The PREAUTH_ADMIN model

This model provides flexibility for customers with unique configurations and no compatible security migration paths. 

The term pre-authentication applies because an external server authenticates each request and then forwards it to the TrueSight Middleware Administrator. This external server is trusted to perform authentication checks. Authorization remains an internal process. The Product Administrator retains full use of and responsibility for administration of users and groups.

PREAUTH_ADMIN functional structure is displayed in the diagram below:

 
 

Functional details: PREAUTH_ADMIN

A proxy server authenticates each incoming request and forwards it to the TrueSight Middleware Administrator service. A packet identifies the request to the application. The application then acts on it.

The authorization mechanism is as follows:

  1. User makes request/attempts action.
  2. The proxy server receives the request.
  3. The proxy creates and sends the request to the application.
  4. The application receives the request and either approves or denies it.
    1. If approved, the user action takes place.
    2. If denied, an error message is generated. For instance, a user who has only Inquire permissions for a particular project and who attempts to modify an object within TrueSight Middleware Administrator will receive a standard '403' error message.

A potential problem with PREAUTH_ADMIN (and PREAUTH_LDAP) is that the TrueSight Middleware Administrator service explicitly trusts the host that originates the request: the whole host, not just the proxy server running on it. This means that any HTTP request from that host that forms the right HTTP stream can impersonate any valid user in TrueSight Middleware Administrator. This could result in elevated privileges for someone creating the HTTP connection on that host (using curl or creating an HTTP client program). When using this model, you must have good security and trust policies in place on the trusted proxy host machine.
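
A spot check for the host-level trust described above, as an added example that is not part of the original documentation or the product's own code: it parses `ss -tnp` output captured on the trusted proxy host and reports connections to the service that are not owned by the proxy process. The service address and port, the proxy process name `httpd`, and the sample output are assumptions constructed for illustration.

```python
import re

# Assumptions (not from the page): address and port of the TrueSight
# Middleware Administrator service, and the proxy's process name.
TMA_ENDPOINT = "10.0.0.9:8443"
ALLOWED_PROCESSES = {"httpd"}

# Constructed sample of `ss -tnp` output taken on the trusted proxy host.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port  Process
ESTAB  0      0      10.0.0.5:51234      10.0.0.9:8443      users:(("httpd",pid=1201,fd=14))
ESTAB  0      0      10.0.0.5:51240      10.0.0.9:8443      users:(("curl",pid=4410,fd=3))
ESTAB  0      0      10.0.0.5:51302      10.0.0.9:8443
ESTAB  0      0      10.0.0.5:40022      10.0.0.7:5432      users:(("httpd",pid=1201,fd=9))
"""

# Matches one ("name",pid=N,fd=M) entry inside the users:(...) column.
OWNER_RE = re.compile(r'\("([^"]+)",pid=(\d+),fd=\d+\)')


def unexpected_clients(ss_output, endpoint=TMA_ENDPOINT, allowed=ALLOWED_PROCESSES):
    """Return (local_addr, process, pid) for each connection to the service
    endpoint whose owning process is not an allowed proxy process."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split(None, 5)
        # The header row and unrelated connections fail the peer comparison.
        if len(fields) < 5 or fields[4] != endpoint:
            continue
        owners = OWNER_RE.findall(fields[5]) if len(fields) > 5 else []
        if not owners:
            # ss prints no owner when it lacks privilege to see the socket's
            # process; report it as unverified rather than assuming the proxy.
            findings.append((fields[3], "<unknown>", None))
            continue
        for name, pid in owners:
            # A name match is only a first filter: names can be spoofed, so
            # confirm the pid against the proxy's service account.
            if name not in allowed:
                findings.append((fields[3], name, int(pid)))
    return findings


if __name__ == "__main__":
    for local, name, pid in unexpected_clients(SAMPLE_SS_OUTPUT):
        print(f"unexpected client to service: {name} pid={pid} from {local}")
```

Run `ss` as root so that every socket's owner is visible. A point-in-time snapshot misses short-lived clients, so this is a spot check rather than a control.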