Sun ONE Instant Messaging 6.1
Chapter 4
Managing Instant Messaging and Presence Policies
The Sun ONE Instant Messaging server provides various functional features such as chat, conferencing, polls, presence access, etc. A policy describes a set of access control privileges that can be associated with these features. In turn, end users and groups can be assigned to policies according to the needs of an organization.
This chapter describes how to define and use policies to manage the access that end users and administrators have to the Sun ONE Instant Messaging server features and privileges:
Methods for Controlling End User and Administrator Privileges
Managing Policies Using Access Control Files
Managing Policies using Sun ONE Identity Server
Methods for Controlling End User and Administrator Privileges
Different sites using Sun ONE Instant Messaging server have different needs in terms of enabling and restricting the type of access end users have to the Instant Messaging service. The process of controlling end user and administrator Sun ONE Instant Messaging server features and privileges is referred to as policy management. There are two methods of policy management available: through access control files or through Sun ONE Identity Server.
Introduction to Managing Policies Using Access Control Files
The access control file method for managing policies allows you to adjust end-user privileges in the following areas: news channel management, conference room management, the ability to change preferences in the User Settings dialog, and ability to send alerts. It also allows specific end users to be assigned as system administrators.
Introduction to Managing Policies Using Sun ONE Identity Server
Managing policies through Sun ONE Identity Server gives you control of the same privileges available with the access control file method; in addition, it allows finer-grained control over various features, such as the ability to receive alerts, send polls, receive polls, etc. For a complete list, refer to Table 4-4.
Two types of policies exist: Instant Messaging policies and Presence policies. The Instant Messaging policies govern general Instant Messaging features, such as the ability to send or receive alerts; the ability to manage public conferences and news channels; and the ability to send files. Presence policies govern the control end users have over changing their online status, and in allowing or preventing others from seeing their online or presence information.
Managing Policies: The Method to Use
When choosing which method to use to manage policies, it is also necessary to choose where they will be stored. You select the method for managing policies by editing the iim.conf file and setting the iim.policy.modules parameter to either identity for the Sun ONE Identity Server method or iim_ldap for the access control file method, which is also the default method.
If you will use an LDAP-only deployment—therefore, you will not be using Sun ONE Identity Server—you must use the access control file method. If you are using Sun ONE Identity Server with the Sun ONE Instant Messaging server, and you have installed the Instant Messaging and Presence services components, you can use either policy management method. Please note that managing policies using Sun ONE Identity Server is a more comprehensive method. One advantage of this method is that it allows you to store all end-user information in the directory.
The specific steps for setting which method you want to use to manage policies are as follows:
- Change directories to the directory that contains the iim.conf file.
- Open the iim.conf file using an editor of your choice.
- Edit the iim.policy.modules parameter, setting it to identity (policies managed through Sun ONE Identity Server) or iim_ldap (policies managed through access control files; the default).
- Edit the iim.userprops.store parameter and set it to either:
- Save your changes.
- Refresh the configuration.
Policy Configuration Parameters
Table 4-1 lists and describes the new parameters available in the iim.conf file that relate to the increased role that Sun ONE Identity Server can play in Instant Messaging deployments:
Note
Currently the iim.userprops.store parameter is only significant when the service definitions for the Presence and Instant Messaging services have been installed.
Managing Policies Using Access Control Files
By editing access control files you control the following end-user privileges:
By default, end users are provided the privileges to access the presence status of other end users, send alerts to end users, and save properties to the server. In most of the deployments, the default values need not be changed.
The access control files are located in:
Table 4-2 lists the global access control files for Sun ONE Instant Messaging and the privileges these files provide end users.
Access Control File Format
The access control file contains a series of entries that define the privileges. Each entry starts with a tag as follows:
Each tag is followed by a colon (:). The d: (default) tag is followed by true or false.
The u: (end-user) and g: (group) tags are followed by the end-user or group name.
To grant a privilege to several end users or groups, add one u: or g: entry per line.
If default is set to true, all other entries in the file are redundant. If default is set to false, only the end users and groups specified in the file will have that particular privilege.
The following are the default d: tag entries in the ACL files for a new installation:
Note
The format and also the existence of all the access control files might change in future releases of the product.
Access Control File Examples
This section shows a sample access control file, sysTopicsAdd.acl, with privileges set. For information about access control files at the conference room and news channel level (that is, roomname.acl and newschannel.acl), see "Conference Room and News Channel Access Controls".
sysTopicsAdd.acl File
In the following example, the default d: tag entry for the sysTopicsAdd.acl file is false. Therefore, the Add and Delete news channel privileges are available only to the end users and groups listed before the default entry, namely user1, user2, and the sales group.
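The following Python script is an added example, not code from the product or from this guide. It implements the entry semantics described above (a d: default of true or false, plus u: and g: entries) so that an administrator can check which end users an access control file actually grants a privilege to before deploying it. The sample file content is constructed here to match the sysTopicsAdd.acl discussion; group membership is supplied by the caller, since this example does not query the directory, and names are compared exactly as written, which is an assumption about how the server matches them.

```python
"""Parse and evaluate a Sun ONE Instant Messaging global access control file.

Added example (not part of the product). Semantics implemented, as described
in this chapter:
  d:true|false   privilege default for everyone not explicitly listed
  u:<user>       grant the privilege to one end user
  g:<group>      grant the privilege to every member of a group
If d: is true, every u:/g: entry is redundant; if false, only listed
end users and groups receive the privilege.
"""
from typing import Iterable, List, Optional, Set

# Constructed sample corresponding to the sysTopicsAdd.acl example above:
# user1, user2 and the sales group may add/delete news channels; nobody else.
SAMPLE_ACL = """\
u:user1
u:user2
g:sales
d:false
"""


class AccessControlFile:
    def __init__(self) -> None:
        self.default: Optional[bool] = None
        self.users: Set[str] = set()
        self.groups: Set[str] = set()

    @classmethod
    def parse(cls, text: str) -> "AccessControlFile":
        """Parse file content, rejecting anything outside the documented format."""
        acl = cls()
        for lineno, raw in enumerate(text.splitlines(), 1):
            line = raw.strip()
            if not line:                       # assumption: blank lines are ignored
                continue
            tag, sep, value = line.partition(":")
            tag, value = tag.strip(), value.strip()
            if not sep or not value:
                raise ValueError(f"line {lineno}: expected tag:value, got {raw!r}")
            if tag == "d":
                if acl.default is not None:
                    raise ValueError(f"line {lineno}: duplicate d: entry")
                if value.lower() not in ("true", "false"):
                    raise ValueError(f"line {lineno}: d: must be true or false, got {value!r}")
                acl.default = value.lower() == "true"
            elif tag == "u":
                acl.users.add(value)           # assumption: exact-match user names
            elif tag == "g":
                acl.groups.add(value)          # assumption: exact-match group names
            else:
                raise ValueError(f"line {lineno}: unknown tag {tag!r}")
        if acl.default is None:
            # Refuse to guess: a missing default would silently widen or narrow access.
            raise ValueError("no d: entry found")
        return acl

    def grants(self, user: str, groups: Iterable[str] = ()) -> bool:
        """True if the privilege applies to `user`, who belongs to `groups`."""
        if self.default:
            return True
        return user in self.users or not self.groups.isdisjoint(groups)

    def lint(self) -> List[str]:
        """Warnings an administrator would want before deploying the file."""
        warnings: List[str] = []
        if self.default and (self.users or self.groups):
            warnings.append("d:true makes all u:/g: entries redundant; "
                            "the privilege is granted to everyone")
        if self.default is False and not (self.users or self.groups):
            warnings.append("d:false with no u:/g: entries grants the privilege to nobody")
        return warnings


def check_privilege(acl_text: str, user: str, groups: Iterable[str] = ()) -> bool:
    """Convenience wrapper: parse the file content and evaluate one end user."""
    return AccessControlFile.parse(acl_text).grants(user, groups)


if __name__ == "__main__":
    acl = AccessControlFile.parse(SAMPLE_ACL)
    for who, member_of in [("user1", []), ("bob", ["sales"]), ("bob", ["marketing"])]:
        print(f"{who} in {member_of or '-'}: {acl.grants(who, member_of)}")
    print("warnings:", acl.lint())
```

Run the script against the content of each global access control file after editing it; a d:true entry combined with u: or g: lines is reported as redundant, matching the rule stated above, and a file with no d: line is rejected rather than evaluated with a guessed default.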
Changing End User Privileges
To change end user privileges:
Managing Policies using Sun ONE Identity Server
The Instant Messaging and Presence services in Sun ONE Identity Server provide another way to control end user and administrator privileges. Each service has three types of attributes: dynamic, user, and policy. A policy attribute is the type of attribute used to set privileges.
Policy attributes become a part of the rules when rules are added to a policy created in Identity Server to allow or deny administrator and end-user involvement in various Instant Messaging features, such as receiving poll messages from others.
When Sun ONE Instant Messaging server is installed with Sun ONE Identity Server, several example policies and roles are created. See the Sun ONE Identity Server Getting Started Guide and the Sun ONE Identity Server Administration Guide for more information about policies and roles.
Furthermore, if the example policies are not sufficient, you can create new policies and assign those policies to a role, group, organization, or end user as needed to match your site’s needs.
When the Instant Messaging service or the Presence service is assigned to end users, they receive the dynamic and user attributes applied to them. The dynamic attributes can be assigned to a Sun ONE Identity Server configured role or organization.
When a role is assigned to an end user or an end user is created in an organization, the dynamic attributes then become a characteristic of the end user. The user attributes are assigned directly to each end user. They are not inherited from a role or an organization and, typically, are different for each end user.
When end users log on, they get all the attributes that are applicable to them depending upon which roles are assigned to them and how the policies are applied.
Dynamic, user or policy attributes are associated with end users after assigning the Presence and Instant Messaging Services to these end users.
Instant Messaging Service Attributes
Table 4-3 lists the policy, dynamic, and user attributes that each service has:
For each attribute in the preceding table, a corresponding label appears in the Identity Server admin console. The following two tables list each attribute with its corresponding label and a brief description. Table 4-4 lists and describes the policy attributes and Table 4-5 lists and describes the dynamic and user attributes.
Modifying Attributes Directly
An end user can log into the Sun ONE Identity Server admin console and view the values of attributes in the Instant Messaging and Presence services. If the attributes have been defined as modifiable, end users can alter them. However, by default no attributes in the Instant Messaging service are modifiable, and allowing end users to modify them is not recommended. From the standpoint of system administration, however, manipulating attributes directly can be useful.
For example, since roles do not affect some system attributes, such as conference subscriptions, system administrators might want to modify the values of these attributes by copying them from another end user (such as from a conference roster) or by modifying them directly. These attributes are listed in Table 4-5.
In reference to Table 4-5, user attributes can be set by end users through the Sun ONE Identity Server admin console. Dynamic attributes are set by the administrator. A value set for a dynamic attribute either overrides or is combined with the corresponding user attribute value.
The nature of corresponding dynamic and user attributes influences how conflicting and complementing information is resolved. For example, Conference Subscriptions from two sources (dynamic and user) complement each other; therefore, the subscriptions are merged. Neither attribute overrides the other.
Pre-Defined Examples of Instant Messaging and Presence Policies
Table 4-6 lists and describes the seven example policies and roles that are created in Sun ONE Identity Server when the Instant Messaging service component is installed. You can add end users to different roles according to the access control you want to give them.
A typical site might want to assign the role IM Regular User (a role that receives the default Instant Messaging and Presence access) to end users who simply use Instant Messenger, but have no responsibilities in administering Instant Messaging policies. The same site might assign the role of IM Administrator (a role associated with the ability to administer Instant Messaging and Presence services) to particular end users with full responsibilities in administering Instant Messaging policies. Table 4-7 lists the default assignment of privileges amongst the policy attributes. If an action is not selected in a rule, the values allow and deny are not relevant as the policy then does not affect that attribute.
Creating New Instant Messaging Policies
You can create new policies to fit the specific needs of your site.
To Create a New Policy
- Log on to the Sun ONE Identity Server admin console at http://hostname:port/amconsole, for example http://imserver.company22.example.com:80/amconsole
- With the Identity Management tab selected, select Policies in the View drop down list in the navigation pane (the lower-left frame).
- Click New to bring up the New Policy page in the data pane (the lower-right frame).
- Select Normal for the Type of Policy.
- Enter a policy description in the Name field, such as Ability to Perform IM Task.
- Click Create to make the name of the new policy appear on the policy list in the navigation pane and to make the page in the data pane change to the Edit page for your new policy.
- In the Edit page, select Rules in the View drop down list to bring up the Rule Name Service Resource panel inside the Edit page.
- Click Add to bring up the Add Rule page.
- Select the Service that applies, either Instant Messaging Service or Presence Service.
Each service enables you to allow or deny end users the ability to perform specific actions. For example, Ability to Chat is an action specific to the Instant Messaging service while Ability to Access other’s Presence is an action specific to the Presence service.
- Enter a description for a rule in the Rule Name field, such as Rule 1.
- Enter the appropriate Resource Name (IMResource or PresenceResource):
- Select the Actions that you want to apply.
- Select the Value for each action: Allow or Deny.
- Click Create to display this proposed rule in the list of saved rules for that policy.
- Click Save to make this proposed rule a saved rule.
- Repeat steps 8-15 for any additional rules that you want to apply to that policy. For each new rule, click Save to save the changes to the policy.
Assigning Policies to a Role, Group, Organization, or User
You can assign policies—the default policies for Instant Messaging or Instant Messaging policies that might have been created after Instant Messaging was installed—to a role, group, organization, or user.
To Assign a Policy
- Log on to the Sun ONE Identity Server admin console at http://hostname:port/amconsole, for example http://imserver.company22.example.com:80/amconsole
- With the Identity Management tab selected, select Policies in the View drop down list in the navigation pane (the lower-left frame).
- Click the arrow next to the name of the policy you want to assign in order to bring up the Edit page for that policy in the data pane (the lower-right frame).
- In the Edit page, select Subjects in the View drop down list.
- Click Add to bring up the Add Subject page, which lists the possible subject types:
- Select the subject type that matches the policy, such as Organization.
- Click Next
- In the Name field, enter a description of the subject.
- If desired, select the Exclusive check box.
The Exclusive check box is not selected as the default setting, which means that the policy applies to all members of the subject.
Selecting the Exclusive check box applies the policy to everyone who is not a member of the subject.
- In the Available field, search for entries that you want to add to your subject.
- Type a search for the entries you want to search for. The default search is *, which displays all the subjects for that subject type.
- Click search.
- Highlight entries in the Available text box that you want to add to the Selected text box.
- Click Add or Add All, whichever applies.
- Repeat steps a-d until you have added all the names you want to the Selected text box.
- Click Create to display this proposed subject in the list of saved subjects for that policy.
- Click Save to make this proposed subject a saved subject.
- Repeat steps 5-12 for any additional subjects that you want to add to the policy. For each new subject, click Save to save the changes to the policy.
Creating New Suborganizations Using Identity Server
The ability to create suborganizations using Sun ONE Identity Server enables organizationally separate populations to be created within the Sun ONE Instant Messaging server. Each suborganization can be mapped to a different DNS domain. End users in one suborganization are completely isolated from those in another. The following describes minimal steps to create a new suborganization for Instant Messaging.
To Create a New Suborganization
- Log on to the Sun ONE Identity Server admin console at http://hostname:port/amconsole, for example http://imserver.company22.example.com:80/amconsole
- Create a new organization:
- Register services for the newly created suborganization.
- Click the name for the new suborganization, such as sub1, in the navigation pane (Be certain to click the name, not the property arrow at the right.).
- Select Services from the View drop down list in the navigation pane
- Click Register to bring up the Register Services page in the data pane.
- Select the following services:
Under the Authentication heading:
- Click Register to bring up the newly selected services for this suborganization in the navigation pane.
- Create service templates for the newly selected services:
- In the navigation pane, click the property arrow for a service, starting with the Core service.
The Create Service Template page appears in the data pane.
- In the data pane, click Create, which replaces the Create Service Template page with a page of template options for the service you have selected.
You should click Create for each service even when you do not want to modify the template options.
- Modify the options for the service template of each service as follows:
- Core: Generally, no options need to be modified; go to Step d.
- LDAP: Perform the following actions before going to Step d:
- Add the prefix of the new suborganization to the DN to Start User Search field. After adding the prefix, the final DN should be in this format:
o=sub1,dc=company22,dc=example,dc=com
- Enter the LDAP password in the Password for Root User Bind and Password for Root User Bind (confirm) fields.
- Instant Messaging Service: Generally, no options need to be modified; go to Step d.
- Presence Service: If you would like to make end-user presence information available to others by default (sites tend to choose this option), select the Dynamic Default Presence Visibility check box before going to Step d.
- Click Save.
- Repeat steps a through d until you have created service templates for each service.
Adding End Users to New Suborganizations
After new end users have been created in a suborganization they need to be assigned roles. Roles can be inherited from the parent organization as described in the following section.
To Add End Users to a New Suborganization:
- Go to the parent organization and select Roles from the View drop down list. The specific steps are:
- Click on the property arrow to the right of the role you wish to assign in order to bring up a page for that role in the data pane (the lower-right frame).
- Select Users from the View drop down list in the data pane.
- Click Add to bring up the Add Users page.
- Enter a matching pattern to identify users. For example, in the UserId field an asterisk,*, lists all users.
- Click Filter to bring up the Select User page.
- Display the parentage path in the Select User page:
- Select the users to be assigned to this role.
- Click Submit.
Migrating from the Instant Messaging Service of Sun ONE Instant Messaging 6.0 Server
Non-Migration Option
If your site used the Sun ONE Instant Messaging 6.0 server with the Sun ONE Identity Server 5.1 software to deploy the Instant Messaging service, the old attributes will be honored by the Sun ONE Instant Messaging 6.1 software. Policy attributes from the Sun ONE Instant Messaging 6.0 server, such as sunIMAllowFileTransfer and sunIMEnableModerator will override the same policy attributes set in the Sun ONE Instant Messaging 6.1 server.
Migration Option
However, the preferable method for handling the differences in the two Instant Messaging services is to migrate from the Instant Messaging service used for the Sun ONE Instant Messaging 6.0 software and to modify or create a Sun ONE Identity Server policy which uses the Instant Messaging Service and Presence Service from the Sun ONE Instant Messaging 6.1 software. You should define the new policy in such a way that it provides the same access control to your site as the old policy did.
For example, you can modify a rule in the Default Instant Messaging and presence access policy to set the deny or allow status of each of the policy’s attributes in order for the policy to demonstrate the same behavior that it demonstrated in the Sun ONE Instant Messaging 6.0 server or you can create a new policy with rules that will allow it to behave in the same manner as it did previously.
Migrating Access Control Files
If your site has been using an earlier version of Sun ONE Instant Messaging server (6.0 or earlier) and has set end-user privileges by editing access control files rather than through an Instant Messaging service (that is, you have not set policies through Sun ONE Identity Server), two methods are available for replicating the policy defined in the access control files as Sun ONE Identity Server policies:
Migrate Access Control File Information Manually
Migrate Access Control File Information Automatically
Migrate Access Control File Information Manually
The high-level steps for this method are as follows:
- Open each access control file (one at a time). For example, sysTopicsAdd.acl and sysRoomsAdd.acl.
For more information about the location and format of access control files, see "Managing Policies Using Access Control Files".
- In each file, read the value for the default line. The default line starts with the letter d followed by a colon (d:).
- In the Sun ONE Identity Server admin console within the Default instant messaging and presence access policy, set a rule to the same default value you read from the access control file.
- Assign all the regular Instant Messaging end users the role of IM Regular User
- For end users listed in these access control files who have different privileges, such as the ability to manage conference rooms or news channels, add them to the corresponding roles that have those privileges. See Table 4-6 for the role that each default policy applies to.
Migrate Access Control File Information Automatically
Instead of transferring the access control file information manually, you can perform a one-time migration of this information by issuing a command.
Type the following command:
imadmin migrate
This command transfers information from the global access control files to the corresponding policy and its subjects. See Table 4-8 for a list of the global access control files and the policies to which they map.
Migrate Sun ONE Instant Messenger Settings
For Sun ONE Instant Messaging 6.1 server, when the iim.userprops.store parameter is set to ldap in the iim.conf file, the Sun ONE Instant Messenger settings for end users are stored in the sunIMUserProperties user attribute.
If your site has used an earlier version of Sun ONE Instant Messaging server and the Sun ONE Instant Messenger settings have been stored in the user.properties file, after installing the Sun ONE Instant Messaging 6.1 server, the old settings will automatically be migrated to the sunIMUserProperties user attribute as end users log on, as long as the iim.userprops.store parameter is set to ldap in the iim.conf file.
When an end user first logs onto Sun ONE Instant Messaging 6.1 server, the server checks if the sunIMUserProperties user attribute exists and if it is storing the end user’s settings. If the end user’s settings are not found at that location, the server checks if a user.properties file exists for that end user. If the file exists, the server transfers information from the user.properties file to the sunIMUserProperties user attribute. However, if the user.properties file does not exist, the default Sun ONE Instant Messenger setting is the value assigned in the sunIMUserProperties user attribute for that end user.