Security Verify Access management domains

If we use LDAP as our user registry, ISAM provides for one or more administrative domains. A domain consists of all the users, groups, and resources that require protection along with the associated security policy used to protect those resources. Depending on the installed resource managers, resources can be any physical or logical entity, including objects such as files, directories, web pages, printer and network services, and message queues. Any security policy implemented in a domain affects only the objects in that domain. Users with authority to complete tasks in one domain do not necessarily have the authority to complete those tasks in other domains.

The initial domain in an LDAP registry is called the management domain and is created when the policy server is configured. During policy server configuration, we are prompted for the management domain name and the location Distinguished Name (DN) within the LDAP Directory Information Tree (DIT) on the LDAP server where the information about the domain is maintained. If the location is not specified, the location is assumed to be a stand-alone suffix on the LDAP server. Whether we use the default location or specify a different location in the LDAP DIT, the location specified for the management domain must exist unless the user registry is Novell eDirectory. For Novell eDirectory, if we do not specify the location, ISAM uses the root location as the location. The root location is a domain location that does not have a suffix. If we enter a specific location for the management domain, we must ensure that the location exists.

When an ISAM domain is created, including the initial management domain, an entry is created in the LDAP server called a secAuthorityInfo object. This object represents the ISAM domain and is named according to the secAuthority attribute with the name of the domain as its value; for example: secAuthority=<domain_name>.

If we do not provide a different name, the default name of the management domain is Default, making the secAuthorityInfo object name secAuthority=Default.
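As an added pre-configuration check (example code, not IBM's), the following applies the rules above: it builds the expected secAuthorityInfo DN and verifies that the chosen location, or the default stand-alone suffix, already exists. It assumes that the object is placed as secAuthority=<name> directly beneath the location DN, and it takes a constructed LDIF export and suffix list in place of a live ldapsearch.

```python
"""Pre-check for an ISAM management domain location (added example, not IBM's code).

Assumptions not stated on the page: the secAuthorityInfo object is placed as the
RDN secAuthority=<name> directly beneath the chosen location DN, and the
directory is described by a constructed LDIF export plus its suffix list.
"""

# Constructed data standing in for an ldapsearch of the target LDAP server.
SAMPLE_SUFFIXES = ["o=example,c=us", "secAuthority=Default"]
SAMPLE_LDIF = """\
dn: o=example,c=us
objectClass: organization

dn: ou=isam,o=example,c=us
objectClass: organizationalUnit
"""


def normalise_dn(dn):
    """Simple textual DN comparison: lower-case, no whitespace around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_ldif_dns(ldif_text):
    """Collect every DN that appears in an LDIF export."""
    return {normalise_dn(line[3:]) for line in ldif_text.splitlines()
            if line.lower().startswith("dn:")}


def management_domain_dn(domain_name=None, location=None):
    """DN of the secAuthorityInfo object: the name defaults to Default; with no
    location the object is itself a stand-alone suffix."""
    rdn = "secAuthority=" + (domain_name or "Default")
    return f"{rdn},{location}" if location else rdn


def check_location(suffixes, entry_dns, domain_name=None, location=None,
                   registry="ldap"):
    """Return (ok, reason): the location (default suffix or explicit DN) must
    already exist, except that eDirectory with no location uses the
    suffix-less root location."""
    if location is None:
        if registry == "edirectory":
            return True, "eDirectory root location (no suffix) will be used"
        suffix = management_domain_dn(domain_name)
        if normalise_dn(suffix) in map(normalise_dn, suffixes):
            return True, f"stand-alone suffix {suffix} is configured"
        return False, f"stand-alone suffix {suffix} is not configured on the server"
    if normalise_dn(location) in entry_dns:
        return True, f"location {location} exists"
    return False, f"location {location} does not exist"
```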