# User Collections

The User Collections feature, introduced on the Cloudbrink platform from release 14.5, enables customers to create multiple collections of users and group associations using the same domain name, and in turn use these collections to create multiple OTP authentication policies with different device-user-group bindings.

This document explains the configuration steps for meeting the use cases given below using the new User Collections feature.

#### Use Case 1:

The customer wants to create multiple role-based access control (RBAC) policies with different resource-templates and other policies within their organization. All the users in the organization have the same email domain name. The customer wants to leverage the native OTP authentication mechanism for user login.

When a user connects to Cloudbrink using the BrinkAgent and the OTP authentication mechanism, the corresponding resource-template and other policies (e.g. DSPA policy, Device Session policy) must be applied based on the user’s group association.

#### Use Case 2:

Extending the above use case, the customer wants to make sure that if a user belongs to more than one group, and each group has a corresponding resource-template, then the user session allows access to ALL the resources specified in all the resource-templates of the groups to which the user belongs.

For example, user1 belongs to group1 and group2. These two groups have resource-template-1 and resource-template-2 associated. When user1 logs in, user1 should be able to access resources specified in resource-template-1 AND resource-template-2.

#### Use Case 1 Configuration Steps:

Given below are the steps to meet use case 1.

#### Step-1) Create User Collections

For testing multiple user RBAC policies, create as many User Collections as there are RBAC roles needed. For each User Collection, repeat all the actions described in this step.

Navigate to Configure → Collections

<figure><img src="/files/uzWeGRPA2P1YalL4y1ys" alt=""><figcaption></figcaption></figure>

Click “Add New”

<figure><img src="/files/35sHbvaFg8pTGVB9DoLI" alt=""><figcaption></figcaption></figure>


* Configure the “Name” and “Description” parameters.
* Users can be added using two methods:
  1. By uploading a CSV file that contains “username” as the first column name and “groups” as the second column name. The username column must contain the users’ email IDs, and the groups column must contain a comma-separated list of the groups that the user will be part of.
  2. By manually adding the Username and the Groups that the user belongs to.
* In this example, the manual creation process is followed.
* A sample CSV file format with values is given in the Appendix section of this document.

<figure><img src="/files/78uRL0r8jAJuJeo4OeeR" alt=""><figcaption></figcaption></figure>

For each group entered, press the ‘+’ symbol next to “Enter Groups”. Finally, click the second ‘+’ to add the user row.

<figure><img src="/files/FFoTfC6w0KapyL8OUgPe" alt=""><figcaption></figcaption></figure>

* Verify the newly added username and group association entry under “Users List”.
* Hit “Save” to save the User Collections entity.

<figure><img src="/files/w1gSYnrTSeBdv10gs5lX" alt=""><figcaption></figcaption></figure>

Verify the newly created User Collections entity

<figure><img src="/files/DGV0e96Y9O5OMdracfZP" alt=""><figcaption></figcaption></figure>

#### Step-2) Create OTP Authentication policies using User Collections

The customer can create multiple OTP authentication policies, one OTP policy per User Collection. Each OTP policy uses one unique User Collection to determine which users must be authenticated using that OTP policy and which Device-User-Group the users belong to.

Navigate to Configure → Policies → Authentication

Click “Add New”

<figure><img src="/files/SV1SWgwg6uuNeZse52tS" alt=""><figcaption></figcaption></figure>

Select “Cloudbrink Passwordless Auth (Select Users)” option

<figure><img src="/files/az2GdmT9j4KeQOz6rNfP" alt=""><figcaption></figcaption></figure>

* Provide a “Name” for the authentication policy.
* Configure the email domain names that the OTP users will be using.
* Realm is auto-generated. Change it only if a specific value needs to be used for tracking purposes.
* Finally, hit “Save” to save the OTP authentication policy.

<figure><img src="/files/pByLavhTvOH2PsdLmGZL" alt=""><figcaption></figcaption></figure>

Verify the newly created auth policy

<figure><img src="/files/NWb6RbHzjGLMPYKEQvlA" alt=""><figcaption></figcaption></figure>

#### Step-3) Create Device-User-Groups with the same name as user groups and assign policies

Navigate to Configure → Device-User-Groups

Click on “Add New”

* Provide a “Name” for the device-user-group. This “Name” must match one of the groups that the users in the User Collection are part of.
* When a user logs in using OTP, Cloudbrink extracts the groups that this user belongs to from the User Collection, and if there is a matching Device-User-Group, the policies assigned to this Device-User-Group are applied to the user session.

Adding new Device-User-Groups

<figure><img src="/files/aXIxHtXnkHaykdGDazAd" alt=""><figcaption></figcaption></figure>

Example: the “gtm-services” device-user-group has the same name as the group that the user was assigned to when the user was created in Step-1.

Assign policies to the newly created Device-User-Groups

<figure><img src="/files/nGrJ4DigjBJREY28lZ9K" alt=""><figcaption></figcaption></figure>

#### Step-4) Repeat steps 1 to 3 for each additional User Collection so that RBAC can be used for users with the same email domain name

#### Use Case 2 Configuration Steps:

Given below are the steps to meet use case 2.

#### Step-5) Combining resource-templates from multiple Device-User-Groups

If the user belongs to multiple groups, and each group has a different resource-template, the user session must allow all resources that are specified in all these resource-templates.

This behaviour must be enabled by the MSP partner at the tenant level. The steps to enable it are given below.

* Log in to the MSP portal
* Navigate to Configure → Customers table
* Click the “Update” button for the customer/tenant where multiple-group support should be enabled
* Navigate to the “Capabilities” tab for the tenant
* Select “Enabled” for the feature “

Log in to the MSP portal

<figure><img src="/files/McqEgu725EbSQqOalgeN" alt=""><figcaption></figcaption></figure>

Customers table

<figure><img src="/files/3ysdiEUifBygOcdYEEFy" alt=""><figcaption></figcaption></figure>

Tenant Update option

<figure><img src="/files/wcqCNUnpTuX2Kq1nyftz" alt=""><figcaption></figcaption></figure>

Capabilities Tab

<figure><img src="/files/ruaDqmE1spbHvKqJQOKl" alt=""><figcaption></figcaption></figure>

Enable Multi-group option

<figure><img src="/files/bMyw3ajDzfYeGWFd8xyL" alt=""><figcaption></figcaption></figure>

NOTE: If the UI says “Need Cloudbrink can enable this feature”, please reach out to <support@cloudbrink.com>
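An added example (not Cloudbrink code or tooling): a pre-upload audit of a User Collection CSV that flags users whose groups have no same-named Device-User-Group (Step-3) and lists the resource-templates each user would receive once multi-group support is enabled (Step-5). The sample CSV is constructed, and the `DEVICE_USER_GROUPS` inventory, the `example.com` domain, exact-match group names and the quoting of the group list are assumptions.

```python
import csv
import io

# Constructed sample; the real sample CSV lives in the Appendix of the document.
SAMPLE_CSV = """username,groups
alice@example.com,"gtm-services,engineering"
bob@example.com,gtm-services
carol@other.example,engineering
dave@example.com,contractors
erin@example.com,
"""
# Hypothetical inventory: Device-User-Group name -> resource-template it assigns.
DEVICE_USER_GROUPS = {"gtm-services": "resource-template-1",
                      "engineering": "resource-template-2"}
POLICY_DOMAINS = {"example.com"}  # domains configured on the OTP auth policy


def audit_collection(csv_text, dug_templates, domains):
    """Return ({user: resource-templates}, [(line, user, problem)]) for one CSV."""
    rows = list(csv.reader(io.StringIO(csv_text)))
    header = [h.strip().lower() for h in rows[0]] if rows else []
    if header[:2] != ["username", "groups"]:
        raise ValueError("first row must be the header: username,groups")
    effective, findings = {}, []
    for lineno, row in enumerate(rows[1:], start=2):
        if not row or not row[0].strip():
            continue  # blank line
        user = row[0].strip().lower()
        # Accept the group list quoted in one cell or spilled over several cells.
        groups = [g.strip() for cell in row[1:] for g in cell.split(",") if g.strip()]
        local, _, domain = user.rpartition("@")
        if not local or domain not in domains:
            findings.append((lineno, user, "email domain not on the OTP policy"))
        if not groups:
            findings.append((lineno, user, "no groups listed"))
        for g in groups:
            if g not in dug_templates:  # assumption: names must match exactly
                findings.append((lineno, user, f"no Device-User-Group named {g}"))
        # With multi-group enabled (Step-5) the session gets every matching
        # group's resource-template, so the effective set is their union.
        effective[user] = sorted({dug_templates[g] for g in groups if g in dug_templates})
    return effective, findings


if __name__ == "__main__":
    access, problems = audit_collection(SAMPLE_CSV, DEVICE_USER_GROUPS, POLICY_DOMAINS)
    for user, templates in access.items():
        print(user, "->", templates or "NO POLICY MATCH")
    for problem in problems:
        print("line %d: %s: %s" % problem)
```

Running the audit before each upload catches a misspelled group name, which would otherwise leave the user with no matching Device-User-Group.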

