Configuring Policy-Based Authentication

From SEPsesam
Revision as of 11:15, 22 March 2022 by Sta (talk | contribs) (Corrected links.)

Copyright © SEP AG 1999-2022. All rights reserved.


Welcome to the latest SEP sesam documentation version 4.4.3 Beefalo V2/5.0.0 Jaglion. For previous documentation version(s), check Documentation archive.


Overview

SEP sesam provides different authentication methods that are mutually exclusive: policy-based authentication and database-based authentication. The latter can be used in combination with LDAP/AD authentication or to enable authentication with a signed certificate (≥ 5.0.0 Jaglion).

Only one authentication method can be active at a time. By default, policy-based authentication is active.

Policy-based authentication uses the sm_java.policy file to grant the required permissions. You can configure it either by editing the policy file directly or by using the GUI to configure the user access rights by specifying the user type (role).


SEP sesam currently provides 5 user types. The following list shows the available user types and their corresponding rights.

  • Superuser (≥ Jaglion): The only user type with full control over the SEP sesam environment (previously Admin). This user type with superuser rights is automatically assigned exclusively to the Administrator user when database-based authentication is activated. If policy-based authentication is enabled, this user type with superuser rights is assigned to the Administrator, root and sesam users.
  • Administrator: Administrators can administer the SEP sesam system and access the GUI objects (except permission management) if not restricted by ACLs.
  • Operator: Operators can monitor the whole environment.
  • Backup (≥ Jaglion): Backup users can access the GUI objects granted by ACLs. They are also allowed to start backups and restores.
  • Restore: Restore users can access the GUI objects granted by ACLs. They are only allowed to start standard restores.

Note that the displayed GUI components depend on the user type. For details, see Available interface options according to user type.

Prerequisites

  • The authentication module is version-dependent; it is configured in the <SESAM_ROOT>/var/ini/sm.ini file on the SEP sesam Server. By default, policy-based authentication is already active, so no settings need to be changed.
  • Make sure that reverse DNS resolution (from IP address to host name) is set up correctly. If the name resolution for the selected host is not correct, the connection to the GUI server fails. For details, see How to check DNS configuration.

Steps

Select one of the following methods to configure policy-based authentication.

Editing sm_java.policy

The sm_java.policy file is by default located at <SESAM_ROOT>/var/ini/sm_java.policy, where <SESAM_ROOT> is the pathname of the SEP sesam home directory.

  1. Open the sm_java.policy file with a text editor.
  2. Under the section // SEP, specify the role permissions. The assignment of permissions is user- and host-specific. A permission entry begins with the word permission and is structured as follows:

     permission de.sep.sesam.gui.server.<permission_type> "<user_name>@<host_name>";

     For example:

     permission de.sep.sesam.gui.server.AdminPermission "admin@veteranix";
     permission de.sep.sesam.gui.server.AdminPermission "kd@veteranix";
     permission de.sep.sesam.gui.server.OperatorPermission "operator@veteranix";
     permission de.sep.sesam.gui.server.RestorePermission "restore@veteranix";

     A wildcard value "*" can also be used to assign permissions to all users of a specific host:

     permission de.sep.sesam.gui.server.OperatorPermission "*@veteranix";

     or to a user accessing the SEP sesam Server from any host:

     permission de.sep.sesam.gui.server.AdminPermission "Administrator@*";

     Web applications use the name dashboard to authenticate to the GUI server:

     permission de.sep.sesam.gui.server.OperatorPermission "dashboard@*";

  3. After you have changed and saved the sm_java.policy file, restart the SEP sesam GUI for the changes to take effect.
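Because every entry in sm_java.policy is a separate, possibly wildcarded grant, the rights a given user ends up with are the union of all matching lines. The following Python script is an added example (not part of SEP sesam or this page) that parses entries in the format shown above, computes the effective permissions for a user@host pair, and flags grants worth confirming during a policy review; the matching rule (exact match or "*") and the sample policy are assumptions modelled on the examples above.

```python
import re
from typing import NamedTuple

# Grammar of one sm_java.policy entry as described on this page:
#   permission de.sep.sesam.gui.server.<permission_type> "<user_name>@<host_name>";
ENTRY_RE = re.compile(
    r'^\s*permission\s+de\.sep\.sesam\.gui\.server\.(\w+)\s+"([^"@]+)@([^"@]+)"\s*;\s*$'
)

class Grant(NamedTuple):
    permission: str   # e.g. "AdminPermission"
    user: str         # user name or "*"
    host: str         # host name or "*"

def parse_policy(text: str) -> list[Grant]:
    """Extract permission grants; // comment lines and unrelated lines are skipped."""
    grants = []
    for line in text.splitlines():
        if line.strip().startswith("//"):
            continue
        m = ENTRY_RE.match(line)
        if m:
            grants.append(Grant(*m.groups()))
    return grants

def _matches(pattern: str, value: str) -> bool:
    # Assumption: "*" matches any value; otherwise an exact, case-sensitive match.
    return pattern == "*" or pattern == value

def effective_permissions(grants: list[Grant], user: str, host: str) -> set[str]:
    """All permission types that apply to user@host, wildcard grants included."""
    return {g.permission for g in grants
            if _matches(g.user, user) and _matches(g.host, host)}

def audit_broad_grants(grants: list[Grant]) -> list[str]:
    """Flag grants a policy review should confirm: entries wildcarded on both
    user and host, and admin rights that are not tied to a specific host."""
    findings = []
    for g in grants:
        if g.user == "*" and g.host == "*":
            findings.append(f"{g.permission} granted to every user from every host")
        elif g.permission == "AdminPermission" and g.host == "*":
            findings.append(f"AdminPermission for {g.user} is not host-restricted")
    return findings

# Constructed sample policy, modelled on the entries shown on this page.
SAMPLE_POLICY = """\
// SEP
permission de.sep.sesam.gui.server.AdminPermission "admin@veteranix";
permission de.sep.sesam.gui.server.OperatorPermission "*@veteranix";
permission de.sep.sesam.gui.server.AdminPermission "Administrator@*";
permission de.sep.sesam.gui.server.OperatorPermission "dashboard@*";
"""
```

Call parse_policy() on the contents of your own sm_java.policy, then effective_permissions() for the user@host pairs you want to verify and audit_broad_grants() to list the wildcard entries.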

Configuring policy-based authentication in GUI

  1. In the GUI, from the menu bar select Configuration -> User Permissions.

     (Image: User permissions, Beefalo V2)

  2. Click New to open the New Users Permissions window and configure the user permissions. Use the drop-down lists to select the user and/or client and the user type (Admin, Operator, Backup (≥ Jaglion), or Restore).

     (Image: New users permission, Beefalo V2)


Troubleshooting

If you have problems logging in after updating to 5.0.0, see Troubleshooting Authentication.