Map sessions to users - Host Access Management and Security Server Administrative Console

Map sessions to users

In the Access Mapper, first search for the user or groups, and then select the sessions they can access.

Search for users

  1. Verify or select the Domain.

  2. Search for Users or Groups in that domain.

    Enter a user or group name, the asterisk (*) wildcard, or a combination of * and letters in the text box. Click Search.

  3. Click Select attributes to narrow your search using the available filters. If you change the default attributes, click Search again.

  4. Enter your search value in the search field and press Enter. The search results display in the left panel. Use the arrows at the bottom of the panel to page through the list.

Select sessions

Check the terminal sessions that you want to make available to your users. If you selected LDAP authorization, the sessions that you select appear on the session list for the specified user or for the users within a specified group.

The Administrative Server does not support mapping sessions to Active Directory primary groups (for example, Domain Users).

An asterisk denotes that a user has inherited access to that session by having membership in a group. For example, if you map a session to a group of which User 1 is a member, then that session is listed with an asterisk (*) denoting the session is inherited. If a session is inherited, you can remove access to that session by clearing the “Allow user to inherit access to sessions” option.

NOTE: Granting access to all users means that you are granting access to the search base, and all users inherit that access. Such access is only extended to users when the “inherit access” option is checked.

Other options

These options are available only with LDAP authorization.

  • Access to Administrative Console

    Select this option to make the Administrative Console available to this user or to users within the specified group.

  • Allow user to inherit (*) access to sessions

    Select this option to have session access inherited from groups to which the user belongs. Clearing this option removes the group mappings for inherited sessions.

Mapping mainframe user names for Automated Sign-On

After the Automated Sign-On for Mainframe add-on product has been installed and configured on the Management and Security Server, set authorization by mapping access for users and groups to their sessions.

Mapping users’ access to the sessions you created specifies the list of sessions available to each user. You can map access by individuals or groups.

  1. For the selected user or group, select the sessions they are entitled to access.

  2. Click Edit to map the mainframe user name that automated sign-on will use for this session. The Edit option is available only if the Management and Security Server is correctly configured, the session is mapped, and access to the session is not inherited from a group to which the user belongs.

  3. On the User Mapping panel, choose the method you configured for determining the user's or group's mainframe username:

    • Not set

      This is the default setting; it must be changed before automated sign-on can work.

    • Derive from UPN

      Select this option to request a passticket from DCAS by deriving the mainframe username from the User Principal Name (UPN) of the user. The UPN is typically available from a smart card or client certificate, and is a standard attribute in Active Directory servers. A UPN is formatted as an Internet-style email address, such as userid@domain.com, and Management and Security Server derives the mainframe username as the short name preceding the '@' symbol.

    • Get LDAP attribute value from authenticating directory

      Select this option to perform a lookup in the LDAP directory (defined in Access Control Setup) and return the value of the entered attribute as the mainframe username.

      All LDAP attributes must meet these criteria:

      • must begin with an alphabetic character
      • no more than 50 characters
      • any alphanumeric character or a hyphen is permitted

    • Get LDAP attribute value from secondary directory using search filter

      Select this option to use the search filter to find the user object in the secondary LDAP directory; then return the value of the entered attribute as the mainframe username.

    • Literal value

      This option is available for sessions mapped to users, but not groups. Enter a value that meets these criteria:

      • up to eight alphanumeric characters
      • no spaces
      • no other characters

  4. Click OK.
