To make sure that I understand, are you asking how to assign a user or group of users read-only (and, optionally, higher) permissions to all CEM business applications / business services via EEM without relying on global user groups retrieved from Active Directory? If so, this is certainly possible and I can provide some instruction.
Keep in mind, CEM typically expects one of the following user groups, even when using EEM:
CEM Incident Analyst
CEM Configuration Administrator
CEM System Administrator
While you can deviate from this structure somewhat with EEM, it's really convenient to continue thinking of users in these terms.
jfaldmo wrote: I believe you should look into "Dynamic User Groups." It is something I am exploring at this time as well. If I find an exact answer I will send it your way. If you find an exact answer then please post it as well.
jfaldmo wrote: I didn't pursue dynamic groups any further since I finally got the Global Group Attributes setup right by using "Use Group As Container." We use Novell as our LDAP and I had to customize the "Label" to get it to work.
I believe you can get it to work by doing the following.
Go to "Manage Access Policies" and click on the icon next to "Dynamic User Group Policies" to create a new policy.
Put in a name like "dynamic admin policy".
In the "Access Policy Configuration" add a name like "dynamicadmin" and click on the add icon.
Click on the Add filter button. Add a left parenthesis. In the "left type/value" box select "user" then select "Name" from the next drop down box.
For the Operator select "NOTEQUAL !=". In the "Right type/value" put in some random text like "zzzzzz".
Add a right parenthesis.
Click on the Save button.
Now when you go and look up a user under "Manage Identities" you should see "dynamicadmin" under "Dynamic Groups" at the bottom of the page.
You can use this dynamic group in the policies now. For instance, go to the "Domain" policy folder and click on "Domain Admin." Under the "Identities" section change the type to "Dynamic group." Either type in "dynamicadmin" (or whatever you called the group) or click on "search identities" and click on the "Search" button. Your group should be listed and you can add it to the "Selected Identities."
Save your changes, and hopefully all your users can now log in, as long as they are not named "zzzzzz."
If you guys wish to translate your organizational users-roles into the default CA EEM / CEM access policies, please also refer to page 121 in the APM security guide. This gives a vivid idea as to what roles possess what types of access.