How to assign specific APM Domain access privilege to users in a custom Microsoft Active Directory Container?

Document ID : KB000071635
Last Modified Date : 22/02/2018
This article describes how to apply a universal Domain Access Policy in EEM to all users within a custom user container in Microsoft Active Directory. Note that in this scenario the users are not grouped in an Active Directory userGroup but placed in a custom user Container.
This is a configuration scenario that uses Microsoft AD for user authentication and CA EEM for user authorization. The steps in this article are based on the following sample environment, which we set up to mimic the actual end user's environment.

The AD Domain used is
The custom User Container created is CANorthRyde
The users added to this custom User Container are as follows:

Custom AD User Containers

The objective of the set up is to restrict users within container CANorthRyde to only have access to APM domain W3_T1Domain through CA EEM.
CA Application Performance Management Integration (APM) with CA Embedded Entitlement Manager (EEM) and Microsoft Active Directory (AD)
As this is not a typical user group authorization scenario where an AD userGroup is used, we use a slight workaround that we feel is the easiest way to filter out all other users and include only the users in custom Container CANorthRyde in the policy configuration.

To achieve this, in CA EEM Admin Console > Configure > User Store, where you configure the LDAP Directory, include the custom container path in the Base DN. This ensures that only the users in container CANorthRyde show up in any user search in CA EEM.

For example:
Include the custom Domain in the Base DN

Note: You can remove the CN=CANorthRyde value from the Base DN after the Domain Access Policy setup is completed for users in this container, and repeat the same for other custom containers.
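The Base DN workaround above works because an LDAP subtree search only returns entries whose DN ends with the Base DN. The following is an added example (not code from the CA article or from EEM) that models this scoping in plain Python over a constructed sample directory, so you can see which users would appear in an EEM user search for a given Base DN before and after adding CN=CANorthRyde. The domain DC=example,DC=com and the user names are placeholders, not the article's environment. It also includes a drift check: because the policies in Option 1 and Option 2 are built from the users listed at the time you save them, a user added to the container later is not covered until you revisit the policy, and this function lists such users.

```python
from __future__ import annotations

# Added example, not part of the CA article. Models how narrowing the LDAP
# Base DN limits which users a subtree search (and so an EEM user search)
# returns. Domain and user names below are constructed placeholders.


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attribute, value) RDN pairs, normalised to lower case
    and trimmed so that comparisons ignore case and spacing. Handles the simple,
    unescaped DNs used in this example (no escaped commas inside values)."""
    rdns = []
    for part in dn.split(","):
        attr, _, value = part.strip().partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def is_under_base(entry_dn: str, base_dn: str) -> bool:
    """True if entry_dn sits at or below base_dn in the directory tree
    (subtree scope): the base's RDNs must be a suffix of the entry's RDNs."""
    entry = parse_dn(entry_dn)
    base = parse_dn(base_dn)
    return len(entry) >= len(base) and entry[-len(base):] == base


# Constructed sample directory: two users in the custom container, one in the
# default Users container and one in an OU. The domain is a placeholder.
SAMPLE_USERS = [
    "CN=alice,CN=CANorthRyde,DC=example,DC=com",
    "CN=bob,CN=CANorthRyde,DC=example,DC=com",
    "CN=carol,CN=Users,DC=example,DC=com",
    "CN=dave,OU=Finance,DC=example,DC=com",
]


def users_visible(base_dn: str, users: list[str] = SAMPLE_USERS) -> list[str]:
    """Users an EEM user search would list when the User Store Base DN is base_dn."""
    return [u for u in users if is_under_base(u, base_dn)]


def container_users_missing_from_policy(
    container_dn: str, policy_identities: list[str], users: list[str] = SAMPLE_USERS
) -> list[str]:
    """Drift check: users now under the container that a saved Domain Access
    Policy (or Dynamic Group Policy) does not yet list as identities."""
    known = {tuple(parse_dn(i)) for i in policy_identities}
    return [u for u in users_visible(container_dn, users) if tuple(parse_dn(u)) not in known]


if __name__ == "__main__":
    # Before the workaround: the whole domain is searchable.
    print(users_visible("DC=example,DC=com"))
    # After the workaround: only the custom container's users appear.
    print(users_visible("CN=CANorthRyde,DC=example,DC=com"))
    # A policy saved with only alice would miss bob.
    print(container_users_missing_from_policy(
        "CN=CANorthRyde,DC=example,DC=com",
        ["CN=alice,CN=CANorthRyde,DC=example,DC=com"]))
```

Run the drift check periodically (or whenever users are added to the container) against the identities listed in the saved policy, since neither option in this article re-reads the container automatically.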

Once the user filtering workaround is done, there are two options for assigning the Domain Access Policy to these users.

Option 1 - Use this option if you want to control domain access of these users directly on the Policy level

1. In CA EEM Admin Console, click on Manage Access Policies, and expand Access Policy node in the policies tree on the bottom left panel.
2. Click on the icon preceding the Domain node to create a New Access Policy.
3. You will see that only the users in the CANorthRyde container are shown when you search for users; select them all and add them to this policy.

New Access Policy

4. Once you've added all the users for this policy, scroll down to add the resource.
5. In this case, we want to restrict these users' access to only the domain named "W3_T1Domain". Type the domain name in the Add Resource field and click the add icon next to it:

Add New Resource

6. Save the changes. This completes the steps required to restrict users in custom container CANorthRyde to access only domain W3_T1Domain.

Option 2 - Use this option if you want to control domain access of these users on the User Group level

1. In CA EEM Admin Console, click on Manage Access Policies, and click on the icon preceding the Domain node to create New Dynamic Group Policy:

New Dynamic Group Policy

2. Add the users from container CANorthRyde to this policy, and use Add Resource to create the Dynamic Group name:

CANorthRyde Dynamic Group

3. Make sure the "belong" action is checked.
4. Save the changes and this will create an EEM Dynamic Group that includes all the users from AD custom container CANorthRyde.
5. Repeat the steps in Option 1 to assign the Domain Access Policy to this Dynamic Group.
6. A slight variation is to search for Dynamic Group instead of User when adding Identities to the policy:

Domain access on dynamic group

7. Click Save and the domain access policy will be applied to the dynamic group CANorthRyde AD Group.
Additional Information:
How to implement CA EEM and LDAP for Authentication and Authorization of CA APM
Configuring CA APM to use LDAP Authentication (Introscope and APM CE [CEM]).
Can I create an EEM user group with Read-Only access to APM and then assign LDAP users to this group?
How to configure CEM with LDAP authentication using your own LDAP groups