Mapping Directory Users to Additional Accounts

A common practice is to set up hosts so that users have a regular account and a privileged account. For example, a user named alice could have target accounts named alice and admin-alice.

To allow access to all the user's accounts, you will need to set up additional mapping (by default users are only mapped to one user name).

📘

Note

PrivX only supports mapping to additional accounts that are related by prefix or suffix. For example, the user named alice may be mapped to admin-alice or alice-admin.

To map the users of a user directory to additional accounts:

  1. Configure mapping for the users in a user directory. To do this, go to Administration→Directories and Edit the user directory.

  2. Expand Advanced directory settings. Under Attribute mapping, specify mappings like the following:

    prefix%name%=mapping_name

    or

    %name%suffix=mapping_name

    In the examples, replace the values as follows:

    • prefix/suffix - Prefix or suffix of the users' additional accounts.
    • mapping_name - Arbitrary name of the mapping. May be used to describe the type of accounts this mapping grants access to.

    For example, if the user named alice also has a privileged target account named admin-alice, you could specify:

    admin-%name%=admin_accounts

    Save your changes to the directory settings.

  3. (Optional) Verify that users are mapped to correct target-account names. To do this, go to Administration→Users and View any user from the user directory. The additional account(s) they may access are described under Custom attributes.

25882588
  1. Allow users to access the additional accounts on the target host. To do this, go to Administration→Hosts and Edit the target host, then under Accounts add an account with the following criteria:

    • Account type: Directory
    • Username attribute: Set this to the name of the mapping. In the previous example this would be admin_accounts.
    • Roles: Add the roles who may access additional accounts.

    Save your changes to the host settings.

Users should now be able to access the additional accounts via the GUI at Connections→Hosts, or by connecting with native clients.


Did this page help you?