
Your organization may want to have users authenticate to Lumeta Enterprise Edition using Active Directory (AD). This arrangement––with an assist from you––maps AD user rights to the Lumeta system and controls what individual users can see and do when logged in to a Lumeta Command Center. Your contribution is to tell the Lumeta system how to map AD groups to Lumeta organizations and roles by creating a CSV group mapping file. The group mapping file you create specifies that mapping.

For more on organizations, roles, and permissions, see the About Organizations, Zones & Users page.

Update

In the groupmapping mechanism, a row whose first column is a list of AD groups separated by the pipe symbol (|) can now be marked 'superuser' in an optional third column (or that column can be left blank).

Sample format:

    AD Groups              Role/Organization     Superuser
    group2|group4|group1   Manager/Development   superuser
    group5|group4|group6   Viewer/Sales          (blank)

When a new AD user logs in to Lumeta, a user account is created along with the roles mapped to the user's AD groups. If those AD groups are defined as 'superuser', all the users in that AD group are designated as Lumeta superusers. Changes to groupmapping data take effect when the users associated with those records next log in to the Lumeta system.

Let's assume, for example, that Active Directory contains (or has defined) these groups and we want to assign users to particular roles in Lumeta, remembering that each Lumeta role is always paired with an organization defined in Lumeta.

Example AD Groups
    vp
    admin
    security
    na
    emea
    apac

Customer-Defined Lumeta Organizations
    NA
    EMEA
    APAC

Actual Lumeta Roles
    SysAdmin (no GUI access)
    Viewer (read-only)
    Manager (read + write)


And you want these rules to apply to your Lumeta users:

  1. Vice presidents should get read-only access in all organizations

    Row   Group   Role+Organization
    1     vp      Viewer/NA
    2     vp      Viewer/EMEA
    3     vp      Viewer/APAC

    That portion of the group mapping CSV file would look like this:

    vp,Viewer/NA
    vp,Viewer/EMEA
    vp,Viewer/APAC

    Notice that this CSV example contains only two columns––the first for the AD group name(s) and the second for the Lumeta role + organization. The two columns are separated by a comma (,). Any row containing more than two columns is considered an invalid row (the only exception is the optional third 'superuser' column described in the Update section above).

  2. Admins should get SysAdmin roles in their own regions


    Row   Group         Role+Organization
    1     admin|na      SysAdmin/NA
    2     admin|emea    SysAdmin/EMEA
    3     admin|apac    SysAdmin/APAC

    The AD users in row #1 are members of both the admin and na groups.  The Lumeta users in row #1 are SysAdmins for the NA organization.
    That portion of the group mapping file would look like this:

    admin|na,SysAdmin/NA
    admin|emea,SysAdmin/EMEA
    admin|apac,SysAdmin/APAC


  3. People on the Security team should have Viewer and Manager roles in some regions.

    Row   Group               Role+Organization
    1     security|na|emea    Viewer/NA
    2     security|na|emea    Manager/NA
    3     security|na|emea    Viewer/EMEA
    4     security|na|emea    Manager/EMEA
    5     security|na|emea    Viewer/APAC
    6     security|na|emea    Viewer/APAC
    7     security|apac       Manager/APAC
    8     security|apac       Viewer/NA
    9     security|apac       Viewer/EMEA

    AD users in row #7 are members of both the security and apac groups and in Lumeta have a Manager role in the APAC organization.
    That portion of the group mapping file would look like this:

    security|na|emea,Viewer/NA
    security|na|emea,Manager/NA
    security|na|emea,Viewer/EMEA
    security|na|emea,Manager/EMEA
    security|na|emea,Viewer/APAC
    security|apac,Viewer/APAC
    security|apac,Manager/APAC
    security|apac,Viewer/NA
    security|apac,Viewer/EMEA

The contents of the assembled CSV file would look like this:

    vp,Viewer/NA
    vp,Viewer/EMEA
    vp,Viewer/APAC
    admin|na,SysAdmin/NA
    admin|emea,SysAdmin/EMEA
    admin|apac,SysAdmin/APAC
    security|na|emea,Viewer/NA
    security|na|emea,Manager/NA
    security|na|emea,Viewer/EMEA
    security|na|emea,Manager/EMEA
    security|na|emea,Viewer/APAC
    security|apac,Viewer/APAC
    security|apac,Manager/APAC
    security|apac,Viewer/NA
    security|apac,Viewer/EMEA

CSV File Rules

The rules we've introduced are as follows:

  1. Each line in the group mapping file starts with a list of AD groups followed by a role/organization pair.
  2. If there is more than one group, separate by a vertical bar (|)
  3. Each role must be paired with its organization, separated by a forward slash (/)
  4. Users are assigned the role/organization pair of every row whose AD group list matches their AD group memberships.

The admin and manager users can see these roles by default.
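To make the CSV rules and the matching behaviour concrete, here is an added example (not Lumeta's own code) that parses a mapping file in the format above and resolves the roles one AD user would receive. The sample file and user group lists are constructed here; it assumes, as the row #1 and row #7 explanations state, that a row applies only when the user belongs to every group in its pipe-separated list, and accepts the optional third 'superuser' column from the Update section.

```python
import csv
import io

# Constructed sample mapping file (not from the page): AD groups separated
# by |, then Role/Organization, plus the optional third 'superuser' column.
# The last row is deliberately invalid (too many columns) and must be skipped.
SAMPLE_MAPPING = """vp,Viewer/NA
vp,Viewer/EMEA
admin|na,SysAdmin/NA
security|apac,Manager/APAC
group2|group4|group1,Manager/Development,superuser
bad,row,with,too,many,columns
"""


def parse_group_mapping(text):
    """Parse the file into (required_groups, role, org, is_superuser) rows.

    Rows with fewer than two or more than three columns, a malformed
    Role/Organization pair, or a third column that is neither blank nor
    'superuser' are treated as invalid and skipped.
    """
    rows = []
    for fields in csv.reader(io.StringIO(text)):
        if len(fields) < 2 or len(fields) > 3:
            continue
        groups = frozenset(g.strip() for g in fields[0].split("|") if g.strip())
        role, sep, org = fields[1].strip().partition("/")
        if not groups or sep != "/" or not role or not org:
            continue
        flag = fields[2].strip().lower() if len(fields) == 3 else ""
        if flag not in ("", "superuser"):
            continue
        rows.append((groups, role, org, flag == "superuser"))
    return rows


def resolve_user(user_ad_groups, mapping):
    """Return (sorted (role, org) pairs, is_superuser) for one AD user.

    A row applies only when the user is a member of every group in its
    list, so admin|na never matches a user who is in admin alone.
    """
    member_of = set(user_ad_groups)
    roles, superuser = set(), False
    for required, role, org, is_super in mapping:
        if required <= member_of:
            roles.add((role, org))
            superuser = superuser or is_super
    return sorted(roles), superuser
```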
 


To map Active Directory (AD) groups and roles to Lumeta organizations, here's the process.

Prerequisites

  1. Ensure that Groups and Users have already been set up in an Active Directory (AD) server before beginning this procedure. See https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal to learn how. 

  2. Find out the credentials to your organization's AD server. Here are the types of information you'll need and an example of most (We've masked the name of our Active Directory server):

Active Directory CLI Commands

To configure Active Directory on Lumeta Enterprise Edition:

  1. Identify the Host Name or IP Address of your Command Center.
  2. Use that information to log in to the CLI of your Command Center.


  3. At the command-line prompt, enter authentication ad


  4. The CLI menu lists the available AD Authentication CLI commands. Each of these, with its purpose and syntax, follows below (the original page illustrates each with a screencap). The Active Directory CLI commands are presented here in the order they appear on the CLI menu. Although not fixed, the order of operations is likely to be 1) configure, 2) viewconfig, 3) netbios, 4) enable, 5) groupmapping. That order is given in the "Likely Order of Operations" field of each entry.

    CLI Command: groupmapping
    Likely Order of Operations: 5
    Description & Example: Maps an Active Directory group to an Organization in Lumeta Enterprise Edition.

        authentication ad groupmapping append path/to/local/file
        authentication ad groupmapping append admin@172.18.1.184:/home/admin/AD-group-mapping.csv

    If your Active Directory mapping introduces new Organizations, you will need to create those organizations in the Command Center as follows:

        organization new name-of-new-organization

    CLI Command: configure
    Likely Order of Operations: 1
    Description & Example: Configures an Active Directory authentication server.

        authentication ad configure <AD server> <realm> <domain> <username> <password>

    CLI Command: netbios
    Likely Order of Operations: 3
    Description & Example: The netbios is an alias for the hostname used in Active Directory authentication. It is only required if your hostname is more than 15 characters long.

    In the page's example, the hostname of the Command Center is longer than the maximum number of characters allowed, so AD could not be enabled. In cases like these, use the netbios to serve as an alias for a too-long hostname. The command shown in that screencap would create a hostname on the AD server with the name "TestAD."

    CLI Command: enable/disable
    Likely Order of Operations: 4
    Description & Example: Enables or disables AD authentication.

        authentication ad <enable|disable>

    CLI Command: viewconfig
    Likely Order of Operations: 2
    Description & Example: Displays the current AD configuration. The two screencap examples show a not-joined/disabled AD server and a joined/enabled AD server.

    CLI Command: clearconfig
    Likely Order of Operations: optional
    Description & Example: Clears the current AD configuration.


Viewing Users in Lumeta

When an AD user logs in to Lumeta and browses to Settings > Users, only the users, groups, and organizations to which that user has been given rights through the AD group mapping––and only those––are visible.
