Sun Java System Portal Server 7.1 Administration Guide

Part III Managing Delegated Administration

Chapter 13 Managing Delegated Administration Channels

Portal Server enables portal administrators to delegate the responsibility for managing various tasks in a particular organization to other individuals, called delegated administrators. Decentralizing administrative functions can improve portal management, especially in complex organizations. Portal administrators can set up channels for delegated administrators to use for managing the Desktop.

To perform administration tasks, delegated administrators use a set of administrative portlets on the Portal Server Desktop. This topic shows you how to set up these channels on the Developers Sample Desktop so that you can design a basic Desktop for delegated administrators.

Understanding Portal Delegated Administration

Portal Server provides a set of administrative portlets on the Portal Server Desktop. The portlets allow administrators to set up specialized channels for delegated administrators to use in managing the Desktop and end-user roles. The three delegated administration roles are the following:

Setting Up Delegated Administration Channels

This topic shows you how to set up delegated administration channels at the organization, role, and user level on the Developers Sample Desktop.

Procedure: To Set Up a Delegated Administration Channel

  1. Set up access control instructions to allow or restrict access to the Desktop channel.

    • For administrator access at the organization level, access control instructions are set up by Access Manager by default.

    • For administrator access at the role level or the user level, Portal Server administrators must set up access control instructions.

      1. Load the sample ACIs into the Directory Server.

        Type ldapmodify -D "cn=directory manager" -w password -f acis.ldif, where password is a placeholder for the Directory Manager password.

        Here is the sample ACI content. Each aci value is folded onto LDIF continuation lines, which begin with a single space; the lines containing only "-" separate the individual add operations, and no blank line may appear inside the record.

        # acis.ldif
        dn: dc=sample,dc=siroe,dc=com
        changetype: modify
        # aci for JDCAdmin1 role
        add: aci
        aci: (target="ldap:///ou=people,o=DeveloperSample,dc=red,dc=iplanet,dc=com")
         (targetattr="*")
         (version 3.0; acl "Allow JDCAdmin1 Role to read and search users";
          allow (read,search)
          roledn="ldap:///cn=JDCAdmin1,o=DeveloperSample,dc=red,dc=iplanet,dc=com";)
        -
        add: aci
        aci: (target="ldap:///dc=red,dc=iplanet,dc=com")
         (targetfilter="(entrydn=cn=JDC,o=DeveloperSample,dc=red,dc=iplanet,dc=com)")
         (targetattr="*")
         (version 3.0; acl "Allow JDCAdmin1 Role to read and search JDC Role";
          allow (read,search)
          roledn="ldap:///cn=JDCAdmin1,o=DeveloperSample,dc=red,dc=iplanet,dc=com";)
        -
        add: aci
        aci: (target="ldap:///ou=people,o=DeveloperSample,dc=red,dc=iplanet,dc=com")
         (targetattr="nsroledn")
         (targetfilter="(!(|(nsroledn=cn=Top-level Admin Role,dc=red,dc=iplanet,dc=com)
         (nsroledn=cn=Top-level Help Desk Admin Role,dc=red,dc=iplanet,dc=com)
         (nsroledn=cn=Organization Admin Role,o=DeveloperSample,dc=red,dc=iplanet,dc=com)
         (nsroledn=cn=Top-level Policy Admin Role,dc=red,dc=iplanet,dc=com)))")
         (targattrfilters="add=nsroledn:(nsroledn=cn=JDC,o=DeveloperSample,dc=red,dc=iplanet,dc=com),
         del=nsroledn:(nsroledn=cn=JDC,o=DeveloperSample,dc=red,dc=iplanet,dc=com)")
         (version 3.0; acl "Allow JDCAdmin1 Role to add/remove users to JDC Role";
          allow (write)
          roledn="ldap:///cn=JDCAdmin1,o=DeveloperSample,dc=red,dc=iplanet,dc=com";)
        -
        # aci for JDCAdmin2 role
        add: aci
        aci: (target="ldap:///cn=SunPortalportal1DesktopService,dc=red,dc=iplanet,dc=com")
         (targetfilter="(cn=cn=JDC,o=DeveloperSample,dc=red,dc=iplanet,dc=com)")
         (targetattr="*")
         (version 3.0; acl "Allow JDCAdmin2 to edit display profile of JDC Role";
          allow (all)
          roledn="ldap:///cn=JDCAdmin2,o=DeveloperSample,dc=red,dc=iplanet,dc=com";)
        -
        add: aci
        aci: (target="ldap:///dc=red,dc=iplanet,dc=com")(targetattr="*")
         (version 3.0; acl "Allow JDCAdmin2 to read and search all";
          allow (read,search)
          roledn="ldap:///cn=JDCAdmin2,o=DeveloperSample,dc=red,dc=iplanet,dc=com";)
      2. Find and replace every occurrence of o=DeveloperSample,dc=red,dc=iplanet with dc=sample,dc=hostname,dc=com.

  2. Define the delegated administrator's role.

    1. Log in to the Sun Java System Access Manager management console.

      For information about the Access Manager console, see the Sun Java System Access Manager 7.1 Administration Guide.

    2. Navigate to the DeveloperSample organization.

    3. Create one of the following:

      • A new suborganization

        When you create a new organization, Access Manager sets up an Organization Admin role for the organization.

        1. Register all the required services for this new organization.

        2. Create a new user, and assign the Organization Admin role to this user.

      • New delegated administration roles:

        1. Create the following new roles:

          • End-User Role — Create a role JDC, set Type to Service, and turn off access permissions.

          • Content Administration Role — Create a role JDCAdmin2, set Type to Administrative, and turn off access permissions.

          • User Administration Role — Create a role JDCAdmin1, set Type to User, and turn off access permissions.

        2. Create the following new users:

          • jdcuser — Assign to the role JDC.

          • jdcuadmin — Assign to the role JDCAdmin1.

          • jdctadmin — Assign to the role JDCAdmin2.

    4. (Optional) Log out of the Access Manager console.

  3. Ensure that the Portal Desktop service attribute values set at the admin role DNs match the Portal Desktop service attribute values of your Portal.

    The admin role DNs are held in these Desktop service attributes:

    • content.admin.role.dn

    • user.admin.role.dn

    If the Portal Desktop service attribute values at these DNs do not match those of the Portal, a user who belongs to an admin role can be presented with the wrong Desktop after authenticating to the Portal.

    For example, if you set the DeveloperSample Portal Desktop service attribute values to:

    • Parent Container: JSPTabContainer

    • Edit Container: JSPEditContainer

    • Default Type: developer_sample

    and you set both admin role DNs to:

    cn=Organization Admin Role, o=DeveloperSample, dc=siroe, dc=com

    then the Portal Desktop service attributes at that admin role DN, cn=Organization Admin Role, o=DeveloperSample, dc=siroe, dc=com, must be set to the same three values.

  4. Edit the taskadmin.properties file.

    1. Open the taskadmin.properties file in the portal-base-directory/samples/taskadmin directory.

    2. Identify your values for the following variables:

      • am.admin.dn — the top-level administrator DN (for example, amadmin)

      • default.org.dn — the top-level or default organization (for example, dc=sun,dc=com)

      • ps.portal.id — the portal identifier (for example, portal1)

      • ps.parent.tab.container — the portal Desktop parent container name (for example, ASCTabContainer)

      • ps.default.type — the portal Desktop type (for example, enterprise_sample)

      • content.admin.role.dn — DN where the content admin channels and containers are loaded

      • user.admin.role.dn — DN where the user admin channels and containers are loaded

      • managed.content.dn — DN managed by the content admin role

    3. Change the default values to match your deployment.

         # ------------------------------------------------------
         # General settings
         # ------------------------------------------------------
         #
         # psadmin password file (file name and directory path);
         # the file contains the psadmin password
         # example: /tmp/password
         #
         psadmin.password.file=/tmp/password
         #
         # Portal configuration location
         # example: /etc/opt/SUNWportal
         #
         ps.config.location=/etc/opt/SUNWportal
         #
         # Portal identifier
         # example: portal1
         #
         ps.portal.id=portal1
         #
         # Access Manager admin dn
         # example: uid=amAdmin,ou=People,dc=siroe,dc=com
         #
         am.admin.dn=uid=amAdmin,ou=People,dc=siroe,dc=com
         #
         # Access Manager default organization
         # example: dc=siroe,dc=com
         #
         default.org.dn=dc=siroe,dc=com
         #
         # ------------------------------------------------------
         # Task admin general settings
         # ------------------------------------------------------
         #
         # Parent tab container
         # example: JSPTabContainer
         #
         ps.parent.tab.container=JSPTabContainer
         #
         # Parent tab container provider
         # example: JSPTabContainerProvider
         #
         ps.parent.tab.container.provider=JSPTabContainerProvider
         #
         # Portal default type
         # example: developer_sample
         #
         ps.default.type=developer_sample
         #
         # ------------------------------------------------------
         # Content admin settings
         # ------------------------------------------------------
         #
         # Content admin role dn. The content admin channels and containers
         # are loaded to this dn.
         # example: see below
         #
         content.admin.role.dn=cn=Organization Admin Role,o=DeveloperSample,dc=siroe,dc=com
         #
         # Managed content dn. The dn managed by the 'content.admin.role.dn'.
         # example: see below
         #
         managed.content.dn=o=DeveloperSample,dc=siroe,dc=com
         #
         # ------------------------------------------------------
         # User admin settings
         # ------------------------------------------------------
         #
         # User admin role dn. The user admin channels and containers
         # are loaded to this dn.
         # example: see below
         #
         user.admin.role.dn=cn=Organization Admin Role,o=DeveloperSample,dc=siroe,dc=com
         #
         # ======================================================
         # Examples
         # ======================================================
         #
         # Organization admin example:
         #   content.admin.role.dn=cn=Organization Admin Role,o=DeveloperSample,dc=siroe,dc=com
         #   managed.content.dn=o=DeveloperSample,dc=siroe,dc=com
         #   user.admin.role.dn=cn=Organization Admin Role,o=DeveloperSample,dc=siroe,dc=com
         #
         # Role admin example:
         #   content.admin.role.dn=cn=JDCAdmin2,o=DeveloperSample,dc=siroe,dc=com
         #   managed.content.dn=cn=JDC,o=DeveloperSample,dc=siroe,dc=com
         #   user.admin.role.dn=cn=JDCAdmin1,o=DeveloperSample,dc=siroe,dc=com

    4. Run the ant command.

      /usr/sfw/bin/ant -f ps-base-directory/samples/taskadmin/build.xml -Dprops.location=/tmp

      /tmp is the directory that contains the taskadmin.properties file.

  5. Verify the addition.

    1. Log in to the new delegated administrator's user Desktop.

    2. View the new delegated administration channel.

      • For an organization delegated administrator, verify that the administration channel appears for this organization in the Admin tab of the Developer Sample.

      • For a role or user delegated administrator, verify that the administration channel appears for this user in the Admin tab of the Developer Sample.

    3. Log out of the user Desktop.
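As an added check that is not part of this guide or the Portal Server distribution: after editing acis.ldif in step 1, the following Python script unfolds the LDIF record, extracts each aci value's target, targetattr, acl name and granted rights with a regular expression that covers only the simplified subset of the Directory Server ACI syntax used in the sample, and reports ACIs whose target lies outside the entry the ACI is added to (the symptom of a missed o=DeveloperSample,dc=red,dc=iplanet replacement, since such an ACI cannot apply) as well as ACIs that grant write or all on every attribute. The LDIF record below is constructed for the example.

```python
import re

# Constructed sample in the shape of the page's acis.ldif (folded lines start with one space;
# a second leading space survives unfolding as a separator).
SAMPLE_LDIF = """dn: dc=sample,dc=siroe,dc=com
changetype: modify
add: aci
aci: (target="ldap:///ou=people,o=DeveloperSample,dc=red,dc=iplanet,dc=com")
 (targetattr="*")(version 3.0; acl "read users"; allow (read,search)
  roledn="ldap:///cn=JDCAdmin1,o=DeveloperSample,dc=red,dc=iplanet,dc=com";)
-
add: aci
aci: (target="ldap:///dc=sample,dc=siroe,dc=com")(targetattr="*")
 (version 3.0; acl "edit all"; allow (all)
  roledn="ldap:///cn=JDCAdmin2,dc=sample,dc=siroe,dc=com";)
"""
# target DN, targetattr, acl name and allowed rights of one aci value (simplified syntax)
ACI_RE = re.compile(r'\(target\s*=\s*"ldap:///([^"]+)"\).*?\(targetattr\s*=\s*"([^"]*)"\)'
                    r'.*?acl\s+"([^"]*)".*?allow\s*\(([^)]*)\)', re.S)

def parse_ldif_record(text):
    """Unfold LDIF continuation lines; return (entry DN, list of aci values)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#") or raw == "-":
            continue                      # comment / modify-operation separator
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded line: drop exactly one space
        else:
            lines.append(raw)
    dn = next(l[3:].strip() for l in lines if l.startswith("dn:"))
    return dn, [l[4:].strip() for l in lines if l.startswith("aci:")]

def is_under(target_dn, base_dn):
    """True if target_dn equals base_dn or lies in its subtree (case/space-insensitive)."""
    norm = lambda dn: ",".join(p.strip().lower() for p in dn.split(","))
    t, b = norm(target_dn), norm(base_dn)
    return t == b or t.endswith("," + b)

def check_acis(ldif_text):
    """Flag ACIs targeting outside the entry they are added to, and broad write grants."""
    entry_dn, acis = parse_ldif_record(ldif_text)
    findings = []
    for aci in acis:
        target, attrs, name, rights = ACI_RE.search(aci).groups()
        rights = {r.strip() for r in rights.split(",")}
        if not is_under(target, entry_dn):     # the server cannot apply such a target
            findings.append(("out-of-scope", name))
        if attrs.strip() == "*" and rights & {"write", "all"}:
            findings.append(("broad-write", name))
    return findings
```

Run check_acis on the contents of your edited acis.ldif before loading it with ldapmodify; an empty list means every target is inside the entry's subtree and no ACI grants write or all on every attribute.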

Chapter 14 Using the Portal Server Delegated Administration Tag Library

The Portal Server delegated administration tag library allows you to do the following:

Understanding the Delegated Administration Tag Library

The Tag Library for Delegated Administration describes the tags for writing delegated administration portlets and provides syntax for them. The tag library supports tasks for the following administrative functions:

Procedure: To Access the Reference for Delegated Administration Tags

The Tag Library for Delegated Administration provides tag names and syntax.

  1. Go to the Tag Library for Delegated Administration.

  2. Select what contents you want to view.

    • Expand the title to view sections that you can select.

      • Tags for Desktop Channel and Container Management Tasks

      • Tags for Portlet Management Tasks

      • Tags for User Management Tasks

      • Tags for Web Services for Remote Portlets (WSRP) Management Tasks

    • Click the title link to view the beginning of the reference.