When creating a tenant you may have noticed that an 'owner group' UUID is returned. This is the default group attached to the tenant; its members all hold 'owner' permission (described below) on that tenant and on all of its child sub-tenants. Initially you are the only member of the group.
If you have at least 'viewer' access to an entity (tenant or environment) and try to do something that requires a higher privilege, you will receive an 'HTTP 403 Forbidden' response. If you do not even have 'viewer' access to the entity (or it does not exist), you will receive an 'HTTP 404 Not Found'.
Groups are tied to a single tenant, though their permissions can also apply to that tenant's sub-tenants (see the scopes below). You may create more groups with:
klic group create TENANT-UUID NAME
You may add members with the command below. Each member is either an email address or a username-less realm such as example.com, which captures all users with an email in that realm:
klic group useradd GROUP-UUID example.com email@example.com firstname.lastname@example.org
Recall that a group is tied to a tenant, so there is no need to pass the TENANT-UUID: it is implied by the group.
Members are similarly removed using:
klic group userdel ...
Once you have created a group and managed its members, you can change the permissions of the group to describe what its members are allowed to do:
klic permission update GROUP-UUID add ROLE SCOPE
See the next section for supported ROLE and SCOPE values.
You may also pin a permission to an explicit environment with:
klic permission update --environment ENVIRONMENT-UUID GROUP-UUID add ROLE SCOPE
Scope is ignored for environment pinning and always set to
Role and Scope
There are three roles:
viewer: only allowed to read all settings and submit usage data
editor: allowed to enrol environments as well as create and renew licenses (in addition to
owner: allowed to create sub-tenants, groups and assign roles and permissions (in addition to
There are four scopes:
base: only the listed tenant (no sub-tenant access)
sub: listed tenant and all sub-tenants
one: only sub-tenants of listed tenant but not sub-sub-tenants or deeper
subordinates: only sub-tenants of listed tenant but inclusive of all sub-sub-tenants or deeper
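As an added illustration (not klic's own code or documentation), the following Python models how the roles and scopes above, together with the 403/404 behaviour described earlier, could be evaluated against a tenant tree. The tenant tree, the group UUIDs and the role ordering viewer < editor < owner (inferred from the "in addition to" wording) are constructed assumptions.

```python
# Added example, not part of klic: evaluates the role/scope rules above.
# The tenant tree, the role ordering (viewer < editor < owner) and the
# 403/404 decision below are assumptions made for illustration only.
from dataclasses import dataclass

ROLE_RANK = {"viewer": 0, "editor": 1, "owner": 2}

@dataclass(frozen=True)
class Permission:
    group: str      # group UUID (constructed value)
    tenant: str     # tenant the group is tied to
    role: str       # viewer | editor | owner
    scope: str      # base | sub | one | subordinates

# Constructed tenant tree: child -> parent (the root has parent None).
PARENT = {"root": None, "eu": "root", "eu-de": "eu", "us": "root"}

def depth_below(ancestor, tenant):
    """How many levels `tenant` sits below `ancestor` (0 = same), or None."""
    d = 0
    while tenant is not None:
        if tenant == ancestor:
            return d
        tenant, d = PARENT.get(tenant), d + 1
    return None

def scope_covers(scope, granted_on, target):
    """Does a permission granted on `granted_on` with `scope` reach `target`?"""
    d = depth_below(granted_on, target)
    if d is None:
        return False
    return {"base": d == 0, "sub": True, "one": d == 1, "subordinates": d >= 1}[scope]

def effective_role(perms, target):
    """Highest role any permission grants on `target`, or None."""
    best = None
    for p in perms:
        if scope_covers(p.scope, p.tenant, target):
            if best is None or ROLE_RANK[p.role] > ROLE_RANK[best]:
                best = p.role
    return best

def http_status(perms, target, required_role):
    """404 if not even viewer-visible, 403 if visible but under-privileged."""
    have = effective_role(perms, target)
    if have is None:
        return 404
    return 200 if ROLE_RANK[have] >= ROLE_RANK[required_role] else 403
```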