
Search & Assign

With LDAP authorization enabled, you can assign sessions and packages to an individual user, a group of users, or a specific folder in your LDAP directory.

When multiple LDAP servers are configured, select the domain first; searches for users or groups are scoped to that domain.

Search for Users or Groups/Folders

Determine who should have access.

  1. Verify or select the Domain.

    To assign sessions or packages to All users within the selected domain, keep the default Search result (All users) selected and skip to step 5.

  2. When LDAP authorization is enabled, you can search for and assign access to specific Users, Groups, or Folders in that domain. When LDAP authorization is not enabled, access to sessions or packages can be assigned only to All Users.

    Note

    The Search by options depend on the LDAP server configuration (Search Base and Groups/Folders): you will see either Users | Groups or Users | Folders.

    To search, select a Search by option and enter a name in the text box. The asterisk (*) wildcard is accepted, alone or combined with letters (for example, *smith).

  3. Click SELECT ATTRIBUTES or add CUSTOM ATTRIBUTES to narrow your search using the available filters. Click SEARCH.

  4. In the Search Results find and click the name of the user, group, or folder.

    Click Details to see this user or group’s attributes and the groups from which they can inherit access. A group’s Details also includes the members of that group.

    Or, click SEARCH AGAIN to change the search attributes or to search for another user.

  5. For the selected user or group of users, continue with Assign Sessions or Packages.

Assign Sessions or Packages

Determine which sessions or packages this user or group is entitled to access.

  1. Check the Sessions or Packages you want to make available to the selected user or group.

    Note

    You can assign access by inheritance. See these examples.

    • An asterisk (*) next to the Session name denotes that a user has inherited access to that session by being a member in a group.

      For example: JohnUser is a member of Group A. If you assign Session1 to Group A, then JohnUser inherits access to Session1. When viewing JohnUser’s assigned sessions, an asterisk appears next to Session1.

      To remove a user’s access to an inherited session, click the User, and clear the Allow user to inherit (*) access to sessions check box (below the list of sessions).

    • Granting access to All users assigns the session at the search base, so every user in the domain inherits it. As with any inherited access, an individual user receives it only while the Allow user to inherit (*) access to sessions option is checked for that user.

    • Sessions cannot be assigned to Active Directory primary groups (such as Domain Users). Active Directory records a user's primary group in the primaryGroupID attribute rather than in memberOf, so an LDAP group-membership lookup does not return it.

  2. Select or clear the option to Allow access to Administrative Console.

    When checked, the selected user or group has access to the MSS Administrative Console.

  3. The EDIT option is used for Automated Sign-on, including Reflection/InfoConnect Desktop - Workspace Automated Sign-on sessions.

    To assign an automated sign-on session, click EDIT. Then continue with Source of user name on host computer.

  4. Click APPLY to save your assigned sessions.

  5. Repeat the steps to Search & Assign sessions to a different user or group.
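The inheritance rules above (direct assignment, inheritance through group membership marked with an asterisk, All users at the search base, the per-user Allow user to inherit option, and the primary-group restriction) can be modelled in a few lines. The following is an added illustration, not MSS code; the Directory and Assignments classes, the ALL_USERS placeholder for the search base, and the sample users and groups are assumptions constructed for the example.

```python
# Added illustration of the session-inheritance rules; not MSS code.
# The data model below (Directory, Assignments, ALL_USERS) is an assumption.

ALL_USERS = "ALL_USERS"  # stands in for the LDAP search base


class Directory:
    """Minimal stand-in for the LDAP directory: who is in which group."""

    def __init__(self, members, primary_groups):
        self.members = members                # group -> set of user names
        self.primary_groups = primary_groups  # AD primary groups (e.g. Domain Users)

    def groups_of(self, user):
        # Primary groups are deliberately excluded: a memberOf lookup does not
        # return them, which is why sessions cannot be assigned to them.
        return {g for g, users in self.members.items()
                if user in users and g not in self.primary_groups}


class Assignments:
    def __init__(self, directory):
        self.directory = directory
        self.sessions = {}       # principal (user, group or ALL_USERS) -> set of sessions
        self.allow_inherit = {}  # user -> bool; default True

    def assign(self, principal, session):
        if principal in self.directory.primary_groups:
            raise ValueError(f"cannot assign {session!r} to primary group {principal!r}")
        self.sessions.setdefault(principal, set()).add(session)

    def set_allow_inherit(self, user, allowed):
        self.allow_inherit[user] = allowed

    def effective_sessions(self, user):
        """Return {session: inherited} for the user.

        Directly assigned sessions always count. Sessions assigned to the
        user's groups or to all users (the search base) are inherited, shown
        with the asterisk, and count only while the user's
        "Allow user to inherit (*) access" option is on.
        """
        result = {s: False for s in self.sessions.get(user, set())}
        if self.allow_inherit.get(user, True):
            for principal in self.directory.groups_of(user) | {ALL_USERS}:
                for s in self.sessions.get(principal, set()):
                    result.setdefault(s, True)  # a direct assignment wins over an inherited one
        return result


def describe(assignments, user):
    """Render the list as the console shows it, '*' marking inherited sessions."""
    return sorted(f"{s}{'*' if inherited else ''}"
                  for s, inherited in assignments.effective_sessions(user).items())


# Constructed sample directory mirroring the page's JohnUser / Group A example.
directory = Directory(
    members={"Group A": {"JohnUser", "JaneUser"},
             "Domain Users": {"JohnUser", "JaneUser"}},
    primary_groups={"Domain Users"},
)
assignments = Assignments(directory)
assignments.assign("Group A", "Session1")   # JohnUser inherits this (*)
assignments.assign("JohnUser", "Session2")  # direct
assignments.assign(ALL_USERS, "Session3")   # search base: everyone inherits (*)

if __name__ == "__main__":
    print(describe(assignments, "JohnUser"))
    assignments.set_allow_inherit("JohnUser", False)
    print(describe(assignments, "JohnUser"))
```

Clearing the inherit flag removes both the group-inherited and the All users sessions but leaves the direct assignment, which is the behaviour to expect when you use that check box to take a single user out of a group-wide entitlement.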

Source of user name on host computer

In the list of available sessions to assign, the EDIT option is displayed when Automated Sign-On is activated.

Note

To recap, the configuration of Automated Sign-On for the Mainframe requires:

  • The Automated Sign-On for Mainframe Add-On product is installed and configured on the Host Access Management and Security Server.

  • A session to the mainframe was created with a log-in macro, as detailed in the Automated Sign-on for Mainframe - Administrator Guide.

  • The session is assigned to the appropriate user or group. (The session cannot be inherited.)

  • The method for obtaining the mainframe user name is selected (after you click EDIT).

When you click EDIT to assign a session

(continuing from step 3 of Assign Sessions or Packages)

  1. When you click EDIT, the Source of user name on host computer panel opens, which identifies the selected user and the session that you want them to automatically log on to.

  2. Choose the method to derive the user's name on the host computer:

    • Not set

      This is the default; it must be changed for automated sign-on to work.

    • UPN

      Select this option to derive the user name from the user's User Principal Name (UPN). The UPN is typically available from a smart card or client certificate and is a standard attribute in Active Directory servers.

      A UPN is formatted as an internet-style email address, such as userid@domain.com, and MSS derives the user name as the short name preceding the @ symbol. Because only the part before the @ is used, two users whose UPNs differ only in the suffix map to the same host user name, so UPN prefixes must be unique across the domains you serve.

      In the drop-down, select your server for one-time password requests:

      • DCAS server:<hostname:port>

    • LDAP attribute value in the authenticating directory

      Select this option to perform a lookup in the LDAP directory (defined in LDAP Server Configuration) and return the value of the entered attribute as the user name.

      Enter the LDAP attribute name; it must meet the criteria below.

      Note

      All LDAP attributes must meet these criteria:

      • must begin with an alpha character
      • no more than 50 characters
      • any alphanumeric character or a hyphen (-) is permitted

      Select your server for one-time password requests:

      • DCAS server:<hostname:port>

    • LDAP attribute value in a secondary directory

      When a secondary LDAP directory is configured for automated sign-on to a mainframe, MSS searches that directory for the user's object and returns the value of the selected attribute as the mainframe user name.

      Select the LDAP attribute. Note the criteria for LDAP attributes, listed above.

      Select your server for one-time password requests:

      • DCAS server:<hostname:port>

  3. If you configured multiple DCAS servers, select the one to use for this automated sign-on session.

    An asterisk (*) appears next to your preferred DCAS server; however, you can select a different one.

  4. Click OK.
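The three methods above (UPN short name, attribute in the authenticating directory, attribute in a secondary directory) and the attribute-name criteria are small enough to show end to end. The following is an added example, not MSS code: the dictionary representation of a directory entry, the sample entry, the method names passed to host_user_name and the upn_prefix_collisions check are assumptions made for the illustration.

```python
# Added illustration of "Source of user name on host computer"; not MSS code.
# The entry-as-dict model and the sample entry are assumptions.
import re

# Page criteria: begins with a letter, at most 50 characters, letters,
# digits or hyphen only.
ATTRIBUTE_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9-]{0,49}$")


def validate_attribute_name(name):
    """Reject attribute names that do not meet the page's criteria."""
    if not ATTRIBUTE_NAME.match(name):
        raise ValueError(f"invalid LDAP attribute name: {name!r}")
    return name


def user_name_from_upn(upn):
    """UPN method: the host user name is everything before the first '@'."""
    local, sep, domain = upn.partition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not a UPN: {upn!r}")
    return local


def user_name_from_attribute(entry, attribute):
    """LDAP attribute method (authenticating or secondary directory).

    A missing or empty attribute is an error: automated sign-on cannot
    request a one-time password without a host user name.
    """
    attribute = validate_attribute_name(attribute)
    for key, values in entry.items():          # LDAP attribute names are case-insensitive
        if key.lower() == attribute.lower():
            values = values if isinstance(values, list) else [values]
            if values and values[0]:
                return values[0]
    raise LookupError(f"attribute {attribute!r} missing or empty on entry")


def host_user_name(method, entry, attribute=None):
    """Dispatch on the method chosen in the Source of user name panel."""
    if method == "Not set":
        raise ValueError("method 'Not set' must be changed for automated sign-on")
    if method == "UPN":
        return user_name_from_upn(entry["userPrincipalName"])
    if method in ("LDAP attribute", "LDAP attribute (secondary)"):
        return user_name_from_attribute(entry, attribute)
    raise ValueError(f"unknown method {method!r}")


def upn_prefix_collisions(upns):
    """Caveat check: only the part before '@' is kept, so UPNs that differ
    only in suffix map to the same host user. Return the colliding prefixes."""
    seen = {}
    for upn in upns:
        seen.setdefault(user_name_from_upn(upn), []).append(upn)
    return {name: lst for name, lst in seen.items() if len(lst) > 1}


# Constructed sample entry; not real directory data.
SAMPLE_ENTRY = {
    "userPrincipalName": "jsmith@corp.example.com",
    "sAMAccountName": "jsmith",
    "tsoUserId": ["JSMITH1"],
}

if __name__ == "__main__":
    print(host_user_name("UPN", SAMPLE_ENTRY))
    print(host_user_name("LDAP attribute", SAMPLE_ENTRY, "tsoUserId"))
    print(upn_prefix_collisions(["jsmith@corp.example.com", "jsmith@lab.example.com"]))
```

Run upn_prefix_collisions over the UPNs of every user who will be assigned an automated sign-on session before choosing the UPN method; a non-empty result means two directory users would be signed on to the mainframe as the same host user.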