Sun Java(TM) System Administration Server 5.2 2005Q1 Administration Guide 

Chapter 8
Access Control

This chapter describes how you can use access control instructions (ACIs) to define who can manage and use Sun Java System servers. It contains the following sections:

  • Overview of Access Control
  • Setting Access Permissions For Servers
  • Working With Access Control Instructions


Overview of Access Control

If a number of administrators in your enterprise use Server Console, you may want to restrict what each of them can see and do. For example, you may want one administrator to handle all server management tasks and another to manage users and groups. You can specify these permissions through the use of Access Control Instructions (ACIs).

ACIs are rules that permit or restrict access to a server, screen element, task, or directory entry. In a single ACI, you can specify access based on user name, IP address, time of day, and a number of other criteria. You can also chain multiple ACIs together in an Access Control List (ACL) to perform complex authorization procedures.

For users, access control is transparent. During login, Administration Server authenticates a user against Directory Server. Directory Server returns the user's administrative privileges and applicable ACIs. The instance of Administration Server evaluates this information and then instructs Server Console to display only those resources and server tasks that the user is allowed to access.

For detailed information about ACIs for a particular Sun Java System server, see the documentation for that server.

Examples of Access Control

The following examples illustrate how an organization might use ACIs to grant and restrict access to servers and data by different administrators.

Jane is an administrator who troubleshoots network problems. She needs to be able to access any server in the enterprise and frequently modifies user account information. As a result, the Configuration Administrator has placed very few restrictions on what she can access. When Jane logs into Server Console, she has a complete view of servers, tabs, and tasks.

Figure 8-1 Unrestricted View of Resources and Tasks

Some administrators may have an unrestricted view of the configuration.

John is also an administrator, but his job is focused on managing instances of Directory Server in the enterprise. As a result, the Configuration Administrator has used ACIs to restrict the onscreen elements and tasks that he can access. When John logs into Server Console, he sees only the servers and tasks required to do his job.

Figure 8-2 Restricted View of Resources and Tasks

Some administrators may have a restricted view of the configuration.


Setting Access Permissions For Servers

You can specify which users have administrative access to servers in the Server Console navigation tree by using the Set Permissions dialog box.

To Set Access Permissions for a Server in the Navigation Tree

  1. Select a server in the Server Console navigation tree.
  2. From the Object menu, choose Set Access Permissions.

    Alternatively, you can right-click the server, and then choose Set Access Permissions.

  3. In the Set Permissions dialog box, specify who has administrative access to the server.

    To add a user to the list of people who can administer the server, click the Add button, and then search for the user or group that you want to grant administrative rights to. For more information on locating users and groups in the directory, see Locating a User or Group in the Directory.

    To remove a user from the list, select the user, and then click the Delete button.

    Note that granting a user the right to administer a server does not automatically allow that user to give others the same right. If you want to allow a user to grant administrative rights to other users, you must add him or her to the Configuration Administrators group. For instructions on how to do this, see To Add Users to the Configuration Administrators Group.

  4. Click OK when you have finished specifying who can access the server.


Working With Access Control Instructions

When you create Access Control Instructions (ACIs), you specify which users can manage a resource as well as when and how access is granted. Server Console provides two tools that simplify creating and assigning ACIs: ACI Manager and ACI Editor.

The ACI Manager lets you apply ACIs to an object. It is also the dialog box from which you typically launch the ACI Editor.

The ACI Editor lets you create and modify ACIs using a visual interface or a manual editor. Depending upon your needs, you can edit visually, manually, or using both methods.

Whenever you want to work with an object's ACIs, you must use the ACI Manager. If you want to create an ACI for an object, you must also use the ACI Editor.

Each Sun Java System server may have its own uses for the ACI Editor and may have unique ACI extensions. For detailed information about a particular server's ACI options, see the documentation for that server.

What's in an ACI

Any directory entry can include one or more ACIs. Since Sun Java System servers store configuration settings, task entries, and other data as directory entries, you can apply ACIs to this information. These ACIs consist of three sections: a target, permissions, and bind rules.

Target

A target is an object, attribute, or group of objects and attributes to which you're controlling access.

Permissions

Permissions specify the rights that you are granting or denying. Read, write, and execute are examples of permissions that are typically specified in ACIs.

Bind Rules

Bind rules specify the circumstances under which access is allowed or denied, for example the group the user binds as, the day of the week, and the time of day, as in the example that follows.

ACIs are stored as attributes of the target Directory Server entry. The following example illustrates the use of two ACIs in the same directory entry. The first ACI grants unrestricted access to the user directory to all members of the Directory Administrators group. The second ACI denies access to the user directory to the Directory Administrators group from 1:00 a.m. to 3:00 a.m. (0100 to 0300) on Sunday, Tuesday, and Friday. During the times it specifies, the more restrictive ACI takes precedence. Thus, the end result is that members of the Directory Administrators group can access the user directory at any time except between 1:00 a.m. and 3:00 a.m. on Sunday, Tuesday, and Friday.

dn: dc=example,dc=com
objectClass: top
objectClass: organization
aci: (target="ldap:///dc=example,dc=com")(targetattr=*)
  (version 3.0; acl "acl 1"; allow (all)
  groupdn = "ldap:///cn=Directory Administrators,dc=example,dc=com";)
aci: (target="ldap:///dc=example,dc=com")(targetattr=*)
  (version 3.0; acl "acl 2"; deny (all)
  groupdn = "ldap:///cn=Directory Administrators, dc=example,dc=com"
  and dayofweek = "Sun, Tues, Fri" and
  (timeofday >= "0100" and timeofday <= "0300");)
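The following Python script is an added illustration, not part of this guide or of Directory Server: it parses the two ACIs of the entry above and evaluates them for a bound user, combining them the way the text describes (a matching deny overrides an allow). It handles only the bind-rule keywords the example uses (groupdn, dayofweek, timeofday) and rejects anything else; the sample ACI strings and the user context are constructed here.

```python
import operator
import re
# Constructed sample: the two ACIs of the entry above, as Directory Server
# stores them in the multi-valued "aci" attribute (one value per ACI).
ACIS = [
    '(target="ldap:///dc=example,dc=com")(targetattr=*)(version 3.0; acl "acl 1"; '
    'allow (all) groupdn = "ldap:///cn=Directory Administrators,dc=example,dc=com";)',
    '(target="ldap:///dc=example,dc=com")(targetattr=*)(version 3.0; acl "acl 2"; '
    'deny (all) groupdn = "ldap:///cn=Directory Administrators, dc=example,dc=com" '
    'and dayofweek = "Sun, Tues, Fri" and '
    '(timeofday >= "0100" and timeofday <= "0300");)',
]
ACI_RE = re.compile(r'acl\s*"(?P<name>[^"]*)"\s*;\s*(?P<effect>allow|deny)\s*'
                    r'\((?P<rights>[^)]*)\)\s*(?P<bind>.+);\s*\)\s*$', re.S)
ATOM_RE = re.compile(r'(groupdn|dayofweek|timeofday)\s*(>=|<=|!=|=|>|<)\s*"([^"]*)"')
OPS = {">=": operator.ge, "<=": operator.le, "=": operator.eq,
       "!=": operator.ne, ">": operator.gt, "<": operator.lt}

def norm_dn(dn):  # case-fold and drop spaces after commas so DNs compare as plain text
    return re.sub(r",\s+", ",", dn.replace("ldap:///", "")).lower()

def bind_rule_matches(rule, ctx):  # ctx: {"groups": {DN, ...}, "day": "Tue", "time": "0200"}
    def atom(m):
        key, op, val = m.groups()
        if key == "timeofday":      # HHMM strings compare numerically
            return str(OPS[op](int(ctx["time"]), int(val)))
        if key == "groupdn":        # member of any "||"-separated group DN
            hit = any(norm_dn(g) in {norm_dn(x) for x in ctx["groups"]} for g in val.split("||"))
        else:                       # dayofweek: "Tues" and "Tue" agree on 3 letters
            hit = ctx["day"][:3].lower() in [d.strip()[:3].lower() for d in val.split(",")]
        return str(hit if op == "=" else not hit)
    reduced = ATOM_RE.sub(atom, rule)
    # After substitution only connectives may remain; anything else is an unsupported keyword.
    if not re.fullmatch(r"(\s|True|False|and|or|not|\(|\))*", reduced):
        raise ValueError("unsupported bind rule: " + rule)
    return eval(reduced, {"__builtins__": {}})

def access_allowed(acis, right, ctx):
    """Directory Server semantics: a matching deny wins; with no matching allow, access is refused."""
    allowed = False
    for text in acis:
        m = ACI_RE.search(text)
        if m is None:
            raise ValueError("unparsable ACI: " + text)
        rights = {r.strip() for r in m["rights"].split(",")}
        if ("all" in rights or right in rights) and bind_rule_matches(m["bind"], ctx):
            if m["effect"] == "deny":
                return False
            allowed = True
    return allowed
```

Running access_allowed(ACIS, "read", ctx) for a Directory Administrators member at 0200 on Monday returns True, and at 0200 on Tuesday returns False, which is the outcome the paragraph above describes.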

Using the ACI Manager and ACI Editor

When you apply ACIs to tasks, user interface elements, or other directory entries, you use the ACI Manager. When setting access permissions for anything other than servers in the Server Console navigation tree (for instance, for tasks or user interface elements), you use the ACI Editor to create new ACIs and to modify existing ones.

While each Sun Java System server has a unique set of items that you can apply ACIs to, the ACI Manager and Editor are shared by all Server Console-based products. For information on a specific server's implementation of ACIs, see that server's documentation.

To Specify What You Want an ACI to Apply To

  1. Select an object that you want to apply ACIs to.
    • To select a task or directory entry, click its name. Select a task name in an individual server management window. Select a directory entry in the Directory tab of the Directory Server management window.
    • To select a user interface (UI) element, choose Preferences from the Edit menu, and then click the UI Permissions tab. On the tab, select an onscreen element from the list.
  2. Open the ACI Manager.
    • To open the ACI Manager from a server management window, right-click and choose Set Access Permissions.
    • To open the ACI Manager from the UI Permissions panel of the Preferences dialog box, click the Permissions button.
    • In some servers, you can also open the ACI Manager by choosing Set Access Permissions from the Edit or Object menu.

    Figure 8-3 Default ACI Manager
    The default manager lets you add, edit, and remove ACIs.

To Create a New ACI With the Visual ACI Editor

  1. In the ACI Manager, click New. The ACI Editor appears.

    Figure 8-4 Visual ACI Editor
    The visual editor helps you construct ACIs.

  2. Enter a name for this ACI in the ACI Name field.
  3. On the Users/Groups tab, click Add.
  4. Identify the users, groups, or administrators to which you want to grant access.

    First, search for users, groups, or administrators to grant access to:

    • Search for. In this field, enter the name of the user, group, or administrator that you want to add. If you do not know the full name, you can enter any part of it. To find all entries, search for *.
    • Search area. Select a set of entries in which you want to search. You can choose Users and Groups, Administrators, or Special Rights.
    • Search. Click this button to perform your search.

    The center frame of the Add Users and Groups dialog box displays the results of your search. This is called the results list. The bottom frame shows the users that you've granted access to. This is called the access list.

    Then, grant access:

    • Click a user, group, or administrator in the results list to select it. You can select multiple entries by pressing Control and clicking the desired users and groups.
    • Add. Click this button to add a selected user from the results list to the access list.
    • Remove. Click this button to remove a user from the access list.

    If you want to add more users or groups to the access list, you can perform additional searches.

  5. Click OK.
  6. On the Rights tab, specify which actions are permitted as part of this ACI. Select a single action to permit it, or click one of the following buttons:

    • Check All. Click to select all rights.
    • Check None. Click to deselect all rights.

    If you are creating an ACI for a user interface element, and you want to hide the element from the selected users, groups, and hosts, click Check None.

    The rights you select here apply to the users, groups, and administrators that you selected in step 4 as well as the targets, hosts, and times that you specify in steps 7-10.

  7. On the Targets tab, specify the directory entry to which this ACI should apply.

    • Target directory entry. In this field, enter the DN for the entry to which you want this ACI to apply. By default, the target directory entry is the currently selected object. This is the task or other resource that you selected before you opened the ACI Manager.
    • This Entry. Click this button to reset the Target Directory Entry to the DN for the currently selected object.
    • Browse. Click this button to locate a directory entry. This opens a directory tree. Choose the entry you want this ACI to apply to and then click OK.
    • Filter for sub-entries. In this field, enter an LDAP filter to apply to any entries below the Target Directory Entry. An LDAP filter is useful if you want this ACI to apply to multiple entries within a branch of the directory. By default, this field is blank, indicating that this ACI applies only to the currently selected object.
    • These attributes are affected for all entries. In this list, select the attributes to which you want this ACI to apply. Users listed in this ACI can only access selected attributes.
    • Check All. Click this button to select all listed attributes.
    • Check None. Click this button to deselect all listed attributes. If no attributes are selected, this ACI applies to the Target Directory Entry.

  8. On the Hosts tab, click Add.
  9. Enter the host name or IP address that you want to grant access to, then click OK. You can use the * wildcard when specifying hosts.
  10. On the Times tab, select the times during which you want to grant access to the desired users, groups, and hosts. Click a square to select or deselect it. If a square is blue, access is allowed at that time. If a square is white, access is not allowed at that time.
  11. Click OK to save this ACI.

    If you selected a task or directory entry, the ACI is automatically applied to it. If you selected a user interface element, you must restart Server Console for the ACI to take effect.

To Create a New ACI With the Manual ACI Editor

  1. In the ACI Manager, click New. The ACI Editor appears.
  2. Enter a name for this ACI in the ACI Name field.
  3. Click Edit Manually. The ACI Editor switches into manual mode.

    Figure 8-5 Manual ACI Editor
    The manual editor lets you adjust ACIs.

  4. Enter your ACI.
  5. (Optional) Click Check Syntax to verify that your ACI is in the correct format.

    Note

    If you decide you'd prefer to edit your ACI using the visual ACI Editor, you can do so by clicking Edit Visually. You may not be able to edit all ACI properties visually. To return to the manual ACI Editor, click Edit Manually. What you created visually appears in the manual editing window and you can add to it.

  6. When you have finished creating your ACI, click OK.

    If you selected a task or directory entry (in To Specify What You Want an ACI to Apply To), the ACI is automatically applied to it. If you selected a user interface element, you must restart Server Console for the ACI to take effect.

To Edit an Existing ACI With the ACI Editor

  1. In the ACI Manager, select the ACI that you want to modify, and then click Edit. The ACI Editor appears.
  2. Make the desired changes. Use the visual ACI Editor or the manual ACI Editor just as you did to add an ACI. For more information, see the procedures for adding an ACI above.
  3. When you are finished, click OK.

    If the ACI was for a task or directory entry, the ACI is automatically applied to the task or entry. If the ACI was for a user interface element, you must restart Server Console for the ACI to take effect.

To Remove an ACI

  1. In the ACI Manager, select the ACI that you want to remove.
  2. Click Remove.
  3. Click OK to remove the ACI.

    If the ACI was for a task or directory entry, the ACI is automatically removed from the task or entry. If the ACI was for a user interface element, you must restart Server Console for the removal to take effect.





Part No: 817-7612-10.   Copyright 2005 Sun Microsystems, Inc. All rights reserved.