Working with Groups from an LDAP domain
As you add groups from an LDAP domain to TDV, you are selecting groups or users from the LDAP server and adding them to the TDV Server. This enables differentiated group and user access, use, creation, and modification of TDV resources as LDAP authenticated users.
LDAP domain users must belong to at least one LDAP group selected to use TDV Server as an authenticated user. This enables you to implicitly assign rights, privileges, and ownership of defined resources.
Similarly when an LDAP domain group is deselected from use with TDV Server, that group and all users defined exclusively by that group are removed locally from TDV, removing their access as authenticated users. The external LDAP server is unaffected by these TDV definition changes.
After adding an LDAP group to TDV, members of that group can be authenticated with the LDAP server. Rights can be assigned to members and data sources can define privileges for the group or its members to use resource definitions and data.
A security check on user rights and privileges is made every time a request is made of TDV applications or defined resources. Authentication status with the LDAP domain is checked and maintained with a non-persisting session.
Authenticated users can own and use resources as defined by the rights and privileges assigned to them explicitly as individuals, or implicitly by group membership. Members of a group defined for use within TDV inherit all the rights and privileges defined for that group.
When the Edit or Add External Groups window is displayed, the currently available LDAP groups are displayed, and those groups already selected for use within TDV are shown with a marked check box.
Adding a Group to an LDAP Domain
Adding external groups from an LDAP domain gives the TDV system a way to support differentiated access, and use of TDV-defined resources for selected groups without including the entire domain.
Note: Adding a group is the only way to add users to TDV from an LDAP server.
User and group management is performed on the LDAP server and TDV rights and privileges are assigned to LDAP groups and users.
LDAP users are given rights and privileges to use TDV resources by explicit addition of the groups to which those members belong. LDAP managers should make sure that appropriate groupings of users are enabled to use TDV resources.
Set appropriate rights and privileges for LDAP groups in the same way that TDV groups and users get assigned rights and privileges. Pure end-users should receive no rights, but get privileges which are assigned at the individual resource level to groups and users to access data through JDBC, ODBC, or Web services clients. Unauthenticated users, anonymous, and dynamic users with pass-through authentication can be given privileges to view, access, and execute procedures on data resources, but they cannot receive rights to change TDV definitions and settings.
Groups of developers, operations users, and administrators should have explicit rights to access tools, and rights to read or modify TDV resources at design time.
After initial TDV use, LDAP domain users can be added directly to specifically defined TDV groups, thereby granting them implicit rights and privileges, or they can be given individual rights and privileges explicitly. Managing rights and privileges by group (role-based access control) makes it easier to control large groups of users.
To add a group from an LDAP domain
1. In Manager, choose SECURITY > Domain Management and select the LDAP domain by using the row selector at the left of the Domain table.
2. Click Edit External Groups at the bottom of the table.
The Add External Groups window displays all groups in the LDAP domain.
3. Select those groups that you want to grant access to TDV resources.
You can use the navigation arrows and page numbers at the bottom of the window to display additional groups. You can also change the sort order by clicking the sort icon.
4. Click OK.
Initially, no users are shown as members of the selected groups. Users from the groups appear in the TDV system after their first use of any TDV resource.
Removing a Group from an LDAP Domain
Removing a group from an LDAP domain deletes the LDAP group, all of its users, and all implicit rights and privileges on the TDV Server.
Resource definitions for /shared resources owned by users in a deleted group retain access privileges for the remaining LDAP groups to which they belong. Resource ownership is shifted to a special system user named nobody. Those data sources should be assigned a new owner, and connections to those data sources should be tested and reintrospected to ensure that the resources remain accessible.
Group deletion removes all access privileges for the deleted group and its members. Group deletion also clears users’ personal work space in the /users node. However, the external LDAP server is unaffected by these TDV definition changes.
To remove a group from an LDAP domain
1. In Manager, choose SECURITY > Domain Management and use the row selector at the left of the Domain table to select the LDAP domain.
2. Click Edit External Groups.
The window displays all groups in the LDAP domain.
3. Select the groups to remove.
Use the navigation arrows and page numbers at the bottom of the window to display additional groups.
4. Click OK.
Viewing Group Membership
The TDV administrator with Read All Users right can review and monitor user group membership from the Manager.
To view a user’ s group membership in an LDAP domain
1. In Manager, choose SECURITY > User Management.
The table of users can be filtered by domain and group, and sorted on multiple attributes.
2. In the Groups column click the “+” icon to expand the list of groups to which the selected LDAP user belongs.
Adding and Removing LDAP Users from a Group
LDAP users inherit all rights and privileges from the groups in which they belong.
The TDV Server and Manager do not manage LDAP group membership. LDAP users can be added to TDV groups as described above, but LDAP groups are not modifiable from Manager.
To add or remove LDAP users to or from a group
1. In Manager, choose SECURITY > Group Management.
2. In the Users column, select the Edit Users icon for the group.
The Edit Group Membership window is displayed.
3. Add or remove users by checking or clearing the users.
4. Click OK.