Creating a UMS group and machine users

This procedure ensures that the CDP machine user gets permission to access the tenant bucket.

Repeat the following steps for each tenant:
  1. In Management Console, User Management > Groups, click CREATE GROUP and create a User Management Service (UMS) group, for example group-tenant-1.
  2. In Groups > Members, search for and select your srv_machine_<env id>_storage_role to add this UMS machine user to group-tenant-1.
  3. In Management Console > Environments, select an environment, and click Actions > Manage Access > IDBroker Mappings > Edit.
  4. Click + to add a mapping, select the Group-tenant-1 and Role-tenant-1, and specify the complete managed identity. For example: /subscriptions/<subsciption_id>/resourcegroups/<resource_group>providers/Microsoft.ManagedIdentity/userAssignedIdentities/<managed-identity-name>
  5. Synchronize your group changes with FreeIPA by performing a user sync per environment: In the RAZ-enabled environment, click Actions > Synchronize Users to FreeIPA.
    The UMS machine user gets the permission to access the tenant-specific container.