Security Guide for Siebel eBusiness Applications > Security Adapter Authentication > Security Adapter Deployment Options >

Configuring Roles Defined in Directory

Roles are an alternate means of associating Siebel responsibilities with users. This option can be implemented in the following authentication strategies:

• Security adapter authentication: LDAP, ADSI, custom (not database authentication)
• Web SSO authentication

Responsibilities assigned to each user in Siebel applications provide users with access to particular views. Responsibilities are created in the Siebel application and are stored in the Siebel Database. One or more responsibilities are typically associated with each user in the Administration - Application screen.

Roles in the LDAP/ADS directory are another means of associating Siebel responsibilities with users. Roles are useful for managing large collections of responsibilities. A user has access to all the views associated with all the responsibilities that are directly or indirectly associated with the user.

CAUTION:  It is recommended that you assign responsibilities in the database or in the directory, but not in both places. If you define a directory attribute for roles, but you do not use it to associate responsibilities with users, leave the attribute empty.

If you use roles to administer user responsibilities, follow these guidelines:

• Create responsibilities in the Siebel application, but do not also assign users any responsibilities through the Siebel application interface.
• To allow assigning more than one responsibility to any user, you must define the directory attribute for roles as a multivalue attribute. Siebel-supported security adapters cannot read more than one responsibility from a single-value attribute.
• The directory attribute for roles should contain the names of the Siebel responsibilities that you want the user to have. Enter one responsibility name, such as Web Registered User, in each element of the multivalue field. Role names are case-sensitive.

You can configure Siebel-provided security adapters to retrieve roles for a user from the directory. For each Siebel application that uses roles, set the following parameter value for the LDAP or ADSI security adapter.

For example, for the LDAP security adapter, define the following parameter:

RolesAttributeType= attribute_in_which_roles_are_stored

For information about setting Siebel configuration parameters, see Configuration Parameters Related to Authentication.