Most recent edit on 2009-01-29 14:21:47 by HeicoVanWieringen [Layout repair]
Edited on 2005-10-06 18:09:35 by HeicoVanWieringen [Typo corrected]
Additions:
Note that the square brackets indicate that what is in between them is optional. They should not be included in the Translation.
Deletions:
Note that the square brackets indicate that what is in between them is optional. They should not be incuded in the Translation.
Edited on 2005-09-29 16:47:40 by GroupsMBM [small spelling fix]
Additions:
From now on, when a user starts Magic, Windows authentication is used and the credentials of the user are determined using the Windows user groups the user belongs to.
Deletions:
From now on, when an user starts Magic, Windows authentication is used and the credentials of the user are determined using the Windows user groups the user belongs to.
Edited on 2005-09-27 09:49:47 by HeicoVanWieringen
Additions:
The syntax for Win32 binding is:
- Magic940SP5 PastReleaseNotes
- see also the SecurityIssues Wiki page
Deletions:
The syntax for Win32 binding is:
Magic940SP5 PastReleaseNotes
Edited on 2005-09-27 09:02:14 by HeicoVanWieringen
Additions:
The various System Logon options are implemented in different ways in previous versions of Magic 9. This page focusses on the implementation of the "Active Directory" System Logon option that came available with Magic 9.30SP3.
the Magic Supervisor implements the company data and application security policy by defining User Groups in Magic and granting these groups predefined Magic rights
Deletions:
The various System Logon options are implemented is different ways in previous versions of Magic 9. This theme focusses on the implementation of the "Active Directory" System Logon option that came available with Magic 9.30SP3.
the Magic Supervisor implements the company data and application security policy by defining User Groups in Magic and granting these groups predefined Magic rights.
Edited on 2005-09-27 08:53:28 by HeicoVanWieringen
No differences.
Oldest known version of this page was edited on 2005-09-27 08:52:20 by HeicoVanWieringen []
Page view:
Using the Active Directory logon setting in Magic
Magic version
9.01SP3 through 9.40SP4
Overview
The "Active Directory" System Logon option in the Settings / Environment / System tab lets user authentication and authorisation within Magic be handled by the Windows Active Directory service.
Magic reads all Windows domain groups that a user belongs to and matches these user groups with groups defined in the Magic security file. If a match is found, all the rights that belong to that group will be granted to the user.
When the System Logon is set to "Active Directory" the Settings / User IDs repository is ignored by Magic so it is not possible to grant individual rights to users when this option is selected. The only place where rights can be effectively granted is in the Settings / User Groups repository.
While the System Logon is set to "Active Directory", user interaction with the security file is not allowed in Toolkit or in Runtime. This also means that the Settings / Logon function is not available. The only interactive logon functionality available is "Input date" in the Settings / Environment / System tab.
The various System Logon options are implemented in different ways in previous versions of Magic 9. This page focusses on the implementation of the "Active Directory" System Logon option that became available with Magic 9.30SP3.
Considerations
Shift of responsibilities
Using the "Active Directory" System Logon option relieves the Magic SUPERVISOR role of some security tasks and places these tasks in the hands of the Windows system security administrator. A typical division of responsibilities is as follows:
- the Magic Supervisor implements the company data and application security policy by defining User Groups in Magic and granting these groups predefined Magic rights.
- Magic developers implement these rights as usual in the Magic applications
- the Windows system security administrator defines Windows domain groups that conform to the Magic User Groups
- the Windows system security administrator adds and deletes Windows users to and from these groups as appropriate.
Rethinking the authorisation system
While using the "Active Directory" System Logon setting, all authorisation is done on the User Group level, not for individual users. To make this a workable situation, the authorisation system must be well designed to fit the security needs of the company. Otherwise a proliferation of ad hoc User Groups is likely to occur over time.
Availability of Windows security policy settings
A great advantage of using the "Active Directory" System Logon setting is that you can enforce Windows security policies such as complex passwords, password expirations and account lockout policies.
Convenience for end users and improved password security
With the "Active Directory" System Logon setting, end users do not need to log on to Magic and do not need to remember and keep secret yet another password.
Implementation
Minimal Magic version required: 9.30SP4 (see below at "Magic version history").
Operating system: any Windows server edition starting with Windows NT.
The installation of Active Directory is not required.
- Start Magic and ensure that no application is opened
- The System Logon setting in Settings / Environment / System tab must be set to "None" or to "User"
- Log on to Magic with SUPERVISOR privileges, that is, as Magic SUPERVISOR or as a member of the Magic SUPERVISOR GROUP user group
- Make sure that all Magic User Groups conform with (have the same name as) the appropriate predefined Windows user groups
- Go to the Settings / Secret Names repository and create a Secret name:
Name: Directory_Binding
Translation: WinNT:[//YourDomainName/[YourComputerName]]
Note that the square brackets indicate that what is in between them is optional. They should not be included in the Translation.
The exact names you place here depend upon the configuration of Windows user groups in your network. Consult your network administrator for the details.
- Set the System Logon setting to "Active Directory"
- Close Magic.
From now on, when a user starts Magic, Windows authentication is used and the credentials of the user are determined using the Windows user groups the user belongs to.
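
An added example, not part of the original page or of Magic itself: a check to run over exported group lists before switching System Logon to "Active Directory", showing which Magic User Groups have a same-named Windows group and which accounts would end up holding a given right. It assumes exact name matching (the page only says the names must be the same); the function names, accounts and right names are constructed for illustration.

```python
def reconcile(magic_groups, windows_groups):
    """Classify each Magic User Group name against the Windows group names."""
    folded = {}
    for name in windows_groups:
        folded.setdefault(name.strip().casefold(), []).append(name)
    report = {"matched": [], "near_miss": [], "unmatched": []}
    for name in magic_groups:
        key = name.strip().casefold()
        if name in windows_groups:
            report["matched"].append(name)
        elif key in folded:
            # Differs only by case or padding: flag for review (assumption).
            report["near_miss"].append((name, folded[key]))
        else:
            report["unmatched"].append(name)
    return report

def effective_rights(user, magic_groups, windows_groups):
    """Union of rights of every Magic group named like a group the user is in."""
    rights = set()
    for name, members in windows_groups.items():
        if user in members:
            rights |= magic_groups.get(name, set())
    return rights

def holders(right, magic_groups, windows_groups):
    """Windows accounts that end up holding `right` through group membership."""
    users = set().union(*windows_groups.values())
    return sorted(u for u in users
                  if right in effective_rights(u, magic_groups, windows_groups))

# Constructed sample data; only "SUPERVISOR GROUP" is a name from the page.
MAGIC_GROUPS = {
    "SUPERVISOR GROUP": {"SUPERVISOR"},
    "Sales": {"ORDERS_READ", "ORDERS_WRITE"},
    "Finance": {"LEDGER_READ"},
    "Auditors": {"LEDGER_READ"},
}
WINDOWS_GROUPS = {
    "SUPERVISOR GROUP": {"alice", "svc_backup"},
    "Sales": {"bob", "carol"},
    "finance": {"dave"},
    "Domain Users": {"alice", "bob", "carol", "dave", "svc_backup"},
}

if __name__ == "__main__":
    print(reconcile(MAGIC_GROUPS, WINDOWS_GROUPS))
    print(holders("SUPERVISOR", MAGIC_GROUPS, WINDOWS_GROUPS))
```

Because individual User IDs are ignored in this mode, the membership list of each matched Windows group is the complete list of holders of that group's Magic rights, so it is worth reviewing the group that matches SUPERVISOR GROUP first.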
Magic version history
Magic 9.01SP3
Full Logon - The Logon dialog will not be available, the Input Password setting will be ignored, and the Logon menu option will be hidden. Magic will automatically log on the operating system’s current user.
Magic 9.30
Security Mechanism - Directory Service Support
Magic lets you set user security settings using directory services. Magic reads all groups that a user belongs to and matches these user groups with groups defined in the standard Magic security file. If a match is found, all the rights that belong to that group will be granted to the user. It is important to note that under this schema, there is no need to define individual users in the Magic security file, only groups. Setting the environment parameter of ‘Logon’ to ‘Directory’ activates this option. Once set to ‘Directory’, the logon to the Magic engine is performed automatically according to the user who is currently logged on to the network.
A new environment setting lets you define a binding string that is required for Magic to work with the directory service:
Directory Binding String
Setting/Environment/External
The Directory Binding string is used to bind into the directory service. During the binding process, Magic automatically concatenates the operating system username to the string and attempts to bind into the operating system.
The syntax for Win32 binding is:
WinNT:[//DomainName/[ComputerName/[ObjectName[,className]]]]
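
An added example, not code from Magic or from the original page: a validator for the binding syntax shown here and in the Directory_Binding step of the Implementation section, which rejects a Translation that still contains the square brackets and splits a valid one into its parts. The function names and the sample values (ACME, APPSRV01, jdoe) are constructed, and accepting one trailing "/" is an assumption.

```python
FIELDS = ("domain", "computer", "object", "class")


def parse_binding(translation):
    """Split a Directory_Binding translation into its optional parts."""
    text = translation.strip()
    if "[" in text or "]" in text:
        raise ValueError("square brackets only mark optional parts; omit them")
    if not text.startswith("WinNT:"):
        # ADSI provider names are case-sensitive, so 'winnt:' is rejected too.
        raise ValueError("binding must start with 'WinNT:'")
    rest = text[len("WinNT:"):]
    parsed = dict.fromkeys(FIELDS)
    if not rest:
        return parsed  # the syntax allows a bare 'WinNT:'
    if not rest.startswith("//"):
        raise ValueError("expected '//' before the domain name")
    parts = rest[2:].split("/")
    if len(parts) > 1 and parts[-1] == "":
        parts.pop()  # assumption: one trailing '/' is tolerated
    if len(parts) > 3 or "" in parts:
        raise ValueError("expected //Domain/[Computer/[Object[,class]]]")
    if any("," in part for part in parts[:2]):
        raise ValueError("',className' may only follow the object name")
    parsed["domain"] = parts[0]
    if len(parts) > 1:
        parsed["computer"] = parts[1]
    if len(parts) > 2:
        obj, sep, cls = parts[2].partition(",")
        if not obj or (sep and not cls) or "," in cls:
            raise ValueError("malformed ObjectName[,className]")
        parsed["object"], parsed["class"] = obj, cls or None
    return parsed


def check(translation):
    """Return (True, parts) for a valid translation, else (False, reason)."""
    try:
        return True, parse_binding(translation)
    except ValueError as err:
        return False, str(err)


if __name__ == "__main__":
    # Constructed sample values; ACME, APPSRV01 and jdoe are placeholders.
    for sample in ("WinNT://ACME/", "WinNT://ACME/APPSRV01",
                   "WinNT:[//ACME/]", "winnt://ACME/",
                   "WinNT://ACME/APPSRV01/jdoe,user"):
        print(sample, "->", check(sample))
```
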
Due to the fact that not all operating systems have active directory support installed as a default, a new DLL file is provided to support active directory by Magic. The DLL file, Mgactdir.dll, is installed during the installation process.
Magic 9.30SP3
Removing the System Logon FULL Option
The Full option of the System Logon environment setting has been removed.
Directory Binding String
The Directory Binding String is required to direct the Magic engine to the relevant directory service when the System Logon environment setting is set to Directory.
This string is no longer defined in the Magic environment, and it must be set by a secret name of the security file. The Directory Binding String should be defined as the translation of the reserved secret name Directory_Binding.
Important note: When you set the System Logon environment to Directory, no manipulation of the Magic security file is allowed.
Magic 9.30SP4
Directory Service Support - Enhanced Logon Functionality
Previous versions of Magic eDeveloper have provided the functionality for logging into Magic by using the operating system’s logon state and by retrieving the user’s assigned group from the Directory Service to determine the user’s rights.
This functionality has been further enhanced in Magic eDeveloper 9.3 SP4 and supports all Logon functionality that can be performed for a defined Domain to further retrieve the roles of a user through a defined Directory Service.
You can set Magic eDeveloper to use a Directory Service from the System Logon environment setting, located under Settings/Environment/System.
When in the Directory mode, any logon procedure (such as the Logon dialog, the Logon function or logging on through a request) will be compared to a defined Domain, and the roles will be retrieved from a defined Directory Service.
For more information about the Directory mode and how to set the Domain Name and the Directory Service, please refer to the Settings chapter in the Reference Guide.
Magic 9.40SP4
Logon Function in Main Program (QCR #571895)
A user logged on by the Logon function in the Main Program was not retained as the logged-on user for the duration of the application.
Documentation
- Magic940SP5 PastReleaseNotes
- eDeveloper Reference Guide V9.4 SP4d, January 2005
CategoryHowTo CategorySecurity