Active Directory security modes
TrueSight Middleware and Transaction Monitor provides the following forms of security for user authentication:
- Internal Security – provided by an internal directory server.
- Active Directory Delegate Mode Security – combines Active Directory Authentication (user identification and password checking) and Internal LDAP authorization.
The Active Directory Only mode (also known as Legacy mode) security configuration that was available in earlier versions of the product is no longer supported for new installations or upgrades.
Active Directory Delegate Mode security
Active Directory Delegate Mode Security allows for configuring TrueSight Middleware and Transaction Monitor security to authenticate a user via their Active Directory credentials and group memberships while allowing for TrueSight Middleware and Transaction Monitor user and group authorization and configuration information to be stored in its internal database.
This mode alleviates the need to modify the Active Directory schema. It might require the Active Directory administrator to set up Groups and User associations that are used to dictate a user's level of authority. Internal users (such as TopicService, etc.) are maintained in the internal TrueSight Middleware and Transaction Monitor database, and are not required in the Active Directory domain.
When using Active Directory Delegate Mode, security users can log in using their Active Directory user name and password. Active Directory users are granted permission to work with TrueSight Middleware and Transaction Monitor based on their group membership.
Groups must be created in TrueSight Middleware and Transaction Monitor (using the Security Tab in the Management Console) with the same name as an existing Active Directory group. Permissions can be granted to that group to allow all members of that group to log in and use TrueSight Middleware and Transaction Monitor.
For example, user "Bob" is a member of the Active Directory group "MQAdmins." To enable "Bob" to log in, ensure that an "MQAdmins" group exists in the product and that it has the permissions assigned appropriately to the role.
When a user logs into a TrueSight Middleware and Transaction Monitor system that is configured in Active Directory Delegate Mode, a user account is automatically created in the internal LDAP directory. Passwords are synchronized automatically (i.e., users can change their Active Directory password without having to make any changes to TrueSight Middleware and Transaction Monitor).