class EricssonFilter

ManagedElement
+-SystemFunctions
  +-SecM
    +-UserManagement
      +-LdapAuthenticationMethod
        +-Ldap
          +-EricssonFilter

Provides configuration of features supported by the Ericsson LDAP schema.

This class must be used when the profileFilter attribute of the Ldap MO is set to ERICSSON_FILTER.

This MO is created by the system.

Attributes

ericssonFilterId
Type: string
Properties: key, mandatory, noNotification, restricted
The value component of the RDN.

roleAliasesBaseDn
Type: string [0..1]
LDAP DN of a subtree of objects used to convert role aliases into roles the ME understands.

An option for authorization methods that implement Role Based Access Control.

The value is an LDAP DN. Each alias object has a DN of the form 'role=[role], roleAliasesBaseDn', where [role] is the name of a role alias or role group; all such objects must be reachable under the base DN given in this attribute. For example: if roleAliasesBaseDn = "dc=example,dc=com", the user has the role Admin, and the object "role=Admin,dc=example,dc=com" exists with attribute ericssonUserAuthorizationScope = Administrator, then the user receives the Administrator role.
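The alias lookup described above, as an added example in Python that is not Ericsson's code: it builds the 'role=[role],roleAliasesBaseDn' DN for each of the user's roles and maps the role through the alias object's ericssonUserAuthorizationScope values. The directory is a constructed in-memory stand-in for the LDAP server, DN strings are compared exactly, and the rule that a role with no alias object passes through unchanged is an assumption, not something the page states. The role name comes from the user's own account data, so the example escapes it per RFC 4514 before placing it in the DN; a value such as 'Ops,dc=evil' must not be able to close the 'role=' component and address an object outside roleAliasesBaseDn.

```python
import re

# Added example, not Ericsson's code: alias resolution through roleAliasesBaseDn.
# DIRECTORY below is constructed sample data standing in for the LDAP server.

_DN_SPECIAL = re.compile(r'([\\,+"<>;=])')


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use in a DN (RFC 4514 rules, plus '=').

    Without this, a role name containing ',' or '=' could rewrite the DN and
    make the ME read ericssonUserAuthorizationScope from an unrelated object.
    """
    escaped = _DN_SPECIAL.sub(r"\\\1", value)
    if value[:1] in ("#", " "):          # leading '#' or space must be escaped
        escaped = "\\" + escaped
    if value.endswith(" "):              # so must a trailing space
        escaped = escaped[:-1] + "\\ "
    return escaped


def role_alias_dn(role: str, base_dn: str) -> str:
    """DN of the alias object for one role: role=[role],roleAliasesBaseDn."""
    return f"role={escape_dn_value(role)},{base_dn}"


def resolve_role_aliases(roles, base_dn, directory):
    """Return the roles the ME understands after alias translation.

    Each role is looked up as role=[role],base_dn.  If the object exists and
    carries ericssonUserAuthorizationScope, those values replace the alias.
    Assumption (not stated on the page): a role with no alias object is kept.
    """
    resolved = []
    for role in roles:
        entry = directory.get(role_alias_dn(role, base_dn), {})
        for mapped in entry.get("ericssonUserAuthorizationScope") or [role]:
            if mapped not in resolved:
                resolved.append(mapped)
    return resolved


# Constructed sample directory: the page's own Admin example plus a role group.
BASE_DN = "dc=example,dc=com"
DIRECTORY = {
    "role=Admin,dc=example,dc=com": {
        "ericssonUserAuthorizationScope": ["Administrator"]},
    "role=NocShift,dc=example,dc=com": {
        "ericssonUserAuthorizationScope": ["SystemOperator", "ApplicationOperator"]},
}

if __name__ == "__main__":
    print(resolve_role_aliases(["Admin", "NocShift", "Auditor"], BASE_DN, DIRECTORY))
```

A real deployment would issue a base-scope LDAP read of the computed DN instead of a dictionary lookup; the escaping step is the part that must not be skipped, whatever client library performs the read.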

targetBasedAccessControl
Type: BasicAdmState
Default: LOCKED
Toggles Target Based Access Control (TBAC).

The User Management MO provides the <Target Type> strings of the ME. The TBAC authorization behavior is defined in the User Management MOC.

The optional Ericsson LDAP-schema attribute ericssonUserAuthenticationScope stores the targets on which the user can be authenticated and authorized. Each value is a case-insensitive <Target Type> string. The Ericsson target-type identifier, such as ‘bsc’ or ‘cscf’, classifies the type of target the user can access.

The optional Ericsson LDAP-schema attribute ericssonUserAuthorizationScope stores the authorization profiles of which the user is a member. Each value is a case-insensitive string of the form <Target Type>:<Authorization Profile>, where ':' is the separator, <Target Type> is the Ericsson target-type identifier (such as ‘bsc’ or ‘cscf’) for which the user acquires the profile, and <Authorization Profile> is the Ericsson application-defined profile, for example a role.

Attribute ericssonUserAuthenticationScope behavior:

When TBAC is LOCKED in the ME, authentication and authorization are performed without TBAC; the attribute is not consulted.
When TBAC is UNLOCKED in the ME and the user has a target-restricted authentication scope, authentication and authorization proceed only if one of the user's scope values matches the target type of the ME. If no value matches, authentication fails.

The wildcard scope '*' in ericssonUserAuthenticationScope permits the user to be authenticated on any ME; the roles are then taken from the user's ericssonUserAuthorizationScope attribute as described below.

Attribute ericssonUserAuthorizationScope behavior:

When TBAC is LOCKED in the ME, only the authorization profiles without a target qualifier and those with the wildcard target qualifier ('*') are assigned to the user from the user database. When TBAC is UNLOCKED in the ME, the authorization profiles whose target qualifier matches the target type of the ME and those with the wildcard target qualifier are assigned to the user from the user database.

User accounts that do not use the Ericsson LDAP schema, or that use it incorrectly, fail authorization.

For more details, refer to the Ericsson LDAP Interface Description.

Example with roles:
If the ME is configured in the User Management MOC with target type 'cscf.ims.stockholm', TBAC is UNLOCKED, and the LDAP user account contains:

ericssonUserAuthenticationScope: cscf.ims.stockholm
ericssonUserAuthenticationScope: cscf.ims.malmo
ericssonUserAuthorizationScope: cscf.ims.stockholm:SystemAdministrator
ericssonUserAuthorizationScope: cscf.ims.malmo:SystemSecurityAdministrator
ericssonUserAuthorizationScope: *:ApplicationOperator

Then, given that the LDAP user provided a correct password, the user is authenticated on the ME and assigned the roles 'SystemAdministrator' and 'ApplicationOperator'. The profile qualified with cscf.ims.malmo is not assigned because that target does not match the ME.

version
Type: EricssonFilterVersion
Default: 2
The selected version of the Ericsson filtering behavior.

Version 1 is deprecated. Version 1 accepts a role without any target qualifier as well as the '*' wildcard qualifier; both syntaxes apply the given role on all targets:

ericssonUserAuthorizationScope: ApplicationOperator
ericssonUserAuthorizationScope: *:ApplicationOperator

Version 2 makes the wildcard behavior depend on the value of attribute targetBasedAccessControl. When targetBasedAccessControl is LOCKED, both syntaxes are accepted and assign the role to the user in the ME. When targetBasedAccessControl is UNLOCKED, only the '*' syntax is accepted; unqualified roles are ignored.
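The scope-matching rules for targetBasedAccessControl, the worked Stockholm example, and the version 1 / version 2 treatment of unqualified roles, all modelled in one added Python example that is not Ericsson's code. It evaluates a user's ericssonUserAuthenticationScope and ericssonUserAuthorizationScope values against the ME's target type for TBAC LOCKED and UNLOCKED and for both filter versions. Assumptions beyond the text: target strings are compared whole and case-insensitively, a user with no matching authentication scope is refused while TBAC is UNLOCKED (fail closed), and an entry with an empty profile such as 'bsc:' is ignored. The account data is constructed from the page's example; the password check is assumed to have already passed.

```python
from dataclasses import dataclass

# Added example, not Ericsson's code: a model of the EricssonFilter scope rules.


@dataclass(frozen=True)
class FilterConfig:
    target_types: frozenset      # <Target Type> strings from the User Management MO
    tbac_unlocked: bool = False  # targetBasedAccessControl == UNLOCKED
    version: int = 2             # EricssonFilterVersion


def _matches(target: str, cfg: FilterConfig) -> bool:
    """Assumption: whole-string, case-insensitive match; '*' matches any ME."""
    return target == "*" or target.lower() in {t.lower() for t in cfg.target_types}


def authenticate(cfg: FilterConfig, auth_scopes) -> bool:
    """ericssonUserAuthenticationScope: not consulted while TBAC is LOCKED; with
    TBAC UNLOCKED one value must match the ME's target type or be '*'."""
    if not cfg.tbac_unlocked:
        return True
    return any(_matches(s.strip(), cfg) for s in auth_scopes)


def authorize(cfg: FilterConfig, authz_scopes):
    """Roles assigned from ericssonUserAuthorizationScope values, in input order."""
    roles = []
    for value in authz_scopes:
        target, sep, profile = value.strip().partition(":")
        if not sep:                      # unqualified entry: '<profile>' only
            target, profile = None, target
        if not profile:
            continue                     # malformed entry such as 'bsc:' (assumption)
        if target is None:
            # Unqualified role: always in version 1; in version 2 only while LOCKED.
            accept = cfg.version == 1 or not cfg.tbac_unlocked
        elif target == "*":
            accept = True                # wildcard qualifier applies on every ME
        else:
            # Target-qualified role: only when TBAC is UNLOCKED and the target matches.
            accept = cfg.tbac_unlocked and _matches(target, cfg)
        if accept and profile.lower() not in (r.lower() for r in roles):
            roles.append(profile)
    return roles


def evaluate(cfg: FilterConfig, auth_scopes, authz_scopes):
    """None when TBAC refuses the user; otherwise the list of assigned roles."""
    if not authenticate(cfg, auth_scopes):
        return None
    return authorize(cfg, authz_scopes)


# Constructed data: the page's example account on the Stockholm ME, TBAC UNLOCKED.
STOCKHOLM = FilterConfig(frozenset({"cscf.ims.stockholm"}), tbac_unlocked=True)
USER_AUTH = ["cscf.ims.stockholm", "cscf.ims.malmo"]
USER_AUTHZ = [
    "cscf.ims.stockholm:SystemAdministrator",
    "cscf.ims.malmo:SystemSecurityAdministrator",
    "*:ApplicationOperator",
]

if __name__ == "__main__":
    print(evaluate(STOCKHOLM, USER_AUTH, USER_AUTHZ))
```

Running the same account against a Gothenburg ME with TBAC UNLOCKED returns None (no authentication scope matches), and against the Stockholm ME with TBAC LOCKED returns only ApplicationOperator, since the target-qualified profiles are not applied while TBAC is LOCKED; swapping the version to 1 is what makes a bare 'ApplicationOperator' entry count on an UNLOCKED ME.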
