Sun Java System Portal Server 6 2004Q2 Administration Guide 

Chapter 4
Configuring Delegated Administration

This chapter describes how to configure delegated administration for Sun Java™ System Portal Server.

This chapter contains these sections:

  Overview of Delegated Administration
  Delegated Administration Roles
  Developing a Delegated Administration Model
  Configuring Delegated Administration

Overview of Delegated Administration

As enterprises create larger and more complex portals, a centralized administration model is no longer viable. Delegated administration or Line of Business (LOB) administration addresses this issue by delegating or distributing the administration tasks to the actual portal users.

The Sun Java System Portal Server allows you to delegate administration functions to users by using roles. Role-based administration enables an enterprise to break its business into smaller organizations or lines of business (LOB) and then allows different users to administer the organizations, suborganizations, users, policy, roles, and channels of the LOB based on the user’s roles.

Table 4-1 lists and defines some important delegated administration terms as they apply in the Sun Java System Portal Server. The table contains two columns: the first column lists the term and the second column gives a brief description.

Table 4-1  Delegated Administration Terms

Term: Privilege
Description: The combination of a single resource and a single action that can be performed upon the resource (for example, view a static web page, view paystubs in a paycheck application, modify W-4 data in the paycheck application, and so on).

Term: Action
Description: An action is a procedure or operation that can be performed on a resource (for example, read a catalog, write a catalog, get email using POP, get email using IMAP, and so on).

Term: Resource
Description: A resource is something that can be abstractly represented in software and whose access is controlled and protected. In Sun Java System Identity Server, the Resource refers to the URL Access only.

Term: Top-level Admin role
Description: A role that has complete management rights to all policy and identity settings.

Term: Organization admin role
Description: A role that has complete management rights to policy and identity settings for an organization.

Term: Line of Business (LOB)
Description: Line of business capabilities are administration capabilities that can be done by a business analyst or equivalent position. LOB administrators are able to perform administrative tasks that do not require Top-level Admin capabilities to complete. Typically, LOB capabilities, such as adding or removing users to and from roles that grant access to resources, would be available only within their sphere of interest.

Term: Role administrator role
Description: A role administrator role is a role with the access permissions to administer some other specific roles and a certain set of user objects, for example, adding or removing users from a role or editing role level attributes.

Term: Role administrator
Description: Role administrators are users to whom role administrator roles have been assigned.

Delegated Administration Roles

The Sun Java System Identity Server administration console provides role-based delegated administration capabilities to different kinds of administrators to manage organizations, users, policy, roles, and channels based on the given permissions.

The Sun Java System Identity Server administration console provides a number of predefined administrator roles for delegating administration functions. They are as follows:

For detailed information on these roles, refer to the Sun Java System Identity Server product documentation.


Note

Sun Java System Identity Server also implements three other roles: Top-level Admin, Top-level Help Desk Admin, and Deny Write Access. These roles are created during installation and exist only at the root of the installation. New organizations do not get these three roles. By default, when a new organization is created, three roles are created with it: Organization Admin, Organization Help Desk Admin, and People Admin.


You can use these predefined administrator roles to set up your delegated administration implementation if their function fits the need. For example, if the directory structure for your model comprises an organization with multiple suborganizations, you could assign Organization Admin roles to users to create delegated administrators for each of the suborganizations. However, if the organizational structure of your enterprise is more complicated, you might want to create a delegated administration model that targets your specific needs. To do this, the Sun Java System Identity Server administration console allows you to define delegated administrator roles with privileges specific to your business needs.

To implement an enterprise-specific delegated administration model, there are three critical conceptual roles:

  Top-level Admin Role
  Organization Admin Role
  Role Administrator Role

The Top-level Admin Role is created when the system is set up, and the Organization Admin Role is created automatically when a new organization is set up. The Role Administrator Role is a role you create based on the requirements of the delegated administration model. The access permissions for the Role Administrator Role are defined by directly editing the corresponding Access Control Instructions (ACIs).

In a delegated administration, the following principles apply:


Developing a Delegated Administration Model

In order to delegate administration functions for the Sun Java System Portal Server appropriately, you should develop a delegated administration model to help determine the administration roles required for your enterprise. Consider the following when developing your model:


Configuring Delegated Administration

The high-level steps that you perform to configure a delegated administration implementation for the Sun Java System Portal Server are:

  1. Defining the ACI settings for the Role Administrator Roles
  2. Creating new Admin Roles for the delegation model
  3. Assigning Role Administrator Roles to users
  4. Configuring Additional Restrictions on a Role

Defining the ACI Settings for Role Administrator Roles

To configure the appropriate privileges for any of the role administrator roles you identified in your delegation model, you must define the appropriate permissions in an ACI for each unique role in your delegation model. You can define an ACI permission template for a role using the Sun Java System Identity Server administration console or the Directory Server console. You can also define an ACI for a specific role using the ldapmodify command.

Use the following format when defining ACI permission templates in the Sun Java System Identity Server administration console or with the Directory Server console:

permission_name | aci_desc | dn:aci ## dn:aci ## dn:aci

where:

permission_name is the name of the permission.

aci_desc is a text description of the access these ACIs allow.

dn:aci represents pairs of DNs and ACIs separated by ##. Sun Java System Identity Server sets each ACI in the associated DN entry.

This format also supports tags that can be substituted for values that would otherwise have to be specified literally in an ACI: ROLENAME, ORGANIZATION, GROUPNAME, and PCNAME. Using these tags lets you define roles flexible enough to be used as defaults. When a role is created based on one of the default roles, the tags in the ACI resolve to values taken from the DN of the new role.

For detailed information on setting ACIs, refer to the Sun Java System Identity Server Programmer's Guide.
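The following Python is added here as an example; it is not from the guide or from Identity Server. It parses a permission template in the format above, resolves the ROLENAME and ORGANIZATION tags for a given role DN, and renders the LDIF that the command-line procedure below passes to ldapmodify. How Identity Server itself derives tag values from the role DN is assumed (ROLENAME as the role's cn, ORGANIZATION as the remainder of the DN), and the sample template is constructed. It also refuses an ACI whose roledn names a role other than the one the template is for, a check worth running before loading any template.

```python
"""Added example (not from the Sun guide): parse a Default Role Permissions
(ACIs) template, 'permission_name | aci_desc | dn:aci ## dn:aci', resolve its
ROLENAME and ORGANIZATION tags for a concrete role DN, and render LDIF for
ldapmodify. The tag rule (ROLENAME = role cn, ORGANIZATION = rest of DN) is assumed."""
import re

def parse_template(template: str) -> tuple:
    """Split 'name | desc | dn:aci ## dn:aci' into (name, desc, [(dn, aci), ...])."""
    fields = [f.strip() for f in template.split("|", 2)]
    if len(fields) != 3:
        raise ValueError("expected permission_name | aci_desc | dn:aci [## dn:aci ...]")
    name, desc, pairs = fields
    entries = []
    for pair in pairs.split("##"):
        dn, _, aci = pair.strip().partition(":")  # first ':' separates DN from ACI
        aci = aci.strip()
        if aci.lower().startswith("aci:"):        # the guide writes 'dn:aci: (target=...'
            aci = aci[4:].strip()
        if not dn or not aci.startswith("("):
            raise ValueError(f"malformed dn:aci pair: {pair!r}")
        entries.append((dn, aci))
    return name, desc, entries

def resolve_tags(text: str, role_dn: str) -> str:
    """Replace ROLENAME / ORGANIZATION with values from the role DN (assumed rule)."""
    cn, _, org = role_dn.partition(",")
    values = {"ROLENAME": cn.split("=", 1)[1], "ORGANIZATION": org}
    return re.sub(r"\b(ROLENAME|ORGANIZATION)\b", lambda m: values[m.group(1)], text)

def granted_roles(aci: str) -> list:
    """Every roledn the ACI grants to; a role's template should name only that role."""
    return re.findall(r'roledn\s*=\s*"ldap:///([^"]+)"', aci)

def build_ldif(template: str, role_dn: str) -> str:
    """Resolve tags, refuse ACIs that grant to some other role, and render LDIF."""
    _, _, entries = parse_template(template)
    by_dn = {}
    for dn, aci in entries:
        dn, aci = resolve_tags(dn, role_dn), resolve_tags(aci, role_dn)
        stray = [r for r in granted_roles(aci) if r != role_dn]
        if stray:
            raise ValueError(f"ACI grants to a different role: {stray}")
        by_dn.setdefault(dn, []).append(aci)
    records = []
    for dn, acis in by_dn.items():  # one modify record per DN, mods separated by '-'
        mods = "\n-\n".join(f"add: aci\naci: {a}" for a in acis)
        records.append(f"dn: {dn}\nchangetype: modify\n{mods}\n")
    return "\n".join(records)

# Constructed sample template with tags, modelled on the guide's JDCAdmin1 ACIs.
SAMPLE = (
    "ROLENAME|Read users and the JDC role|"
    'ORGANIZATION:aci: (target="ldap:///ou=people,ORGANIZATION")(targetattr="*")(version 3.0; '
    'acl "Allow ROLENAME to read users"; allow (read,search) roledn="ldap:///cn=ROLENAME,ORGANIZATION";)'
    '##ORGANIZATION:aci: (target="ldap:///ORGANIZATION")(targetfilter="(entrydn=cn=JDC,ORGANIZATION)")'
    '(targetattr="*")(version 3.0; acl "Allow ROLENAME to read JDC"; allow (read,search) '
    'roledn="ldap:///cn=ROLENAME,ORGANIZATION";)'
)
```

Calling build_ldif(SAMPLE, "cn=JDCAdmin1,dc=sesta,dc=com") yields one modify record for dc=sesta,dc=com with two add: aci modifications, ready to be written to a file such as acis.ldif.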


Note

In these example ACI definitions, the root suffix is assumed to be dc=sesta,dc=com.


To Define an ACI Using the Command Line

  1. Create a text file containing the ACI settings for use with the ldapmodify command. For example, the following file, acis.ldif, contains ACI definitions for two roles called JDCAdmin1 and JDCAdmin2.

    dn: dc=sesta,dc=com
    changetype: modify
    # aci for JDCAdmin1 role
    # This role can add/delete users from JDC role
    add: aci
    aci: (target="ldap:///ou=people,dc=sesta,dc=com")(targetattr="*")(version 3.0; acl "Allow JDCAdmin1 Role to read and search users"; allow (read,search) roledn="ldap:///cn=JDCAdmin1,dc=sesta,dc=com";)
    -
    add: aci
    aci: (target="ldap:///dc=sesta,dc=com")(targetfilter="(entrydn=cn=JDC,dc=sesta,dc=com)")(targetattr="*")(version 3.0; acl "Allow JDCAdmin1 Role to read and search JDC Role"; allow (read,search) roledn="ldap:///cn=JDCAdmin1,dc=sesta,dc=com";)
    -
    # The targetfilter excludes users who already hold an administrative role, and
    # targattrfilters limits the write to adding or removing the cn=JDC value of
    # nsroledn, so JDCAdmin1 cannot assign any other role.
    add: aci
    aci: (target="ldap:///ou=people,dc=sesta,dc=com")(targetattr="nsroledn")(targetfilter="(!(|(nsroledn=cn=Top-level Admin Role,dc=sesta,dc=com)(nsroledn=cn=Top-level Help Desk Admin Role,dc=sesta,dc=com)(nsroledn=cn=Organization Admin Role,dc=sesta,dc=com)(nsroledn=cn=Top-level Policy Admin Role,dc=sesta,dc=com)))")(targattrfilters="add=nsroledn:(nsroledn=cn=JDC,dc=sesta,dc=com),del=nsroledn:(nsroledn=cn=JDC,dc=sesta,dc=com)")(version 3.0; acl "Allow JDCAdmin1 Role to add/remove users to JDC Role"; allow (write) roledn="ldap:///cn=JDCAdmin1,dc=sesta,dc=com";)
    -
    # aci for JDCAdmin2 role
    # This role can add/remove channels from the JDC role's display profile
    add: aci
    aci: (target="ldap:///cn=SunPortalDesktopService,dc=sesta,dc=com")(targetfilter="(cn=cn=JDC,dc=sesta,dc=com)")(targetattr="*")(version 3.0; acl "Allow JDCAdmin2 to edit display profile of JDC Role"; allow (all) roledn="ldap:///cn=JDCAdmin2,dc=sesta,dc=com";)
    -
    add: aci
    aci: (target="ldap:///dc=sesta,dc=com")(targetattr="*")(version 3.0; acl "Allow JDCAdmin2 to read and search all"; allow (read,search) roledn="ldap:///cn=JDCAdmin2,dc=sesta,dc=com";)

  2. Change directories to the Sun Java System Identity Server utilities directory. For example:

    cd /BaseDir/SUNWam/bin

  3. Set LD_LIBRARY_PATH to include IS_BASEDIR/SUNWam/ldaplib/solaris/sparc/ldapsdk.
  4. Execute the following command:

    ./ldapmodify -D "DS_DIRMGR_DN" -w DS_DIRMGR_PASSWORD -f /tmp/acis.ldif

  5. Log in to the Sun Java System Identity Server administration console as administrator.
  6. By default, Identity Management is selected in the location pane and Organizations is selected in the navigation pane.

  7. Navigate to the organization or suborganization to create a new role (such as JDCAdmin1 and JDCAdmin2).
    1. Choose Roles from the View menu and click New.
    2. The New Role page appears in the data pane.
    3. Enter the role information (Name, Description, Role Type, Access Permissions) and click Create (for example, a static role JDC with "Type=Service" and "Access Permissions=No Permissions").
    4. The new role appears in the navigation pane.

  8. Create a "Desktop" service template for the role you created.
    1. Choose Services from the View menu.
    2. Click the properties arrow next to the Desktop service.
    3. Accept or modify the default attribute values for the Desktop service and click Save.
  9. Create a tab in the role display profile (for example, the role display profile for JDC).
    1. Navigate to the role where the tab will be created.
    2. Choose Services from the View menu in the navigation pane.
    3. Click the properties arrow next to Desktop in the navigation pane.
    4. The Desktop attributes page appears in the data pane.
    5. In the Desktop page, click the Channel and Container Management link.
    6. The Channels page appears, with the container path set at the root.
    7. Click the Container that you want to add the channel or container to.
    8. The top of the page displays the container path where the channel will be added. Defined channels and containers, if any, appear in lists.
    9. Click Add to add a container channel or channel.
    10. To add a container channel, click Add under Container Channel. To add a channel, click Add under Channel.
    11. The Add Channel page appears.
    12. Type a channel name and select the type of provider from the menu.
    13. Click Create.
    14. Refer to Chapter 7, "Administering the Display Profile" for more information.

  10. Create a user (such as admin1 or admin2).
    1. Navigate to the role where the user will be created.
    2. Choose Users from the View menu and click New.
    3. The New User page appears in the data pane.
    4. Select the services to assign to the user and click Next.
    5. Enter the user information and click Create.
    6. The new user appears in the navigation pane.
  11. Assign a role to a user (such as JDCAdmin1 to admin1 or JDCAdmin2 to admin2).
    1. Navigate to the organization or suborganization where the role will be assigned.
    2. Choose Users from the View menu.
    3. Click the properties arrow next to the user who will be assigned the role.
    4. The user profile information appears in the data pane.
    5. Click Roles from the View menu in the data pane.
    6. The Add Roles page appears.
    7. Check the box next to the roles to assign and click Save.
    8. The Roles for this User box is updated with the assigned roles.
    9. Click Save to save the changes.
  12. Log out from the admin console.

To Define an ACI Using the Admin Console

  1. Log in to the Sun Java System Identity Server administration console as Top-level Admin.
  2. By default, Identity Management is selected in the location menu, and Organizations is selected in the navigation pane.

  3. Click Service Configuration in the location pane.
  4. Click the properties arrow next to the Administration service.
  5. The administration attributes appear in the data pane.

  6. In the Default Role Permissions (ACIs) entry field, type in the ACI definition and click Add. For example, for the JDCAdmin1 and JDCAdmin2 roles defined previously, you would enter the following:

    JDCAdmin1|Add/delete users from JDC role|dc=sesta,dc=com:aci: (target="ldap:///ou=people,dc=sesta,dc=com")(targetattr="*")(version 3.0; acl "Allow JDCAdmin1 Role to read and search users"; allow (read,search) roledn="ldap:///cn=JDCAdmin1,dc=sesta,dc=com";)##dc=sesta,dc=com:aci: (target="ldap:///dc=sesta,dc=com")(targetfilter="(entrydn=cn=JDC,dc=sesta,dc=com)")(targetattr="*")(version 3.0; acl "Allow JDCAdmin1 Role to read and search JDC Role"; allow (read,search) roledn="ldap:///cn=JDCAdmin1,dc=sesta,dc=com";)##dc=sesta,dc=com:aci: (target="ldap:///ou=people,dc=sesta,dc=com")(targetattr="nsroledn")(targetfilter="(!(|(nsroledn=cn=Top-level Admin Role,dc=sesta,dc=com)(nsroledn=cn=Top-level Help Desk Admin Role,dc=sesta,dc=com)(nsroledn=cn=Organization Admin Role,dc=sesta,dc=com)(nsroledn=cn=Top-level Policy Admin Role,dc=sesta,dc=com)))")(targattrfilters="add=nsroledn:(nsroledn=cn=JDC,dc=sesta,dc=com),del=nsroledn:(nsroledn=cn=JDC,dc=sesta,dc=com)")(version 3.0; acl "Allow JDCAdmin1 Role to add/remove users to JDC Role"; allow (write) roledn="ldap:///cn=JDCAdmin1,dc=sesta,dc=com";)

    JDCAdmin2|Add/remove channels from the JDC role|dc=sesta,dc=com:aci: (target="ldap:///cn=SunPortalDesktopService,dc=sesta,dc=com")(targetfilter="(cn=cn=JDC,dc=sesta,dc=com)")(targetattr="*")(version 3.0; acl "Allow JDCAdmin2 to edit display profile of JDC Role"; allow (all) roledn="ldap:///cn=JDCAdmin2,dc=sesta,dc=com";)##dc=sesta,dc=com:aci: (target="ldap:///dc=sesta,dc=com")(targetattr="*")(version 3.0; acl "Allow JDCAdmin2 to read and search all"; allow (read,search) roledn="ldap:///cn=JDCAdmin2,dc=sesta,dc=com";)

    The new ACI appears in the Default Role Permissions (ACIs) list.

  7. Click Save.

To Create a New Admin Role for the Delegation Model

Once you have created an ACI defining the permissions for a delegated administration role, you must create a role for using that ACI definition.

  1. Log in to the Sun Java System Identity Server administration console as Top-level Admin or Organization Admin.
  2. By default, Identity Management is selected in the location menu, and Organizations is selected in the navigation pane.

  3. Navigate to the organization or suborganization where the role will be created.
  4. All created organizations are displayed in the navigation pane.


    Note

    If this is a new organization, you must register all the services and create the appropriate templates. See Chapter 3, "Administering Authentication, Users, and Services" for more information.


  5. Choose Roles from the View menu and click New.
  6. The New Role page appears in the data pane.

  7. Enter a name, select static role, and click Next.
  8. Enter the description and choose Administrative as the type.
  9. Select the Access Permissions:
    1. If you created the ACI definition for the role using the Administration Console, select the role you created from the Access Permissions list.
    2. If you created the ACI definition for the role using the command line, select No Permissions as the role name will not be listed in the Access Permissions list.
  10. Click Create.
  11. The new role appears in the navigation pane.

To Assign a Role Administrator Role

  1. Log in to the Sun Java System Identity Server administration console as administrator.
  2. By default, Identity Management is selected in the location menu, and Organizations is selected in the navigation pane.

  3. Navigate to the organization or suborganization where the role was created.
  4. All created organizations are displayed in the navigation pane.

  5. Choose Roles from the View menu.
  6. Click the properties arrow for the role to assign.
  7. Choose Users from the View menu in the data pane and click Add.
  8. The Add Users page appears in the data pane.

  9. Specify the values for the fields to find the user to assign and click Filter.
  10. A list of users displays.

  11. Check the box next to the users to which to assign the role or click Select All to choose all the users.
  12. Click Submit.
  13. The list of users for this role box is updated with the assigned users.

To Configure Additional Restrictions on a Role Administrator Role

You can configure a role with a restricted set of capabilities. One common restriction you might want is a role with permissions to modify the display profile and perform content management functions, but that is restricted from viewing the rest of the Desktop attributes.

You can also set up delegated administrators with a start DN view. The start DN view is the directory location below which the delegated administrator can see and modify entities.

To configure additional restrictions on a role:

  1. Log in to the Sun Java System Identity Server administration console as administrator.
  2. By default, Identity Management is selected in the location menu, and Organizations is selected in the navigation pane.

  3. Navigate to the organization or suborganization containing the role to configure.
  4. All created organizations are displayed in the navigation pane.

  5. Choose Roles from the View menu.
  6. Select the role to configure.
  7. Select Services from the View menu.
  8. To restrict the role to only display profile or channel management capabilities, do the following:
    1. Click the Edit link for the Desktop service.
    2. Create a User service template at this role.
    3. The Desktop page appears in the data pane.

    4. Unselect the Show Desktop Attributes checkbox.
    5. Specify a DN in Admin DN Starting View.
    6. Click Save.

      Note

      If the Show Desktop Attributes checkbox is unselected, when users with this role access the Desktop services, they will not be able to see the Desktop attributes; they will only see the Channel and Container Management link. In addition, they will only be able to see the channels and containers defined at the role level.


  9. To restrict the role to a particular start DN, do the following:
    1. Click the Edit link for the User service.
    2. Create a User service template for the role.
    3. The User page appears in the data pane.

    4. Specify a DN in Admin DN Starting View. For example, cn=JDC, dc=sesta, dc=com.
    5. Click Save.




Copyright 2004 Sun Microsystems, Inc. All rights reserved.