An LDAP group in Control-M/EM authorizations is mapped to the corresponding group in the LDAP server. This eliminates the need of creating users in Control-M/EM, and instead authenticates the users in the LDAP server.
In addition, a user who logs into Control-M/EM with LDAP credentials does not need to be a direct member of one of the LDAP groups that are mapped to Control-M/EM. Control-M/EM checks the descendants of the LDAP groups mapped to Control-M/EM. If the user is a member of one or more of the descendant groups, the user is authorized in Control-M/EM, and inherits the combined authorizations of all of the parental groups.
The login procedure must authenticate the identifiers of the user against external LDAP directories. Users who are not defined in the Control-M/EM users must belong to groups in the LDAP directory. These LDAP groups must be associated with Control-M/EM authorization, as described in Defining LDAP Groups.
Parent Topic |