ACCESS MANAGEMENT
OVERVIEW
TYPES OF USERS IN CMS
There are two types of users in CMS:
- Local CMS Users – These users are created and maintained in CMS. This type of user is very useful in test environments
  - This feature can also be leveraged as a fallback mechanism
  - During initial CMS Onboarding after installation, a Super Admin user is created
- LDAP/AD Users – In a compliance environment, it is desirable to have all authentication from AD and not from a local, isolated authentication. This aids in maintaining authentication audit records
  - The default CMS Role is assigned to the user. The user role may be modified as required by the Super Admin user. Refer to Section User Roles for more information about the User Roles
  - Once a user is imported in CMS, if the user is deleted in LDAP, logging into the CMS is not allowed. But the user has to be deleted from CMS by a Super Admin. (Refer to Section Delete User)
- SAML Users – An existing IDP can be configured and the SAML users can access CMS with their credentials. Refer to Section SAML SSO Integration
  - The profile information and password of SAML users cannot be modified from CMS. These modifications must be performed through the SAML IDP
AD
AD stands for Active Directory. It is a directory services implementation that provides functionalities like authentication, group and user management, policy administration and more. AD supports both Kerberos and LDAP. Microsoft AD is by far the most common directory services system in use today. AD provides Single-Sign On (SSO) and works well on premise and over VPN.
An admin can create a group of users and give them specific access privileges to certain directories on the server. As a network grows, AD provides a way to organize a large number of users into logical groups and sub-groups, while providing access control at each level. A port is utilized for communication between AD and VSP CMS
LDAP
LDAP stands for Lightweight Directory Access Protocol. LDAP provides a communication language that applications use to communicate with directory services servers.
LDAP is used for user authentication against an existing Active Directory. There are multiple ways of configuring the directory, and the way authentication is carried out depends on how the directory is organized. A multi-tree structure is also supported by VSP.
LDAP WORKING
- A client sends a request for information stored within an LDAP database along with the user’s credentials to an LDAP server
- The LDAP server then authenticates the credentials submitted by the user against their core user identity, which is stored in the LDAP database
- If the credentials submitted by the user match the credentials associated with their core user identity that is stored within the LDAP database, the client is granted access and receives the requested information (attributes, group memberships, or other data)
- If the credentials do not match, the client is denied access to the LDAP database
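The four steps above, modelled as an added example that is not part of this guide and not VSP CMS code. It stands in an in-memory dictionary for the LDAP/AD directory (the DNs, attribute names, users and passwords are constructed), verifies the submitted credentials against the stored identity, and returns the entry's attributes or group memberships only on a match. The `cms_login` function is assumed logic that models the documented behaviour for imported LDAP users: a user removed from the directory is refused at login even though the CMS record remains until a Super Admin deletes it.

```python
import hashlib
import hmac
from typing import Optional

# Constructed in-memory stand-in for an LDAP/AD directory: DN -> attributes.
# A real deployment queries the directory server over its LDAP port; here only
# the search-then-verify flow is modelled. Password verifiers are salted PBKDF2
# digests, never plaintext.
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> str:
    """Derive a hex verifier for a password with a per-entry salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS).hex()


BASE_DN = "ou=people,dc=example,dc=com"
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "uid": "alice",
        "mail": "alice@example.com",
        "memberOf": ["cn=cms-users,ou=groups,dc=example,dc=com"],
        "salt": b"alice-salt-0001",
        "userPassword": hash_password("correct horse battery staple", b"alice-salt-0001"),
    },
    # Deliberately outside BASE_DN: a search scoped to BASE_DN must not find it.
    "uid=svc-cms,ou=services,dc=example,dc=com": {
        "uid": "svc-cms",
        "mail": "svc-cms@example.com",
        "memberOf": [],
        "salt": b"svc-salt-0001",
        "userPassword": hash_password("service-secret", b"svc-salt-0001"),
    },
}


def find_entry(directory: dict, base_dn: str, uid: str) -> Optional[tuple]:
    """Step 1: locate the core user identity under base_dn by its uid."""
    for dn, attrs in directory.items():
        if dn.endswith("," + base_dn) and attrs.get("uid") == uid:
            return dn, attrs
    return None


def authenticate(directory: dict, base_dn: str, uid: str, password: str) -> Optional[dict]:
    """Steps 2-4: check the submitted credentials against the stored identity.

    Returns the entry's attributes (without the verifier) when they match and
    None when the user is unknown or the password is wrong. Both failures look
    the same to the client, so the response does not reveal which names exist.
    """
    found = find_entry(directory, base_dn, uid)
    if found is None:
        return None
    _dn, attrs = found
    candidate = hash_password(password, attrs["salt"])
    if not hmac.compare_digest(candidate, attrs["userPassword"]):
        return None
    return {k: v for k, v in attrs.items() if k not in ("userPassword", "salt")}


# CMS side (assumed logic modelling the documented behaviour): imported LDAP
# users are re-checked against the directory at every login; a CMS record on
# its own never grants access.
CMS_USERS = {"alice": {"source": "LDAP", "cms_role": "Default"}}


def cms_login(cms_users: dict, directory: dict, uid: str, password: str) -> tuple:
    """Return (granted, reason). An LDAP user deleted from the directory is
    refused even though the CMS record still exists until a Super Admin removes it."""
    record = cms_users.get(uid)
    if record is None:
        return False, "user not imported in CMS"
    if record["source"] == "LDAP":
        attrs = authenticate(directory, BASE_DN, uid, password)
        if attrs is None:
            return False, "LDAP authentication failed"
        return True, "role=" + record["cms_role"]
    return False, "unsupported user source"


if __name__ == "__main__":
    print(authenticate(DIRECTORY, BASE_DN, "alice", "correct horse battery staple"))
    print(cms_login(CMS_USERS, DIRECTORY, "alice", "wrong"))
    # Simulate the user being deleted in LDAP while the CMS record remains.
    gone = {dn: a for dn, a in DIRECTORY.items() if a["uid"] != "alice"}
    print(cms_login(CMS_USERS, gone, "alice", "correct horse battery staple"))
```

The search is scoped to the configured base DN, which is why the constructed service account under `ou=services` is not found even with its correct password: the directory layout decides who can authenticate, as the LDAP section notes. The constant-time comparison and the identical failure responses are the two details a reviewer would check in any real bind-or-verify implementation.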