
Permissions on Containers – Example 2

In this example, an account has a gateway installed on it. The customer requires that a user be authenticated only against the domain used for the authentication provider (strict domain validation), and also requires separate views, so that different containers and their content are shown to different users.

The hierarchy looks like the following; a real configuration can be similar to this:

Account name – “Global Customer Account” and strict domain validation is enabled (Go to the Account —> Settings —> Edit —> Strict domain validation enable)
Gateway domain name – “gateway.acme.com”
Container 1 – “Dept 1 : France”, domain name – “france.dept1.acme.com”
Container 2 – “Dept 2 : Germany”, domain name – “germany.dept2.acme.com”

Each department can use its own authentication provider
Example
1. Name – “AuthProv 1”, domain name – “dept1.acme.com”, used by “Dept 1 : France”
2. Name – “AuthProv 2”, domain name – “dept2.acme.com”, used by “Dept 2 : Germany”

The goals to be achieved:
1. Users must be able to log in to the gateway
Example:
a. The user “test1@dept1.acme.com” should be able to see only the content of container “Dept 1 : France” with the Account as the root.
b. The user “test1@dept2.acme.com” should be able to see only the content of container “Dept 2 : Germany” with the Account as the root.
2. A user “test1@dept1.acme.com” must be able to log in to the container “Dept 1 : France” and see the content of the container with the Container as the root
3. A user “test1@dept2.acme.com” must be able to log in to the container “Dept 2 : Germany” and see the content of the container with the Container as the root

Follow these steps to achieve the goals above:

1. Log in to the SAFEQ Cloud web UI as an admin user

2. Go to Account (Global Customer Account) —> Authentication —> Add Authentication Provider
Create two new authentication providers, which will be used on the two containers
Example: AuthProv 1 —> dept1.acme.com & AuthProv 2 —> dept2.acme.com

Please note that a new role “ContainerAdmin” was created on the Account to grant the users appropriate permissions. Existing “Roles” can also be reused. Refer to Roles and Access Controls to learn more.

3. Go to Account —> Access Controls —> Add
Add access control for the authentication providers on the Account (Global Customer Account)

4. Go to the Container “Dept 1 : France” —> Access Controls —> Add
Add access control for the one authentication provider that is required (dept1.acme.com). Unwanted access controls can be deleted, but only after a new entry has been added.

5. Go to the Container “Dept 2 : Germany” —> Access Controls —> Add
Add access control for the one authentication provider that is required (dept2.acme.com)

All the settings are now in place. It’s time to see it in action.

Logging in using only the username “test1” and the password will fail, because strict domain validation is enabled.

1. Logging in to the Account (gateway.acme.com)

Try to log in with “test1@dept1.acme.com”. The user should be able to see only the contents under the “Dept 1 : France” container.

Similarly, if the user “test1@dept2.acme.com” logs in to the gateway, that user should be able to see only the contents under the container “Dept 2 : Germany”.

2. Logging in to the Containers

Try to log in to the container “Dept 1 : France” (france.dept1.acme.com) using test1@dept1.acme.com (only the content of the container will be shown)

3. Try to log in to the container “Dept 2 : Germany” (germany.dept2.acme.com) using test1@dept2.acme.com
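The expected outcomes above, written as a small model that can serve as a checklist when testing the separation, including the negative cases. This is an added example, not SAFEQ Cloud code: the evaluation logic is a simplified assumption built from this page's configuration, and the denial of a user on the other department's container is inferred from the access controls rather than stated on the page.

```python
# Simplified model of this page's configuration (assumption, not SAFEQ Cloud code).
ACCOUNT = "Global Customer Account"
CONTAINERS = ["Dept 1 : France", "Dept 2 : Germany"]

# Host name used for login -> node the session is rooted at
ENTRY_POINTS = {
    "gateway.acme.com": ACCOUNT,
    "france.dept1.acme.com": "Dept 1 : France",
    "germany.dept2.acme.com": "Dept 2 : Germany",
}
# Authentication provider domain -> provider name
PROVIDERS = {"dept1.acme.com": "AuthProv 1", "dept2.acme.com": "AuthProv 2"}
# Node -> providers that have an access control entry on it
ACCESS_CONTROLS = {
    ACCOUNT: {"AuthProv 1", "AuthProv 2"},
    "Dept 1 : France": {"AuthProv 1"},
    "Dept 2 : Germany": {"AuthProv 2"},
}


def evaluate_login(host, login):
    """Return (allowed, root, visible_containers) for one login attempt."""
    denied = (False, None, [])
    root = ENTRY_POINTS.get(host)
    if root is None:
        return denied
    user, sep, domain = login.rpartition("@")
    # Strict domain validation: a bare username such as "test1" is rejected.
    if not sep or not user:
        return denied
    provider = PROVIDERS.get(domain.lower())
    # The provider must exist and have an access control on the entry node.
    if provider is None or provider not in ACCESS_CONTROLS[root]:
        return denied
    if root == ACCOUNT:
        # Gateway login: Account is the root, only permitted containers show.
        visible = [c for c in CONTAINERS if provider in ACCESS_CONTROLS[c]]
    else:
        visible = [root]
    return (True, root, visible)


if __name__ == "__main__":
    for host in ENTRY_POINTS:
        for login in ("test1", "test1@dept1.acme.com", "test1@dept2.acme.com"):
            print(f"{host:24} {login:24} {evaluate_login(host, login)}")
```

Each printed row is one login to try against the real deployment; a row the model denies that the deployment allows points to a leftover access control entry.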
