b717810061
Closes #33199 Signed-off-by: Stefan Guilhen <sguilhen@redhat.com> Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
124 lines
6.3 KiB
Text
124 lines
6.3 KiB
Text
[id="managing-organization-members_{context}"]
|
|
|
|
[[_managing_members_]]
|
|
= Managing members
|
|
[role="_abstract"]
|
|
|
|
An organization member is basically a realm user but with a link to a single organization. They are logically separated
|
|
from other users in a realm so that you know exactly which users belong to an organization.
|
|
|
|
There are different ways to add, or onboard, a member to an organization:
|
|
|
|
* Adding an existing realm user as a member
|
|
* Through an identity provider associated with an organization
|
|
* Sending an invitation to create a new account
|
|
* Sending an invitation to an existing user to join an organization
|
|
|
|
Once a member of an organization, that user's account can be managed just like any regular account in a realm by accessing the *Users* section in the menu.
|
|
|
|
However, you can narrow the users to only those associated with an organization by accessing the *Members* tab when managing an organization. In this tab, you have a list of all the organization members and actions to add new members and to edit and remove existing ones.
|
|
|
|
.Managing organization members
|
|
image:images/organizations-manage-members.png[alt="Managing organization members"]
|
|
|
|
[[_managed_unmanaged_members_]]
|
|
== Managed and unmanaged members
|
|
|
|
When managing members, consider how their relationship with an organization affects the lifecycle of their accounts.
|
|
Members can join an organization through different flows and each flow indicates the strength of the link between their accounts and the organization.
|
|
|
|
There are two types of members:
|
|
|
|
* *Managed*
|
|
* *Unmanaged*
|
|
|
|
Managed members are those managed by the organization, and they cannot exist outside of their organization. For instance, consider
|
|
an account created through an identity provider associated with an organization. That account does not belong to a realm as it was federated from the organization.
|
|
In this case, the single-source of truth for the identity is the organization and its lifecycle is controlled
|
|
by the organization.
|
|
If you remove the organization or the member, the account is also removed from the realm.
|
|
|
|
On the other hand, unmanaged members are those that can exist without the organization. For instance, when adding an existing
|
|
realm user to an organization, the account belongs to the realm first and foremost and eventually linked to an organization. In this case,
|
|
removing an organization or a member will not remove the account from the realm; the realm is
|
|
the single-source of truth for the identity.
|
|
|
|
== Adding an existing realm user as a member
|
|
|
|
An existing realm user can join an organization by selecting that user from a list and adding the user to the organization.
|
|
|
|
.Procedure
|
|
|
|
. Click *Add member*.
|
|
. Click *Add realm user*.
|
|
. Select one or more users and click *Add* to add them to the organization.
|
|
|
|
.Adding a realm user
|
|
image:images/organizations-add-realm-user.png[alt="Adding a realm user"]
|
|
|
|
Once a user is a member of the organization, that user is able to authenticate to the realm just like a regular user and using
|
|
any credential supported by the realm.
|
|
|
|
== Inviting users
|
|
|
|
An administrator can email users to join an organization.
|
|
|
|
.Procedure
|
|
|
|
. Click *Add member*.
|
|
. Click *Invite member*.
|
|
. Provide an email address
|
|
. Click *Send*
|
|
|
|
.Inviting members
|
|
image:images/organizations-invite-member.png[alt="Inviting members"]
|
|
|
|
Optionally, you can also provide a value for the *First name* and *Last name* fields for a more personalized email
|
|
message using a greeting message with the first and last names of the person receiving the email.
|
|
|
|
An invitation is basically an email sent with a link that the person should click to perform the necessary steps to join
|
|
an organization. These steps depend on whether the person already has an account in the realm or if a new account should
|
|
be created before joining the organization.
|
|
|
|
If the email maps to an existing user in a realm, the steps the user will follow are basically about confirming the
|
|
intention to join the organization.
|
|
|
|
On the other hand, if no user is associated with the given email address, the steps
|
|
will involve creating a new account through the realm's self-registration flow. In this case, the user is forced
|
|
to provide the same email address used to send the invitation.
|
|
Make sure to enable the *User registration* setting in the *Login* tab at the *Realm settings* to use this type of invitation.
|
|
|
|
[[_onboard_member_identity_provider_]]
|
|
== Onboarding members using an Identity Provider
|
|
|
|
An organization might have its own identity provider as the single source of truth for their identities. In this case,
|
|
users federated from the identity provider are automatically added as a member of the organization.
|
|
|
|
When users join an organization through an identity provider associated with an organization, they are automatically marked
|
|
as managed members. In this case, they will go through the broker login flows configured in the realm and join the organization
|
|
automatically once they successfully authenticate.
|
|
|
|
Onboarding new members through an identity provider can be done by either automatically redirecting the user to an organization's
|
|
identity provider or by selecting the identity provider when at the login page.
|
|
|
|
In both cases, once the user provides the email, {project_name} will try to match an organization based on the email domain. In case
|
|
the email domain matches the organization, and an identity provider is associated with the same domain and the *Redirect when email domain matches*
|
|
setting is enabled, the user is automatically redirected to the identity provider. Once the user authenticates at the identity provider
|
|
and completes the first broker login flow, the user is automatically added as an organization member.
|
|
|
|
On the other hand, if *Redirect when email domain matches* is not enabled, but the identity provider is configured not to
|
|
*Hide on login page*, the user can select the identity provider and then be redirected to the identity provider to continue
|
|
the onboarding process.
|
|
|
|
For more details, see <<_managing_identity_provider_,Managing Identity Providers>>.
|
|
|
|
== Removing a member
|
|
|
|
You can remove a member from an organization.
|
|
|
|
From the action menu next to the member you want to remove, click *Remove*.
|
|
|
|
When removing a member from an organization, remember that the user may or may not be removed from a realm depending on if
|
|
that user is managed or unmanaged member, respectively.
|
|
|
|
For more details, see <<_managed_unmanaged_members_,Managed and unmanaged members>>.
|