iManager 1.5 Roles Defined
Articles and Tips: article
Research Engineer
Novell AppNotes
jfischer@novell.com
01 Jun 2003
Last month we discussed how to access iManager 1.5 and navigating through iManager. This month, we will begin our discussion of the services you can administer using iManager and the pre-defined roles that allow you to administer those services.
Adding Users to Roles
After iManager is installed, the tree admin will be the only user that will have access to the roles in iManager. In a new tree installation, this user is the admin user. By default, this user will own and be a member of all the roles that were created during the iManager installation. Since you shouldn't use the admin user in a production environment (because of security risks), you need to understand how to add other members to existing roles in order to set up your distributed administration approach.
It is good security practice to assign another user besides admin as a member of all the iManager roles. Follow these steps in order to assign a user as a member of a role.
Log in as Admin into iManager.
Click the Configure button and you will see a screen like Figure 1.
Click the Modify Members button next to the role where you want to add a member.
Click the Browse button next to the name field.
Browse to the user you are going to add as a member using the blue arrows.
When all of the users you want to add as a member of the role appear in the selected objects field, select OK.
Browse to and select a scope where the user will be able to perform the functions of the role. You can select to allow the user to perform the function at the top level of the tree or in one organizational unit. You can also select multiple containers to be the scope for the operation.
Check or uncheck the Inheritable check box, depending if you want the user to perform this role in subcontainers of the specified scope.
Click OK to accept the changes made to the role.
Click OK to return to the main menu.
Property Books
As an example, let's say that you have assigned a user as a member of the Group Membership role. This role allows a member to modify all properties of a group object, including contact information such as location, department, and description, as well as its other properties. A member of this role can also change the list of members for the group.
For some organizations that use a decentralized approach to administration, this level of responsibility assignment is not granular enough. You may want to assign a user to a role that can only change the group membership list, but not all the properties for this object. You may want to assign a user to administer a list of selective attributes, but not the entire list of attributes for that object.
In this instance, you could use a property book. Property books can help you more effectively view and manage a large number of attributes. The property book essentially keeps track of a list of attributes that an administrative user can manage. A role can be created that holds a property book. The property book specifies the list of attributes that can be managed. The user who is made a member of the role would then only be able to manage the properties specified within the property book.
This finely grained approach could be more effective for large corporations where there is a need to distribute a large load of object administration. Help desk technicians, administrative assistants, or other personnel could manage attributes for objects in the tree. This would help offload day-to-day object administration from the network staff.
Follow these steps to create a role with a property book that allows members to only edit the group membership list for a group object.
Create a role called "Group User Admin" but do not assign any tasks to the role when prompted.
Assign members and scopes to the role.
Select the Configure button on the top navigation bar.
Expand Property Book Configuration.
Click Create Property Book.
Type "Group Users" for the name of the property book.
Click the Browse button next to the Module text field.
Click Search to search for all the modules in the tree.
Select a module such as eDirectory Partition and Replica Management.
Click Next.
Add the user and group objects from the available objects field and click Next.
Add the manageGroupUsersPage.
Click Next.
Assign the property book to the Group User Admin role you created previously.
Click Next.
Click Finish.
Click OK.
Note: The pages that appear are dependent upon the objects you select in the previous step.
You can test this by performing the following steps:
Log in as the user you assigned to this role.
Close the iManager configuration wizard by clicking the Close button.
You will then see the role that has been assigned to this user, which is the Group User Admin role.
Click on the Group Users task.
Click the Browse button by the object name field.
Select a group object from your tree and click OK.
You will then see only the members tab for the group object. You can modify members of the group, but cannot modify any other properties.
You have just completed all the steps necessary to create a role, to create a property book, and to assign a user to use the role. The member of this role will only have the rights to change the group membership for the groups in the context specified by the role. This can be done with many other properties and objects, which makes it a very powerful solution for distributing the network administration load.
Collection Configuration
It may be necessary to modify the owner of a collection. This is important because you don't want to use the Admin user for all network administration; each administrator should use their own user object. You will need to assign users other than Admin as owners of the collection object, which will give them rights to all the roles within the collection.
Perform the following steps in order to assign additional owners of the collection object.
Log in to iManager as Admin.
Click the Configure button on the top navigation bar. You will see the roles that belong to the Configure screen, as shown in Figure 2.
Figure 2: All the roles that belong to the configuration screen.
Expand the Collection Configuration.
Select "Modify Collection Owners".
Click the Browse button to search for the collection object.
Click Search to search the tree for collection objects and select the object to which you want to add owners.
Click OK.
Click the plus button to add owners.
Browse and select the users you want to be additional owners of the collection. You can repeat this step to add additional users.
Click OK.
Click OK.
User Self-Management
Novell iManager also allows administrators to set up user self-management so that users in the network can modify their own personal information when they are authenticated to the network as themselves.
User self-management is enabled with the [This] special trustee name in eDirectory. [This] is a special eDirectory trustee name that allows you to modify attributes on the authenticated object only.
This also allows day-to-day user object administration to be distributed down to the user level, so that users can keep their own object attributes up to date.
In order to enable User Self-Management, you must change a statement in the iManager config file. The file is named eMFrame.cfg and is found in the eMFrame/Web-INF directory. Note that the [This] trustee assignment can only be added to containers, not to individual users. Perform the following steps to set up User Self-Management.
Make sure you are using eDirectory 8.7.
Open the eMFrame.cfg file on your iManager server.
Find the line that reads Provider.eMFrame.This.enable=false and change "false" to "true".
Save the file.
Stop and restart Tomcat.
If you have not installed eGuide on your iManager server, install the eGuide Configuration plug-in by going to the Configure screen in iManager.
Select Plug-in Setup and Install > Install Plug-in.
Click on the Role Configuration > Modify eGuide Roles Task.
On the Modify eGuide Roles page, find the eGuide Self-Management role.
Click on the Modify Tasks button next to this role in order to add or remove tasks from the role.
All User objects in the container will inherit the ability to modify attributes on their own objects, according to the tasks in the role.
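The eMFrame.cfg edit above is the one step in this procedure that is not done through the iManager interface, and because enabling [This] widens what every user in the scoped containers can write to their own object, it is worth making the change repeatable and verifiable. The POSIX shell functions below are an added example, not part of the original article or of any Novell tooling: they back up the file, set the Provider.eMFrame.This.enable key idempotently (appending it if it is missing), and read the effective value back so you can confirm the setting before and after restarting Tomcat. The sample file they run against is constructed here and is not the shipped eMFrame.cfg.

```shell
#!/bin/sh
# cfg_set FILE KEY VALUE
# Idempotently set KEY=VALUE in a properties-style file such as eMFrame.cfg.
# Writes FILE.bak first so the change can be reverted.
cfg_set() {
  file=$1; key=$2; value=$3
  # escape the dots in keys like Provider.eMFrame.This.enable for the regex
  esc=$(printf '%s' "$key" | sed 's/\./\\./g')
  cp "$file" "$file.bak"
  if grep -q "^$esc=" "$file"; then
    # key already present: replace whatever value follows it
    sed "s|^$esc=.*|$key=$value|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
  else
    # key absent: append it
    printf '%s=%s\n' "$key" "$value" >> "$file"
  fi
}

# cfg_get FILE KEY
# Print the current value of KEY (last occurrence wins; empty if absent).
cfg_get() {
  esc=$(printf '%s' "$2" | sed 's/\./\\./g')
  sed -n "s|^$esc=||p" "$1" | tail -n 1
}

# demo: enable self-management in a constructed sample eMFrame.cfg and
# return the value read back, which should be "true".
demo() {
  dir=$(mktemp -d)
  cfg="$dir/eMFrame.cfg"
  # constructed sample resembling the default line the article tells you to find
  printf '%s\n' '# constructed sample, not the real file' \
    'Provider.eMFrame.This.enable=false' > "$cfg"
  cfg_set "$cfg" Provider.eMFrame.This.enable true
  cfg_get "$cfg" Provider.eMFrame.This.enable
  rm -rf "$dir"
}

demo
```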
Creating a New Module
iManager also allows you to create a new module. Although the modules that are already installed are enough to manage the pre-defined tasks, you may want to create your own tasks, assign them to your own roles, and create a new module to organize those custom tasks in eDirectory.
To illustrate this, let's say that you have a custom-created application that makes changes to custom or predefined attributes in the directory. You can create a new module object and new tasks for this module, and you can define a new role to perform the tasks of the module object. Then you can associate users with the new role object and the application can use a user within this role to perform its tasks. To create a new role and new tasks, perform the following steps.
Expand Module Configuration and click Create Module.
Enter a name for the module and select its context, such as Role Based Service.
Click OK twice. This creates a new module.
Expand Task Configuration and click Create iManager Task.
Select a class for the task (such as User), browse to the destination, and select Task as the plug-in type.
Select the attributes you want the task to modify and click Next.
Click Next twice.
Assign a name for the task, the collection, and the role it will belong to, and click Finish.
Conclusion
In this month's article, we talked about the Configuration screen in iManager. We learned how to set up property books and user self-management. Now that we have thoroughly talked about distributed administration and roles in iManager, next month we'll discuss how to administer the services on a network using iManager.
* Originally published in Novell AppNotes