Assigning Users to TDV Groups or Identities

Administration Guide > Pluggable Authentication Modules > What Happens at Deployment and Run Time > Assigning Users to TDV Groups or Identities

The TDV Manager Principal Mapping page allows you to link PAM authentication with TDV-defined users and groups.

If a user is validated, the security context values present in the Subject instance or any channel properties for that connection can be used to authenticate a specific group or user for that session. Group membership can be assigned to the user session based on any of the following:

• TDV-wide static group list

• Groups associated with approving authentication modules

• Groups associated with principals contained in the security context

If the user is from the dynamic domain, the permission check bases decisions on the session's security context.

It is recommended that dynamically-defined users have a restricted set of privileges and rights to access information in the public domain, unless you require PAM authentication for all users.

To enable use of principal mapping

1. Navigate to the TDV Manager Principal Mapping page, and from there select Security > Principal Mapping.

2. If the text to the left of Principal to Group Mapping says Disabled, click Change Enabling.

Enable mapping to use values from the security context of the authenticated user to assign that user to a TDV group.

3. Select Add Mapping.

4. Select a name for the mapping.

5. Select the Assignment Types to map values from the user’s security context.

Assignment Type	Description
X.500 Distinguished Name	This is a hierarchical string expression that allows domain, organization, and group granularity to be set in the Name field. Users defined within the more general container are mapped to the specified group for data and resource privileges.
Name Match (exact)	The name in the security context must match the specified string exactly for the group assignment to occur.
Name Match (regex)	Wild cards and special characters can be used to enable members of the same domain to have group privileges. Refers to the Java docs describing Java Class Pattern for regular expressions in java.util.regex.Pattern.
Kerberos Realm	If a Kerberos principal has been added to the security context by a login module, a group mapping can be assigned based on the principal realm. This adds to the mapping that was set for the module instance.

6. Specify the domain and group rights and privileges to assign to the users who match the given name.

The domain specification can be omitted if you want to specify the TDV domain, which is the default behavior.