4.1 Search & Assign

With LDAP authorization enabled, you can assign sessions and packages to an individual user, a group of users, or a specific folder in your LDAP directory.

When multiple LDAP servers are configured, first select the domain, then search for users or groups within it.

4.1.1 Search for Users or Groups/Folders

Determine who should have access.

  1. Verify or select the Domain.

    To assign sessions or packages to All users within the selected domain, keep that Search result selected, and skip to step 5.

  2. When LDAP authorization is enabled, you can search for and assign access to specific Users, Groups, or Folders in that domain. When LDAP authorization is not enabled, access to sessions or packages can be assigned only to All Users.

    NOTE: The Search by options are based on the LDAP server configuration (Search Base and Groups/Folders). You will see either Users | Groups OR Users | Folders.

    To search, select a Search by option and, in the text box, enter a name, the asterisk (*) wildcard, or a combination of * and letters.

  3. Click Select attributes or add Custom attributes to narrow your search using the available filters. Click Search.

  4. In the Search Results find and click the name of the user, group, or folder.

    Click Details to see this user or group’s attributes and the groups from which they can inherit access. A group’s Details also includes the members of that group.

    Or, click Search Again to change the search attributes or to search for another user.

  5. For the selected user or group of users, continue with Assign Sessions or Packages.

4.1.2 Assign Sessions or Packages

Determine which sessions or packages this user or group is entitled to access.

  1. Check the Sessions or Packages you want to make available to the selected user or group.

    NOTE: You can assign access by inheritance. See the examples below.

    • An asterisk (*) next to the Session name denotes that a user has inherited access to that session by being a member in a group.

      For example: JohnUser is a member of Group A. If you assign Session1 to Group A, then JohnUser inherits access to Session1. When viewing JohnUser’s assigned sessions, an asterisk appears next to Session1.

      To remove a user’s access to an inherited session, click the User, and clear the Allow user to inherit (*) access to sessions check box (below the list of sessions).

    • Granting access to All users means granting access to the search base, and every user inherits that access. Such access is extended to individual users only when the Allow user to inherit (*) access to sessions option is checked.

    • Sessions cannot be assigned to Active Directory primary groups (such as Domain users).

  2. Select or clear the option to Allow access to Administrative Console.

    When checked, the selected user or group has access to the Administrative Console.

  3. The Edit option is used for Automated Sign-On to a mainframe. To assign an automated sign-on session, click Edit. Then continue with Select the source of the mainframe user name.

  4. Click Apply to save your assigned sessions.

  5. Repeat the steps to Search & Assign sessions to a different user or group.
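The inheritance rules in step 1 above (direct grants, grants through group membership, grants to All users, and the Allow user to inherit (*) access to sessions option) modelled as a small access-review helper. This is an added example, not MSS code; JohnUser, Group A and Session1 are the page's own names, while the data structures, the other names and the function names are assumptions.

```python
"""Model of the session-inheritance rules described in Assign Sessions or Packages.

Constructed example, not MSS code: JohnUser, Group A and Session1 come from
the page's own example; all other data and the function names are assumptions.
"""
from typing import Dict, Set

# Constructed directory state: group memberships and session assignments.
MEMBERSHIPS: Dict[str, Set[str]] = {"JohnUser": {"Group A"}, "JaneUser": set()}
GROUP_SESSIONS: Dict[str, Set[str]] = {"Group A": {"Session1"}}
USER_SESSIONS: Dict[str, Set[str]] = {"JohnUser": {"Session2"}}
ALL_USERS_SESSIONS: Set[str] = {"HelpDesk"}  # assigned to "All users", i.e. the search base


def effective_sessions(user: str, allow_inherit: bool) -> Dict[str, bool]:
    """Return {session: inherited} for a user.

    Directly assigned sessions are always present. Sessions assigned to the
    user's groups or to All users are included only while the user's
    'Allow user to inherit (*) access to sessions' option is checked, and
    are marked inherited (shown with an asterisk in the console).
    """
    result = {s: False for s in USER_SESSIONS.get(user, set())}
    if allow_inherit:
        inherited: Set[str] = set(ALL_USERS_SESSIONS)
        for group in MEMBERSHIPS.get(user, set()):
            inherited |= GROUP_SESSIONS.get(group, set())
        for s in inherited:
            result.setdefault(s, True)  # a direct grant is not re-marked as inherited
    return result


def display(user: str, allow_inherit: bool) -> str:
    """Render the assigned-sessions list the way the console does: '*' marks inheritance."""
    sessions = effective_sessions(user, allow_inherit)
    return ", ".join(f"{s}*" if inh else s for s, inh in sorted(sessions.items()))


if __name__ == "__main__":
    print(display("JohnUser", True))   # HelpDesk*, Session1*, Session2
    print(display("JohnUser", False))  # Session2
```

Clearing the inherit option for JohnUser removes Session1 and the All users grant from the effective set while leaving the direct Session2 grant in place, which is the behaviour described in the first bullet above.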

Select the source of the mainframe user name

In the list of available sessions to assign, the Edit option displays when Automated Sign-On for Mainframe is activated.

NOTE: To recap, the configuration of Automated Sign-On for the Mainframe requires:

  • The Automated Sign-On for Mainframe Add-On product is installed and configured on the Host Access Management and Security Server.

  • A session to the mainframe was created with a log-in macro detailed in the Automated Sign-On for Mainframe Administrator Guide.

  • The session is assigned to the appropriate user or group. (The session cannot be inherited.)

  • The method for obtaining the mainframe user name is selected (after you click Edit).

When you click Edit to assign a session

(continuing from Assign Sessions step 3)

  1. When you click Edit, the Source of mainframe user name panel opens, which identifies the selected user and the session that you want them to automatically log on to.

  2. Choose the method to derive the mainframe user name:

    • Not set

      This default must be changed for automated sign-on.

    • UPN

      Select this option to request a PassTicket from DCAS by deriving the mainframe user name from the User Principal Name (UPN) of the user. The UPN is typically available from a smart card or client certificate, and is a standard attribute in Active Directory servers.

      A UPN is formatted as an internet-style email address, such as userid@domain.com, and Management and Security Server derives the mainframe user name as the short name preceding the '@' symbol.

    • LDAP attribute value in the authenticating directory

      Select this option to perform a lookup in the LDAP directory (defined in Authentication & Authorization) and return the value of the entered attribute as the mainframe user name.

      Enter the LDAP attribute. NOTE: All LDAP attributes must meet these criteria:

      • must begin with an alpha character

      • no more than 50 characters

      • any alphanumeric character or a hyphen is permitted

    • LDAP attribute value in a secondary directory

      When using a secondary LDAP directory, use this search filter to find the user object in the secondary directory. The value of the specified attribute is returned as the mainframe user name.

      Note the criteria for LDAP attributes, listed above.

    • Literal value

      This option is available for sessions assigned to users, but not groups. This method is typically used for testing, not for production.

      Enter a value that meets these criteria:

      • up to eight alphanumeric characters

      • no spaces

      • no other characters

  3. If you configured multiple DCAS servers, select the one to use for this automated sign-on session.

    An asterisk (*) appears next to your preferred DCAS server; however, you can select a different one.

  4. Click OK.
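The rules stated in step 2 (the short name before '@' in a UPN, the LDAP attribute criteria, and the literal value criteria) encoded as checks an administrator could run over planned values before entering them. This is an added example, not MSS code; the function names, splitting a UPN at its first '@', and applying the eight-character literal-value limit to a derived name are assumptions.

```python
"""Helpers for the mainframe user name sources described above.

Added example, not MSS code: it encodes the page's stated rules for UPN
derivation, LDAP attribute names and literal values. Function names, the
handling of a UPN with several '@' signs (split at the first one) and the
8-character check on derived names are assumptions.
"""
import re
from typing import Optional

# Page rules: attribute starts with a letter, <= 50 chars, letters, digits or hyphens.
LDAP_ATTRIBUTE_RE = re.compile(r"[A-Za-z][A-Za-z0-9-]{0,49}")
# Page rules: literal value is up to eight alphanumeric characters, nothing else.
LITERAL_VALUE_RE = re.compile(r"[A-Za-z0-9]{1,8}")


def is_valid_ldap_attribute(name: str) -> bool:
    return LDAP_ATTRIBUTE_RE.fullmatch(name) is not None


def is_valid_literal_value(value: str) -> bool:
    return LITERAL_VALUE_RE.fullmatch(value) is not None


def mainframe_user_from_upn(upn: str) -> Optional[str]:
    """Derive the mainframe user name as the short name preceding '@'.

    Returns None when the value is not UPN-shaped (no '@', or an empty short
    name), so a caller can refuse automated sign-on instead of requesting a
    PassTicket for a malformed name.
    """
    short, sep, _domain = upn.partition("@")  # assumption: split at the first '@'
    if not sep or not short:
        return None
    return short


def check_derived_name(upn: str) -> str:
    """Classify a derived name; reusing the literal-value limit here is an assumption."""
    name = mainframe_user_from_upn(upn)
    if name is None:
        return "reject: not a UPN"
    if not is_valid_literal_value(name):
        return f"warn: '{name}' is not a plain 1-8 character alphanumeric ID"
    return f"ok: {name}"
```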
