

Global Users Authentication

When a user logs in to the CA 3Tera AppLogic GUI, or logs in using SSH to open a command line shell, the login consists of the following two separate operations:

For a user to be granted login permission, that user is typically added to a local or global group which has login permission on the grid ACL. It is also possible to grant the implicit local group "all" access level rights on the grid ACL (all such access levels include login permission). In this case, every local user and every global user is granted permission to log in.

In the case of a global user, the user's unique ID is not determined until the user authenticates for the first time using the global directory service. As a result, it is impossible to add a global user to a local group until that user has authenticated at least once. If the implicit local group "all" is not provided login permission, the process used to give a global user login access to a grid is as follows:

  1. The global user logs in to the CA 3Tera AppLogic GUI. While authentication succeeds, authorization fails because the global user does not have login permission. Because authentication has succeeded, the global user ID has been determined and the global user's global group membership has also been determined. As a result, this information has been cached in the local directory service.
  2. The global user is added to a local group with login permission, or a global group in which the global user is a member is provided access level rights on the grid ACL. Once this step is completed, the global user can successfully log in through the CA 3Tera AppLogic GUI or through SSH.
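
The sequence above, modeled in Python as an added example (this is not CA 3Tera AppLogic code): authentication caches the global user's ID and group membership even when authorization then fails, and only after that can the user be added to a local group. The `Grid` class, its method names, the `local:`/`global:` ACL prefixes, and the sample user are assumptions made for illustration.

```python
import hmac
from dataclasses import dataclass, field

class UnknownUser(Exception):
    """The global user has no cached ID in the local directory yet."""

@dataclass
class Grid:
    global_dir: dict                                   # constructed: name -> (password, [global groups])
    login_acl: set = field(default_factory=set)        # ACL entries that carry login permission
    cache: dict = field(default_factory=dict)          # local directory cache of global users
    local_groups: dict = field(default_factory=dict)   # local group -> set of user IDs

    def authenticate(self, name, password):
        entry = self.global_dir.get(name)
        if entry is None or not hmac.compare_digest(entry[0], password):
            return None
        # A successful authentication fixes the user's ID and caches group membership,
        # whether or not authorization succeeds afterwards.
        rec = self.cache.setdefault(name, {"uid": f"g-{len(self.cache) + 1}"})
        rec["groups"] = set(entry[1])
        return rec

    def authorize(self, rec):
        # Every user belongs to the implicit local group "all".
        held = {"local:all"} | {f"global:{g}" for g in rec["groups"]}
        held |= {f"local:{g}" for g, uids in self.local_groups.items() if rec["uid"] in uids}
        return bool(held & self.login_acl)

    def login(self, name, password):
        rec = self.authenticate(name, password)
        if rec is None:
            return "authentication failed"
        return "ok" if self.authorize(rec) else "authorization failed"

    def add_to_local_group(self, name, group):
        if name not in self.cache:
            raise UnknownUser(f"{name} has not authenticated yet, so there is no ID to add")
        self.local_groups.setdefault(group, set()).add(self.cache[name]["uid"])

if __name__ == "__main__":
    grid = Grid({"alice": ("s3cret", ["eng"])}, login_acl={"local:operators"})
    print(grid.login("alice", "s3cret"))       # step 1: authenticated, not authorized
    grid.add_to_local_group("alice", "operators")
    print(grid.login("alice", "s3cret"))       # step 2 done: login succeeds
```
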