You are right, I was playing with the parameters and after changing that one from uid to cn, I was able to import the users too.
Thanks very much for your help.
João Pedro Alexandre
Senior Lead, Infrastructure Specialist
Kyndryl Consult
Original Message:
Sent: 10/31/2023 8:07:00 AM
From: Alain Robert
Subject: RE: User Management
Hi,
It is really important that the user login id attribute matches the user login attribute used in the configuration at the application server level.
Also, your group search filter is possibly not filtering enough and might be generating too many replies...
------------------------------
Alain Robert
------------------------------
Original Message:
Sent: Tue October 31, 2023 06:55 AM
From: JOAO PEDRO ALEXANDRE
Subject: User Management
Hi Mathias,
First of all, thanks very much for your quick response.
After reading it I went to check the user mapping in 'Security role to user/group mapping' in the teamserver application configuration and found out that the group my user belongs to is indeed mapped as rtsAdministrator.
So that part is understood.
Now my problem seems to be in the LDAP configuration at Decision Center level. I am able to import the groups, but not the users. I believe the issue is in one of these parameters. I have to check them with the AD Administrator.
Group search filter ==> (ObjectCategory=Group)
Group name attribute ==> cn
Group member attribute ==> member
User login id attribute ==> uid
User name attribute ==> samAccountName
Thanks very much for your help.
------------------------------
JOAO PEDRO ALEXANDRE
Original Message:
Sent: Tue October 31, 2023 04:31 AM
From: Mathias Mouly
Subject: User Management
Hello Joao,
If you can access the Decision Center Administration tab, it's because you have the WAS/Liberty rtsAdministrator role. See https://www.ibm.com/docs/en/odm/8.12.0?topic=center-enabling-users-groups about existing Decision Center roles: rtsAdministrator, rtsConfigManager, rtsUser
So, if you want to prevent access to the Administrator tab, you have to remove this role from your user and just provide the rtsUser role.
You should have something in your WebSphere application settings that looks like this:
https://github.com/DecisionsDev/odm-ondocker/blob/master/decisioncenter/config/application-decisioncenter.xml#L10
Here you have to map the J2EE role to existing LDAP groups using the fully qualified name, as explained here:
https://www.ibm.com/docs/en/odm/8.12.0?topic=profile-step-2-configuring-user-access-decision-center
When your roles are correctly set, then you can manage authorization at Decision Center level. What we also call "fine grained permission".
This video provides interesting explanations: https://www.youtube.com/watch?v=WpCrAQRqVAA
Hope this helps.
------------------------------
Mathias Mouly
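
The role-to-group mapping described in this reply can be audited offline. The following is an added example, not code from the thread or from the ODM project: it parses a Liberty `application-bnd` fragment and reports every subject bound to a privileged Decision Center role that is not on an approved list. The sample XML, realm, DNs, group names and the approval policy are constructed placeholders, and treating rtsConfigManager as privileged is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample binding (placeholder realm, DNs and group names).
SAMPLE_BND = """
<server>
  <application id="decisioncenter" location="decisioncenter.war">
    <application-bnd>
      <security-role name="rtsAdministrator">
        <group name="odm-admins"
               access-id="group:exampleRealm/cn=odm-admins,ou=groups,dc=example,dc=com"/>
        <group name="all-staff"
               access-id="group:exampleRealm/cn=all-staff,ou=groups,dc=example,dc=com"/>
      </security-role>
      <security-role name="rtsConfigManager">
        <special-subject type="ALL_AUTHENTICATED_USERS"/>
      </security-role>
      <security-role name="rtsUser">
        <group name="all-staff"
               access-id="group:exampleRealm/cn=all-staff,ou=groups,dc=example,dc=com"/>
      </security-role>
    </application-bnd>
  </application>
</server>
"""

# Hypothetical policy: which groups may hold each privileged role.
APPROVED = {"rtsAdministrator": {"odm-admins"}, "rtsConfigManager": {"odm-config"}}

def role_bindings(xml_text):
    """Return {role: [(subject_kind, subject_name), ...]} in document order."""
    bindings = {}
    for role in ET.fromstring(xml_text).iter("security-role"):
        subjects = [(s.tag, s.get("name") or s.get("type")) for s in role]
        bindings.setdefault(role.get("name"), []).extend(subjects)
    return bindings

def findings(xml_text, approved=APPROVED):
    """List (role, subject) pairs that grant a privileged role too broadly."""
    out = []
    for role, subjects in role_bindings(xml_text).items():
        if role not in approved:
            continue  # roles outside the policy (e.g. rtsUser) are not checked
        for kind, name in subjects:
            # Only approved groups may hold the role; users and
            # special-subjects such as ALL_AUTHENTICATED_USERS are flagged.
            if kind != "group" or name not in approved[role]:
                out.append((role, f"{kind} {name}"))
    return out

if __name__ == "__main__":
    for role, subject in findings(SAMPLE_BND):
        print(f"{role}: bound to {subject}")
```
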
Original Message:
Sent: Mon October 30, 2023 07:33 AM
From: JOAO PEDRO ALEXANDRE
Subject: User Management
Hello, I am new to Decision Center. This discussion is about User Management. I have just configured DC and I was surprised that when I authenticate to it with my WebSphere administration user I could have access to the DC Administration tasks without needing to add my user to one of the groups res*. I am trying to secure my DC, but it seems that everyone that can authenticate is an Administrator. So how can I secure something in these conditions?
Furthermore, I configured the connection to LDAP in the DC console. I was able to import one group to test the integration with AD, but the users for that group were not imported.
Can you help me with this?
------------------------------
JOAO PEDRO ALEXANDRE
------------------------------