Cisco Systems Servers User Manual

Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide
78-13751-01, Version 3.0
Chapter 12: Administering External User Databases
Database Group Mappings
Group Mapping by Group Set Membership
You can create group mappings for some external user databases based on the 
combination of external user database groups to which users belong. The 
following are the external user database types for which you can create group 
mappings based on group set membership:
Windows NT/2000
Novell NDS
Generic LDAP
Note: Windows NT/2000 databases are defined by domain name.
When you configure a Cisco Secure ACS group mapping based on group set 
membership, you can add one or many external user database groups to the set. 
For Cisco Secure ACS to map a user to the specified Cisco Secure ACS group, the 
user must match all the external user database groups in the set.
As an example, you could configure one group mapping for users who belong to 
both the Engineering and Tokyo groups and a separate one for users who belong 
to both Engineering and London. You could then configure different access 
times for the Cisco Secure ACS groups to which the Engineering-Tokyo and 
Engineering-London combinations map. You could also configure a group mapping 
that includes only the Engineering group; it would map the other members of 
the Engineering group who are not members of Tokyo or London.
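The all-groups-must-match rule and the Engineering/Tokyo/London example above, as an added sketch that is not part of the Cisco guide or of Cisco Secure ACS. It assumes mappings are checked in listed order and the first match wins; the ACS group names and function names are hypothetical. The second function audits a mapping list for entries that a broader, earlier entry makes unreachable.

```python
# Added illustration; not Cisco Secure ACS code.
# External group names reuse the guide's example.
from typing import Optional

# Ordered list of (external group set, ACS group).
# The ACS group names are hypothetical.
MAPPINGS = [
    (frozenset({"Engineering", "Tokyo"}), "ACS-Eng-Tokyo"),
    (frozenset({"Engineering", "London"}), "ACS-Eng-London"),
    (frozenset({"Engineering"}), "ACS-Eng-Other"),
]


def map_user(user_groups, mappings=MAPPINGS) -> Optional[str]:
    """Return the ACS group for a user, or None if no mapping matches.

    A mapping matches only when the user belongs to every external
    group in its set. Assumption: mappings are checked top to bottom
    and the first match wins.
    """
    memberships = set(user_groups)
    for group_set, acs_group in mappings:
        if group_set <= memberships:  # user is in all groups of the set
            return acs_group
    return None


def shadowed_mappings(mappings):
    """Find mappings that can never be selected under first-match order.

    If an earlier set is a subset of a later set, every user matching
    the later mapping also matches the earlier one, so the later
    mapping is dead. Returns (shadowed, shadowing) ACS group pairs.
    """
    findings = []
    for i, (later_set, later_acs) in enumerate(mappings):
        for earlier_set, earlier_acs in mappings[:i]:
            if earlier_set <= later_set:
                findings.append((later_acs, earlier_acs))
                break
    return findings
```

Under the first-match assumption, placing the Engineering-only mapping above the two-group mappings would send every Engineering user to it, which is what `shadowed_mappings` reports.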
Group Mapping Order
Cisco Secure ACS always maps users to a single Cisco Secure ACS group, yet a 
user can belong to more than one group set mapping. For example, a user, John, 
could be a member of the group combination Engineering and California, and at 
the same time be a member of the group combination Engineering and Managers. 
If there are Cisco Secure ACS group set mappings for both these combinations, 
Cisco Secure ACS has to determine to which group John should be assigned.
Cisco Secure ACS prevents conflicting group set mappings by assigning the 
group set mappings a mapping order. When a user authenticated by an external 
user database is to be assigned to a Cisco Secure ACS group, Cisco Secure ACS