Your organization may want to have users authenticate to Lumeta Enterprise Edition using Active Directory (AD). This arrangement––with an assist from you––maps AD user-rights to the Lumeta system and controls what individual users can see and control when logged in to a Lumeta Command Center. Your contribution is to tell the Lumeta system how to apply rules to map groups, organizations, and roles by creating a csv group mapping file. The group mapping file you create specifies the mapping. For more on organizations, roles, and permissions, see the About Organizations, Zones & Users page. Let's assume, for example, that Active Directory contains (or has defined) these groups and organizations and we want to assign users to particular groups within particular organizations according to their particular role. | |||||||||||||||||
|
|
|
And you want these rules to apply to your Lumeta users:
- Vice presidents should get read-only access in all organizations
Group Role+Organization vp Viewer/NA vp Viewer/EMEA vp Viewer/APAC That portion of the group mapping CSV file would look like this:
vp,Viewer/NA
vp,Viewer/EMEA
vp,Viewer/APAC
Notice that the CSV example contains only two columns––the first for AD group name and the next the Lumeta role + organization. The two columns are separated by a comma(,). Any row containing more than two columns is considered an invalid row. Admins should get SysAdmin roles in their own regions
Group Role+Organization admin|na SysAdmin/NA admin|emea SysAdmin/EMEA admin|apac SysAdmin/APAC That portion of the group mapping file would look like this:
admin|na,SysAdmin/NA
admin|emea,SysAdmin/EMEA
admin|apac,SysAdmin/APAC
- People on the Security team should have Viewer and Manager roles in some regions.
Group Role+Organization security|na|emea
Viewer/NA security|na|emea Manager/NA security|na|emea Viewer/EMEA security|na|emea Manager/EMEA security|na|emea Viewer/APAC security|na|emea Viewer/APAC security|apac Manager/APAC security|apac Viewer/NA security|apac Viewer/EMEA
That portion of the group mapping file would look like this:
security|na|emea,Viewer/NA
security|na|emea,Manager/NA
security|na|emea,Viewer/EMEA
security|na|emea,Manager/EMEA
security|na|emea,Viewer/APAC
security|apac,Viewer/APAC
security|apac,Manager/APAC
security|apac,Viewer/NA
security|apac,Viewer/EMEA
The assembled CSV file would look like this:
vp,Viewer/NA
vp,Viewer/EMEA
vp,Viewer/APAC
admin|na,SysAdmin/NA
admin|emea,SysAdmin/EMEA
admin|apac,SysAdmin/APAC
security|na|emea,Viewer/NA
security|na|emea,Manager/NA
security|na|emea,Viewer/EMEA
security|na|emea,Manager/EMEA
security|na|emea,Viewer/APAC
security|apac,Viewer/APAC
security|apac,Manager/APAC
security|apac,Viewer/NA
security|apac,Viewer/EMEA
- Each line in the group mapping file starts with a list of AD groups followed by a list of roles/organizations.
- If there is more than one group, separate by a vertical bar (|)
- Each role must be paired with its organization, separated by a forward slash (/)
- Multiple role/organization pairs are separated by a comma.
All matching rows contribute to a user's roles. In the above example group mapping:
- The VP of security for North America would have the Manager role in the NA organization and Viewer role everywhere else.
- The VP of IT in Europe would have Viewer role everywhere and SysAdmin role in EMEA.
The admin and manager users and see these roles by default.
To map Active Directory (AD) groups and roles to Lumeta organizations, here's the process.
Prerequisites
- Ensure that Groups and Users have already been set up in an Active Directory (AD) server before beginning this procedure. See https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal to learn how.
- Find out the credentials to your organization's AD server. Here are the types of information you'll need and an example of most (We've masked the name of our Active Directory server):
Active Directory CLI Commands
To configure Active Directory on Lumeta Enterprise Edition:
- Identify the Host Name or IP Address of your Command Center.
- Use that information to log in to the CLI of your Command Center.
- At the command-line prompt, enter
authentication ad
- These are the available AD Authentication CLI commands, their purpose and syntax, and an example of each command. The Active Directory CLI commands are presented here in the order they are presented on the CLI menu. Although not fixed, the order of operations is likely to be 1) configure, 2) viewconfig, 3) netbios, 4) enable 5) groupmapping. This order of operations in the last column of the table below.
CLI Command Description & Example Likely Order of Operations groupmapping Maps an Active Directory group to an Organization in Lumeta Enterprise Edition
If your Active Directory mapping introduces new Organizations, you will need to create those organizations in the Command Center as follows:
5 configure Configures an Active Directory authentication server
1 netbios The netbios is an alias for the hostname used in Active Directory authentication.
In this example, the hostname of the Command Center is longer than the maximum number of characters allowed, so AD could not be enabled. In cases like these, use the netbios to serve as an alias for a too-long hostname.
This command would create a hostname on the AD server with the name "TestAD."
3 enable/disable Enables and disables an AD authentication
4 viewconfig Displays the current AD configuration
2 clearconfig Clears the current AD configuration
optional
Viewing Users in Lumeta
When an AD user logs in to Lumeta, and browses to Settings > Users, users, groups, and organizations to which he has been given rights in the AD server groupings––and only those––are visible.