title: The CO
teaching: 10
exercises: 45
questions: Question here
objectives: List the objectives
keypoints: List the key takeaways for the episode

COmanage is a multi-tenant tool. This means that for each installation, one or more top-level groups (group is ambiguous, maybe stick with tenant?) can be expressed. These groups are called Collaborative Organizations or COs. Individuals are added to these fundamental groups (COs), but once there, the individuals can be included in multiple sub groups of the CO.

1. The Collaborative Organization (CO⚙️)

The term “Collaborative Organization” or CO⚙️ refers to any formal or informal group of individuals that work collaboratively in a digital setting. They have a goal of a shared infrastructure that supports their collaborations so that the traditional limitations of localized applications may be overcome. In the last lesson, we referred to this group of individuals as "your organization or collaboration." Going forward we will just use the term CO⚙️.

Some traits of these COs⚙️ include:

  • These individuals use a common workflow for adding collaborators.
  • They share common policies for vetting the identities of collaborators.
  • They may include individuals in a single organization, or individuals may be in multiple organizations, geographically different regions, or even work independently.

While COmanage can support multiple COs⚙️, it is rare for deployers who are just getting started to have more than one. During this workshop, each of us will be working with just one CO⚙️.

Administrator Roles

COmanage Registry defines several types of administrators.

CO Administrators👑

CO Administrators👑 are super users within a CO. The types of activities that a CO Administrator👑 can do include:

  • Configure a CO⚙️
  • Add people to the CO⚙️ (using an enrollment workflow; we will talk about these in a future lesson)
  • Manage CO Person⚙️ information for people connected to the CO⚙️
  • Create and manage sub groups within the CO⚙️ (we will be talking about these sub groups in the next section.)
  • Connect the CO to provision applications used by the collaboration (This point might not be covered enough in the introductory materials - the primary purpose of person attribute management is to enable access to applications (and remove it when no longer required))

Other top-level administrators

CMP Administrators👑 (aka Registry Admins)

CMP Administrators👑 (COmanage Platform Administrators) are effectively super users, with the ability to perform almost all operations on the platform. The types of activities that CMP Administrators can do include:

  • Configure the COmanage platform including creating new COs⚙️
  • and everything that a CO⚙️ Administrator can do EXCEPT for adding people using an enrollment workflow (unless the CMP Administrator is explicitly granted this permission in the workflow.)
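The CO Administrator and CMP Administrator rules described above can be read as an authorization decision with tenant scoping. The following is an added example, not COmanage Registry code: the action names, the `Principal` class and the `enrollment_grants` parameter are hypothetical, and it assumes platform-level actions are reserved for CMP Administrators.

```python
from dataclasses import dataclass, field

# Hypothetical action identifiers, named after the activity lists above.
CO_ACTIONS = {"configure_co", "enroll_person", "manage_co_person",
              "manage_groups", "connect_provisioning"}
PLATFORM_ACTIONS = {"configure_platform", "create_co"}  # assumed CMP-only


@dataclass
class Principal:
    name: str
    cmp_admin: bool = False
    # CO name -> group names held in that CO, e.g. {"Physics": {"CO:admins"}}
    groups: dict = field(default_factory=dict)


def is_co_admin(p: Principal, co: str) -> bool:
    """CO Administrators are the members of that CO's CO:admins group."""
    return "CO:admins" in p.groups.get(co, set())


def is_allowed(p: Principal, action: str, co: str = None,
               enrollment_grants=frozenset()) -> bool:
    """Decide one request. enrollment_grants holds (principal name, CO)
    pairs that an enrollment workflow has explicitly granted."""
    if action in PLATFORM_ACTIONS:
        return p.cmp_admin
    if action not in CO_ACTIONS or co is None:
        return False  # default deny for unknown or unscoped requests
    if is_co_admin(p, co):
        return True   # super user, but only inside this CO
    if p.cmp_admin:
        # Everything a CO Administrator can do, except enrollment
        # unless the workflow grants it explicitly.
        if action == "enroll_person":
            return (p.name, co) in enrollment_grants
        return True
    return False


# Constructed sample principals
alice = Principal("alice", groups={"Physics": {"CO:admins", "CO:members:all"}})
root = Principal("root", cmp_admin=True)
```

Because the CO Administrator check is keyed on the CO name, membership in `CO:admins` of one CO grants nothing in another, which is the property a multi-tenant deployment depends on.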

System Administrators👑

System Administrators👑 have privileges that enable them to maintain the COmanage application. These capabilities include the ability to provision cluster resources (for example, hardware, virtual machines, etc.), register and maintain IP addresses, administer application upgrades, manage and conduct operating system upgrades, and conduct backups.


Hands on - The organization model - COs

Interactive system activity

In this lesson you each will start to build an organizational model to serve as an example. Using the Modeling Organization 📝, write down a name for the CO⚙️ you will be working with for the workshop. Consider the people that you outlined in the first lesson, and pick a CO⚙️ to which these individuals would belong (along with the person's memberships that you have outlined.)

[5 min]


Hands on - CO Settings

Most CO Settings only make sense in another context. For example, the automatic expiration setting only makes sense once Expiration Policies are defined, and Identity Source Sync only makes sense if Org Identity Sources are configured in some sort of batch mode.

Interactive system activity

COs⚙️ have a number of settings that dictate how they will behave. These settings are outlined on the worksheet, CO Planning Worksheet 📝. As we review each of the settings, mark the values for each on the worksheet for your CO⚙️.

Features

There are several features that can be enabled on a CO⚙️. The default values will be sufficient for most needs:

  • Automatic expiration (default: enabled) - In the last lesson we learned that CO Person⚙️ objects have a validity date. The status of the CO Person⚙️ can be set to expired when the validity date range has passed. Here you can disable this feature of automatic expirations.
  • Identity Source⚙️ sync (default: enabled) - As you know from our last lesson, the cached Identity Source Record⚙️ can be automatically synced to its source according to its defined schedule. Here you can disable this automatic processing.
  • Normalizations (default: enabled) - COmanage supports the concept of data normalization. For example, upon entering the text " los angeles " into a field, normalization could correct that to "Los Angeles". Here you can disable this automatic processing.
  • NSF Demographics (default: disabled) - COmanage supports the collection of NSF Demographic Information. Here you can enable this collection.

Validity Timeframes

  • Re-provisioning (default: 1 day (1440 min)) - COmanage can enable information exchange to external systems through provisioning. If the validity status of the CO Person⚙️ changes, you likely will want provisioning to change as well. This setting allows you to set a delay before this action occurs to provide flexibility to correct inaccurate status changes.
  • Email confirmation (default: 1 day (1440 min)) - Email addresses can be confirmed through COmanage. This security setting allows you to automatically expire the confirmation link after a set period of time.

Data fields

In this section, you can set the required fields for physical addresses and names. You can also set what name fields are permitted.

Use rules

  • Sponsor Eligibility Mode (default: CO or COU Admin) - We have not yet talked about sponsorship or many of these roles. This setting determines who is eligible to sponsor others. < LDP: this isn't enough information to explain what sponsors are -- definition requested in slack. >
  • Terms & Conditions (default: not enforced) - COmanage can require users to accept terms & conditions when they log in. You can use this setting to turn on this feature.

[15 min]


Hands on - Create a CO⚙️

Interactive system activity

We will now implement what you have specified on your worksheets.

Sign into (the typically we don't use prepositions with the product names) Registry

  1. Using the credentials you specified as part of the COmanage setup, sign into the system. These credentials have Platform Administrator privileges which enable you to create COs⚙️. Once you sign in you will see a list of available collaborations.

Create a CO⚙️

REQUIRED ROLE: CMP Administrator👑

  1. From the menu, select Platform > COs to display the CO Management Overview List.

Screen shot - Navigate to the CO Management Overview List

  1. Click the "Add CO" link above the table on the right side to add a new CO⚙️.

Screen shot - CO Management Overview List

  1. Fill in the fields from the Metadata section of CO Planning Worksheet 📝:
     a. The name of your CO. This name will be displayed on lists and elsewhere. It is a good idea for this name to be descriptive, but relatively short.
     b. Description. Write a short description of your CO. This description will be helpful for those who may not be familiar with your CO's name.
     c. Status. There are three choices for the status:

    • Active - you will select this one. Your CO will be immediately active upon its creation.
    • Suspended - Useful if you do not want your CO to be active.
    • Template - Useful if you want to create several COs based on the configuration from this one.
  2. Click the ADD button to save your new CO⚙️.

Configure your CO⚙️ Settings

REQUIRED ROLE: CMP Administrator👑 -OR- CO Administrator👑

  1. Navigate back to the Collaborations List by selecting "Collaborations" from the menu.
  2. From the Collaborations list page, click on the name of the Collaboration that you just created.
  3. In the CO menu, click on the "Configuration" link to see the list of customizations that you can make. Click on the first link, CO Settings to adjust the settings.

Screen shot - Navigate to COSettings Configuration > CO Settings

  1. Using the values that you put in your CO Planning Worksheet 📝, adjust the settings for your CO.
  2. Click the SAVE button to save your work.

Establish a CO Administrator👑

Now that you have created a CO, you should set up at least one person as its administrator. For this example, you do not yet have any CO Persons⚙️ that you can assign to this role. Instead, you will manually create records to create a CO Person⚙️ and set up yourself as that administrator.

  1. Ensure that you are signed in and are looking at the CO that you created.
  2. Navigate to the Organizational Identity List using the menu on the left by clicking People > Organizational Identities

Screen shot - Navigate to People > Organizational Identities

  1. Click on the Add a New Organizational Identity link to open a form to create a new Org Identity⚙️. NOTE: generally you will not be performing this function manually, so we will include the minimum attributes and information here.

Screen shot - click Add a New Organizational Identity

  1. Fill in the form for yourself. The only required information is a Given Name. Feel free to fill in as much or as little as you would like. When you are finished, click the ADD button to save the new Organizational Identity.

  2. You will need an email address associated with this Org Identity⚙️ to create a CO Person⚙️ that can be turned into an administrator. Add an email address by clicking the Add button in the Email addresses section. Fill in the form that is presented, and click the ADD button to add the email address.

Screen shot - click Add Email

  1. Now that you have an Org Identity⚙️ with an email address, you can invite this person (you!) to be a member of your CO⚙️. On the menu on the left, select People > Invite to start the process. This action will bring you to a list of Org Identities⚙️ that both have an email address and have not yet become a part of the CO⚙️ or been invited to join. You will see the Org Identity⚙️ that you created on this list.

Screen shot - Find a person to invite to your CO

  1. Click the Invite button, review the form that appears as a result, and then click the "SEND INVITE" button. This action will send an invitation email to the address stored, and will add a CO Person⚙️ attached to the Org Identity⚙️ to the CO⚙️. This means that this new CO Person⚙️ will appear in the population list for the CO. (The population list appears once the invitation is sent.)

Screen shot - My Population List

  1. Let's edit the CO Person⚙️ directly to complete the process. Click the Edit button for the newly created CO Person⚙️ to display the edit screen. Notice that this person was automatically added to the CO:members:all group.

  2. Make the following edits to complete the process:

  • Change the Status in the Person Attributes section to Active and click the SAVE button. (This action will result in the person also being added to the CO:members:active group)
  • Add the person to the CO:admins group. In the Groups section, click the Manage Group Memberships link. For the CO:admins group, check the Member checkbox in the Actions column. Click the SAVE button at the bottom of the list to save this action. Navigate back to the CO Person⚙️ to check that this person is now a part of the administrators group for the CO⚙️.

Screen shot - CO Person Edit screen with "Manage Group Memberships" highlighted

CONGRATULATIONS!! You have just created and configured your first CO.

[25 min]


Terminology & resources

COmanage Objects ⚙️

| OBJECT | DESCRIPTION |
| --- | --- |
| CO⚙️ | any formal or informal group of individuals that work collaboratively in a digital setting. They have a goal of a shared infrastructure that supports their collaborations so that the traditional limitations of localized applications may be overcome. |
| CO Person⚙️ | the representation of a person in COmanage |
| Identity Source⚙️ | Information about a person as obtained from an external source such as LDAP, netFORUM or ORCID. |
| CO Person Role⚙️ | the representation of a person's role in COmanage. This object describes the person's role with certain collections of people within your organization or collaboration. These objects are attached to CO Person⚙️ objects; there may be any number of Roles. |

CO Person Roles 👑

| ROLE | DESCRIPTION |
| --- | --- |
| CMP Administrators👑 | CMP Administrators are effectively super users, with the ability to perform almost all operations on the platform. |
| CO Administrators👑 | CO⚙️ Administrators are super users within a CO. These individuals belong to the CO:admins group of the CO⚙️. |
| System Administrators👑 | System Administrators have privileges that enable them to maintain the COmanage application. |

Worksheets 📝

| WORKSHEET | DESCRIPTION |
| --- | --- |
| Modeling Organization 📝 | Planning sheet used in this lesson for understanding how the parts of the COmanage Organization fit together. |
| CO Planning Worksheet 📝 | Planning worksheet for creating your CO(s). Contains all of the configuration sections at a glance. |

Slides

To be included


NEXT SECTION: 2. The COUs

LESSON OVERVIEW: CO320 - Modeling Your Organization in COmanage

WORKSHOP OVERVIEW: COmanage Workshop: Managing Identities & Collaborations