Configuring Policy-Based Authentication
SEP sesam provides different authentication methods that are mutually exclusive: policy-based authentication and database-based authentication. The latter can be used in combination with LDAP/AD authentication or to enable authentication with a signed certificate (≥ 5.0.0 Jaglion).
Only one authentication method can be active at a time. By default, policy-based authentication is active.
Policy-based authentication uses the sm_java.policy file to grant the required permissions. You can configure it by editing the policy file or use the GUI to configure the user access rights by specifying the user type (role).
SEP sesam currently provides 5 user types. The following list shows the available user types and their corresponding rights.
- Superuser (≥ Jaglion): The only user type with full control over the SEP sesam environment (previously Admin). This user type with superuser rights is automatically assigned exclusively to the Administrator user when database-based authentication is activated. If policy-based authentication is enabled, this user type with superuser rights is assigned to the Administrator, root and sesam users.
- Administrator: Administrators can administer the SEP sesam system and access the GUI objects (except permission management) if not restricted by ACLs.
- Operator: Operators can monitor the whole environment.
- Backup (≥ Jaglion): Backup users can access the GUI objects granted by ACLs. They are also allowed to start backups and restores.
- Restore: Restore users can access the GUI objects granted by ACLs. They are only allowed to start standard restores.
Note that the displayed GUI components depend on the user type. For details, see Available interface options according to user type.
- The authentication module is version-dependent; it is configured in the
<SESAM_ROOT>/var/ini/sm.inifile on the SEP sesam Server. By default, policy-based authentication is already active, therefore no settings need to be changed.
- Make sure that reverse DNS resolution (from IP address to host name) is set up correctly. If the name resolution for the selected host is not correct, the connection to the GUI server fails. For details, see How to check DNS configuration.
Select one of the following methods to configure policy-based authentication.
The sm_java.policy file is by default located at
<SESAM_ROOT> is the pathname of the SEP sesam home directory.
- Open the sm_java.policy file with a text editor.
- Under the section // SEP specify the role permissions. The assignment of permissions is user- and host specific. A permission entry begins with the word permission and is structured as follows:
- After you have changed and saved the sm_java.policy file, restart the SEP sesam GUI for the changes to take effect.
permission de.sep.sesam.gui.server.<permission_type> "<user_name>@<host_name>";
permission de.sep.sesam.gui.server.AdminPermission "admin@veteranix"; permission de.sep.sesam.gui.server.AdminPermission "kd@veteranix"; permission de.sep.sesam.gui.server.OperatorPermission "operator@veteranix"; permission de.sep.sesam.gui.server.RestorePermission "restore@veteranix";
A wildcard value "*" can also be used to assign permissions to all users of a specific host
permission de.sep.sesam.gui.server.OperatorPermission "*@veteranix";
or to a user accessing the SEP sesam Server from any host:
permission de.sep.sesam.gui.server.AdminPermission "Administrator@*";
Web applications use the name dashboard to authenticate to the GUI server:
permission de.sep.sesam.gui.server.OperatorPermission "dashboard@*";
Configuring policy-based authentication in GUI
- In the GUI, from the menu bar select Configuration ‐> User Permissions.
- Click New to open the New Users Permissions window and configure the user permissions. Use the drop-down lists to select the user and/or client and the user type (Admin, Operator, Backup (≥ Jaglion), or restore)>.
If you have problems logging in after updating to 5.0.0, see Troubleshooting Authentication.