Any way to restrict access to Catalog files in ES
Hi, is there a way we can restrict access to certain files to certain users/groups in the Catalog option (on the left-hand side menu under ESMAC)?
I am working on a requirement where we want to give access to only certain user/group on certain files.
E.g. Group A - cannot access files, or can access them only in 'Readonly' mode, for files having the first 2 qualifiers DRRX.PROD.*
I'd appreciate it if anyone could share a step-wise process/procedure to achieve this, or a solution close to this requirement.
To do this you would need to configure the Enterprise Server External Security Facility, then configure the External Security Manager (usually an LDAP server such as Active Directory or OpenLDAP's slapd) with security rules for the datasets you want to restrict.
There's an entire volume of documentation on Enterprise Server security, though its exact location depends on the product you're using. (Please remember to include your product, version, and platform when you post a question.) For example:
Michael, we are using NE 5.1 for one client and 6.0 for another client, but both have Micro Focus running on a Unix system.
Can you please provide the steps on how to set up an LDAP server running on a UNIX system for ES/MTO security?
Thanks for your help.
[quote user="ASHISH"]Can you please provide the steps on how to set up an LDAP server running on a UNIX system for ES/MTO security?[/quote]
That's not the sort of thing you can fit into a forum post. Installing, configuring, and maintaining an LDAP server in a production environment is a significant system-administration task.
In your case, it will be complicated by the fact that you have one installation running Server Express 5.1. (Net Express is the Windows product - on Unix or Linux, you'll be running Server Express or Application Server, for a 5.x or 6.x product.) There have been a lot of enhancements and fixes to our security features and LDAP client support since 5.1.
You will need to:
- Determine what LDAP server you're going to use. OpenLDAP (its server component is called "slapd") is the most common choice for Unix/Linux, but there are others for most platforms. Most of our customers actually use Active Directory running on a Windows system (typically a domain controller) for the LDAP server, even when they run Enterprise Server on Unix systems; the Unix LDAP client can connect to Active Directory without any problems.
- Install the LDAP server and get it running.
- Configure the LDAP server for ES security. That means:
  - Understanding the ES External Security Facility (refer to the Micro Focus docs).
  - Understanding the MLDAP ESM Module, part of the ESF.
  - Making some choices about how you're going to use LDAP-based security. For example, you'll need to decide how users are verified, and whether you're going to try to integrate OS user accounts and ES user accounts (so Enterprise Server users are the same as operating system users).
  - Extending the LDAP schema to include Micro Focus object classes and attributes.
  - Installing the sample ES security configuration into the LDAP server.
- Installing an LDAP client shared object on the Unix systems (most often this is the OpenLDAP client).
- Configuring an Enterprise Server Security Provider to use the MLDAP ESM Module and the LDAP client you've installed, to make security queries against your LDAP server.
- Configuring your Enterprise Server regions to use your Security Provider, setting security options and if necessary modifying security rules to create a security policy that meets your needs. (For example, can regions be started and stopped without a user ID and password?)
- When all of that's working, adding rules to the LDAP repository to implement your additional security requirements, such as limiting access to those data sets.
Most of the documentation and supporting materials we provide for LDAP setup are for Windows and Active Directory, because that's what nearly all customers use. Only a handful of customers have implemented security using a Unix-based LDAP server. Generally speaking, they either had the LDAP server already in production and had administrators who were experienced with it, or they took the time to build that expertise.
The OpenLDAP web site has a quick-start guide that might be helpful: http://www.openldap.org/doc/admin24/quickstart.html
If you're not up to speed on LDAP and configuring it on a UNIX platform, you might contact your sales rep and get a Micro Focus consultant out for a few days to do it for you.
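As an added illustration (not Micro Focus code, and not the MLDAP ESM's actual rule syntax or LDAP layout), here is a small Python model of the kind of dataset rule the original question asks for and that the last step in the list above adds to the repository: group A read-only on DRRX.PROD.*, matched qualifier by qualifier so that DRRX.PRODX never matches, with the most specific rule winning and no matching rule meaning no access. The wildcard semantics, group names, access levels and default-deny choice are all assumptions.

```python
"""Constructed model of group-based dataset access rules (illustration only, not
Micro Focus ESF/MLDAP code): resource rules keyed by a qualifier pattern, each with
an ACL of group -> access level. Semantics below are assumptions for the example."""
from dataclasses import dataclass

NONE, READ, UPDATE = 0, 1, 2        # access levels, ordered least to most permissive
LEVEL_NAME = {NONE: "NONE", READ: "READ", UPDATE: "UPDATE"}

@dataclass
class Rule:
    pattern: str                    # e.g. "DRRX.PROD.*"
    acl: dict                       # group name -> access level
    default: int = NONE             # access for groups not listed in the ACL

def qualifier_match(pattern: str, dataset: str) -> bool:
    """Match qualifier by qualifier (case-insensitive). '*' matches exactly one
    qualifier, except as the last pattern qualifier, where it matches one or more
    remaining qualifiers. Substring matches such as DRRX.PRODX never succeed."""
    pq, dq = pattern.upper().split("."), dataset.upper().split(".")
    for i, p in enumerate(pq):
        if i >= len(dq):
            return False            # dataset has fewer qualifiers than the pattern
        if p == "*":
            if i == len(pq) - 1:
                return True         # trailing '*' swallows the rest
        elif p != dq[i]:
            return False
    return len(pq) == len(dq)       # fully literal pattern must match exactly

def specificity(pattern: str) -> int:
    """Number of literal qualifiers; the most specific matching rule wins."""
    return sum(1 for q in pattern.split(".") if q != "*")

def access_for(dataset: str, groups: set, rules: list) -> int:
    """Most specific matching rule decides; within it a user gets the highest level
    any of their groups holds. No matching rule means no access (fail closed)."""
    matching = [r for r in rules if qualifier_match(r.pattern, dataset)]
    if not matching:
        return NONE
    rule = max(matching, key=lambda r: specificity(r.pattern))
    return max([rule.acl.get(g, rule.default) for g in groups] + [rule.default])

# Constructed policy for the question's requirement: group A is read-only on
# DRRX.PROD.*, an assumed OPS group may update, everyone else gets nothing.
RULES = [
    Rule("DRRX.PROD.*", {"GROUPA": READ, "OPS": UPDATE}),
    Rule("DRRX.*.*", {"GROUPA": UPDATE, "OPS": UPDATE}),   # broader, less specific
]

if __name__ == "__main__":
    for ds in ("DRRX.PROD.MASTER", "DRRX.TEST.MASTER", "DRRX.PRODX.DATA", "DRRX.PROD"):
        print(ds, LEVEL_NAME[access_for(ds, {"GROUPA"}, RULES)])
```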