Gatana Documentation

People & Teams

Organize people into teams to manage groups of users and their permissions

Introduction

There are three kinds of principal in Gatana for which permissions and privileges matter: users, service accounts and teams. A user represents a human who can sign in to the Gatana App. A service account is similar to a user but cannot sign in to the App and has no identity attached (e.g. a federated identity or a password). A team is a collection of users and service accounts who inherit the permissions of the team.

Service Accounts

Service accounts are free, and there is no limit to the number of service accounts an organization can have. They are useful when you need to connect automation or services to Gatana and either the OAuth login flow is not supported or you would like to limit the servers available. Apart from being unable to sign in to the Gatana App, they behave and function just like users.

Note that any organization owner is able to manage the personal access tokens of all service accounts.

Teams

A team is a collection of users or service accounts that can be granted server roles in the same way as a user. Each member of a team can have one of two roles:

  • Member: Has no administrative permissions on the team.
  • Maintainer: Can add and remove team members.

When a member performs an action using permissions granted through a team, the audit log records the member, not the team.

Team Claim Mappings

You can automatically add users to teams based on claims from your external identity provider. When a user authenticates, Gatana checks their claims against configured mappings and adds them to matching teams.

To configure claim mappings, go to the profile detail view and add mappings with a claim key and value.

Examples

Consider the following claims from your IdP:

{
  "department": "engineering",
  "groups": ["engineering", "platform-team"],
  "branch": {
    "office": "london"
  }
}

There are different ways of matching:

Claim Key      | Claim Value | Description
department     | engineering | Direct property match
groups         | engineering | Array claim - matches if "engineering" is in the array
branch.office  | london      | Nested property using dot notation
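
The three matching modes in the table, sketched as an added example (not Gatana's code) for checking which teams a given set of IdP claims would map to before saving a mapping. Exact, case-sensitive string comparison, the handling of missing paths, and the team names are assumptions.

```python
# Added illustration; not Gatana's implementation. Only direct match,
# array membership and dot notation come from the page; the rest is assumed.
from typing import Any

_MISSING = object()

def resolve_claim(claims: dict, key: str) -> Any:
    """Walk a dot-notation key (e.g. 'branch.office') through nested claims."""
    node: Any = claims
    for part in key.split("."):
        if not isinstance(node, dict) or part not in node:
            return _MISSING
        node = node[part]
    return node

def claim_matches(claims: dict, key: str, expected: str) -> bool:
    """True if the claim at `key` equals `expected` or is an array containing it."""
    value = resolve_claim(claims, key)
    if isinstance(value, list):
        # Array claim: exact membership, so "platform" does not match "platform-team".
        return any(isinstance(v, str) and v == expected for v in value)
    # Scalar claim: exact string equality; objects and missing paths never match.
    return isinstance(value, str) and value == expected

def teams_for(claims: dict, mappings: list[tuple[str, str, str]]) -> set[str]:
    """Return the teams whose (claim key, claim value) mapping matches the claims."""
    return {team for key, expected, team in mappings if claim_matches(claims, key, expected)}

# Constructed sample data: the claims shown on this page, with hypothetical team names.
CLAIMS = {
    "department": "engineering",
    "groups": ["engineering", "platform-team"],
    "branch": {"office": "london"},
}
MAPPINGS = [
    ("department", "engineering", "eng"),
    ("groups", "platform-team", "platform"),
    ("branch.office", "london", "london-office"),
    ("groups", "platform", "substring-must-not-match"),
    ("branch", "london", "parent-object-must-not-match"),
    ("branch.office.floor", "3", "missing-path-must-not-match"),
]
```

Running `teams_for(CLAIMS, MAPPINGS)` on a captured token's claims shows whether a mapping grants team membership more broadly than intended.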
