User's guide

Chapter 15 User Authorization and Access Control 261
Interaction Between Existing Groups and Role Group Mappings
In previous versions of the XgOS IMS model, groups had to be configured with an
“xg-” prefix if users of those groups would be accessing the Oracle Fabric
Interconnect. The previous model (groups with the “xg-” prefix) is still supported,
so you do not need to delete and recreate those existing groups. However, with role
group mappings, a group can be assigned to multiple roles, and as a result the users
in that group can have multiple roles. If a user is in a group under both the previous
“xg-” model and a role group mapping, the role group mapping is enforced. For
example, assume the following:
- User Greg is configured in “xg-admins” on the AD server, which maps to the
  administrator role.
- User Greg is also configured in the group “server-admins”, which has a role group
  mapping to the “server” role on the Oracle Fabric Interconnect.
In this example, the role group mapping takes precedence. When Greg logs in to the
Oracle Fabric Interconnect, he gets the server administrator role.
Interaction Between Different Role Group Mappings
When users are in an IMS system, and the Oracle Fabric Interconnect is integrated
into that IMS system, the user logs in to the Oracle Fabric Interconnect based on one
or more groups to which the user belongs. At the user’s login attempt, IMS is used
to authenticate, and if access is granted, the user’s role group is determined from
the list of groups to which the user belongs. At this point, specific rules are applied
to determine which role the user is assigned. If multiple role group mappings are
found for a user’s groups, the determination of which role group is used occurs as
follows:
1. If noaccess is present in the matched role groups, access is denied.
2. If administrators is present, that role group is used.
3. If storage, network or server is present, that role group is used.
4. If operator is present, that role group is used.
5. If no role group mapping matches for the user, the user’s role is set to operator.
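The following is an added illustration of the login role resolution described above; it is not code from the XgOS product. The group names, mapping tables and sample users are constructed, the order chosen among storage, network and server is an assumption (the text gives none), and the legacy “xg-” fallback for users who match no role group mapping is also an assumption.

```python
# Added illustration of the XgOS login role resolution described in this chapter.
# Group names, mapping tables and the sample users below are constructed.

# Precedence order stated in the chapter: a matched noaccess mapping denies
# access, then administrators, then storage/network/server, then operator.
ROLE_PRECEDENCE = ("noaccess", "administrators", "storage", "network", "server", "operator")

DEFAULT_ROLE = "operator"   # assigned when nothing matches


def resolve_role(user_groups, role_group_mappings, legacy_xg_mappings=None):
    """Return the role a user receives at login, or "noaccess" if access is denied.

    user_groups:         group names returned by IMS for the authenticated user
    role_group_mappings: {group: role} configured on the Oracle Fabric Interconnect
    legacy_xg_mappings:  {"xg-..." group: role} from the previous model (assumed
                         shape; only consulted when no role group mapping matches)
    """
    matched = {role_group_mappings[g] for g in user_groups if g in role_group_mappings}
    if matched:
        # Role group mappings win over legacy "xg-" groups. Among the functional
        # roles the chapter gives no order; taking the first listed is an assumption.
        for role in ROLE_PRECEDENCE:
            if role in matched:
                return role
    legacy_table = legacy_xg_mappings or {}
    legacy = {legacy_table[g] for g in user_groups if g in legacy_table}
    if legacy:
        # Assumption: a user with only legacy "xg-" groups keeps the legacy role.
        for role in ROLE_PRECEDENCE:
            if role in legacy:
                return role
    return DEFAULT_ROLE


# Constructed sample configuration mirroring the chapter's "Greg" example.
ROLE_GROUP_MAPPINGS = {
    "server-admins": "server",
    "net-ops": "network",
    "fi-blocked": "noaccess",
    "fi-admins": "administrators",
}
LEGACY_XG_MAPPINGS = {"xg-admins": "administrators"}   # assumed legacy table
```

Calling `resolve_role({"xg-admins", "server-admins"}, ROLE_GROUP_MAPPINGS, LEGACY_XG_MAPPINGS)` reproduces the Greg case: the “server” mapping wins over the legacy “xg-admins” group.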
When making changes to a user (such as adding a new user, or switching the user to
different groups), it is a best practice to flush the IMS cache to clear any stale
information for the user and refresh the user entry with the newest information. You
can flush the IMS cache by issuing the system flush ims command.