Administering › Managing Role Objects › Role Authentication › Setting the Role Authentication Method

Setting the Role Authentication Method

To change the authentication method for a role, you must have a System Administrator or Group Administrator role type. Otherwise, you must use mainframe security.

Note: A role cannot have any sub roles if you want to change its type to Basic User.

Follow these steps:

1. From the Administration Tab, click the Role subtab.
2. Select a role from the list
3. Click the Definition tab in the edit panel.
4. Select a role type of Basic User

   Notes:

   • Only roles with a role type of Basic User or Advanced User can use LDAP authentication.
   • Additionally, roles with a type of Advanced User can only use the LDAP Mainframe Hybrid Profile Object when using LDAP authentication.
   • If a role has subroles, you cannot change the type of the role to Basic User. You must first delete the subroles of a Group Administrator type role before changing its role type.
5. Find the Role Profiles section and select the Non-Mainframe Users with a Profile option.

   If you want the LDAP credentials of the user as the same as mainframe credentials to be sent to the mainframe, select the LDAP Profile, which is the LDAP Mainframe Hybrid Profile Object. Otherwise, select a different Profile, which specifies which credentials should be sent to the mainframe.

   Note: With External Security EXIT authentication, a predefined Profile object and Directory object, EXIT is automatically selected for Non-Mainframe users.

6. Select a Profile from the first drop-down list on the right.

   If no alternate Profiles are listed, you must first create a Profile from the Profile tab.

7. Do one of the following:
   • Select an LDAP Directory from the next drop-down to the right.

     If no LDAP Directories exist, you either create a new Directory or enter the attributes listed below.

   • Manually enter the LDAP attributes needed to authenticate the users of the role.

     Enter values for LDAP Server, LDAP Port, Login Attribute, and Base DN.

     For more information, see User Authentication - Directory Settings and their Meanings

     Notes:

     • It is important to be aware that these options are overwritten when selecting a new LDAP directory.
     • If you want to permanently retain these options, we suggest that you have a member of the System Admin role create an LDAP Directory object. The LDAP Directory objects are retained permanently.
8. (Optional) Click the Automatic Enrollment checkbox.

   With the Automatic Enrollment option selected, any LDAP users that are authenticated with the selected LDAP setup are placed into this role automatically.

9. Click the Update button near the top right of the panel.

   The authentication parameters are saved.