Configure Authorization Realms

Authorization Realms are used by Authentication Realms to associate Users with Roles and to determine user access to AnthillPro. Authorization Realms can be deactivated by clicking the Mark as Inactive icon (see below).

There are three Authorization Realm options:

Anthill Authorization Realm

The Anthill Authorization Realm uses AnthillPro to manage Users. You will need access to the System page in order to manage security.

  1. Go to System > Authorization under the Security menu.

  2. On the Authorization tab, click the Create Authorization Realm button.

  3. Check Anthill, click Set, and configure Realm.

    • Name the Authorization Realm.

    • Description. Provide a description of the Authorization Realm.

  4. If not adding an initial User Role, click Save then Done to complete. Otherwise proceed to item 5.

  5. Click the Add Initial User Role button (optional).

    New users created within an Authentication Realm governed by the Authorization Realm you are configuring will automatically become members of the Roles configured here. For example, if a user is added to the Kerberos Authentication Realm that is managed by the Anthill Authorization Realm, the new user will be automatically assigned the Roles chosen here.

    This item requires that the appropriate Roles have already been created. See Define Roles.

  6. Select the Role from the drop-down menu and click Add Role.

  7. To add more User Roles, repeat items 5 and 6.

  8. Click Save then Done.

LDAP Authorization Realm

The LDAP Authorization Realm uses an external LDAP server for authorization. If User Roles are defined in LDAP as an attribute of the User, the LDAP Role Attribute configuration must be used. If User Roles are defined elsewhere in LDAP and reference the Users that belong to them, an LDAP Role Search needs to be performed. You will need access to the System page in order to manage security.

  1. Go to System > Authorization under the Security menu.

  2. On the Authorization tab, click the Create Authorization Realm button.

  3. Check LDAP and click Set.

  4. On the Main tab, configure Realm:

    • Name the Authorization Realm.

    • Description. Provide a description of the Authorization Realm.

    • Role Attribute. Give the name of the attribute that contains role names in the user directory entry.

      If User Roles are defined in LDAP as an attribute of the User, the Role Attribute configuration must be used.

    • Role Name. Provide the name of the entry that contains the user's role names in the directory entries returned by the role search. If this is not specified, no role search will take place.

      If User Roles are defined elsewhere in LDAP and reference the Users that belong to them, a Role Search needs to be performed.

    • Role Base. Give the base directory to execute role searches in (e.g., ou=groups,dc=anthill3,dc=com).

    • Role Search. Provide the LDAP filter expression to use when searching for user role entries. The user name will be put in place of {1} in the search pattern and the full user DN will be put in place of {0} (e.g., member={0}).

    • Search Role Subtree. Check True to search the subtree for the roles or False to not search the subtree.

  5. If not mapping LDAP roles to Anthill Security Roles, click Save then Done to complete. Otherwise proceed to item 6.

  6. Select the Role Mapping tab (optional) and follow the Map LDAP Role link.

    This item requires that the appropriate Roles have already been created. See Define Roles.

    • LDAP Role Name. Give the LDAP role to map.

    • Anthill Role. Select the Anthill role to map the LDAP role to.

  7. Click Save then Done.
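
The Role Search settings above, worked through as an added example (not AnthillPro code; no LDAP server is contacted): the filter pattern is expanded with the user DN for {0} and the user name for {1}, each escaped per RFC 4515 so it matches literally, then evaluated against a constructed directory. The directory contents, the function names, and the treatment of Search Role Subtree = False as a one-level search are assumptions.

```python
import re

# Constructed sample directory (DN -> attributes); not taken from any real server.
DIRECTORY = {
    "cn=builders,ou=groups,dc=anthill3,dc=com": {
        "cn": ["builders"],
        "member": ["uid=jdoe,ou=people,dc=anthill3,dc=com"]},
    "cn=admins,ou=groups,dc=anthill3,dc=com": {
        "cn": ["admins"],
        "member": ["uid=root,ou=people,dc=anthill3,dc=com"]},
    "cn=release,ou=qa,ou=groups,dc=anthill3,dc=com": {
        "cn": ["release"],
        "member": ["uid=jdoe,ou=people,dc=anthill3,dc=com"]},
}

def escape_filter_value(value):
    """Escape RFC 4515 special characters so the value matches literally."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def expand_role_search(pattern, user_dn, user_name):
    """Put the escaped user DN in place of {0} and the user name in place of {1}."""
    values = {"0": user_dn, "1": user_name}
    return re.sub(r"\{([01])\}", lambda m: escape_filter_value(values[m.group(1)]), pattern)

def in_scope(dn, base, subtree):
    """Subtree: anywhere under base. Otherwise direct children only (assumed)."""
    if subtree:
        return dn.lower().endswith("," + base.lower())
    return dn.split(",", 1)[1].lower() == base.lower()

def find_roles(role_base, role_search, role_name, subtree, user_dn, user_name):
    """Evaluate a simple attr=value Role Search and return the Role Name values."""
    attr, _, raw = expand_role_search(role_search, user_dn, user_name).strip("()").partition("=")
    if "*" in raw:
        raise ValueError("wildcard filters are outside this sketch")
    want = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw).lower()
    roles = []
    for dn, attrs in DIRECTORY.items():
        if in_scope(dn, role_base, subtree) and want in [v.lower() for v in attrs.get(attr, [])]:
            roles.extend(attrs.get(role_name, []))
    return sorted(roles)
```

With Role Base ou=groups,dc=anthill3,dc=com, Role Search member={0} and Role Name cn, the constructed user jdoe resolves to builders and release when the subtree is searched, and to builders only when it is not.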

Single Sign-On Authorization Realm

The Single Sign-On Authorization Realm uses an external Single Sign-On server for authorization. You will need access to the System page in order to manage security.

  1. Go to System > Authorization under the Security menu.

  2. On the Authorization tab, click the Create Authorization Realm button.

  3. Check Single Sign-On and click Set.

  4. On the Main tab, configure Realm:

    • Name the Authorization Realm.

    • Description. Provide a description of the Authorization Realm.

  5. If not mapping Single Sign-On roles to Anthill Security Roles, click Save then Done to complete. Otherwise proceed to item 6.

  6. Select the Role Mapping tab (optional) and follow the Map Single Sign-On Role link.

    This item requires that the appropriate Roles have already been created. See Define Roles.

    • Give the Single Sign-On role to map.

    • Select the Anthill role to map the Single Sign-On role to.

  7. Click Save then Done.