Dynamic Roles (Auto-provisioning users)

Dynamic Roles are a means of provisioning standard users (users without workspaces) onto the platform without having to create an explicit account for each of them within Cloudbridge. A Dynamic Role uses a source script within the environment that returns the User Principal Names (UPNs) of users. The returned UPNs can be filtered to include only a subset if desired. The resulting UPNs are then automatically turned into active user logins on the platform.

This guide will help an organization understand and implement the Dynamic Roles capability in the Cloudbridge Platform.

Instructions

  1. Source Script
    First define a source script which will generate results containing Microsoft Single Sign-On UPNs (e.g. some.user@myorganization.com).
    The script can return:

    • One UPN per cell, with one or more such cells per row

    • Multiple UPNs in one cell, with one or more such cells per row


    The script can be located in a user Workspace or an Environment; an Environment is recommended for easier management.

    • Run the script once to generate results.

    • Adjust the default result view name(s) if desired.

  2. Dynamic Role Creation
    Dynamic Roles are added through the Manage Roles area.

    • Navigate to Global Settings / Team, then click the Manage Roles button in the upper right. The Manage Roles dialog will open.

    • On the Manage Roles dialog add a new Dynamic Role by clicking [Add New Dynamic] at the bottom left. A new row will appear - type in a name for the new role.

  3. Dynamic Role Configuration
    Once a name is given to the role, click the gear to the right of the name to access the Dynamic Role configuration panel.

    • Choose the type of Workspace where the source script in step 1 is located.

    • Start typing the partial name of the source script created in step 1; once it appears in the list, select it.

    • Choose the view which contains the UPNs to be included in this Dynamic Role.

    • Choose the column or columns from the view that contain the desired UPNs.

    • Add filters if desired to narrow down the qualifying rows.

    • Click the [Preview] button to see the UPNs that will be included. This is good practice when source cells contain multiple UPNs, to verify that the platform found and split them successfully.

    • If the preview looks correct, click OK.

    • Back on the Manage Roles panel, click OK. A notification indicates that it may take several minutes for the users to appear in the Team users list.

  4. Updating Dynamic Role users
    If the users in the Dynamic Role are to be refreshed periodically, simply schedule the source script accordingly. When new results are available from the source script, the users in the Dynamic Role are refreshed automatically.

  5. NOTES

    • Only standard users can be created via Dynamic Roles (i.e. users without Workspaces).

    • Users in Dynamic Roles can only log in using Microsoft Single Sign-On.

    • If a UPN already exists as a platform user (in any tenant in the platform), it will not be included in the Dynamic Role.

    • A UPN can belong to multiple Dynamic Roles. You will see this indicated in the Role column of the Teams view.

    • A UPN belonging to a Dynamic Role can be converted to a static Role by clicking on the link text in the Role column to show the Modify Role panel. On this panel you may assign the static role by picking it from the picklist.

    • When applying RBAC to solutions/scripts/results for users in Dynamic Roles, you can only RBAC to the role itself, not to individual users in the role.

There is one known bug: right-clicking a static user in the Teams list, choosing Edit Profile..., closing the dialog, and then doing the same for a user from a Dynamic Role shows a “Not found” error, with the profile editor of the previously edited static user in the background.

SAMPLE SCRIPT
Below is a simple script that generates UPNs for a Dynamic Role. The UserName column is irrelevant for Dynamic Roles, since only the UPNs are used; it is there to show that the results can carry other information as well. In practice, users would likely be pulled from some other system, database or directory; this script is just a sample.

# Collect one result row per user; only UserEmail (the UPN) is used by the Dynamic Role.
$Results = @()

$ResultRow = @{}
$ResultRow.UserName = 'John Doe'
$ResultRow.UserEmail = 'jd@acme.com'
$Results += $ResultRow

$ResultRow = @{}
$ResultRow.UserName = 'Jane Doe'
$ResultRow.UserEmail = 'mrsdoe@acme.com'
$Results += $ResultRow

$ResultRow = @{}
$ResultRow.UserName = 'Bobby Smith'
$ResultRow.UserEmail = 'roberts@anothercompany.com'
$Results += $ResultRow

# Emit the rows as the script's results.
$Results
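
Because every UPN the source script returns becomes an active login, the script itself is the place to enforce who may be provisioned. The following is an added example, not Cloudbridge's own code: a variant of the sample script that splits multi-UPN cells, rejects malformed values, drops duplicates and keeps only allow-listed domains. The allow-list, the delimiters, the UPN pattern and the sample rows are assumptions made for illustration.

```powershell
# Added example (not platform code). Assumed: allow-list, delimiters, pattern, sample rows.
$AllowedDomains = @('acme.com')   # hypothetical: domains permitted to be auto-provisioned
$UpnPattern = '^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$'

# Constructed sample input standing in for a directory or HR export.
$SourceRows = @(
    @{ UserName = 'John Doe';    UserEmail = 'jd@acme.com' },
    @{ UserName = 'Doe family';  UserEmail = 'mrsdoe@acme.com; JD@acme.com' },
    @{ UserName = 'Bobby Smith'; UserEmail = 'roberts@anothercompany.com' },
    @{ UserName = 'Broken row';  UserEmail = 'not-a-upn' }
)

$Seen     = New-Object 'System.Collections.Generic.HashSet[string]'
$Results  = @()
$Rejected = @()

foreach ($Row in $SourceRows) {
    # A cell may hold several UPNs; split on the assumed delimiters (; , whitespace).
    foreach ($Candidate in ($Row.UserEmail -split '[;,\s]+')) {
        if (-not $Candidate) { continue }

        # Normalise case so 'JD@acme.com' and 'jd@acme.com' count as one identity.
        $Upn    = $Candidate.Trim().ToLowerInvariant()
        $Domain = ($Upn -split '@')[-1]

        if ($Upn -notmatch $UpnPattern) {
            $Rejected += @{ Value = $Candidate; Reason = 'malformed' }
        } elseif ($AllowedDomains -notcontains $Domain) {
            $Rejected += @{ Value = $Candidate; Reason = 'domain not allow-listed' }
        } elseif ($Seen.Add($Upn)) {
            # First time this UPN is seen: emit exactly one UPN per cell.
            $ResultRow = @{}
            $ResultRow.UserName  = $Row.UserName
            $ResultRow.UserEmail = $Upn
            $Results += $ResultRow
        }
    }
}

# Surface skipped values on the warning stream so they can be reviewed.
$Rejected | ForEach-Object { Write-Warning "Skipped '$($_.Value)': $($_.Reason)" }

# Only validated, de-duplicated, allow-listed UPNs reach the Dynamic Role.
$Results
```

With the constructed rows above, the results contain jd@acme.com and mrsdoe@acme.com only; the [Preview] button in step 3 remains the final check of what the role will actually include.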