3PAR InForm® OS 2.3.1 Concepts Guide (320-200112 Rev B, February 2010)

4.7
LDAP Authentication and Authorization
InForm OS Version 2.3.1 3PAR InForm OS Concepts Guide
match is made, the group is then compared with the service-map parameter, and so on. For example, if a match is made for group A with the super-map parameter, the user belonging to group A is authorized with super level privileges for the system.

With this process, a user can be authenticated but not authorized: if none of the user's groups matches any of the map parameters (or the user belongs to no group at all), no privilege level is assigned and the user is denied access to the system.
4.5.3 Authorization on Systems Using 3PAR Virtual Domains

As discussed in Authorization on page 4.6, a user's group association determines that user's privileges within the system. On systems using 3PAR Virtual Domains, this process is taken one step further: the user's groups are also mapped to system domains, so the privilege level a user obtains through a given group is carried over to the domain(s) mapped to that group. The user has no privileges in domains that none of the user's groups is mapped to.

For instructions on authorizing LDAP users on systems using Domains, see Chapter 4, Managing User Accounts and Connections, in the InForm OS CLI Administrator's Manual.
Figure 4-1 illustrates the group-to-domain mapping relationship as follows:

LDAP User 1 has membership to Group B.
Group-to-privilege mapping determines that Group B has edit level privileges.
Group-to-domain mapping establishes a match between Group B and Domain A.
LDAP User 1 has edit privileges over all objects in Domain A.

Figure 4-1. Group-to-Domain Mapping Relationship

[Figure: LDAP User 1 is a member of Group B (Group A is also shown). Group B is matched by the Edit-Map and is mapped to Domain A (D.A), which contains objects D.A Obj1 through D.A Obj4. Domain B (D.B), containing objects D.B Obj1 through D.B Obj4, is also shown.]
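The following is an added example that models the two-stage decision described in this section (group-to-privilege mapping, then group-to-domain mapping) so that the Figure 4-1 scenario and the "authenticated but not authorized" case can be traced in code. It is not code from the 3PAR guide or the InForm CLI. Assumptions not stated on the page: the map parameters are consulted in the order super-map, service-map, edit-map, browse-map (browse-map is assumed to exist alongside the three named here) and the first match decides a group's level; the group-to-domain mapping is a plain dictionary; when two of a user's groups grant different levels in the same domain, the higher level wins; and on a Domains system a group with no domain mapping confers nothing.

```python
"""Model of the InForm OS LDAP authorization decision (added example).

Not code from the 3PAR guide. Assumed, not stated on the page:
  * maps are checked in order super-map, service-map, edit-map, browse-map,
    and the first map containing the group decides that group's level;
  * group_to_domain is a dict {ldap_group: (domain, ...)} (hypothetical shape);
  * if two groups grant different levels in one domain, the higher wins;
  * on a Domains system a group with no domain mapping grants nothing.
"""

from dataclasses import dataclass, field

# Privilege levels from highest to lowest. The page names super-map,
# service-map and edit-map; browse-map is an assumption.
LEVELS = ("super", "service", "edit", "browse")

# Key used for the system-wide grant when Virtual Domains are not in use.
SYSTEM = "system"


@dataclass(frozen=True)
class AuthParams:
    """Group-to-privilege maps plus the optional group-to-domain map."""
    super_map: frozenset = frozenset()
    service_map: frozenset = frozenset()
    edit_map: frozenset = frozenset()
    browse_map: frozenset = frozenset()
    group_to_domain: dict = field(default_factory=dict)  # hypothetical shape

    def level_for_group(self, group):
        """Walk the maps from super-map downward; the first hit wins.
        Returns None when the group appears in no map."""
        ordered = (
            ("super", self.super_map),
            ("service", self.service_map),
            ("edit", self.edit_map),
            ("browse", self.browse_map),
        )
        for level, members in ordered:
            if group in members:
                return level
        return None


def authorize(groups, params):
    """Return {domain: level} for a user whose LDAP groups are `groups`.

    Without Virtual Domains the single key SYSTEM carries the user's
    system-wide level. An empty result means the user was authenticated
    but matched no map parameter, and so is denied access.
    """
    grants = {}
    domains_in_use = bool(params.group_to_domain)
    for group in groups:
        level = params.level_for_group(group)
        if level is None:
            continue  # this group confers no privilege
        if domains_in_use:
            # Privilege through this group carries over only to the
            # domain(s) mapped to it (assumed: unmapped group grants nothing).
            targets = params.group_to_domain.get(group, ())
        else:
            targets = (SYSTEM,)
        for domain in targets:
            current = grants.get(domain)
            if current is None or LEVELS.index(level) < LEVELS.index(current):
                grants[domain] = level
    return grants


def is_denied(groups, params):
    """True when the user authenticates but no group grants any privilege."""
    return not authorize(groups, params)


if __name__ == "__main__":
    # Constructed sample mirroring Figure 4-1: Group B is in the edit-map
    # and is mapped to Domain A; Domain B exists but is not mapped to it.
    fig41 = AuthParams(
        super_map=frozenset({"Group A"}),
        edit_map=frozenset({"Group B"}),
        group_to_domain={"Group B": ("Domain A",)},
    )
    print(authorize(["Group B"], fig41))        # {'Domain A': 'edit'}
    print(is_denied(["Group Z"], fig41))        # True: authenticated, not authorized
```

Running the sample shows LDAP User 1 receiving edit in Domain A and nothing in Domain B, and a user whose only group matches no map being denied outright. The ordering in `LEVELS` and the "higher level wins" rule are the two places to check against the CLI Administrator's Manual before relying on this model for a real configuration.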