Map sessions to users - Host Access Management and Security Server Administrative Console

Map sessions to users

  1. Select Users or Groups from the list.

  2. Enter a user or group name, the asterisk (*) wildcard, or a combination of * and letters in the text box.

  3. Click Attributes to narrow your search using the available filter attributes. A default set of attributes is already selected, but you can select or clear attributes to refine your query.

  4. Enter your search value in the search field and press Enter. The search results display in the left panel. Use the arrows at the bottom of the panel to page through the list.

Selecting sessions

Check the terminal sessions that you want to make available to your users. If you selected LDAP authorization, the sessions that you select appear on the session list for the specified user or for the users within a specified group.

The Administrative Server does not support mapping sessions to Active Directory primary groups (for example, Domain Users).

An asterisk denotes that a user has inherited access to that session by having membership in a group. For example, if you map a session to a group of which User 1 is a member, then that session is listed with an asterisk (*) denoting the session is inherited. If a session is inherited, you can remove access to that session by clearing the “Allow user to inherit access to sessions” option.

NOTE: Granting access to all users means that you are granting access to the search base, and all users inherit that access. Such access is only extended to users when the “inherit access” option is checked.

Mapping user names for Automated Sign-On

After the Automated Sign-On add-on has been installed and configured on the Management and Security Server, set authorization by mapping access for all your users and groups to their sessions.

Mapping users’ access to the sessions you created specifies the session URLs available to each user. You can map access by individuals or groups.

  1. For the selected user or group, select the sessions in the Sessions panel they are entitled to access.

  2. Click Edit. The Edit option is only available if the Management and Security Server is correctly installed and configured, the session is mapped, and access to the session is not inherited from a group to which the user belongs.

  3. On the User Mapping panel, choose the method you configured for determining the user’s or group’s mainframe username:

    • Not set

      The default must be changed for automated sign-on.

    • Literal value

      This option is available for sessions mapped to users, but not groups. Enter a value that meets these criteria:

      • up to eight alphanumeric characters
      • no spaces
      • no other characters
    • Derive from UPN

      Select this option to request a passticket from DCAS by deriving the mainframe username from the User Principal Name (UPN) of the user. The UPN is typically available from a smart card or client certificate, and is a standard attribute in Active Directory servers. A UPN is formatted as an Internet-style email address, such as userid@domain.com, and Management and Security Server derives the mainframe username as the short name preceding the '@' symbol.

    • Get LDAP attribute value from authenticating directory

      Select this option to perform a lookup in the LDAP directory (defined in Access Control Setup) and return the value of the entered attribute as the mainframe username.

      All LDAP attributes must meet these criteria:

      • must begin with an alpha character
      • no more than 50 characters
      • any alphanumeric character or a hyphen is permitted
    • Get LDAP attribute value from secondary directory using search filter

      Select this option to use the search filter to find the user object in the secondary LDAP directory; then return the value of the entered attribute as the mainframe username.

  4. Click OK.
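
The following pre-check for the mapping methods above is an added example, not code from Management and Security Server or its documentation. It validates literal values and LDAP attribute names against the criteria listed on this page, derives the short name from a UPN, and flags UPNs whose derived names are unusable or ambiguous. Applying the literal-value criteria to UPN-derived names, comparing names case-insensitively, and all function names and sample UPNs are assumptions of the example.

```python
import re

# Criteria as listed on this page; "alphanumeric" is read as ASCII (assumption).
LITERAL_RE = re.compile(r"[A-Za-z0-9]{1,8}")               # up to eight alphanumerics
LDAP_ATTR_RE = re.compile(r"[A-Za-z][A-Za-z0-9-]{0,49}")   # alpha first, at most 50 chars

# Constructed sample data, not taken from any real directory.
SAMPLE_UPNS = [
    "jsmith@corp.example", "mary.jones@corp.example", "administrator@corp.example",
    "jsmith@partner.example", "no-at-sign", "OPS01@corp.example",
]

def valid_literal(value):
    """True if value meets the page's 'Literal value' criteria."""
    return LITERAL_RE.fullmatch(value) is not None

def valid_ldap_attribute(name):
    """True if name meets the page's LDAP attribute criteria."""
    return LDAP_ATTR_RE.fullmatch(name) is not None

def derive_from_upn(upn):
    """Return the short name preceding the '@', or None if the UPN is malformed."""
    short, sep, domain = upn.partition("@")
    if not sep or not short or not domain or "@" in domain:
        return None
    return short

def audit_upns(upns):
    """Return {upn: reason} for UPNs that would not yield a usable, unique name."""
    findings, seen = {}, {}
    for upn in upns:
        name = derive_from_upn(upn)
        if name is None:
            findings[upn] = "malformed UPN"
        elif not valid_literal(name):
            # Assumption: derived names must satisfy the literal-value criteria.
            findings[upn] = "derived name %r is not 1-8 alphanumerics" % name
        elif name.upper() in seen:
            # The domain part is discarded, so two directories can collide.
            findings[upn] = "same derived name as %s" % seen[name.upper()]
        else:
            seen[name.upper()] = upn
    return findings

if __name__ == "__main__":
    for upn, reason in audit_upns(SAMPLE_UPNS).items():
        print("%-30s %s" % (upn, reason))
```

The collision finding is the one worth reviewing before enabling Derive from UPN: two accounts in different domains that share a short name would both map to the same mainframe username.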

Other options

These options are available only if you selected LDAP authorization.

  • Access to Administrative Console

    Select this option to make the Administrative Console available to this user or to users within the specified group.

  • Allow user to inherit (*) access to sessions

    Select this option to have session access inherited from groups to which the user belongs. Clearing this option removes the group mappings for inherited sessions.
