Depending on the authentication method that you have set up, users can be created in Data360 Analyze either manually or dynamically:
- Manual user creation - Administrators create users locally in Data360 Analyze, see Creating local users.
- Dynamic user creation - If SSO or LDAP/AD authentication is enabled, users can be created automatically on sign in, as follows:
- If SSO authentication is enabled, a local user can be created on sign in from the username that CA Single Sign-On passes in the SM_USER header. Alternatively, if LDAP/AD integration is also configured, the SM_USER value is looked up in the LDAP/AD source system and the user is created from their LDAP/AD profile. Because the identity is taken from a request header, Data360 Analyze must only be reachable through the CA Single Sign-On agent that sets SM_USER; a client that can reach the server directly could otherwise present any username in that header.
- If LDAP/AD integration is configured, users can be created automatically on sign in or imported in bulk from their LDAP/AD user accounts.
To configure dynamic user creation for SSO or LDAP/AD users, or to manually import users from LDAP/AD:
- From the Directory, select Settings.
- Select User Accounts.
From the Details panel, you can:
- Select default roles for new user accounts, see General.
- Select whether you want to create user accounts on demand, see On Demand User Creation.
- Configure the LDAP Server connection details, see LDAP Server.
- Enter the import settings for your LDAP/AD server, including scheduled LDAP/AD synchronization, see LDAP import and Bulk import.
- Configure Advanced Settings for LDAP/AD imports, including LDAP alias dereferencing.
General
Property | Description |
---|---|
Default roles for new users | Select one or more default user roles to assign to new users when they are created by on-demand user creation. If you do not want to assign a role immediately, leave this field blank. For more information on the user roles that are available in Data360 Analyze, see User roles. Tip: To change the roles of a particular user later, select the Users collection from the Directory, see Managing users. |
Default roles for new groups | Select one or more default roles to assign to new groups when they are created by on-demand group synchronization. |
On Demand User Creation
Property | Description |
---|---|
Do not create user account | Select this option if you do not want user accounts to be created dynamically. Admin users must then create new user accounts manually, see Creating local users. |
Create local account | Select Create local account to create a local user account automatically the first time a user signs in to Data360 Analyze. |
Sync groups | When Create local account is selected, select Sync groups to enable SAML SSO group management. |
Import from LDAP | Select Import from LDAP to create user accounts automatically from the external system. If you have integrated with SSO or LDAP/AD and select this option, the account of an LDAP/AD or SSO user is created the first time that user signs in to Data360 Analyze. Note: To import user account details via LDAP/AD, you must also complete the LDAP Server and LDAP import fields. If you do not select this option, you can still import LDAP/AD users manually by clicking the Import Now button once you have entered your LDAP/AD settings. |
Update user accounts on every sign in | Select Update user accounts on every sign in if you want Data360 Analyze to query your LDAP/AD server each time an LDAP/AD user signs in, so that the account reflects the latest LDAP/AD information. This lookup adds to sign-in time. |
Bulk import
Property | Description |
---|---|
Schedule update and Import Now | Set the Schedule update every X days at X property to synchronize with your LDAP/AD source system automatically and regularly obtain the latest user account information. Note: Updates only run while the server is running. If the server is restarted, the next sync happens at the scheduled time, not immediately after the restart. When you have finished entering your LDAP/AD settings, click the Import Now button to import users and groups from your LDAP/AD server. When the import is complete, an import summary is displayed in the Details panel. Note: The Import Now button is only enabled once the LDAP Server and LDAP import sections are complete. |
LDAP Server
Enter the connection settings for your LDAP/AD server, as per the examples in the following table:
Server Connection property | Description |
---|---|
LDAP - or - Active Directory | Select LDAP or Active Directory depending on your external source system. |
Server URL | Specify the server which hosts your LDAP/AD source system, including the port number and root DN, in the following format: ldap://server.example.com:389/ou=someOrgUnit,dc=example,dc=com The root Distinguished Name (root DN) is the entry point in the LDAP/AD structure from which the import takes place. Note: We recommend setting the root DN as deep in the tree as possible, so that only the subtree containing the accounts to import is searched. Using a secure connection to import LDAP/AD users and groups: to enable LDAP over SSL, use the "ldaps" scheme in the URL and make sure the port number is the LDAPS port of the LDAP server (636 by default, not the plaintext port 389): ldaps://server.example.com:636/ou=someOrgUnit,dc=example,dc=com You must then install security certificates on both your source LDAP/AD server and the Data360 Analyze server. See Adding SSL certificates > Installing the certificate for more details. Without ldaps, the bind password and all imported account data cross the network in clear text. |
Application User DN | Enter the Application User DN. This is the DN of the LDAP account that Data360 Analyze binds with when connecting to the source system to perform an import. Use a dedicated account with read-only access to the subtree being imported; the import needs no write permissions. |
Application User Password | Enter the Application User Password that corresponds to the Application User DN. |
LDAP import
Enter the import settings for your LDAP/AD server, as per the examples in the following table:
Import Settings property | Description |
---|---|
Username Attribute | Specify the attribute on your source LDAP/AD system whose value becomes the username of each imported user. |
User Filter | A value is required for this property. The user filter determines how users are identified on the source system and, optionally, limits the import to only those users who require access to Data360 Analyze. Write the filter in standard LDAP filter syntax. Filtering to exclude an attribute: a filter that matches all objects with an objectClass attribute of "person" and excludes objects whose Organizational Unit (ou) attribute is "HumanResources" OR "ResearchAndDevelopment". Using the wildcard operator: a filter on objectClass=* matches every object whose objectClass attribute is populated. Because every LDAP entry has an objectClass, this matches everything under the root DN, including groups and organizational units, so only use it when the root DN already isolates user entries. |
Import usernames as lowercase | Select Import usernames as lowercase so that users can enter their login username in lower case and still access the system. This is useful when integrating with an LDAP/AD system that authenticates case-insensitively. If you do not select this option, usernames are imported in their original case. For example, a username stored as "aUser" in AD is imported as "auser" when the option is selected and as "aUser" when it is not. |
Import Groups | Select Import Groups to import groups as well as users. |
Group Filter | If you are importing groups, you must apply a filter that identifies groups on the source system and, optionally, limits the import to groups that match specific criteria. Write the filter in standard LDAP filter syntax, using objectClass=<something> to identify a group in the source system. Filtering for multiple attributes: a filter that matches objects with an objectClass attribute of "groupOfNames" AND that are members of the "Data360 Analyze Users Group". |
Group Name Attribute | Specify the attribute on your source LDAP/AD system whose value becomes the name of each group imported into Data360 Analyze. |
Group Member Attribute | Specify the attribute on the source LDAP/AD system that lists the users who are members of the group. |
Paging limit | LDAP/AD systems commonly enforce a paging limit so that large result sets are returned in fixed-size pages rather than slowing down the directory. Enter a paging limit that is the same as or lower than the limit set on your LDAP/AD source system; ask your LDAP/AD administrator for that value. For example, if the source system specifies a paging limit of "5" and you set "0" (unlimited) in Data360 Analyze, the import fails with an error because this exceeds the source limit of "5". Likewise, a paging limit of "10" fails with an error stating that the page size limit set on the source system has been exceeded. A paging limit of "5" or less lets the import complete, as it stays within the source system's limit. |
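To make the User Filter, Group Filter, Username Attribute and Import usernames as lowercase settings concrete, the following Python script is an added example (not Data360 Analyze code) that parses the three filters described above in standard LDAP filter syntax and evaluates them against a small constructed directory. It supports AND, OR, NOT, equality, presence and "*" wildcards, compares names and values case-insensitively, and handles no escape sequences. The directory entries, the sAMAccountName username attribute and the memberOf DN in the group filter are all assumptions for the example.

```python
"""Evaluate LDAP user and group filters the way an import would.

Added example for this page; the directory entries below are constructed.
Subset of RFC 4515: (&...), (|...), (!...), (attr=value), (attr=*), '*' wildcards.
"""

# Constructed sample directory. Attribute names are stored lower-case and every
# value is a list, as LDAP attributes are multi-valued.
DIRECTORY = [
    {"dn": "cn=JBloggs,ou=Finance,dc=example,dc=com",
     "objectclass": ["person"], "ou": ["Finance"], "samaccountname": ["JBloggs"]},
    {"dn": "cn=ABooth,ou=HumanResources,dc=example,dc=com",
     "objectclass": ["person"], "ou": ["HumanResources"], "samaccountname": ["ABooth"]},
    {"dn": "cn=SJobs,ou=ResearchAndDevelopment,dc=example,dc=com",
     "objectclass": ["person"], "ou": ["ResearchAndDevelopment"], "samaccountname": ["SJobs"]},
    {"dn": "cn=svc-analyze,ou=Services,dc=example,dc=com",
     "objectclass": ["person"], "ou": ["Services"], "samaccountname": ["svc-Analyze"]},
    {"dn": "cn=Data360 Analyze Users Group,ou=Groups,dc=example,dc=com",
     "objectclass": ["groupOfNames"], "cn": ["Data360 Analyze Users Group"],
     "member": ["cn=JBloggs,ou=Finance,dc=example,dc=com"]},
    {"dn": "cn=Analyze Admins,ou=Groups,dc=example,dc=com",
     "objectclass": ["groupOfNames"], "cn": ["Analyze Admins"],
     "memberof": ["cn=Data360 Analyze Users Group,ou=Groups,dc=example,dc=com"]},
    {"dn": "ou=Groups,dc=example,dc=com", "objectclass": ["organizationalUnit"], "ou": ["Groups"]},
]


def parse_filter(text):
    """Parse an LDAP filter string into a tree of (op, arg) tuples."""
    text = text.strip()
    pos, node = _parse(text, 0)
    if pos != len(text):
        raise ValueError(f"trailing characters after filter: {text[pos:]!r}")
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    op = s[i] if i < len(s) else ""
    if op in ("&", "|"):
        children, i = [], i + 1
        while i < len(s) and s[i] == "(":
            i, child = _parse(s, i)
            children.append(child)
        return _close(s, i), (op, children)
    if op == "!":
        i, child = _parse(s, i + 1)
        return _close(s, i), ("!", [child])
    end = s.find(")", i)
    if end < 0:
        raise ValueError("unterminated filter item")
    attr, sep, value = s[i:end].partition("=")
    if not attr or not sep:
        raise ValueError(f"bad filter item {s[i:end]!r}")
    return end + 1, ("=", (attr.lower(), value))


def _close(s, i):
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return i + 1


def _wildcard_match(value, pattern):
    """LDAP-style match: '*' matches any run of characters, all else is literal."""
    parts = pattern.split("*")
    if len(parts) == 1:
        return value == pattern
    if not value.startswith(parts[0]) or not value.endswith(parts[-1]):
        return False
    pos = len(parts[0])
    for part in parts[1:-1]:
        pos = value.find(part, pos)
        if pos < 0:
            return False
        pos += len(part)
    return pos <= len(value) - len(parts[-1])


def matches(node, entry):
    """True if the entry satisfies the parsed filter (case-insensitive values)."""
    op, arg = node
    if op == "&":
        return all(matches(c, entry) for c in arg)
    if op == "|":
        return any(matches(c, entry) for c in arg)
    if op == "!":
        return not matches(arg[0], entry)
    attr, pattern = arg
    return any(_wildcard_match(v.lower(), pattern.lower()) for v in entry.get(attr, []))


def select_entries(entries, filter_text):
    node = parse_filter(filter_text)
    return [e for e in entries if matches(node, e)]


def import_usernames(entries, user_filter, username_attr, lowercase=False):
    """Usernames an import would create: the Username Attribute of each match,
    lower-cased when 'Import usernames as lowercase' is selected."""
    names = []
    for entry in select_entries(entries, user_filter):
        values = entry.get(username_attr.lower())
        if values:
            names.append(values[0].lower() if lowercase else values[0])
    return names


def import_group_names(entries, group_filter, group_name_attr):
    return [e[group_name_attr.lower()][0]
            for e in select_entries(entries, group_filter) if e.get(group_name_attr.lower())]


# The three filters described on this page; the memberOf DN is an assumption.
USER_FILTER = "(&(objectClass=person)(!(|(ou=HumanResources)(ou=ResearchAndDevelopment))))"
WILDCARD_FILTER = "(objectClass=*)"
GROUP_FILTER = ("(&(objectClass=groupOfNames)"
                "(memberOf=cn=Data360 Analyze Users Group,ou=Groups,dc=example,dc=com))")

if __name__ == "__main__":
    print(import_usernames(DIRECTORY, USER_FILTER, "sAMAccountName"))
    print(import_usernames(DIRECTORY, USER_FILTER, "sAMAccountName", lowercase=True))
    # Every entry has an objectClass, so the wildcard filter selects groups and OUs too.
    print(len(select_entries(DIRECTORY, WILDCARD_FILTER)), "of", len(DIRECTORY), "entries")
    print(import_group_names(DIRECTORY, GROUP_FILTER, "cn"))
```

Running the script shows the exclusion filter importing JBloggs and svc-Analyze but not the HumanResources or ResearchAndDevelopment users, the lowercase option turning "svc-Analyze" into "svc-analyze", the wildcard filter matching all seven entries including the OU and both groups, and the group filter selecting only the nested "Analyze Admins" group.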
Advanced Settings
You also have the option to configure the following advanced settings:
Advanced Settings property | Description |
---|---|
Referral | Select an option to configure the URL referral. Choose from:
|
Search Sub-Tree | Select Search Sub-Tree to search for users in the entire sub-tree below the root DN. |
Search Time Limit | Specify the time to wait in milliseconds before the search fails. A value of zero means that there is no limit. |
Search Count Limit | Specify the maximum number of results that can be returned in a search. A value of zero means that there is no limit. |
Ignore Partial Result Error | Specify whether partial result errors should be ignored in searches. |
Configuring LDAP alias dereferencing
You can use the Key/Value table to specify settings specific to your LDAP or AD server, for example LDAP alias dereferencing.
In an LDAP directory, an "alias entry" is an entry that points to another entry. By default, Data360 Analyze does not set the alias dereferencing behavior on LDAP imports, so the default of the JNDI LDAP provider applies, which is to always dereference aliases.
To configure LDAP alias dereferencing, enter the following key: java.naming.ldap.derefAliases
Then enter one of the following values:
Alias dereferencing property value | Definition |
---|---|
always | Always dereference aliases, both when locating the search base and for aliases found within the search scope. LDAP imports include objects that are referenced by an alias. |
never | Never dereference aliases. LDAP imports do not include objects that are referenced by an alias. |
finding | Dereference an alias only when locating the search base (for example, when the root DN itself is an alias). Aliases found within the search scope are not dereferenced, so objects that are reachable only through an alias inside the scope are not imported. |
Consider the following LDAP directory structure:
- "ou=Staff" is an alias that points to "ou=People".
- "ou=People" contains two user entries, "cn=JBloggs" and "cn=ABooth".
- "cn=New, ou=People" is an alias pointing to "cn=SJobs, ou=NewHires".
The following table outlines the effect of each alias dereferencing property value on an LDAP import that is set to search from "ou=Staff":
Alias dereferencing property value | Result of LDAP import |
---|---|
always | "cn=JBloggs", "cn=ABooth" and "cn=SJobs" are imported: the search base "ou=Staff" is dereferenced to "ou=People", and the alias "cn=New" within it is dereferenced to "cn=SJobs". |
never | Nobody is imported: "ou=Staff" is not dereferenced, and the alias entry itself has no user entries beneath it. |
finding | "cn=JBloggs" and "cn=ABooth" are imported: the search base is dereferenced to "ou=People", but the alias "cn=New" found within the search scope is not. |
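The following Python script is an added example (not Data360 Analyze code) that reproduces the table above by simulating a subtree search over the constructed "ou=Staff" directory under each derefAliases value. It also includes "searching", the fourth value JNDI defines for java.naming.ldap.derefAliases (dereference aliases found in the scope but not the base), which this page does not list; in this example it imports nobody, because the base "ou=Staff" is itself an alias. DNs are simplified to one RDN per level with no base suffix, and alias loops are detected rather than followed forever.

```python
"""Simulate java.naming.ldap.derefAliases on a subtree import.

Added example for this page; the directory is the constructed structure from
the page: ou=Staff is an alias for ou=People, which holds cn=JBloggs,
cn=ABooth and the alias cn=New pointing at cn=SJobs,ou=NewHires.
"""

# Constructed directory: dn -> attributes. Alias entries carry aliasedObjectName.
DIRECTORY = {
    "ou=People": {"objectClass": "organizationalUnit"},
    "cn=JBloggs,ou=People": {"objectClass": "person"},
    "cn=ABooth,ou=People": {"objectClass": "person"},
    "cn=New,ou=People": {"objectClass": "alias", "aliasedObjectName": "cn=SJobs,ou=NewHires"},
    "ou=NewHires": {"objectClass": "organizationalUnit"},
    "cn=SJobs,ou=NewHires": {"objectClass": "person"},
    "ou=Staff": {"objectClass": "alias", "aliasedObjectName": "ou=People"},
}

# JNDI property values -> (dereference the base?, dereference aliases in scope?),
# matching the RFC 4511 derefAliases choices neverDerefAliases, derefInSearching,
# derefFindingBaseObj and derefAlways.
MODES = {
    "never": (False, False),
    "searching": (False, True),   # defined by JNDI, not listed on this page
    "finding": (True, False),
    "always": (True, True),
}


def parent_dn(dn):
    return dn.split(",", 1)[1] if "," in dn else None


def children(directory, dn):
    return [d for d in directory if parent_dn(d) == dn]


def dereference(directory, dn):
    """Follow a chain of aliases to the real entry, refusing alias loops."""
    seen = set()
    while directory[dn]["objectClass"] == "alias":
        if dn in seen:
            raise ValueError(f"alias loop at {dn}")
        seen.add(dn)
        dn = directory[dn]["aliasedObjectName"]
    return dn


def import_users(directory, base, mode):
    """Return the sorted user RDNs a subtree search from `base` yields under `mode`."""
    if mode not in MODES:
        raise ValueError(f"unknown derefAliases value {mode!r}; choose from {sorted(MODES)}")
    deref_base, deref_in_scope = MODES[mode]
    if deref_base:
        base = dereference(directory, base)
    found, stack, visited = [], [base], set()
    while stack:
        dn = stack.pop()
        if dn in visited:
            continue
        visited.add(dn)
        entry = directory[dn]
        if entry["objectClass"] == "alias":
            # An alias inside the scope is followed only when the mode allows it.
            # The alias entry is never a user, and a base alias that is not
            # dereferenced has no children, so that search yields nothing.
            if deref_in_scope and dn != base:
                stack.append(dereference(directory, dn))
            continue
        if entry["objectClass"] == "person":
            found.append(dn.split(",")[0])
        stack.extend(children(directory, dn))
    return sorted(found)


if __name__ == "__main__":
    for mode in ("always", "never", "finding", "searching"):
        print(f"{mode:>9}: {import_users(DIRECTORY, 'ou=Staff', mode)}")
```

Searching from "ou=Staff" yields all three users under "always", none under "never", and JBloggs and ABooth under "finding", matching the table; "searching" only reaches SJobs when the search starts at the real "ou=People" entry.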
When you have finished entering your LDAP/AD import settings, click the Import Now button to import users and groups from your LDAP/AD server. When the import is complete, an import summary is displayed in the Details panel.
Synchronizing with LDAP/AD
After the initial LDAP import, you can synchronize Data360 Analyze users and groups with your LDAP/AD server at any time by clicking the Import Now button.
Alternatively, if you have selected Update user accounts on every sign in or Schedule update every X days at X, accounts are created and updated automatically as specified.
See also: