In the previous blog (/blogs/2011/11/04/netscaler-command-center-5-0-extended-authentication-support-part-2-dual-mode-smooth-authentication-configuration/) we discussed the significance of the dual mode smooth authentication support. Now we will move on to the second part of the extended authentication support in Command Center 5.0: customized Active Directory group level control.
Customized Active Directory group level control
Creating AD Groups:
- Step1: Go to Authentication Settings under Administration
- Step2: Enter all the AD server credentials and enable group extraction
- Step3: Go to Groups under Administration
- Step4: Click Add groups
- Step5: Select Browse and enter the credentials
- Step6: Select the groups you want to authenticate for access to CC functions and click OK
- Step7: Select the read-write-execute levels for the CC features you want for those groups and click OK
- Step8: You have now created AD groups that are authorized to perform a certain level of functions on the CC appliance
Once these AD groups are created on the CC appliance, the process of authentication and authorization becomes simpler.
Now we will dig into the details of how AD group extraction affects Command Center:
First of all, everything that happens from the time a user enters credentials to access Command Center until the user actually has access is split into authentication and authorization.
Reason1: Simplifies the administrator's job
It eliminates the manual process of allotting a specific group to a particular Active Directory user every time an external AD user accesses Command Center.
The flow of execution in NetScaler Command Center 4.1:
To give users more access to Command Center features at the user level, the admin had to manually allot every user to a group allowing a specific level of access!!
Now, that’s a cumbersome job!!
The flow of execution in NetScaler Command Center 5.0 beta:
With this process, the admin doesn’t have to specifically authorize every single external AD user who logs in. Authorization happens automatically when the user belongs to a particular AD group!
Note that the AD server is responsible only for authentication. Authorization for Command Center's features is done by Command Center alone.
Reason2: Restricts users with no read-write-execute level permissions
In CC 4.1, the default “Users” group allotted to every AD user who logged in used to end up with read operations on Command Center, even though the “Users” group was defined with no read-write-execute level functions at all.
With CC 5.0 we can absolutely deny a user access to any type of resource or operation unless the user belongs to an AD group configured on Command Center. Absolutely means no read operations either! If a user who exists in Active Directory but does not belong to any of the AD groups on Command Center tries to log in, the user is denied access right there and then.
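The CC 5.0 decision described above, modelled as an added Python example; it is not Command Center code. The group names, feature names, matching on the CN of each memberOf DN, and the rule that levels from several groups add up are all assumptions made for illustration.

```python
import re

# Constructed sample: AD groups added on the appliance (Step6) and the
# levels granted per feature (Step7). All names here are hypothetical.
CC_GROUPS = {
    "netops-admins": {"Configuration": {"read", "write", "execute"},
                      "Reporting": {"read"}},
    "noc-viewers": {"Reporting": {"read"}},
}

_CN = re.compile(r"\s*CN=((?:\\.|[^,\\])+)", re.IGNORECASE)


def group_cn(dn):
    """Return the lower-cased CN of the first RDN of a memberOf DN, or None.

    Only the leading RDN is read, so a group name appearing in an OU does not
    count. Hex escapes (\\2C) are not decoded; such a DN just fails to match.
    """
    m = _CN.match(dn)
    if not m:
        return None
    return re.sub(r"\\(.)", r"\1", m.group(1)).strip().lower()


def authorize(authenticated, member_of):
    """Return {feature: levels} for the session, or None when login is denied."""
    if not authenticated:          # AD rejected the credentials
        return None
    matched = {group_cn(dn) for dn in member_of} & CC_GROUPS.keys()
    if not matched:                # valid AD user, no configured group: no access at all
        return None
    granted = {}
    for name in matched:           # assumption: levels from several groups add up
        for feature, levels in CC_GROUPS[name].items():
            granted.setdefault(feature, set()).update(levels)
    return granted


if __name__ == "__main__":
    # Constructed memberOf values for three users.
    print(authorize(True, ["CN=NOC-Viewers,OU=Groups,DC=example,DC=com"]))
    print(authorize(True, ["CN=Domain Users,CN=Users,DC=example,DC=com"]))
    print(authorize(True, ["CN=jdoe,OU=netops-admins,DC=example,DC=com"]))
```

The second and third users authenticate successfully against AD but are refused, because none of their group CNs is configured on the appliance.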
Reason3: User convenience
With AD group extraction, users will be able to view AD group details on the CC appliance.
With this we end part 3 of the extended authentication support blog; from next week onwards we will continue with the other key enhancements in NetScaler Command Center 5.0.