Source:About Authentication and Authorization: Difference between revisions

From SEPsesam
(Removed draft (reviewed by KAD) and fixed translation tags.)
(Marked this version for translation)

Revision as of 12:14, 20 October 2021


Copyright © SEP AG 1999-2024. All rights reserved.

Any form of reproduction of the contents or parts of this manual is allowed only with the express written permission from SEP AG. When compiling and designing user documentation SEP AG uses great diligence and attempts to deliver accurate and correct information. However, SEP AG cannot issue a guarantee for the contents of this manual.

Welcome to the latest SEP sesam documentation version 5.0.0 Jaglion. For previous documentation version(s), check Authentication in previous versions.


Overview

SEP sesam operations, such as backup and restore, can only be performed by users who have the appropriate permissions. The SEP sesam v. 5.0.0 authentication concept, which is used to grant and restrict access to SEP sesam Server(s) and specific objects, has changed. Now only a user with Superuser privileges can configure authentication and attach permissions (ACLs) to created users.

Access to SEP sesam is a two-step process. First, the identity of a user accessing a SEP sesam Server is authenticated by verifying the user credentials (username and password). After successful authentication, SEP sesam checks whether the authenticated user has the appropriate permissions (authorization) to access a specific resource or operation within the SEP sesam Server.

Authorization is implemented through permissions based on the user type, which determine the connection to the SEP sesam Server and the available GUI objects. Additionally, a user with Superuser privileges can define custom user roles by configuring ACLs.

Authentication methods

After the initial installation of SEP sesam, no users are configured except the Superuser. SEP sesam provides the following authentication methods, which are mutually exclusive (and may be version dependent): database-based authentication, which is simply called authentication, and policy-based authentication. By default, policy-based authentication is active; only one authentication method can be active at a time.

Note: You can bypass authentication on the local server for all users by setting the localFullAccess parameter in the <SESAM_ROOT>/var/ini/sm.ini file to true, as described in the section below.

Database-based authentication

Database-based authentication allows Superusers to configure users and grant them the appropriate permissions to perform SEP sesam operations by setting individual passwords and assigning users to the appropriate user group.

You can use LDAP/AD authentication in combination with database-based authentication. In this way, SEP sesam can authenticate users against an external LDAP/AD directory. If LDAP/AD authentication is enabled in SEP sesam and users are correctly mapped, they can log in to SEP sesam according to their entry in the LDAP/AD directory and the user mapping information. For details, see Configuring LDAP/AD Authentication.

If database-based authentication is enabled, users can also authenticate with a signed certificate by simply selecting a (signed) certificate at login instead of entering a password. Note that a signed certificate can only be used for internal groups, while users from external authentication sources (LDAP/AD) can only be authenticated with a password. For details, see Configuring Certificate-Based Authentication.

The assigned user group (based on user type) determines the actions that the group members can perform. Database-based authentication can be enabled from the GUI by activating authentication under Configuration -> Permission Management. This is the only way to set the password for the Superuser (Administrator).

When database-based authentication is enabled, the authEnabled parameter in the <SESAM_ROOT>/var/ini/sm.ini file on the SEP sesam Server is set to true. For details on database-based permissions, see Configuring Database-Based Authentication.

Policy-based authentication

Policy-based authentication represents a traditional approach to managing user privileges. The SEP sesam GUI is based on Java and uses the sm_java.policy file to grant the required permissions. The policy file is located at <SESAM_ROOT>/var/ini/sm_java.policy, where <SESAM_ROOT> is the pathname of the SEP sesam home directory.

For policy-based authentication, the permissions are assigned to the user/host combination in the sm_java.policy file. You can also grant users the required permissions in the GUI: Main Selection -> Configuration -> User Permissions. For details on policy-based permissions, see Configuring Policy-Based Authentication.

Configuring localFullAccess in sm.ini

localFullAccess determines whether a user logged in on the SEP sesam Server is allowed to use the SEP sesam CLI and GUI without any authentication. If set to true, authentication is not required. If set to false, authentication is mandatory for all users, and SEP sesam prompts for a username and password at login.

If database-based authentication is enabled, the localFullAccess flag is automatically set to false. A certificate is then passed from the SEP sesam command line to the SEP sesam Server, where it is verified. The certificate file is stored in <SESAM_ROOT>/var/ini/ssl.

Note:
  • On Unix, only the system root user can access this directory and use the command line without authentication.
  • On Windows, use Windows User Account Control (UAC) to restrict access to the certificate file.

How to change the localFullAccess flag

  1. Locate the <SESAM_ROOT>/var/ini/sm.ini file on the SEP sesam Server (where <SESAM_ROOT> is the pathname of the SEP sesam home directory). Open the sm.ini file using a text editor and set the flag for the localFullAccess parameter to true.
  2. Once you have changed the settings, save your changes and restart the SEP sesam Server for the changes to take effect. The sm.ini file is preserved when you upgrade your SEP sesam Server.
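As an added example (not SEP AG code), the following Python audit reads the two authentication flags this section describes, localFullAccess and authEnabled, from an sm.ini and reports whether the local authentication bypass is active. It assumes sm.ini is a plain key=value file with optional [section] headers and ';' or '#' comments; the documentation does not specify the file format, and the sample contents are constructed.

```python
"""Audit the authentication flags in a SEP sesam sm.ini.

Added example, not SEP AG code. Assumption: sm.ini is a key=value file
(optionally with [section] headers and ';' / '#' comments). Only the
parameter names localFullAccess and authEnabled come from the documentation.
"""
from __future__ import annotations

TRUE_VALUES = {"true", "1", "yes", "on"}


def parse_ini(text: str) -> dict[str, str]:
    """Flatten INI-style text into {lower-case key: value}.

    Section headers are skipped on purpose: the documentation names the
    parameters without a section, so we match on the key name alone.
    """
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#[" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip()
    return settings


def is_true(value: str | None) -> bool:
    """Accept the usual spellings of a boolean 'true' (assumed, not documented)."""
    return value is not None and value.lower() in TRUE_VALUES


def audit_sm_ini(text: str) -> dict[str, object]:
    """Return the effective authentication posture and a list of findings."""
    s = parse_ini(text)
    local_full_access = is_true(s.get("localfullaccess"))
    auth_enabled = is_true(s.get("authenabled"))
    findings: list[str] = []

    # authEnabled=true means database-based authentication; the documentation
    # states that policy-based authentication is active otherwise (default).
    method = "database-based" if auth_enabled else "policy-based"

    if local_full_access:
        findings.append(
            "localFullAccess=true: any user logged in on the SEP sesam Server "
            "can use the CLI and GUI without authentication"
        )
    if local_full_access and auth_enabled:
        # Enabling database-based authentication is documented to set
        # localFullAccess to false, so both being true points to a manual
        # edit that re-opened the bypass and deserves review.
        findings.append(
            "authEnabled=true together with localFullAccess=true: enabling "
            "database-based authentication resets localFullAccess to false, "
            "so this combination indicates a manual override"
        )
    return {"method": method, "local_bypass": local_full_access, "findings": findings}


# Constructed sample contents, not real SEP sesam files.
SAMPLE_WEAK = """\
; constructed sm.ini excerpt (weak: local bypass re-enabled)
authEnabled=true
localFullAccess=true
"""

SAMPLE_HARDENED = """\
; constructed sm.ini excerpt (expected state with database-based auth)
authEnabled=true
localFullAccess=false
"""

if __name__ == "__main__":
    for name, sample in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        result = audit_sm_ini(sample)
        state = "BYPASS ACTIVE" if result["local_bypass"] else "ok"
        print(f"{name}: method={result['method']} {state}")
        for finding in result["findings"]:
            print("  -", finding)
```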

Implementing authentication and authorization

After enabling the appropriate authentication method (database-based or policy-based authentication as described above), perform the following steps to manage users and implement authentication and authorization:

  1. Create new users.
  2. Add users to groups.
  3. Assign user types (roles) to the new users.
  4. In addition to user roles (and permissions based on the user type), there are several user permissions (ACLs) that you can set (assign to a role) to control access to specific resources or operations.

[Figure: Authentication and authorization concept]

Managing users

Once authentication is enabled, you can create new users and add them to groups (Superuser, Admin, Backup, Restore, or Operator). Each user type (role) represents a specific role in SEP sesam with associated permissions (e.g. Superuser has full control over SEP sesam). The permissions based on the selected user type (default permissions) control access to the SEP sesam Server, to specific resources and operations, and to the available GUI options.

Note that the procedure for managing users differs depending on the authentication method selected, so make sure you follow the appropriate procedure:

  • For database-based authentication, see Configuring Database-Based Authentication.
  • For policy-based authentication, see Configuring Database-Based Authentication.
  • For LDAP/AD authentication, see Configuring LDAP/AD Authentication.

Attaching user permissions

In addition to the default permissions (described above) based on the selected user type, you can also set custom user roles by configuring ACLs if you have Superuser privileges. For more details on permissions, see User Roles and Permissions.

ACLs allow you to configure permissions for each user or group with fine-grained access rights for locations, clients, backup tasks (or groups), media pools, and schedules. For example, if you assign the Restore user permission to a specific backup task, that user can start the task-specific backup. For more information, see Using Access Control Lists.