4.7 Configuring JIT

This section describes how to configure Just in Time (JIT) security attributes.

To configure Just in Time (JIT) security attributes, follow these steps:
  1. Log in as the SYSADMN user and update the following in the System Configuration Details.
    1. Select the Authentication Type as LDAP Authentication and SMS Authorization and click Add. Provide your LDAP Server Details and click Save.
    2. Check the JIT Provisioning Enabled option.
  2. Log in to the LDAP Server, create the Application User Groups and users, and map them.
In the Atomic Schema, a new table, FCC_GROUP_SEC_ATTR_MAP, is introduced to configure the mapping of Security attributes to the Application User Groups.
  1. Log in to the Atomic Schema and configure security attributes for the User groups.
  2. Populate the V_GROUP_CD column with the User groups mapped to User.
    For ECM, valid values are:
    • V_SEC_ATTR_CD column: JRSDCN, ORG, BUSDMN and CASETYPE.
    • V_SEC_ATTR_VAL column: Jurisdiction, Organization, Business Domain and Casetype.
    • These values must be available in the KDD_JRSDCN and KDD_JRSDCN_TL, KDD_ORG and KDD_ORG_TL, KDD_BUS_DMN and KDD_BUS_DMN_TL, and KDD_CASE_TYPE_SUBTYPE and KDD_CASE_TYPE_SUBTYPE_TL tables, respectively.
  3. Configure the following additional User Attributes:
    • Case Own Flag: Create the CMCASEOWNFLUG group in the LDAP Server and map to the User in LDAP.

      If the Case Own Flag for a User should be Y, then map this group to the User.

      If the Case Own Flag for a User should be N, then make sure it is not mapped to the User.

    • Reporting/Line Organization: Create a User group with Prefix as ORG_CD (from KDD_ORG table) and suffix as LORG.

      For example: If TestOrgA is the Line organization then create a User group as TESTORGALORG.

      Note:

      If the User group is created and mapped to the Infodom/Segment and LINEORG Role in the OFSAA Application, then it should also be created in LDAP and mapped to the User. Verify that only one LORG group is mapped for a user. If the LORG Group is already mapped as part of any other Application, then there is no need to map it again.
  4. Configure the Security Mapping for the Pool Users in the FCC_GROUP_SEC_ATTR_MAP table in the Atomic Schema.
    • V_GROUP_CD column: Populated with the LORG group created above.
    • For ECM, valid values for the V_SEC_ATTR_CD column are JRSDCN, BUSDMN and CASETYPE.
    • For ECM, valid values for the V_SEC_ATTR_VAL column are Jurisdiction, Business domain and Casetype. These must be available in the KDD_JRSDCN and KDD_JRSDCN_TL, KDD_ORG and KDD_ORG_TL, KDD_BUS_DMN and KDD_BUS_DMN_TL, and KDD_CASE_TYPE_SUBTYPE and KDD_CASE_TYPE_SUBTYPE_TL tables, respectively.
  5. Log in to the Application as the New User and verify that the security attributes mapping is complete, that the User can see pages based on their Roles, and that the User can see Cases based on the security attribute mapping.
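
The mapping rules in the steps above can be checked before the first login. The following is an added example, not Oracle code: it validates candidate FCC_GROUP_SEC_ATTR_MAP rows and LDAP group memberships against those rules. The group name CMANALYSTGRP, the reference values, and the assumption that the LORG suffix alone identifies a line-organization group are all constructed for illustration.

```python
# Added example: pre-flight check for FCC_GROUP_SEC_ATTR_MAP rows and LDAP
# group membership. All sample data below is constructed for illustration.

VALID_ATTR_CDS = {"JRSDCN", "ORG", "BUSDMN", "CASETYPE"}  # ECM values from the steps above
POOL_ATTR_CDS = VALID_ATTR_CDS - {"ORG"}                   # LORG (pool) groups: no ORG rows
LORG_SUFFIX = "LORG"  # assumption: the suffix alone identifies a line-organization group


def validate_mappings(rows, reference, user_groups):
    """Return a sorted list of findings.

    rows        -- (V_GROUP_CD, V_SEC_ATTR_CD, V_SEC_ATTR_VAL) tuples
    reference   -- attr code -> set of codes exported from the matching KDD_* table
    user_groups -- LDAP user id -> set of LDAP group names
    """
    findings = []
    for group, attr_cd, attr_val in rows:
        allowed = POOL_ATTR_CDS if group.endswith(LORG_SUFFIX) else VALID_ATTR_CDS
        if attr_cd not in allowed:
            findings.append(f"{group}: attribute code {attr_cd} not valid for this group")
        elif attr_val not in reference.get(attr_cd, set()):
            findings.append(f"{group}: {attr_cd} value {attr_val} missing from reference data")
    for user, groups in user_groups.items():
        lorg = sorted(g for g in groups if g.endswith(LORG_SUFFIX))
        if len(lorg) > 1:
            findings.append(f"{user}: more than one LORG group mapped: {', '.join(lorg)}")
    return sorted(findings)


# Constructed sample data (not from any real deployment).
REFERENCE = {"JRSDCN": {"AMEA"}, "ORG": {"TestOrgA"}, "BUSDMN": {"a"}, "CASETYPE": {"AML_SURV"}}
ROWS = [
    ("CMANALYSTGRP", "JRSDCN", "AMEA"),       # valid
    ("CMANALYSTGRP", "CASETYPE", "FR_EE"),    # value not in reference data
    ("CMANALYSTGRP", "REGION", "EU"),         # unknown attribute code
    ("TESTORGALORG", "ORG", "TestOrgA"),      # ORG not listed for pool-user mappings
    ("TESTORGALORG", "BUSDMN", "a"),          # valid
]
USERS = {
    "CASEANA": {"CMANALYSTGRP", "TESTORGALORG"},
    "CMSUP": {"CMANALYSTGRP", "TESTORGALORG", "TESTORGBLORG"},  # two LORG groups
}

if __name__ == "__main__":
    for finding in validate_mappings(ROWS, REFERENCE, USERS):
        print(finding)
```

An empty result means every row uses a listed attribute code with a value present in the reference data, and no user carries more than one LORG group.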

Configure JIT for Existing Users

Use this section to configure JIT for an existing user.

If extra User groups are mapped in the LDAP Server, then follow these steps:

Log in as the Admin user and verify the following:

  • Security attributes mappings are complete.
  • Users can view pages based on their Roles.
  • Users can view Cases based on the security attribute mapping.

If any User groups are unmapped in the LDAP server, then follow these steps:

  • Unmap the User groups from the Application.
  • Log in as the Admin user and navigate to Batch Maintenance.
  • Create a Batch, and add the ECM task FCC_ECM_JIT_SYNCH.

If the User group mapping does not require any changes and only Security Attribute Mapping changes are required, follow these steps:

  • Log in as the Admin user and navigate to Batch Maintenance.
  • Create a Batch, and add the ECM task FCC_ECM_JIT_SYNCH.

In the Batch Execution screen, execute the Batch. You can monitor the batch progress in the Batch Monitor screen.

Running this batch will sync security attributes mapping for all users in the KDD_REVIEW_OWNER table.

Disable LDAP Users

To disable users who are disabled in LDAP, follow these steps:
  1. Log in as the Admin user, navigate to Batch Maintenance, and create a Batch.

    For ECM, add the ECM task FCC_ECM_JIT_DIS_USR to the newly created Batch.

  2. Edit the Task by providing one or more User IDs, enclosed in single quotes ('), in the Parameter section. Multiple IDs must be comma (,) separated.

    For example: 'CMSUP,CASEANA' where CMSUP,CASEANA are users to be disabled in the KDD_REVIEW_OWNER table.