------------------------------



  • 5.  RE: Restricting USM group access

    Posted Apr 06, 2020 05:48 PM
    How do you assign LDAP users to an account if not through the Liferay settings? When I go to the Account created in AccountAdmin, users, it shows no users and the only option I have is to create a user. This user is linked through an LDAP group and the create user is a local user.


  • 6.  RE: Restricting USM group access

    Posted Apr 07, 2020 04:54 AM
    Perhaps this document can help: https://community.broadcom.com/enterprisesoftware/communities/community-home/librarydocuments/viewdocument?DocumentKey=48385cf7-021f-4982-b380-e8b588fc5e3a


  • 7.  RE: Restricting USM group access

    Broadcom Employee
    Posted Apr 07, 2020 08:31 AM
    On the ACL LDAP page there is a place to link the ACL used for your LDAP Group (should be unique and a copy of one of the originals) to a User UMP Account.


  • 8.  RE: Restricting USM group access

    Broadcom Employee
    Posted Apr 07, 2020 08:35 AM
    Found screen shot for a client's docs: