5 1 0: Configuring Policy-Based Authentication

Welcome to the latest SEP sesam documentation version 5.1.0 Apollon. For previous documentation version(s), check documentation archive.


Overview


SEP sesam provides different authentication methods that are mutually exclusive: policy-based authentication and database-based authentication. The latter can be used in combination with LDAP/AD authentication or to enable authentication with a signed certificate (≥ 5.0.0 Jaglion).

Only one authentication method can be active at a time. By default, policy-based authentication is active.

Policy-based authentication uses the sm_java.policy file to grant the required permissions. You can configure it either by editing the policy file directly or by using the GUI to configure user access rights by specifying the user type (role). SEP sesam currently provides 5 user types. The following list shows the available user types and their corresponding rights.

  • Superuser (≥ Jaglion): The only user type with full control over the SEP sesam environment (previously Admin). This user type with superuser rights is automatically assigned to the Administrator and sesam users.
  • Administrator: Administrators can administer the SEP sesam system and access the GUI objects (except permission management) if not restricted by ACLs.
  • Operator: Operators can monitor the whole environment.
  • Backup (≥ Jaglion): Backup users can access the GUI objects granted by ACLs. They are allowed to start backups.
  • Restore: Restore users can access the GUI objects granted by ACLs. They are allowed to start restores.

Note that the displayed GUI components depend on the user type. For details, see Available interface options according to user type.

Prerequisites

  • The authentication module is version-dependent; it is configured in the <SESAM_ROOT>/var/ini/sm.ini file on the SEP sesam Server. By default, policy-based authentication is already active, therefore no settings need to be changed.
  • Make sure that reverse DNS resolution (from IP address to host name) is set up correctly. If the name resolution for the selected host is not correct, the connection to the GUI server fails. For details, see How to check DNS configuration.

Steps

Select one of the following methods to configure policy-based authentication.

Editing sm_java.policy

The sm_java.policy file is by default located at <SESAM_ROOT>/var/ini/sm_java.policy, where <SESAM_ROOT> is the pathname of the SEP sesam home directory.

  1. Open the sm_java.policy file with a text editor.
  2. Under the section // SEP specify the role permissions. The assignment of permissions is user- and host-specific. A permission entry begins with the word permission and is structured as follows:

      permission de.sep.sesam.gui.server.<permission_type> "<user_name>@<host_name>";

     For example:

      permission de.sep.sesam.gui.server.AdminPermission "admin@veteranix";
      permission de.sep.sesam.gui.server.AdminPermission "kd@veteranix";
      permission de.sep.sesam.gui.server.OperatorPermission "operator@veteranix";
      permission de.sep.sesam.gui.server.RestorePermission "restore@veteranix";

     A wildcard value "*" can also be used to assign permissions to all users of a specific host:

      permission de.sep.sesam.gui.server.OperatorPermission "*@veteranix";

     or to a user accessing the SEP sesam Server from any host:

      permission de.sep.sesam.gui.server.AdminPermission "Administrator@*";

     Web applications use the name dashboard to authenticate to the GUI server:

      permission de.sep.sesam.gui.server.OperatorPermission "dashboard@*";
  3. After you have changed and saved the sm_java.policy file, restart the SEP sesam GUI for the changes to take effect.
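Because the policy entries above decide who gets Admin rights, it is worth being able to review them mechanically. The following added example (not part of the SEP sesam product or this page) parses the permission lines shown above, resolves which permission types a given user@host combination receives under the "*" wildcard rules, and flags wildcard entries that grant AdminPermission. The sample policy text is constructed; exact, case-sensitive matching of user and host names is an assumption, since the page does not state the comparison rules.

```python
import re
from typing import List, Set, Tuple

# Constructed sample of permission lines as they appear under "// SEP" in sm_java.policy.
SAMPLE_POLICY = """
// SEP
permission de.sep.sesam.gui.server.AdminPermission "admin@veteranix";
permission de.sep.sesam.gui.server.OperatorPermission "*@veteranix";
permission de.sep.sesam.gui.server.AdminPermission "Administrator@*";
permission de.sep.sesam.gui.server.OperatorPermission "dashboard@*";
"""

# Matches: permission de.sep.sesam.gui.server.<Type>Permission "<user>@<host>";
ENTRY_RE = re.compile(
    r'^\s*permission\s+de\.sep\.sesam\.gui\.server\.(\w+Permission)\s+"([^"@]*)@([^"]*)"\s*;'
)

Entry = Tuple[str, str, str]  # (permission_type, user, host)


def parse_policy(text: str) -> List[Entry]:
    """Return (permission_type, user, host) for every permission line; skip blanks and // comments."""
    entries: List[Entry] = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("//"):
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2), m.group(3)))
    return entries


def permissions_for(entries: List[Entry], user: str, host: str) -> Set[str]:
    """All permission types granted to user@host. '*' in either part matches anything
    (assumption: the non-wildcard parts are compared exactly)."""
    return {ptype for ptype, u, h in entries
            if u in ("*", user) and h in ("*", host)}


def wildcard_admin_entries(entries: List[Entry]) -> List[Entry]:
    """AdminPermission entries that rely on a wildcard user or host; review these deliberately."""
    return [e for e in entries if e[0] == "AdminPermission" and "*" in (e[1], e[2])]


if __name__ == "__main__":
    parsed = parse_policy(SAMPLE_POLICY)
    print(sorted(permissions_for(parsed, "admin", "veteranix")))
    print(wildcard_admin_entries(parsed))
```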

Configuring policy-based authentication in GUI

  1. In the GUI, from the menu bar select Configuration -> Permission Management.

  2. Click Create New to open the Create User window and configure the user permissions. Use the drop-down list to select the user group. Enter the information as required and click OK.


See also

  • User Roles and Permissions
  • About Authentication and Authorization
  • Configuring Database-Based Authentication
  • Configuring LDAP/AD Authentication
  • Configuring Certificate-Based Authentication

Copyright © SEP AG 1999-2024. All rights reserved.
Any form of reproduction of the contents or parts of this manual is allowed only with the express written permission from SEP AG. When compiling and designing user documentation SEP AG uses great diligence and attempts to deliver accurate and correct information. However, SEP AG cannot issue a guarantee for the contents of this manual.