Configuring Policy-Based Authentication

Copyright © SEP AG 1999-2020. All rights reserved.

Any form of reproduction of the contents or parts of this manual is allowed only with the express written permission from SEP AG. When compiling and designing user documentation SEP AG uses great diligence and attempts to deliver accurate and correct information. However, SEP AG cannot issue a guarantee for the contents of this manual.

Welcome to the latest SEP sesam documentation version 4.4.3/4.4.3 Beefalo V2. For previous documentation version(s), check Documentation archive.


Overview

SEP sesam provides different authentication methods that are mutually exclusive: policy-based authentication and database-based authentication. Only one can be active at any time. By default, policy-based authentication is active.

Policy-based authentication uses the sm_java.policy file to grant the required permissions. You can configure it by editing the policy file, or you can use the GUI to configure user access rights by specifying the user type (role). SEP sesam user types are admin, operator and restore.

  • Admin is the only user role with full control over SEP sesam.
  • The Operator monitors the SEP sesam Server backup status.
  • The Restore user is only allowed to start restores.

Note that the displayed GUI components depend on the user type. For details on GUI elements, see SEP sesam GUI Overview.

Prerequisites

  • The authentication module is version-dependent; it is configured in the <SESAM_ROOT>/var/ini/sm.ini file on the SEP sesam Server. By default, policy-based authentication is already active, therefore no settings need to be changed.
    Note: For SEP sesam versions ≤ 4.4.3, it is strongly recommended not to change the authentication module settings in the sm.ini file.
  • Make sure that the reverse DNS resolution (from IP address to host name) is set up correctly. If the name resolution for the selected host is not correct, the connection to the GUI server fails. For details, see How to check DNS configuration.

Steps

Select one of the following methods to configure policy-based authentication.

Editing sm_java.policy file

The sm_java.policy file is by default located at <SESAM_ROOT>/var/ini/sm_java.policy, where <SESAM_ROOT> is the pathname of the SEP sesam home directory.

  1. Open the sm_java.policy file using a text editor.
  2. Under the section // SEP, specify role permissions. The assignment of permissions is user- and host-specific. A permission entry begins with the word permission and is composed as follows:

    permission de.sep.sesam.gui.server.<permission_type> "<user_name>@<host_name>";

    For example:

    permission de.sep.sesam.gui.server.AdminPermission "admin@veteranix";
    permission de.sep.sesam.gui.server.AdminPermission "kd@veteranix";
    permission de.sep.sesam.gui.server.OperatorPermission "operator@veteranix";
    permission de.sep.sesam.gui.server.RestorePermission "restore@veteranix";

    A wildcard value "*" can also be used to assign permissions to all users from a given host:

    permission de.sep.sesam.gui.server.OperatorPermission "*@veteranix";

    or to a user accessing the SEP sesam Server from any host:

    permission de.sep.sesam.gui.server.AdminPermission "Administrator@*";

    Web applications use the name dashboard to authenticate to the GUI server:

    permission de.sep.sesam.gui.server.OperatorPermission "dashboard@*";

  3. After changing and saving the sm_java.policy file, restart the SEP sesam GUI for the changes to take effect.
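
A review check for the wildcard entries described above, as an added example (not SEP's own tooling): it parses permission lines in the syntax shown on this page and lists every grant that uses "*", rating AdminPermission wildcards highest. The function names, severity labels and sample policy text are constructed for illustration, and the parser assumes one permission entry per line.

```python
import re

# Entry syntax as documented on this page:
#   permission de.sep.sesam.gui.server.<permission_type> "<user_name>@<host_name>";
ENTRY = re.compile(
    r'^\s*permission\s+de\.sep\.sesam\.gui\.server\.(\w+)\s+"([^"@]*)@([^"]*)"\s*;'
)

# Constructed sample built from the entries shown on this page.
SAMPLE = '''\
// SEP
permission de.sep.sesam.gui.server.AdminPermission "admin@veteranix";
permission de.sep.sesam.gui.server.OperatorPermission "*@veteranix";
permission de.sep.sesam.gui.server.AdminPermission "Administrator@*";
permission de.sep.sesam.gui.server.OperatorPermission "dashboard@*";
// permission de.sep.sesam.gui.server.AdminPermission "*@*";
'''

def parse_policy(text):
    """Return (line_no, permission_type, user, host) for each active role entry."""
    entries = []
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("//"):   # commented-out entries grant nothing
            continue
        m = ENTRY.match(line)
        if m:
            entries.append((no, *m.groups()))
    return entries

def audit(entries):
    """List wildcard grants; wildcard admin grants are marked HIGH."""
    findings = []
    for no, ptype, user, host in entries:
        if "*" not in (user, host):          # exact user@host pair, nothing to flag
            continue
        if user == "*" and host == "*":
            scope = "any user on any host"
        else:
            scope = "any user" if user == "*" else "any host"
        severity = "HIGH" if ptype == "AdminPermission" else "REVIEW"
        findings.append((no, severity, f'{ptype} "{user}@{host}" applies to {scope}'))
    return findings

if __name__ == "__main__":
    # To check a real file, read <SESAM_ROOT>/var/ini/sm_java.policy instead of SAMPLE.
    for no, severity, message in audit(parse_policy(SAMPLE)):
        print(f"line {no}: [{severity}] {message}")
```
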

Configuring policy-based authentication in GUI

  1. In the GUI, from the menu bar select Configuration -> User Permissions.

  2. Click New to open the New Users Permissions window and configure the user permissions. Use the drop-down lists to select the user and/or client and user type (admin, operator or restore).