drenze

BSM 9.20 LDAP Authentication - Deny User Access by default

The title pretty much says it all.

I'm setting up BSM 9.20 in our environment using LDAP authentication and user synchronization. I have this working wonderfully. However, by default, any users not in one of my user groups are able to log in with system viewer permissions by default. I would like to prevent them from logging in at all.

This must be something that somebody else has wanted to do at some point - is there any way to do this or has anybody set up a workaround?

Thanks.

Micro Focus Expert

Re: BSM 9.20 LDAP Authentication - Deny User Access by default

From BSM documentation:

LDAP users who do not exist in, and log into, BSM, are created as BSM users. Their status is determined as follows:

➤ If the user belongs to a mapped LDAP group, she is automatically assigned to the BSM group that is mapped to their LDAP group.
➤ If their group is not mapped to a BSM group, or if they do not belong to an LDAP group, they are nested under the Root group and created as a BSM user with System Viewer permissions. Their permissions and user hierarchy can be modified on the User Management interface.

====================================================================================

This task describes how to handle unknown users trying to log into BSM -- users that were authenticated by the hosting application but do not exist in the BSM users repository:

To configure unknown user handling mode:

1. Select Admin > Platform > Setup and Maintenance > Infrastructure Settings, choose Foundations, and select Single Sign On.
2. Locate the Unknown User Handling Mode entry in the Single Sign On - Lightweight (LW-SSO) field, and select one of the following options:
   ➤ Integration User. A user with the User name Integration User is created in place of the user who attempted to login. This user has System Viewer permissions.
   ➤ Allow. The user is created as a new BSM user and allowed access to the system. This user has System Viewer permissions, and his default password is his login name.
   ➤ Deny. The user is denied access to BSM, and is directed to the login page.

The changes take effect immediately.

Note: When User Synchronization is enabled between BSM and the LDAP server, unknown users are always denied entry into BSM.

drenze

Re: BSM 9.20 LDAP Authentication - Deny User Access by default

Thanks for pointing this out - I missed it in the documentation. I'm not wild about the entirely online format of the documentation in 9.20 without the easy access to the PDFs from earlier versions. I've had a few config issues that I searched and searched for that were resolved quickly once I found the PDFs.

Thanks again!

drenze

Re: BSM 9.20 LDAP Authentication - Deny User Access by default

K...I've done this, and LDAP users not specifically in one of my groups are still able to login.

Syed Uzair D Ha

Re: BSM 9.20 LDAP Authentication - Deny User Access by default

Hey Guys,

Can you please share the PDFs where this information is available?

Thanks

FrankyVally

Re: BSM 9.20 LDAP Authentication - Deny User Access by default

Hello,

I am going through the same issue. Even after changing the Infrastructure foundation of SSO to Deny, it still lets users in even if they do not belong to any of the groups configured in BSM.

Does anybody know how to really deny access to users that do not belong to groups configured in BSM?

Thanks and regards.

jmertie

Re: BSM 9.20 LDAP Authentication - Deny User Access by default

Wondering if this thread is closed... I have confirmed that the results that at least I expected for the Deny option does not function properly. The system I am working on is 9.21 and MS AD (not sure of the version or if it matters). Any ideas of patches to address this, administrative workarounds or my misunderstanding to expected behavior will be appreciated.

drenze

Re: BSM 9.20 LDAP Authentication - Deny User Access by default

Well...I'm the one who posted the original message, and *I* certainly don't consider it to be closed, as I haven't received a satisfactory answer yet. 🙂

Now...as far as it goes...In the Infrastructure settings, there's a setting (I can't remember which one) which identifies the default role that a user who is not in a group that has not specifically been given permissions. By default, this is set to System Viewer. If you blank it out, then the default user role is to have *no* system permissions - they can't see anything. This is what I've done.

It's not an ideal solution, but it's one that I'm able to live with, in terms of our company's IT Security policies.

Hope this helps.

paulmsantiago

Re: BSM 9.20 LDAP Authentication - Deny User Access by default


drenze wrote:

Well...I'm the one who posted the original message, and *I* certainly don't consider it to be closed, as I haven't received a satisfactory answer yet. 🙂

Now...as far as it goes...In the Infrastructure settings, there's a setting (I can't remember which one) which identifies the default role that a user who is not in a group that has not specifically been given permissions. By default, this is set to System Viewer. If you blank it out, then the default user role is to have *no* system permissions - they can't see anything. This is what I've done.

It's not an ideal solution, but it's one that I'm able to live with, in terms of our company's IT Security policies.

Hope this helps.



I've had to do the same in the past.

The setting to blank out is "Automatically created user roles" under "LDAP Configuration - LDAP General".

Javier_Mora

Re: BSM 9.20 LDAP Authentication - Deny User Access by default

Hello,

Pretty much, the workaround in this case is as you have described, to clear out the setting from BSM Platform.

If you require a different solution than this one, I would advise to open an enhancement to Support including all the details on desired behavior and reasons on why this is needed as requested.

BSM Support will follow this request and validate it with R&D.

Kind regards,

Javier
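
An audit that complements the workaround discussed in this thread, as an added example that is not part of any post or of BSM itself: it reads an LDIF export of directory users and lists the accounts that belong to none of the LDAP groups mapped to BSM groups, which are the accounts that would receive the automatically created role. The sample LDIF, the group DNs and the function names are constructed for illustration, and only direct `memberOf` values are considered (nested groups are not resolved).

```python
import base64

# Constructed sample LDIF export (not data from the thread).
SAMPLE_LDIF = """\
dn: CN=Bob Sales,OU=Staff,DC=example,DC=test
sAMAccountName: bob
memberOf: CN=Sales,OU=Groups,DC=example,DC=test

dn: CN=Carol Admin,OU=Staff,DC=example,DC=test
sAMAccountName: carol
memberOf: cn=bsm-admins, ou=Groups,
 dc=example,dc=test

dn: CN=Dave Temp,OU=Staff,DC=example,DC=test
sAMAccountName:: ZGF2ZQ==
"""

MAPPED_GROUPS = [  # hypothetical LDAP groups mapped to BSM groups
    "CN=BSM-Operators,OU=Groups,DC=example,DC=test",
    "CN=BSM-Admins,OU=Groups,DC=example,DC=test",
]

def norm_dn(dn):
    """Case- and whitespace-insensitive DN form (escaped commas not handled)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_ldif(text):
    """Yield one {attribute: [values]} dict per LDIF entry."""
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")  # undo line folding
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            attr, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64 value>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            entry.setdefault(attr.lower(), []).append(value.strip())
        if entry:
            yield entry

def unmapped_users(ldif_text, mapped_groups):
    """Logins of users whose direct groups include no mapped group."""
    mapped = {norm_dn(g) for g in mapped_groups}
    return [e["samaccountname"][0] for e in parse_ldif(ldif_text)
            if "samaccountname" in e
            and not mapped & {norm_dn(g) for g in e.get("memberof", [])}]

print(unmapped_users(SAMPLE_LDIF, MAPPED_GROUPS))
```

Comparing this list with the users that actually exist under the Root group in User Management shows which unmapped accounts have already logged in.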