DX Application Performance Management

Hello,
I am using APM 10.7 pointing to EEM which refers to two AD nodes.
I would like to setup APM so that the user administration is left to Active Directory team.

I mean that I want to define groups and policies in EEM so that every user in a certain AD group can be an Administrator and other users in a different AD Group are Guests: in a nutshell I do not want to add/remove users in EEM Groups.

So I worked as I used to do with another product (Autosys): I defined an Application Group and then a Dynamic group linked to an AD Group.
Then I modified the Domain access policy so that users in that Dynamic Group are "Administrator" for a certain domain.
My userid is in that AD Group but if I try to login to Workstation I get an error: "user has no read permission on any domain" (authentication step is successful, authorization is not).

If I add manually my Userid in the Dynamic Group I can login without any problem. Of course this is not a solution as the group is no more "dynamic".

Note that in both cases if I look at my userid I see that I am in the Dynamic Group that I defined, same access policy for Domain.

So... it seems that all the policies are Ok but userid is not checked in the AD Group that I added to the Dynamic Group.

Any idea?

Thanks, Giuseppe

Hi,

We are using similar solution in our company. In "Manage Access Polices -> Polices -> Domain" we have for example default "Domain Guest" and here You need to find and assign Global Group (Global Group it will be Your AD group). I don't know if it should look like this but it works :)

Regards,
Pawel
Original Message:
Sent: 10-21-2020 07:54 AM
From: Giuseppe Venturella
Subject: Unable to login using an LDAP Group via EEM

Hello,
I am using APM 10.7 pointing to EEM which refers to two AD nodes.
I would like to setup APM so that the user administration is left to Active Directory team.

I mean that I want to define groups and policies in EEM so that every user in a certain AD group can be an Administrator and other users in a different AD Group are Guests: in a nutshell I do not want to add/remove users in EEM Groups.

So I worked as I used to do with another product (Autosys): I defined an Application Group and then a Dynamic group linked to an AD Group.
Then I modified the Domain access policy so that users in that Dynamic Group are "Administrator" for a certain domain.
My userid is in that AD Group but if I try to login to Workstation I get an error: "user has no read permission on any domain" (authentication step is successful, authorization is not).

If I add manually my Userid in the Dynamic Group I can login without any problem. Of course this is not a solution as the group is no more "dynamic".

Note that in both cases if I look at my userid I see that I am in the Dynamic Group that I defined, same access policy for Domain.

So... it seems that all the policies are Ok but userid is not checked in the AD Group that I added to the Dynamic Group.

Any idea?

Thanks, Giuseppe

Hi,

We are using similar solution in our company. In "Manage Access Polices -> Polices -> Domain" we have for example default "Domain Guest" and here You need to find and assign Global Group (Global Group it will be Your AD group). I don't know if it should look like this but it works :)

Regards,
Pawel
Original Message:
Sent: 10-21-2020 07:54 AM
From: Giuseppe Venturella
Subject: Unable to login using an LDAP Group via EEM

Hello,
I am using APM 10.7 pointing to EEM which refers to two AD nodes.
I would like to setup APM so that the user administration is left to Active Directory team.

I mean that I want to define groups and policies in EEM so that every user in a certain AD group can be an Administrator and other users in a different AD Group are Guests: in a nutshell I do not want to add/remove users in EEM Groups.

So I worked as I used to do with another product (Autosys): I defined an Application Group and then a Dynamic group linked to an AD Group.
Then I modified the Domain access policy so that users in that Dynamic Group are "Administrator" for a certain domain.
My userid is in that AD Group but if I try to login to Workstation I get an error: "user has no read permission on any domain" (authentication step is successful, authorization is not).

If I add manually my Userid in the Dynamic Group I can login without any problem. Of course this is not a solution as the group is no more "dynamic".

Note that in both cases if I look at my userid I see that I am in the Dynamic Group that I defined, same access policy for Domain.

So... it seems that all the policies are Ok but userid is not checked in the AD Group that I added to the Dynamic Group.

Any idea?

Thanks, Giuseppe

Hi,

We are using similar solution in our company. In "Manage Access Polices -> Polices -> Domain" we have for example default "Domain Guest" and here You need to find and assign Global Group (Global Group it will be Your AD group). I don't know if it should look like this but it works :)



Regards,
Pawel
Original Message:
Sent: 10-21-2020 07:54 AM
From: Giuseppe Venturella
Subject: Unable to login using an LDAP Group via EEM

Hello,
I am using APM 10.7 pointing to EEM which refers to two AD nodes.
I would like to setup APM so that the user administration is left to Active Directory team.

I mean that I want to define groups and policies in EEM so that every user in a certain AD group can be an Administrator and other users in a different AD Group are Guests: in a nutshell I do not want to add/remove users in EEM Groups.

So I worked as I used to do with another product (Autosys): I defined an Application Group and then a Dynamic group linked to an AD Group.
Then I modified the Domain access policy so that users in that Dynamic Group are "Administrator" for a certain domain.
My userid is in that AD Group but if I try to login to Workstation I get an error: "user has no read permission on any domain" (authentication step is successful, authorization is not).

If I add manually my Userid in the Dynamic Group I can login without any problem. Of course this is not a solution as the group is no more "dynamic".

Note that in both cases if I look at my userid I see that I am in the Dynamic Group that I defined, same access policy for Domain.

So... it seems that all the policies are Ok but userid is not checked in the AD Group that I added to the Dynamic Group.

Any idea?

Thanks, Giuseppe

Thank you Pawel,
I will try :-)

BR, Giuseppe
Original Message:
Sent: 10-22-2020 03:19 AM
From: Pawel Slowik
Subject: Unable to login using an LDAP Group via EEM

Hi,

We are using similar solution in our company. In "Manage Access Polices -> Polices -> Domain" we have for example default "Domain Guest" and here You need to find and assign Global Group (Global Group it will be Your AD group). I don't know if it should look like this but it works :)



Regards,
Pawel
Original Message:
Sent: 10-21-2020 07:54 AM
From: Giuseppe Venturella
Subject: Unable to login using an LDAP Group via EEM

Hello,
I am using APM 10.7 pointing to EEM which refers to two AD nodes.
I would like to setup APM so that the user administration is left to Active Directory team.

I mean that I want to define groups and policies in EEM so that every user in a certain AD group can be an Administrator and other users in a different AD Group are Guests: in a nutshell I do not want to add/remove users in EEM Groups.

So I worked as I used to do with another product (Autosys): I defined an Application Group and then a Dynamic group linked to an AD Group.
Then I modified the Domain access policy so that users in that Dynamic Group are "Administrator" for a certain domain.
My userid is in that AD Group but if I try to login to Workstation I get an error: "user has no read permission on any domain" (authentication step is successful, authorization is not).

If I add manually my Userid in the Dynamic Group I can login without any problem. Of course this is not a solution as the group is no more "dynamic".

Note that in both cases if I look at my userid I see that I am in the Dynamic Group that I defined, same access policy for Domain.

So... it seems that all the policies are Ok but userid is not checked in the AD Group that I added to the Dynamic Group.

Any idea?

Thanks, Giuseppe

Hello,
it doesn't work in my case. I suspect this is because I'm using "Multiple Microsoft Active Directory Domains".

Thanks, Pino
Original Message:
Sent: 10-22-2020 10:46 AM
From: Giuseppe Venturella
Subject: Unable to login using an LDAP Group via EEM

Thank you Pawel,
I will try :-)

BR, Giuseppe
Original Message:
Sent: 10-22-2020 03:19 AM
From: Pawel Slowik
Subject: Unable to login using an LDAP Group via EEM

Hi,

We are using similar solution in our company. In "Manage Access Polices -> Polices -> Domain" we have for example default "Domain Guest" and here You need to find and assign Global Group (Global Group it will be Your AD group). I don't know if it should look like this but it works :)



Regards,
Pawel
Original Message:
Sent: 10-21-2020 07:54 AM
From: Giuseppe Venturella
Subject: Unable to login using an LDAP Group via EEM

Hello,
I am using APM 10.7 pointing to EEM which refers to two AD nodes.
I would like to setup APM so that the user administration is left to Active Directory team.

I mean that I want to define groups and policies in EEM so that every user in a certain AD group can be an Administrator and other users in a different AD Group are Guests: in a nutshell I do not want to add/remove users in EEM Groups.

So I worked as I used to do with another product (Autosys): I defined an Application Group and then a Dynamic group linked to an AD Group.
Then I modified the Domain access policy so that users in that Dynamic Group are "Administrator" for a certain domain.
My userid is in that AD Group but if I try to login to Workstation I get an error: "user has no read permission on any domain" (authentication step is successful, authorization is not).

If I add manually my Userid in the Dynamic Group I can login without any problem. Of course this is not a solution as the group is no more "dynamic".

Note that in both cases if I look at my userid I see that I am in the Dynamic Group that I defined, same access policy for Domain.

So... it seems that all the policies are Ok but userid is not checked in the AD Group that I added to the Dynamic Group.

Any idea?

Thanks, Giuseppe