
IMC "Users" vs "Access Users"

 
timaz
Advisor

IMC "Users" vs "Access Users"

Hi;

 

What is the difference between IMC "Users" and "Access Users"?

 

3 REPLIES
johnk3r
Respected Contributor

Re: IMC "Users" vs "Access Users"

Hello.


You are using the module A? I believe the "Access user" option appears only with this module installed.

 

If this is the case, it is as follows:

Access user enables you to control the user access. Access user accounts are for AAA.

Users management enables you to manage the basic information for platform users.

**************************************
ATP FLEXNETWORK V3 | ACSA
timaz
Advisor

Re: IMC "Users" vs "Access Users"

I'm using User Access Management (UAM) besides the iMC basic platform. Actually, I need to know the difference between the "Access Users" and "Platform Users". If I can control the users' access to network resources (AAA and device access) with the "Access Users", which is configurable through the UAM module, what are the benefits of normal "Users" (or Platform Users)?

 

I read the documentation and it says "Users" (not Access Users) can help us to control user's access to network resources. As far as I know, this is a clear role of "Access Users", not "Users" or "Platform Users". So would you mind, please, clearing this up for me? Thanks a lot.

NeilR
Respected Contributor

Re: IMC "Users" vs "Access Users"

Yeah - I found this confusing as well, and was hoping someone would provide a good explanation. The usage of the terms user, account, access user, access account is a bit vague in the docs, and maybe in the UI as well.

 

Here's my take based on usage:

 

"User" is a layer on top of "access user" or "access account" which allows multiple access credentials to be associated with one person - easier to think about this first in the BYOD model:

 

A "User" has an account entry to hold an identity number (for uniqueness) and store personal information: email address, phone etc.

 

That individual may own one or more devices, whose MAC address will be the credential/ID for accessing the network.

 

The "Access User" is the container for the information about the credential (i.e. the device MAC) and relates to how it accesses the network and what services it gets. This includes the Account name (MAC address in this case) and Service type created in the Access Policy section, and all the bindings etc.

 

So a "User", the person, has a one to (possibly) many relationship to "Access User", the access accounts used to access the network.

 

In the device example, each device is mapped to an "Access User", so each device has a unique ID, and can have a unique set of services, but all devices map to a "User" to relate ownership.

 

In the case of LDAP users it might seem a bit different because it starts with a one to one relationship between "User" and "Access User" when the account is created by synching from AD.

 

But it works the same. The "User" gets the personal info from AD: Full Name, tel, email and the "Access User" holds the username, services etc.

 

You could then add a MAC device to the LDAP-created "user" if that's how you wanted to authenticate them. I'm using the same LDAP credentials to access the WIFI so all the internal users' BYODs still only have a one to one relationship.

 

It would be less confusing if they had kept all the terms consistent with purpose: User is fine with name and ID number. But "Access User" should have been Access account - wherever the word "user" appears under the Access user, substitute "account" and it becomes less confusing.

 

Access Policy and access service have a similar layered approach.

 

Took a while for this to sink in. Not sure if I totally get how to always apply it. But it gives flexibility in solving various authentication problems. Challenge is to understand how to map your problem onto all the various IMC options.

 

If I've misstated anything please correct me. Hope this helps.