Each LogonBox Enterprise product allows you to define any number of Realms.
A Realm is a separate entity where you can connect to a different user directory and set up configuration and resources specifically for this set of users. Each Realm is independent of the others and users logging into an individual Realm will have no knowledge of users or resources in other realms.
The admin user or any user within the System Administrator role has complete access to all the realms defined within the system.
You can assign a user administrative permissions within a single Realm by adding them to the built-in Realm Administrator role.
For example, let’s assume you have an Active Directory and a Linux server, each with their own sets of users. If you set up Realms for both of these sources, then users from both locations will be able to log on to the LogonBox server and access any resources you set up on that particular realm.
Realms do not interact with each other; they provide multi-tenancy so that multiple different sets of users can each have their own resources and configuration.
As an admin, you can manage and switch Realms using the realms icon in the top right navbar. A dropdown appears which allows you to select the realm you want to manage. The realms icon is only visible to System realm users who have either the System Administrator role or any of the Permissions starting with Realm (e.g. Realm Read, Realm Manage).
At the bottom left of every page is a status bar showing which user is logged in and which realm currently has focus. This is important for the admin as any resources you create will appear on the currently selected realm.
If you have switched into a realm, after you have completed the tasks you wanted to perform in that realm, you may switch back to your System realm by clicking Manage Realms again, then Back to System.
The Realms Table
Select Manage Realms from the realms menu to see the currently configured realms and to add new ones.
A realm needs to connect to a User Database so that users can authenticate to the server and get assigned resources. This page shows a list of all currently configured user databases. On a new server only System is configured, which uses a Local Database type (i.e. all user accounts are stored in the LogonBox server’s own database).
Currently, there are 11 different User Database types supported by LogonBox. These are:
- Active Directory
- Local (stored on the LogonBox server)
- HTTP
- MySQL Tables
- AS400
- MySQL Users
- Azure
- LogonBox Directory
- LDAP
- SSH
Once you click Create, the realm creation follows the same steps as the configuration of your System Realm (i.e. the same configuration as in Configure User Database). For more information on connecting to user directories, see the articles named 'Connecting to xxx directory' in this knowledgebase section.
Host Based access
There are two ways your users can log in to their own realm. The first method is to set up a unique hostname for each realm in your external DNS.
This way, users accessing the server through that hostname will only have access to that Realm and won't accidentally select the wrong realm when authenticating.
The users can be completely unaware of other Realms. This can be useful for Managed Service Providers for example.
Once you have set up a DNS hostname for your realm, edit your realm from Manage Realms, click Advanced, then you should see the Hosts tab.
Enter your hostname for this realm and click the + to add the entry. You may also optionally turn on Restrict Hosts here which will force these users to authenticate only via this defined hostname.
Realm Selection access
The second way of authenticating to a realm is via enabling a dropdown so that users can select their realm.
This setting can be found by navigating to System Configuration->Configuration->Authentication where Realm Selection can be turned ON.
Enforce Realm Selection may optionally be turned on here if required. If this setting is OFF, then the default realm (usually System) will be pre-selected in the dropdown. If the setting is ON, the selector will be blank and the user will have to pick their realm.
With Realm Selection turned on, users will see the realm dropdown above their username prompt when they are authenticating to the server.
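As an added illustration (not LogonBox's own code), the following Python model shows how the two access paths above interact: a hostname mapped on a realm's Hosts tab binds the login to that realm, Restrict Hosts refuses that realm's users on any other hostname, and the Realm Selection and Enforce Realm Selection settings decide what the dropdown offers. The realm names, hostnames and the behaviour when Realm Selection is off are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Realm:
    name: str
    hosts: set = field(default_factory=set)  # hostnames entered on the Hosts tab
    restrict_hosts: bool = False             # the Restrict Hosts toggle

# Constructed sample tenants; names and hostnames are made up for this example.
REALMS = {
    "System": Realm("System"),
    "acme": Realm("acme", {"acme.login.example"}, restrict_hosts=True),
    "globex": Realm("globex", {"globex.login.example"}),
}
DEFAULT_REALM = "System"  # the realm marked default in Manage Realms

def realm_for_host(host, realms=REALMS):
    """Return the realm whose Hosts tab lists this hostname, or None."""
    host = host.split(":", 1)[0].lower()  # drop any port, compare case-insensitively
    for realm in realms.values():
        if host in realm.hosts:
            return realm.name
    return None

def may_authenticate(host, realm_name, realms=REALMS):
    """Decide whether a user of realm_name may log in through this hostname."""
    realm = realms.get(realm_name)
    if realm is None:
        return False
    bound = realm_for_host(host, realms)
    if bound is not None and bound != realm_name:
        return False  # hostname is dedicated to another realm
    if realm.restrict_hosts and bound != realm_name:
        return False  # Restrict Hosts: only the realm's own hostname is allowed
    return True

def login_choices(host, realm_selection, enforce_selection, realms=REALMS):
    """Model the login page: (pre-selected realm, realms offered in the dropdown)."""
    bound = realm_for_host(host, realms)
    if bound is not None:
        return bound, [bound]  # host-based access: no choice to make
    if not realm_selection:
        # Assumption: with no dropdown, logins go to the default realm.
        return DEFAULT_REALM, [DEFAULT_REALM]
    preselected = None if enforce_selection else DEFAULT_REALM
    return preselected, list(realms)
```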
The System Realm
LogonBox comes by default with a special realm called System. It is this realm which contains the global admin account. This is also the only realm where you can add the System Administrator Role to a user to grant them global admin rights.
The System Administrator can enter, view and modify all other Realms. No other user in any other Realm is able to do this. In order to manage other Realms you must log in to the server as a user within the System Realm who has the System Administrator role.
Realm Actions
In Manage Realms, the action icons appear to the right of each realm. The Actions (gears) icon allows you to set that realm as the default; the default realm is the first in the realm selector.
Another action that can be performed from the gears icon is to force a re-synchronization of the users. Selecting Synchronize will make the LogonBox server connect to the user database immediately and update the users and groups lists.
It is also possible to switch into that realm from this menu using the Manage Realm action.
The second icon, next to the Actions button, edits the realm so that you can update any settings, such as changing the service account password or altering the user filtering. It shows the same options as creating a new realm.
The third icon creates a copy of that realm. A popup appears prompting you to enter a name for the new realm, and clicking Update creates the copy. This is useful if you have multiple directories with similar configuration and only need to change a couple of settings.
Finally, the last button deletes the realm (this cannot be done while the realm is set as the default).
Managed Service Providers
Because of the separation between realms, LogonBox is well suited to a Managed Service Provider scenario: several separate companies can access resources you manage for them, without any of them being able to see (or even know about) another company’s resources, by giving each company its own realm with its own host-based restrictions.