Search & Assign - Management and Security Server Administrator Guide

4.1 Search & Assign

With LDAP authorization enabled, you can assign sessions and packages to an individual user, a group of users, or a specific folder in your LDAP directory.

When multiple LDAP servers are configured, search for users or groups within a domain.

4.1.1 Search for Users or Groups/Folders

Determine who should have access.

  1. Verify or select the Domain.

    To assign sessions or packages to All users within the selected domain, keep that Search result selected, and skip to step 5.

  2. When LDAP authorization is enabled, you can search for and assign access to specific Users, Groups, or Folders in that domain. When LDAP authorization is not enabled, access to sessions or packages can be assigned only to All Users.

    NOTE: The Search by options are based on the LDAP server configuration (Search Base and Groups/Folders). You will see either Users | Groups OR Users | Folders.

    To search, select a Search by option, then enter a name, the asterisk (*) wildcard, or a combination of * and letters in the text box.

  3. Click Select attributes or add Custom attributes to narrow your search using the available filters. Click Search.

  4. In the Search Results find and click the name of the user, group, or folder.

    Click Details to see this user or group’s attributes and the groups from which they can inherit access. A group’s Details also includes the members of that group.

    Or, click Search Again to change the search attributes or to search for another user.

  5. For the selected user or group of users, continue with Assign Sessions or Packages.


4.1.2 Assign Sessions or Packages

Determine which sessions or packages this user or group is entitled to access.

  1. Check the Sessions or Packages you want to make available to the selected user or group.

    Become familiar with these Notes to understand different means of assigning access.

    NOTE:

    • An asterisk (*) next to the Session name denotes that a user has inherited access to that session by being a member in a group.

      For example, if you assign Session1 to Group A, of which JohnUser is a member, then JohnUser inherits access to Session1. When viewing JohnUser’s assigned sessions, an asterisk appears next to Session1. To remove a user’s access to an inherited session, click the User, and clear the Allow user to inherit (*) access to sessions check box (below the list).

    • Granting access to All users means granting access to the search base, and all users inherit that access. Such access is only extended to users when the inherit * access option is checked.

    • Sessions cannot be assigned to Active Directory primary groups (such as Domain users).

  2. Select or clear the option to Allow access to Administrative Console.

    When checked, the selected user or group has access to the Administrative Console.

  3. The Edit option is used for Automated Sign-On to a Mainframe. If you are configuring this add-on feature, and want to assign this session, click Edit. Then continue with Select method to obtain mainframe user name.

  4. Click Apply to save your assigned sessions.

  5. Repeat the steps to Search and Assign sessions to a different user or group.
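The inheritance rules in the note above (direct assignment, access inherited through group membership and shown with an asterisk, the "Allow user to inherit (*) access" check box, "All users" as an assignment on the search base, and no assignments on Active Directory primary groups) can be checked against a small model. The following is an added illustration written for this guide, not code from Management and Security Server; the Directory class, the search base, and the names JohnUser, Group A, Domain Users and Session1..3 are constructed.

```python
"""Resolve a user's effective session list under the assignment model above.

Added illustration, not Management and Security Server code; principal
names, session names and the Directory class are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Principal:
    name: str
    direct_sessions: set = field(default_factory=set)
    member_of: set = field(default_factory=set)   # groups this principal belongs to
    allow_inherit: bool = True                     # "Allow user to inherit (*) access" check box
    is_primary_group: bool = False                 # AD primary groups cannot carry assignments


class Directory:
    """Minimal stand-in for the LDAP search base and its assignments (constructed)."""

    def __init__(self, search_base: str):
        self.search_base = search_base
        self.principals: dict[str, Principal] = {}
        # "All users" assignments are attached to the search base itself.
        self.all_users_sessions: set = set()

    def add(self, principal: Principal) -> None:
        self.principals[principal.name] = principal

    def assign(self, name: str, session: str) -> None:
        principal = self.principals[name]
        if principal.is_primary_group:
            raise ValueError(f"{name} is an AD primary group; sessions cannot be assigned to it")
        principal.direct_sessions.add(session)

    def assign_all_users(self, session: str) -> None:
        self.all_users_sessions.add(session)

    def effective_sessions(self, user_name: str) -> dict[str, bool]:
        """Return {session: inherited} for a user; inherited sessions show as '*' in the console."""
        user = self.principals[user_name]
        result = {s: False for s in user.direct_sessions}
        if not user.allow_inherit:
            return result            # box cleared: no group or All-users access applies
        seen, stack = set(), list(user.member_of)
        while stack:                 # walk group membership transitively (nested groups)
            group_name = stack.pop()
            if group_name in seen:
                continue
            seen.add(group_name)
            group = self.principals[group_name]
            for s in group.direct_sessions:
                result.setdefault(s, True)   # a direct assignment wins over an inherited one
            stack.extend(group.member_of)
        for s in self.all_users_sessions:
            result.setdefault(s, True)
        return result

    def render(self, user_name: str) -> list[str]:
        """Console-style listing: inherited sessions carry a trailing asterisk."""
        return sorted(f"{s}{'*' if inherited else ''}"
                      for s, inherited in self.effective_sessions(user_name).items())


def build_example() -> Directory:
    """Constructed directory mirroring the JohnUser / Group A example in the note."""
    d = Directory("DC=example,DC=com")   # placeholder search base
    d.add(Principal("Group A"))
    d.add(Principal("Domain Users", is_primary_group=True))
    d.add(Principal("JohnUser", member_of={"Group A", "Domain Users"}))
    d.assign("Group A", "Session1")      # JohnUser inherits this one
    d.assign("JohnUser", "Session2")     # direct assignment
    d.assign_all_users("Session3")       # "All users" on the search base
    return d


if __name__ == "__main__":
    d = build_example()
    print(d.render("JohnUser"))          # ['Session1*', 'Session2', 'Session3*']
    d.principals["JohnUser"].allow_inherit = False
    print(d.render("JohnUser"))          # ['Session2']
```

Clearing the inherit check box removes both the group-derived session and the "All users" session, which is what the second bullet of the note describes; the primary-group check mirrors the third bullet.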


Select method to obtain mainframe user name

The Edit option displays when Automated Sign-On for Mainframe is activated. Use the Edit button to choose a method to derive the mainframe user name that will automatically log the selected user or group on to the selected mainframe session.

NOTE: To recap, the configuration of Automated Sign-On for the Mainframe requires:

  • The Automated Sign-On for Mainframe Add-On product is installed and configured on the Host Access Management and Security Server.

  • A session to the mainframe was created with a macro detailed in the Automated Sign-On for Mainframe Administrator Guide.

  • The session is assigned to the appropriate user or group.

    Note: The session cannot be inherited from a group to which the user belongs.

  • The method for obtaining the mainframe user name is selected.

To select the method:

  1. For the selected user or group, check the session you want them to automatically log on to.

    Click Edit, next to the session name.

  2. On the Method to obtain mainframe user name panel, choose the option:

    • Not set

      The default must be changed for automated sign-on.

    • Derive from UPN

      Select this option to request a passticket from DCAS by deriving the mainframe username from the User Principal Name (UPN) of the user. The UPN is typically available from a smart card or client certificate, and is a standard attribute in Active Directory servers. A UPN is formatted as an Internet-style email address, such as userid@domain.com, and Management and Security Server derives the mainframe username as the short name preceding the '@' symbol.

    • Get LDAP attribute value from authenticating directory

      Select this option to perform a lookup in the LDAP directory (defined in Authentication & Authorization) and return the value of the entered attribute as the mainframe username.

      All LDAP attributes must meet these criteria:

      • must begin with an alpha character
      • no more than 50 characters
      • any alphanumeric character or a hyphen is permitted

    • Get LDAP attribute value from secondary directory using search filter

      Select this option to use the search filter to find the user object in the secondary LDAP directory; then return the value of the entered attribute as the mainframe username.

    • Literal value

      This option is available for sessions assigned to users, but not groups. Enter a value that meets these criteria:

      • up to eight alphanumeric characters
      • no spaces
      • no other characters

  3. Click OK.
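The four derivation methods above, together with the attribute-name and literal-value rules, are easy to get wrong when scripting or auditing assignments. The following is an added example written for this guide, not code from Management and Security Server: it implements the UPN short-name derivation and the two rule sets exactly as stated, and stands in for the directory lookup with a constructed dictionary (the attribute name mainframeId and the user names are made up; sAMAccountName is a standard Active Directory attribute).

```python
"""Mainframe user-name derivation and input validation for the methods listed above.

Added illustration, not Management and Security Server code. The LDAP lookup is
replaced by a constructed entry dictionary; attribute and user names are made up.
"""
import re

# Attribute-name rules from the guide: begins with an alpha character, at most
# 50 characters, and only alphanumerics or a hyphen.
ATTRIBUTE_NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9-]{0,49}")
# Literal-value rules: up to eight alphanumeric characters, no spaces or other characters.
LITERAL_VALUE_RE = re.compile(r"[A-Za-z0-9]{1,8}")


def is_valid_attribute_name(name: str) -> bool:
    return ATTRIBUTE_NAME_RE.fullmatch(name) is not None


def is_valid_literal_value(value: str) -> bool:
    return LITERAL_VALUE_RE.fullmatch(value) is not None


def mainframe_user_from_upn(upn: str) -> str:
    """'Derive from UPN': the short name preceding the '@' of userid@domain.com."""
    short, sep, domain = upn.partition("@")
    if not sep or not short or not domain:
        raise ValueError(f"not a UPN: {upn!r}")
    return short


def mainframe_user_from_entry(entry: dict, attribute: str) -> str:
    """'Get LDAP attribute value': read the named attribute from a directory entry.

    `entry` stands in for the object returned by the directory lookup (or found in
    the secondary directory by the search filter). LDAP attributes may be
    multi-valued, so a list is accepted and its first value is used.
    """
    if not is_valid_attribute_name(attribute):
        raise ValueError(f"attribute name violates the naming rules: {attribute!r}")
    value = entry.get(attribute)
    if isinstance(value, (list, tuple)):
        value = value[0] if value else None
    if not value:
        raise ValueError(f"attribute {attribute!r} missing or empty on the entry")
    return str(value)


def resolve_mainframe_user(method: str, *, upn=None, entry=None, attribute=None,
                           literal=None, assigned_to_group=False):
    """Dispatch over the panel's options; 'Not set' yields no user name."""
    if method == "Not set":
        return None
    if method == "Derive from UPN":
        return mainframe_user_from_upn(upn)
    if method.startswith("Get LDAP attribute value"):
        return mainframe_user_from_entry(entry or {}, attribute)
    if method == "Literal value":
        if assigned_to_group:
            raise ValueError("Literal value is available only for sessions assigned to users")
        if not is_valid_literal_value(literal or ""):
            raise ValueError(f"literal value violates the rules: {literal!r}")
        return literal
    raise ValueError(f"unknown method: {method!r}")


if __name__ == "__main__":
    # Constructed directory entry standing in for the LDAP lookup result.
    entry = {"sAMAccountName": "jdoe", "mainframeId": ["JDOE1"]}
    print(resolve_mainframe_user("Derive from UPN", upn="jdoe@example.com"))      # jdoe
    print(resolve_mainframe_user("Get LDAP attribute value from authenticating directory",
                                 entry=entry, attribute="mainframeId"))           # JDOE1
    print(resolve_mainframe_user("Literal value", literal="TSO12345"))             # TSO12345
```

The validators reject an attribute name that starts with a digit or contains an underscore, and a literal value longer than eight characters or containing a space, so a failing value surfaces before a passticket request is ever made rather than as a silent sign-on failure.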
