How to define access to resources using a Windows group

Article ID: 9585

Products

CA Virtual Privilege Manager CA Privileged Identity Management Endpoint (PIM)

Issue/Introduction

These are the steps needed to push a policy to your management servers that gives users in an Active Directory group admin access so that they can host into the DMS and DH databases.

Environment

Enterprise Manager 12.8+

Resolution

You will first need to set up the xgroup on the local embedded endpoint of each management server. You can do this via a policy and a host group.

1. Create a host group in Enterprise Manager for the management servers: Enterprise Manager, Load Balancing Enterprise Managers, and Distribution Servers.

2. Create a policy that gives the xgid access via a TERMINAL rule.


Deploy Script:

exg DOMAIN\Group admin auditor
auth TERMINAL <!HOSTNAME> xgid(DOMAIN\Group) access(r,w)

Undeploy Script:

auth- TERMINAL <!HOSTNAME> xgid(DOMAIN\Group)
rxg DOMAIN\Group

3. Deploy Policy to Host Group.

This gives users in DOMAIN\Group admin access to the seosdb, that is, the first level of selang on the management hosts. Note that <!HOSTNAME> can be used as is, since it is a policy variable.

Next, do the following in the DMS database.

1. Create a TERMINAL rule for each management server in the environment in the DMS.

er TERMINAL FQDN_SERVER1 defaccess(r) owner(nobody)
er TERMINAL FQDN_SERVER2 defaccess(r) owner(nobody)

2. Create your xgroup with admin and auditor access.

exg DOMAIN\Group admin auditor

3. Add auth rights to each terminal.

auth TERMINAL FQDN_SERVER1 xgid(DOMAIN\Group) access(r,w)
auth TERMINAL FQDN_SERVER2 xgid(DOMAIN\Group) access(r,w)

After these steps, anyone in the group has the access needed to run selang and host into DH__@ locally. Also, because each terminal was set up in the DMS, which is propagated to each DH, you can host to DH__@SERVER2 from SERVER1.

Additional Information

Confirm that the following is set in seos.ini:

osuser_enabled = yes

Then the XUSER object will be created automatically when the user logs on to the PIM host.

E.g. an Active Directory user logging on to a PIM host that is also running UNAB is automatically created as an xuser object in the local PIM database.

As shown above, XGROUPs need to be defined explicitly in the local PIM database and must match the sAMAccountName/gid of the OS group.

Once an OS user logs on to the PIM host, seosd enumerates the OS groups this user belongs to.

Access to the resource is granted when the user is a member of the corresponding XGROUP, which is authorized to the relevant resource.

This concept of course also works for other classes, such as FILE.
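The following shell script is an added example, not CA's own code or part of this article: it generates the DMS selang commands from the steps above for any number of management servers (with the matching revoke-then-remove undeploy order used by the host-group policy), and checks the seos.ini setting from this section before doing so. The group name, server FQDNs and the seos.ini fragment it uses are constructed placeholders.

```shell
#!/bin/sh
# Added example (not CA's code): build DMS selang scripts for a Windows group
# across N management servers and check osuser_enabled in seos.ini.
# Group and server names are supplied as arguments (assumed, not from the KB).

# dms_deploy GROUP SERVER... : the three DMS steps as selang commands
dms_deploy() {
  group="$1"; shift
  for srv in "$@"; do                       # step 1: one TERMINAL per server
    printf 'er TERMINAL %s defaccess(r) owner(nobody)\n' "$srv"
  done
  printf 'exg %s admin auditor\n' "$group"  # step 2: xgroup with admin/auditor
  for srv in "$@"; do                       # step 3: authorize on each terminal
    printf 'auth TERMINAL %s xgid(%s) access(r,w)\n' "$srv" "$group"
  done
}

# dms_undeploy GROUP SERVER... : same order as the article's undeploy script,
# revoke the auth entries first, then remove the xgroup
dms_undeploy() {
  group="$1"; shift
  for srv in "$@"; do
    printf 'auth- TERMINAL %s xgid(%s)\n' "$srv" "$group"
  done
  printf 'rxg %s\n' "$group"
}

# osuser_enabled FILE : succeeds only if the file sets osuser_enabled = yes
osuser_enabled() {
  grep -Eiq '^[[:space:]]*osuser_enabled[[:space:]]*=[[:space:]]*yes[[:space:]]*$' "$1"
}

# Demo on a constructed seos.ini fragment (not a real file from a PIM host)
demo_ini=$(mktemp)
printf 'osuser_enabled = yes\n' > "$demo_ini"
if osuser_enabled "$demo_ini"; then
  dms_deploy 'DOMAIN\Group' srv1.example.com srv2.example.com
else
  echo 'osuser_enabled is not yes: XUSER objects will not be auto-created' >&2
fi
rm -f "$demo_ini"
```

Redirect the output of dms_deploy or dms_undeploy into a file and run it through selang on the DMS host as you would the scripts shown in the steps.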