Configuring Policy-Based Authentication
SEP sesam provides two mutually exclusive authentication methods: policy-based authentication and database-based authentication. Only one can be active at any time. By default, policy-based authentication is active.
Policy-based authentication uses the sm_java.policy file to grant the required permissions. You can configure it either by editing the policy file or by using the GUI to set the user access rights by specifying the user type (role). The SEP sesam user types are admin, operator and restore.
- Admin is the only user role with full control over SEP sesam.
- The Operator monitors the SEP sesam Server backup status.
- The Restore user is only allowed to start restores.
Note that the displayed GUI components depend on the user type. For details on GUI elements, see SEP sesam GUI Overview.
- The authentication module is version-dependent; it is configured in the <SESAM_ROOT>/var/ini/sm.ini file on the SEP sesam Server. By default, policy-based authentication is already active, therefore no settings need to be changed.
- Make sure that the reverse DNS resolution (from IP address to host name) is set up correctly. If the name resolution for the selected host is not correct, the connection to the GUI server fails. For details, see How to check DNS configuration.
Note: For SEP sesam versions ≤ 4.4.3, it is strongly recommended not to change the authentication module settings in the sm.ini file.
Select one of the following methods to configure policy-based authentication.
Editing the sm_java.policy file
The sm_java.policy file is by default located at
<SESAM_ROOT> is the pathname of the SEP sesam home directory.
- Open the sm_java.policy file using a text editor.
- Under the section // SEP, specify the role permissions. The assignment of permissions is user- and host-specific. A permission entry begins with the word permission and is composed as follows:
  permission de.sep.sesam.gui.server.<permission_type> "<user_name>@<host_name>";
  For example:
  permission de.sep.sesam.gui.server.AdminPermission "admin@veteranix";
  permission de.sep.sesam.gui.server.AdminPermission "kd@veteranix";
  permission de.sep.sesam.gui.server.OperatorPermission "operator@veteranix";
  permission de.sep.sesam.gui.server.RestorePermission "restore@veteranix";
  A wildcard value "*" can also be used to assign permissions to all users from a given host:
  permission de.sep.sesam.gui.server.OperatorPermission "*@veteranix";
  or to a user accessing the SEP sesam Server from any host:
  permission de.sep.sesam.gui.server.AdminPermission "Administrator@*";
  Web applications use the name dashboard to authenticate to the GUI server:
  permission de.sep.sesam.gui.server.OperatorPermission "dashboard@*";
- After changing and saving the sm_java.policy file, restart the SEP sesam GUI for the changes to take effect.
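To check which roles a given user@host ends up with once wildcards are taken into account, here is an added Python example (not SEP sesam code): it parses the single-line permission form shown above from a constructed sample that mirrors the entries on this page, resolves the "*" wildcards for a principal, and lists AdminPermission grants that rely on a wildcard, which are the entries an administrator should review first. The parser handles only the entry form shown on this page, treats "*" as a whole-field wildcard as the page describes, and its function names are hypothetical.

```python
import re

# Constructed sample of the "// SEP" section of an sm_java.policy file
# (not a real customer file); it mirrors the entries shown on this page.
SAMPLE_POLICY = """\
// SEP
permission de.sep.sesam.gui.server.AdminPermission "admin@veteranix";
permission de.sep.sesam.gui.server.AdminPermission "kd@veteranix";
permission de.sep.sesam.gui.server.OperatorPermission "operator@veteranix";
permission de.sep.sesam.gui.server.RestorePermission "restore@veteranix";
permission de.sep.sesam.gui.server.OperatorPermission "*@veteranix";
permission de.sep.sesam.gui.server.AdminPermission "Administrator@*";
permission de.sep.sesam.gui.server.OperatorPermission "dashboard@*";
"""

# One-line entry form from the page: permission <class> "<user>@<host>";
ENTRY_RE = re.compile(
    r'^\s*permission\s+de\.sep\.sesam\.gui\.server\.(\w+Permission)\s+'
    r'"([^"@]+)@([^"@]+)"\s*;\s*$'
)


def parse_policy(text):
    """Return (permission_type, user, host) for every permission entry.

    Comments, blank lines and other non-permission lines are skipped; a
    permission line that does not fit the expected one-line form raises.
    """
    entries = []
    for line in text.splitlines():
        if not line.lstrip().startswith("permission"):
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            raise ValueError(f"malformed permission entry: {line!r}")
        entries.append(m.groups())
    return entries


def _matches(pattern, value):
    # "*" in the user or host position matches anything (whole-field only,
    # as on the page; partial patterns are assumed unsupported)
    return pattern == "*" or pattern == value


def granted_roles(entries, user, host):
    """Sorted roles that apply to user@host once wildcards are expanded."""
    return sorted({ptype for ptype, u, h in entries
                   if _matches(u, user) and _matches(h, host)})


def wildcard_admin_grants(entries):
    """AdminPermission entries using '*' for user or host: full control
    granted beyond one named principal, so review these first."""
    return [(u, h) for ptype, u, h in entries
            if ptype == "AdminPermission" and "*" in (u, h)]
```

Because the host part is matched against the name obtained by reverse DNS resolution, the same audit also shows why a wrong reverse lookup makes a host-specific entry fail to match.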