About Authentication and Authorization

From SEPsesam
Revision as of 16:56, 5 July 2021 by Sta (New authentication and authorization concept, in progress.)

Copyright © SEP AG 1999-2022. All rights reserved.

Any form of reproduction of the contents or parts of this manual is allowed only with the express written permission from SEP AG. When compiling and designing user documentation SEP AG uses great diligence and attempts to deliver accurate and correct information. However, SEP AG cannot issue a guarantee for the contents of this manual.

This page is a draft. Treat the information on this page with caution as it may be incomplete.

Welcome to the latest SEP sesam documentation version 5.0.0 Jaglion. For previous documentation version(s), check Authentication in previous versions.


SEP sesam introduces a new authorization concept to grant and restrict access to the SEP sesam Server and to specific objects. Only a user with superuser privileges can configure authentication and attach permissions (ACLs) to the created users. Authentication is the first step of authorization: the identity of a user accessing the SEP sesam Server is first authenticated by verifying the user's credentials (username and password).

Once authentication succeeds, authorization starts: SEP sesam validates whether the authenticated user has the appropriate permissions to access a specific resource or perform a specific operation within the SEP sesam Server.

Authorization is implemented through permissions based on the user type (which defines the connection to the SEP sesam Server and the GUI objects displayed) and Access Control Lists (ACLs), which define which users or groups are granted access to specific objects.

Authentication methods

After the initial installation of SEP sesam, no users are configured except the superuser. Depending on the version, SEP sesam provides two mutually exclusive authentication methods: database-based authentication (simply called authentication) and policy-based authentication. By default, policy-based authentication is active. Only one authentication method can be active at any time.

Note
You can bypass authentication on the local server for all users by setting the parameter localFullAccess in the <SESAM_ROOT>/var/ini/sm.ini file to true, as described in the section Configuring localFullAccess in sm.ini below.

Database-based authentication

SEP sesam provides database-based authentication, which allows superusers to configure users and grant them the appropriate permissions to perform SEP sesam operations by setting individual passwords and assigning users to the relevant user group.

You can use LDAP/AD authentication in combination with database-based authentication. This way SEP sesam can authenticate users against an external LDAP/AD directory. If LDAP/AD authentication is enabled in SEP sesam and the users are mapped correctly, they can log in to SEP sesam according to their entry in the LDAP/AD directory and the user mapping information. For details, see Configuring LDAP/AD Authentication.

In v. ≥ 5.0.0 Jaglion, you can also authenticate users via a signed certificate instead of a password if database-based authentication is enabled. This means that you can select a (signed) certificate instead of entering a password during login. Users from external authentication sources (LDAP/AD) cannot be authenticated with a certificate, only with a password. For details, see Configuring Certificate-Based Authentication.

The assigned user group (based on the user type) determines the actions that the group members can perform. Database-based authentication can be enabled from the GUI by activating authentication under Configuration -> Permission Management. This is the only way to set the password for the Administrator.

If database-based authentication is activated via the GUI, the authEnabled parameter is set to true in the <SESAM_ROOT>/var/ini/sm.ini file on the SEP sesam Server. For details on database-based permissions, see Configuring Database-Based Authentication.

Policy-based authentication

Policy-based authentication represents the traditional approach to managing user permissions. The SEP sesam GUI is based on Java and uses the sm_java.policy file to grant the required permissions. The policy file is by default located at <SESAM_ROOT>/var/ini/sm_java.policy, where <SESAM_ROOT> is the pathname of the SEP sesam home directory.

With policy-based authentication, permissions are assigned to user/host combinations in the sm_java.policy file. You can also grant users the required permissions via the GUI: Main Selection -> Configuration -> User Permissions. For details on policy-based permissions, see Configuring Policy-Based Authentication.

Configuring localFullAccess in sm.ini

localFullAccess defines whether a user who is logged in to the SEP sesam Server directly may use the SEP sesam CLI and GUI without any authentication. If set to true, no authentication is required. If set to false, authentication is mandatory for all users and SEP sesam prompts for a username and password at login.

If database-based authentication is enabled, the localFullAccess flag is set to false automatically. A certificate is passed from the SEP sesam command line to the SEP sesam Server, where it is verified. The certificate file is stored in <SESAM_ROOT>/var/ini/ssl.

Note
  • On Unix, only the system root user can access this directory and use the command line without authentication.
  • On Windows, use Windows User Account Control (UAC) to limit access to the certificate file.

How to change the localFullAccess flag

  1. Locate the <SESAM_ROOT>/var/ini/sm.ini file on the SEP sesam Server (where <SESAM_ROOT> is the pathname of the SEP sesam home directory). Open the sm.ini file in a text editor and set the localFullAccess parameter to true.
  2. Save your changes and restart the SEP sesam Server for the change to take effect. The sm.ini file is preserved when you upgrade your SEP sesam Server.
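Because localFullAccess=true removes the authentication step entirely for anyone who can log in on the server host, an administrator will want a quick way to audit the setting after an upgrade or a manual edit. The following Python script is an added example, not SEP AG's code: it reads an sm.ini file and reports the two parameters described on this page, localFullAccess and authEnabled. The section header and the sample file contents are constructed; the only assumption about the real file is that it contains key=value lines, and a missing localFullAccess key is treated as false (an assumption, since the page does not state the default).

```python
import re
import sys

# Matches "key = value" lines; section headers and comments are skipped by the caller.
KEY_VALUE_RE = re.compile(r"^\s*([A-Za-z_]\w*)\s*=\s*(.*?)\s*$")

# Constructed sample files; the section name is a placeholder, not a real sm.ini section.
WEAK_SM_INI = """\
[PLACEHOLDER_SECTION]
localFullAccess=true
authEnabled=false
"""

HARDENED_SM_INI = """\
[PLACEHOLDER_SECTION]
localFullAccess = false
authEnabled = true
"""


def parse_ini_flags(text):
    """Return a dict of lower-cased key -> raw value for every key=value line.

    Section headers, blank lines and comments are ignored, so the lookup works
    regardless of which section the key lives in.
    """
    flags = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", ";", "[")):
            continue
        match = KEY_VALUE_RE.match(line)
        if match:
            flags[match.group(1).lower()] = match.group(2)
    return flags


def as_bool(value, default=False):
    """Interpret an ini value as a boolean; a missing key yields `default` (assumption)."""
    if value is None:
        return default
    return value.strip().lower() in ("true", "1", "yes", "on")


def assess_sm_ini(text):
    """Evaluate the authentication-related flags and return findings for the administrator."""
    flags = parse_ini_flags(text)
    local_full_access = as_bool(flags.get("localfullaccess"))
    auth_enabled = as_bool(flags.get("authenabled"))
    findings = []
    if local_full_access:
        findings.append(
            "localFullAccess=true: users logged in on the server host can use the "
            "CLI and GUI without authenticating"
        )
    if not auth_enabled:
        findings.append(
            "authEnabled is not true: database-based authentication is not active "
            "(policy-based authentication or no authentication is in effect)"
        )
    if local_full_access and auth_enabled:
        findings.append(
            "inconsistent state: enabling database-based authentication is documented "
            "to set localFullAccess to false; the file may have been edited by hand"
        )
    return {
        "localFullAccess": local_full_access,
        "authEnabled": auth_enabled,
        "local_auth_required": not local_full_access,
        "findings": findings,
    }


def scan_file(path):
    """Read an sm.ini from disk and assess it (e.g. <SESAM_ROOT>/var/ini/sm.ini)."""
    with open(path, encoding="utf-8", errors="replace") as handle:
        return assess_sm_ini(handle.read())


if __name__ == "__main__":
    # Pass the path to sm.ini as the first argument; without one, the constructed weak sample is assessed.
    result = scan_file(sys.argv[1]) if len(sys.argv) > 1 else assess_sm_ini(WEAK_SM_INI)
    for finding in result["findings"] or ["no findings: local access requires authentication"]:
        print(finding)
```

The third finding covers the case the page describes in reverse: the GUI sets localFullAccess to false when database-based authentication is activated, so seeing both flags true at once points to a hand edit that reopened the local bypass.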

Implementing authentication and authorization

After enabling the appropriate authentication method (database-based or policy-based authentication) described above, the following steps are required to implement authentication and authorization:

  1. Create new users.
  2. Add users to the groups (superuser, admin, backup, restore, or operator).
  3. Assign user types (roles) to the new users.
  4. In addition to user roles (and the permissions based on the user type), there are several user permissions (ACLs) that you can set (attach to a role) to control access to specific resources or operations.
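To make the two-stage model concrete (authentication first, then authorization through the user's group and the object's ACL, as described at the top of this page), here is a small Python model. It is an added example, not SEP sesam's implementation: the group names are the ones listed in step 2, but the actions allowed per group, the PBKDF2 password hashing, the fingerprint-string comparison standing in for real certificate verification, and all users, objects and ACL entries are constructed assumptions. It does encode one rule the page states for v. ≥ 5.0.0: users from an external LDAP/AD source cannot authenticate with a certificate.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Group names from the page; the set of actions per group is an illustrative assumption.
GROUP_ACTIONS = {
    "superuser": {"*"},
    "admin": {"configure", "backup", "restore", "view"},
    "backup": {"backup", "view"},
    "restore": {"restore", "view"},
    "operator": {"view"},
}


@dataclass
class User:
    name: str
    group: str                  # user type / group from GROUP_ACTIONS
    source: str = "db"          # "db" (SEP sesam database) or "ldap" (external LDAP/AD)
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    pw_hash: bytes = b""
    cert_fingerprint: str = ""  # certificate login is only offered to "db" users


def hash_password(password, salt):
    """Salted PBKDF2; stands in for whatever the real server uses (assumption)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_user(name, group, password, source="db", cert_fingerprint=""):
    user = User(name=name, group=group, source=source, cert_fingerprint=cert_fingerprint)
    user.pw_hash = hash_password(password, user.salt)
    return user


# Constructed sample directory. For simplicity the LDAP user also carries a local
# hash here; a real deployment would bind against the directory instead.
DIRECTORY = {
    u.name: u
    for u in (
        make_user("alice", "superuser", "alice-pw-CONSTRUCTED"),
        make_user("bob", "backup", "bob-pw-CONSTRUCTED", cert_fingerprint="SHA256:CONSTRUCTED-BOB"),
        make_user("carol", "restore", "carol-pw-CONSTRUCTED", source="ldap"),
    )
}

# Constructed ACLs: object -> principals (user names or "group:<name>") granted access.
ACLS = {
    "client:fileserver01": ["bob", "group:restore"],
    "client:dbserver02": ["group:backup"],
}


def authenticate(directory, name, password=None, cert_fingerprint=None):
    """Step 1: establish identity. Returns the User, or None when the credentials fail."""
    user = directory.get(name)
    if user is None:
        return None
    if cert_fingerprint is not None:
        # Rule from the page: LDAP/AD users cannot log in with a certificate.
        if user.source != "db" or not user.cert_fingerprint:
            return None
        matched = hmac.compare_digest(user.cert_fingerprint.encode(), cert_fingerprint.encode())
        return user if matched else None
    if password is None:
        return None
    candidate = hash_password(password, user.salt)
    return user if hmac.compare_digest(user.pw_hash, candidate) else None


def authorize(user, acls, obj, action):
    """Step 2: check the authenticated user's group permissions, then the object's ACL."""
    allowed = GROUP_ACTIONS.get(user.group, set())
    if "*" in allowed:           # superuser: every action on every object
        return True
    if action not in allowed:    # the user type does not permit this action at all
        return False
    principals = acls.get(obj, ())
    return user.name in principals or ("group:" + user.group) in principals


def access(directory, acls, name, obj, action, password=None, cert_fingerprint=None):
    """Authentication first, authorization second; both must succeed."""
    user = authenticate(directory, name, password=password, cert_fingerprint=cert_fingerprint)
    return user is not None and authorize(user, acls, obj, action)
```

The ordering in access() is the point: an ACL is never consulted for an unauthenticated caller, and a user type that lacks the action fails before any object-level grant is looked at, so attaching an ACL to a role widens access only within what that role's user type already permits.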

[Figure: Authentication and authorization concept]