DataFlux Data Management Studio

Adding Authentication Server Domains and Users

• Data Management Studio and the Authentication Server
• Overview of Authentication Server Domains and Users
• Prerequisites for Adding Authentication Server Domains and Users
• Open the Authentication Server as an Administrator
• Register a Domain
• Register a User
• (Optional) Add DBMS Logins to a User Definition
• Using Authentication Server Domains to Supply Credentials for Batch Jobs

Data Management Studio and the Authentication Server

Server administrators will use the Administration riser to add users, logins, domains, and other information on the Authentication Server. This topic provides some basic information about users, logins, and domains so that you can understand how these items interact with Data Management Studio. For details about these items, see the DataFlux Authentication Server User's Guide and the DataFlux Authentication Server Administrator's Guide.

The DataFlux Authentication Server provides a central point of authentication management across multiple domains and multiple operating environments. Specific features include:

• Centralized Authentication - the server accesses native authentication mechanisms, such as Windows Active Directory or LDAP, to verify the identity of the users of Data Management Platform client applications.
• Centralized Management of Users and Groups - the server manages user and group definitions that form the basis for authorization on Data Management Platform servers.
• Single or Reduced Sign-On - the server enables authenticated users to connect across domains to Data Management Platform servers and databases without submitting additional credentials.

If you have a Federation Server, then you must also have an Authentication Server. If the Data Management Server is configured for authorization, then you must have an Authentication Server. You must also have an Authentication Server for DataFlux Web Studio.

Overview of Authentication Server Domains and Users

An Authentication Server domain is a label that is used to group similar user credentials, such as a group of users who need to log in to Data Management Platform applications, or a group of users who need to login to a database management system (DBMS). If an Authentication Server is installed on your site, and you have administrative privilege, you can use the Administration riser in Data Management Studio to add Authentication Server domains, users, and logins.

This topic describes the basic steps for adding domains, users, and logins on the Authentication Server. Even if you are not responsible for this task, the topic will help you understand how the Authentication Server interacts with Data Management Studio and the Federation Server. For complete information about maintaining domains and related information, see the DataFlux Authentication Server User's Guide and the DataFlux Authentication Server Administrator's Guide.

Prerequisites for Adding Authentication Server Domains and Users

Assume that a connection to an Authentication Server has already been added to the Administration riser, as described in Connecting to Authentication Servers.

Identify a set of domains, users, and (possibly) logins that must be registered on the Authentication Server in order to meet certain goals at your site. For example, suppose that you wanted to meet the following goals.

Goal 1: Authenticate Data Management Platform Users. Authenticate users for Data Management Platform applications and servers on a test computer (pubdmp), including Using Business Data Network. To meet this goal, you might register a domain and users such as the following.

• Domain - PUBDMP, a local domain for users on the test computer (pubdmp) where Data Management Platform software is installed. (For production systems, you would create an Authentication Server domain that corresponds to network domain that is used for production work.)
• Users - DataFlux Admin, DataFlux User, DataFlux Web Admin, George Barnes, and Rhonda Zool (two accountants who use Business Data Network). All of these users have local accounts on the test computer, pubdmp. For production systems, these would typically be network accounts. Passwords for Data Management Platform users are not typically saved as part of the user definitions on the Authentication Server. These users will enter their passwords for the relevant domain as they normally would, when the Authentication Server prompts them to log in.  

Goal 2: Register Database Management System logins for use in job that will execute in batch mode. When a job executes in batch mode, any credentials for DBMS data sources must be provided programmatically. One solution would be to use an Authentication Server domain to retrieve DBMS credentials at runtime, if the appropriate users and logins have been added to the domain. Accordingly, part of the solution for Goal 2 might be to register domains, users, and logins such as the following.

• Domains - One for each database management system, such as ORACLE, SQLSERVER, and SAP.
• Users - No additional users are required for the example test system that is described in this section. In general, you do not have to create an Authentication Server user for every database management system user. Each Authentication Server user can have multiple logins. For convenience, all database management system logins could be added to the DataFlux Admin user that was defined for Goal 1.
• Logins - User names and passwords for the database management systems. The passwords are needed in this case because they will be retrieved at run-time by a job that is running in batch mode. For more information about this scenario, see Using Authentication Server Domains to Supply Credentials for Batch Jobs.

Open the Authentication Server as an Administrator

1. Click the Administration riser, and then expand the Authentications Servers folder.
2. Right-click an Authentication Server and select Open.
3. Enter any required credentials. After you log in, the administrative dialogs for the Authentication Server will display, as shown in the next figure.
   

Register a Domain

Register one or more domains on the Authentication Server, as required to meet your goals. For the example that is described in the Prerequisites section, you would create the following domains: 

• PUBDMP, a local domain on a test computer (pubdmp) where Data Management Platform software is installed.
• ORACLE, SQLSERVER, and SAP, a domain for each database management system that is required for the test environment.

It is assumed that you have opened the Authentication Server as an administrator. Perform the following steps to register a domain.

1. Click the Domains riser.
2. Click the New Domain control in the All Domains panel on the right. The New Domain dialog displays. Typically you will identify the information that is required by this dialog when you research the prerequisites.
3. Enter a name, a description, and other attributes, as shown in the next figure.

    

   

   
   In the previous figure, the Name specifies the domain name that could be combined with a login ID for authentication. The Description defines the purpose and scope of the domain. The User Name Format area specifies if and how the domain name is to be combined with a login ID for authentication. Given that the Down-level logon name option is selected in the previous figure, the domain will be combined with the login ID for authentication (PUBDMP\dfWebAdmin). The case-sensitive option is unchecked for this domain.

4. Click OK when finished to save the domain.
5. Repeat for all required domains. For the current example, the All Domains panel would look like the next figure.
   

Register a User

Register one or more users on the Authentication Server, as required to meet your goals. For the example that is described in the Prerequisites section, you would create the following users: DataFlux Admin, DataFlux User, DataFlux Web Admin, George Barnes, and Rhonda Zool.

It is assumed that you have opened the Authentication Server as an administrator. Perform the following steps to register a user.

1. Click the Users riser.
2. Click the New Users control in the All Users panel on the right. The New User dialog displays. Typically you will identify the information that is required by this dialog when you research the prerequisites.
3. Enter a name, a description, and other attributes, as shown in the next figure.

    

   

   
   In the previous figure, the Name specifies an Authentication Server user. The Description identifies the user. The User ID specifies a login ID for this user in the selected domain. The Domain specifies an Authentication Server domain.
   

4. Click OK when finished to save the user.
5. Repeat for all required users. For the current example, the All Users panel would look like the next figure.

   

(Optional) Add DBMS Logins to a User Definition

In order to meet Goal 2 as described in Prerequisites above, the DataFlux Admin user could add logins and passwords for Oracle, SQL Server, and SAP. These credentials would be retrieved at run-time by a job that is running in batch mode. For more information about this scenario, see Using Authentication Server Domains to Supply Credentials in Batch Mode.

It is assumed that you have connected to the Authentication Server and that you have opened that server on the Administration riser of Data Management Studio. Perform the following steps to add another login to your account.

1. Click the Users riser.
2. Select your user definition in the left panel. For the current example, you would select the DataFlux Admin user. The current logins for the selected user will display in the panel on the right. If you have selected your own account, a New login control should also be available on the right.
3. Click the New login control in the panel on the right. The New Login dialog displays. Typically you will identify the information that is required by this dialog when you research the prerequisites.
4. Enter a user ID, an Authentication Server domain, and a password for the target resource, as shown in the next figure.

    

   

   
   In the previous figure, User ID specifies the login ID for the target resource, such as an Oracle database. The Domain identifies the Authentication Server domain for the target resource, such as ORACLE. This domain must have already been created. The Password specifies the password for the target resource.

5. Click OK when finished to save the login.
6. Repeat for all required logins. For the current example, the panel on the right for DataFlux Admin would look like the next figure.

   

Using Authentication Server Domains to Supply Credentials in Batch Mode

When a job executes in batch mode, a user cannot provide any DBMS credentials that are needed to connect to data sources. One solution would be to use an Authentication Server domain to retrieve DBMS credentials at runtime, if the appropriate users and logins have been added to the domain. You could combine the following features: 

• An Authentication Server domain with the appropriate DBMS users, logins, and passwords, as described above.
• DSN connections that support Authentication Server domains. For examples, see Adding Domain Enabled ODBC Connections.
• A method for programmatically logging in to the Authentication Server in order to access DBMS logins that have been saved to the Authentication Server. For an example, see Run a Job with a DSN That Specifies an Authentication Server Domain.