Sun Java System Access Manager 7 2005Q4 Administration Guide

Groups

A group represents a collection of users with a common function, feature or interest. Typically, this grouping has no privileges associated with it. Groups can exist at two levels: within an organization and within other managed groups. Groups that exist within other groups are called sub-groups. Sub-groups are child nodes that “physically” exist within a parent group.

Access Manager also supports nested groups, which are “representations” of existing groups contained in a single group. As opposed to sub-groups, nested groups can exist anywhere in the DIT. They allow you to quickly set up access permissions for a large number of users.

There are two types of groups you can create: static groups and dynamic groups. Users can only be manually added to static groups, while dynamic groups control the addition of users through a filter. Nested or sub-groups can be added to both types.

Static Group

A static group is created based on the Managed Group Type you specify. Group members are added to a group entry using the groupOfNames or groupOfUniqueNames object class.


Note –

By default, the managed group type is dynamic. You can change this default in the Administration service configuration.


Dynamic Group

A dynamic group is created through the use of an LDAP filter. All entries are funneled through the filter and dynamically assigned to the group. The filter looks for a given attribute in each entry and returns the entries that contain it. For example, if you were to create a group based on a building number, you can use the filter to return a list of all users whose entries contain the building number attribute.


Note –

Access Manager should be configured with Directory Server to use the referential integrity plug-in. When the referential integrity plug-in is enabled, it performs integrity updates on specified attributes immediately after a delete or rename operation. This ensures that relationships between related entries are maintained throughout the database. Database indexes enhance the search performance in Directory Server. For more information on enabling the plug-in, see the Sun Java System Access Manager 6 2005Q1 Migration Guide.


Procedure: To Create a Static Group

  1. Navigate to the organization, group, or group container where the new group will be created.

  2. From the Groups list, click New Static.

  3. Enter a name for the group in the Name field. Click Next.

  4. Select the Users Can Subscribe to this Group attribute to allow users to subscribe to the group themselves.

  5. Click OK.

    Once the group is created, you can edit the Users Can Subscribe to this Group attribute by selecting the name of the group and clicking the General tab.

Procedure: To Add or Remove Members in a Static Group

  1. From the Groups list, select the group to which you will add members.

  2. Choose an action to perform in the Select Action menu. The actions you can perform are as follows:

    New User

    This action creates a new user and adds the user to the group when the user information is saved.

    Add User

    This action adds an existing user to the group. When you select this action, you construct search criteria that specify the users you wish to add. The fields used to construct the criteria use either an ANY or ALL operator. ALL returns users that match all specified fields. ANY returns users that match any one of the specified fields. If a field is left blank, it will match all possible entries for that particular attribute.

    Once you have constructed the search criteria, click Next. From the returned list of users, select the users you wish to add and click Finish.

    Add Group

    This action adds a nested group to the current group. When you select this action, you construct search criteria, including the search scope and the name of the group (the “*” wildcard is accepted), and you can specify whether users can subscribe to the group themselves. Once you have entered the information, click Next. From the returned list of groups, select the group you wish to add and click Finish.

    Remove Members

    This action will remove members (which includes users and groups) from the group, but will not delete them. Select the member(s) you wish to remove and choose Remove Members from the Select Action menu.

    Delete Members

    This action will permanently delete the member you select. Select the member(s) you wish to delete and choose Delete Members.

Procedure: To Create a Dynamic Group

  1. Navigate to the organization or group where the new group will be created.

  2. Click the Groups tab.

  3. Click New Dynamic.

  4. Enter a name for the group in the Name field.

  5. Construct the LDAP search filter.

    By default, Access Manager displays the Basic search filter interface. The Basic fields used to construct the filter use either an ANY or ALL operator. ALL returns users that match all specified fields. ANY returns users that match any one of the specified fields. If a field is left blank, it will match all possible entries for that particular attribute.

  6. When you click OK all users matching the search criteria are automatically added to the group.
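The following is an added example, not code from the Access Manager guide. It shows how the Basic fields and the ANY/ALL operator translate into an LDAP filter (ALL joins clauses with `&`, ANY with `|`, blank fields match everything) and applies the same semantics to a few constructed user entries so you can see which users a dynamic group would pull in. Escaping of `(`, `)`, `\` and NUL in field values, the attribute names (`buildingName`, `l`) and the sample entries are assumptions made here, not behaviour documented on this page.

```python
# Added example: build and evaluate the Basic-mode dynamic group filter.
# Attribute names, sample entries and the escaping rule are constructed assumptions.
import re

def escape_value(value: str) -> str:
    """Escape RFC 4515 special characters in a field value so it cannot alter the
    filter structure. '*' is left alone here so it still works as a wildcard (assumption)."""
    return re.sub(r'[\\()\x00]', lambda m: '\\%02x' % ord(m.group()), value)

def build_filter(fields: dict, operator: str = "ALL") -> str:
    """Join the non-blank fields with & (ALL) or | (ANY); all-blank matches every entry."""
    clauses = [f"({a}={escape_value(v.strip())})" for a, v in fields.items() if v.strip()]
    if not clauses:
        return "(objectClass=*)"
    if len(clauses) == 1:
        return clauses[0]
    return f"({'&' if operator.upper() == 'ALL' else '|'}{''.join(clauses)})"

def _wild(pattern: str, text: str) -> bool:
    """Case-insensitive equality match where '*' in the pattern matches any substring."""
    rx = ".*".join(re.escape(p) for p in pattern.split("*"))
    return re.fullmatch(rx, text, re.IGNORECASE) is not None

def matches(entry: dict, fields: dict, operator: str = "ALL") -> bool:
    """Apply the same ANY/ALL semantics directly to one entry (a blank field matches all)."""
    tests = [_wild(v.strip(), str(entry.get(a, ""))) for a, v in fields.items() if v.strip()]
    if not tests:
        return True
    return all(tests) if operator.upper() == "ALL" else any(tests)

def dynamic_members(entries: list, fields: dict, operator: str = "ALL") -> list:
    """Return the DNs the dynamic group would contain for these fields and operator."""
    return [e["dn"] for e in entries if matches(e, fields, operator)]

# Constructed sample user entries standing in for the organization's users.
SAMPLE_USERS = [
    {"dn": "uid=alice,ou=People,dc=example,dc=com", "buildingName": "B12", "l": "Paris"},
    {"dn": "uid=bob,ou=People,dc=example,dc=com", "buildingName": "B7", "l": "Paris"},
    {"dn": "uid=carol,ou=People,dc=example,dc=com", "buildingName": "B12", "l": "Oslo"},
    {"dn": "uid=dave,ou=People,dc=example,dc=com", "l": "Oslo"},
]

if __name__ == "__main__":
    fields = {"buildingName": "B12", "l": "Paris"}
    for op in ("ALL", "ANY"):
        print(op, build_filter(fields, op), dynamic_members(SAMPLE_USERS, fields, op))
```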

Procedure: To Add or Remove Members in a Dynamic Group

  1. From the Groups list, click the name of the group to which you will add members.

  2. Choose an action to perform in the Select Action menu. The actions you can perform are as follows:

    Add Group

    This action adds a nested group to the current group. When you select this action, you construct search criteria, including the search scope and the name of the group (the “*” wildcard is accepted), and you can specify whether users can subscribe to the group themselves. Once you have entered the information, click Next. From the returned list of groups, select the group you wish to add and click Finish.

    Remove Members

    This action will remove members (which includes groups) from the group, but will not delete them. Select the member(s) you wish to remove and choose Remove Members from the Select Action menu.

    Delete Members

    This action will permanently delete the member you select. Select the member(s) you wish to delete and choose Delete Members.

To Add a Group to a Policy

Access Manager objects are added to a policy through the policy’s subject definition. When a policy is created or modified, organizations, roles, groups, and users can be defined as the subject in the policy’s Subject page. Once the subject is defined, the policy will be applied to the object. For more information, see Managing Policies.