Cross-registering users in the TrueSight Server Automation database (AD Kerberos)


Users must be registered in both Active Directory and the TrueSight Server Automation RBAC-based user database. Cross-registration allows users to be authorized for RBAC roles.

Only users authorized to use TrueSight Server Automation should be entered into the TrueSight Server Automation database. Use RBAC to add users to the TrueSight Server Automation database. For information about adding users to RBAC, see Creating-users.

TrueSight Server Automation documentation assumes you know how to add users to Active Directory.

Requirements for User Names

When using AD/Kerberos to authenticate end users, you must ensure that domain user names stored in RBAC are fully qualified and that those names match the user names stored in Active Directory.

Each TrueSight Server Automation user name must be in the form:

<USER>@<DOMAIN>

where <DOMAIN> is the domain the user is registered in.

For example, if you are using RBAC or the bladduser utility to add a new TrueSight Server Automation user, you would fill in the name field with a value such as:

mary@SUB1.DEV.MYCOMPANY.COM

rather than filling in the name field with a value such as:

mary

Note that the user name mary@SUB1.DEV.MYCOMPANY.COM is a different user name than mary or mary@SUB3.DEV.MYCOMPANY.COM.

The user's TrueSight Server Automation user name must match the user's fully qualified Active Directory user name.
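The naming rule above can be checked before users start failing authentication or authorization. The following Python function is an added example, not part of the product or its documentation: it compares a list of RBAC user names against a list of Active Directory names and reports every entry that is unqualified, differs only in case, or points at the wrong domain. The function name, the sample lists, the requirement of a dotted domain, and the case-sensitive comparison are assumptions; how you export the two lists is up to you.

```python
"""Audit RBAC user names against Active Directory names (added example)."""
import re

# <USER>@<DOMAIN>: exactly one '@', a non-empty user part and a dotted domain.
# Assumption: a single-label domain is treated as not fully qualified.
FQ_NAME = re.compile(r"^(?P<user>[^@\s]+)@(?P<domain>[^@\s.]+(?:\.[^@\s.]+)+)$")


def audit_rbac_names(rbac_names, ad_names):
    """Return {rbac_name: finding} for each name that is not an exact AD match."""
    ad_exact = set(ad_names)
    ad_folded = {n.casefold() for n in ad_names}
    ad_domains_by_user = {}
    for n in ad_names:
        m = FQ_NAME.match(n)
        if m:
            ad_domains_by_user.setdefault(m["user"].casefold(), set()).add(m["domain"])

    findings = {}
    for name in rbac_names:
        m = FQ_NAME.match(name)
        if not m:
            findings[name] = "not fully qualified"
        elif name in ad_exact:
            continue  # exact match, nothing to report
        elif name.casefold() in ad_folded:
            # Assumption: the match must be exact, so case-only drift is reported.
            findings[name] = "case differs from AD name"
        elif m["user"].casefold() in ad_domains_by_user:
            domains = sorted(ad_domains_by_user[m["user"].casefold()])
            findings[name] = "user exists only in: " + ", ".join(domains)
        else:
            findings[name] = "no matching AD user"
    return findings


# Constructed sample data, not taken from a real system.
AD_NAMES = ["mary@SUB1.DEV.MYCOMPANY.COM", "raj@SUB3.DEV.MYCOMPANY.COM"]
RBAC_NAMES = [
    "mary@SUB1.DEV.MYCOMPANY.COM",  # exact match
    "mary",                         # missing domain
    "raj@SUB1.DEV.MYCOMPANY.COM",   # right user, wrong domain
    "Mary@sub1.dev.mycompany.com",  # case-only difference
    "olga@SUB1.DEV.MYCOMPANY.COM",  # not in AD at all
]

if __name__ == "__main__":
    for name, finding in audit_rbac_names(RBAC_NAMES, AD_NAMES).items():
        print(f"{name}: {finding}")
```

RBAC entries reported as "no matching AD user" are also worth reviewing against the rule that only authorized users should be in the database.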

TrueSight Server Automation provides a BLCLI command, RBACRole:syncUsers, that you can use to synchronize group information in Active Directory with role information in RBAC. For more information about this command, see the BLCLI help.

Where to go from here

See Setting-up-a-Network-Shell-proxy-server-for-AD-Kerberos.

 


TrueSight Server Automation 20.02