
H3C Technologies H3C Intelligent Management Center User Manual


If no service is assigned to any of these AD groups, the default service is assigned to the users.

The rules that UAM uses to assign services to LDAP users are described later in this topic.

AD Group & Service Configurations
The configuration list displays the service assignment for the AD groups and the AD group priority.
To assign a service to an AD group:

a. Click Add in the AD Group & Service Configurations area.

b. Enter the group name in the LDAP group query field. UAM supports fuzzy matching for this field. For example, if you enter a, all the AD group names that contain a are queried. If the field is empty, all available groups are queried.

c. Click Query.
   All the AD groups matching the query criterion are displayed in the AD Group & Service Configurations area.

d. Select one or more group names, and click OK.
   All the selected AD groups are displayed in the AD Group & Service Configurations area. The AD Group Distinguished Name column displays the AD group and its absolute path in the active directory. The Service Configuration column provides a Service Configuration icon. Click the icon to view the available services list.
   To delete AD groups, select the boxes next to their group names, and click Delete. In the confirmation dialog box that appears, click OK.

e. Select services for each AD group.
   Click the Service Configuration icon for an AD group. The Services List window appears.
   Select one or more services and click OK. The selected services are associated with the AD group.

f. Adjust the priorities for the AD groups.
   Click the Move down icon for an AD group to reduce its priority.
   Click the Move Up icon for an AD group to raise its priority.

g. Click Next to enter the page for configuring LDAP user parameters.

Rules for assigning services to LDAP users
UAM uses the following rules to assign a service to an LDAP user in only one AD group:

• Assigns the service in the AD group to the user.

• If the AD group has no service, assigns the service in its parent AD group to the user. If the parent AD group has no service, moves up until an AD group is found having services or the specified maximum number of AD group layers is reached.

• If none of the AD group layers has a service, assigns the default service to the user.

UAM uses the following rules to assign services to an LDAP user in more than one AD group:

• If at least two of the AD groups have a service, compares the priorities of the AD groups, and assigns the services of the higher-priority AD group to the user.

• If none of the AD groups has services, searches their respective parent AD groups for services. If only one parent AD group has services, assigns the service to the user. If at least two parent AD groups have a service, compares the priorities of the AD groups, and assigns the services of the higher-priority AD group to the user. If none of their parent AD groups has a service, moves up the chains of AD groups until one AD group is found having a service or the specified maximum number of AD group layers is reached.

• If none of the AD group layers has a service, assigns the default service to the user.
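
The following is an added example, not UAM code: a small Python model of the rules above that can be used to check which services a user would receive before changing group priorities or service assignments. The function name, the data model and the group names are constructed, and it assumes that layer 1 is the user's own groups, that priority is compared between the groups that hold a service at the same layer, and that a single group holding a service at a layer wins without comparison.

```python
# Added illustration of the assignment rules; not UAM internals.
def resolve_services(user_groups, parent_of, services, priority,
                     max_layers, default):
    """Return the list of services a user receives.

    user_groups: AD groups the user belongs to directly
    parent_of:   group -> parent group (absent for top-level groups)
    services:    group -> services configured for that group
    priority:    configured groups, highest priority first
    max_layers:  number of group layers to examine (assumption: the
                 user's own groups count as layer 1)
    """
    rank = {group: i for i, group in enumerate(priority)}
    layer = list(dict.fromkeys(user_groups))      # de-duplicate, keep order
    for _ in range(max_layers):
        holders = [g for g in layer if services.get(g)]
        if holders:
            # One holder wins outright; several are compared by priority.
            best = min(holders, key=lambda g: rank.get(g, len(rank)))
            return list(services[best])
        # No group at this layer has a service: move each chain up one level.
        layer = list(dict.fromkeys(
            parent_of[g] for g in layer if g in parent_of))
        if not layer:
            break
    return [default]


# Constructed sample directory (short names stand in for distinguished names).
PARENT = {"eng": "staff", "ops": "staff", "qa": "staff",
          "contractors": "external", "staff": "corp", "external": "corp"}
SERVICES = {"eng": ["svc-eng"], "qa": ["svc-qa"],
            "staff": ["svc-staff"], "external": ["svc-guest"]}
PRIORITY = ["external", "qa", "eng", "staff"]     # highest priority first

if __name__ == "__main__":
    for groups in (["eng"], ["ops"], ["eng", "qa"], ["ops", "contractors"]):
        print(groups, "->", resolve_services(
            groups, PARENT, SERVICES, PRIORITY, 3, "default"))
```

In the sample data, a user in both ops and contractors receives the guest service because the external group outranks staff, which is the kind of inherited result worth reviewing when priorities are reordered.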