Troubleshooting Authentication



Copyright © SEP AG 1999-2022. All rights reserved.

Any form of reproduction of the contents or parts of this manual is allowed only with the express written permission from SEP AG. When compiling and designing user documentation SEP AG uses great diligence and attempts to deliver accurate and correct information. However, SEP AG cannot issue a guarantee for the contents of this manual.

Welcome to the latest SEP sesam documentation version 5.0.0 Jaglion. For previous documentation version(s), check the documentation archive.


Troubleshooting SEP sesam authentication

After updating to SEP sesam version 5.0.0.x, no user other than the special user Administrator (Windows) or root (Linux) is elevated to Superuser

Problem

  • After updating SEP sesam to version ≥ 5.0.0 Jaglion, the GUI complains that superuser rights are required, but only Administrator rights are listed for this GUI user. The Administrator user is not elevated to Superuser and access to the GUI is not possible without authentication.

Cause

  • This is the normal behavior for Java policy authentication. After the initial installation of SEP sesam, no user other than the default Superuser is configured. As the name implies, the permissions of the Superuser account are unrestricted. As of 5.0.0 Jaglion, the Superuser is the only user type with full control over the SEP sesam environment. It is automatically assigned exclusively to the Administrator user when database-based authentication is enabled. If policy-based authentication is enabled, this user type with Superuser rights is assigned to Administrator (on Windows and Linux), root (Linux only) and the sesam user. For more details, see User Roles and Permissions and About Authentication and Authorization.

Solution
If you use policy-based authentication (sm_java.policy) and log in from localhost, you can gain Superuser rights if your username is not listed in sm_java.policy. This is possible if the localFullAccess parameter is enabled (set to true in the <SESAM_ROOT>/var/ini/sm.ini file). There is no such workaround for database-based authentication, as only Administrator (on Windows and Linux) and root (Linux only) can become Superuser.
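
Because localFullAccess decides whether a local login can be elevated to Superuser, it is worth checking its state on every server. The following audit helper is an added example, not part of the SEP sesam documentation or product. It assumes sm.ini uses INI-style `[section]` headers and `key=value` lines with `#` or `;` comments, and that the last active entry wins; the section names in the sample are constructed placeholders.

```python
import re
import sys

# Assumption: sm.ini is INI-style ("[section]" headers, "key=value" lines).
_SECTION = re.compile(r"^\[([^\]]+)\]")
_SETTING = re.compile(r"^localFullAccess\s*[=:]\s*(\S+)", re.IGNORECASE)

# Constructed sample, not a real sm.ini; section names are placeholders.
SAMPLE = """\
; constructed sample
[section_a]
someKey=1
#localFullAccess=true
[section_b]
localFullAccess = True
"""

def find_local_full_access(ini_text):
    """Return (line_no, section, raw_value, enabled) for each active
    (non-commented) localFullAccess entry in the text."""
    hits, section = [], None
    for line_no, line in enumerate(ini_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue  # blank line or comment: not an active setting
        header = _SECTION.match(stripped)
        if header:
            section = header.group(1)
            continue
        setting = _SETTING.match(stripped)
        if setting:
            raw = setting.group(1).strip("\"'")
            hits.append((line_no, section, raw, raw.lower() == "true"))
    return hits

def local_full_access_enabled(ini_text):
    """True/False for the last active entry (assumed to win);
    None if the parameter is not set and the product default applies."""
    hits = find_local_full_access(ini_text)
    return hits[-1][3] if hits else None

if __name__ == "__main__":
    # Usage: python check_sm_ini.py <SESAM_ROOT>/var/ini/sm.ini
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    for line_no, section, raw, enabled in find_local_full_access(text):
        print(f"line {line_no} [{section}]: localFullAccess={raw} enabled={enabled}")
    print("effective:", local_full_access_enabled(text))
```

A result of `True` means local logins can obtain Superuser rights under policy-based authentication, so treat shell access to that host as equivalent to Superuser access.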

See also

  • About Authentication and Authorization
  • Configuring Database-Based Authentication
  • Configuring LDAP/AD Authentication
  • Configuring Policy-Based Authentication
  • Configuring Certificate-Based Authentication
  • User Roles and Permissions
  • Using Access Control Lists