How to extract an authentication server group

NetScaler MAS allows you to extract the group of users that exists on the external authentication server and assign them permissions as their role demands and as per the NetScaler definitions. This has two advantages:

  1. You do not have to create users on NetScaler MAS. Though the groups are extracted into the NetScaler MAS server, they are still managed on the external servers instead of being added on the system.

  2. NetScaler MAS performs the authorization of users by assigning group permissions to access specific load balancer virtual servers and specific applications on the system. In the future, when a particular authentication server is removed from the system, the groups and users will be automatically removed from the system.

Configuring groups and assigning group permissions

  1. In NetScaler MAS, navigate to System > User Administration > Groups.

  2. Click Add to create a group.

  3. In the Group Settings tab, type the name of the group and set the permissions as admin, readonly, appReadonly, or appAdmin. You can also configure a session timeout, which sets a timeout limit for the sessions of the users logged in as members of that group, and you can set the VM instances that the group members can access.

    Note

    Make sure that the name of the user group created on NetScaler MAS is exactly the same as that created on external authentication servers. If not, the system will not recognize the group and the group members will not be extracted into the system.

  4. In the Authorization Settings tab, you can provide authorization settings for the following four groups:

    • Instances

    • Applications

    • Configuration Templates

    • StyleBooks

By default, your user can access all the above groups. You can clear the checkboxes and provide selective access for each of these groups.

For example:

  • You can clear the Instances checkbox and select only the required instances that you want to provide access to your users.

  • Clear the All Applications checkbox and select only the required applications and templates. When you add applications to a group in NetScaler MA Service, you can use a regular expression to search for and add the applications that meet the regex criteria for the group. The users who are bound to these groups can access only those specific applications. The regular expression is persisted in NetScaler MA Service. That is, NetScaler MA Service stores the regex provided in the Add Regular Expression text box and dynamically updates the authorization scope whenever new applications match it. When new applications are added to the system, NetScaler MA Service applies the search criteria to them, and any application that meets the criteria is dynamically added to the group. You do not have to manually add the new applications to the group. The applications are updated dynamically in the system, and the respective group users can see the applications under the appropriate modules in NetScaler MA Service.

  • Clear the All Configuration templates checkbox to allow access to only the required templates.

  • Clear the All StyleBooks checkbox and select the required StyleBooks that your user can access.

  • You can select the required StyleBooks when you create groups and add users to that group. When your user selects the permitted StyleBook, all dependent StyleBooks are also selected. The config packs of that StyleBook are also included in what the user has access to.
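Because the persisted regex keeps widening the authorization scope as applications are added, it helps to test a pattern against names that do not exist yet. The following is an added example, not Citrix code or part of the original page; the application names, the `hr-` naming convention, and the assumption that the pattern is applied as an unanchored search are all hypothetical.

```python
import re

# Constructed inventory; all application names are hypothetical.
APPS_AT_SAVE = ["hr-portal", "hr-payroll", "crm-web"]
APPS_ADDED_LATER = ["hr-portal-test", "chr-archive",
                    "finance-hr-export", "hr-benefits"]

LOOSE = "hr-"              # what an admin might type into the regex box
ANCHORED = r"^hr-[a-z]+$"  # whole-name pattern for the same convention


def scope(pattern, apps):
    """Apps that a persisted regex places in a group's scope.

    Assumption: the pattern is applied as an unanchored search.
    """
    rx = re.compile(pattern)
    return [name for name in apps if rx.search(name)]


def review(pattern, at_save, added_later, intended_prefix):
    """Report what the group reaches today and what it gains automatically."""
    gained = scope(pattern, added_later)
    return {
        "at_save": scope(pattern, at_save),
        "gained": gained,
        # Gained apps that fall outside the naming convention the
        # administrator meant to cover.
        "unexpected": [n for n in gained if not n.startswith(intended_prefix)],
    }


if __name__ == "__main__":
    for pattern in (LOOSE, ANCHORED):
        report = review(pattern, APPS_AT_SAVE, APPS_ADDED_LATER, "hr-")
        print(f"{pattern!r}: {report}")
```

Both patterns select the same applications on the day the group is saved; they diverge only once new applications appear, which is why the stored regex belongs in periodic access reviews.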

When you finish creating a group in the system, all the users in the external authentication server are extracted into the system. You can check this by selecting the group and clicking Edit. The Users table in Create System Group displays the list of users connected with the group. You can also assign users to the group in the Assign users tab.

If the group name matches the group name on the external authentication server, the user inherits all of the authorization definitions when logged on to the system.