All Lumeta users need to have roles (Manager, SysAdmin, Viewer) within organizations that have been defined within Lumeta. There is one existing organization called Organization1 by default. Users can have multiple roles in different organizations.
[ Insert links to section describing roles and organizations ]
Active directory users logging in to Lumeta for the first time will be assigned roles and organizations based on the Active Directory groups they belong to. In order to accomplish this, Lumeta needs to know how to map AD groups to Lumeta roles within organizations. This is where the group mapping file comes in.
For example, if Active Directory assigns users combinations of these groups:
- AD groups: vp, admin, security, na, emea, apac
And you’ve defined the following organizations in Lumeta:
- Lumeta organizations: NA, EMEA, APAC
And you want these rules to apply to your Lumeta users:
- Vice presidents should get read-only access in all organizations
- Admins should get SysAdmin roles in their own regions
- People on the security team should have Viewer and Manager roles in some regions.
Then you would create the following group mapping file:
vp,Viewer/NA,Viewer/EMEA,Viewer/APAC
admin|na,SysAdmin/NA
admin|emea,SysAdmin/EMEA
admin|apac,SysAdmin/APAC
security|na|emea,Viewer/NA,Manager/NA,Viewer/EMEA,Manager/EMEA,Viewer/APAC
security|apac,Viewer/APAC,Manager/APAC,Viewer/NA,Viewer/EMEA
The group mapping file is in CSV (comma separated values) format with a particular formatting within each field.
- Each line in the group mapping file starts with a list of AD groups followed by a list of roles/organizations.
- If there is more than one group, separate by a vertical bar (|)
- Each role must be paired with its organization, separated by a forward slash (/)
- Multiple role/organization pairs are separated by a comma.
All matching rows contribute to a user's roles. In the above example group mapping
- The VP of security for North America would have the Manager role in the NA organization and Viewer role everywhere else.
- The VP of IT in Europe would have Viewer role everwhere and SysAdmin role in EMEA.
Some organizations prefer to have their users authenticate to Lumeta Enterprise Edition using Active Directory (AD). This arrangement transmits AD user-rights to the Lumeta system and controls what individual users can see when logged in to a Lumeta Command Center.
The admin and manager users and see these roles by default.
In the set of example users below, user2 would see groups 2 and 3; user4 would see groups 4, 5, and 6.
- user1 - group1, group2
- user2 - group2, group3
- user3 - group1, group2, group4, group5
- user4 - group4, group5, group6
- user5 - group6
To map Active Directory (AD) groups and roles to Lumeta organizations, here's the process.
Prerequisites
- Ensure that Groups and Users have already been set up in an Active Directory (AD) server before beginning this procedure. See https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal to learn how.
- Find out the credentials to your organization's AD server. Here are the types of information you'll need and an example of most (We've masked the name of our Active Directory server):
Active Directory CLI Commands
To configure Active Directory on Lumeta Enterprise Edition:
- Identify the Host Name or IP Address of your Command Center.
- Use that information to log in to the CLI of your Command Center.
- At the command-line prompt, enter
authentication ad
- These are the available AD Authentication CLI commands, their purpose and syntax, and an example of each command. The Active Directory CLI commands are presented here in the order they are presented on the CLI menu. Although not fixed, the order of operations is likely to be 1) configure, 2) viewconfig, 3) netbios, 4) enable 5) groupmapping. This order of operations in the last column of the table below.
CLI Command Description & Example Likely Order of Operations groupmapping Maps an Active Directory group to an Organization in Lumeta Enterprise Edition
If your Active Directory mapping introduces new Organizations, you will need to create those organizations in the Command Center as follows:
5 configure Configures an Active Directory authentication server
1 netbios The netbios is an alias for the hostname used in Active Directory authentication.
In this example, the hostname of the Command Center is longer than the maximum number of characters allowed, so AD could not be enabled. In cases like these, use the netbios to serve as an alias for a too-long hostname.
This command would create a hostname on the AD server with the name "TestAD."
3 enable/disable Enables and disables an AD authentication
4 viewconfig Displays the current AD configuration
2 clearconfig Clears the current AD configuration
optional
Viewing Users in Lumeta
When an AD user logs in to Lumeta, and browses to Settings > Users, users, groups, and organizations to which he has been given rights in the AD server groupings––and only those––are visible.