StackState authentication is configured in a config file that contains already predefined roles for the Guest user (very limited permission level) and the Admin user (full permission level).
Make sure that your LDAP group and user names are provided in a proper sections of a config file. If they are, you have configured everything for the two predefined groups StackState has.
To create a new subject (a group or a username), you must follow the StackState CLI route below. When you create a subject, it has no permissions at first. All custom subjects need a scope by design, so they do not have access to the full topology. This is a security requirement that makes sure that users have access only to what they need.
To create the
stackstate subject with a scope that allows the user to see all elements with the “StackState” label, use the following command:
sts subject save stackstate 'label = "StackState"'
To give more context and specific limitations you can create the subject called
stackstateManager that also has the scope of
StackState label and has access to Business Applications within that label, command looks like this:
sts subject save stackstateManager 'label = "StackState" AND type = "Business Application"'
Please note that when passing a STQL query in a CLI command, all operators( like
AND, and so on) need to be surrounded by spaces, as in the above example.