Hitachi

JP1 Version 12 JP1/Data Highway - Server Administrator Guide


B. Authentication Rule

The list of authentication rules displays the rule settings from top to bottom. Users whose settings match an authentication rule with ACCEPT in the Action column are accepted for authentication.

If a user is accepted for authentication, the corresponding policy is applied when that user is authenticated. When the user's authentication group and authentication network (the address of the network that the user connects from) match those of a rule, the authentication policy specified in that rule is applied.

This system uses first-match evaluation. If a user's settings match two or more authentication rules, the system selects the first matching rule in the list.

Under first-match evaluation, if the same authentication group and authentication network are specified in different authentication rules, the rule nearest the top of the list is applied. This applies only to rules that show ACCEPT in the Action column.

When the rules are scanned from top to bottom and a rule that matches the user's settings is set to DENY, the policy defined in that matched rule is rejected.

However, if the policy defined in a rule whose action is DENY is also defined in a rule whose action is ACCEPT, the policy is not rejected as long as the ACCEPT rule is positioned higher in the list.

In general, the rules that accept authentication (the rules with ACCEPT selected) are created first so that they sit at the higher positions in the list of authentication rules. Then a rule that rejects everything else by default (the rule with DENY selected) is created so that it sits at the end of the list. This keeps the application of authentication rules easy to understand and predictable. Add another DENY rule between the ACCEPT rules and the final DENY rule only when you need an exception.

If no authentication rule matches the user's settings, the standard authentication rule is applied; this rule is the default value throughout the JP1/DH - Server system.

When a user belongs to multiple groups

The first-match rule is also applied when a user belongs to multiple groups. The order of the groups in the user setting does not matter.

The following table shows an example of a group hierarchy in which a Parent group has A, B, and C groups as its children.

Table B‒1: Example of the application of authentication rules when a user belongs to multiple groups

No. | Group user belongs to (from top to bottom) | Authentication rule definition (from top to bottom) | Rule to be applied
----+--------------------------------------------+-----------------------------------------------------+-------------------
1   | A                                          | 1. B ACCEPT, 2. A ACCEPT                            | 2. A ACCEPT
2   | A, B                                       | 1. B ACCEPT, 2. A ACCEPT                            | 1. B ACCEPT
3   | B, A                                       | 1. B ACCEPT, 2. A ACCEPT                            | 1. B ACCEPT
4   | A                                          | 1. B ACCEPT, 2. A DENY                              | 2. A DENY
5   | A, B                                       | 1. B ACCEPT, 2. A DENY                              | 1. B ACCEPT
6   | A                                          | 1. B DENY, 2. A ACCEPT                              | 2. A ACCEPT
7   | A, B                                       | 1. B DENY, 2. A ACCEPT                              | 1. B DENY
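The first-match evaluation described in this appendix, replayed over the rows of Table B-1, as an added example that is not code from the JP1/DH - Server product or manual. The group names A and B come from the table; the policy names, the client address and the treatment of the authentication network as a CIDR prefix are assumptions of this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY_NET = "0.0.0.0/0"                    # constructed: rule matches any client network
STANDARD = (None, "ACCEPT", "standard")  # standard rule: applied when nothing matches


@dataclass(frozen=True)
class Rule:
    group: str    # authentication group
    network: str  # authentication network as a CIDR prefix (assumption)
    action: str   # "ACCEPT" or "DENY"
    policy: str   # authentication policy applied when the action is ACCEPT


def evaluate(rules, user_groups, client_ip):
    """Scan rules top to bottom; the first rule whose group AND network match wins.

    Returns (1-based rule number, action, policy). A DENY match rejects the
    user, so its policy is reported as None; with no match at all the
    standard rule applies. The order of user_groups is irrelevant: only the
    position of the rule in the list decides.
    """
    groups = set(user_groups)
    addr = ip_address(client_ip)
    for number, rule in enumerate(rules, start=1):
        if rule.group in groups and addr in ip_network(rule.network):
            policy = rule.policy if rule.action == "ACCEPT" else None
            return (number, rule.action, policy)
    return STANDARD


def table_b1():
    """Replay rows 1-7 of Table B-1; returns (rule number, action) per row."""
    rules_1_3 = [Rule("B", ANY_NET, "ACCEPT", "pol-B"), Rule("A", ANY_NET, "ACCEPT", "pol-A")]
    rules_4_5 = [Rule("B", ANY_NET, "ACCEPT", "pol-B"), Rule("A", ANY_NET, "DENY", "pol-A")]
    rules_6_7 = [Rule("B", ANY_NET, "DENY", "pol-B"), Rule("A", ANY_NET, "ACCEPT", "pol-A")]
    rows = [(rules_1_3, ["A"]), (rules_1_3, ["A", "B"]), (rules_1_3, ["B", "A"]),
            (rules_4_5, ["A"]), (rules_4_5, ["A", "B"]),
            (rules_6_7, ["A"]), (rules_6_7, ["A", "B"])]
    return [evaluate(r, g, "10.0.0.5")[:2] for r, g in rows]  # 10.0.0.5 is constructed


if __name__ == "__main__":
    for row, (number, action) in enumerate(table_b1(), start=1):
        print(f"Table B-1 row {row}: rule {number} {action}")
```

A client connecting from an address outside every rule's authentication network matches nothing and receives the standard rule, which is why a closing DENY rule is usually given the widest network.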