Working with Groups from an LDAP domain

As you add groups from an LDAP domain to TDV, you are selecting groups or users from the LDAP server and adding them to the TDV Server. This enables differentiated group and user access, use, creation, and modification of TDV resources as LDAP authenticated users.

LDAP domain users must belong to at least one LDAP group selected to use TDV Server as an authenticated user. This enables you to implicitly assign rights, privileges, and ownership of defined resources.

Similarly when an LDAP domain group is deselected from use with TDV Server, that group and all users defined exclusively by that group are removed locally from TDV, removing their access as authenticated users. The external LDAP server is unaffected by these TDV definition changes.

After adding an LDAP group to TDV, members of that group can be authenticated with the LDAP server. Rights can be assigned to members and data sources can define privileges for the group or its members to use resource definitions and data.

A security check on user rights and privileges is made every time a request is made of TDV applications or defined resources. Authentication status with the LDAP domain is checked and maintained with a non-persisting session.

Authenticated users can own and use resources as defined by the rights and privileges assigned to them explicitly as individuals, or implicitly by group membership. Members of a group defined for use within TDV inherit all the rights and privileges defined for that group.

When the Edit or Add External Groups window is displayed, the currently available LDAP groups are displayed, and those groups already selected for use within TDV are shown with a marked check box.

Adding external groups from an LDAP domain gives the TDV system a way to support differentiated access, and use of TDV-defined resources for selected groups without including the entire domain.

Note: Adding a group is the only way to add users to TDV from an LDAP server.

User and group management is performed on the LDAP server and TDV rights and privileges are assigned to LDAP groups and users.

LDAP users are given rights and privileges to use TDV resources by explicit addition of the groups to which those members belong. LDAP managers should make sure that appropriate groupings of users are enabled to use TDV resources.

Set appropriate rights and privileges for LDAP groups in the same way that TDV groups and users get assigned rights and privileges. Pure end-users should receive no rights, but get privileges which are assigned at the individual resource level to groups and users to access data through JDBC, ODBC, or Web services clients. Unauthenticated users, anonymous, and dynamic users with pass-through authentication can be given privileges to view, access, and execute procedures on data resources, but they cannot receive rights to change TDV definitions and settings.

Groups of developers, operations users, and administrators should have explicit rights to access tools, and rights to read or modify TDV resources at design time.

After initial TDV use, LDAP domain users can be added directly to specifically defined TDV groups, thereby granting them implicit rights and privileges, or they can be given individual rights and privileges explicitly. Managing rights and privileges by group (role-based access control) makes it easier to control large groups of users.

See Managing Security for TDV Resources for more information.

To add users to LDAP domains and groups, see Adding Users to TDV from an LDAP Domain, and Add Users to Groups.

1. In Manager, choose SECURITY > Domain Management and select the LDAP domain by using the row selector at the left of the Domain table.

You can use the navigation arrows and page numbers at the bottom of the window to display additional groups. You can also change the sort order by clicking the sort icon.

Initially, no users are shown as members of the selected groups. Users from the groups appear in the TDV system after their first use of any TDV resource.

Removing a group from an LDAP domain deletes the LDAP group, all of its users, and all implicit rights and privileges on the TDV Server.

Resource definitions for /shared resources owned by users in a deleted group retain access privileges for the remaining LDAP groups to which they belong. Resource ownership is shifted to a special system user named nobody. Those data sources should be assigned a new owner, and connections to those data sources should be tested and reintrospected to ensure that the resources remain accessible.

Group deletion removes all access privileges for the deleted group and its members. Group deletion also clears users’ personal work space in the /users node. However, the external LDAP server is unaffected by these TDV definition changes.

1. In Manager, choose SECURITY > Domain Management and use the row selector at the left of the Domain table to select the LDAP domain.

The TDV administrator with Read All Users right can review and monitor user group membership from the Manager.

2. In the Groups column click the “+” icon to expand the list of groups to which the selected LDAP user belongs.

LDAP users inherit all rights and privileges from the groups in which they belong.

The TDV Server and Manager do not manage LDAP group membership. LDAP users can be added to TDV groups as described above, but LDAP groups are not modifiable from Manager.