The RSA SecurID 7.1 Connector supports both remote users and local users, through the one account object class. Remote users are users that exist in other realms but to whom you want to grant certain rights within the current realm. Local users and remote users (also known as trusted users) can have the same login names within one security domain.
The different account types are distinguished by appending a suffix to the associated RSA user ID, with the percent sign as the delimiter, for example " % ".
Note: There is a space before and after the delimiter.
Remote users have special LDAP names with the following format:
Remote_username<delimiter>Realm_name
An example of a remote user name is UserName01 % CA.
Using a delimiter to distinguish local and remote users has implications for global user correlation and the use of account templates. During correlation, the delimiter becomes part of the global user name. However, global users with the delimiter as part of their name cannot be used to create endpoint users using account templates, because the delimiter is treated as a special character.
To allow for some alternatives for correlation, you can use the following hidden attributes:
The Login Id attribute is always set to the login name of the user regardless of whether the user is a remote or local user. That is, it does not contain the delimiter and realm suffix for remote users.
Correlating against this attribute means that all global users created can be used with account templates, but all users with the same login name, local or remote, are correlated to the same global user. For example, the local user janesmith is correlated to the same global user as janesmith % sales and janesmith % dev1.
This attribute is set to the login name of the user only for local users, but is not set for remote users.
Correlating against this attribute creates global users for all local RSA users while correlating all remote RSA users to the default user.
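The two correlation outcomes described above, as an added Python sketch that is not CA or RSA code: it splits RSA user IDs on the " % " delimiter, groups accounts the way each hidden attribute would, and lists global users whose correlated accounts span more than one realm. The function names, the `<default user>` placeholder and the sample accounts are assumptions made for illustration.

```python
# Added illustration; not CA or RSA code. All function names are hypothetical.
from collections import defaultdict

DELIMITER = " % "  # percent sign with a space on each side, as the page states
DEFAULT_USER = "<default user>"  # placeholder standing in for the default user

def split_rsa_user_id(user_id):
    """Return (login, realm); realm is None for a local user."""
    login, sep, realm = user_id.partition(DELIMITER)
    if not sep:
        return user_id, None
    if not login or not realm:
        raise ValueError(f"malformed remote user ID: {user_id!r}")
    return login, realm

def login_id(user_id):
    """Login Id attribute: login name without delimiter or realm suffix."""
    return split_rsa_user_id(user_id)[0]

def local_only_login(user_id):
    """Second hidden attribute: login name for local users, unset for remote."""
    login, realm = split_rsa_user_id(user_id)
    return login if realm is None else None

def correlate(user_ids, attribute):
    """Group accounts by the global user each one would correlate to."""
    groups = defaultdict(list)
    for uid in user_ids:
        groups[attribute(uid) or DEFAULT_USER].append(uid)
    return dict(groups)

def shared_across_realms(groups):
    """Global users whose correlated accounts come from more than one realm."""
    return {
        g: accts for g, accts in groups.items()
        if g != DEFAULT_USER and len({split_rsa_user_id(a)[1] for a in accts}) > 1
    }

# Constructed sample accounts; the janesmith entries mirror the page's example.
ACCOUNTS = ["janesmith", "janesmith % sales", "janesmith % dev1", "pkumar % sales"]

if __name__ == "__main__":
    by_login = correlate(ACCOUNTS, login_id)
    print("Login Id correlation:", by_login)
    print("Spans several realms:", shared_across_realms(by_login))
    print("Local-only correlation:", correlate(ACCOUNTS, local_only_login))
```

Running the realm check against an export of endpoint accounts before correlating on Login Id shows which local and remote identities would end up sharing one global user.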
Copyright © 2013 CA.
All rights reserved.