With LDAP authorization enabled, you can assign sessions and packages to an individual user, a group of users, or a specific folder in your LDAP directory.
When multiple LDAP servers are configured, search for users or groups within a domain.
Determine who should have access.
Verify or select the.
To assign sessions or packages to All users within the selected domain, keep that Search result selected, and skip to step 5.
When LDAP authorization is enabled, you can search for and assign access to specific users, groups, or folders in that domain. When LDAP authorization is not enabled, access to sessions or packages can be assigned only to All Users.
NOTE: The Search Base and Groups/Folders options are based on the LDAP server configuration. You will see either Groups OR Folders.
To search, select an option, enter a name, or enter the asterisk (*) wildcard or a combination of * and letters in the text box.
Click or add to narrow your search using the available filters. Click .
In the search results, find and click the name of the user, group, or folder.
Click to see this user or group’s attributes and the groups from which they can inherit access. A group’s Details also include the members of that group.
Or, click to change the search attributes or to search for another user.
For the selected user or group of users, continue with Assign Sessions or Packages.
Determine which sessions or packages this user or group is entitled to access.
Check the Sessions or Packages you want to make available to the selected user or group.
NOTE: You can assign access by inheritance. See these examples.
An asterisk (*) next to the Session name denotes that a user has inherited access to that session by being a member in a group.
For example: JohnUser is a member of Group A. If you assign Session1 to Group A, then JohnUser inherits access to Session1. When viewing JohnUser’s assigned sessions, an asterisk appears next to Session1.
To remove a user’s access to an inherited session, click the User, and clear the check box (below the list of sessions).
Granting access to All users means granting access to the search base, and every user inherits that access. Such access is extended to individual users only when the option is checked.
Sessions cannot be assigned to Active Directory primary groups (such as Domain users).
Select or clear the option to.
When checked, the selected user or group has access to the MSS Administrative Console.
The option is used for Automated Sign-on to a Mainframe, including Reflection/InfoConnect Desktop - Workspace Automated Sign-on sessions.
To assign an automated sign-on session, click . Then continue with Select the source of the mainframe user name.
Click to save your assigned sessions.
Repeat the steps to Search & Assign sessions to a different user or group.
In the list of available sessions to assign, the option displays when Automated Sign-On for Mainframe is activated.
NOTE: To recap, the configuration of Automated Sign-On for the Mainframe requires:
The Automated Sign-On for Mainframe Add-On product is installed and configured on the Host Access Management and Security Server.
A session to the mainframe was created with a log-in macro, as detailed in the Automated Sign-on for Mainframe - Administrator Guide.
The session is assigned to the appropriate user or group. (The session cannot be inherited.)
The method for obtaining the mainframe user name is selected (after you click).
(continuing from Assign Sessions step 3)
When you click , the panel opens, identifying the selected user and the session that you want them to automatically log on to.
Choose the method to derive the mainframe user name:
This default must be changed for automated sign-on.
Select this option to request a PassTicket from DCAS by deriving the mainframe user name from the User Principal Name (UPN) of the user. The UPN is typically available from a smart card or client certificate, and is a standard attribute in Active Directory servers.
A UPN is formatted as an internet-style email address, such as email@example.com, and Management and Security Server derives the mainframe user name as the short name preceding the '@' symbol.
Select this option to perform a lookup in the LDAP directory (defined in Authentication & Authorization) and return the value of the entered attribute as the mainframe user name.
Enter the LDAP attribute. Note: All LDAP attributes must meet these criteria:
must begin with an alpha character
no more than 50 characters
any alphanumeric character or a hyphen is permitted
When using a secondary LDAP directory, you can use this search filter to find the user object in the secondary LDAP directory. The value is returned as the mainframe user name.
Note the criteria for LDAP attributes, listed above.
This option is available for sessions assigned to users, but not groups. This method is typically used for testing, not for production.
Enter a value that meets these criteria:
up to eight alphanumeric characters
no other characters
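As an added example (not part of this documentation and not MSS's own code), the three ways described above of deriving the mainframe user name, together with the stated criteria for LDAP attribute names and literal values, written as plain Python checks. The directory entry and the sample names are constructed for illustration.

```python
import re

# Attribute-name criteria from the page: begins with an alpha character,
# then alphanumerics or hyphens, no more than 50 characters in total.
LDAP_ATTR_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]{0,49}$")
# Literal-value criteria from the page: up to eight alphanumerics, nothing else.
LITERAL_RE = re.compile(r"^[A-Za-z0-9]{1,8}$")


def mainframe_user_from_upn(upn: str) -> str:
    """UPN method: the mainframe user name is the short name before the '@'."""
    if "@" not in upn:
        raise ValueError(f"not a UPN (no '@' present): {upn!r}")
    short, _domain = upn.split("@", 1)  # everything preceding the first '@'
    if not short:
        raise ValueError(f"UPN has an empty short name: {upn!r}")
    return short


def is_valid_ldap_attribute(name: str) -> bool:
    """Check an attribute name against the three criteria listed on the page."""
    return LDAP_ATTR_RE.fullmatch(name) is not None


def is_valid_literal(value: str) -> bool:
    """Check a literal (testing-only) user name: 1-8 alphanumerics, no other characters."""
    return LITERAL_RE.fullmatch(value) is not None


def mainframe_user_from_ldap(entry: dict, attribute: str) -> str:
    """LDAP-attribute method: return the named attribute's value from a directory entry.

    `entry` is a constructed dict standing in for the user object returned by the
    directory search; multi-valued attributes are lists, and the first value is used.
    """
    if not is_valid_ldap_attribute(attribute):
        raise ValueError(f"attribute name does not meet the criteria: {attribute!r}")
    value = entry.get(attribute)
    if not value:
        raise LookupError(f"attribute {attribute!r} is not present on the user object")
    return value if isinstance(value, str) else value[0]


# Constructed sample user object (not real directory data).
SAMPLE_ENTRY = {
    "sAMAccountName": "juser",
    "userPrincipalName": "juser@example.com",
    "mail": ["juser@example.com"],
}
```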
If you configured multiple DCAS servers, select the one to use for this automated sign-on session.
An asterisk (*) appears next to your preferred DCAS server; however, you can select a different one.