<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Password Policy for all appliance users on</title><link>https://docs.protegrity.com/10.2/docs/aog/web_user_interface_management/aog_passwordpolicy_app_services/</link><description>Recent content in Password Policy for all appliance users on</description><generator>Hugo</generator><language>en</language><atom:link href="https://docs.protegrity.com/10.2/docs/aog/web_user_interface_management/aog_passwordpolicy_app_services/index.xml" rel="self" type="application/rss+xml"/><item><title>Managing Roles</title><link>https://docs.protegrity.com/10.2/docs/aog/web_user_interface_management/aog_passwordpolicy_app_services/aog_managing_roles/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://docs.protegrity.com/10.2/docs/aog/web_user_interface_management/aog_passwordpolicy_app_services/aog_managing_roles/</guid><description>&lt;p>Roles are templates that include permissions and users can be assigned to one or more roles. Users in the appliance must be attached to a role.&lt;/p>
&lt;p>The default roles packaged with ESA are as follows:&lt;/p>
&lt;table>
 &lt;thead>
 &lt;tr>
 &lt;th>Roles&lt;/th>
 &lt;th>Description&lt;/th>
 &lt;th>Permissions&lt;/th>
 &lt;/tr>
 &lt;/thead>
 &lt;tbody>
 &lt;tr>
 &lt;td>Policy Proxy User&lt;/td>
 &lt;td>Allows a user to connect to DSG via SOAP/REST and access web services using Application Protector (AP).&lt;/td>
 &lt;td>Proxy-User&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td>Policy User&lt;/td>
 &lt;td>Allows a user to connect to DSG via SOAP/REST and perform security operations using Application Protector (AP).&lt;/td>
 &lt;td>Policy-User&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td>Security Administrator Viewer&lt;/td>
 &lt;td>Role that can view the ESA Web UI, CLI, and reports.&lt;/td>
 &lt;td>Security Viewer, Appliance CLI Viewer, Appliance web viewer, Reports Viewer&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td>Shell Accounts&lt;/td>
 &lt;td>Role that has direct SSH access to the Appliance OS shell. &lt;br/>&lt;strong>Note&lt;/strong>: It is recommended to consider carefully before assigning the Shell Accounts role and permission to a user. &lt;br/> Ensure that if a user is assigned the Shell Accounts role, no other role is linked to the same user. The user has no access to the Web UI or CLI, except when the user has password policy enabled and is required to change the password through the Web UI.&lt;/td>
 &lt;td>Shell (non-CLI) Access&lt;br/>&lt;strong>Note&lt;/strong>: The user can access SSH directly if the permission is tied to this role.&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td>Security Administrator&lt;/td>
 &lt;td>Role responsible for setting up data security using ESA policy management, which includes but is not limited to creating policy, managing policy, and deploying policy.&lt;/td>
 &lt;td>Security Officer, Reports Manager, Appliance Web Manager, Appliance CLI Administrator, Export Certificates, DPS Admin, Directory Manager, Export Keys, RLP Manager&lt;/td>
 &lt;/tr>
 &lt;/tbody>
&lt;/table>
&lt;p>The capabilities of a role are defined by the permissions attached to the role. Though roles can be created, modified, or deleted from the appliance, permissions cannot be edited. The permissions that are available to map with a user and packaged with ESA as default permissions are as follows:&lt;/p></description></item><item><title>Configuring the proxy authentication settings</title><link>https://docs.protegrity.com/10.2/docs/aog/web_user_interface_management/aog_passwordpolicy_app_services/aog_configure_proxy_auth_settings/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://docs.protegrity.com/10.2/docs/aog/web_user_interface_management/aog_passwordpolicy_app_services/aog_configure_proxy_auth_settings/</guid><description>&lt;p>To configure the proxy authentication from the Web UI, the directory_administrator permission must be associated with the required role. It is also possible to do this through the CLI manager. For more information about configuring LDAP from the CLI manager, refer to &lt;a href="https://docs.protegrity.com/10.2/docs/aog/command_line_interface_cli_manager/working_with_administration/managing_ldap/aog_proxy_authentication/">here&lt;/a>.&lt;/p>
&lt;p>Perform the following steps to configure proxy authentication settings.&lt;/p></description></item><item><title>Working with External Groups</title><link>https://docs.protegrity.com/10.2/docs/aog/web_user_interface_management/aog_passwordpolicy_app_services/aog_external_groups/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://docs.protegrity.com/10.2/docs/aog/web_user_interface_management/aog_passwordpolicy_app_services/aog_external_groups/</guid><description>&lt;p>Directory service providers, such as Active Directory (AD) or Oracle Directory Server Enterprise Edition (ODSEE), are identity management systems that contain information about the enterprise users. You can map the users in the directory service providers to the various roles defined in the Appliances. The External Groups feature enables you to associate users or groups with the roles.&lt;/p>
&lt;p>You can import users from a directory service to assign roles for performing various security and administrative operations in the appliances. Using External Groups, you connect to an external source, import the required users or groups, and assign the appliance-specific roles to them. The appliances automatically synchronize with the directory service provider at regular time intervals to update user information. If any user or group in a source directory service is updated, it is reflected across the users in the external groups. The updates made to the local LDAP do not affect the source directory service provider.&lt;/p></description></item></channel></rss>