Limiting HMC access to some users while using LDAP Authentication (MVCM MVCA)

Version 1

    MainView Console Management for zEnterprise - Base


    MVCM MVCA MainView Console Management for zEnterprise MainView Console Automation for zEnterprise


    An administrator would like to allow HMC access to some users but not others while still using LDAP to check user passwords and general access privileges.


    One way this can be done is by adding the users who are allowed HMC access to the MVCM authentication server's internal database. Note: Passwords will still be checked using LDAP against the standard repository (Active Directory, RACF, ACF2, etc.) and general group access will still be checked, meaning only users with MVCM access will be allowed to log into MVCM viewers and tools.

    1. On the Authentication Server "General" tab under the Authentication Method section, enable the "Use Database for Privileges" option. Click the Apply button, then Stop and Start the authentication server.

    2. On the Authentication Server "Users" tab: add the HMC users to the MVCM authentication database one at a time. The password does NOT matter; you can put a random string in here. Enable "HMC Access Privileges" at the bottom of the list of options, then Save the user. The authentication server does NOT need to be restarted when users are added or modified.

    Now all users still have their passwords checked using LDAP, but only users who are both (a) defined in the MVCM database AND (b) have the HMC Access Privilege enabled will be able to access the HMC sessions. Users who are NOT in the database, or who are in the database but not HMC-enabled, can still access console sessions but not the HMC.

    Note: You may want to configure two automation viewers, one with the HMC and one without the HMC: if non-HMC operators try to log in to the HMC viewer they will get access to console sessions but they will always see a reject error for the HMC.
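    The following is an added example, not BMC's code, that models the access decision described above so the four user cases can be checked side by side. The LDAP directory, user names and passwords are constructed; the behaviour when "Use Database for Privileges" is disabled (LDAP-only, no HMC) is an assumption of the model, not something this article states.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Set

# Constructed stand-in for the LDAP repository (AD, RACF, ACF2, ...):
# user -> password. The real LDAP check also covers general group access.
LDAP_DIRECTORY = {"opsadmin": "s3cret-A", "operator1": "s3cret-B",
                  "operator2": "s3cret-C"}

def ldap_check(user: str, password: str) -> bool:
    return LDAP_DIRECTORY.get(user) == password

@dataclass
class DbUser:
    password: str       # not used for login: LDAP still checks the password
    hmc_access: bool    # "HMC Access Privileges" option on the Users tab

@dataclass
class AuthServer:
    use_database_for_privileges: bool   # "General" tab option
    db_users: Dict[str, DbUser] = field(default_factory=dict)

def authorize(server: AuthServer, user: str, password: str,
              check: Callable[[str, str], bool] = ldap_check) -> Set[str]:
    """Return the session types this login may open: 'console' and/or 'hmc'."""
    if not check(user, password):
        return set()                      # LDAP password/group check failed
    granted = {"console"}
    if server.use_database_for_privileges:
        entry = server.db_users.get(user)
        if entry is not None and entry.hmc_access:
            granted.add("hmc")            # in the DB AND HMC-enabled
    return granted                        # option off: LDAP-only (assumption)

# Constructed example: opsadmin is HMC-enabled, operator1 is in the database
# but not HMC-enabled, operator2 is not in the database at all.
SERVER = AuthServer(
    use_database_for_privileges=True,
    db_users={"opsadmin": DbUser("random-string", hmc_access=True),
              "operator1": DbUser("random-string", hmc_access=False)},
)

if __name__ == "__main__":
    for u, p in [("opsadmin", "s3cret-A"), ("operator1", "s3cret-B"),
                 ("operator2", "s3cret-C"), ("opsadmin", "random-string")]:
        print(u, sorted(authorize(SERVER, u, p)))
```

    The last case shows that the random database password is never accepted: only the LDAP password opens a session, and the database entry adds the HMC privilege on top.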


