Administrative Tools
DirX Access provides the following tools for managing DirX Access:
- DirX Access Manager – manages persistent data residing in the directory servers employed by DirX Access, such as configuration, authentication policies, RBAC authorization policies, and (optionally) user data. It can also be used to deploy DirX Access product components.
- DirX Access SysActions and Configuration RESTful Web Services – deploys and configures DirX Access product components
- Direct Application of System Actions, Configuration and Shadow User Tree – deploys and configures DirX Access product components using manual actions in the installation directory
DirX Access Manager
DirX Access Manager is a single-page web application utilizing the SysActions and Configuration RESTful Web Services. It can be deployed both in and outside of the DirX Access Services container. DirX Access Manager is responsible for managing the DirX Access product components; specifically, the persistent data on configuration, policy and (optionally) user settings that reside in the directory used by DirX Access.
This section describes how to log in to DirX Access Manager and how to use its main navigation menus. For more detailed information on the administrative tasks you can perform with DirX Access Manager, please refer to the chapter “Administrative Tasks.”
Logging In
DirX Access Manager is a single-page web application utilizing the SysActions and Configuration RESTful Web Services. The single-page application itself is not protected by default: it is only a rendering application that holds no information about the DirX Access installation. The resources actually protected by authentication are the RESTful endpoints. Hence, the available authentication process and methods depend entirely on the protection configured for these endpoints at the DirX Access Services container. In principle, any authentication method provided by DirX Access can be used. Generally, there are two ways to use the authentication:
- Via the OAuth federation protocol. In this scenario, the DirX Access Manager is in the role of a client, and the SysActions and Configuration RESTful Web Services are in the role of relying party. The Identity Provider can be any configured trusted provider, including the DirX Access Server itself. This scenario enables the DirX Access Manager to be deployed anywhere, even outside of the domain of the DirX Access Services container.
- Getting the SSO session from the same DirX Access Server (using any authentication method available). In this case, the DirX Access Manager must be accessible at the same domain and port as the SysActions and Configuration RESTful Web Services.
Regulating the Obligatory Re-login Period
Once you are logged in to DirX Access Manager, you can perform configuration tasks and manage the product. When you log in for the first time, a session is created to mark your presence in the system. It is good security practice to monitor a user’s inactivity and log the user out when the session idle time becomes too long. Idle time is counted from the moment of your last action inside DirX Access Manager. The “session idle timeout” and “session lifetime” settings are located in the Configuration | Policy Enforcement points | * | PEP Settings section.
Session Idle Timeout
This session length parameter specifies the time period in seconds from a user’s last activity in the system after which the user will be immediately logged out.
Session Lifetime
This session length parameter specifies the maximum time period in seconds after which the user is logged out regardless of activity.
If these parameters are not assigned in DirX Access Manager, they are assigned with default values: 600 seconds for “session idle timeout” and 3000 seconds for “session lifetime”. There is no way to set them so that a session does not expire. Please keep in mind that if you set them to zero, you will be locked out of the system and you will need to reset these parameters directly in the LDAP repository.
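The interaction of the two limits can be checked before a change is applied. The following Python sketch is an added example, not DirX Access code: it models only the semantics described above (defaults of 600 and 3000 seconds, zero causing lockout), and the names `PepSessionSettings`, `review_settings` and `session_state` are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

# Defaults the guide states for unassigned parameters (seconds).
DEFAULT_IDLE_TIMEOUT = 600
DEFAULT_LIFETIME = 3000


@dataclass(frozen=True)
class PepSessionSettings:
    """Hypothetical holder for the two PEP session parameters; None = not assigned."""
    idle_timeout: Optional[int] = None
    lifetime: Optional[int] = None

    def effective(self):
        idle = DEFAULT_IDLE_TIMEOUT if self.idle_timeout is None else self.idle_timeout
        life = DEFAULT_LIFETIME if self.lifetime is None else self.lifetime
        return idle, life


def review_settings(settings):
    """Return findings for a proposed change; an empty list means nothing to flag."""
    idle, life = settings.effective()
    findings = []
    for name, value in (("session idle timeout", idle), ("session lifetime", life)):
        if value == 0:
            findings.append(f"{name} is 0: every session ends at once (lockout)")
    if 0 < life <= idle:
        findings.append("session idle timeout >= session lifetime: idle limit never applies")
    return findings


def session_state(settings, login_at, last_activity_at, now):
    """Return (state, deadline) for a session; all times are in seconds.

    Assumption: a session ends exactly when a limit is reached (>=).
    """
    idle, life = settings.effective()
    deadlines = {"lifetime": login_at + life, "idle": last_activity_at + idle}
    reason = min(deadlines, key=deadlines.get)  # the limit that is reached first
    if now >= deadlines[reason]:
        return f"expired ({reason})", deadlines[reason]
    return "active", deadlines[reason]


if __name__ == "__main__":
    print(review_settings(PepSessionSettings(idle_timeout=0)))
    print(session_state(PepSessionSettings(), login_at=0, last_activity_at=2900, now=3000))
```

With the defaults, an administrator who stays continuously active is still logged out 3000 seconds after login, because the lifetime limit is reached before the idle limit.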
Working with the DirX Access Manager Interface
DirX Access Manager tailors its interface so that each authenticated administrator has access only to the pages and information allowed for his or her account.
This administration guide describes the interface from the point of view of the most privileged administrative role DirXAccessAdministrator. Administrators with this administrative role have access to all of DirX Access Manager’s features. If a page or element described in this guide is not present in the DirX Access Manager interface when you log in, your administrative role is subordinate to DirXAccessAdministrator and does not have the right to access that page or element.
Common Controls
DirX Access Manager contains a number of pages that configure different abstractions, such as authentication methods and roles. These pages all contain different controls and fields according to the nature of the objects being displayed or managed. However, many of the controls and fields provided in DirX Access Manager are common to multiple pages.
The following image identifies some of the common controls and components in DirX Access Manager interface.
Many of the fields and controls found on the sample page above are typical of those found throughout DirX Access Manager.
Checkbox
Fields of type boolean are represented by 3-state checkboxes. The states, shown in Figure 2, are checked, unchecked and indeterminate.
A checkbox is in the indeterminate state if the corresponding field has neither a value (it is null) nor a default value. Any interaction with the checkbox by a user removes the indeterminate state and sets the value to true or false.
If a user submits a form with a checkbox field in the indeterminate state (value is null), the application performs a create (POST) or update (PUT) operation, sending the data to the DirX Access REST Service.
The DirX Access server then supplies a default value for the field, as defined in a corresponding model in a Java library.
Main Menu
This section describes each high-level item DirX Access Manager presents in the main menu and provides general information about the type of tasks administrators can perform in that area of the interface. Chapter 4, “Administration Tasks” provides detailed information about these tasks.
Home
The Home link in the main menu displays the system summary.
Configuration
The Configuration link in the main menu contains the sub-items referencing all the types of configurable objects of DirX Access, together with the policy objects.
System Actions
The System Actions link contains sub-items for the respective system actions provided by DirX Access, predominantly the deployment of the system components.
Wizard
The Wizard link contains sub-items referencing application templates that facilitate DirX Access configuration and deployment. An application template performs tasks necessary to enable a scenario, such as an OAuth server with OpenID Connect, and exposes user inputs for scenario customization. Typically, it creates and updates several DirX Access configuration objects and executes several DirX Access system actions.
The wizard is intended for initial system setup and can be useful for consultants and developers.
Resulting scenarios enabled by application templates are not production ready.
SysActions and Configuration RESTful Web Services
DirX Access is fully deployable and configurable via the SysActions REST Web Service and Config REST Web Service. For more information, please see the corresponding section of the “Integration Guide”.