Your organization may want to have users authenticate to Lumeta Enterprise Edition using Active Directory (AD). This arrangement, with an assist from you, maps AD user rights to the Lumeta system and controls what individual users can see and control when logged in to a Lumeta Command Center. Your contribution is to tell the Lumeta system how to map groups, organizations, and roles by creating a CSV group mapping file. The group mapping file you create specifies the mapping.
Let's assume, for example, that Active Directory contains (or has defined) these groups and organizations, and we want to assign users to particular groups within particular organizations according to their particular role.
And you want these rules to apply to your Lumeta users:
| # | Group | Role+Organization |
|---|---|---|
| 1 | vp | Viewer/NA |
| 2 | vp | Viewer/EMEA |
| 3 | vp | Viewer/APAC |
That portion of the group mapping CSV file would look like this:
```
vp,Viewer/NA
vp,Viewer/EMEA
vp,Viewer/APAC
```
Notice that the CSV example contains only two columns: the first is the AD group name and the second is the Lumeta role + organization. The two columns are separated by a comma (,). Any row containing more than two columns is considered an invalid row.
Admins should get SysAdmin roles in their own regions
| # | Group | Role+Organization |
|---|---|---|
| 1 | admin\|na | SysAdmin/NA |
| 2 | admin\|emea | SysAdmin/EMEA |
| 3 | admin\|apac | SysAdmin/APAC |
The users in row #1 are members of both the admin and na groups; a user must belong to every group listed in the first column for the row to apply. Those users are SysAdmins for the NA organization.
That portion of the group mapping file would look like this:
```
admin|na,SysAdmin/NA
admin|emea,SysAdmin/EMEA
admin|apac,SysAdmin/APAC
```
| # | Group | Role+Organization |
|---|---|---|
| 1 | security\|na\|emea | Viewer/NA |
| 2 | security\|na\|emea | Manager/NA |
| 3 | security\|na\|emea | Viewer/EMEA |
| 4 | security\|na\|emea | Manager/EMEA |
| 5 | security\|na\|emea | Viewer/APAC |
| 6 | security\|apac | Viewer/APAC |
| 7 | security\|apac | Manager/APAC |
| 8 | security\|apac | Viewer/NA |
| 9 | security\|apac | Viewer/EMEA |
That portion of the group mapping file would look like this:
```
security|na|emea,Viewer/NA
security|na|emea,Manager/NA
security|na|emea,Viewer/EMEA
security|na|emea,Manager/EMEA
security|na|emea,Viewer/APAC
security|apac,Viewer/APAC
security|apac,Manager/APAC
security|apac,Viewer/NA
security|apac,Viewer/EMEA
```
The contents of the assembled CSV file would look like this:
```
vp,Viewer/NA
vp,Viewer/EMEA
vp,Viewer/APAC
admin|na,SysAdmin/NA
admin|emea,SysAdmin/EMEA
admin|apac,SysAdmin/APAC
security|na|emea,Viewer/NA
security|na|emea,Manager/NA
security|na|emea,Viewer/EMEA
security|na|emea,Manager/EMEA
security|na|emea,Viewer/APAC
security|apac,Viewer/APAC
security|apac,Manager/APAC
security|apac,Viewer/NA
security|apac,Viewer/EMEA
```
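The file format above is simple enough that it pays to validate it before uploading it, and to check which grants a given user would actually receive. The following Python is an added example (it is not Lumeta code and does not use any Lumeta API): it parses the assembled CSV, rejects any row that does not have exactly two columns, treats the `|`-separated first column as "member of every listed group" (as the admin example describes), and resolves a user's AD group list to a set of role/organization pairs. The sample input is the page's assembled file plus one constructed invalid row; case-insensitive group matching is an assumption made here for illustration, not a documented Lumeta behaviour.

```python
import csv
import io
from typing import FrozenSet, List, Set, Tuple

# Constructed sample: the page's assembled mapping file, plus one
# deliberately invalid three-column row to exercise validation.
SAMPLE_CSV = """\
vp,Viewer/NA
vp,Viewer/EMEA
vp,Viewer/APAC
admin|na,SysAdmin/NA
admin|emea,SysAdmin/EMEA
admin|apac,SysAdmin/APAC
security|na|emea,Viewer/NA
security|na|emea,Manager/NA
security|na|emea,Viewer/EMEA
security|na|emea,Manager/EMEA
security|na|emea,Viewer/APAC
security|apac,Viewer/APAC
security|apac,Manager/APAC
security|apac,Viewer/NA
security|apac,Viewer/EMEA
bad,Viewer/NA,extra
"""

# A rule is (required AD groups, role, organization).
Rule = Tuple[FrozenSet[str], str, str]


def parse_group_mapping(text: str) -> Tuple[List[Rule], List[str]]:
    """Parse the two-column mapping file; return (rules, validation errors)."""
    rules: List[Rule] = []
    errors: List[str] = []
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or all(not cell.strip() for cell in row):
            continue  # blank line, nothing to map
        if len(row) != 2:
            # The page's rule: more than two columns makes the row invalid.
            errors.append(f"line {lineno}: expected 2 columns, got {len(row)}")
            continue
        groups_field, target = (cell.strip() for cell in row)
        # Assumption: group names compared case-insensitively.
        groups = frozenset(g.strip().lower() for g in groups_field.split("|") if g.strip())
        if not groups or "/" not in target:
            errors.append(f"line {lineno}: malformed row {row!r}")
            continue
        role, org = target.split("/", 1)
        rules.append((groups, role.strip(), org.strip()))
    return rules, errors


def resolve_grants(user_groups: List[str], rules: List[Rule]) -> Set[Tuple[str, str]]:
    """Return the (role, organization) pairs a user with these AD groups receives.

    A rule applies only when the user belongs to every group in its first
    column, so 'admin|na' needs both admin and na; admin alone grants nothing.
    """
    have = {g.strip().lower() for g in user_groups}
    return {(role, org) for groups, role, org in rules if groups <= have}


if __name__ == "__main__":
    parsed_rules, problems = parse_group_mapping(SAMPLE_CSV)
    print(f"{len(parsed_rules)} rules loaded, {len(problems)} invalid rows")
    for problem in problems:
        print("  ", problem)
    for member_of in (["admin", "na"], ["admin"], ["security", "apac"], ["security", "na"]):
        print(member_of, "->", sorted(resolve_grants(member_of, parsed_rules)))
```

Running the script shows that a user in only `admin` or only `security` and `na` receives no grants at all, which is the check worth doing before a mapping file goes live: a misplaced `|` silently withholds access rather than failing loudly.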
CSV File Rules
The rules we've introduced are as follows:
Admin and Manager users can see these roles by default.
To map Active Directory (AD) groups and roles to Lumeta organizations, here's the process.
To configure Active Directory on Lumeta Enterprise Edition:
authentication ad
| CLI Command | Description & Example | Likely Order of Operations |
|---|---|---|
| groupmapping | Maps an Active Directory group to an Organization in Lumeta Enterprise Edition. If your Active Directory mapping introduces new Organizations, you will need to create those organizations in the Command Center. | 5 |
| configure | Configures an Active Directory authentication server | 1 |
| netbios | The netbios is an alias for the hostname used in Active Directory authentication. In this example, the hostname of the Command Center is longer than the maximum number of characters allowed, so AD could not be enabled. In cases like these, use the netbios to serve as an alias for a too-long hostname. This command would create a hostname on the AD server with the name "TestAD." | 3 |
| enable/disable | Enables and disables AD authentication | 4 |
| viewconfig | Displays the current AD configuration. The two examples below show a not joined/disabled AD server and a joined/enabled AD server. | 2 |
| clearconfig | Clears the current AD configuration | optional |
When an AD user logs in to Lumeta and browses to Settings > Users, only the users, groups, and organizations to which they have been given rights through the AD group mappings are visible.