
Sun ONE Identity Server 6.1 Administration Guide

Chapter 16  
Administration Service Attributes

The Administration Service consists of global and organization attributes. Values applied to the global attributes apply across the Sun ONE Identity Server configuration and are inherited by every configured organization. They cannot be applied directly to roles or organizations, because the purpose of global attributes is to customize the Identity Server application itself. Values applied to the organization attributes are defaults for each configured organization and can be changed when the service is registered to the organization. The organization attributes are not inherited by entries below the organization. The Administration attributes are divided into Global Attributes and Organization Attributes.


Global Attributes

The global attributes in the Administration Service are:

Enable Federation Management

When selected, this field enables Federation Management. It is selected by default. To disable this feature, deselect the field; the Federation Management Service tab will then no longer appear in the console.

Enable User Management

When selected (true), this field enables User Management. It is enabled by default.

Show People Containers

This attribute specifies whether to display People Containers in the Identity Server console. If this option is selected, the menu choice People Containers displays in the View menu for Organizations, Containers and Group Containers. People Containers will be seen at the top-level only for a flat DIT.

People containers are organizational units containing user profiles. It is recommended that you use a single people container in your DIT and leverage the flexibility of roles to manage accounts and services. The default behavior of the Identity Server console is to hide the People Container. However, if you have multiple people containers in your DIT, select Show People Containers to display People Containers as managed objects in the Identity Server console.

Display Containers In Menu

This attribute specifies whether to display any containers in the View menu of the Identity Server console. The default value is false. An administrator can optionally choose either:

Show Group Containers

This attribute specifies whether to show Group Containers in the Identity Server console. If this option is selected, the menu choice Group Containers displays in the View menu for organizations, containers, and group containers. Group containers are organizational units for groups.

Managed Group Type

This option specifies whether subscription groups created through the console are static or dynamic. The console will either create and display subscription groups that are static or dynamic, not both. (Filtered groups are always supported regardless of the value given to this attribute.) The default value is dynamic.

An administrator can select either static or dynamic.

Default Role Permissions (ACIs)

This attribute defines a list of default access control instructions (ACIs) or permissions that are used to grant administrator privileges when creating new roles. One of these ACIs is selected depending on the level of privilege desired. Identity Server ships with four default role permissions:

No Permissions

No permissions are to be set on the role.

Organization Admin

The Organization Administrator has read and write access to all entries in the configured organization.

Organization Help Desk Admin

The Organization Help Desk Administrator has read access to all entries in the configured organization and write access to the userPassword attribute.

Organization Policy Admin

The Organization Policy Administrator has read and write access to all policies in the organization. The Organization Policy Administrator cannot create a referral policy to a peer organization.


Note

Roles are defined using the format aci_name | aci_desc | dn:aci ## dn:aci ## dn:aci where:

  • aci_name is the name of the ACI.
  • aci_desc is a description of the access these ACIs allow. For maximum usability, assume the reader of this description does not understand ACIs or other directory concepts.

aci_name and aci_desc are i18n keys contained in the amAdminUserMsgs.properties file. The values displayed in the console come from the .properties file, and the keys are used to retrieve those values.

  • dn:aci represents pairs of DNs and ACIs separated by ##. Identity Server sets each ACI in the associated DN entry. This format also supports tags that can be substituted for values that would otherwise have to be specified literally in an ACI: ROLENAME, ORGANIZATION, GROUPNAME and PCNAME. Using these tags lets you define roles flexible enough to be used as defaults. When a role is created based on one of the default roles, tags in the ACI resolve to values taken from the DN of the new role.
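As an added illustration (not code from the product or from this guide), the following Python parses a default role permission written in the format above and resolves its tags for a new role. How each tag is derived from the role DN is an assumption made here: ROLENAME is taken as the full DN of the new role and ORGANIZATION as its parent entry, while GROUPNAME and PCNAME are supplied by the caller. The template text, the ACIs in it and the role DN are constructed for the example. The summarize function lists the targetattr and the rights each ACI grants, which is the check worth running on a template before adding it to this attribute.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

TAGS = ("ROLENAME", "ORGANIZATION", "GROUPNAME", "PCNAME")
_TAG_RE = re.compile(r"\b(" + "|".join(TAGS) + r")\b")
_ATTR_RE = re.compile(r'targetattr\s*=\s*"([^"]*)"')
_ALLOW_RE = re.compile(r"allow\s*\(([^)]*)\)")


@dataclass
class AciTemplate:
    name: str                       # aci_name, an i18n key
    desc: str                       # aci_desc, an i18n key
    entries: List[Tuple[str, str]]  # (dn, aci) pairs, tags not yet resolved


def parse_template(line: str) -> AciTemplate:
    """Parse 'aci_name | aci_desc | dn:aci ## dn:aci ...' into its parts."""
    parts = [p.strip() for p in line.split("|", 2)]
    if len(parts) != 3 or not all(parts):
        raise ValueError("expected 'aci_name | aci_desc | dn:aci ## dn:aci'")
    name, desc, body = parts
    entries = []
    for chunk in body.split("##"):
        # A DN contains no ':' but the ACI body does (ldap:///), so split once.
        dn, sep, aci = chunk.strip().partition(":")
        if not sep or not dn.strip() or not aci.strip():
            raise ValueError(f"malformed dn:aci pair: {chunk.strip()!r}")
        entries.append((dn.strip(), aci.strip()))
    return AciTemplate(name, desc, entries)


def _split_rdns(dn: str) -> List[str]:
    """Split a DN on unescaped commas."""
    return [r.strip() for r in re.split(r"(?<!\\),", dn)]


def tag_values(role_dn: str, groupname: str = "", pcname: str = "") -> Dict[str, str]:
    """Assumed tag resolution: ROLENAME is the new role's full DN, ORGANIZATION
    is its parent entry; GROUPNAME and PCNAME come from the caller."""
    rdns = _split_rdns(role_dn)
    if len(rdns) < 2 or not rdns[0].lower().startswith("cn="):
        raise ValueError(f"not a role DN under an organization: {role_dn!r}")
    return {
        "ROLENAME": role_dn,
        "ORGANIZATION": ",".join(rdns[1:]),
        "GROUPNAME": groupname,
        "PCNAME": pcname,
    }


def resolve(template: AciTemplate, role_dn: str,
            groupname: str = "", pcname: str = "") -> List[Tuple[str, str]]:
    """Return the (dn, aci) pairs to set for a role created from the template.
    A tag with no value is an error rather than an empty string: an ACI with an
    empty target or roledn would not grant what the template intends."""
    values = tag_values(role_dn, groupname, pcname)

    def substitute(text: str) -> str:
        def repl(match) -> str:
            tag = match.group(1)
            if not values[tag]:
                raise ValueError(f"tag {tag} has no value for role {role_dn!r}")
            return values[tag]
        return _TAG_RE.sub(repl, text)

    return [(substitute(dn), substitute(aci)) for dn, aci in template.entries]


def summarize(template: AciTemplate) -> List[Tuple[str, List[str]]]:
    """List (targetattr, rights) for each ACI so the grant can be reviewed
    before the template is used; write on '*' means full control of the entry."""
    summary = []
    for _, aci in template.entries:
        attr = _ATTR_RE.search(aci)
        allow = _ALLOW_RE.search(aci)
        rights = [r.strip() for r in allow.group(1).split(",")] if allow else []
        summary.append((attr.group(1) if attr else "", rights))
    return summary


# Constructed template in the guide's format; it is not one shipped with the product.
HELPDESK_TEMPLATE = (
    "Organization Help Desk Admin | orgHelpDeskAdminDesc | "
    'ORGANIZATION:(target="ldap:///ORGANIZATION")(targetattr="*")'
    '(version 3.0; acl "helpdesk read"; allow (read,search) roledn="ldap:///ROLENAME";)'
    " ## "
    'ORGANIZATION:(target="ldap:///ORGANIZATION")(targetattr="userPassword")'
    '(version 3.0; acl "helpdesk password"; allow (write) roledn="ldap:///ROLENAME";)'
)
ROLE_DN = "cn=Help Desk Admin,o=example,dc=example,dc=com"  # hypothetical new role

if __name__ == "__main__":
    template = parse_template(HELPDESK_TEMPLATE)
    for dn, aci in resolve(template, ROLE_DN):
        print(f"{dn}\n  {aci}")
    print(summarize(template))
```

Running the block prints the two resolved ACIs for the hypothetical role and the summary [('*', ['read', 'search']), ('userPassword', ['write'])], which is exactly the help desk profile described above: read everywhere, write only to userPassword.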

Domain Component Tree Enabled

The Domain Component tree (DC tree) is a specific DIT structure used by many Sun ONE components to map between DNS names and organizations’ entries.

When this option is enabled, the DC tree entry for an organization is created, provided that the DNS name of the organization is entered at the time the organization is created. The DNS name field will appear in the Organization Create page. This option is only applicable to top-level organizations, and will not be displayed for suborganizations.

Any status change made to the inetdomainstatus attribute through the Identity Server SDK in the organization tree will update the corresponding DC tree entry status. (Updates to status that are not made through the Identity Server SDK will not be synchronized.) For example, if a new organization, sun, is created with the DNS name attribute sun.com, the following entry will be created in the DC tree:

dc=sun,dc=com,o=internet,root suffix

The DC tree may optionally have its own root suffix, configured by setting com.iplanet.am.domaincomponent in AMConfig.properties. By default, this is set to the Identity Server root suffix. If a different suffix is desired, that suffix must be created using LDAP commands, and the ACIs for the administrators that create organizations must be modified so that they have unrestricted access to the new DC tree root.

Admin Groups Enabled

This option specifies whether to create the DomainAdministrators and DomainHelpDeskAdministrators groups. If selected (true), these groups are created and associated with the Organization Admin role and the Organization Help Desk Admin role, respectively. Once created, adding a user to, or removing a user from, one of these roles automatically adds the user to, or removes the user from, the corresponding group. This behavior does not work in reverse: adding a user to, or removing a user from, one of these groups does not change the user's role membership.

The DomainAdministrators and DomainHelpDeskAdministrators groups are only created in organizations that are created after this option is enabled.


Note

This option does not apply to suborganizations. The exception is the root organization, where the ServiceAdministrators and ServiceHelpDeskAdministrators groups are created and associated with the Top-level Admin and Top-level Help Desk Admin roles, respectively. The same one-way synchronization applies.


Compliance User Deletion Enabled

This option specifies whether a user’s entry will be deleted, or just marked as deleted, from the directory. When a user’s entry is deleted and this option is selected (true), the user’s entry will still exist in the directory, but will be marked as deleted. User entries that are marked for deletion are not returned during Directory Server searches. If this option is not selected, the user’s entry will be deleted from the directory.

Dynamic Admin Roles ACIs

This attribute defines the access control instructions for the administrator roles that are created dynamically when a group or organization is configured using Identity Server. These roles are used for granting administrative privileges for the specific grouping of entries created. The default ACIs can be modified only under this attribute listing.


Caution

Administrators at the organization level have a wider scope of access than group administrators. By default, however, a user added to a group administrator role can change the password of anyone in the group, including any organization administrator who happens to be a member of that group. A group administrator can therefore take over an organization administrator's account by resetting its password. Either keep organization administrators out of groups that have group administrators, or restrict write access to userPassword in the Group Admin ACI under this attribute.


Container Help Desk Admin

The Container Help Desk Admin role has read access to all entries in an organizational unit (container) and write access to the userPassword attribute of user entries in that container only.

Organization Help Desk Admin

The Organization Help Desk Administrator has read access to all entries in an organization and write access to the userPassword attribute.


Note

When a suborganization is created, remember that the administration roles are created in the suborganization, not in the parent organization.


Container Admin

The Container Admin role has read and write access to all entries in an LDAP organizational unit. In Identity Server, the LDAP organizational unit is often referred to as a container.

Organization Policy Admin

The Organization Policy Administrator has read and write access to all policies, and can create, assign, modify, and delete all policies within that organization.

People Container Admin

By default, any user entry in a newly created organization is a member of that organization's People Container. The People Container Administrator has read and write access to all user entries in the organization's People Container. Keep in mind that this role does not have read and write access to the attributes that contain role and group DNs; therefore, it cannot modify those attributes or remove a user from a role or a group.


Note

Other containers can be configured with Identity Server to hold user entries, group entries or even other containers. To apply an Administrator role to a container created after the organization has already been configured, the Container Admin Role or Container Help Desk Admin defaults would be used.


Group Admin

The Group Administrator has read and write access to all members of a specific group, and can create new users, assign users to the groups they manage, and delete the users that they have created.

When a group is created, the Group Administrator role is automatically generated with the necessary privileges to manage the group. The role is not automatically assigned to a group member. It must be assigned by the group’s creator, or anyone that has access to the Group Administrator Role.

Top-level Admin

The Top-level Administrator has read and write access to all entries in the top-level organization. In other words, this Top-level Admin role has privileges for every configuration principal within the Identity Server application.

Organization Admin

The Organization Administrator has read and write access to all entries in an organization. When an organization is created, the Organization Admin role is automatically generated with the necessary privileges to manage the organization.

User Profile Service Classes

This attribute lists the services that will have a custom display in the User Profile page. The default display generated by the console may not be sufficient for some services. This attribute creates a custom display for any service, giving full control over what and how the service information is displayed. The syntax is as follows:

service name | relative url


Note

Services that are listed in this attribute will not display in the User Create pages. Any data configuration for a custom service display must be performed in the User Profile pages.


DC Node Attribute List

This field defines the set of attributes that will be set in the DC tree entry when an object is created. The default parameters are:

Search Filters for Deleted Objects

This field defines the search filters for objects to be removed when Compliance User Deletion Enabled is selected.


Organization Attributes

The organization attributes in the administration service are:

Groups Default People Container

This field specifies the default People Container where users will be placed when they are created. There is no default value. A valid value is the DN of a people container. See the note under Groups People Container List attribute for the People Container fallback order.

Groups People Container List

This field specifies a list of People Containers from which a Group Administrator can choose when creating a new user. This list can be used if there are multiple People Containers in the directory tree. (If no People Containers are specified in this list or in the Groups Default People Container field, users are created in the default Identity Server people container, ou=people.) There is no default value for this field. The syntax for this attribute is as follows:

group name|dn of people container


Note

When a user is created, this attribute is checked for a container in which to place the entry. If the attribute is empty, the Groups Default People Container attribute is checked for a container. If the latter attribute is empty, the entry is created under ou=people.
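The fallback order in the note above, implemented as an added Python example (not Identity Server code). The Groups People Container List is keyed by group name, so the caller passes the group of the Group Administrator creating the user; when the list is non-empty but has no entry for that group, the example falls through to the Groups Default People Container, which is an assumption, since the guide only describes the empty-list case. The organization DN and container list are constructed for the example, and the check that the chosen container lies inside the organization is added here rather than described in the guide.

```python
from typing import Dict, List

DEFAULT_PC_RDN = "ou=people"  # the built-in default named in the guide


def parse_pc_list(entries: List[str]) -> Dict[str, str]:
    """Parse 'group name|dn of people container' lines into a mapping."""
    mapping: Dict[str, str] = {}
    for raw in entries:
        line = raw.strip()
        if not line:
            continue
        group, sep, dn = (part.strip() for part in line.partition("|"))
        if not sep or not group or not dn:
            raise ValueError(f"expected 'group name|dn of people container': {raw!r}")
        if "=" not in dn:
            raise ValueError(f"not a DN: {dn!r}")
        mapping[group] = dn
    return mapping


def _within(dn: str, base_dn: str) -> bool:
    """True if dn is base_dn or an entry below it (case-insensitive match)."""
    dn, base_dn = dn.lower(), base_dn.lower()
    return dn == base_dn or dn.endswith("," + base_dn)


def resolve_people_container(org_dn: str, group_name: str,
                             pc_list: List[str], default_pc: str) -> str:
    """Return the DN under which a new user entry is created.

    Order: the Groups People Container List entry for the creating group, then
    Groups Default People Container, then ou=people under the organization.
    Falling through when the list has no entry for the group is an assumption.
    A configured container outside org_dn is rejected (added safeguard) so a
    Group Administrator cannot be handed a container in another organization.
    """
    mapping = parse_pc_list(pc_list)
    if mapping and group_name in mapping:
        chosen = mapping[group_name]
    elif default_pc.strip():
        chosen = default_pc.strip()
    else:
        chosen = f"{DEFAULT_PC_RDN},{org_dn}"
    if not _within(chosen, org_dn):
        raise ValueError(f"people container {chosen!r} is outside organization {org_dn!r}")
    return chosen


# Constructed configuration for the example (not from a real deployment).
ORG_DN = "o=example,dc=example,dc=com"
PC_LIST = [
    "Sales|ou=sales-people,o=example,dc=example,dc=com",
    "Engineering|ou=eng-people,o=example,dc=example,dc=com",
]

if __name__ == "__main__":
    print(resolve_people_container(ORG_DN, "Sales", PC_LIST, ""))
    print(resolve_people_container(ORG_DN, "Finance", PC_LIST,
                                   "ou=staff,o=example,dc=example,dc=com"))
    print(resolve_people_container(ORG_DN, "Finance", [], ""))
```

The three calls at the bottom exercise each step of the order in turn: a listed group, an unlisted group with a default container configured, and neither configured.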


User Profile Display Class

This attribute specifies the Java class used by the Identity Server console when it displays the User Profile pages.

Display User's Roles

This option specifies whether to display a list of roles assigned to a user as part of the user’s user profile page. If the value is false (not selected), the user profile page shows the user’s roles only for administrators. The default value is false.

Display User's Groups

This option specifies whether to display a list of groups assigned to a user as part of the user’s user profile page. If the value is false (not selected), the user profile page shows the user’s groups only for administrators. The default value is false.

User Group Self Subscription

This option specifies whether users can add themselves to groups that are open to subscription. If the value is false, the user profile page allows the user’s group membership to be modified only by an administrator. The default value is false.


Note

This option applies only when the Display User’s Groups option is selected.


User Profile Display Options

This menu specifies which service attributes will be displayed in the user profile page. An administrator can select from the following:

User Creation Default Roles

This listing defines roles that will be assigned to newly created users automatically. There is no default value. An administrator can input the DN of one or more roles.


Note

This field takes only a full distinguished name (DN), not a role name.


View Menu Entries

This field lists the Java classes of services that will be displayed in the View menu at the top of the console. The syntax is i18N key | java class name. (The i18N key is used for the localized name of the entry in the View menu.)

Maximum Results Returned From Search

This field defines the maximum number of results returned from a search. The default value is 100.


Caution

Use caution when setting this attribute to a large value. For sizing limits, see the Sun ONE Directory Server Installation and Tuning Guide at the following location:

http://docs.sun.com/db/doc/816-6697-10


Timeout For Search (sec.)

This field defines the amount of time (in number of seconds) that a search will continue before timing out. It is used to stop potentially long searches. After the maximum search time is reached, an error is returned. The default is 5 seconds.

JSP Directory Name

This field specifies the name of the directory that contains the .jsp files used to construct the console, so that an organization can be given a different appearance (customization). The .jsp files must be copied into the directory specified in this field.

Online Help Documents

This field lists the online help links that will be created on the main Identity Server help page. This allows other applications to add their online help links in the Identity Server page. The format for this attribute is as follows:

link i18n key | html page to load when clicked | i18n properties file

For example:

IdentityServer Help | /AMAdminHelp.html | amAdminModuleMsgs

Required Services

This field lists the services that are dynamically added to users' entries when the users are created. Administrators can choose which services are added at creation time.

This attribute is not used by the console, but by the Identity Server SDK. Users that are created dynamically, or with the amadmin command line utility, are assigned the services listed in this attribute.

User Search Key

This attribute defines the attribute name that is searched when performing a simple search in the Navigation page. The default value is cn. For example, with the default in place, entering j* in the Name field of the Navigation frame displays the users whose names begin with "j" or "J".

User Search Return Attribute

This field defines the attribute name used when displaying the users returned from a simple search. The default of this attribute is uid cn. This will display the user ID and the user’s full name.

The attribute name that is listed first is also used as the key for sorting the set of users that will be returned. To avoid performance degradation, use an attribute whose value is set in a user's entry.

User Creation Notification List

This field defines a list of email addresses that will be sent notification when a new user is created. Multiple email addresses can be specified, as in the following syntax:

e-mail|locale|charset

e-mail|locale|charset

e-mail|locale|charset

The notification list also accepts different locales by using the |locale option. For example, to send the notification to an administrator in France:

someuser@example.com|fr|fr

See Table 19-1 for a list of locales.


Note

The sender email ID can be changed by modifying property 497 in amProfile.properties, which is located, by default, at IdentityServer_base/Identity-Server/SUNWam/locale.


User Deletion Notification List

This field defines a list of email addresses that will be sent notification when a user is deleted. Multiple email addresses can be specified, as in the following syntax:

e-mail|locale|charset

e-mail|locale|charset

e-mail|locale|charset

The notification list also accepts different locales by using the |locale option. For example, to send the notification to an administrator in France:

someuser@example.com|fr|fr

See Table 19-1 for a list of locales.


Note

The sender email ID can be changed by modifying property 497 in amProfile.properties, which is located, by default, at IdentityServer_base/Identity-Server/SUNWam/locale. The default sender ID is DSAME.


User Modification Notification List

This field defines a list of attributes and email addresses associated with the attribute. When a user modification occurs on an attribute defined in the list, the email address associated with the attribute will be sent notification. Each attribute can have a different set of addresses associated to it. Multiple email address can be specified, as in the following syntax:

attrName e-mail|locale|charset e-mail|locale|charset .....

attrName e-mail|locale|charset e-mail|locale|charset .....

The self keyword may be used in place of one of the addresses. This sends mail to the user whose profile was modified.

For example:

manager someuser@sun.com|self|admin@sun.com

When the manager attribute is modified, mail is sent to someuser@sun.com, to admin@sun.com and, through the self keyword, to the user whose profile was modified.

The notification list also accepts different locales by using the |locale option. For example, to send the notification to an administrator in France:

manager someuser@sun.com|self|admin@sun.com|fr

See Table 19-1 for a list of locales.


Note

The attribute name is the same as it appears in the Directory Server schema, and not as the display name in the console.


Maximum Entries Per Page

This attribute allows you to define the maximum rows that can be displayed per page. The default is 25. For example, if a user search returns 100 rows, there will be 4 pages with 25 rows displayed in each page.

Display Options

This attribute allows you to add values that configure the display options in the Identity Server console. Enter the value and click Add. The possible values are as follows:

Table 16-1  Display Options Values

Parameter

Description and Syntax

generateUserCN

When set to true, this parameter dynamically generates the User CN when the user is created. The default is false. Syntax:

generateUserCN=[false|true]

userAttributeNameForProfileTitle

Determines the value of the user attribute displayed on the title of the User Profile Page. uid is the default.

Syntax:

userAttributeNameForProfileTitle=[uid|userAttribute]

autoSelect

When set to true (default), this parameter enables Identity Server to automatically select the first item of a given identity object type in the Navigation view.

Syntax:

autoselect=[true|false]

disableInitialSearch

This value disables the initial Identity Server search for one or more identity object types. Disabling the initial search decreases the time needed to display the Identity Server console. The service attribute in the console that corresponds to this directive is Display Options, an organization attribute in the Administration Service. This console option takes precedence over any value defined for com.iplanet.am.console.display.off in AMConfig.properties. If you configure this property in AMConfig.properties, do not also configure it in the console (and vice versa).

Syntax (multiple values are delimited by a comma):

disableInitialSearch=[users|organizations|peopleContainers|organizationalUnits|roles|groups|policies]

defaultUserView

This parameter sets the default view in the View menu of the User Profile page. All values are set by default.

Syntax:

defaultUserView=[roles|groups|services|iPlanetAMUserService|service name]

defaultGroupView

This parameter sets the default view in the View menu of the Group Profile page. All values are set by default.

Syntax:

defaultGroupView=[general|users]

defaultRoleView

This parameter sets the default view in the View menu of the Role Profile page. All values are set by default.

Syntax:

defaultRoleView=[general|users|services]

defaultPolicyView

This parameter sets the default view in the View menu of the Policy Profile page. All values are set by default.

Syntax:

defaultPolicyView=[general|rules|subjects|referrals|conditions]

defaultFederationHostedProviderView

This parameter sets the default view in the View menu of the Hosted Provider Profile page of the Federation Management module. All values are set by default. Syntax:

defaultFederationHostedProviderView=[general|serviceProvider|identityProvider|authenticationDomain|trustedProviders|identityServerConfiguration]

defaultFederationRemoteProviderView

This parameter sets the default view in the View menu of the Remote Provider Profile page of the Federation Management module. All values are set by default. Syntax:

defaultFederationRemoteProviderView=[general|serviceProvider|identityProvider|authenticationDomain]

rootNavMenu

This parameter sets the default view of identity objects in the root suffix navigation view. All values are set by default.

Syntax:

rootNavMenu=[organizations|organizationalUnits|groupContainers|peopleContainers|roles|groups|users|policies]

organizationNavMenu

This parameter sets the default view of identity objects in the Organization navigation view. All values are set by default.

Syntax:

organizationNavMenu=[organizations|organizationalUnits|groupContainers|peopleContainers|roles|groups|users|policies]

groupContainerNavMenu

This parameter sets the default view of identity objects in the Group Container navigation view. All values are set by default.

Syntax:

groupContainerNavMenu=[groupContainers|groups]

peopleContainerNavMenu

This parameter sets the default view of identity objects in the People Container navigation view. All values are set by default.

Syntax:

peopleContainerNavMenu=[peopleContainers|users]

federationNavMenu

This parameter sets the default view of identity objects in the Federation Management module navigation view. All values are set by default.

Syntax:

federationNavMenu=[authenticationDomains|hostedProviders|remoteProviders]

userProfileMenu

This parameter sets the sub-view menu entries in the User Profile page. All values are set by default.

Syntax:

userProfileMenu=[roles|groups|services|iPlanetAMUserService|service name]

groupProfileMenu

This parameter sets the sub-view menu entries in the Group Profile page. All values are set by default.

Syntax:

groupProfileMenu=[general|users]

roleProfileMenu

This parameter sets the sub-view menu entries in the Role Profile page. All values are set by default.

Syntax:

roleProfileMenu=[general|users|services]

policyProfileMenu

This parameter sets the sub-view menu entries in the Policy Profile page. All values are set by default.

Syntax:

policyProfileMenu=[general|rules|subjects|referrals|conditions]

federationRemoteProviderProfileMenu

This parameter sets the sub-view menu entries in the Federation Remote Provider Profile page. All values are set by default.

Syntax:

federationRemoteProviderProfileMenu=[general|serviceProvider|identityProvider|authenticationDomain]

federationHostedProviderProfileMenu

This parameter sets the sub-view menu entries in the Federation Hosted Provider Profile page. All values are set by default.

Syntax:

federationHostedProviderProfileMenu=[general|serviceProvider|identityProvider|authenticationDomain|trustedProviders|identityServerConfiguration]
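Because a misspelled Display Options value is not reported by the console and simply has no effect, it is worth checking entries against Table 16-1 before adding them. The following Python validator is an added example, not Identity Server code; its allowed-value table is transcribed from the table above, option names are matched case-insensitively (the guide writes both autoSelect and autoselect), and free-form values such as an attribute name or a service name are accepted as given. The sample entries at the bottom are constructed and include one misspelled value and one unknown option.

```python
from typing import Dict, List, Optional, Set

# Allowed values transcribed from Table 16-1.  None marks a free-form value
# (an attribute name, or a view list that may include any service name).
BOOL = {"true", "false"}
POLICY_VIEWS = {"general", "rules", "subjects", "referrals", "conditions"}
HOSTED_VIEWS = {"general", "serviceProvider", "identityProvider",
                "authenticationDomain", "trustedProviders",
                "identityServerConfiguration"}
REMOTE_VIEWS = {"general", "serviceProvider", "identityProvider",
                "authenticationDomain"}
NAV_OBJECTS = {"organizations", "organizationalUnits", "groupContainers",
               "peopleContainers", "roles", "groups", "users", "policies"}

ALLOWED: Dict[str, Optional[Set[str]]] = {
    "generateUserCN": BOOL,
    "userAttributeNameForProfileTitle": None,
    "autoSelect": BOOL,
    "disableInitialSearch": {"users", "organizations", "peopleContainers",
                             "organizationalUnits", "roles", "groups", "policies"},
    "defaultUserView": None,
    "defaultGroupView": {"general", "users"},
    "defaultRoleView": {"general", "users", "services"},
    "defaultPolicyView": POLICY_VIEWS,
    "defaultFederationHostedProviderView": HOSTED_VIEWS,
    "defaultFederationRemoteProviderView": REMOTE_VIEWS,
    "rootNavMenu": NAV_OBJECTS,
    "organizationNavMenu": NAV_OBJECTS,
    "groupContainerNavMenu": {"groupContainers", "groups"},
    "peopleContainerNavMenu": {"peopleContainers", "users"},
    "federationNavMenu": {"authenticationDomains", "hostedProviders", "remoteProviders"},
    "userProfileMenu": None,
    "groupProfileMenu": {"general", "users"},
    "roleProfileMenu": {"general", "users", "services"},
    "policyProfileMenu": POLICY_VIEWS,
    "federationRemoteProviderProfileMenu": REMOTE_VIEWS,
    "federationHostedProviderProfileMenu": HOSTED_VIEWS,
}
# Options that take exactly one value; the rest accept a comma-delimited list.
SINGLE_VALUED = {"generateUserCN", "userAttributeNameForProfileTitle", "autoSelect"}
_BY_LOWER = {key.lower(): key for key in ALLOWED}  # option names matched case-insensitively


def validate(entries: List[str]) -> List[str]:
    """Return one message per problem found; an empty list means all entries are valid."""
    problems: List[str] = []
    for raw in entries:
        key, sep, value = (part.strip() for part in raw.strip().partition("="))
        if not sep or not key:
            problems.append(f"{raw!r}: expected option=value")
            continue
        canon = _BY_LOWER.get(key.lower())
        if canon is None:
            problems.append(f"{key}: unknown display option")
            continue
        values = [v.strip() for v in value.split(",")]
        if any(v == "" for v in values):
            problems.append(f"{canon}: empty value")
            continue
        if canon in SINGLE_VALUED and len(values) > 1:
            problems.append(f"{canon}: takes a single value")
        allowed = ALLOWED[canon]
        if allowed is not None:
            for v in values:
                if v not in allowed:
                    problems.append(f"{canon}: unknown value {v!r} "
                                    f"(allowed: {', '.join(sorted(allowed))})")
    return problems


# Constructed entries; the second has a misspelled value and the last an unknown option.
SAMPLE_ENTRIES = [
    "generateUserCN=true",
    "disableInitialSearch=users,organizaitons",
    "autoselect=false",
    "defaultPolicyView=general,rules",
    "bogusOption=1",
]

if __name__ == "__main__":
    for problem in validate(SAMPLE_ENTRIES):
        print(problem)
```

Run against SAMPLE_ENTRIES, validate reports the misspelled organizaitons value and the unknown bogusOption; the other three entries pass.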

Event Listener Classes

This attribute contains a list of listeners that receive creation, modification and deletion events from the Identity Server console.

Pre and Post Processing Classes

This field defines a list of implementation classes, supplied as plug-ins that extend the com.iplanet.am.sdk.AMCallBack class, to receive callbacks during pre- and post-processing operations for users, organizations, roles and groups. The operations are:

You must enter the full class name of the plug-in. For example:

com.iplanet.am.sdk.AMCallBackSample

You must then change the class path of your web container (from the Identity Server installation base) to include the full path to the location of the plug-in class.

External Attributes Fetch Enabled

This option enables callbacks for plug-ins to retrieve external attributes (any external application-specific attribute). External attributes are not cached in the Identity Server SDK, so this attribute lets you enable attribute retrieval per organization. By default, this option is not enabled.





Copyright 2003 Sun Microsystems, Inc. All rights reserved.