
Your organization may want to have users authenticate to Lumeta Enterprise Edition using Active Directory (AD). This arrangement, with an assist from you, maps AD user rights to the Lumeta system and controls what individual users can see and control when logged in to a Lumeta Command Center. Your contribution is to tell the Lumeta system how to map groups, organizations, and roles by creating a CSV group mapping file. The group mapping file you create specifies the mapping.

For more on organizations, roles, and permissions, see the About Organizations, Zones & Users page.

Let's assume, for example, that Active Directory contains (or has defined) these groups and organizations, and that we want to assign users to particular groups within particular organizations according to their role.

Example AD Groups

  • vp
  • admin
  • security
  • na
  • emea
  • apac

Example AD Organizations

  • NA
  • EMEA
  • APAC

Actual Lumeta Default Roles

  • SysAdmin
  • Viewer (read-only)
  • Manager (read + write)


And you want these rules to apply to your Lumeta users:

  1. Vice presidents should get read-only access in all organizations

    Group    Access    Organization
    vp       Viewer    NA
    vp       Viewer    EMEA
    vp       Viewer    APAC

    That portion of the group mapping file would look like this:

    vp,Viewer/NA
    vp,Viewer/EMEA
    vp,Viewer/APAC

  2. Admins should get SysAdmin roles in their own regions

    Group         Access      Organization
    admin|na      SysAdmin    NA
    admin|emea    SysAdmin    EMEA
    admin|apac    SysAdmin    APAC

    That portion of the group mapping file would look like this:

    admin|na,SysAdmin/NA
    admin|emea,SysAdmin/EMEA
    admin|apac,SysAdmin/APAC


  3. People on the Security team should have Viewer and Manager roles in some regions.

    Group               Access     Organization
    security|na|emea    Viewer     NA
    security|na|emea    Manager    NA
    security|na|emea    Viewer     EMEA
    security|na|emea    Manager    EMEA
    security|na|emea    Viewer     APAC
    security|apac       Viewer     APAC
    security|apac       Manager    APAC
    security|apac       Viewer     NA
    security|apac       Viewer     EMEA

    That portion of the group mapping file would look like this:

    security|na|emea,Viewer/NA
    security|na|emea,Manager/NA
    security|na|emea,Viewer/EMEA
    security|na|emea,Manager/EMEA
    security|na|emea,Viewer/APAC
    security|apac,Viewer/APAC
    security|apac,Manager/APAC
    security|apac,Viewer/NA
    security|apac,Viewer/EMEA


Then you would create the following group mapping file:

vp,Viewer/NA
vp,Viewer/EMEA
vp,Viewer/APAC
admin|na,SysAdmin/NA
admin|emea,SysAdmin/EMEA
admin|apac,SysAdmin/APAC
security|na|emea,Viewer/NA
security|na|emea,Manager/NA
security|na|emea,Viewer/EMEA
security|na|emea,Manager/EMEA
security|na|emea,Viewer/APAC
security|apac,Viewer/APAC
security|apac,Manager/APAC
security|apac,Viewer/NA
security|apac,Viewer/EMEA


  • The CSV file should contain only two columns, i.e. the AD group name and the Lumeta role, separated by a comma (,).
  • A row containing more than two columns is considered an invalid row.



  • Each line in the group mapping file starts with a list of AD groups followed by a list of role/organization pairs.
  • If there is more than one group, separate the groups with a vertical bar (|).
  • Each role must be paired with its organization, separated by a forward slash (/).
  • Multiple role/organization pairs are separated by a comma.


All matching rows contribute to a user's roles. In the above example group mapping:

  • The VP of security for North America would have the Manager role in the NA organization and the Viewer role everywhere else.
  • The VP of IT in Europe would have the Viewer role everywhere and the SysAdmin role in EMEA.
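The following is an added example, not Lumeta's own code, showing how a group mapping file of the format described above can be validated before it is loaded and how a user's effective roles can be worked out from it. It assumes two things the page does not state outright: that a vertical bar between AD groups means the user must belong to all of the listed groups for that row to match (which is what makes the "VP of IT in Europe" example come out as described), and that the union of every matching row is taken, as the "all matching rows contribute" sentence says. Rows with more than two columns are reported as invalid rather than applied, since a malformed row that is silently skipped or misread is how a user ends up with more or fewer rights than intended.

```python
"""Parser and resolver for a Lumeta-style AD group mapping file.

Added example, not Lumeta's own code. Assumptions (also stated in the lead-in):
  - "g1|g2" in the group column means the user must be in ALL of g1 and g2;
  - every matching row contributes its role/organization pair (union);
  - a row with other than two comma-separated columns is invalid and is
    reported, not applied.
"""
from typing import Dict, List, Set, Tuple

# Constructed input: the group mapping file shown on the page, embedded so the
# example runs offline.
GROUP_MAPPING_CSV = """\
vp,Viewer/NA
vp,Viewer/EMEA
vp,Viewer/APAC
admin|na,SysAdmin/NA
admin|emea,SysAdmin/EMEA
admin|apac,SysAdmin/APAC
security|na|emea,Viewer/NA
security|na|emea,Manager/NA
security|na|emea,Viewer/EMEA
security|na|emea,Manager/EMEA
security|na|emea,Viewer/APAC
security|apac,Viewer/APAC
security|apac,Manager/APAC
security|apac,Viewer/NA
security|apac,Viewer/EMEA
"""

# (required AD groups, role, organization)
Rule = Tuple[frozenset, str, str]


def parse_group_mapping(text: str) -> Tuple[List[Rule], List[str]]:
    """Parse the mapping file into rules. Returns (rules, errors).

    Invalid rows are collected in `errors` with their line number so an
    administrator can fix the file instead of deploying a partial mapping.
    """
    rules: List[Rule] = []
    errors: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue  # blank lines carry no mapping
        columns = [c.strip() for c in line.split(",")]
        if len(columns) != 2:
            errors.append(f"line {lineno}: expected 2 columns, found {len(columns)}")
            continue
        groups_field, pair = columns
        groups = frozenset(g.strip() for g in groups_field.split("|") if g.strip())
        if not groups or "/" not in pair:
            errors.append(f"line {lineno}: malformed row {line!r}")
            continue
        role, org = (p.strip() for p in pair.split("/", 1))
        if not role or not org:
            errors.append(f"line {lineno}: empty role or organization in {line!r}")
            continue
        rules.append((groups, role, org))
    return rules, errors


def effective_roles(user_groups: Set[str], rules: List[Rule]) -> Dict[str, Set[str]]:
    """Return organization -> set of roles for a user.

    A rule matches when every group it names is in the user's AD groups
    (assumed AND semantics for "|"); matching rules are unioned.
    """
    result: Dict[str, Set[str]] = {}
    for required, role, org in rules:
        if required <= user_groups:
            result.setdefault(org, set()).add(role)
    return result


if __name__ == "__main__":
    rules, errors = parse_group_mapping(GROUP_MAPPING_CSV)
    print(f"{len(rules)} rules parsed, {len(errors)} invalid rows")
    # The page's "VP of IT in Europe": a member of vp, admin and emea.
    for org, roles in sorted(effective_roles({"vp", "admin", "emea"}, rules).items()):
        print(f"{org}: {sorted(roles)}")
```

Running it prints the Viewer role in NA and APAC and both Viewer and SysAdmin in EMEA for the European VP of IT, which is the outcome the page describes. Feeding the parser a row such as `admin|na,SysAdmin/NA,Viewer/EMEA` produces an error for that line under the two-column rule instead of a rule, so the check catches the case the bullets above call invalid.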

All Lumeta users are assigned roles (Manager, SysAdmin, Viewer) within organizations that have been defined within Lumeta. There is one existing organization called Organization1 by default. Users can have multiple roles in different organizations.


[ Insert links to section describing roles and organizations ]

The admin and manager users can see these roles by default.

In the set of example users below, user2 would see groups 2 and 3; user4 would see groups 4, 5, and 6.

  • user1 - group1, group2
  • user2 - group2, group3
  • user3 - group1, group2, group4, group5
  • user4 - group4, group5, group6
  • user5 - group6




To map Active Directory (AD) groups and roles to Lumeta organizations, follow this process.

Prerequisites

  1. Ensure that groups and users have already been set up in an Active Directory (AD) server before beginning this procedure. See https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal to learn how.

  2. Find out the credentials for your organization's AD server. Here are the types of information you'll need and an example of most of them (we've masked the name of our Active Directory server):

Active Directory CLI Commands

To configure Active Directory on Lumeta Enterprise Edition:

  1. Identify the host name or IP address of your Command Center.
  2. Use that information to log in to the CLI of your Command Center.
  3. At the command-line prompt, enter authentication ad
  4. These are the available AD Authentication CLI commands, their purpose and syntax, and an example of each command. The Active Directory CLI commands are presented here in the order they appear on the CLI menu. Although not fixed, the order of operations is likely to be 1) configure, 2) viewconfig, 3) netbios, 4) enable, 5) groupmapping. This likely order of operations is given with each command below.

    CLI Command: groupmapping (likely order of operations: 5)
    Maps an Active Directory group to an Organization in Lumeta Enterprise Edition.
    If your Active Directory mapping introduces new Organizations, you will need to create those organizations in the Command Center as follows:

    CLI Command: configure (likely order of operations: 1)
    Configures an Active Directory authentication server.

    CLI Command: netbios (likely order of operations: 3)
    The netbios is an alias for the hostname used in Active Directory authentication.
    In this example, the hostname of the Command Center is longer than the maximum number of characters allowed, so AD could not be enabled. In cases like these, use the netbios to serve as an alias for a too-long hostname.
    This command would create a hostname on the AD server with the name "TestAD."

    CLI Command: enable/disable (likely order of operations: 4)
    Enables and disables AD authentication.

    CLI Command: viewconfig (likely order of operations: 2)
    Displays the current AD configuration.

    CLI Command: clearconfig (likely order of operations: optional)
    Clears the current AD configuration.




Viewing Users in Lumeta

When an AD user logs in to Lumeta and browses to Settings > Users, only the users, groups, and organizations to which that user has been given rights through the AD server groupings are visible.
