Defining Access Permissions

To define access permissions for a session for which you have specified FILE in the Permission Level field in the global or local session definition, you create a file on an NTFS file system. (The FAT file system does not support security.)

CA Automation Point maps the access permissions defined for this file to correspond with session-level access permissions.

We recommend that you create all security files outside of the Site directory. This prevents those files from being overwritten when you import or export other site configuration settings and preserves their security access permissions. When you import a saved Site configuration, all files in the Site directory are deleted, and new files are extracted to the Site directory. The import operation resets all permissions of all files and directories to be inherited from the parent folder.

Important! Before you assign access permissions to selected users or groups, see the following table. The table shows how CA Automation Point maps assigned Windows file permissions to correspond to sessions' access permissions.

| Windows Permission | CA Automation Point Session Permission | Default Permission Level |
|---|---|---|
| Read | User can view sessions but not issue commands. | VIEW |
| Read & Execute | User can view sessions and issue commands through command dialog. | EXEC |
| Full Control | User can view sessions and type directly into console window. | FULL |

If none of the permissions are checked, the user has no access to the session. The permission level then is NONE.

Note: If you are specifying permissions for groups, and the groups being added to the permission set are Domain level groups, ensure that you give the Domain group the "Logon locally" right on the CA Automation Point machine. This is a requirement for Domain level groups.
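One way to audit a security file against the mapping table above, as an added PowerShell example (not CA Automation Point code). The two default paths are hypothetical placeholders, and the handling of Deny entries and of rights the table does not list (for example Modify) is an assumption, since the page does not describe them.

```powershell
# Added example, not vendor code. Both default paths are hypothetical placeholders.
param(
    [string]$SecurityFile = 'D:\APSecurity\session1.sec',
    [string]$SiteDir      = 'C:\AutomationPoint\Site'
)

$Full = [int][System.Security.AccessControl.FileSystemRights]::FullControl
$Exec = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$Read = [int][System.Security.AccessControl.FileSystemRights]::Read

# Map a rights mask to the highest row of the page's table that it fully contains.
# Assumption: rights between rows (e.g. Modify) fall back to the lower row.
function Get-SessionLevel([int]$Rights) {
    if (($Rights -band $Full) -eq $Full) { return 'FULL' }
    if (($Rights -band $Exec) -eq $Exec) { return 'EXEC' }
    if (($Rights -band $Read) -eq $Read) { return 'VIEW' }
    return 'NONE'
}

$item = Get-Item -LiteralPath $SecurityFile -ErrorAction Stop

# The page requires NTFS; FAT volumes carry no ACLs to map.
$root = [System.IO.Path]::GetPathRoot($item.FullName)
$fs   = ([System.IO.DriveInfo]::new($root)).DriveFormat
if ($fs -ne 'NTFS') { Write-Warning "$root is $fs, not NTFS: no file permissions to map." }

# The page recommends keeping security files outside the Site directory,
# because an import resets every ACL there to inherited permissions.
$sitePrefix = $SiteDir.TrimEnd('\') + '\'
if ($item.FullName.StartsWith($sitePrefix, [System.StringComparison]::OrdinalIgnoreCase)) {
    Write-Warning "Security file is inside the Site directory; an import will reset its ACL."
}

# One row per ACE. Inherited = True on a security file suggests the explicit
# permissions were lost (for example after a Site import).
(Get-Acl -LiteralPath $item.FullName).Access | ForEach-Object {
    [pscustomobject]@{
        Identity  = $_.IdentityReference.Value
        Type      = $_.AccessControlType
        Inherited = $_.IsInherited
        Level     = if ($_.AccessControlType -eq 'Allow') {
                        Get-SessionLevel ([int]$_.FileSystemRights)
                    } else { 'review (Deny entry)' }   # Deny handling is not documented on the page
    }
} | Sort-Object Identity | Format-Table -AutoSize
```

Broad principals such as Everyone or Users appearing with EXEC or FULL in the output are the rows to review first.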

Single Sign-on

When Windows security is selected on the Remote Viewing configuration dialog, it is possible to enable the Single Sign-on feature. This feature allows a Windows user to open a Remote Viewer session without manually specifying login credentials. The Windows workstation can be part of a Windows domain and can use Active Directory user accounts to take full advantage of this feature.

A requirement for this feature is a valid Service Principal Name (SPN) registration in the Active Directory database for the designated domain. The CA Automation Point administrator can select automatic registration by the Remote Manager or select manual registration by the domain administrator.

Automatic SPN registration

The default Logon user account for the CA-AP Remote Manager service is the Local System account. The Local System account by definition has all the required privileges for performing automatic SPN registration.

If a different Logon user account is specified for the CA-AP Remote Manager service using the Windows Control Panel, ensure that it is granted the required privileges. In this case, the Logon user account that is specified for the CA-AP Remote Manager service must have the Write ServicePrincipalName privilege that is assigned by a domain administrator.

Enable automatic SPN registration by selecting the Automatic radio button under the Service Principal Name group box. With automatic registration, the Remote Manager service registers an SPN in the Active Directory database in the following form:

apview/<hostname>

Manual SPN registration

Under normal circumstances, use automatic SPN registration. If automatic SPN registration is not possible or a different SPN format is required, use the manual SPN registration process.

Enable manual SPN registration by selecting the Manual radio button under the Service Principal Name group box. Enter the SPN, manually registered by the domain administrator, into the Service Principal Name edit box. This registration can be done using a utility such as setspn.

Note: If the specified SPN is missing from the Active Directory database, the feature can fail under certain circumstances.