SEP sesam provides different authentication methods that are mutually exclusive: policy-based authentication and database-based authentication which can be combined with Lightweight Directory Access Protocol (LDAP) or/and Active Directory. Only one method (policy-based or database-based authentication) can be active at a time. By default, policy-based authentication is active.
Activating database-based authentication has to be done via the GUI to set the superuser/admin password. Note that superuser has replaced the former admin role with SEP sesam version 5.0.0 Jaglion.
After restarting SEP sesam GUI Server and Client, the superuser/admin can configure default user access rights that are based on predefined user type. SEP sesam currently provides 5 user types. The following list shows the available user types and their corresponding rights.
- Superuser (≥ Jaglion): The only user type with full control over the SEP sesam environment (previously Admin). This user type with superuser rights is automatically assigned to the Administrator and sesam users.
- Administrator: Administrators can administer the SEP sesam system and access the GUI objects (except permission management) if not restricted by ACLs.
- Operator: Operators can monitor the whole environment.
- Backup (≥ Jaglion): Backup users can access the GUI objects granted by ACLs. They are allowed to start backups.
- Restore: Restore users can access the GUI objects granted by ACLs. They are allowed to start restores.
Which GUI components are displayed depends on the user type. For details, see Available interface options according to user type.
|Users can also authenticate with a signed certificate instead of a user password if database-based authentication is enabled. For step-by-step procedure, see Configuring Certificate-Based Authentication.
Activating database-based authentication in the GUI
- In the GUI, from the menu bar select Configuration ‐> Permission Management.
- Click Activate Authentication. Set up the password for the Administrator user; note that this is the only way to set the administrator's password.
- After activating the authentication mode and confirming your action, you have to restart SEP sesam GUI and SEP sesam Client for the changes to take effect.
- LDAP/AD authentication is enabled by default. For details on how to configure LDAP/AD authentication, see Configuring LDAP/AD Authentication.
- You have to log in to configure users and add them to the selected group. The following user types are available: Administrators, Operators, Backup users, and Restore users.
- You can create your own subgroups (e.g., SUB_ADMIN) to grant users more specific roles. Under the Groups tab, click Create New to configure a new subgroup. The Sub Group window opens.
- Specify a group name and from the drop-down list select the relevant role to be applied to the whole group: Administrator, Operator, Backup, or Restore. For more details, see User Roles and Permissions.
- Under the Users tab, click Create New to configure a new user. The Create User window opens.
- Enter a name (e.g., mustermann) and a password and assign the user to the relevant group, for example, RESTORE.
- A user can be a member of one or more groups. Under the Groups tab, double-click the relevant group and (de)select the users to assign them to or remove them from the respective group.
- Now you can configure ACLs (access control lists) to specify which users or groups are granted access to location (group of clients) or a specific client. You can also configure ACLs for backup tasks, media pools and schedules. For details, see Using Access Control Lists.
|If you want to use LDAP/AD, you have to use the external groups. Add the group from LDAP/AD and select the Based on group option to map to this particular SEP sesam group; see Configuring LDAP authentication in the GUI.
|When activating database-based authentication via GUI, parameter authEnabled is changed to true in the sm.ini file. Setting the flag to false enables policy-based authentication and deactivates database-based authentication.
Resetting user password
To reset the password of another user, you must have superuser/admin privileges. SEP sesam generates a random password, which you send to the user. The user can then use the generated password to change their password and set a new one. The superuser/admin can reset the password in the GUI or in the command line by using the sm_cmd command.
|Resetting a password in SEP sesam version 5.0.0 Jaglion is a two-step process: The superuser/admin has to reset the password in the command line by using the sm_cmd command and then use the newly generated password to be able to change the password in the Permission Management in GUI. For detailed procedure see Resetting user password in 5.0.0 Jaglion.
Resetting password in the GUI
To reset the password for a user in the GUI follow the procedure below:
- From the menu bar select Configuration ‐> Permission Management. The Permission Management window opens.
- Double-click the user for which you want to reset the password, or select the user and click Change.
- In the Change User window, click Reset Password.
- Click Yes to confirm the action.
- Copy the generated password and send it to the user. Then click OK to apply the changes.
Resetting password in the command line
To reset a user password, log in to SEP sesam Server console and enter the following command:
sm_cmd reset user <ID or name>
The output of the above command is shown in the example.
In this example, the user name is mustermann.
sm_cmd reset user mustermann C:\Program Files\SEPsesam\bin\sesam>sm_cmd reset user mustermann bouryper39
Changing the password
To change your own user password in the GUI follow the procedure below:
- From the menu bar select Configuration ‐> Change Password. The Change Password window opens.
- Enter your current password. Then enter your new password and repeat the new password to confirm the change.
- Click OK to apply the change.
Deactivating database-based authentication
- In the GUI, from the menu bar select Configuration ‐> Permission Management -> tab Activation.
- Click Deactivate Authentication.
- After deactivating the authentication mode and confirming your action, SEP sesam GUI will restart automatically. You have to restart SEP sesam Client manually for the changes to take effect.
Now policy-based authentication is enabled and the flag authEnabled is set to false in the sm.ini file.
About Authentication and Authorization – User Roles and Permissions – Configuring Certificate-Based Authentication – Configuring LDAP/AD Authentication – Using Access Control Lists – Configuring Policy-Based Authentication