Managing and mapping roles and properties

Spectrum SSO conveniently maps user accounts to admin-assigned credentials. Users with the STS_SSO role are granted the proper shares when they log in to Spectrum™ Technology Platform. To remove a role mapping, enter the LDAP attribute to un-map in the value field in the removeMapping section of the JMX console.

Ensure that your users are defined to Spectrum™ Technology Platform with the appropriate credentials and permissions. If any user has a property setting of spectrum.security.account.createNonExisting=False, the user will not be recognized and will not be authenticated for SSO. User names must be created manually by the system administrator. A user who does not exist in the external authentication repository will not be able to log in to Spectrum, even if the user is manually created in the Spectrum Management Console. Once the user is created in the external authentication repository, they can log in to Spectrum.

Admin user setup

Users may be mapped to admin roles. Mapped admin-level users will have the same privileges as Spectrum admin-level users, but they will display as non-admin users with basic “user” role privileges. You can edit the user privileges on the Security page in Management Console, so that the true privileges are displayed.

Under a Spectrum SSO implementation, the "default" admin share/user role does not automatically apply. To apply and display user role permissions, you must set properties for any user that is mapped to the domain user group.

  1. Establish system-wide access profiles, including that of Administrator ("Admin").
  2. Set a static property in Spectrum that authenticates admin-level users based on the system-wide admin role definition: spectrum.security.authentication.spectrumserver.admin.role=admin

    This property sets permissions for the admin user role under SSO.

  3. Log in to the JMX console, and search for this property: com.pb.spectrum.platform.common.security.role:mappings=RoleMappings

    This property manages the mapping of role attribute values to Spectrum roles.

  4. Define the admin user group property parameters:
    1. In the addMapping section, in the value field, enter the SSO role value that you want to map to a Spectrum™ Technology Platform role.
    2. In the roleName field, enter the Spectrum™ Technology Platform role that you want to map to the LDAP attribute value.
    3. Click Invoke. Users who have the SSO role will now be granted the role you specified after they log in to Spectrum™ Technology Platform at least one time. NOTE: To remove a mapping, enter the LDAP attribute you want to un-map in the value field in the removeMapping section.
  5. Set the spectrum.security.account.createNonExisting property to true (default) to allow and define additional admin users: spectrum.security.account.createNonExisting=true
  6. Set the dynamic property to apply admin group permissions at Spectrum server startup: spectrum.security.authentication.idpserver.admin.role=rolename, where rolename is the group name for users who will inherit system-level admin permissions.
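
The following Python check is an added example, not part of the original Spectrum documentation or product. It audits the three properties named in steps 2, 5 and 6. The sample input is constructed, and the simplified key=value parsing and case-insensitive true/false comparison are assumptions.

```python
# Added example: audit the SSO admin-role properties named in this procedure.
# SAMPLE is constructed for illustration and does not come from a real server.
SAMPLE = """\
# constructed sample
spectrum.security.authentication.spectrumserver.admin.role=admin
spectrum.security.account.createNonExisting=False
spectrum.security.authentication.idpserver.admin.role=rolename
"""

STATIC_ADMIN = "spectrum.security.authentication.spectrumserver.admin.role"
IDP_ADMIN = "spectrum.security.authentication.idpserver.admin.role"
CREATE = "spectrum.security.account.createNonExisting"


def parse_properties(text):
    """Parse simple key=value lines; skips blanks and # / ! comment lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def audit(props):
    """Return a list of findings for the three properties in the procedure."""
    findings = []
    if not props.get(STATIC_ADMIN):
        findings.append(f"{STATIC_ADMIN} is not set (step 2)")
    idp = props.get(IDP_ADMIN, "")
    if not idp or idp == "rolename":
        findings.append(f"{IDP_ADMIN} is unset or still the 'rolename' placeholder (step 6)")
    # The page writes the value as "False" and "true"; assumed case-insensitive.
    # A missing key is treated as the documented default, true.
    if props.get(CREATE, "true").lower() != "true":
        findings.append(f"{CREATE} is not true: unrecognized users will not be "
                        "authenticated for SSO and must be created manually (step 5)")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_properties(SAMPLE)):
        print("FINDING:", finding)
```
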