If groups are configured correctly in the openldap config then you can add a group (not just an individual user) as a member of an environment and all members of that group will be able to use it.
Individual users (or another group) can be added separately with a different permission (e.g. Owner vs Member) and users will get the highest their address eligible for.
All the auth providers (except for local where it makes no sense) allow you to add members by name for a person who has not created an account yet (and therefore does not appear in the accounts list).
So either you are confused there, or are actually talking about managing the users access to Rancher as a whole, vs individual environments. You cannot make a group or person who doesn’t have an account yet an Admin, for example.
These are 2 separate concepts that may be getting confused:
Account kind: affects the whole install
- User: can use the environments they are given access to
- Admin: can do anything, use any environment, configure auth, etc.
Environment member role (called projectMember in API): affects a single environment
- Readonly: can see but not change anything
- Restricted: can manage stacks/services/containers but not hosts
- Member: can manage all resources in the project
- Owner: member + can manage the membership list & roles.