Administer Basic CA EEM Security › Manage Access for Referenced User Accounts › Example: One Individual in Two Referenced Active Directories

Example: One Individual in Two Referenced Active Directories

Assumptions:

• Prior to upgrading CA Process Automation, CA EEM referenced an external directory, a Microsoft Active Directory. The CA EEM release was r8.4
• Later, but still prior to upgrading CA Process Automation, CA EEM was upgraded from r8.4 to r12.51. The CA Process Automation users, that is, referenced AD users who were assigned to an application group, retained the group assignment after the CA EEM upgrade. The global users assigned to the Designers group who owned automation objects, retained the object ownership.
• During the CA Process Automation upgrade to r4.2, the installer selected to reference multiple ADs, a feature supported as of CA EEM r12.5.
• The CA EEM administrator now needs to assign an application user group to selected global users from the additional ADs. The administrator also re-assigns application groups to CA Process Automation users from the original AD.
• The CA EEM administrator enters search criteria for a user in one of the newly referenced AD domains. This user happens to be in two domains, the existing domain and a new domain. Although typically, each user is in one domain, it is possible for users to be in more than one AD domain. When this happens, the two user accounts are treated as different users, even though they may refer to the same individual.

The following procedure shows how this example would appear in the CA EEM Search results and corresponding user records.

Follow these steps:

1. Log into CA EEM as the CA EEM administrator.
2. Click Manage Identities. Enter search criteria for Global Users. The example search is for all AD users with the last name of Meier.

   

   2. Select one of the displayed global users, for example, Meier, Iris. The User account panel opens. This represents the record from the newly referenced AD domain. Click Add Application User Details.

   

3. Select the PAMAdmins user group to create administrator permissions to CA Process Automation for this user.

   

4. Select the other Global User entry from the Search results. Notice that this one displays ADdomain2, not ADdomain1 and has Production Users permissions. This represents the existing user record.

   

5. The user in the AD domain that was originally referenced, can log in to CA Process Automation with the unqualified user name, if that domain is set as the default domain. (All users from the additional domains must enter their principal name for Username at login. So, for this example, entry of the unqualified user name logs the user in with Production Users permissions. To get PAMAdmins permission, the user would enter ADdomain1\meiir01 in the Username field.