Manualshelf

HP 3PAR InForm OS 3.1.1 Concepts Guide

ManualsBrandsHP ManualsSoftwareHP 3PAR Operating System Software
21222324252627282930
Each group to which a user is a member is compared against the mapping parameters. Mapping
occurs sequentially with a group first compared to the super-map parameter. If no match is made,
the group is then compared with the service-map parameter, and so on. For example, if a match
is made for group A with the super-map parameter, the user belonging to group A is authorized
with Super rights to the system.
With this process, a user can be authenticated, but not authorized if no group membership exists.
In this case, the user is subsequently denied access to the system.
Authorization on Systems Using Virtual Domains
As discussed in Authorization (page 23), a user’s group association determines that user’s role
within the system. On systems using virtual domains, this process is taken one step further where
the user’s groups are mapped to system domains. Therefore, the user’s role within a specific group
is carried over to the domain(s) mapped to that group. For instructions on authorizing LDAP users
on systems using Domains, see Chapter 4, Managing User Accounts and Connections in the InForm
OS CLI Administrator’s Manual.
The group-to-domain mapping relationship:
LDAP User 1 has membership to Group B.
Group-to-role mapping determines that Group B uses the Edit role.
Group-to-domain mapping establishes a match between Group B and Domain A.
LDAP User 1 has Edit role access to all objects in Domain A.
24 LDAP