Authentication vs. authorization, Figure 38 authorization flow diagram – Raritan Computer DKX116 User Manual


DOMINION KX USER MANUAL

Authentication vs. Authorization

When your Dominion KX unit is configured for remote authentication, the external authentication server is
used primarily for the purposes of authentication, not authorization.

Authorization is determined by Dominion KX on the basis of user groups. That is, once a given user is
allowed to access the Dominion KX system in general (authenticated), that user’s specific permission
(authorization) is determined by Dominion KX based upon the user’s group.

The external authentication server can assist in authorization by informing Dominion KX about the user
group to which a user belongs whenever the authentication server approves a given user’s login request.
The sections Implementing LDAP Remote Authentication and Implementing RADIUS Remote Authentication that follow explain this in more detail.

This is most easily described via a simple flow diagram:

[Flow diagram. Start: "User login with username / password". Decision boxes: "Username in internal database?", "Password correct?", "External authentication server configured?", "Valid username / password?" (after "External authentication query"), "User group name provided by authentication server?" (after "External authentication reply"), "User group found in internal database?". Outcomes: "Login denied"; "Login allowed" followed by "Internal lookup of user group" and "Permissions determined by internal user group"; "Permissions determined by internal user group, “NONE”"; "Permissions determined by internal user group, “UNKNOWN”".]

Figure 38 Authorization Flow Diagram

Note the importance of the group to which a given user belongs, as well as the need to configure the groups
named “UNKNOWN” and “NONE.” If the external authentication server returns a group name that is not
recognized by Dominion KX, that user’s permissions are determined by the permanent group named
“UNKNOWN.” If the external authentication server does not return a group name, that user’s permissions
are determined by the permanent group named “NONE.”
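The decision flow above can be modelled in a few lines. This is an added example, not Raritan code: the function names, data layout, sample users and permission names are constructed, and the branch order is an assumption read from the diagram's boxes and the paragraph above. It also reports what the two fallback groups grant, since any externally authenticated user whose reply lacks a recognized group receives those permissions.

```python
import hmac
from typing import Callable, Dict, Optional, Set, Tuple

# Stand-in for the LDAP/RADIUS query: returns (accepted, group name or None).
ExternalAuth = Callable[[str, str], Tuple[bool, Optional[str]]]
FALLBACK_GROUPS = ("UNKNOWN", "NONE")


def resolve_login(username: str, password: str,
                  internal_users: Dict[str, Tuple[str, str]],
                  internal_groups: Dict[str, Set[str]],
                  external_auth: Optional[ExternalAuth] = None
                  ) -> Tuple[bool, Optional[str]]:
    """Return (login allowed, group whose permissions apply)."""
    if username in internal_users:
        stored, group = internal_users[username]
        ok = hmac.compare_digest(password.encode(), stored.encode())
        return (True, group) if ok else (False, None)
    if external_auth is None:              # no external server configured
        return False, None
    accepted, group_name = external_auth(username, password)
    if not accepted:
        return False, None
    if not group_name:                     # reply carried no group name
        return True, "NONE"
    if group_name not in internal_groups:  # name not recognized internally
        return True, "UNKNOWN"
    return True, group_name


def fallback_grants(internal_groups: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Permissions a user receives when the external reply has a missing
    or unrecognized group name."""
    return {g: internal_groups.get(g, set()) for g in FALLBACK_GROUPS}


# Constructed sample data (group and permission names are made up).
GROUPS = {"Admin": {"port_access", "user_mgmt"}, "Operators": {"port_access"},
          "UNKNOWN": {"port_access"}, "NONE": set()}
USERS = {"local_admin": ("constructed-pw", "Admin")}  # plaintext only for the demo
DIRECTORY = {"alice": ("pw-a", "Operators"), "bob": ("pw-b", "Contractors"),
             "carol": ("pw-c", None)}


def sample_server(user: str, pw: str) -> Tuple[bool, Optional[str]]:
    entry = DIRECTORY.get(user)
    if entry is None or not hmac.compare_digest(pw.encode(), entry[0].encode()):
        return False, None
    return True, entry[1]
```

In the sample data the “UNKNOWN” group still grants `port_access`, which is the kind of finding `fallback_grants` is meant to surface during a configuration review.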

Please see the sections LDAP or RADIUS in this chapter to determine how to configure your
authentication server to return user group information to Dominion KX as part of its reply to an
authentication query.
