Capabilities of RBM
RBM authenticates users, evaluates the access profile, and enforces access to resources.
RBM consists of the following capabilities.
Authenticating users
Extract the user identity from the access request and authenticate the user identity that is
presented. You can configure one of the following methods for user authentication.
- Custom: An external programmatic method.
- LDAP server: An external authentication system.
- Local user: Locally configured user account.
- RADIUS server: An external authentication system.
- SAF: An external authentication system.
- SPNEGO (deprecated): An external Windows Integrated Authentication system. When SPNEGO is the RBM authentication method, you cannot log in to the GUI.
- TLS user certificate: A TLS certificate from a connection peer.
- XML file: A file that contains authentication information.
With an external authentication system, the mapping method for the access profile must be a local resource.
Evaluating the access profile
The access profile defines the set of privileges for one or more resources on the DataPower® Gateway. Resources can be as broad as a service or as specific as the ability to configure only user profiles that start with the letters foo (as in foo_one). Privileges for a resource can be one or more of the following permissions.
- Read
- Write
- Add
- Delete
- Execute
A bundle of access rights (also termed access policies) constitutes an access profile. An access
profile can originate from any of the following credential mapping sources.
- Custom: An external programmatic method.
- Local user group: Locally configured user group.
- XML file: A file that defines access profiles.
The following table lists the supported credential mapping methods for each authentication
method.
Authentication method | Mapping with a local user group | Mapping with an XML file | Custom mapping
---|---|---|---
Custom | No | Yes | Yes
LDAP | No | Yes | Yes
Local user | Yes | Yes | Yes
RADIUS | No | Yes | Yes
SAF | No | Yes | Yes
TLS user credential | No | Yes | Yes
XML file | Yes | Yes | Yes
When the credentials mapping is with a local user group or with an XML file, you can use the Search LDAP for group name property to retrieve the distinguished name with an LDAP search.
Enforcing access to resources
After the user is authenticated and the access profile is evaluated, the DataPower Gateway enforces the established access profile. The GUI displays only resources that the user has access to, and the command line recognizes only commands for resources that the user has access to.
For commands that users do not have access to, the command line displays the following message.
Unknown command or macro (command)
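The two steps above, evaluating an access profile (a bundle of access policies granting Read, Write, Add, Delete or Execute on resources as broad as a service or as narrow as user groups whose names start with foo) and then enforcing it (the GUI lists only readable resources, the command line reports "Unknown command or macro" for anything outside the profile), as an added illustration that is not DataPower code or DataPower's own policy notation. The policy string format `resource-type/name-pattern?Access=r+w`, the single-letter permission codes, the union-of-grants evaluation rule and all resource names are assumptions constructed for this example.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Constructed permission codes for this example (assumption, not DataPower's notation).
PERMISSIONS = {"r": "Read", "w": "Write", "a": "Add", "d": "Delete", "x": "Execute"}


@dataclass(frozen=True)
class AccessPolicy:
    """One access right: a resource type, a glob over resource names, granted permissions."""
    resource_type: str         # "service", "usergroup", or "*" for any type
    name_pattern: str          # glob such as "foo*" (matches foo_one); "*" for any name
    permissions: frozenset     # subset of PERMISSIONS keys

    def matches(self, resource_type: str, name: str) -> bool:
        return (fnmatchcase(resource_type, self.resource_type)
                and fnmatchcase(name, self.name_pattern))


@dataclass
class AccessProfile:
    """A bundle of access policies; grants are unioned (assumed rule), nothing is implicit."""
    policies: list

    def granted(self, resource_type: str, name: str) -> frozenset:
        perms = set()
        for policy in self.policies:
            if policy.matches(resource_type, name):
                perms |= policy.permissions
        return frozenset(perms)

    def allows(self, resource_type: str, name: str, permission: str) -> bool:
        if permission not in PERMISSIONS:
            raise ValueError(f"unknown permission code {permission!r}")
        return permission in self.granted(resource_type, name)


def parse_policy(text: str) -> AccessPolicy:
    """Parse the constructed notation 'type/name-pattern?Access=r+w' into an AccessPolicy."""
    location, _, query = text.partition("?")
    resource_type, _, name_pattern = location.partition("/")
    if not resource_type or not query.startswith("Access="):
        raise ValueError(f"malformed policy: {text!r}")
    perms = frozenset(p for p in query[len("Access="):].split("+") if p)
    unknown = perms - PERMISSIONS.keys()
    if unknown or not perms:
        raise ValueError(f"bad permission codes {sorted(unknown)} in {text!r}")
    return AccessPolicy(resource_type, name_pattern or "*", perms)


def build_profile(policy_strings) -> AccessProfile:
    return AccessProfile([parse_policy(s) for s in policy_strings])


def visible_resources(profile: AccessProfile, inventory) -> list:
    """GUI enforcement: show only resources the profile lets the user read."""
    return [(t, n) for t, n in inventory if profile.allows(t, n, "r")]


def run_command(profile: AccessProfile, command: str,
                resource_type: str, name: str, needs: str) -> str:
    """CLI enforcement: a command outside the profile is reported as unknown."""
    if not profile.allows(resource_type, name, needs):
        return f"Unknown command or macro ({command})"
    return f"{command} {resource_type} {name}: permitted ({PERMISSIONS[needs]})"


if __name__ == "__main__":
    # Constructed profile: read any service; full control of user groups named foo*.
    profile = build_profile(["service/*?Access=r", "usergroup/foo*?Access=r+w+a+d"])
    inventory = [("service", "svc_a"), ("usergroup", "foo_one"), ("usergroup", "bar")]
    print(visible_resources(profile, inventory))
    print(run_command(profile, "delete", "usergroup", "foo_one", "d"))
    print(run_command(profile, "delete", "usergroup", "bar", "d"))
```

Because every grant is explicit, a resource that matches no policy yields an empty permission set, so it is neither listed in the GUI nor reachable from the command line; a policy with a malformed Access clause is rejected at parse time rather than silently granting nothing.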