This document describes the steps to allow end users from specific domains to access the Frontend of a project in Globant Enterprise AI.
The process is based on the configuration of a role, the assignment of permissions to specific assistants, and the invitation of a generic user that grants Frontend access to all users who, once authenticated on the platform, belong to the defined domain.
Below are the steps to configure this access.
In the project where you want to enable access, start by defining a role, following the steps detailed in Creating Project Roles.
In this case, the name Frontend has been used, but you can choose any name that best suits your case.

Once the role has been created, it is necessary to associate the corresponding assistants. To do so, click on PERMISSIONS in the newly created role.
When accessing PERMISSIONS, you will be able to see the list of assistants and select those to which the role will have access.
After configuring the role and permissions, you must generate the invitation for the end user. To do so, follow the steps indicated in Invite New Members.
The objective is to allow users whose email address belongs to a given domain to access the Frontend without the need to generate an invitation for each user of that domain.
For this, you must define an invitation with the email address following the format all-members@domain.com.
That is, all users whose email address ends in @domain.com will be able to authenticate in the Frontend and will automatically be assigned the role(s) assigned to this generic member.

Select the role defined in step 1 and click the CONFIRM button.
Once the invitation has been processed, any end user with the domain @domain.com will be able to access the Frontend of the project.
- Access to Multiple Projects and Assistants: The invited user can be added to additional projects, which will enable them to access the Frontend of multiple projects and the assistants configured within each of them.
- Access Deletion: If the membership of a user who has been invited under this method is deleted, they will lose access to the projects they could only access through that generic user.
It is important to take into account the following restrictions when configuring domain user access:
- Assigning Backend roles is not allowed: Users with this type of invitation cannot be assigned to Backend roles in projects. If an attempt is made to assign a Frontend or a Backend role, the system will display a warning message and only invitations for Frontend roles will be processed.
- It is not possible to add these users to Organizations: This type of user can't be assigned as a member of Organizations. When trying to make this assignment, the system will display a warning stating that it is not allowed.
By default, the “local” Identity Provider (GAM Auth Type) can't be used to provide access through this mechanism, so only other IDPs configured in the platform (for example, Google, Azure AD, etc.) may be used.
To modify the default Identity Providers exclusion list, you must have SuperAdmin access and follow these steps:
- Under SuperAdmin options, click on System and select Parameters.
- In the Parameters section, look for the parameter DOMAIN_GENERIC_MEMBER_EXCLUDED_AUTHTYPES.
- Set the parameter value to the Identity Provider (GAM Auth Type) you want to exclude, for example, local, or to a comma-separated list of them.
To configure the generic user that will be used to generate the invitations, follow these steps:
- Under SuperAdmin options, click on System and select Parameters.
- In the Parameters section, look for the parameter DOMAIN_GENERIC_MEMBER_USERNAME.
- Set the value of this parameter to the generic user name expected for that domain. The default value is all-members, but you can modify it if necessary (note that this applies to the whole environment).
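The rules above can be modeled in a few lines to reason about who ends up with which roles before sending a generic invitation. This is an added illustrative example, not Globant Enterprise AI code: the `Invitation` record, the function names, the auth type string `google`, the `Reviewer` role and the sample addresses are constructed, and exact (case-insensitive) domain matching, with subdomains not matching, is an assumption the page does not state.

```python
from dataclasses import dataclass

# Defaults the page gives for the two SuperAdmin parameters.
DOMAIN_GENERIC_MEMBER_USERNAME = "all-members"
DOMAIN_GENERIC_MEMBER_EXCLUDED_AUTHTYPES = "local"  # comma-separated list


@dataclass(frozen=True)
class Invitation:  # hypothetical record, not a platform type
    email: str
    roles: frozenset


def split_email(address):
    """Return (local_part, domain) lowercased; reject malformed input."""
    local, sep, domain = address.strip().lower().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    return local, domain


def effective_roles(email, auth_type, invitations,
                    generic_username=DOMAIN_GENERIC_MEMBER_USERNAME,
                    excluded=DOMAIN_GENERIC_MEMBER_EXCLUDED_AUTHTYPES):
    """Roles a signed-in user gets from personal and generic invitations."""
    user = split_email(email)
    excluded_types = {t.strip().lower() for t in excluded.split(",") if t.strip()}
    roles = set()
    for inv in invitations:
        local, domain = split_email(inv.email)
        if (local, domain) == user:
            roles |= inv.roles  # personal invitation (assumed unaffected by exclusion)
        elif (local == generic_username.lower()
              and domain == user[1]  # assumption: exact domain match only
              and auth_type.strip().lower() not in excluded_types):
            roles |= inv.roles  # inherited from the generic member
    return roles


# Constructed sample invitations.
INVITES = [
    Invitation("all-members@domain.com", frozenset({"Frontend"})),
    Invitation("alice@domain.com", frozenset({"Frontend", "Reviewer"})),
]
```

Running the model against the intended domain before confirming the invitation makes the blast radius explicit: every account the external IDP can authenticate under that domain receives the generic member's roles.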