Capabilities of RBM

RBM authenticates users, evaluates the access profile, and enforces access to resources.

Authenticating users

Extract the user identity from the access request and authenticate the user identity that is presented. You can configure one of the following methods for user authentication.
Custom
  An external programmatic method.
LDAP server
  An external authentication system.
Local user
  Locally configured user account.
RADIUS server
  An external authentication system.
SAF
  An external authentication system.
SPNEGO (deprecated)
  An external Windows Integrated Authentication system. When SPNEGO is the RBM authentication method, you cannot log in to the GUI.
  The SPNEGO method is deprecated.
TLS user certificate
  A TLS certificate from a connection peer.
XML file
  A file that contains authentication information.

With an external authentication system, the mapping method for the access profile must be a local resource.

Evaluating the access profile

The access profile defines the set of privileges for one or more resources on the DataPower® Gateway. Resources can be as broad as a service or as specific as the ability to configure only user profiles that start with the letters foo (as in foo_one). Privileges for a resource can be one or more of the following permissions.
  • Read
  • Write
  • Add
  • Delete
  • Execute
A bundle of access rights (also termed access policies) constitutes an access profile. An access profile can originate from any of the following credential mapping sources.
Custom
  An external programmatic method.
Local user group
  Locally configured user group.
XML file
  A file that defines access profiles.
The following table lists the supported credential mapping methods for each authentication method.
Table 1. Authentication methods and supported credential mapping methods

  Authentication method   Mapping with a local user group   Mapping with an XML file   Custom mapping
  Custom                  No                                Yes                        Yes
  LDAP                    No                                Yes                        Yes
  Local user              Yes                               Yes                        Yes
  RADIUS                  No                                Yes                        Yes
  SAF                     No                                Yes                        Yes
  TLS user credential     No                                Yes                        Yes
  XML file                Yes                               Yes                        Yes

When the credentials mapping is with a local user group or with an XML file, you can use the Search LDAP for group name property to retrieve the distinguished name with an LDAP search.

Enforcing access to resources

After the user is authenticated and the access profile is evaluated, the DataPower Gateway enforces the established access profile. The GUI displays only the resources that the user has access to, and the command line recognizes only commands for resources that the user has access to.

For commands that users do not have access to, the command line displays the following message.
Unknown command or macro (command)
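The following added example (not DataPower code) models the access profile and enforcement described above: an access profile is a bundle of access policies, each granting a subset of the r/w/a/d/x permissions over a resource pattern (as broad as a wildcard, as narrow as user names starting with foo), a request is allowed only if some policy grants the permission, and a denied command yields the "Unknown command or macro" response. The policy notation, the resource-type names, and the authentication/mapping method keys used for the Table 1 check are constructed for this example and are not DataPower's own syntax.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Permission letters modelled on the five privileges listed on the page.
PERMISSIONS = {"r": "Read", "w": "Write", "a": "Add", "d": "Delete", "x": "Execute"}

@dataclass(frozen=True)
class AccessPolicy:
    domain: str         # application domain; "*" matches any
    resource: str       # resource type such as "service" or "user"; "*" matches any
    name: str           # glob over the object name, e.g. "foo*" matches foo_one
    access: frozenset   # granted subset of PERMISSIONS keys

def parse_policy(text: str) -> AccessPolicy:
    """Parse 'domain/resource/name?Access=r+w' (constructed notation, not DataPower's)."""
    path, _, query = text.partition("?")
    domain, resource, name = path.split("/")   # ValueError if not exactly three parts
    perms = frozenset(query.removeprefix("Access=").split("+")) if query else frozenset()
    unknown = perms - PERMISSIONS.keys()
    if unknown:
        raise ValueError(f"unknown permission(s): {sorted(unknown)}")
    return AccessPolicy(domain, resource, name, perms)

def build_profile(policies):
    """An access profile is the bundle of its access policies."""
    return [parse_policy(p) for p in policies]

def allowed(profile, domain, resource, name, perm) -> bool:
    """Grant only if at least one policy matches the resource and carries the permission."""
    return any(
        fnmatchcase(domain, p.domain) and fnmatchcase(resource, p.resource)
        and fnmatchcase(name, p.name) and perm in p.access
        for p in profile
    )

def cli_response(profile, command, domain, resource, name, perm) -> str:
    """Enforcement: a command on a resource the user cannot access is reported as unknown."""
    if not allowed(profile, domain, resource, name, perm):
        return f"Unknown command or macro ({command})"
    return "ok"

# Supported credential mapping methods per authentication method, transcribed from Table 1.
MAPPING_METHODS = {
    "custom": {"xml-file", "custom"}, "ldap": {"xml-file", "custom"},
    "local-user": {"local-user-group", "xml-file", "custom"},
    "radius": {"xml-file", "custom"}, "saf": {"xml-file", "custom"},
    "tls-user-certificate": {"xml-file", "custom"},
    "xml-file": {"local-user-group", "xml-file", "custom"},
}

def mapping_supported(auth_method: str, mapping_method: str) -> bool:
    """True if Table 1 allows this authentication/mapping combination."""
    return mapping_method in MAPPING_METHODS.get(auth_method, set())
```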