Users and groups
Security Verify Access maintains information about its users and groups in the user registry. We can use ISAM to create new users and groups, or we can import user registry information into ISAM from another registry, as long as the users and groups are not already in the ISAM registry. Basic users, that is, users in the registry that are not imported into ISAM, are supported.
ISAM supports two types of group definitions.
- static groups
- dynamic groups
Static groups maintain group membership as an explicit list of members (users).
Dynamic groups are available when we use an LDAP registry or Active Directory. Members are automatically resolved when the group is accessed, based on the results of a search filter. For example, we create a dynamic group for members of department XYZ. If we import a new user whose data matches the search filter, the user is automatically added to the group. If an existing employee switches departments, the user is automatically removed from the group. Manual intervention is not required. Dynamic groups cannot be created or maintained with ISAM utilities or user interfaces. The vendor-specific tools must be used to create and maintain dynamic groups. ISAM, however, can import and use these dynamic groups after they are created.
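The department XYZ case above, as an added example (not ISAM or vendor code): a dynamic group is re-evaluated from a search filter each time, so membership follows the directory data rather than a stored list. The DNs, entries and filter are constructed, and the evaluator assumes a small subset of RFC 4515 filters (AND, OR, NOT, case-insensitive equality).

```python
import re

# Constructed sample entries (not from a real registry); keys are lowercase.
DIRECTORY = {
    "cn=alice,o=example": {"objectclass": ["inetOrgPerson"], "departmentnumber": ["XYZ"]},
    "cn=bob,o=example": {"objectclass": ["inetOrgPerson"], "departmentnumber": ["ABC"]},
}
ITEM = re.compile(r"([A-Za-z][\w;-]*)=([^()*\\]+)\)")  # attr=value, no wildcards

def _parse(f, i=0):
    # Parse one filter starting at f[i]; return (node, index after it).
    if f[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if f[i] in "&|!":
        op, i, kids = f[i], i + 1, []
        while f[i] == "(":
            kid, i = _parse(f, i)
            kids.append(kid)
        if f[i] != ")" or not kids or (op == "!" and len(kids) != 1):
            raise ValueError("malformed composite filter")
        return (op, kids), i + 1
    m = ITEM.match(f, i)
    if not m:
        raise ValueError("only simple equality items are supported")
    return ("=", m.group(1).lower(), m.group(2).lower()), m.end()

def matches(node, entry):
    if node[0] == "=":
        return node[2] in (v.lower() for v in entry.get(node[1], []))
    results = [matches(kid, entry) for kid in node[1]]
    return {"&": all, "|": any}.get(node[0], lambda r: not r[0])(results)

def dynamic_members(filter_text, directory):
    # Resolved on every call: nothing is stored, unlike a static member list.
    try:
        node, end = _parse(filter_text)
    except IndexError:
        raise ValueError("unbalanced filter") from None
    if end != len(filter_text):
        raise ValueError("trailing data after filter")
    return sorted(dn for dn, e in directory.items() if matches(node, e))

def demo():
    # Alice moves to department ABC and Carol is imported into XYZ.
    flt = "(&(objectClass=inetOrgPerson)(departmentNumber=XYZ))"
    person = {"objectclass": ["inetOrgPerson"]}
    moved = {"cn=alice,o=example": {**person, "departmentnumber": ["ABC"]},
             "cn=carol,o=example": {**person, "departmentnumber": ["XYZ"]}}
    return dynamic_members(flt, DIRECTORY), dynamic_members(flt, {**DIRECTORY, **moved})
```

Because the filter alone decides membership, any change to the matched attribute changes who is in the group on the next evaluation.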
ISAM supports different types of users. When a domain is created, a special user known as the domain administrator is created. For the management domain, the domain administrator is sec_master. The sec_master user and associated password are created during the configuration of the ISAM policy server. For other domains, the user ID and password of the domain administrator are established when the domain is created. The domain administrator has nearly complete control of the domain. Think of the domain administrator as the ISAM equivalent to the Linux or UNIX root account or the Microsoft Windows Administrator user.
The domain administrator is added as a member of the ISAM iv-admin group within the domain. The iv-admin group represents those users with domain administration privileges. When adding users to the iv-admin group, ensure that we do not compromise the security of the domain.