5 0 0:Configuring Database-Based Authentication: Difference between revisions

From SEPsesam
mNo edit summary
m (Removed limitation of certificate-based authentication combined with LDAP or AD (UST))
(21 intermediate revisions by the same user not shown)
Line 1: Line 1:
<translate><!--T:1-->
<noinclude><translate><!--T:1-->
<div class="noprint"><languages />
<div class="noprint"><languages />
{{Copyright SEP AG|en}}</translate>
{{Copyright SEP AG|en}}</translate>


<translate><!--T:2-->
<translate><!--T:2-->
{{Navigation_latest|release=4.4.3 ''Grolar''|link=[[Special:MyLanguage/SEP_sesam_Documentation#previous|Documentation archive]]}}</div>
{{Navigation_latest|release=[[SEP_sesam_Release_Versions|4.4.3 ''Beefalo''/5.0.0 ''Jaglion'']]
|link=[[Special:MyLanguage/SEP_sesam_Documentation#previous|Documentation archive]]}}</div>




== Overview == <!--T:3--></translate>
<!--T:3-->
<div class="boilerplate metadata" id="Additional resources" style="background-color:#ecedf1; color:#8695a7; border: 1px ridge #cdd3db; margin: 0.5em; padding: 0.5em; float: right; width: 35%; "><center><b>
</noinclude>=== Overview ===</translate>
<noinclude><div class="boilerplate metadata" id="Additional resources" style="background-color:#ecedf1; color:#8695a7; border: 1px ridge #cdd3db; margin: 0.5em; padding: 0.5em; float: right; width: 35%; "><center><b>
<translate><!--T:4-->
<translate><!--T:4-->
Additional resources</translate></b></center>
Additional resources</translate></b></center>
Line 15: Line 17:
| rowspan="2" style="padding:0px 10px 0px;" |
| rowspan="2" style="padding:0px 10px 0px;" |
<translate><!--T:5-->
<translate><!--T:5-->
[[File:SEP_next.png|45px|link=Special:MyLanguage/4_4_3_Grolar:About_Authentication_and_Authorization|About Authentication and Authorization</translate>
[[File:SEP_next.png|45px|link=About_Authentication_and_Authorization|About Authentication and Authorization</translate>
]]
]]
| style="padding:0px 40px 0px 10px; color: grey; font-size: 90%; text-align:left;" |
| style="padding:0px 40px 0px 10px; color: grey; font-size: 90%; text-align:left;" |
<translate><!--T:6-->
<translate><!--T:6-->
See also: [[Special:MyLanguage/4_4_3_Grolar:About_Authentication_and_Authorization|About Authentication and Authorization]] – [[Special:MyLanguage/4_4_3_Grolar:Configuring_LDAP/AD_Authentication|Configuring LDAP/AD Authentication]] – [[Special:MyLanguage/4_4_3_Grolar:Using_Access_Control_Lists|Using Access Control Lists]] – [[Special:MyLanguage/Configuring_Policy-Based_Authentication|Configuring Policy-Based Authentication]]</translate>
See also: [[About_Authentication_and_Authorization|About Authentication and Authorization]] – [[Special:MyLanguage/5_0_0:User_Roles_and_Permissions#UI_options|User Roles and Permissions]] – [[Special:MyLanguage/5_0_0:Configuring_Certificate-Based_Authentication|Configuring Certificate-Based Authentication]] – [[Special:MyLanguage/Configuring_LDAP/AD_Authentication|Configuring LDAP/AD Authentication]] – [[Special:MyLanguage/Using_Access_Control_Lists|Using Access Control Lists]] – [[Special:MyLanguage/Configuring_Policy-Based_Authentication|Configuring Policy-Based Authentication]]</translate>
|}
|}


Line 34: Line 36:
| rowspan="2" style="padding:0px 10px 0px;" |
| rowspan="2" style="padding:0px 10px 0px;" |
<translate><!--T:9-->
<translate><!--T:9-->
[[File:SEP Tip.png|45px|link=Special:MyLanguage/FAQ|FAQ]]</translate>
[[File:SEP Tip.png|45px|link=Special:MyLanguage/4_4_3_Beefalo:FAQ|FAQ]]</translate>
| style="padding:0px 40px 0px 10px; color: grey; font-size: 90%; text-align:left;" |
| style="padding:0px 40px 0px 10px; color: grey; font-size: 90%; text-align:left;" |
<translate><!--T:10-->
<translate><!--T:10-->
Check [[Special:MyLanguage/FAQ#installation_and_configuration|FAQ]] for installation and configuration issues.</translate>
Check [[Special:MyLanguage/4_4_3_Beefalo:FAQ#installation_and_configuration|FAQ]] for installation and configuration issues.</translate>
|}
|}


Line 47: Line 49:
<translate><!--T:12-->
<translate><!--T:12-->
Problems? See the [[Special:MyLanguage/Troubleshooting_Guide|Troubleshooting Guide]].</translate>
Problems? See the [[Special:MyLanguage/Troubleshooting_Guide|Troubleshooting Guide]].</translate>
|}</div>
|}</div></noinclude>
<translate><!--T:13-->
<translate><!--T:13-->
SEP sesam provides different authentication methods that are mutually exclusive: [[Special:MyLanguage/Configuring_Policy-Based_Authentication|policy-based authentication]] and database-based authentication which can be combined with Lightweight Directory Access Protocol (LDAP) or/and Active Directory. Only one (policy-based or database-based authentication) can be active at any time. By default, policy-based authentication is active.  
SEP sesam provides different authentication methods that are mutually exclusive: [[Special:MyLanguage/Configuring_Policy-Based_Authentication|policy-based authentication]] and database-based authentication which can be combined with Lightweight Directory Access Protocol (LDAP) or/and Active Directory. Only one method (policy-based or database-based authentication) can be active at a time. By default, policy-based authentication is active.  


<!--T:14-->
<!--T:14-->
Activating database-based authentication has to be done via GUI to set the administrator password. Once SEP sesam GUI Server and Client are restarted, the administrator is able to configure default user access rights that are based on predefined user type. These are:</translate>
Activating database-based authentication has to be done via the GUI to set the ''superuser/admin'' password. Note that ''superuser'' has replaced the former ''admin'' role with SEP sesam version [[SEP_sesam_Release_Versions|5.0.0 ''Jaglion'']].<br/>After restarting SEP sesam GUI Server and Client, the ''superuser/admin'' (depending on the version) can configure default user access rights that are based on predefined user type.</translate><translate><!--T:62--> {{5 0 0:SEP sesam User Types/en}}</translate><translate><!--T:19-->
*<translate><!--T:15-->
Which GUI components are displayed depends on the user type. For details, see [[Special:MyLanguage/5_0_0:User_Roles_and_Permissions#UI_options|Available interface options according to user type]].
''Admin'': The only user role with full control over the SEP sesam.</translate>
*<translate><!--T:16-->
''Operator'': Can monitor the whole environment.</translate>
*<translate><!--T:17-->
''Restore'': Only allowed to start restores.</translate>


<translate><!--T:18-->
<!--T:63-->
You can further configure authorization based on user roles, introduced in [[Special:MyLanguage/SEP_sesam_Release_Versions|''Grolar'']].  
As of v. [[SEP_sesam_Release_Versions|5.0.0 ''Jaglion'']], it is also possible to authenticate users with a [[Special:MyLanguage/5_0_0:Configuring_Certificate-Based_Authentication|signed certificate]] instead of a user password if ''database-based authentication'' is enabled. For step-by-step procedure, see [[Special:MyLanguage/5_0_0:Configuring_Certificate-Based_Authentication|Configuring Certificate-Based Authentication]].  


<!--T:19-->
===={{anchor|prerequisite}}Prerequisite==== <!--T:20--></translate>  
Note that the displayed GUI components depend on the user type. For details on GUI elements, see [[Special:MyLanguage/SEP sesam GUI|SEP sesam GUI]].
 
==={{anchor|prerequisite}}Prerequisite=== <!--T:20--></translate>  
*<translate><!--T:21-->
*<translate><!--T:21-->
Make sure that the reverse DNS resolution (from IP address to host name) is set up correctly. If the name resolution for the selected host is not correct, the connection to the GUI server fails. For details, see [[Special:MyLanguage/How_to_check_DNS_configuration|How to check DNS configuration]].
Make sure that reverse DNS resolution (from IP address to host name) is set up correctly. If the name resolution for the selected host is not correct, the connection to the GUI server fails. For details, see [[Special:MyLanguage/How_to_check_DNS_configuration|How to check DNS configuration]].


=={{anchor|activate}}Activating database-based authentication in GUI== <!--T:22--></translate>
==={{anchor|activate}}Activating database-based authentication in the GUI=== <!--T:22--></translate>


<ol><li><translate><!--T:23-->
<ol><li><translate><!--T:23-->
Line 78: Line 72:
Click '''Activate Authentication'''. Set up the password for the ''Administrator'' user; note that this is the only way to set the administrator's password.</translate></li>
Click '''Activate Authentication'''. Set up the password for the ''Administrator'' user; note that this is the only way to set the administrator's password.</translate></li>
<translate><!--T:25-->
<translate><!--T:25-->
[[Image:Authentication_activate.png|600px|link=]]</translate>
[[Image:Authentication_activate_Beefalo_V2.jpg|700px|link=]]</translate>
<br clear=all>  
<br clear=all>  
<li><translate><!--T:26-->
<li><translate><!--T:26-->
After activating the authentication mode and confirming your action, SEP sesam GUI will restart automatically. You have to restart SEP sesam Client manually for the changes to take effect.</translate></li>
After activating the authentication mode and confirming your action, SEP sesam GUI will restart automatically. You have to restart SEP sesam Client manually for the changes to take effect.</translate></li>
<translate><!--T:27-->
<translate><!--T:27-->
[[Image:Authentication_restart.png|450px|link=]]</translate>
[[Image:Authentication_restart_Beefalo_V2.jpg|link=]]</translate>
<br clear=all>
<br clear=all>
<li><translate><!--T:28-->
<li><translate><!--T:28-->
Optionally, select enable LDAP or/and Active Directory to authenticate users against an external LDAP directory. For details on how to configure LDAP/AD authentication, see [[Special:MyLanguage/4_4_3_Grolar:Configuring_LDAP/AD_Authentication|Configuring LDAP/AD Authentication]].</translate><br />
LDAP/AD authentication is enabled by default. For details on how to configure LDAP/AD authentication, see [[Special:MyLanguage/Configuring_LDAP/AD_Authentication|Configuring LDAP/AD Authentication]].</translate></li>
<translate><!--T:29-->
[[Image:Authentication_LDAP_AD.jpg|450px|link=]]</translate>
<br clear=all>
<li><translate><!--T:30-->
<li><translate><!--T:30-->
Log in as an administrator to '''configure the users and add them to relevant group'''. By default, the following [[Special:MyLanguage/SEP_sesam_Glossary#user_types|user types]] are available: ''Admin'', ''Operator'', ''Restore''.</translate></li>
You have to log in to '''configure users and add them to the selected group'''. The way you need to log in depends on the version. In v. [[SEP sesam Release Versions|≥ 5.0.0 ''Jaglion'']] log in as Administrator with the user type ''superuser''. In earlier versions, log in with the ''administrator'' user type. The following [[Special:MyLanguage/SEP_sesam_Glossary#user_types|user types]] are available: ''Administrators'', ''Operators'', ''Backup users'' (≥ 5.0.0 Jaglion), ''Restore users''.</translate></li>
<li><translate><!--T:31-->
<li><translate><!--T:31-->
You can create your own subgroups (e.g., ''SUB_ADMIN'') to grant users more specific roles. Under the '''Groups''' tab, click '''Create''' to configure a new subgroup. The ''Sub Group'' window opens.</translate>  
You can create your own subgroups (e.g., ''SUB_ADMIN'') to grant users more specific roles. Under the '''Groups''' tab, click '''Create New''' to configure a new subgroup. The ''Sub Group'' window opens.</translate>  
<li><translate><!--T:32-->
<li><translate><!--T:32-->
Specify a group name and from the drop-down list select the relevant role to be applied to the whole group: ''Administrator'', ''Operator''.</translate></li>
Specify a group name and from the drop-down list select the relevant role to be applied to the whole group: ''Administrator'', ''Operator'', ''Backup'' (in v. ≥ 5.0.0 ''Jaglion''), or ''Restore''. For more details, see [[Special:MyLanguage/5_0_0:User_Roles_and_Permissions|User Roles and Permissions]].</translate></li>
<translate><!--T:33-->
<translate><!--T:33-->
[[Image:Authentication_sub_group.jpg|450px|link=]]</translate>
[[Image:Authentication_sub_group_Jaglion.jpg|link=]]</translate>
<br clear=all>
<br clear=all>
{{<translate><!--T:34-->
{{<translate><!--T:34-->
note</translate>|<translate><!--T:35-->
note</translate>|<translate><!--T:35-->
If you want to combine LDAP/AD, you have to use the external groups. Add the group from LDAP/AD and select '''Based on group''' option to map to this particular SEP sesam group.</translate>}}
If you want to combine LDAP/AD, you have to use the external groups. Add the group from LDAP/AD and select the '''Based on group''' option to map to this particular SEP sesam group; see [[Special:MyLanguage/4_4_3_Beefalo:Configuring_LDAP/AD_Authentication_V2#GUI|Configuring LDAP authentication in the GUI]].</translate>}}
<li><translate><!--T:36-->
<li><translate><!--T:36-->
Under the '''Users''' tab, click '''Create''' to configure a new user. The ''Create User'' window opens.</translate></li>
Under the ''Users'' tab, click '''Create New''' to configure a new user. The ''Create User'' window opens.</translate></li>
<li><translate><!--T:37-->
<li><translate><!--T:37-->
Specify a name, password and assign a user to the relevant group, for example, ''RESTORE''.</translate></li>
Enter a name (e.g., ''mustermann'') and a password and assign the user to the relevant group, for example, ''RESTORE''.</translate></li>
<translate><!--T:38-->
<translate><!--T:38-->
[[Image:Authentication_create_user.jpg|450px|link=]]</translate>
[[Image:Authentication_create_user_Jaglion.jpg|link=]]</translate>
<br clear=all>
<br clear=all>
<li><translate><!--T:39-->
<li><translate><!--T:39-->
A user can be a member of one or more groups. Under the '''Groups''' tab, double-click the relevant group and select or deselect the users to assign them to the respective group or remove them from it.</translate></li>
A user can be a member of one or more groups. Under the '''Groups''' tab, double-click the relevant group and (de)select the users to assign them to or remove them from the respective group.</translate></li>
<translate><!--T:40-->
<translate><!--T:40-->
[[Image:Permission_management_groups.jpg|450px|link=]]</translate>
[[Image:Permission_management_groups_Beefalo_V2.jpg|link=]]</translate>
<br clear=all>  
<br clear=all>  
<li><translate><!--T:41-->
<li><translate><!--T:41-->
Now you can configure ACLs (access control lists) to specify which users or groups are granted access to location (group of clients) or a specific client. For details, see [[Special:MyLanguage/4_4_3_Grolar:Using_Access_Control_Lists|Using Access Control Lists]].</translate>
Now you can configure ACLs (access control lists) to specify which users or groups are granted access to location (group of clients) or a specific client. As of v. [[SEP sesam Release Versions|5.0.0 ''Jaglion'']], you can also configure ACLs for backup tasks, media pools and schedules. For details, see [[Special:MyLanguage/Using_Access_Control_Lists|Using Access Control Lists]].</translate>
</ol>
</ol>
{{<translate><!--T:42-->
{{<translate><!--T:42-->
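Review bot: Step T:28 now states only that "LDAP/AD authentication is enabled by default" and drops both the earlier opt-in wording ("Optionally, select enable LDAP or/and Active Directory") and its screenshot, so the procedure no longer shows where this setting lives or how to turn it off. Since an external directory becomes an authentication source as soon as database-based authentication is activated, add a sentence naming the control and when to disable it, for installations that authenticate only against the SEP sesam database. Separately, step T:24 still refers to "the ''Administrator'' user" and "the administrator's password" while T:30 now distinguishes ''superuser'' from ''administrator''; align the wording. The `<li>` opened in T:31 is still not closed in the new revision.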
Line 121: Line 112:
When activating database-based authentication via GUI, parameter <tt>authEnabled</tt> is changed to ''true'' in the <tt>sm.ini</tt> file. Setting the flag to ''false'' enables [[Special:MyLanguage/About_Authentication_and_Authorization#policy|policy-based authentication]] and deactivates database-based authentication.</translate>}}
When activating database-based authentication via GUI, parameter <tt>authEnabled</tt> is changed to ''true'' in the <tt>sm.ini</tt> file. Setting the flag to ''false'' enables [[Special:MyLanguage/About_Authentication_and_Authorization#policy|policy-based authentication]] and deactivates database-based authentication.</translate>}}


<translate>=={{anchor|reset}}Resetting user password== <!--T:44-->
<translate>==={{anchor|reset}}Resetting user password=== <!--T:44-->


<!--T:45-->
<!--T:45-->
To reset the password of another user, you must have ''Admin'' privileges. Resetting a password is a two step process: The administrator has to reset a password in the command line by using <tt>sm_cmd command</tt> and then use the newly generated password to be able to change the password under the ''Permission Management'' in GUI.
To reset the password of another user, you must have ''superuser/admin'' privileges. Resetting a password is a two-step process: The ''superuser/admin'' has to reset the password in the command line by using the <tt>sm_cmd</tt> command and then use the newly generated password to be able to change the password in the ''Permission Management'' in GUI.


==={{anchor|CMD}}Resetting password in the command line=== <!--T:46-->
===={{anchor|CMD}}Resetting the password in the command line==== <!--T:46-->


<!--T:47-->
<!--T:47-->
{{:4_4_3_Grolar:Administering_ACLs_from_the_Command_Line/en|Administering ACLs from the Command Line}}</translate>
{{:4_4_3_Grolar:Administering_ACLs_from_the_Command_Line/en|Administering ACLs from the Command Line}}</translate>
<translate>==={{anchor|GUI}}Changing password in the GUI=== <!--T:48-->
<translate>===={{anchor|GUI}}Changing password in the GUI==== <!--T:48-->


<!--T:49-->
<!--T:49-->
After resetting a user password by using <tt>sm_cmd reset user</tt> command, you can change the password for the respective user in the ''Permission Management'' in GUI by using the automatically generated password from the command output. Note that only an ''Admin'' user has enough privileges to use the Permission Management and configure users.</translate>
After resetting a user password with the <tt>sm_cmd reset user</tt> command, you can change the password for the respective user in the ''Permission Management'' in the GUI by using the automatically generated password from the command output. Note that only a ''superuser/admin'' user has sufficient permissions to use the ''Permission Management'' and configure users.</translate>
<ol><li><translate><!--T:50-->
<ol><li><translate><!--T:50-->
From the menu bar select '''Configuration''' ‐> '''Permission Management'''. The ''Permission Management'' window opens.</li>
From the menu bar select '''Configuration''' ‐> '''Permission Management'''. The ''Permission Management'' window opens.</li>
<li>Select the user for which you want to reset the password and click '''Change'''. In our example, the user is named ''mustermann''.</translate></li>
<li>Select the user for which you want to reset the password and click '''Change'''. In our example, the user is named ''mustermann''.</translate></li>
<translate><!--T:51-->
<translate><!--T:51-->
[[Image:Permission_management.jpg|link=]]</translate>
[[Image:Permission_management_Beefalo_V2.jpg|link=]]</translate>
<br clear=all>
<br clear=all>
<li><translate><!--T:52-->
<li><translate><!--T:52-->
In the ''Change User'' window, click '''Change Password'''.</translate></li>
In the ''Change User'' window, click '''Change Password'''.</translate></li>
<translate><!--T:53-->
<translate><!--T:53-->
[[Image:Change_user.jpg|link=]]</translate>
[[Image:Change_user_Beefalo_V2.jpg|link=]]</translate>
<br clear=all>
<br clear=all>
<li><translate><!--T:54-->
<li><translate><!--T:54-->
The ''Change Password'' window opens. Enter the password which you have obtained by resetting a password in the command line (in our example ''bouryper39''), specify a new password and click '''OK'''.</translate></li>
The ''Change Password'' window opens. Enter the password you obtained by resetting a password in the command line (in our example ''bouryper39''), enter a new password and click '''OK'''.</translate></li>
<translate><!--T:55-->
<translate><!--T:55-->
[[Image:Change_password.jpg|link=]]</translate>
[[Image:Change_password_Beefalo_V2.jpg|link=]]</translate>
<br clear=all>
<br clear=all>
</ol>
</ol>


<translate>=={{anchor|deactivate}}Deactivating database-based authentication== <!--T:56--></translate>
<translate>==={{anchor|deactivate}}Deactivating database-based authentication=== <!--T:56--></translate>
<ol><li><translate><!--T:57-->
<ol><li><translate><!--T:57-->
In the GUI, from the menu bar select '''Configuration''' ‐> '''Permission Management''' -> tab '''Activation'''.</translate></li>
In the GUI, from the menu bar select '''Configuration''' ‐> '''Permission Management''' -> tab '''Activation'''.</translate></li>
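Review bot: The transclusion in T:47 is unchanged at `{{:4_4_3_Grolar:Administering_ACLs_from_the_Command_Line/en|…}}`, although this edit moves the other links on the page off the `4_4_3_Grolar:` prefix. In the rendered revision, the section "Resetting the password in the command line" shows only that page title, so the <tt>sm_cmd</tt> reset step that the two-step procedure depends on is missing. Point the transclusion at the current page for this release, or inline the command-line steps here.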
Line 158: Line 149:
Click '''Deactivate Authentication'''.</translate></li>
Click '''Deactivate Authentication'''.</translate></li>
<li><translate><!--T:59-->
<li><translate><!--T:59-->
After deactivating the authentication mode and confirming your action, SEP sesam GUI will restart automatically. You have to restart SEP sesam Server manually for the changes to take effect.</translate></li>
After deactivating the authentication mode and confirming your action, SEP sesam GUI will restart automatically. You have to restart SEP sesam Client manually for the changes to take effect.</translate></li>
<li><translate><!--T:60-->
<li><translate><!--T:60-->
Now [[Special:MyLanguage/About_Authentication_and_Authorization#policy|policy-based authentication]] is enabled and the flag <tt>authEnabled</tt> is set to ''false'' in the <tt>sm.ini</tt> file.</translate></li></ol>
Now [[Special:MyLanguage/About_Authentication_and_Authorization#policy|policy-based authentication]] is enabled and the flag <tt>authEnabled</tt> is set to ''false'' in the <tt>sm.ini</tt> file.</translate></li>
</ol>


<translate><div class="noprint">
<noinclude><translate><div class="noprint">
==See also== <!--T:61-->
===See also=== <!--T:61-->
[[Special:MyLanguage/4_4_3_Grolar:About_Authentication_and_Authorization|About Authentication and Authorization]] – [[Special:MyLanguage/4_4_3_Grolar:Configuring_LDAP/AD_Authentication|Configuring LDAP/AD Authentication]] – [[Special:MyLanguage/4_4_3_Grolar:Using_Access_Control_Lists|Using Access Control Lists]] – [[Special:MyLanguage/Configuring_Policy-Based_Authentication|Configuring Policy-Based Authentication]]</div></translate>
[[About_Authentication_and_Authorization|About Authentication and Authorization]] – [[Special:MyLanguage/5_0_0:User_Roles_and_Permissions#UI_options|User Roles and Permissions]] – [[Special:MyLanguage/5_0_0:Configuring_Certificate-Based_Authentication|Configuring Certificate-Based Authentication]] – [[Special:MyLanguage/Configuring_LDAP/AD_Authentication|Configuring LDAP/AD Authentication]] – [[Special:MyLanguage/Using_Access_Control_Lists|Using Access Control Lists]] – [[Special:MyLanguage/Configuring_Policy-Based_Authentication|Configuring Policy-Based Authentication]]</div></translate></noinclude>
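Review bot: Step T:59 changes the component that must be restarted manually after deactivation from "SEP sesam Server" to "SEP sesam Client", but the overview in this same revision says the change applies "After restarting SEP sesam GUI Server and Client". Because this step switches <tt>authEnabled</tt> in <tt>sm.ini</tt> and with it the active authentication mode, state explicitly which components have to be restarted before the new mode is in force, and name both if both are required. In the See also line, the first link also loses its `Special:MyLanguage/` prefix while the others keep it.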

Revision as of 12:32, 29 April 2022

Copyright © SEP AG 1999-2024. All rights reserved.

Any form of reproduction of the contents or parts of this manual is allowed only with the express written permission from SEP AG. When compiling and designing user documentation SEP AG uses great diligence and attempts to deliver accurate and correct information. However, SEP AG cannot issue a guarantee for the contents of this manual.

Welcome to the latest SEP sesam documentation version 4.4.3 Beefalo/5.0.0 Jaglion. For previous documentation version(s), check Documentation archive.


Overview

SEP sesam provides different authentication methods that are mutually exclusive: policy-based authentication and database-based authentication which can be combined with Lightweight Directory Access Protocol (LDAP) or/and Active Directory. Only one method (policy-based or database-based authentication) can be active at a time. By default, policy-based authentication is active.

Activating database-based authentication has to be done via the GUI to set the superuser/admin password. Note that superuser has replaced the former admin role with SEP sesam version 5.0.0 Jaglion.
After restarting SEP sesam GUI Server and Client, the superuser/admin (depending on the version) can configure default user access rights that are based on predefined user type. Users can connect to SEP sesam Server only if they are granted appropriate permissions. Their user rights and also displayed GUI components depend on the user type. The user type can be specified when configuring authentication. For details, see About Authentication and Authorization.

User types

As of SEP sesam version 5.0.0 Jaglion, authentication and authorization are enhanced with two new user types – superuser, which replaces the previous Admin role, and backup user. (In previous SEP sesam versions the available user types were admin, operator and restore.) SEP sesam currently provides 5 user types. The following list shows the available user types and their corresponding rights.

  • Superuser (≥ Jaglion): The only user type with full control over the SEP sesam environment (previously Admin). This user type with superuser rights is automatically assigned to the Administrator and sesam users.
  • Administrator: Administrators can administer the SEP sesam system and access the GUI objects (except permission management) if not restricted by ACLs.
  • Operator: Operators can monitor the whole environment.
  • Backup (≥ Jaglion): Backup users can access the GUI objects granted by ACLs. They are allowed to start backups.
  • Restore: Restore users can access the GUI objects granted by ACLs. They are allowed to start restores.

Which GUI components are displayed depends on the user type. For details, see Available interface options according to user type.

As of v. 5.0.0 Jaglion, it is also possible to authenticate users with a signed certificate instead of a user password if database-based authentication is enabled. For step-by-step procedure, see Configuring Certificate-Based Authentication.

Prerequisite

  • Make sure that reverse DNS resolution (from IP address to host name) is set up correctly. If the name resolution for the selected host is not correct, the connection to the GUI server fails. For details, see How to check DNS configuration.

Activating database-based authentication in the GUI

  1. In the GUI, from the menu bar select Configuration ‐> Permission Management.
  2. Click Activate Authentication. Set up the password for the Administrator user; note that this is the only way to set the administrator's password.
  3. After activating the authentication mode and confirming your action, SEP sesam GUI will restart automatically. You have to restart SEP sesam Client manually for the changes to take effect.
  4. LDAP/AD authentication is enabled by default. For details on how to configure LDAP/AD authentication, see Configuring LDAP/AD Authentication.
  5. You have to log in to configure users and add them to the selected group. The way you need to log in depends on the version. In v. ≥ 5.0.0 Jaglion log in as Administrator with the user type superuser. In earlier versions, log in with the administrator user type. The following user types are available: Administrators, Operators, Backup users (≥ 5.0.0 Jaglion), Restore users.
  6. You can create your own subgroups (e.g., SUB_ADMIN) to grant users more specific roles. Under the Groups tab, click Create New to configure a new subgroup. The Sub Group window opens.
  7. Specify a group name and from the drop-down list select the relevant role to be applied to the whole group: Administrator, Operator, Backup (in v. ≥ 5.0.0 Jaglion), or Restore. For more details, see User Roles and Permissions.
    Note
    If you want to combine LDAP/AD, you have to use the external groups. Add the group from LDAP/AD and select the Based on group option to map to this particular SEP sesam group; see Configuring LDAP authentication in the GUI.
  8. Under the Users tab, click Create New to configure a new user. The Create User window opens.
  9. Enter a name (e.g., mustermann) and a password and assign the user to the relevant group, for example, RESTORE.
  10. A user can be a member of one or more groups. Under the Groups tab, double-click the relevant group and (de)select the users to assign them to or remove them from the respective group.
  11. Now you can configure ACLs (access control lists) to specify which users or groups are granted access to a location (group of clients) or a specific client. As of v. 5.0.0 Jaglion, you can also configure ACLs for backup tasks, media pools and schedules. For details, see Using Access Control Lists.
Note
When activating database-based authentication via GUI, parameter authEnabled is changed to true in the sm.ini file. Setting the flag to false enables policy-based authentication and deactivates database-based authentication.
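
Because the note above ties the active authentication mode to a single flag in sm.ini, a periodic check of that file can catch an unintended switch back to policy-based authentication. The following is an added example, not SEP sesam code. It assumes sm.ini uses "key = value" lines with optional [section] headers and '#' or ';' comments; the section names in the sample data are constructed, since the page does not say where authEnabled is stored.

```python
"""Audit sm.ini content for the authEnabled flag (added example)."""
import re
import sys

# Assumption: "key = value" lines, optional [section] headers, and '#' or ';'
# comment lines. The page does not name the section that holds authEnabled,
# so the key is searched for in every section. Matching is case-insensitive
# so that a differently cased entry is reported rather than missed.
_KEY_RE = re.compile(r"^\s*authEnabled\s*=\s*(.*?)\s*$", re.IGNORECASE)
_SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")

DATABASE = "database-based"
POLICY = "policy-based"

# Constructed samples, not taken from a real installation.
SAMPLE_ENABLED = "# constructed sample\n[example_section]\nsomeOtherKey=value\nauthEnabled=true\n"
SAMPLE_DISABLED = "[example_section]\n# authEnabled=true\nAuthEnabled = False\n"
SAMPLE_CONFLICT = "[a]\nauthEnabled=true\n[b]\nauthEnabled=false\n"


def find_auth_flags(ini_text):
    """Return [(line_no, section, raw_value)] for every authEnabled entry."""
    hits, section = [], None
    for no, line in enumerate(ini_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue  # blank or commented-out line, e.g. "# authEnabled=true"
        m = _SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = _KEY_RE.match(line)
        if m:
            hits.append((no, section, m.group(1)))
    return hits


def audit(ini_text, expected=DATABASE):
    """Return (mode, findings); mode is None when the file is ambiguous."""
    hits = find_auth_flags(ini_text)
    findings, values = [], set()
    for no, section, raw in hits:
        if raw.lower() in ("true", "false"):
            values.add(raw.lower())
        else:
            findings.append(f"line {no} [{section}]: unrecognised value {raw!r}")
    if len(values) > 1:
        lines = ", ".join(str(no) for no, _, _ in hits)
        findings.append(f"conflicting authEnabled entries on lines {lines}")

    if not hits:
        # The page states that policy-based authentication is the default.
        mode = POLICY
        findings.append("authEnabled is not set; default mode applies")
    elif values == {"true"}:
        mode = DATABASE
    elif values == {"false"}:
        mode = POLICY
    else:
        mode = None
    if mode != expected:
        findings.append(f"active mode is {mode or 'undetermined'}, expected {expected}")
    return mode, findings


if __name__ == "__main__":
    # Usage: python audit_sm_ini.py <path to sm.ini>; the path is installation-specific.
    with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
        mode, findings = audit(fh.read())
    print(f"authentication mode: {mode or 'undetermined'}")
    for finding in findings:
        print(f"FINDING: {finding}")
    sys.exit(1 if findings else 0)
```

The script exits non-zero when the mode differs from the expected one or the flag is ambiguous, so it can be run from a scheduler or a file-integrity hook on sm.ini.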

Resetting user password

To reset the password of another user, you must have superuser/admin privileges. Resetting a password is a two-step process: the superuser/admin has to reset the password in the command line by using the sm_cmd command and then use the newly generated password to change the password in Permission Management in the GUI.

Resetting the password in the command line

4 4 3 Grolar:Administering ACLs from the Command Line/en

Changing password in the GUI

After resetting a user password with the sm_cmd reset user command, you can change the password for the respective user in the Permission Management in the GUI by using the automatically generated password from the command output. Note that only a superuser/admin user has sufficient permissions to use the Permission Management and configure users.

  1. From the menu bar select Configuration ‐> Permission Management. The Permission Management window opens.
  2. Select the user for which you want to reset the password and click Change. In our example, the user is named mustermann.
  3. In the Change User window, click Change Password.
  4. The Change Password window opens. Enter the password you obtained by resetting a password in the command line (in our example bouryper39), enter a new password and click OK.

Deactivating database-based authentication

  1. In the GUI, from the menu bar select Configuration ‐> Permission Management -> tab Activation.
  2. Click Deactivate Authentication.
  3. After deactivating the authentication mode and confirming your action, SEP sesam GUI will restart automatically. You have to restart SEP sesam Client manually for the changes to take effect.
  4. Now policy-based authentication is enabled and the flag authEnabled is set to false in the sm.ini file.