Manage administrator groups

You can add administrators to your Citrix Cloud account using groups in your Active Directory or Azure Active Directory (AD). You can then manage service access permissions for all administrators in the group.

AD prerequisites

Citrix Cloud supports AD group authentication through SAML 2.0. Before adding members of your AD administrator groups to Citrix Cloud, you need to configure a connection between Citrix Cloud and your SAML provider. For more information, see Connect SAML as an identity provider to Citrix Cloud.

If you already have a SAML connection in Citrix Cloud, you must reconnect your SAML provider to Citrix Cloud before adding AD administrator groups. If you don’t reconnect SAML, adding AD administrator groups might fail. For more information, see Using an existing SAML connection for administrator authentication.

Azure AD prerequisites

Using Azure AD group authentication requires the latest version of the Azure AD application for connecting your Azure AD to Citrix Cloud. Citrix Cloud acquired this application when you connected your Azure AD for the first time. If you connected your Azure AD to Citrix Cloud before May 2019, Citrix Cloud might not be using the most current application to connect with Azure AD. Citrix Cloud can’t display your Azure AD groups if your account isn’t using the most current application.

Before using Azure AD groups in Citrix Cloud, perform the following tasks:

  1. Verify that you’re using the latest application for your Azure AD connection. Citrix Cloud displays a notification if you’re not using the most current application.
  2. If the application must be updated, reconnect your Azure AD to Citrix Cloud. By reconnecting to your Azure AD, you grant application-level read-only permissions to Citrix Cloud and allow Citrix Cloud to reconnect to your Azure AD on your behalf. During reconnection, a list of these permissions is displayed for your review. For more information about the permissions Citrix Cloud requests, see Azure Active Directory Permissions for Citrix Cloud.

    Important:

    To complete this task, you must be a Global Admin in Azure AD. Also, you must be signed in to Citrix Cloud using a Full Access administrator account under the Citrix identity provider. If you sign in with your Azure AD credentials, the reconnection fails. If you don’t have any administrators using the Citrix identity provider, you can add one temporarily to perform this task and then delete it afterward.

To verify your connection to Azure AD

  1. Sign in to Citrix Cloud using a Full Access administrator account under the Citrix identity provider.
  2. From the Citrix Cloud menu, select Identity and Access Management and then select Authentication.
  3. Locate Azure Active Directory. A notification appears if Citrix Cloud must update the application for your Azure AD connection.

    Reconnect to Azure AD prompt in Citrix Cloud console

    If Citrix Cloud is already using the most current application, no notification appears.

To reconnect to Azure AD

  1. From the Azure AD notification in the Citrix Cloud console, click the reconnect link. A list of the requested Azure permissions appears.
  2. Review the permissions and then select Accept.

Supported services and permissions

The following services support custom access permissions for administrator groups:

  • Citrix Application Delivery Management service
  • Citrix DaaS
  • Workspace Environment Management service

You can assign custom access permissions for supported services only. Full access permissions are not supported.

Administrator groups don’t have access to any other service. They can only manage the supported services that they have permission to access.

Permission changes for an administrator group member who’s already signed in will take effect only after they sign out and sign in again.

Resultant permissions for administrators with Citrix, AD, and Azure AD identities

When an administrator signs in to Citrix Cloud, only certain permissions might be available if the administrator has both a Citrix identity (the default identity provider in Citrix Cloud) and a single-user or group-based identity through AD or Azure AD. The table in this section describes the permissions that are available for each combination of these identities.

Single-user AD or Azure AD identity refers to AD or Azure AD permissions that are granted to the administrator through an individual account. Group-based AD or Azure AD identity refers to AD or Azure AD permissions that are granted as a member of an Azure AD group.

Citrix identity | Single-user AD or Azure AD identity | Group-based AD or Azure AD identity | Permissions available after authentication
X | X |   | Administrator has cumulative permissions of both identities after successful authentication with either the Citrix identity or Azure AD identity.
X |   | X | Each identity is treated as an independent entity. Available permissions depend on whether the administrator authenticates using the Citrix identity or the Azure AD identity.
  | X | X | Administrator has cumulative permissions of both identities when authenticating to Citrix Cloud with Azure AD.
X | X | X | When authenticating with their Citrix identity, the administrator has cumulative permissions of both the Citrix identity and the single-user Azure AD identity. When authenticating with Azure AD, the administrator has cumulative permissions of all three identities.

Sign-in experience for administrators

After you add an AD or Azure AD group to Citrix Cloud and define the service permissions, administrators in the group simply sign in by selecting Sign in with my company credentials on the Citrix Cloud sign-in page and entering their sign-in URL for the account (for example, https://citrix.cloud.com/go/mycompany). Unlike adding individual administrators, administrators in the group aren’t explicitly invited, so they won’t receive any emails to accept an invitation to be Citrix Cloud administrators.

After signing in, administrators select Manage from the service tile to access the service’s management console.

Launchpad with Citrix DaaS tile

Administrators who are granted permissions only as members of groups can access the Citrix Cloud account using the sign-in URL for the Citrix Cloud account.

Administrators who are granted permissions through an individual account and as a member of a group can choose the Citrix Cloud account they want to access. If the administrator is a member of multiple Citrix Cloud accounts, they can select a Citrix Cloud account from the customer picker after authenticating successfully.

Limitations

Access to platform and service features

Citrix Cloud platform features as described in Console permissions are not available to members of administrator groups.

Also, Citrix DaaS features that rely on Citrix Cloud platform capabilities such as Quick Deploy user assignment are not available.

Impact of multiple groups on application performance

Citrix recommends that a single administrator belong to no more than 20 groups that have been added to Citrix Cloud. Membership in a larger number of groups might result in reduced application performance.

Impact of multiple groups on authentication

If a group-based administrator is assigned to multiple groups in AD or Azure AD, authentication might fail because the number of groups is too large. This issue occurs due to a limitation in Citrix Cloud’s integration with AD and Azure AD. When the administrator attempts to sign in, Citrix Cloud attempts to compress the list of groups that are retrieved. If Citrix Cloud can’t apply the compression successfully, not all groups can be retrieved and the authentication fails.

This issue might also affect users who authenticate to Citrix Workspace through AD or Azure AD. If a user belongs to multiple groups, authentication might fail because the number of groups is too large.

To resolve this issue, review the administrator or user account and verify that they belong only to the groups that are required for their role in the organization.
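The review suggested above can be scripted for on-premises AD. The following PowerShell is an added example and is not part of the Citrix documentation: it assumes the RSAT ActiveDirectory module is installed and the caller can read group membership, and the function, parameter and sample account names (jdoe, asmith) are hypothetical. It counts every group that would end up in the user’s token (nested membership resolved with the LDAP_MATCHING_RULE_IN_CHAIN rule), so it over-counts relative to the page’s guidance of 20 groups added to Citrix Cloud and serves as a conservative flag for accounts worth reviewing.

```powershell
# Added example, not from the Citrix documentation. Assumes the RSAT ActiveDirectory
# module and read access to the domain. Function and parameter names are hypothetical;
# the default threshold is the page's guidance of 20 groups.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # Escape the characters that have meaning inside an LDAP filter (RFC 4515),
    # so a distinguished name containing '(' or '*' cannot break the query.
    param([Parameter(Mandatory)][string]$Value)
    return $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Get-AdminGroupLoad {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$SamAccountName,
        [int]$WarnThreshold = 20
    )
    foreach ($sam in $SamAccountName) {
        try {
            $user = Get-ADUser -Identity $sam -ErrorAction Stop
            # LDAP_MATCHING_RULE_IN_CHAIN walks nested membership, which is what the
            # user's token carries. The primary group (usually Domain Users) is not held
            # in the member attribute, so one is added for it.
            $dn = ConvertTo-LdapFilterValue $user.DistinguishedName
            $groups = @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" -ErrorAction Stop)
            $effective = $groups.Count + 1
            [pscustomobject]@{
                User            = $sam
                EffectiveGroups = $effective
                OverThreshold   = $effective -gt $WarnThreshold
                Groups          = ($groups.Name | Sort-Object) -join '; '
            }
        } catch {
            # Unknown account or insufficient rights: report and keep going.
            Write-Warning "Could not read group membership for ${sam}: $($_.Exception.Message)"
        }
    }
}

# Usage: list only the accounts over the threshold, with their groups, for review.
Get-AdminGroupLoad -SamAccountName 'jdoe', 'asmith' | Where-Object OverThreshold | Format-List
```

Run it for the administrators (or Workspace users) who report sign-in failures; the Groups column is the list to trim to what the role actually requires.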

Adding groups fails due to too many assigned role/scope pairs

When adding a group with multiple role/scope pairs, an error might occur that indicates the group can’t be created. This error occurs because the number of role/scope pairs that are assigned to the group is too large. To resolve this error, divide the role/scope pairs among two or more groups and assign the administrators to those groups.

Add an administrator group to Citrix Cloud

  1. From the Citrix Cloud menu, select Identity and Access Management and then select Administrators.
  2. Select Add administrator/group.
  3. In Administrator details, select your Azure AD and sign in to Azure, if needed. Select Next.
  4. If using AD, select the domain you want to use.
  5. Search for the group you want to add and select the group.
  6. In Set access, select the roles you want to assign to the group. You must select at least one role.
  7. When you’re finished, select Save.

Modify service permissions for an administrator group

  1. From the Citrix Cloud menu, select Identity and Access Management and then select Administrators.
  2. Locate the administrator group you want to manage and, from the ellipsis menu, select Edit Access.

    Group with Edit Access menu selected

  3. Select or clear the check marks next to one or more role and scope pairs as needed.
  4. When you’re finished, select Save.

Delete an administrator group

  1. From the Citrix Cloud menu, select Identity and Access Management and then select Administrators.
  2. Locate the administrator group you want to manage and, from the ellipsis menu, select Delete Group.

    Ellipsis menu with Delete Group selected

    A confirmation message appears.

    Delete Group confirmation message

  3. Choose I understand deleting this group will prevent administrators in the group from accessing Citrix Cloud. to confirm you’re aware of the effects of deleting the group.
  4. Select Delete.

Switch between multiple Citrix Cloud accounts

Note:

This section describes a scenario that affects members of Azure AD administrator groups only.

By default, members of Azure AD administrator groups can’t switch between other Citrix Cloud accounts that they can access. For these administrators, the Change Customer option, shown in the image below, doesn’t appear in the Citrix Cloud user menu.

User menu with Change Customer button highlighted

To enable this menu option and allow Azure AD group members to switch between other Citrix Cloud accounts, you must link the accounts that you want to change between.

Linking Citrix Cloud accounts involves a hub-and-spoke approach. Before linking accounts, decide which Citrix Cloud account will act as the account from which the other accounts are accessed (the “hub”) and which accounts you want to have listed in the customer picker (the “spokes”).

Before linking accounts, ensure you meet the following requirements:

  • You have full access permissions in Citrix Cloud.
  • You have access to the Windows PowerShell Integrated Scripting Environment (ISE).
  • You have the customer IDs for the Citrix Cloud accounts you want to link. The customer ID appears in the top-right corner of the management console for each account.

    Citrix Cloud console with Customer ID highlighted

  • You have the Citrix CWSAuth bearer token for the Citrix Cloud account you want to link as the hub account. To retrieve this bearer token, follow the instructions in CTX330675. You need to supply this information when linking your Citrix Cloud accounts.

To link Citrix Cloud accounts

  1. Open the PowerShell ISE and paste the following script into the working pane:

    # Request headers. Replace XXXXXXX with the CWSAuth bearer token of the hub account (see CTX330675).
    $headers = @{}
    $headers.Add("Accept","application/json")
    $headers.Add("Content-Type","application/json")
    $headers.Add("Authorization","CWSAuth bearer=XXXXXXX")
    
    # Replace HubCustomerID with the customer ID of the hub account.
    $uri = "https://trust.citrixworkspacesapi.net/HubCustomerID/links"
    
    # Read the spokes already linked to the hub, then append the new spoke.
    # @() keeps the result an array even when the hub has zero or one existing link.
    # Replace SpokeCustomerID with the customer ID of the spoke account.
    $resp = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
    $allLinks = @($resp.linkedCustomers) + @("SpokeCustomerID")
    
    # Post the complete list (existing links plus the new spoke) back to the hub.
    $body = @{"customers"=$allLinks}
    $bodyjson = $body | ConvertTo-Json
    
    $resp = Invoke-WebRequest -Method Post -Uri $uri -Headers $headers -Body $bodyjson -ContentType 'application/json'
    # RawContent includes the HTTP status line, the response headers and the body.
    Write-Host "Citrix Cloud Status Code: $($resp.RawContent)"
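The same linking operation, written as a reusable function, is shown below as an added example; it is not the script from the Citrix documentation. It uses the endpoint and the linkedCustomers response field exactly as the documented script does, but reads the bearer token from an environment variable (CWSAUTH_TOKEN, an assumed name) instead of pasting it into the script, skips spokes that are already linked so re-running it does not create duplicate entries, and refuses to link the hub to itself. The function and parameter names are hypothetical.

```powershell
# Added example, not from the Citrix documentation. Same endpoint and response field as
# the documented script; function/parameter names and the CWSAUTH_TOKEN variable are assumptions.
function Add-CitrixCloudSpoke {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$HubCustomerId,
        [Parameter(Mandatory)][string[]]$SpokeCustomerId
    )

    # Keep the bearer token out of the script file and out of the ISE history.
    $token = $env:CWSAUTH_TOKEN
    if ([string]::IsNullOrWhiteSpace($token)) {
        throw 'Set CWSAUTH_TOKEN to the CWSAuth bearer token of the hub account (see CTX330675).'
    }

    $headers = @{
        'Accept'        = 'application/json'
        'Authorization' = "CWSAuth bearer=$token"
    }
    $uri = "https://trust.citrixworkspacesapi.net/$HubCustomerId/links"

    # Read the current spoke list so existing links are preserved, not replaced.
    # @() guards against a null or single-string linkedCustomers value.
    $current = @((Invoke-RestMethod -Method Get -Uri $uri -Headers $headers -ErrorAction Stop).linkedCustomers)

    # Only add spokes that are not already linked; the hub cannot be its own spoke.
    $new = @($SpokeCustomerId | Where-Object { $_ -ne $HubCustomerId -and $_ -notin $current })
    if ($new.Count -eq 0) {
        Write-Verbose 'Nothing to do: every requested spoke is already linked.'
        return $current
    }

    $allLinks = @($current + $new)
    $bodyJson = @{ customers = $allLinks } | ConvertTo-Json
    $resp = Invoke-WebRequest -Method Post -Uri $uri -Headers $headers -Body $bodyJson `
        -ContentType 'application/json' -ErrorAction Stop
    Write-Host "Citrix Cloud status code: $($resp.StatusCode)"
    return $allLinks
}

# Usage (placeholder IDs; set the token in the session first):
# $env:CWSAUTH_TOKEN = '<bearer token from CTX330675>'
# Add-CitrixCloudSpoke -HubCustomerId 'HubCustomerID' -SpokeCustomerId 'SpokeCustomerID' -Verbose
```

Because the function returns the final link list, you can capture it and compare it with a later GET to confirm the change took effect, and clear the token with Remove-Item Env:CWSAUTH_TOKEN when you are done.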