Archive:4 4 3:Authentication

From SEPsesam

Copyright © SEP AG 1999-2024. All rights reserved.

Any form of reproduction of the contents or parts of this manual is allowed only with the express written permission from SEP AG. When compiling and designing user documentation SEP AG uses great diligence and attempts to deliver accurate and correct information. However, SEP AG cannot issue a guarantee for the contents of this manual.

This is not the latest version of SEP sesam documentation and, as such, does not provide information on features introduced in the latest release. For more information on SEP sesam releases, see SEP sesam Release Versions. For the latest documentation, check SEP sesam Documentation.


SEP sesam uses the authentication module to grant and restrict access to SEP sesam Server. Users can connect to SEP sesam Server only if they are granted appropriate permissions. Their user rights depend on the user type. SEP sesam user types are admin, operator and restore.

  • Admin is the only user role with full control over the SEP sesam.
  • The Operator monitors the SEP sesam Server backup status.
  • The Restore user is only allowed to start restores.

Note that the displayed GUI components depend on the user type. For details on GUI elements, see SEP sesam GUI.

After the initial installation of SEP sesam, no users are configured except the administrator. Depending on version, SEP sesam provides different authentication methods that are mutually exclusive: policy-based authentication (for all SEP sesam versions) and database-based authentication (in 4.4.3 Tigon and newer). By default, policy-based authentication is active. Note that only one policy can be active at any time.

In SEP sesam version 4.4.3 Tigon and newer, you can bypass authentication for local server for all users by setting the parameter localFullAccess in the <SESAM_ROOT>/var/ini/sm.ini file to true.

Policy-based authentication in 4.4.3 release and newer

Policy-based authentication represents a traditional approach to managing user's permissions with SEP sesam version 4.4.3 and newer. SEP sesam GUI is based on Java and uses sm_java.policy file to grant the required permissions. The policy file is by default located at <SESAM_ROOT>/var/ini/sm_java.policy, where <SESAM_ROOT> is the pathname of the SEP sesam home directory.

With policy-based authentication permissions are assigned to user/host combination in the sm_java.policy file. You can also grant users the required permissions by using GUI: Main Selection -> Configuration ‐> User Permissions. For details on policy-based permissions, see Configuring Policy-Based Authentication.

For release 4.4.3 Tigon and newer, the authentication module is configured in the <SESAM_ROOT>/var/ini/sm.ini file on the SEP sesam Server. Policy-based authentication is enabled by default with the authEnabled parameter set to false in the sm.ini file.

For SEP sesam versions ≤ 4.4.3, it is strongly recommended not to change the authentication module settings in the sm.ini file.

Database-based authentication in 4.4.3 Tigon and newer

As of 4.4.3 Tigon, SEP sesam provides database-based authentication that allows administrators to configure users and grant them appropriate permissions to perform SEP sesam operations by setting individual passwords and assigning users to the relevant user group. The assigned user group (based on user type) determines the actions that the group members can perform.

The database-based authentication can be enabled from GUI by activating authentication under the Configuration ‐> Permission Management. This is the only way to set the password for the Administrator. For details on database-based permissions, see Configuring Database-Based Authentication.

If the DB-based authentication is activated via GUI, the authEnabled parameter is set to true in the <SESAM_ROOT>/var/ini/sm.ini file on the SEP sesam Server. For details on database-based permissions, see Configuring Database-Based Authentication.

Configuring localFullAccess in sm.ini

localFullAccess defines whether a user that is logged to the SEP sesam Server directly may use SEP sesam CLI and GUI without any authentication. If set to true, authentication is not required. If set to false, the authentication is mandatory for all users. SEP sesam will prompt for the username and password to log in. If database-based authentication is enabled, localFullAccess flag is set to false automatically. A certificate is passed from the SEP sesam command line to the SEP sesam Server, where it is verified. The certificate file is stored in <SESAM_ROOT>/var/ini/ssl.

  • On Unix, only the system root user can access this directory and use the command line without authentication.
  • On Windows, use Windows User Account Control (UAC) to limit the access to certificate file.

How to change flag localFullAccess

  1. Locate the <SESAM_ROOT>/var/ini/sm.ini file on the SEP sesam Server (where <SESAM_ROOT> is the pathname of the SEP sesam home directory). Open the sm.ini file using a text editor and set the flag for the localFullAccess parameter to true.
  2. Once you have changed the settings, save your changes and restart the SEP sesam Server for the changes to take effect. The sm.ini file is preserved when you upgrade your SEP sesam Server.
For SEP sesam versions ≤ 4.4.3: It is strongly recommended to leave the localFullAccess flag set to true.