Add a Permission Group for an External Authentication Provider

This is the Add icon.

*This example will show how to configure a Permission Group that includes users from an external authentication provider. This group will be a Recorder Admin group. We will also grant these users all video abilities on all servers and cameras, plus access to the Library. We will use all of the available tabs during configuration.

The Permission Group screen lists all of the Permission Groups that have been added. For each of these Permission Groups, Orchid Fusion/Hybrid VMS displays a description of the Permission Group. If the Fusion/Hybrid configuration file has been modified to add an external authentication provider (such as Active Directory, Azure Active Directory, FreeIPA, or SAML), you may add Permission Groups that pull users from those providers.

*For details on modifying the Orchid Fusion VMS configuration file to add one of these external authentication providers, please refer to the following sections of the Orchid Fusion VMS Installation Guide:

• Active Directory
• Azure Active Directory
• FreeIPA
• SAML

*On Orchid Hybrid VMS systems, IPConfigure Support personnel will modify the configuration file to permit external authentication.

*If you want to use Google authentication, you don’t need to add a special Permission Group using the method described here. As long as you included Google email addresses when you added your Google users to the system, these users may be added to any Permission Group.

1. Click the Add Permission Group button in the top-right corner of the Permission Groups list. A New Permission Group screen will open.

The General Settings Tab

2. On the General Settings tab, enter a name and a description for the new Permission Group in the Group Name and Group Description fields.
3. Use the Members and Member Groups fields if you need to add local users and groups to this Permission Group.
4. Go to the External Group Mappings section.
5. Click in the Domain field and enter the name of the domain in which your external users exist. (This domain is defined in the fusion configuration file.)
6. Click in the Group field and enter the name of the group in which your external users exist. (This group exists in one of your external authentication provider systems, such as Active Directory or Ping.)
7. Click the Add icon to add this new external group. As soon as you add the new external group, another prompt will appear so you can enter another group (if needed).
   1. If you don’t have any additional external groups to add, simply click in the white space to the right of the Domain and Group fields.
   2. To remove an external group mapping, click the X to the right of the group name.
8. Click on the Admin Settings tab to continue configuring this group.

*Available members for a Permission Group for an external authentication provider include all of the users that are already defined in that external system. For more details, please refer to your authentication provider documentation.

*You may add external groups from Active Directory, Azure Active Directory, FreeIPA, and SAML to the same Permission Group, if desired.

The Admin Settings Tab

1. If this Permission Group is not going to have any Admin permissions, mark the None radio button and proceed to the Permissions tab.
2. If this Permission Group is going to have all of the permissions that an Administrator has (like adding and deleting Orchid Recorders, Users, and Permission Groups), mark the Administrator Group radio button. (If marked, no other settings will be required.)
3. If this Permission Group is going to have Recorder Administrator permissions, mark the Recorder Administrator Group radio button.
   1. If you want this group to be able to add and remove Orchid Recorders, mark the Can register new Recorders checkbox. (If this is not marked, system Administrators will continue to be the only users who can add and delete Recorders.)
   2. If you want this group to be able to perform administrative tasks on all current and future Recorders, mark the All current and future Recorders radio button. (Administrative tasks include things such as camera configuration, working with the Retention Policy, checking the Audit Logs, and activation/upgrades.)
   3. If you want this group to be able to perform administrative tasks only on selected Recorders, mark the Selection radio button.
      1. You may search for servers and cameras using the Search field.
      2. Mark the Select all checkbox if you want to select all of the servers listed.
      3. To grant administrator access to specific Recorders, mark the checkboxes next to those Recorders.
      4. If you don’t want to grant administrator access to any of the Recorders, do not make any specific selections.
4. Click on the Permissions tab to continue configuring this group.

The Permissions Tab

1. If this Permission Group is going to have access to specific cameras and video, use the Permissions Granted and Permissions Revoked features. (For more details on granting and revoking permissions, please refer to the Add a Permission Group with Individual Members topic.)
2. Click on the Other Permissions tab to continue configuring this group.

The Other Permissions Tab

1. If you want this group to have access to the Library, mark the Library Access checkbox. (Users in this group will be able to view and delete Library items. Users will also have the ability to create Library items for any camera to which they have export permissions.)
2. If you want this group to have access to some or all Apps, go to the Apps Access field.
   1. Click in the Apps field to select the Apps to which you are granting access.
   2. Select individual Apps by marking the box next to one or more App names.
   3. Select all available Apps by marking the All Apps checkbox.

Finalizing the Permission Group

1. After all of the permissions are set, press the Save Group button.

Here is a view of the new Permission Group once it has been saved.