Sun Java System Instant Messaging 6 2004Q2 Administration Guide
Chapter 4
Managing Instant Messaging and Presence Policies
The Sun Java System Instant Messaging server provides various functional features such as chat, conferencing, polls, presence access, etc. A policy describes a set of access control privileges that can be associated with these features. In turn, end users and groups can be assigned to policies according to the needs of an organization.
This chapter describes how to define and use policies to manage the access that end users and administrators have to the Sun Java System Instant Messaging server features and privileges:
Overview of Privacy, Security, and Site Policies
Instant Messaging provides the ability to control access to Instant Messaging features and preserve end-user privacy.
Site Policies
Site policies specify end-user access to specific functionality in Instant Messaging. They specify:
The Instant Messaging administrator has access to all Instant Messaging features. The administrator has MANAGE access to all conference rooms and news channels, can view presence information of any end user, and can view and modify properties such as Contact Lists and Instant Messenger Settings of any end user. The site policy settings have no impact on the administrator’s privileges.
By default, the end user is provided with the privileges to access the presence status of other end users, send alerts to end users, and save properties to the server. In most deployments, the default values are not changed. These default values need to be changed when Instant Messaging is used exclusively for the pop-up functionality.
When Instant Messaging is used exclusively for the pop-up functionality, the end user will not be provided with the access privileges to presence information, chat, and news features.
For more information on configuring site policies, see Managing Instant Messaging and Presence Policies.
Conference Room and News Channel Access Controls
End users can have the following access privileges on Conference rooms and News channels:
- MANAGE - full access, which includes the ability to set the conference room or the news channel privilege for other end users.
- WRITE - privilege to add contents to the conference room or the news channel.
- READ - privilege to read the conference room or the news channel contents.
- NONE - no access privileges.
End users with the MANAGE privilege can set the default privilege level for all the other end users. These end users can also define exception rules that grant specific end users or groups an access level different from the default.
User Privacy
End users can specify whether other end users can see their presence. By default, all end users can access the presence information of another end user. End users can also set exceptions for denying this access to certain end users and groups.
If an end user has denied other end users access to the end user’s presence status, then that end user’s availability status appears as offline in other end users’ contact lists. No alerts or chat invitations can be sent to an end user whose presence status is offline.
User privacy can be configured using the User Settings window in the Instant Messenger. For more information on configuring user privacy, see Instant Messenger Online Help.
Methods for Controlling End User and Administrator Privileges
Different sites using Sun Java System Instant Messaging server have different needs in terms of enabling and restricting the type of access end users have to the Instant Messaging service. The process of controlling end-user and administrator access to Sun Java System Instant Messaging server features and privileges is referred to as policy management. There are two methods of policy management available: through access control files or through Sun Java System Identity Server.
Introduction to Managing Policies Using Access Control Files
The access control file method for managing policies allows you to adjust end-user privileges in the following areas: news channel management, conference room management, the ability to change preferences in the User Settings dialog, and the ability to send alerts. It also allows specific end users to be assigned as system administrators.
Introduction to Managing Policies Using Sun Java System Identity Server
Managing policies through Sun Java System Identity Server gives you control of the same privileges available with the access control file method; however, it additionally allows finer control over various features, such as the ability to receive alerts, send polls, and receive polls. For a complete list, see Table 4-4.
Two types of policies exist: Instant Messaging policies and Presence policies. The Instant Messaging policies govern general Instant Messaging features, such as the ability to send or receive alerts; the ability to manage public conferences and news channels; and the ability to send files. Presence policies govern the control end users have over changing their online status, and in allowing or preventing others from seeing their online or presence information.
Managing Policies: The Method to Use
When choosing which method to use to manage policies, it is also necessary to choose where they will be stored. You select the method for managing policies by editing the iim.conf file and setting the iim.policy.modules parameter to either identity for the Identity Server method or iim_ldap for the access control file method, which is also the default method.
If you will use an LDAP-only deployment (that is, you will not be using Sun Java System Identity Server), you must use the access control file method. If you are using Sun Java System Identity Server with the Sun Java System Instant Messaging server, and you have installed the Instant Messaging and Presence services components, you can use either policy management method. Note that managing policies using Sun Java System Identity Server is the more comprehensive method. One advantage of this method is that it allows you to store all end-user information in the directory.
The specific steps for setting which method you want to use to manage policies are as follows:
- Change directories to the directory that contains the iim.conf file.
- Open the iim.conf file using an editor of your choice.
- Edit the iim.policy.modules parameter by setting it to one of the following:
- Edit the iim.userprops.store parameter and set it to either:
- Save your changes.
- Refresh the configuration.
Policy Configuration Parameters
Table 4-1 lists and describes the new parameters available in the iim.conf file that relate to the increased role that Sun Java System Identity Server can play in Instant Messaging deployments:
Note
Currently the iim.userprops.store parameter is only significant when the service definitions for the Presence and Instant Messaging services have been installed.
Managing Policies Using Access Control Files
By editing access control files you control the following end-user privileges:
By default, end users are provided the privileges to access the presence status of other end users, send alerts to end users, and save properties to the server. In most deployments, the default values need not be changed.
The access control files are located in:
Table 4-2 lists the global access control files for Instant Messaging and the privileges these files provide end users.
Access Control File Format
The access control file contains a series of entries that define the privileges. Each entry starts with a tag as follows:
The tag is followed by a colon (:). In the case of the default tag (d), the colon is followed by true or false.
End-user (u) and group (g) tags are followed by the end-user or group name.
Multiple end users and groups are specified with multiple u: and g: entries, one per line.
If default is set to true, all other entries in the file are redundant. If default is set to false, only the end users and groups specified in the file will have that particular privilege.
The following are the default d: tag entries in the ACL files for a new installation:
Access Control File Examples
This section shows a sample access control file, sysTopicsAdd.acl, with privileges set. For information about access control files at the conference room and news channel level (that is, roomname.acl and newschannel.acl), see Conference Room and News Channel Access Controls.
sysTopicsAdd.acl File
In the following example, the default d: tag entry for the sysTopicsAdd.acl file is false. So the Add and Delete news channel privileges are available only to the end users and groups that appear before the default entry, namely user1, user2, and the sales group.
Changing End User Privileges
To change end user privileges:
Managing Policies Using Sun Java System Identity Server
The Instant Messaging and Presence services in Sun Java System Identity Server provide another way to control end user and administrator privileges. Each service has three types of attributes: dynamic, user, and policy. A policy attribute is the type of attribute used to set privileges.
Policy attributes become a part of the rules when rules are added to a policy created in Identity Server to allow or deny administrator and end-user involvement in various Instant Messaging features, such as receiving poll messages from others.
When Sun Java System Instant Messaging server is installed with Sun Java System Identity Server, several example policies and roles are created. See the Sun Java System Identity Server Getting Started Guide and the Sun Java System Identity Server Administration Guide for more information about policies and roles.
Furthermore, if the example policies are not sufficient, you can create new policies and assign those policies to a role, group, organization, or end user as needed to match your site’s needs.
When the Instant Messaging service or the Presence service is assigned to end users, they receive the dynamic and user attributes applied to them. The dynamic attributes can be assigned to a Sun Java System Identity Server configured role or organization.
When a role is assigned to an end user or an end user is created in an organization, the dynamic attributes then become a characteristic of the end user. The user attributes are assigned directly to each end user. They are not inherited from a role or an organization and, typically, are different for each end user.
When end users log on, they get all the attributes that are applicable to them depending upon which roles are assigned to them and how the policies are applied.
Dynamic, user or policy attributes are associated with end users after assigning the Presence and Instant Messaging Services to these end users.
Instant Messaging Service Attributes
Table 4-3 lists the policy, dynamic, and user attributes that each service has:
For each attribute in the preceding table, a corresponding label appears in the Identity Server admin console. The two following tables list each attribute with its corresponding label and a brief description. Table 4-4 lists and describes the policy attributes and Table 4-5 lists and describes the dynamic and user attributes.
Modifying Attributes Directly
An end user can log in to the Sun Java System Identity Server admin console and view the values of the Instant Messaging and Presence service attributes. If the attributes have been defined as modifiable, end users can alter them. By default, however, no attributes in the Instant Messaging service are modifiable, nor is it recommended that end users be allowed to modify them. From the standpoint of system administration, on the other hand, manipulating attributes directly can be useful.
For example, since roles do not affect some system attributes, such as conference subscriptions, system administrators might want to modify the values of these attributes by copying them from another end user (such as from a conference roster) or by modifying them directly. These attributes are listed in Table 4-5.
In Table 4-5, user attributes can be set by end users through the Sun Java System Identity Server admin console. Dynamic attributes are set by the administrator. A value set for a dynamic attribute either overrides or is combined with the corresponding user attribute value.
The nature of corresponding dynamic and user attributes influences how conflicting and complementing information is resolved. For example, Conference Subscriptions from two sources (dynamic and user) complement each other; therefore, the subscriptions are merged. Neither attribute overrides the other.
Pre-Defined Examples of Instant Messaging and Presence Policies
Table 4-6 lists and describes the seven example policies and roles that are created in Sun Java System Identity Server when the Instant Messaging service component is installed. You can add end users to different roles according to the access control you want to give them.
A typical site might want to assign the role IM Regular User (a role that receives the default Instant Messaging and Presence access) to end users who simply use Instant Messenger, but have no responsibilities in administering Instant Messaging policies. The same site might assign the role of IM Administrator (a role associated with the ability to administer Instant Messaging and Presence services) to particular end users with full responsibilities in administering Instant Messaging policies. Table 4-7 lists the default assignment of privileges among the policy attributes. If an action is not selected in a rule, the values allow and deny are not relevant, as the policy then does not affect that attribute.
Creating New Instant Messaging Policies
You can create new policies to fit the specific needs of your site.
To Create a New Policy
- Log on to the Identity Server admin console at http://hostname:port/amconsole, for example http://imserver.company22.example.com:80/amconsole
- With the Identity Management tab selected, select Policies in the View drop down list in the navigation pane (the lower-left frame).
- Click New to bring up the New Policy page in the data pane (the lower-right frame).
- Select Normal for the Type of Policy.
- Enter a policy description in the Name field, such as Ability to Perform IM Task.
- Click Create to make the name of the new policy appear on the policy list in the navigation pane and to make the page in the data pane change to the Edit page for your new policy.
- In the Edit page, select Rules in the View drop down list to bring up the Rule Name Service Resource panel inside the Edit page.
- Click Add to bring up the Add Rule page.
- Select the Service that applies, either Instant Messaging Service or Presence Service.
Each service enables you to allow or deny end users the ability to perform specific actions. For example, Ability to Chat is an action specific to the Instant Messaging service while Ability to Access other’s Presence is an action specific to the Presence service.
- Enter a description for a rule in the Rule Name field, such as Rule 1.
- Enter the appropriate Resource Name (IMResource or PresenceResource):
- Select the Actions that you want to apply.
- Select the Value for each action: Allow or Deny.
- Click Create to display this proposed rule in the list of saved rules for that policy.
- Click Save to make this proposed rule a saved rule.
- Repeat steps 8-15 for any additional rules that you want to apply to that policy. For each new rule, click Save to save the changes to the policy.
Assigning Policies to a Role, Group, Organization, or User
You can assign policies—the default policies for Instant Messaging or Instant Messaging policies that might have been created after Instant Messaging was installed—to a role, group, organization, or user.
To Assign a Policy
- Log on to the Identity Server admin console at http://hostname:port/amconsole, for example http://imserver.company22.example.com:80/amconsole
- With the Identity Management tab selected, select Policies in the View drop down list in the navigation pane (the lower-left frame).
- Click the arrow next to the name of the policy you want to assign in order to bring up the Edit page for that policy in the data pane (the lower-right frame).
- In the Edit page, select Subjects in the View drop down list.
- Click Add to bring up the Add Subject page, which lists the possible subject types:
- Select the subject type that matches the policy, such as Organization.
- Click Next.
- In the Name field, enter a description of the subject.
- If desired, select the Exclusive check box.
The Exclusive check box is not selected as the default setting, which means that the policy applies to all members of the subject.
Selecting the Exclusive check box applies the policy to everyone who is not a member of the subject.
- In the Available field, search for entries that you want to add to your subject.
- Type a search pattern for the entries you want to find. The default search is *, which displays all the subjects for that subject type.
- Click search.
- Highlight entries in the Available text box that you want to add to the Selected text box.
- Click Add or Add All, whichever applies.
- Repeat steps a-d until you have added all the names you want to the Selected text box.
- Click Create to display this proposed subject in the list of saved subjects for that policy.
- Click Save to make this proposed subject a saved subject.
- Repeat steps 5-12 for any additional subjects that you want to add to the policy. For each new subject, click Save to save the changes to the policy.
Creating New Suborganizations Using Identity Server
The ability to create suborganizations using Sun Java System Identity Server enables organizationally separate populations to be created within the Sun Java System Instant Messaging server. Each suborganization can be mapped to a different DNS domain. End users in one suborganization are completely isolated from those in another. The following describes minimal steps to create a new suborganization for Instant Messaging.
To Create a New Suborganization
- Log on to the Identity Server admin console at http://hostname:port/amconsole, for example http://imserver.company22.example.com:80/amconsole
- Create a new organization:
- Register services for the newly created suborganization.
- Click the name for the new suborganization, such as sub1, in the navigation pane (be certain to click the name, not the property arrow at the right).
- Select Services from the View drop down list in the navigation pane.
- Click Register to bring up the Register Services page in the data pane.
- Select the following services under the Authentication heading:
- Select the following services under the Instant Messaging Configuration heading:
- Click Register to bring up the newly selected services for this suborganization in the navigation pane.
- Create service templates for the newly selected services:
- In the navigation pane, click the property arrow for a service, starting with the Core service.
The Create Service Template page appears in the data pane.
- In the data pane, click Create, which replaces the Create Service Template page with a page of template options for the service you have selected.
You should click Create for each service even when you do not want to modify the template options.
- Modify the options for the service template of each service as follows:
- Core: Generally, no options need to be modified; go to Step d.
- LDAP: Add the prefix of the new suborganization to the DN to Start User Search field. After adding the prefix, the final DN should be in this format:
o=sub1,dc=company22,dc=example,dc=com
Enter the LDAP password in the Password for Root User Bind and Password for Root User Bind (confirm) fields.
Continue to Step d.
- Instant Messaging Service: Generally, no options need to be modified; go to Step d.
- Presence Service: If you would like to make end-user presence information available to others by default (sites tend to choose this option), select the Dynamic Default Presence Visibility check box before going to Step d.
- Click Save.
- Repeat steps a through d until you have created service templates for each service.
Adding End Users to New Suborganizations
After new end users have been created in a suborganization they need to be assigned roles. Roles can be inherited from the parent organization as described in the following section.
To Add End Users to a New Suborganization:
- Go to the parent organization and select Roles from the View drop down list. The specific steps are:
- Click on the property arrow to the right of the role you wish to assign in order to bring up a page for that role in the data pane (the lower-right frame).
- Select Users from the View drop down list in the data pane.
- Click Add to bring up the Add Users page.
- Enter a matching pattern to identify users. For example, in the UserId field an asterisk (*) lists all users.
- Click Filter to bring up the Select User page.
- Display the parentage path in the Select User page:
- Select the users to be assigned to this role.
- Click Submit.
Migrating from Instant Messaging 6.0
Non-Migration Option
If your site used the Sun Java System Instant Messaging 6.0 server with the Sun Java System Identity Server 5.1 software to deploy the Instant Messaging service, the old attributes will be honored by the Sun Java System Instant Messaging 6 software. Policy attributes from the Sun Java System Instant Messaging 6.0 server, such as sunIMAllowFileTransfer and sunIMEnableModerator will override the same policy attributes set in the Sun Java System Instant Messaging 6 server.
Migration Option
However, the preferable method for handling the differences between the two Instant Messaging services is to migrate away from the Instant Messaging service used by the Sun Java System Instant Messaging 6.0 software and to modify or create a Sun Java System Identity Server policy that uses the Instant Messaging Service and Presence Service from the Sun Java System Instant Messaging 6 software. You should define the new policy in such a way that it provides the same access control to your site as the old policy did.
For example, you can modify a rule in the Default Instant Messaging and presence access policy, setting the allow or deny status of each of the policy’s attributes so that the policy behaves as it did in the Sun Java System Instant Messaging 6.0 server. Alternatively, you can create a new policy with rules that make it behave in the same manner as before.
Migrating Access Control Files
If your site has been using an earlier version of Sun Java System Instant Messaging server (6.0 or earlier) but has not used an Instant Messaging service (that is, you have not set end-user privileges through Sun Java System Identity Server policies, but have instead set them by editing access control files), two methods are available for replicating the policy set within the access control files as Sun Java System Identity Server policies:
- Migrate Access Control File Information Manually
- Migrate Access Control File Information Automatically
Migrate Access Control File Information Manually
The high-level steps for this method are as follows:
- Open each access control file (one at a time). For example, sysTopicsAdd.acl and sysRoomsAdd.acl.
For more information about the location and format of access control files, see Managing Policies Using Access Control Files.
- In each file, read the value for the default line. The default line starts with the letter d followed by a colon (d:).
- In the Sun Java System Identity Server admin console within the Default instant messaging and presence access policy, set a rule to the same default value you read from the access control file.
- Assign all the regular Instant Messaging end users the role of IM Regular User.
- For end users listed in these access control files who have different privileges, such as the ability to manage conference rooms or news channels, add them to the corresponding roles that have those privileges. See Table 4-6 for the role that each default policy applies to.
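The following Python script is an added example, not code from the Instant Messaging product. It serves two passages of this chapter: the Access Control File Format section (parsing the d:, u: and g: entries and deciding who holds a privilege when the default is true or false) and the manual migration steps above (reading each file's default and listed subjects so they can be set as a rule value and added to roles). The tag letters and the true/false default come from the chapter; the one-entry-per-line layout, the treatment of blank lines, the rejection of a file without a d: entry, the group-membership lookup, the is_admin flag and the allow/deny mapping of the default are assumptions made here, and the sample files are constructed.

```python
"""Parser and evaluator for the Instant Messaging ACL file format.
Added example for this chapter, not product code.  Tag letters d/u/g and
the true/false default are from the chapter; line layout, blank-line
handling, the required d: entry, group lookup and the allow/deny mapping
are assumptions."""
from dataclasses import dataclass, field

# Constructed sample modelled on the sysTopicsAdd.acl example in the text:
# user1, user2 and the sales group are listed, then the default is false.
SAMPLE_SYS_TOPICS_ADD = """\
u:user1
u:user2
g:sales
d:false
"""

# Constructed sample with the default true: every other entry is redundant.
SAMPLE_SYS_ROOMS_ADD = """\
u:user9
d:true
"""


@dataclass
class Acl:
    default: bool = False
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)


def parse_acl(text):
    """Return an Acl built from the d:/u:/g: entries in text.

    Unknown tags, malformed lines, a default other than true/false and a
    missing d: entry are rejected (assumption: fail closed) so that a typo
    cannot silently widen access.
    """
    acl = Acl()
    seen_default = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:  # assumption: blank lines are ignored
            continue
        tag, sep, value = line.partition(":")
        value = value.strip()
        if not sep or not value:
            raise ValueError(f"line {lineno}: expected tag:value, got {raw!r}")
        if tag == "d":
            if value not in ("true", "false"):
                raise ValueError(f"line {lineno}: default must be true or false")
            acl.default = value == "true"
            seen_default = True
        elif tag == "u":
            acl.users.add(value)
        elif tag == "g":
            acl.groups.add(value)
        else:
            raise ValueError(f"line {lineno}: unknown tag {tag!r}")
    if not seen_default:
        raise ValueError("no d: entry found")
    return acl


def has_privilege(acl, user, member_of=(), is_admin=False):
    """True if user holds the privilege this ACL file controls.

    The administrator always has it (site policy settings do not affect
    administrator privileges).  Otherwise d:true grants everyone and the
    u:/g: entries are redundant; d:false grants only the listed users and
    groups.  member_of is the caller's group list (lookup is assumed).
    """
    if is_admin or acl.default:
        return True
    return user in acl.users or any(g in acl.groups for g in member_of)


def migration_summary(acl_files):
    """Support the manual migration: for each file name, report the rule
    value to set in the Identity Server policy (allow for d:true, deny for
    d:false; mapping assumed) and the users and groups that need a role
    carrying that privilege."""
    summary = {}
    for name, text in acl_files.items():
        acl = parse_acl(text)
        summary[name] = {
            "rule_value": "allow" if acl.default else "deny",
            "users": sorted(acl.users),
            "groups": sorted(acl.groups),
        }
    return summary


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_SYS_TOPICS_ADD)
    for who, groups in (("user1", ()), ("user3", ()), ("user3", ("sales",))):
        print(who, groups, has_privilege(acl, who, groups))
    print(migration_summary({"sysTopicsAdd.acl": SAMPLE_SYS_TOPICS_ADD,
                             "sysRoomsAdd.acl": SAMPLE_SYS_ROOMS_ADD}))
```

Run against the real files by reading each global ACL file into the dictionary passed to migration_summary; the summary for a d:false file is the list of subjects to add to the corresponding role, and the summary for a d:true file confirms that its u:/g: lines need no separate role assignment.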
Migrate Access Control File Information Automatically
Instead of transferring the access control file information manually, you can perform a one-time migration of this information by issuing a command.
Type the following command:
imadmin migrate
This command transfers information from the global access control files to the corresponding policy and its subjects. See Table 4-8 for a list of the global access control files and the policies to which they map.
Migrate Sun Java System Instant Messenger Settings
For Sun Java System Instant Messaging 6.1 server, when the parameter iim.userprops.store is set to ldap in the iim.conf file, the Sun Java System Instant Messenger settings for end users are stored in the sunIMUserProperties user attribute.
If your site has used an earlier version of Sun Java System Instant Messaging server and the Sun Java System Instant Messenger settings have been stored in the user.properties file, then after you install the Sun Java System Instant Messaging 6.1 server the old settings are automatically migrated to the sunIMUserProperties user attribute as end users log on, as long as the iim.userprops.store parameter is set to ldap in the iim.conf file.
When an end user first logs onto Sun Java System Instant Messaging 6.1 server, the server checks if the sunIMUserProperties user attribute exists and if it is storing the end user’s settings. If the end user’s settings are not found at that location, the server checks if a user.properties file exists for that end user. If the file exists, the server transfers information from the user.properties file to the sunIMUserProperties user attribute. However, if the user.properties file does not exist, the default Sun Java System Instant Messenger setting is the value assigned in the sunIMUserProperties user attribute for that end user.