Search & Assign
With LDAP authorization enabled, you can assign sessions and packages to an individual user, a group of users, or a specific folder in your LDAP directory.
When multiple LDAP servers are configured, search for users or groups within a domain.
Search for Users or Groups/Folders
Determine who should have access.
-
Verify or select the Domain.
To assign sessions or packages to All users within the selected domain, keep that Search result selected, and skip to step 5.
-
When LDAP authorization is enabled, you can search for and assign access to specific Users, Groups, or Folders in that domain. When LDAP authorization is not enabled, access to sessions or packages can be assigned only to All Users.
Note
The Search by options are based on the LDAP server configuration, (Search Base and Groups/Folders). You will see either Users | Groups OR Users | Folders.
To search, select a Search by option, enter a name, or enter the asterisk (
*
) wildcard or a combination of*
and letters in the text box. -
Click SELECT ATTRIBUTES or add CUSTOM ATTRIBUTES to narrow your search using the available filters. Click SEARCH.
-
In the Search Results find and click the name of the user, group, or folder.
Click Details to see this user or group’s attributes and the groups from which they can inherit access. A group’s Details also includes the members of that group.
Or, click SEARCH AGAIN to change the search attributes or to search for another user.
-
For the selected user or group of users, continue with Assign Sessions or Packages.
Assign Sessions or Packages
Determine which sessions or packages this user or group is entitled to access.
-
Check the Sessions or Packages you want to make available to the selected user or group.
Note
You can assign access by inheritance. See these examples.
-
An asterisk (*) next to the Session name denotes that a user has inherited access to that session by being a member in a group.
For example: JohnUser is a member of Group A. If you assign Session1 to Group A, then JohnUser inherits access to Session1. When viewing JohnUser’s assigned sessions, an asterisk appears next to Session1.
To remove a user’s access to an inherited session, click the User, and clear the Allow user to inherit (*) access to sessions check box (below the list of sessions).
-
Granting access to All users means granting access to the search base, and every user inherits that access. Such access is extended to individual users only when the Allow user to inherit (*) access to sessions option is checked.
-
Sessions cannot be assigned to Active Directory primary groups (such as Domain users).
-
-
Select or clear the option to Allow access to Administrative Console.
When checked, the selected user or group has access to the MSS Administrative Console.
-
The EDIT option is used for Automated Sign-On, including Reflection/InfoConnect Desktop - Workspace Automated Sign-On sessions.
To assign an automated sign-on session, click EDIT. Then continue with Source of user name on host computer.
-
Click APPLY to save your assigned sessions.
-
To assign sessions to a different user or group, repeat the steps to Search & Assign.
Source of user name on host computer
In the list of available sessions to assign, the EDIT option displays when Automated Sign-On is activated.
Note
To recap, the configuration of either Automated Sign-On for Mainframe or Automated Sign-On for Host Access requires:
-
The Automated Sign-On add-on product is installed and configured on MSS.
-
A session to the host was created with a log-in macro. See Automated Sign-on for Mainframe (IBM DCAS) - Administrator Guide, Configure Automated Sign-On for Mainframe (IBM Z MFA), or Configuring MSS Automated Sign-On for Host Access.
-
The session is assigned to the appropriate user or group.
-
The method for obtaining the user name is selected (after you click EDIT).
Click EDIT to assign a session.
(continuing from Assign Sessions step 3)
-
When you click EDIT, the Source of user name on host computer panel opens, which identifies the selected user and the session that you want them to automatically log on to.
-
Choose the method to derive the user's name on the host computer:
-
Not set
This default must be changed for automated sign-on.
-
UPN
Select this option to derive the user's name on the host system from the user's User Principal Name (UPN). The UPN is typically available from a smart card or client certificate and is a standard attribute in Active Directory servers.
A UPN is formatted as an internet-style email address, such as
userid@domain.com
, and MSS derives the user name as the short name preceding the@
symbol.In the drop-down, select your server for one-time password requests:
- MSS Automated Sign-On for Host Access Service
- IBM DCAS:
<hostname:port>
- IBM Z MFA:
<hostname:port>
-
LDAP attribute value in the authenticating directory
Select this option to perform a lookup in the LDAP directory (defined in LDAP Server Configuration) and return the value of the entered attribute as the user name.
-
Enter the LDAP attribute, using the specified criteria.
Note: All LDAP attributes must meet these criteria:
- must begin with an alpha character
- must be no more than 50 characters
- may be any alphanumeric character or a hyphen (-)
-
Select your server for one-time password requests:
- MSS Automated Sign-On for Host Access Service
- IBM DCAS:
<hostname:port>
- IBM Z MFA:
<hostname:port>
-
-
LDAP attribute value in a secondary directory
When using a secondary LDAP directory for automated sign-on, you can use this search filter to find the user object in the secondary LDAP directory. The value is returned as the user name.
-
Select the LDAP attribute. Note the criteria for LDAP attributes, listed above.
-
Select your server for one-time password requests:
- MSS Automated Sign-On for Host Access Service
- IBM DCAS:
<hostname:port>
- IBM Z MFA:
<hostname:port>
-
-
-
If you configured multiple IBM servers, select the one to use for this automated sign-on session.
An asterisk (
*
) appears next to your preferred IBM server; however, you can select a different one. -
Click OK.