The Permission Group screen lists all of the Permission Groups that have been added. For each of these Permission Groups, Orchid Hybrid/Fusion VMS displays a description of the Permission Group. If the Hybrid/Fusion configuration file has been modified to add an external authentication provider (such as Active Directory, Microsoft Entra ID/Azure A-D, FreeIPA, or SAML), you may add Permission Groups that pull users from those providers.
- Click the Add Permission Group button in the top-right corner of the Permission Groups list. A New Permission Group screen will open.
The General Settings Tab
- On the General Settings tab, enter a name and a description for the new Permission Group in the Group Name and Group Description fields.
- Use the Members and Member Groups fields if you need to add local users and groups to this Permission Group.
- For this group, we are going to pull members from our external authentication provider, so click on the External Group Mappings tab to continue configuring this group.
The External Group Mappings Tab
In version 24.6.1, Orchid Hybrid/Fusion VMS provides a new method for creating Permission Groups for SAML-based identity providers. In addition to the Domain Group Mappings (the original method), Hybrid/Fusion now provides Attribute Group Mappings.
Domain Group Mappings
You may use the Domain Group Mappings to configure Permission Groups with users from Active Directory, Microsoft Entra ID/Azure A-D, or FreeIPA. To add a Domain Group Mapping (pictured above), you will proceed as follows:
- Start by clicking on the Create a Domain Mapping button.
- Click in the Domain field and enter the name of the domain in which your external users exist. (This domain is defined in the fusion configuration file.)
- Click in the Group field and enter the name of the group in which your external users exist. (This group exists in one of your external authentication provider systems, such as Active Directory.)
- Click the Add a Domain Mapping button if you need to add another domain group.
- To remove a domain group mapping, click the Delete trash can icon to the right of the group name.
- If you want to add an Attribute Group Mapping, proceed to the next section. If you are finished selecting external users, click on the Admin Settings tab to continue configuring this group.
Attribute Group Mappings
You may use the Attribute Group Mappings to configure Permission Groups with users from an external system via SAML. If the system has been properly configured to support an external SAML group, that external group will appear in the Attribute Group Mappings section. In the example pictured below, this group is Google/SAML. Now you have the ability to add users based on one or more attributes that have been assigned to them in the external system.
For Attribute Group Mappings, you will proceed as follows:
- Start by clicking on the Create an Attribute Set button (pictured above).
- Now, use the drop-down list to select the attribute that will help identify your target users.
- Then enter the attribute value that is associated with your target users. (All of the users that match the attribute and value will be added as members of this Permission Group.)
- Click the Add Another Attribute button if you want to select another attribute. (If your Attribute Set contains multiple attributes, a user must match all of those attributes in order to be added to the Permission Group.)
- To remove an attribute, click the X icon to the right of the value field.
- Click the Add an Attribute Set button if you need to incorporate users that have an entirely different group of attributes. (If you are using multiple Attribute Sets, a user must match at least one of those sets in order to be added to the Permission Group.)
- To remove an entire set, click the Delete trash can icon to the right of the set name (Attribute Set 1, Attribute Set 2, etc.).
- Click on the Admin Settings tab to continue configuring this group.
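The matching rule from the steps above (every attribute within a set must match, and any one set is enough) is modelled below as an added example; it is not Orchid code. The attribute names, values and users are constructed, and exact, case-sensitive comparison against multi-valued SAML attributes is an assumption rather than documented product behavior.

```python
# Added example: models the Attribute Set matching rule; not Orchid code.
from typing import Dict, List, Optional

# SAML attributes may carry several values, so each user maps name -> list of values.
UserAttrs = Dict[str, List[str]]
AttributeSet = Dict[str, str]  # attribute name -> required value


def matching_set(user: UserAttrs, attribute_sets: List[AttributeSet]) -> Optional[int]:
    """Return the 1-based number of the first Attribute Set the user satisfies, else None.

    Within a set every attribute must match (AND); across sets one match is enough (OR).
    Assumption: exact, case-sensitive comparison against any value of the attribute.
    """
    for number, attr_set in enumerate(attribute_sets, start=1):
        if not attr_set:
            continue  # an empty set must never admit every user
        if all(required in user.get(name, []) for name, required in attr_set.items()):
            return number
    return None


def group_members(users: Dict[str, UserAttrs],
                  attribute_sets: List[AttributeSet]) -> Dict[str, int]:
    """Map each user who would join the Permission Group to the set that admitted them."""
    members = {}
    for username, attrs in users.items():
        hit = matching_set(attrs, attribute_sets)
        if hit is not None:
            members[username] = hit
    return members


# Constructed sample data (hypothetical attribute names and values).
ATTRIBUTE_SETS = [
    {"department": "Security", "title": "Operator"},  # Attribute Set 1
    {"department": "Facilities"},                      # Attribute Set 2
]
USERS = {
    "alice": {"department": ["Security"], "title": ["Operator"]},
    "bob": {"department": ["Security"], "title": ["Analyst"]},   # fails title in Set 1
    "carol": {"department": ["Facilities", "Security"]},         # admitted by Set 2 only
    "dave": {"department": ["security"], "title": ["Operator"]}, # case differs
}

if __name__ == "__main__":
    for name, set_number in group_members(USERS, ATTRIBUTE_SETS).items():
        print(f"{name}: admitted by Attribute Set {set_number}")
```

Running a planned mapping against an export of your identity provider's user attributes in this way shows who a broad single-attribute set would admit before the group is given Administrator or Recorder Administrator rights.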
The Admin Settings Tab
- If this Permission Group is not going to have any Admin permissions, mark the None radio button and proceed to the Permissions tab.
- If this Permission Group is going to have all of the permissions that an Administrator has (like adding and deleting Orchid Recorders, Users, and Permission Groups), mark the Administrator Group radio button. (If marked, no other settings will be required.)
- If this Permission Group is going to have Recorder Administrator permissions, mark the Recorder Administrator Group radio button.
- If you want this group to be able to add and remove Orchid Recorders, mark the Can register new Recorders checkbox. (If this is not marked, system Administrators will continue to be the only users who can add and delete Recorders.)
- If you want this group to be able to perform administrative tasks on all current and future Recorders, mark the All current and future Recorders radio button. (Administrative tasks include things such as camera configuration, working with the Retention Policy, checking the Audit Logs, and activation/upgrades.)
- If you want this group to be able to perform administrative tasks only on selected Recorders, mark the Selection radio button.
- You may search for servers and cameras using the Search field.
- Mark the Select all checkbox if you want to select all of the servers listed.
- To grant administrator access to specific Recorders, mark the checkboxes next to those Recorders.
- If you don’t want to grant administrator access to any of the Recorders, do not make any specific selections.
- Click on the Permissions tab to continue configuring this group.
The Permissions Tab
- If this Permission Group is going to have access to specific cameras and video, use the Permissions Granted and Permissions Revoked features. (For more details on granting and revoking permissions, please refer to the Add a Permission Group with Individual Members topic.)
- Click on the Other Permissions tab to continue configuring this group.
The Other Permissions Tab
- If you want this group to have access to the Library, mark the Library Access checkbox. (Users in this group will be able to view and delete Library items. Users will also have the ability to create Library items for any camera to which they have export permissions.)
- If you want this group to have access to some or all Apps, go to the Apps Access field.
- Click in the Apps field to select the Apps to which you are granting access.
- Select individual Apps by marking the box next to one or more App names.
- Select all available Apps by marking the All Apps checkbox.
Finalizing the Permission Group
- After all of the permissions are set, press the Save Group button.
Here is a view of the new Permission Group once it has been saved.