Difference between revisions of "Active Directory - Set up Role Mappings"
(19 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
[[Category:How_To]] | [[Category:How_To]] | ||
+ | [[Category:Fusion Registry Install]] | ||
+ | [[Category:RegistrySecurity]] | ||
+ | |||
+ | '''This option is only available in Version 10.''' | ||
+ | |||
=Overview= | =Overview= | ||
If you are using Active Directory as the Authentication Service you will need to access the Role Mapping menu from the Admin-> Server Security page in order to map the Organisations you have set up in Fusion Registry to the Groups and users that you have created in Active Directory. | If you are using Active Directory as the Authentication Service you will need to access the Role Mapping menu from the Admin-> Server Security page in order to map the Organisations you have set up in Fusion Registry to the Groups and users that you have created in Active Directory. | ||
Line 6: | Line 11: | ||
In this very simple example the following has taken place. | In this very simple example the following has taken place. | ||
− | ==Server Security General | + | ==Server Security - General == |
+ | The Registry has been fully locked-down so only authorised users are able to login. [https://wiki.sdmxcloud.org/Fusion_Registry_Security_Overview You can read more about the general concepts of Security in Fusion Registry in this article.] | ||
+ | |||
+ | |||
+ | [[File:VMSS1.PNG|800px]] | ||
− | The | + | ==Server Security - Authentication Service== |
+ | The relevant settings for active Directory (in this instance idap is used rather than idaps) have been applied. | ||
− | [[File: | + | [[File:VMSS0.PNG|800px]] |
==Active Directory== | ==Active Directory== | ||
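Review bot: In the added "Server Security - Authentication Service" paragraph, "idap" and "idaps" look like misspellings of LDAP and LDAPS, and "active Directory" is lower-cased. Suggest: "The relevant settings for Active Directory (in this instance LDAP is used rather than LDAPS) have been applied." The new "==Server Security - General ==" heading also has a stray space before the closing "==". Since the example deliberately uses LDAP rather than LDAPS, a sentence saying when LDAPS should be chosen would help readers who copy these settings.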
Line 30: | Line 40: | ||
[[File:VMSS3.PNG|800px]] | [[File:VMSS3.PNG|800px]] | ||
− | |||
==Role Mapping== | ==Role Mapping== | ||
− | The Role Mapping page is where you specify which Groups in AD map to which Organisations in Fusion Registry. At the moment this page is somewhat | + | The Role Mapping page is where you specify which Groups in AD map to which Organisations in Fusion Registry. At the moment this page is somewhat counter-intuitive (which we plan to address in a future release), but if you follow the steps below your mapping will succeed. |
Line 40: | Line 49: | ||
===Map the Agency=== | ===Map the Agency=== | ||
− | In the Role Mappings page, click the Add Mapping button. The Role Mapping modal will appear and display all the Organisations in the Registry. | + | In the Role Mappings page, click the '''Add''' '''Mapping''' button. The Role Mapping modal will appear and display all the Organisations in the Registry. |
[[File:VMSS5.PNG|600px]] | [[File:VMSS5.PNG|600px]] | ||
− | In the field AD Role, enter the Group | + | |
+ | In the field AD Role, enter the '''Group''' name '''exactly''' as it appear in AD and then select the Agency as shown in the image below. | ||
[[File:VMSS6.PNG|600px]] | [[File:VMSS6.PNG|600px]] | ||
− | Click Assign to return to the Role Mapping page. | + | |
+ | Click '''Assign''' to return to the Role Mapping page. | ||
===Map the Data Providers=== | ===Map the Data Providers=== | ||
− | Again, click the Add Mapping button and enter the AD Group | + | Again, click the '''Add Mapping''' button and enter the AD '''Group''' name but this time you can click all three Data Providers as shown on the example below. |
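Review bot: The new AD Role sentence reads "exactly as it appear in AD"; it should be "appears". Because the step depends on an exact match, it would help to state whether the comparison is case-sensitive. The bolding is also inconsistent within this hunk: '''Add''' '''Mapping''' in the Agency step versus '''Add Mapping''' in the Data Providers step.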
Line 59: | Line 70: | ||
===Map the Data Consumers=== | ===Map the Data Consumers=== | ||
− | Click all the Data Consumers. | + | Click all the Data Consumers and then click '''Assign'''. |
[[File:VMSS8.PNG|600px]] | [[File:VMSS8.PNG|600px]] | ||
+ | |||
+ | ===Results=== | ||
+ | Having created the 3 mappings the Role Mappings Page will display a line for each Organisation (this is the counter intuitive aspect referred to as above). If you click on any of the Data Consumer records or any of the Data Provider records you will see that they are all the same insofar as all 3 are shown. | ||
− | + | [[File:VMSS9.PNG|1000px]] | |
− | + | ||
+ | |||
+ | However, the mapping has been successful and all 7 AD users will be able to login to the Registry and will have [https://wiki.sdmxcloud.org/Fusion_Registry_Security_Overview#Authorisation the correct privilege's as discussed in this article.] | ||
+ | |||
+ | [https://wiki.sdmxcloud.org/Role_Mapping Click here to learn about other functions available in the Role Mapping page.] | ||
+ | ==Content Security Considerations== | ||
− | [[ | + | Please refer to this article [[Content_Security_-_Active_Directory| which explains what you may need to do if you are using Content Security]]. |
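Review bot: In the added Results text, "privilege's" should be "privileges" and "referred to as above" should be "referred to above". "counter intuitive" is hyphenated in the Role Mapping section but not here. The wiki.sdmxcloud.org links are written as external URLs while the Content Security link uses an internal [[...]] link; one style throughout would be easier to maintain.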
Latest revision as of 05:03, 12 September 2024
This option is only available in Version 10.
Overview
If you are using Active Directory as the Authentication Service, open the Role Mapping menu from the Admin -> Server Security page to map the Organisations you have set up in Fusion Registry to the Groups and users that you have created in Active Directory.
Example
In this very simple example the following has taken place.
Server Security - General
The Registry has been fully locked down so only authorised users are able to log in. You can read more about the general concepts of Security in Fusion Registry in this article.
Server Security - Authentication Service
The relevant settings for Active Directory have been applied (in this instance LDAP is used rather than LDAPS).
Active Directory
3 Groups have been created, one for each type of user:
- Agency
- Data Provider
- Data Consumer
7 Users have been created. Game of Thrones is the Agency; John, Cersei and Doran are Data Providers; and Baylon, Edmure and Olenna are Data Consumers. Each of the users is a member of the appropriate group.
Fusion Registry
In the Organisations area of Fusion Registry, 7 records again exist: the Agency, the 3 Data Providers and the 3 Data Consumers.
Role Mapping
The Role Mapping page is where you specify which Groups in AD map to which Organisations in Fusion Registry. At the moment this page is somewhat counter-intuitive (which we plan to address in a future release), but if you follow the steps below your mapping will succeed.
Map the Agency
In the Role Mappings page, click the Add Mapping button. The Role Mapping modal will appear and display all the Organisations in the Registry.
In the AD Role field, enter the Group name exactly as it appears in AD and then select the Agency as shown in the image below.
Click Assign to return to the Role Mapping page.
Map the Data Providers
Again, click the Add Mapping button and enter the AD Group name, but this time you can click all three Data Providers as shown in the example below.
Map the Data Consumers
Click all the Data Consumers and then click Assign.
Results
Having created the 3 mappings, the Role Mappings page will display a line for each Organisation (this is the counter-intuitive aspect referred to above). If you click on any of the Data Consumer records or any of the Data Provider records you will see that they are all the same, insofar as all 3 are shown.
However, the mapping has been successful: all 7 AD users will be able to log in to the Registry and will have the correct privileges, as discussed in this article.
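A pre-flight check for the three mappings above, as an added example (not Fusion Registry code): it compares each name typed into the AD Role field with the group names in AD and lists Organisations that no valid mapping covers. The group names, the sample mappings and the strict character-for-character comparison are assumptions made for illustration.

```python
# Added example: pre-flight check for Role Mapping entries (not Fusion Registry code).
# All data is constructed; group names are assumed to equal the group types on this page.

AD_GROUPS = ["Agency", "Data Provider", "Data Consumer"]  # e.g. copied from an AD export

ORGANISATIONS = {
    "Agency": ["Game of Thrones"],
    "Data Provider": ["John", "Cersei", "Doran"],
    "Data Consumer": ["Baylon", "Edmure", "Olenna"],
}

# Text typed into the "AD Role" field -> Organisations ticked in the modal (constructed).
MAPPINGS = {
    "Agency": ["Game of Thrones"],
    "data provider ": ["John", "Cersei", "Doran"],  # wrong case and a trailing space
    "Data Consumer": ["Baylon", "Edmure"],          # Olenna was not ticked
}


def _normalise(name):
    """Collapse whitespace and case so a near-miss can be matched to a suggestion."""
    return " ".join(name.split()).casefold()


def check_mappings(ad_groups, mappings, organisations):
    """Return (name_errors, unmapped_orgs).

    name_errors: {entered_name: closest AD group or None} for every entry that is
                 not a character-for-character match of an AD group name.
    unmapped_orgs: sorted Organisations not covered by any exactly matching entry.
    """
    by_normalised = {_normalise(g): g for g in ad_groups}
    name_errors, covered = {}, set()
    for entered, orgs in mappings.items():
        if entered in ad_groups:
            covered.update(orgs)
        else:
            name_errors[entered] = by_normalised.get(_normalise(entered))
    all_orgs = {o for orgs in organisations.values() for o in orgs}
    return name_errors, sorted(all_orgs - covered)


if __name__ == "__main__":
    errors, unmapped = check_mappings(AD_GROUPS, MAPPINGS, ORGANISATIONS)
    for entered, suggestion in errors.items():
        print(f"AD Role {entered!r} is not an exact AD group name; closest: {suggestion!r}")
    print("Organisations without a working mapping:", unmapped)
```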
Click here to learn about other functions available in the Role Mapping page.
Content Security Considerations
Please refer to this article which explains what you may need to do if you are using Content Security.