HP 3PAR StoreServ 7450 4-node HP 3PAR StoreServ Storage Concepts Guide (OS 3.1 - Page 23

Authorization on Systems Using Virtual Domains, Managing User Accounts and Connections



Each group of which a user is a member is compared against the mapping parameters. Mapping occurs sequentially, with a group first compared to the super-map parameter. If no match is made, the group is then compared with the service-map parameter, and so on. For example, if a match is made for group A with the super-map parameter, the user belonging to group A is authorized with Super rights to the system.

With this process, a user can be authenticated but not authorized if no group membership exists. In this case, the user is subsequently denied access to the system.

Authorization on Systems Using Virtual Domains

As discussed in “Authorization” (page 22), a user’s group association determines that user’s role within the system. On systems using virtual domains, this process is taken one step further where the user’s groups are mapped to system domains. Therefore, the user’s role within a specific group is carried over to the domain(s) mapped to that group. For instructions on authorizing LDAP users on systems using Domains, see Chapter 4, Managing User Accounts and Connections in the HP 3PAR OS CLI Administrator’s Manual.

The group-to-domain mapping relationship:

• LDAP User 1 has membership to Group B.
• Group-to-role mapping determines that Group B uses the Edit role.
• Group-to-domain mapping establishes a match between Group B and Domain A.
• LDAP User 1 has Edit role access to all objects in Domain A.
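The mapping flow described above, written out as a small Python model. This is an added example, not HP 3PAR code or part of the guide; it lets an administrator reason about which groups end up with which role in which domain. Assumptions not stated on this page: the parameter names edit-map and browse-map and their order after service-map, the tie-break when two groups grant different roles in the same scope, and that a group with a role but no mapped domain grants nothing.

```python
# Added model of the page's LDAP authorization flow; not HP 3PAR code.
# ROLE_ORDER past "service", and the tie-break rule, are assumptions.
ROLE_ORDER = ["super", "service", "edit", "browse"]  # super-map first, then service-map, and so on


def role_for_group(group, role_maps):
    """Return the role of the first <role>-map parameter that lists the group, else None."""
    for role in ROLE_ORDER:
        if group in role_maps.get(f"{role}-map", ()):
            return role
    return None


def authorize(user_groups, role_maps, domain_map=None):
    """Map an authenticated user's LDAP groups to roles.

    Without domain_map: returns {"system": role} for system-wide rights.
    With domain_map (group -> list of domains): returns {domain: role}.
    An empty result means authenticated but not authorized: access is denied.
    """
    grants = {}
    for group in user_groups:
        role = role_for_group(group, role_maps)
        if role is None:
            continue  # this group matches no mapping parameter
        # Assumption: on a domain system, a group with no mapped domain grants nothing.
        scopes = ["system"] if domain_map is None else domain_map.get(group, [])
        for scope in scopes:
            current = grants.get(scope)
            # Assumed tie-break: keep the role that comes first in ROLE_ORDER.
            if current is None or ROLE_ORDER.index(role) < ROLE_ORDER.index(current):
                grants[scope] = role
    return grants


# Constructed sample data using the page's names (Group A, Group B, Domain A).
ROLE_MAPS = {"super-map": {"Group A"}, "edit-map": {"Group B"}}
DOMAIN_MAP = {"Group B": ["Domain A"]}

if __name__ == "__main__":
    print(authorize(["Group A"], ROLE_MAPS))              # Super rights on the system
    print(authorize(["Group B"], ROLE_MAPS, DOMAIN_MAP))  # Edit role in Domain A
    print(authorize(["Group C"], ROLE_MAPS, DOMAIN_MAP))  # no match: denied
```

An empty result for a user who can bind to the directory is the "authenticated but not authorized" case, which is worth checking for every group before relying on LDAP logins.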
LDAP Authentication and Authorization
23