Each group to which a user is a member is compared against the mapping parameters. Mapping
occurs sequentially with a group first compared to the super-map parameter. If no match is made,
the group is then compared with the service-map parameter, and so on. For example, if a match
is made for group A with the super-map parameter, the user belonging to group A is authorized
with Super rights to the system.
With this process, a user can be authenticated, but not authorized if no group membership exists.
In this case, the user is subsequently denied access to the system.
Authorization on Systems Using Virtual Domains
As discussed in
within the system. On systems using virtual domains, this process is taken one step further where
the user's groups are mapped to system domains. Therefore, the user's role within a specific group
is carried over to the domain(s) mapped to that group. For instructions on authorizing LDAP users
on systems using Domains, see Chapter 4, Managing User Accounts and Connections in the HP
3PAR OS CLI Administrator's Manual.
The group-to-domain mapping relationship:
LDAP User 1 has membership to Group B.
Group-to-role mapping determines that Group B uses the Edit role.
Group-to-domain mapping establishes a match between Group B and Domain A.
LDAP User 1 has Edit role access to all objects in Domain A.
"Authorization" (page
22), a user's group association determines that user's role
LDAP Authentication and Authorization
23