Decision Management (ODM,ADS)

  • 1.  User Management

    Posted Mon October 30, 2023 07:33 AM

    Hello, I am new to Decision Center. This discussion is about User Management. I have just configured DC and I was surprised that when I authenticate to it with my WebSphere administration user I could have access to the DC Administration tasks without needing to add my user to one of the res* groups. I am trying to secure my DC, but it seems that everyone who can authenticate is an Administrator. So how can I secure anything in these conditions?

    Furthermore I configured the connection to LDAP in DC console, I was able to import one group to test the integration with AD, but the users for that group were not imported.

    Can you help me with this? 


    ------------------------------
    JOAO PEDRO ALEXANDRE
    ------------------------------


  • 2.  RE: User Management

    Posted Tue October 31, 2023 04:31 AM

    Hello Joao,

    If you can access the Decision Center Administration tab, it's because you have the WAS/Liberty rtsAdministrator role. See https://www.ibm.com/docs/en/odm/8.12.0?topic=center-enabling-users-groups about the existing Decision Center roles: rtsAdministrator, rtsConfigManager, rtsUser.

    So, if you want to prevent access to the Administrator tab, you have to remove this role from your user and just provide the rtsUser role.

    You should have something in your WebSphere application settings that looks like this:

    https://github.com/DecisionsDev/odm-ondocker/blob/master/decisioncenter/config/application-decisioncenter.xml#L10

    Here you have to map the J2EE role to existing LDAP groups using the fully qualified name, as explained here:

    https://www.ibm.com/docs/en/odm/8.12.0?topic=profile-step-2-configuring-user-access-decision-center

    When your roles are correctly set, you can then manage authorization at the Decision Center level. This is what we also call "fine-grained permission".

    This video provides interesting explanations: https://www.youtube.com/watch?v=WpCrAQRqVAA

    Hope this helps. 




    ------------------------------
    Mathias Mouly
    ------------------------------



  • 3.  RE: User Management

    Posted Tue October 31, 2023 06:56 AM

    Hi Mathias,

    First of all, thanks very much for your quick response.

    After reading it I went to check the user mapping in 'Security role to user/group mapping' in the teamserver application configuration and found out that the group my user belongs to is indeed mapped as rtsAdministrator.

    So that part is understood.

    Now my problem seems to be in the LDAP configuration at the Decision Center level. I am able to import the groups, but not the users. I believe the issue is in one of these parameters. I have to check them with the AD Administrator.

    Group search filter ==> (ObjectCategory=Group)
    Group name attribute ==> cn
    Group member attribute ==> member
    User login id attribute ==> uid
    User name attribute ==> samAccountName

    Thanks very much for your help.



    ------------------------------
    JOAO PEDRO ALEXANDRE
    ------------------------------



  • 4.  RE: User Management

    Posted Tue October 31, 2023 08:07 AM

    Hi,

    It is really important that the user login id attribute matches the user login attribute used in the configuration at the application server level.

    Also, your group search filter is possibly not filtering enough and might be generating too many replies...



    ------------------------------
    Alain Robert
    ------------------------------



  • 5.  RE: User Management

    Posted Tue October 31, 2023 08:30 AM

    You are right, I was playing with the parameters and after changing that one from uid to cn, I was able to import the users too.

    Thanks very much for your help.


    João Pedro Alexandre

    Senior Lead, Infrastructure Specialist

    Kyndryl Consult 
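A worked illustration of the user-import failure discussed in the last three posts, added here as example code rather than anything from the thread or from IBM ODM: an in-memory, AD-like directory (constructed sample entries) and a small resolver that applies the five parameters quoted above. With `uid` as the login id attribute the group imports but no users resolve, because AD user objects carry `sAMAccountName` and `cn` but no `uid`; switching the attribute to `cn`, as in the final post, imports the users. The configuration key names and the resolution logic are assumptions for this example, not ODM's implementation.

```python
"""Added example, not ODM code: model how an LDAP group import resolves users
and why a wrong 'user login id attribute' yields groups without members."""
from typing import Any, Dict, List, Optional

# Constructed AD-like sample entries: users have sAMAccountName and cn, no uid.
DIRECTORY: Dict[str, Dict[str, Any]] = {
    "CN=odm-admins,OU=Groups,DC=example,DC=com": {
        "objectCategory": "Group", "cn": "odm-admins",
        "member": ["CN=jalexandre,OU=Users,DC=example,DC=com",
                   "CN=mmouly,OU=Users,DC=example,DC=com"]},
    "CN=jalexandre,OU=Users,DC=example,DC=com": {
        "objectCategory": "Person", "cn": "jalexandre", "sAMAccountName": "jalexandre"},
    "CN=mmouly,OU=Users,DC=example,DC=com": {
        "objectCategory": "Person", "cn": "mmouly", "sAMAccountName": "mmouly"},
}

def get_attr(entry: Dict[str, Any], name: str) -> Optional[Any]:
    """Case-insensitive attribute lookup, as LDAP attribute names are."""
    return next((v for k, v in entry.items() if k.lower() == name.lower()), None)

def matches_filter(entry: Dict[str, Any], ldap_filter: str) -> bool:
    """Evaluate a single equality filter such as '(ObjectCategory=Group)'."""
    attr, _, value = ldap_filter.strip("()").partition("=")
    found = get_attr(entry, attr)
    return found is not None and str(found).lower() == value.lower()

def import_groups(cfg: Dict[str, str]) -> Dict[str, Dict[str, Any]]:
    """Return {group name: {login id: display name}} as the import would see it.
    A member whose login id attribute is absent is skipped: the group is
    imported but its users are not, the symptom reported in the thread."""
    imported: Dict[str, Dict[str, Any]] = {}
    for entry in DIRECTORY.values():
        if not matches_filter(entry, cfg["group_search_filter"]):
            continue
        users: Dict[str, Any] = {}
        for member_dn in get_attr(entry, cfg["group_member_attribute"]) or []:
            user = DIRECTORY.get(member_dn, {})
            login = get_attr(user, cfg["user_login_id_attribute"])
            if login is not None:  # no login id -> this user cannot be imported
                users[login] = get_attr(user, cfg["user_name_attribute"])
        imported[get_attr(entry, cfg["group_name_attribute"])] = users
    return imported

# Hypothetical key names mirroring the parameters listed in the thread.
BROKEN = {"group_search_filter": "(ObjectCategory=Group)", "group_name_attribute": "cn",
          "group_member_attribute": "member", "user_login_id_attribute": "uid",
          "user_name_attribute": "sAMAccountName"}
FIXED = {**BROKEN, "user_login_id_attribute": "cn"}  # the change that made users import
```

Running `import_groups(BROKEN)` yields the group with an empty user map, while `import_groups(FIXED)` yields both users; the same lookup is what has to match the login attribute configured at the application server level.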
