Defining the Authorization Scheme
Presto permissions are assigned to user groups or to individual users. To set up authorization when LDAP is the user repository, you must relate Presto user groups to user groups in LDAP and define how users are assigned to groups in LDAP. User membership in LDAP groups can be defined by adding users to group entries or by adding group names to user entries, but not both.
Note:  
In previous releases, Presto user groups were called roles that could be implemented as user roles in LDAP instead of user groups. To use roles in LDAP for authorization in Presto, please contact your Software AG representative for more information.
You must add the built-in Presto groups that define basic permissions as groups in LDAP. You assign users to these built-in groups to assign basic Presto permissions. Your existing LDAP groups can then be used in Presto to define run permissions for specific mashables, mashups or apps. For more information on authorization, see Authorization Policies and Permissions.
1. If needed, log into Presto Hub and click Admin Console in the main menu.
2. Expand Presto Repositories and click User Repository - LDAP.
3. Click Advanced Options.
4. If user membership is defined in group entries in your LDAP directory, set these properties:
   * Set the Search Groups for User Membership option.
   * Enter the beginning context for user group searches in the Group Search Base property.
     This is combined with the User Group Search Filter to find LDAP groups to determine user membership in groups that may have Presto permissions. For example:
     ou=groups
   * Enter the filter to apply in group searches in the User Group Search Filter property.
     This is combined with Group Search Base to find LDAP groups to determine user membership in groups that may have Presto permissions. The variable {0} is replaced with the user's username from login. For example:
     uniquemember={0}
   * Enter the LDAP attribute in group entries that identifies a group in the Group Name Attribute property.
     This attribute contains the user group name that is used in Presto permissions. The default value is the group common name:
     cn
     Important:
     If you change this property, you must also update the Group Name Pattern property.
   * If group IDs in your LDAP Directory are not simple common names (see Group Name Attribute), enter a regular expression in Group Name Pattern to identify the built-in Presto groups.
     For example:
     cn(PRESTO_.*?)
     Presto expects specific names for the built-in groups that you add to your LDAP Directory. These values are defined in the common name of the group. This property allows Presto to find the expected values for built-in groups while still using the full, correct group names for your organization's groups.
5. If user membership is defined solely in user entries, set these properties:
   * Clear the Search Groups for User Membership option.
   * Enter the name of the LDAP attribute in user entries that identifies the groups that users belong to in the User Membership Attribute property.
   * If group IDs in your LDAP Directory are not simple common names, enter a regular expression in Group Name Pattern to identify the built-in Presto groups.
     For example:
     cn(PRESTO_.*?)
     Presto expects specific names for the built-in groups that you add to your LDAP Directory. These values are defined in the common name of the group. This property allows Presto to find the expected values for built-in groups while still using the full, correct group names for your organization's groups.
With these properties set, for example:
Search Groups for User Membership = true
Group Search Base = ou=groups
User Group Search Filter = uniquemember={0}
Group Name Attribute = cn
And a username of jwalker, Presto would search all entries in ou=groups where uniquemember=jwalker. The names for any of these groups would be the common name (cn) for the group entry.
If these properties were set instead:
Search Groups for User Membership = false
User Membership Attribute = memberOf
The list of groups would consist of all values in the memberOf attribute in the jwalker user entry.
This list of group names would be compared to the built-in Presto groups and to groups with run permissions for artifacts to determine the full set of permissions for jwalker.
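The two resolution modes described above can be modeled offline to check which group names a given login would produce before the settings are applied. This is an added example, not Presto code: the in-memory directory, the group name PRESTO_SAMPLE_ADMIN, the function names and the pattern `cn=(PRESTO_[^,]*)` are constructed, and both the RFC 4515 escaping of the login name and the use of the pattern's first capture group are assumptions rather than documented Presto behaviour.

```python
import re

# Constructed sample directory; all entry and group names are illustrative.
GROUPS = {
    "cn=PRESTO_SAMPLE_ADMIN,ou=groups": {"cn": ["PRESTO_SAMPLE_ADMIN"], "uniquemember": ["jwalker"]},
    "cn=sales,ou=groups": {"cn": ["sales"], "uniquemember": ["jwalker", "asmith"]},
    "cn=hr,ou=groups": {"cn": ["hr"], "uniquemember": ["asmith"]},
    "cn=legacy,ou=archive": {"cn": ["legacy"], "uniquemember": ["jwalker"]},
}
USERS = {"jwalker": {"memberOf": ["cn=PRESTO_SAMPLE_ADMIN,ou=groups", "cn=sales,ou=groups"]}}


def escape_filter_value(value):
    """Escape RFC 4515 special characters so a login name stays a literal value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def match_simple_filter(entry, ldap_filter):
    """Evaluate a single 'attr=value' filter; an unescaped * acts as a wildcard."""
    attr, _, pattern = ldap_filter.partition("=")
    unescape = lambda s: re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)
    regex = ".*".join(re.escape(unescape(p)) for p in pattern.split("*"))
    return any(re.fullmatch(regex, v) for v in entry.get(attr, []))


def groups_for(username, search_groups, base="ou=groups", group_filter="uniquemember={0}",
               name_attr="cn", membership_attr="memberOf", name_pattern=None):
    """Return the sorted group names that would be compared against permissions."""
    if search_groups:
        # Group-entry mode: substitute the login name for {0}, search under the base.
        flt = group_filter.replace("{0}", escape_filter_value(username))
        names = [name for dn, entry in GROUPS.items()
                 if dn.endswith("," + base) and match_simple_filter(entry, flt)
                 for name in entry.get(name_attr, [])]
    else:
        # User-entry mode: take every value of the membership attribute.
        names = list(USERS.get(username, {}).get(membership_attr, []))
    if name_pattern:
        # Assumption: the first capture group of the pattern is the built-in name.
        names = [m.group(1) if (m := re.search(name_pattern, n)) else n for n in names]
    return sorted(names)


if __name__ == "__main__":
    print(groups_for("jwalker", True))
    print(groups_for("jwalker", False, name_pattern=r"cn=(PRESTO_[^,]*)"))
    print(groups_for("*", True))  # escaped, so it matches no member value
```

In user-entry mode the membership values are full DNs in this sample, which is the case where a Group Name Pattern is needed to recover the built-in group name.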
Copyright © 2006-2015 Software AG, Darmstadt, Germany.
