Managing Roles - Mapping VHQ user to Active Directory Security Groups


Active Directory security groups are mapped to VHQ roles on the basis of the claim information that ADFS (Active Directory Federation Services) sends when a user logs in to the VHQ GUI.

The VHQ GUI allows the creation of VHQ roles, where a VHQ role is a collection of VHQ rights (privileges). Based on the types of users who use VHQ, such as administrators, operators and helpdesk users, a number of VHQ roles are created, each with a different set of VHQ rights.

Once the required VHQ roles exist, the Active Directory security groups that are relevant to the VHQ user population are entered in the VHQ GUI's Security Groups screen. For each security group, the name of the corresponding VHQ role is specified.

When a VHQ user logs in to the VHQ GUI, ADFS supplies the list of AD (Active Directory) security group names associated with that user as part of the claim information. The VHQ server then updates the VHQ database with the VHQ roles that should be associated with the user, derived from the security groups in the claim.

The list of VHQ roles associated with a VHQ user can be seen on the VHQ user profile screen. The following points should be noted about the assignment of VHQ roles to VHQ users:
1. In the case of ADFS-based authorization, the VHQ GUI cannot be used to edit the list of VHQ roles assigned to a VHQ user, because this information arrives as part of the claim information from ADFS when the user logs in to the VHQ GUI. The only way to change the VHQ roles assigned to a user is through ADFS, i.e. by changing the user's security group membership; the change takes effect the next time the user logs in to the VHQ GUI.

NOTE:
Assigning VHQ roles or VHQ security groups to VHQ users from the VHQ GUI is allowed in the VHQ mode and the AD mode of authorization. It is not allowed in the ADFS mode of authorization.

2. A VHQ user can be associated with multiple VHQ roles. In this case the user has the combined VHQ rights of all the VHQ roles associated with that user.
3. If one or more of the security group names in the claim information is not configured on the VHQ GUI's Security Groups screen, the VHQ server ignores those security groups and uses only the configured security groups to determine the user's VHQ rights. In this case the VHQ server logs an entry in the VHQ audit report listing the security group names provided by ADFS that are not configured on the VHQ GUI's Security Groups screen.
4. If, based on the list of security groups provided by ADFS at login, a VHQ user is not associated with any security group defined in VHQ, the VHQ GUI displays an "invalid user name and password" message and the user is not logged in.
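The following is an added example, not VHQ's own code, that puts the procedure above and the four numbered points into one resolver: the Security Groups screen is modelled as a group-to-role table, claim group names are matched exactly against it (exact string matching is an assumption; the text does not say how VHQ compares names), configured groups yield the union of their roles' rights, unconfigured groups are dropped but recorded for the audit report, and a claim that matches no configured group is refused with the generic message the text describes. All group names, role names, rights and the sample claim are constructed for illustration.

```python
"""Resolve VHQ roles and rights from the AD security-group names in an ADFS claim.

Added example (not VHQ code). The table contents, function names and the
sample claim are assumptions made for illustration; the control flow follows
the documented behaviour: configured groups map to roles, a user with several
roles gets the union of their rights, unconfigured groups are ignored but
written to the audit report, and a user matching no configured group is refused.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set

# Constructed stand-in for the VHQ GUI's Security Groups screen: AD group -> VHQ role.
SECURITY_GROUPS: Dict[str, str] = {
    "VHQ-Administrators": "Administrator",
    "VHQ-Operators": "Operator",
    "VHQ-Helpdesk": "Helpdesk",
}

# Constructed stand-in for the VHQ roles: VHQ role -> set of VHQ rights.
ROLE_RIGHTS: Dict[str, Set[str]] = {
    "Administrator": {"manage_users", "manage_roles", "view_devices", "update_devices"},
    "Operator": {"view_devices", "update_devices"},
    "Helpdesk": {"view_devices", "view_audit_report"},
}

# Generic message shown to the user when no configured group matches (point 4).
LOGIN_REFUSED_MESSAGE = "invalid user name and password"


@dataclass
class RoleResolution:
    user: str
    login_allowed: bool
    roles: List[str]                  # VHQ roles to store against the user in the VHQ database
    rights: Set[str]                  # union of the rights of all assigned roles (point 2)
    unconfigured_groups: List[str]    # groups ADFS sent that VHQ has no mapping for (point 3)
    audit_entries: List[str] = field(default_factory=list)
    message: str = ""


def resolve_roles(user: str, claim_groups: Iterable[str],
                  security_groups: Dict[str, str] = SECURITY_GROUPS,
                  role_rights: Dict[str, Set[str]] = ROLE_RIGHTS) -> RoleResolution:
    """Map the security-group names from an ADFS claim to VHQ roles and rights."""
    roles: List[str] = []
    unconfigured: List[str] = []
    for group in claim_groups:
        role = security_groups.get(group)       # exact-name lookup (assumption)
        if role is None:
            unconfigured.append(group)          # ignored for rights, kept for audit
        elif role not in roles:
            roles.append(role)                  # same role via two groups counts once

    # Point 3: record every unconfigured group name in the audit report.
    audit = [f"user={user} ADFS claim group '{g}' is not configured on the Security Groups screen"
             for g in unconfigured]

    # Point 4: no configured group at all -> refuse the login with the generic message.
    if not roles:
        return RoleResolution(user, False, [], set(), unconfigured, audit, LOGIN_REFUSED_MESSAGE)

    # Point 2: the user's rights are the union over all assigned roles.
    rights: Set[str] = set()
    for role in roles:
        rights |= role_rights[role]
    return RoleResolution(user, True, roles, rights, unconfigured, audit)


def authorize(resolution: RoleResolution, right: str) -> bool:
    """Server-side check of one VHQ right against the resolved (union) rights."""
    return resolution.login_allowed and right in resolution.rights


if __name__ == "__main__":
    # Constructed sample claim: two configured groups plus a group VHQ does not know.
    sample_claim = ["VHQ-Operators", "VHQ-Helpdesk", "Domain Users"]
    result = resolve_roles("alice", sample_claim)
    print("login allowed:", result.login_allowed)
    print("roles:", result.roles)
    print("rights:", sorted(result.rights))
    for line in result.audit_entries:
        print("audit:", line)
    print("bob:", resolve_roles("bob", ["Domain Users"]).message)
```

Because the resolver runs on every login and the GUI offers no override in ADFS mode, the Security Groups screen is the single point where an AD group membership turns into VHQ rights; a group added to that screen with the wrong role name grants that role to every member on their next login, so changes there deserve the same review as changes to the roles themselves.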