Sun Java System Access Manager 7 2005Q4 Administration Guide

Chapter 10 Directory Management

The Directory Management tab is only displayed when you install Access Manager in Legacy mode. This directory management feature provides an identity management solution for Sun Java System Directory Server-enabled Access Manager deployments.

For more information on the Legacy Mode installation option, see the Sun Java Enterprise System 2005Q4 Installation Guide for UNIX.

Managing Directory Objects

The Directory Management tab contains all the components needed to view and manage the Directory Server objects. This section explains the object types and details how to configure them. User, role, group, organization, sub organization and container objects can be defined, modified or deleted using either the Access Manager console or the command line interface. The console has default administrators with varying degrees of privileges used to create and manage the directory objects. (Additional administrators can be created based on roles.) The administrators are defined within the Directory Server when installed with Access Manager. The Directory Server objects you can manage are:

Organizations

An Organization represents the top-level of a hierarchical structure used by an enterprise to manage its departments and resources. Upon installation, Access Manager dynamically creates a top-level organization (defined during installation) to manage the Access Manager enterprise configurations. Additional organizations can be created after installation to manage separate enterprises. All created organizations fall beneath the top-level organization.

To Create an Organization

  1. Click the Directory Management tab.

  2. In the Organizations list, click New.

  3. Enter the values for the fields. Only Name is required. The fields are:

    Name

    Enter a value for the name of the Organization.

    Domain Name

    Enter the full Domain Name System (DNS) name for the organization, if it has one.

    Organization Status

    Choose a status of active or inactive. The default is active. The status can be changed at any time during the life of the organization by selecting the Properties icon. Choosing inactive disables user access when logging in to the organization.

    Organization Aliases

    This field defines alias names for the organization, allowing you to use the aliases for authentication with a URL login. For example, if you have an organization named exampleorg, and define 123 and abc as aliases, you can log into the organization using any of the following URLs:

    http://machine.example.com/amserver/UI/Login?org=exampleorg

    http://machine.example.com/amserver/UI/Login?org=abc

    http://machine.example.com/amserver/UI/Login?org=123

    Organization alias names must be unique throughout the organization. You can use the Unique Attribute List to enforce uniqueness.

    DNS Alias Names

    Allows you to add alias names for the DNS name for the organization. This attribute only accepts “real” domain aliases (random strings are not allowed). For example, if you have a DNS named example.com, and define example1.com and example2.com as aliases for an organization named exampleorg, you can log into the organization using any of the following URLs:

    http://machine.example.com/amserver/UI/Login?org=exampleorg

    http://machine.example1.com/amserver/UI/Login?org=exampleorg

    http://machine.example2.com/amserver/UI/Login?org=exampleorg

    Unique Attribute List

    Allows you to add a list of unique attribute names for users in the organization. For example, if you add a unique attribute name specifying an email address, you would not be able to create two users with the same email address. This field also accepts a comma-separated list. Any one of the attribute names in the list defines uniqueness. For example, if the field contains the following list of attribute names:

    PreferredDomain, AssociatedDomain

    and PreferredDomain is defined as http://www.example.com for a particular user, then the entire comma-separated list is defined as unique for that URL. Adding the naming attribute 'ou' to the Unique Attribute List will not enforce uniqueness for the default groups and people containers (ou=Groups, ou=People).

    Uniqueness is enforced for all sub organizations.

  4. Click OK.

    The new organization displays in the Organization list. To edit any of the properties that you defined during creation of the organization, click the name of the organization you wish to edit, change the properties and click Save.
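The following is an added illustration of the Unique Attribute List semantics described above; it is not Access Manager code. It models the directory as a list of constructed entries, uses the page's own example list (PreferredDomain, AssociatedDomain), and checks a candidate user the way an administrator would expect the console to: a value carried in any listed attribute must not appear in any listed attribute of another entry, anywhere in the organization subtree.

```python
"""Uniqueness check modelled on the Unique Attribute List described above.

Added illustration, not Access Manager code.  The directory is a list of
dicts (constructed sample data) and the attribute list is the page's own
example.  Only user entries are checked, which matches the page's caveat
that the default groups and people containers are not covered.
"""

UNIQUE_ATTRIBUTE_LIST = "PreferredDomain, AssociatedDomain"


def parse_unique_attribute_list(value):
    """Split the comma-separated field into attribute names.
    Blank items are ignored; names are lower-cased because LDAP attribute
    names are case-insensitive."""
    return [a.strip().lower() for a in value.split(",") if a.strip()]


def _values(entry, attr):
    """Return the (possibly multi-valued) values of attr as a list."""
    for key, val in entry.items():
        if key.lower() == attr:
            return list(val) if isinstance(val, (list, tuple, set)) else [val]
    return []


def find_conflicts(candidate, existing, unique_attrs):
    """Return (candidate_attr, value, existing_attr, existing_dn) tuples.

    Any one attribute in the list defines uniqueness, so a value the
    candidate carries in *any* listed attribute must not appear in *any*
    listed attribute of another entry.  'existing' should hold the whole
    subtree because uniqueness is enforced for all sub organizations.
    """
    index = {}
    for entry in existing:
        for attr in unique_attrs:
            for val in _values(entry, attr):
                # Values compared case-insensitively (caseIgnoreMatch).
                index.setdefault(val.lower(), []).append((attr, entry["dn"]))
    conflicts = []
    for attr in unique_attrs:
        for val in _values(candidate, attr):
            for ex_attr, dn in index.get(val.lower(), []):
                if dn != candidate.get("dn"):  # an entry never conflicts with itself
                    conflicts.append((attr, val, ex_attr, dn))
    return conflicts


def can_create(candidate, existing, unique_attribute_list=UNIQUE_ATTRIBUTE_LIST):
    """True when the candidate violates none of the uniqueness constraints."""
    attrs = parse_unique_attribute_list(unique_attribute_list)
    return not find_conflicts(candidate, existing, attrs)


# Constructed sample entries (not from a real deployment); bob sits in a
# sub organization to show that the check spans the subtree.
EXISTING_USERS = [
    {"dn": "uid=alice,ou=People,o=exampleorg",
     "PreferredDomain": "http://www.example.com"},
    {"dn": "uid=bob,ou=People,o=sub,o=exampleorg",
     "AssociatedDomain": "http://portal.example.com"},
]

if __name__ == "__main__":
    newcomer = {"dn": "uid=carol,ou=People,o=exampleorg",
                "AssociatedDomain": "http://www.example.com"}
    for c in find_conflicts(newcomer, EXISTING_USERS,
                            parse_unique_attribute_list(UNIQUE_ATTRIBUTE_LIST)):
        print("conflict: %s=%s already used as %s by %s" % c)
```

Running the block reports that carol's AssociatedDomain collides with alice's PreferredDomain, which is the cross-attribute behaviour the paragraph describes: the whole list, not just the single attribute, is unique for that URL.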

To Delete an Organization

  1. Select the checkbox next to the name of the organization to be deleted.

  2. Click Delete.


    Note –

    There is no warning message when performing a delete. All entries within the organization will be deleted, and the operation cannot be undone.


To Add an Organization to a Policy

Access Manager objects are added to a policy through the policy’s subject definition. When a policy is created or modified, organizations, roles, groups, and users can be defined as the subject. Once the subject is defined, the policy will be applied to the object. For more information, see Managing Policies.

Containers

The container entry is used when, due to object class and attribute differences, it is not possible to use an organization entry. It is important to remember that the Access Manager container entry and the Access Manager organization entry are not necessarily equivalent to the LDAP object classes organizationalUnit and organization. They are abstract identity entries. Ideally, the organization entry will be used instead of the container entry.


Note –

The display of containers is optional. To view containers you must select Show Containers in the Administration service under Configuration>Console Properties.


To Create a Container

  1. Select the location link of the organization or container where the new container will be created.

  2. Click the Containers tab.

  3. Click New in the Containers list.

  4. Enter the name of the container to be created.

  5. Click OK.

To Delete a Container

  1. Click the Containers tab.

  2. Select the checkbox next to the name of the container to be deleted.

  3. Click Delete.


    Note –

    Deleting a container will delete all objects that exist in that Container. This includes all objects and sub containers.


Group Containers

A group container is used to manage groups. It can contain only groups and other group containers. The group container Groups is dynamically assigned as the parent entry for all managed groups. Additional group containers can be added, if desired.


Note –

The display of group containers is optional. To view group containers you must select Enable Group Containers in the Administration service under Configuration>Console Properties.


To Create a Group Container

  1. Select the location link of the organization or the group container which will contain the new group container.

  2. Select the Group Containers tab.

  3. Click New in the Group Containers list.

  4. Enter a value in the Name field and click OK. The new group container displays in the Group Containers list.

To Delete a Group Container

  1. Navigate to the organization which contains the group container to be deleted.

  2. Choose the Group Containers tab.

  3. Select the checkbox next to the group container to be deleted.

  4. Click Delete.

Groups

A group represents a collection of users with a common function, feature or interest. Typically, this grouping has no privileges associated with it. Groups can exist at two levels: within an organization and within other managed groups. Groups that exist within other groups are called sub groups. Sub groups are child nodes that “physically” exist within a parent group.

Access Manager also supports nested groups, which are “representations” of existing groups contained in a single group. As opposed to sub groups, nested groups can exist anywhere in the DIT. They allow you to quickly set up access permissions for a large number of users.

There are two types of groups you can create: static groups and dynamic groups. Users can only be added manually to static groups, while dynamic groups control the addition of users through a filter. Nested or sub groups can be added to both types.

Static Group

A static group is created based on the Managed Group Type you specify. Group members are added to a group entry using the groupOfNames or groupOfUniqueNames object class.


Note –

By default, the managed group type is dynamic. You can change this default in the Administration service configuration.


Dynamic Group

A dynamic group is created through the use of an LDAP filter. All entries are funneled through the filter and dynamically assigned to the group. The filter looks for a given attribute in each entry and returns the entries that contain it. For example, if you were to create a group based on a building number, you can use the filter to return a list of all users containing the building number attribute.


Note –

Access Manager should be configured with Directory Server to use the referential integrity plug-in. When the referential integrity plug-in is enabled, it performs integrity updates on specified attributes immediately after a delete or rename operation. This ensures that relationships between related entries are maintained throughout the database. Database indexes enhance the search performance in Directory Server. For more information on enabling the plug-in, see the Sun Java System Access Manager 6 2005Q1 Migration Guide.


To Create a Static Group

  1. Navigate to the organization, group, or group container where the new group will be created.

  2. From the Groups list, click New Static.

  3. Enter a name for the group in the Name field. Click Next.

  4. Select the Users Can Subscribe to this Group attribute to allow users to subscribe to the group themselves.

  5. Click OK.

    Once the group is created, you can edit the Users Can Subscribe to this Group attribute by selecting the name of the group and clicking the General tab.

To Add or Remove Members of a Static Group

  1. From the Groups list, select the group to which you will add members.

  2. Choose an action to perform in the Select Action menu. The actions you can perform are as follows:

    New User

    This action creates a new user and adds the user to the group when the user information is saved.

    Add User

    This action adds an existing user to the group. When you select this action, you construct search criteria that specify the users you wish to add. The fields used to construct the criteria use either an ANY or ALL operator. ALL returns users that match all specified fields. ANY returns users that match any one of the specified fields. If a field is left blank, it matches all possible entries for that particular attribute.

    Once you have constructed the search criteria, click Next. From the returned list of users, select the users you wish to add and click Finish.

    Add Group

    This action adds a nested group to the current group. When you select this action, you construct search criteria, including the search scope and the name of the group (the “*” wildcard is accepted), and you can specify whether users can subscribe to the group themselves. Once you have entered the information, click Next. From the returned list of groups, select the group you wish to add and click Finish.

    Remove Members

    This action will remove members (which includes users and groups) from the group, but will not delete them. Select the member(s) you wish to remove and choose Remove Members from the Select Action menu.

    Delete Members

    This action will permanently delete the member you select. Select the member(s) you wish to delete and choose Delete Members.

To Create a Dynamic Group

  1. Navigate to the organization or group where the new group will be created.

  2. Click the Groups tab.

  3. Click New Dynamic.

  4. Enter a name for the group in the Name field.

  5. Construct the LDAP search filter.

    By default, Access Manager displays the Basic search filter interface. The Basic fields used to construct the filter use either an ANY or ALL operator. ALL returns users for all specified fields. ANY returns users for any one of the specified fields. If a field is left blank it will match all possible entries for that particular attribute.

  6. When you click OK all users matching the search criteria are automatically added to the group.

To Add or Remove Members of a Dynamic Group

  1. From the Groups list, click the name of the group to which you will add members.

  2. Choose an action to perform in the Select Action menu. The actions you can perform are as follows:

    Add Group

    This action adds a nested group to the current group. When you select this action, you construct search criteria, including the search scope and the name of the group (the “*” wildcard is accepted), and you can specify whether users can subscribe to the group themselves. Once you have entered the information, click Next. From the returned list of groups, select the group you wish to add and click Finish.

    Remove Members

    This action will remove members (which includes groups) from the group, but will not delete them. Select the member(s) you wish to remove and choose Remove Members from the Select Action menu.

    Delete Members

    This action will permanently delete the member you select. Select the member(s) you wish to delete and choose Delete Members.

To Add a Group to a Policy

Access Manager objects are added to a policy through the policy’s subject definition. When a policy is created or modified, organizations, roles, groups, and users can be defined as the subject in the policy’s Subject page. Once the subject is defined, the policy will be applied to the object. For more information, see Managing Policies.

People Containers

A people container is the default LDAP organizational unit to which all users are assigned when they are created within an organization. People containers can be found at the organization level and at the people container level as a sub People Container. They can contain only other people containers and users. Additional people containers can be added into the organization, if desired.


Note –

The display of people containers is optional. To view People Containers you must select Enable People Containers in the Administration Service.


To Create a People Container

  1. Navigate to the organization or people container where the new people container will be created.

  2. Click New from the People Container list.

  3. Enter the name of the people container to be created.

  4. Click OK.

To Delete a People Container

  1. Navigate to the organization or people container which contains the people container to be deleted.

  2. Select the checkbox next to the name of the people container to be deleted.

  3. Click Delete.


    Note –

    Deleting a people container will delete all objects that exist in that people container. This includes all users and sub people containers.


Users

A user represents an individual’s identity. Through the Access Manager Identity Management module, users can be created and deleted in organizations, containers and groups and can be added or removed from roles and/or groups. You can also assign services to the user.


Note –

If a user in a sub organization is created with the same user ID as amadmin, the login will fail for amadmin. If this problem occurs, the administrator should change the user’s ID through the Directory Server console. This enables the administrator to log in to the default organization. Additionally, the DN to Start User Search in the authentication service can be set to the people container DN to ensure that a unique match is returned during the login process.


To Create a User

  1. Navigate to the organization, container or people container where the user is to be created.

  2. Click the user tab.

  3. Click New from the user list.

  4. Enter data for the following values:

    User ID

    This field takes the name of the user with which he or she will log into Access Manager. This property may be a non-DN value.

    First Name

    This field takes the first name of the user. The First Name value and the Last Name value identify the user in the Currently Logged In field. This is not a required value.

    Last Name

    This field takes the last name of the user. The First Name value and the Last Name value identify the user.

    Full Name

    This field takes the full name of the user.

    Password

    This field takes the password for the name specified in the User Id field.

    Password (Confirm)

    Confirm the password.

    User Status

    This option indicates whether the user is allowed to authenticate through Access Manager. Only active users can authenticate. The default value is Active.

  5. Click OK.

To Edit the User Profile

When a user who has not been assigned an administrative role authenticates to the Access Manager, the default view is their own User Profile. Additionally, administrators with the proper privileges can edit user profiles. In this view the user can modify the values of the attributes particular to their personal profile. The attributes displayed in the User Profile view can be extended. For more information on adding customized attributes for objects and identities, see the Access Manager Developer's Guide.

  1. Select the user whose profile is to be edited. By default, the General view is displayed.

  2. Edit the following fields:

    First Name

    This field takes the first name of the user.

    Last Name

    This field takes the last name of the user.

    Full Name

    This field takes the full name of the user.

    Password

    Click the Edit link to add and confirm the user password.

    Email Address

    This field takes the email address of the user.

    Employee Number

    This field takes the employee number of the user.

    Telephone Number

    This field takes the telephone number of the user.

    Home Address

    This field can take the home address of the user.

    User Status

    This option indicates whether the user is allowed to authenticate through Access Manager. Only active users can authenticate through Access Manager. The default value is Active. Either of the following can be selected from the pull-down menu:

    • Active — The user can authenticate through Access Manager.

    • Inactive — The user cannot authenticate through Access Manager, but the user profile remains stored in the directory.


      Note –

      Changing the user status to Inactive only affects authentication through Access Manager. The Directory Server uses the nsAccountLock attribute to determine user account status. User accounts inactivated for Access Manager authentication can still perform tasks that do not require Access Manager. To inactivate a user account in the directory, and not just for Access Manager authentication, set the value of nsAccountLock to false. If delegated administrators at your site will be inactivating users on a regular basis, consider adding the nsAccountLock attribute to the Access Manager User Profile page. See the Sun Java System Access Manager 7 2005Q4 Developer’s Guide for details.


    Account Expiration Date

    If this attribute is present, the authentication service will disallow login if the current date and time has passed the specified Account Expiration Date. The format for this attribute is mm/dd/yyyy hh:mm.

    User Authentication Configuration

    This attribute sets the authentication chain for the user.

    User Alias List

    The field defines a list of aliases that may be applied to the user. In order to use any aliases configured in this attribute, the LDAP service has to be modified by adding the iplanet-am-user-alias-list attribute to the User Entry Search Attributes field in the LDAP service.

    Preferred Locale

    This field specifies the locale for the user.

    Success URL

    This attribute specifies the URL that the user will be redirected to upon successful authentication.

    Failure URL

    This attribute specifies the URL that the user will be redirected to upon unsuccessful authentication.

    Password Reset Options

    This is used to select the questions on the forgotten password page, which is used to recover a forgotten password.

    User Discovery Resource Offering

    Sets the User Discovery service's resource offering for the user.

    MSISDN Number

    Defines the user's MSISDN number if using MSISDN authentication.
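The Account Expiration Date rule above is simple to state but easy to get wrong when the attribute is missing or malformed. The block below is an added illustration, not Access Manager code: it parses the documented mm/dd/yyyy hh:mm format, applies the "disallow once the current date and time has passed" rule, and adds an audit helper that lists the accounts that would be refused at a given moment. The page does not name the underlying LDAP attribute or a time zone, so the entry key is a placeholder taken from the field label and the value is assumed to be in the server's local time.

```python
"""Account Expiration Date evaluation (added illustration, not Access Manager code).

Assumptions, because the page states only the format: the value is in the
server's local time, and the field label is used as the attribute key.
"""
from datetime import datetime

EXPIRATION_FORMAT = "%m/%d/%Y %H:%M"          # mm/dd/yyyy hh:mm, as documented
EXPIRATION_ATTR = "Account Expiration Date"    # placeholder key (the page's field label)


def parse_expiration(value):
    """Parse the attribute value; raises ValueError on a malformed string so a
    bad value is never silently treated as 'no expiration'."""
    return datetime.strptime(value.strip(), EXPIRATION_FORMAT)


def login_allowed(entry, now):
    """Disallow login once 'now' has passed the expiration date.

    No attribute means no expiration.  A value that does not parse is treated
    as expired (fail closed); the page does not specify this case, so that
    choice is an assumption here.
    """
    value = entry.get(EXPIRATION_ATTR)
    if value is None:
        return True
    try:
        return now <= parse_expiration(value)
    except ValueError:
        return False


def expired_accounts(entries, now_text):
    """Audit helper: uids that would be refused at 'now_text'
    (given in the same mm/dd/yyyy hh:mm format)."""
    now = parse_expiration(now_text)
    return [e["uid"] for e in entries if not login_allowed(e, now)]


# Constructed sample entries, not from a real deployment.
USERS = [
    {"uid": "alice"},                                        # never expires
    {"uid": "bob", EXPIRATION_ATTR: "12/31/2005 23:59"},     # already expired
    {"uid": "carol", EXPIRATION_ATTR: "06/30/2006 08:00"},   # still valid
    {"uid": "dave", EXPIRATION_ATTR: "2006-06-30"},          # wrong format: refused
]

if __name__ == "__main__":
    print(expired_accounts(USERS, "01/15/2006 12:00"))
```

The boundary is inclusive on purpose: at exactly the expiration minute the date has not yet "passed", so login is still permitted; one minute later it is refused.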

To Add a User to Roles and Groups

  1. Click the Users tab.

  2. Click the name of the user you wish to modify.

  3. Select either the Roles or Groups tab.

  4. Select the role or group to which you wish to add the user and click Add.

  5. Click Save.


    Note –

    To remove a user from roles or groups, select the roles or groups, click Remove, and then click Save.


To Add a User to a Policy

Access Manager objects are added to a policy through the policy’s subject definition. When a policy is created or modified, organizations, roles, groups, and users can be defined as the subject in the policy’s Subject page. Once the subject is defined, the policy will be applied to the object. For more information, see Managing Policies.

Roles

Roles are a Directory Server entry mechanism similar to the concept of a group. A group has members; a role has members. A role’s members are LDAP entries that possess the role. The criteria of the role itself are defined as an LDAP entry with attributes, identified by the Distinguished Name (DN) attribute of the entry. Directory Server has a number of different types of roles, but Access Manager can manage only one of them: the managed role.


Note –

The other Directory Server role types can still be used in a directory deployment; they just cannot be managed by the Access Manager console. Other Directory Server role types can be used in a policy’s subject definition. For more information on policy subjects, see Creating Policies.


Users can possess one or more roles. For example, a contractor role which has attributes from the Session Service and the Password Reset Service might be created. When new contractor employees join the company, the administrator can assign them this role rather than setting separate attributes in the contractor entry. If the contractor is working in the Engineering department and requires services and access rights applicable to an engineering employee, the administrator could assign the contractor to the engineering role as well as the contractor role.

Access Manager uses roles to apply access control instructions. When first installed, Access Manager configures access control instructions (ACIs) that define administrator permissions. These ACIs are then designated in roles (such as Organization Admin Role and Organization Help Desk Admin Role) which, when assigned to a user, define the user’s access permissions.

Users can view their assigned roles only if the Show Roles on User Profile Page attribute is enabled in the Administration Service.


Note –

Access Manager should be configured with Directory Server to use the referential integrity plug-in. When the referential integrity plug-in is enabled, it performs integrity updates on specified attributes immediately after a delete or rename operation. This ensures that relationships between related entries are maintained throughout the database. Database indexes enhance the search performance in Directory Server. For more information on enabling the plug-in, see the Sun Java System Access Manager 6 2005Q1 Migration Guide.


There are two types of roles: static roles and dynamic roles.

To Create a Static Role

  1. Go to the organization where the Role will be created.

  2. Click the Roles tab.

    A set of default roles are created when an organization is configured, and are displayed in the Roles list. The default roles are:

    Container Help Desk Admin. The Container Help Desk Admin role has read access to all entries in an organizational unit and write access to the userPassword attribute in user entries only in this container unit.

    Organization Help Desk Admin. The Organization Help Desk Administrator has read access to all entries in an organization and write access to the userPassword attribute.


    Note –

    When a sub organization is created, remember that the administration roles are created in the sub organization, not in the parent organization.


    Container Admin. The Container Admin role has read and write access to all entries in an LDAP organizational unit. In Access Manager, the LDAP organizational unit is often referred to as a container.

    Organization Policy Admin. The Organization Policy Administrator has read and write access to all policies, and can create, assign, modify, and delete all policies within that organization.

    People Admin. By default, any user entry in a newly created organization is a member of that organization. The People Administrator has read and write access to all user entries in the organization. Keep in mind that this role DOES NOT have read and write access to the attributes that contain role and group DNs; therefore, they cannot modify the attributes of, or remove a user from, a role or a group.


    Note –

    Other containers can be configured with Access Manager to hold user entries, group entries or even other containers. To apply an Administrator role to a container created after the organization has already been configured, the Container Admin Role or Container Help Desk Admin defaults would be used.


    Group Admin. The Group Administrator created when a group is created has read and write access to all members of a specific group, and can create new users, assign users to the groups they manage, and delete the users that they have created.

    When a group is created, the Group Administrator role is automatically generated with the necessary privileges to manage the group. The role is not automatically assigned to a group member. It must be assigned by the group’s creator, or anyone that has access to the Group Administrator Role.

    Top-level Admin. The Top-level Administrator has read and write access to all entries in the top-level organization. In other words, this Top-level Admin role has privileges for every configuration principal within the Access Manager application.

    Organization Admin. The Organization Administrator has read and write access to all entries in an organization. When an organization is created, the Organization Admin role is automatically generated with the necessary privileges to manage the organization.

  3. Click the New Static button.

  4. Enter a name for the role.

  5. Enter a description of the role.

  6. Choose the role type from the Type menu.

    The role can be either an Administrative role or a Service role. The console uses the role type to determine where to start the user in the Access Manager console. An administrative role notifies the console that the possessor of the role has administrative privileges; the service role notifies the console that the possessor is an end user.

  7. Choose a default set of permissions to apply to the role from the Access Permission menu. The permissions provide access to entries within the organization. The default permissions shown are in no particular order. The permissions are:

    No permissions

    No permissions are to be set on the role.

    Organization Admin

    The Organization Administrator has read and write access to all entries in the configured organization.

    Organization Help Desk Admin

    The Organization Help Desk Administrator has read access to all entries in the configured organization and write access to the userPassword attribute.

    Organization Policy Admin

    The Organization Policy Administrator has read and write access to all policies in the organization. The Organization Policy Administrator can not create a referral policy to a peer organization.

    Generally, the No Permissions ACI is assigned to Service roles, while Administrative roles are assigned any of the default ACIs.

To Add Users to a Static Role

  1. Click the name of the role to which you wish to add users.

  2. In the Members list, select Add User from the Select Action menu.

  3. Enter the information for the search criteria. You can choose to search for users based on one or more of the displayed fields. The fields are:

    Match

    Allows you to select the fields you wish to include for the filter. ALL returns users for all specified fields. ANY returns users for any one of the specified fields.

    First Name

    Search for users by their first name.

    User ID

    Search for a user by User ID.

    Last Name

    Search for users by their last name.

    Full Name

    Search for users by their full name.

    User Status

    Search for users by their status (active or inactive).

  4. Click Next to begin the search. The results of the search are displayed.

  5. Choose the users from the names returned by selecting the checkbox next to the user name.

  6. Click Finish.

    The Users are now assigned to the role.

To Create a Dynamic Role

  1. Go to the organization where the Role will be created.

  2. Click the Roles tab.

    A set of default roles are created when an organization is configured, and are displayed in the Roles list. The default roles are:

    Container Help Desk Admin. The Container Help Desk Admin role has read access to all entries in an organizational unit and write access to the userPassword attribute in user entries only in this container unit.

    Organization Help Desk Admin. The Organization Help Desk Administrator has read access to all entries in an organization and write access to the userPassword attribute.


    Note –

    When a sub organization is created, remember that the administration roles are created in the sub organization, not in the parent organization.


    Container Admin. The Container Admin role has read and write access to all entries in an LDAP organizational unit. In Access Manager, the LDAP organizational unit is often referred to as a container.

    Organization Policy Admin. The Organization Policy Administrator has read and write access to all policies, and can create, assign, modify, and delete all policies within that organization.

    People Admin. By default, any user entry in a newly created organization is a member of that organization. The People Administrator has read and write access to all user entries in the organization. Keep in mind that this role DOES NOT have read and write access to the attributes that contain role and group DNs; therefore, they cannot modify the attributes of, or remove a user from, a role or a group.


    Note –

    Other containers can be configured with Access Manager to hold user entries, group entries or even other containers. To apply an Administrator role to a container created after the organization has already been configured, the Container Admin Role or Container Help Desk Admin defaults would be used.


    Group Admin. The Group Administrator created when a group is created has read and write access to all members of a specific group, and can create new users, assign users to the groups they manage, and delete the users that they have created.

    When a group is created, the Group Administrator role is automatically generated with the necessary privileges to manage the group. The role is not automatically assigned to a group member. It must be assigned by the group’s creator, or anyone that has access to the Group Administrator Role.

    Top-level Admin. The Top-level Administrator has read and write access to all entries in the top-level organization. In other words, this Top-level Admin role has privileges for every configuration principal within the Access Manager application.

    Organization Admin. The Organization Administrator has read and write access to all entries in an organization. When an organization is created, the Organization Admin role is automatically generated with the necessary privileges to manage the organization.

  3. Click the New Dynamic button.

  4. Enter a name for the role.

  5. Enter a description for the role.

  6. Choose the role type from the Type menu.

    The role can be either an Administrative role or a Service role. The console uses the role type to determine where to start the user in the Access Manager console. An administrative role notifies the console that the possessor of the role has administrative privileges; the service role notifies the console that the possessor is an end user.

  7. Choose a default set of permissions to apply to the role from the Access Permission menu. The permissions provide access to entries within the organization. The default permissions shown are in no particular order. The permissions are:

    No permissions

    No permissions are to be set on the role.

    Organization Admin

    The Organization Administrator has read and write access to all entries in the configured organization.

    Organization Help Desk Admin

    The Organization Help Desk Administrator has read access to all entries in the configured organization and write access to the userPassword attribute.

    Organization Policy Admin

    The Organization Policy Administrator has read and write access to all policies in the organization. The Organization Policy Administrator can not create a referral policy to a peer organization.

    Generally, the No Permissions ACI is assigned to Service roles, while Administrative roles are assigned any of the default ACIs.

  8. Enter the information for the search criteria. The fields are:

    Match

    Allows you to include an operator for any of the fields you wish to include in the filter. ALL returns users that match all specified fields. ANY returns users that match any one of the specified fields.

    First Name

    Search for users by their first name.

    User ID

    Search for a user by User ID.

    Last Name

    Search for users by their last name.

    Full Name

    Search for users by their full name.

    User Status

    Search for users by their status (active or inactive).

  9. Click OK to initiate the search based on the filter criteria. The users defined by the filter criteria are automatically assigned to the role.
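The Match ALL / ANY fields appear in four places on this page: the Basic filter of a dynamic group (step 5 of To Create a Dynamic Group), the Add User search for static groups and static roles, and the criteria of a dynamic role just above. The block below is an added illustration of what those fields become, not Access Manager code: ALL joins the non-blank fields with the LDAP `&` operator, ANY with `|`, a blank field contributes nothing, and every typed value is escaped per RFC 4515 so that a value cannot alter the filter's structure (the `*` wildcard is passed through only where the console accepts one). The mapping from console field names to LDAP attributes is an assumption (standard inetOrgPerson attributes), and `select_members()` is an in-memory stand-in for the Directory Server search that populates a dynamic group or role, including the LDAP behaviour that an absent attribute never matches.

```python
"""Search-criteria handling for the Match ALL / ANY fields (added illustration).

Not Access Manager code: FIELD_ATTRS is an assumed mapping to standard
inetOrgPerson attributes, and select_members() is an in-memory stand-in
for the Directory Server search that populates a dynamic group or role.
"""
import re

# Assumed console-field -> LDAP attribute mapping (not stated on the page).
FIELD_ATTRS = {
    "First Name": "givenName",
    "Last Name": "sn",
    "Full Name": "cn",
    "User ID": "uid",
}


def escape_filter_value(value, allow_wildcard=False):
    """RFC 4515 escaping of an assertion value.

    '*', '(', ')', backslash and NUL are hex-escaped so a value typed into a
    search field cannot change the structure of the filter; '*' is passed
    through only where the console field explicitly accepts a wildcard.
    """
    out = []
    for ch in value:
        if ch == "*" and allow_wildcard:
            out.append(ch)
        elif ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def _active_terms(fields):
    """Drop blank fields: a blank field matches every entry, so it adds nothing."""
    return [(FIELD_ATTRS[f], v.strip()) for f, v in fields.items() if v and v.strip()]


def build_filter(fields, match="ALL", allow_wildcard=True):
    """Render the fields as an LDAP search filter string.
    ALL -> '&' (every field must match); ANY -> '|' (at least one must)."""
    terms = ["(%s=%s)" % (attr, escape_filter_value(v, allow_wildcard))
             for attr, v in _active_terms(fields)]
    if not terms:
        return "(objectClass=*)"  # nothing specified: every entry matches
    if len(terms) == 1:
        return terms[0]
    op = "&" if match.upper() == "ALL" else "|"
    return "(%s%s)" % (op, "".join(terms))


def _value_matches(pattern, value, allow_wildcard):
    """Case-insensitive equality, with '*' meaning 'any run of characters'."""
    if allow_wildcard:
        regex = ".*".join(re.escape(p) for p in pattern.split("*"))
    else:
        regex = re.escape(pattern)
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def select_members(entries, fields, match="ALL", allow_wildcard=True):
    """Evaluate the same criteria against in-memory entries and return the
    uids that would be assigned to the dynamic group or role."""
    terms = _active_terms(fields)
    combine = all if match.upper() == "ALL" else any
    selected = []
    for entry in entries:
        # An attribute absent from the entry never matches, as in LDAP.
        hits = [attr in entry and _value_matches(p, str(entry[attr]), allow_wildcard)
                for attr, p in terms]
        if not terms or combine(hits):
            selected.append(entry["uid"])
    return selected


# Constructed sample entries, not taken from a real directory.
USERS = [
    {"uid": "jdoe", "givenName": "John", "sn": "Doe", "cn": "John Doe"},
    {"uid": "jsmith", "givenName": "Jane", "sn": "Smith", "cn": "Jane Smith"},
    {"uid": "rdoe", "givenName": "Rita", "sn": "Doe", "cn": "Rita Doe"},
    {"uid": "svc-backup", "sn": "Backup", "cn": "Backup Service"},  # no givenName
]

if __name__ == "__main__":
    criteria = {"First Name": "J*", "Last Name": "Doe"}
    print(build_filter(criteria, "ALL"), select_members(USERS, criteria, "ALL"))
    print(build_filter(criteria, "ANY"), select_members(USERS, criteria, "ANY"))
```

With First Name `J*` and Last Name `Doe`, ALL yields `(&(givenName=J*)(sn=Doe))` and selects only jdoe, while ANY yields `(|(givenName=J*)(sn=Doe))` and also pulls in jsmith and rdoe; the difference between the two operators is exactly the difference in membership of the resulting dynamic group or role.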

To Remove Users from a Role

  1. Navigate to the Organization that contains the role to modify.

    Choose Organizations from the View menu in the Identity Management module and select the Roles tab.

  2. Select the role to modify.

  3. Choose Users from the View menu.

  4. Select the checkbox next to each user to be removed.

  5. Click Remove user from the Select Action menu.

    The users are now removed from the role.

To Add a Role to a Policy

Access Manager objects are added to a policy through the policy’s subject definition. When a policy is created or modified, organizations, roles, groups, and users can be defined as the subject in the policy’s Subject page. Once the subject is defined, the policy will be applied to the object. For more information, see Managing Policies.