Trusted Users and Trusted User Groups
Users who can authenticate through realms other than their own are called trusted users. Only trusted users can authenticate through a trusted realm, so you must create trusted users in the trusted realm.
You can group trusted users into trusted user groups. Similar to user groups, you can use trusted user groups to provide access to an authentication agent. Only members of a trusted user group can access an agent. Trusted users and trusted user groups can only access authentication agents that have been enabled and configured for trusted realm authentication.
Add a Trusted User
Only trusted users can access the agents enabled for trusted realm authentication. An authentication agent can be configured to automatically designate all users from a trusted realm as trusted users. You can manually add trusted users if more restriction is necessary. When you manually add trusted users, only the users you add are trusted users.
Before you begin
- Add a trusted realm. For instructions, see Add a Trusted Realm.
- Configure an agent for trusted realm authentication. For instructions, see Configure an Agent for Trusted Realm Authentication.
Procedure
- In the Security Console, click Administration > Trusted Realms > Trusted Users > Add New.
- In the Trusted User ID field, enter the user's User ID.
- From the Trusted Realm Name drop-down menu, select the trusted realm where the user belongs.
- From the Security Domains drop-down menu, select the security domain where the policies for this trusted user are managed.
  Only administrators whose administrative scope includes the security domain you select can manage the user.
- In the Default Shell field, enter the shell that users employ to access a UNIX machine.
- Click Save.
Allow Trusted Users to Authenticate Using RSA RADIUS
To allow trusted users to authenticate using RSA RADIUS, you define these trusted users on the trusted realm before they authenticate. You may also set up a special RADIUS profile for trusted users.
For more details about configuring RADIUS to handle trusted users, see RADIUS Profile Associations.
For more information on associating trusted users with RADIUS attributes, see Map a RADIUS User Attribute Definition to an Identity Source Attribute.
Add Trusted Users to a Trusted User Group
A trusted user group restricts access to an agent that is enabled for trusted realm authentication. When you create a trusted user group, only members of the trusted user group can access the agent that is enabled for trusted realm authentication.
You can add new trusted users to an existing trusted user group.
Procedure
- In the Security Console, click Administration > Trusted Realms > Trusted User Groups > Manage Existing.
- Use the search fields to find the trusted user group where you are adding users.
- From the search results, click the trusted user group name.
- From the context menu, click Add More.
- Select the checkbox next to the trusted users that you want to add.
- Click Add to Trusted User Group.
Assign a Trusted User to RADIUS Profiles
You assign a trusted user to a RADIUS profile to designate the predefined collection of checklist and return list attributes that the RADIUS server applies to the trusted user's network requests.
For example, you might create a profile for all users in a different, trusted RSA Authentication Manager realm that specifies a lower Idle-Timeout value. (The Idle-Timeout value specifies the time to wait for user input before the RADIUS client logs off the user.)
Procedure
- In the Security Console, click RADIUS > RADIUS Profiles > Manage Existing.
- Click the profile that you want.
- From the context menu, under Associated Trusted Users, click Assign to More.
- Use the search fields to find the trusted user whom you want to assign to the profile.
- From the list of available trusted users on the Assigned to More Trusted Users page, select the checkbox next to the trusted users that you want to assign to the profile.
- Click Assign Profile.
Specify Trusted User Name Identifier
In order for your realm to identify a user from a trusted realm, you must specify a unique identifier that your realm can recognize. This identifier can be the user’s domain name or e-mail address. The identifier must be unique among the trusted realms.
For example, John Smith from Realm A is jsmith in his local realm. When jsmith attempts to authenticate on your realm, your realm does not know jsmith or which realm he comes from. If you define Realm A as yourcompany.com, jsmith is identified within your realm as jsmith@yourcompany.com. You can define multiple identifiers for a trusted realm.
Procedure
- Select the trusted realm that you want to edit.
- From the context menu, click Edit.
- In the Trusted User Name Identifier field under username@, specify a unique domain name that your realm can recognize.
- Click Add.
  You can add multiple domain names for a trusted realm.
- Click Save.
Edit a Trusted User
Editing a trusted user allows you to make changes to the user's information such as the security domain that manages the user and the User ID.
Procedure
- In the Security Console, click Administration > Trusted Realms > Trusted Users > Manage Existing.
- Use the search fields to find the trusted user that you want to edit.
- From the search results, click the trusted user that you want to edit.
- From the context menu, click Edit.
- Make any necessary changes to the trusted user record.
- Click Save.
Delete a Trusted User
Delete a trusted user to revoke a user’s access privileges on a trusted realm.
Procedure
- In the Security Console, click Administration > Trusted Realms > Trusted Users > Manage Existing.
- Use the search fields to find the trusted user that you want to delete.
- From the search results, click the trusted user that you want to delete.
- From the context menu, click Delete.
- Click OK.
Edit Domain Name in a Fully Qualified Trusted User Name
The Trusted User Name Identifier combines a user name with the name of the user’s domain to form the Fully Qualified Trusted User Name. This name is used to identify a trusted user from a trusted realm. Use this procedure if you need to add or remove a domain name from the Fully Qualified Trusted User Name.
Use caution when choosing which domain name to remove. If you remove the wrong domain name, your realm might fail to authenticate trusted users from a trusted realm.
Procedure
- In the Security Console, click Administration > Trusted Realms > Manage Existing.
- Select the trusted realm you want to edit.
- From the context menu, click Edit.
- Do one of the following:
  - In the Trusted User Name Identifier field that contains the current domains, select the domain name that you want to remove, and click Remove.
  - In the Trusted User Name Identifier field, type the domain name that you want to add, and click Add.
- Click Save.
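The following is an added illustration, not RSA code, of the rules stated in Specify Trusted User Name Identifier and in this section: a domain name under username@ maps a local User ID such as jsmith to the Fully Qualified Trusted User Name jsmith@yourcompany.com, a realm may carry several identifiers, an identifier must be unique among all trusted realms, and removing a domain name breaks resolution for every trusted user who relied on it. Realm names, domains and user IDs are constructed sample data, and the impact check is a suggested pre-removal step, not a Security Console feature.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional, Tuple, List


@dataclass
class TrustedRealm:
    name: str
    identifiers: set = field(default_factory=set)    # domain names under "username@"
    trusted_users: set = field(default_factory=set)  # manually added trusted User IDs


class TrustedRealmRegistry:
    """Models the local realm's view of its trusted realms (constructed example)."""

    def __init__(self) -> None:
        self.realms: dict = {}

    def add_realm(self, name: str) -> TrustedRealm:
        self.realms[name] = TrustedRealm(name)
        return self.realms[name]

    def add_identifier(self, realm_name: str, domain: str) -> None:
        # An identifier must be unique among trusted realms; otherwise the local
        # realm could not tell which realm "jsmith@<domain>" comes from.
        domain = domain.lower()
        for other in self.realms.values():
            if other.name != realm_name and domain in other.identifiers:
                raise ValueError(f"{domain} already identifies realm {other.name}")
        self.realms[realm_name].identifiers.add(domain)

    def resolve(self, fq_name: str) -> Optional[Tuple[str, str]]:
        # "jsmith@yourcompany.com" -> ("jsmith", "Realm A"); None if the domain
        # is not an identifier of any trusted realm or the name is not qualified.
        user_id, sep, domain = fq_name.rpartition("@")
        if not sep or not user_id:
            return None
        for realm in self.realms.values():
            if domain.lower() in realm.identifiers:
                return user_id, realm.name
        return None

    def removal_impact(self, realm_name: str, domain: str) -> List[str]:
        # Fully Qualified Trusted User Names that would stop resolving if this
        # domain were removed from the realm: check this before clicking Remove.
        domain = domain.lower()
        realm = self.realms[realm_name]
        if domain not in realm.identifiers:
            return []
        return sorted(f"{user}@{domain}" for user in realm.trusted_users)
```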