Defining the Authorization Scheme
MashZone NextGen permissions are assigned to user groups or to individual users. To set up authorization when LDAP is the user repository, you must relate MashZone NextGen user groups to user groups in LDAP and define how users are assigned to groups in LDAP. User membership in LDAP groups can be defined by adding users to group entries or by adding group names to user entries, but not both.
Note: In previous releases, MashZone NextGen user groups were called roles that could be implemented as user roles in LDAP instead of user groups. To use roles in LDAP for authorization in MashZone NextGen, please contact your Software AG representative for more information.
You must add the built-in MashZone NextGen groups that define basic permissions as groups in LDAP. You assign users to these built-in groups to grant basic MashZone NextGen permissions. Your existing LDAP groups can then be used in MashZone NextGen to define run permissions for specific mashables, mashups or apps.
For more information on authorization, see Authorization Policies and Permissions.
1. If needed, log into MashZone NextGen Hub and click Admin Console in the main menu.
2. Expand MashZone NextGen Repositories and click User Repository - LDAP.
3. Click Advanced Options.
4. If user membership is defined in group entries in your LDAP directory, set these properties:
- Set the Search Groups for User Membership option.
- Enter the beginning context for user group searches in the Group Search Base property. This is combined with the User Group Search Filter to find the LDAP groups that determine user membership in groups that may have MashZone NextGen permissions. For example:
ou=groups
- Enter the filter to apply in group searches in the User Group Search Filter property. This is combined with Group Search Base to find the LDAP groups that determine user membership in groups that may have MashZone NextGen permissions. The variable {0} is replaced with the user's username from login. For example:
uniquemember={0}
- Enter the LDAP attribute in group entries that identifies a group in the Group Name Attribute property. This attribute contains the user group name that is used in MashZone NextGen permissions. The default value is the group common name:
cn
Important: If you change this property, you must also update the Group Name Pattern property.
- If group IDs in your LDAP directory are not simple common names (see Group Name Attribute), enter a regular expression in Group Name Pattern to identify the built-in MashZone NextGen groups. For example:
cn=(PRESTO_.*?)
MashZone NextGen expects specific names for the built-in groups that you add to your LDAP directory. These values are defined in the common name of the group. This property allows MashZone NextGen to find the expected values for the built-in groups while using the full, correct group names for your organization's groups.
5. If user membership is defined solely in user entries, set these properties:
- Clear the Search Groups for User Membership option.
- Enter the name of the LDAP attribute in user entries that identifies the groups that users belong to in the User Membership Attribute property.
- If group IDs in your LDAP directory are not simple common names, enter a regular expression in Group Name Pattern to identify the built-in MashZone NextGen groups. For example:
cn=(PRESTO_.*?)
MashZone NextGen expects specific names for the built-in groups that you add to your LDAP directory. These values are defined in the common name of the group. This property allows MashZone NextGen to find the expected values for the built-in groups while using the full, correct group names for your organization's groups.
With these properties set, for example:
Search Groups for User Membership = true
Group Search Base = ou=groups,ou=system
User Group Search Filter = uniquemember={0}
Group Name Attribute = cn
and a username of jwalker, MashZone NextGen would search all entries in ou=groups where uniquemember=jwalker. The name of each of these groups would be the common name (cn) of the group entry.
If these properties were set instead:
Search Groups for User Membership = false
User Membership Attribute = memberOf
the list of groups would consist of all values of the memberOf attribute in the jwalker user entry.
In either case, this list of group names is compared to the built-in MashZone NextGen groups and to the groups with run permissions for artifacts to determine the full set of permissions for jwalker.
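The two membership-resolution modes above, modelled in Python as an added example (not MashZone NextGen's own code): it runs both modes for jwalker against a constructed in-memory directory, applies the Group Name Pattern to the result, and splits the names into built-in and organization groups. The directory contents, the built-in names PRESTO_Admin and PRESTO_User, the toy attr=value filter evaluator and the full-match-against-first-RDN reading of Group Name Pattern are assumptions; the RFC 4515 escaping of the username before it replaces {0} is a defensive detail the page does not mention.

```python
import re
# Constructed sample directory standing in for the LDAP server: DN -> attributes.
# uniquemember holds bare usernames because the page's example filter is uniquemember={0}.
DIRECTORY = {
    "cn=PRESTO_Admin,ou=groups,ou=system": {"cn": ["PRESTO_Admin"], "uniquemember": ["jwalker"]},
    "cn=PRESTO_User,ou=groups,ou=system": {"cn": ["PRESTO_User"], "uniquemember": ["mlee"]},
    "cn=finance,ou=groups,ou=system": {"cn": ["finance"], "uniquemember": ["jwalker", "mlee"]},
    "uid=jwalker,ou=people,ou=system": {"memberOf": [
        "cn=PRESTO_Admin,ou=groups,ou=system", "cn=finance,ou=groups,ou=system"]},
}
# Placeholder names for the built-in groups; the product's actual list is not on the page.
BUILTIN_GROUPS = {"PRESTO_Admin", "PRESTO_User"}

def escape_filter_value(value):
    """RFC 4515 escaping so a login name cannot alter the structure of the search filter."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)

def groups_from_group_entries(username, cfg):
    """Search Groups for User Membership = true: apply the filter under the search base."""
    filt = cfg["User Group Search Filter"].replace("{0}", escape_filter_value(username))
    attr, _, wanted = filt.partition("=")  # toy evaluator: handles attr=value filters only
    names = []
    for dn, attrs in DIRECTORY.items():
        if dn.endswith("," + cfg["Group Search Base"]) and wanted in attrs.get(attr, []):
            names += attrs.get(cfg["Group Name Attribute"], [])
    return names

def groups_from_user_entry(user_dn, cfg):
    """Search Groups for User Membership = false: read the membership attribute of the user."""
    return list(DIRECTORY[user_dn].get(cfg["User Membership Attribute"], []))

def apply_group_name_pattern(raw_names, pattern):
    """Assumption: the pattern is full-matched against the first RDN of each raw value;
    a match yields the captured built-in name, a non-match keeps the raw value as-is."""
    out = []
    for raw in raw_names:
        m = re.fullmatch(pattern, raw.split(",", 1)[0]) if pattern else None
        out.append(m.group(1) if m else raw)
    return out

def resolve_permission_groups(raw_names, pattern=None):
    """Split the resolved names into built-in groups and organization groups (run permissions)."""
    names = set(apply_group_name_pattern(raw_names, pattern))
    return names & BUILTIN_GROUPS, names - BUILTIN_GROUPS

if __name__ == "__main__":
    cfg = {"Group Search Base": "ou=groups,ou=system", "User Group Search Filter": "uniquemember={0}",
           "Group Name Attribute": "cn", "User Membership Attribute": "memberOf"}
    print(resolve_permission_groups(groups_from_group_entries("jwalker", cfg)))
    print(resolve_permission_groups(groups_from_user_entry("uid=jwalker,ou=people,ou=system", cfg), r"cn=(PRESTO_.*?)"))
```

Without a Group Name Pattern, the memberOf mode yields full DNs, so none of them match a built-in group name; the pattern is what lets the built-in groups be recognised in that mode.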