Managing Active Directory Authentication and Authorization
What is Active Directory Authentication and Authorization?
Active Directory is a directory service implemented by Microsoft for Windows domain networks. An Active Directory domain controller authenticates and authorizes users in a Windows-domain network by enforcing security policies for all computers.
Using Sentinel EMS you can do the following:
- Authenticate the login account information (User ID and Password) using Active Directory. Active Directory authentication enables vendor users to log in to Sentinel EMS if they have an account in an Active Directory domain.
- Provide role-based authorization using Active Directory. Groups are created and associated with user accounts in the Active Directory. You then create roles in Sentinel EMS for these group names.
Updating Active Directory Users in Sentinel EMS
To authenticate Active Directory users in Sentinel EMS, the Sentinel EMS database must be updated with the Active Directory users. Before aligning Active Directory users, you must create a Sentinel EMS administrator vendor user (with an administrator role) and align that vendor user with an existing Active Directory administrator. The Active Directory administrator can then log in to Sentinel EMS and align other Active Directory users with their roles and privileges as required in Sentinel EMS.
You align the Active Directory administrator and users to Sentinel EMS one at a time by adding them from the Vendor Users page.
As you start typing a name in the User ID field, Sentinel EMS automatically fetches from Active Directory the user names that match the string entered. The names listed are those that exist in Active Directory but not in Sentinel EMS.
Existing values for attributes, such as Email and Expiration Date, are fetched from the Active Directory for the selected name.
Role Associations for Active Directory Users
Sentinel EMS provides role-based authorization using Microsoft Windows Active Directory. Groups are created and associated with Active Directory user accounts. You apply these group names to the roles that you create in Sentinel EMS.
To be able to use the groups in Active Directory for authorization in Sentinel EMS:
1. Create the same role name in Sentinel EMS for each group name in Active Directory. For example, if an Order Taker group exists in Active Directory, then create an Order Taker role in Sentinel EMS.
2. Add permissions to roles. For details, see Roles.
NOTE For a scenario where you roll back from LDAP authentication and authorization to Sentinel EMS Basic authentication (DB), ensure that the Sentinel EMS administrator user is assigned the Sentinel EMS Admin role. This enables the administrator to log in to Sentinel EMS and realign other vendor users with their roles and privileges as required.