Sun Java System Portal Server 7.1 Administration Guide

Setting Up Delegated Administration Channels

This topic shows you how to set up delegated administration channels at the organization, role, and user level on the Developers Sample Desktop.

Procedure: To Set Up a Delegated Administration Channel

  1. Set up access control instructions to allow or restrict access to the Desktop channel.

    • For administrator access at the organization level, access control instructions are set up by Access Manager by default.

    • For administrator access at the role level or the user level, Portal Server administrators must set up access control instructions.

      1. Load the sample ACIs into the Directory Server.

        Type ldapmodify -D "cn=directory manager" -w password -f acis.ldif, where password is the Directory Manager password.

        Here is the sample ACI content. Each aci value is folded over several lines; in LDIF a continuation line must begin with exactly one space, and a blank line ends the record, so no blank lines appear between the changes.

        # acis.ldif
        # Sample ACIs for the JDCAdmin1 and JDCAdmin2 delegated administration roles.
        dn: dc=sample,dc=siroe,dc=com
        changetype: modify
        # aci for JDCAdmin1 role
        add: aci
        aci: (target="ldap:///ou=people,o=DeveloperSample,dc=red,dc=iplanet,dc=com")
         (targetattr="*")
         (version 3.0; acl "Allow JDCAdmin1 Role to read and search users"; allow (read,search) roledn="ldap:///cn=JDCAdmin1,o=DeveloperSample,dc=red,dc=iplanet,dc=com";)
        -
        add: aci
        aci: (target="ldap:///dc=red,dc=iplanet,dc=com")
         (targetfilter="(entrydn=cn=JDC,o=DeveloperSample,dc=red,dc=iplanet,dc=com)")
         (targetattr="*")
         (version 3.0; acl "Allow JDCAdmin1 Role to read and search JDC Role"; allow (read,search) roledn="ldap:///cn=JDCAdmin1,o=DeveloperSample,dc=red,dc=iplanet,dc=com";)
        -
        add: aci
        aci: (target="ldap:///ou=people,o=DeveloperSample,dc=red,dc=iplanet,dc=com")
         (targetattr="nsroledn")
         (targetfilter="(!(|(nsroledn=cn=Top-level Admin Role,dc=red,dc=iplanet,dc=com)
         (nsroledn=cn=Top-level Help Desk Admin Role,dc=red,dc=iplanet,dc=com)
         (nsroledn=cn=Organization Admin Role,o=DeveloperSample,dc=red,dc=iplanet,dc=com)
         (nsroledn=cn=Top-level Policy Admin Role,dc=red,dc=iplanet,dc=com)))")
         (targattrfilters="add=nsroledn:(nsroledn=cn=JDC,o=DeveloperSample,dc=red,dc=iplanet,dc=com),
         del=nsroledn:(nsroledn=cn=JDC,o=DeveloperSample,dc=red,dc=iplanet,dc=com)")
         (version 3.0; acl "Allow JDCAdmin1 Role to add/remove users to JDC Role"; allow (write) roledn="ldap:///cn=JDCAdmin1,o=DeveloperSample,dc=red,dc=iplanet,dc=com";)
        -
        # aci for JDCAdmin2 role
        add: aci
        aci: (target="ldap:///cn=SunPortalportal1DesktopService,dc=red,dc=iplanet,dc=com")
         (targetfilter="(cn=cn=JDC,o=DeveloperSample,dc=red,dc=iplanet,dc=com)")
         (targetattr="*")
         (version 3.0; acl "Allow JDCAdmin2 to edit display profile of JDC Role"; allow (all) roledn="ldap:///cn=JDCAdmin2,o=DeveloperSample,dc=red,dc=iplanet,dc=com";)
        -
        add: aci
        aci: (target="ldap:///dc=red,dc=iplanet,dc=com")
         (targetattr="*")
         (version 3.0; acl "Allow JDCAdmin2 to read and search all"; allow (read,search) roledn="ldap:///cn=JDCAdmin2,o=DeveloperSample,dc=red,dc=iplanet,dc=com";)
      2. Find and replace every occurrence of o=DeveloperSample,dc=red,dc=iplanet with dc=sample,dc=hostname,dc=com.

  2. Define the delegated administrator's role.

    1. Log in to the Sun Java System Access Manager management console.

      For information about the Access Manager console, see the Sun Java System Access Manager 7.1 Administration Guide.

    2. Navigate to the DeveloperSample organization.

    3. Create one of the following:

      • A new suborganization

        When you create a new organization, Access Manager sets up an Organization Admin role for the organization.

        1. Register all the required services for this new organization.

        2. Create a new user, and assign the Organization Admin role to this user.

      • New delegated administration roles:

        1. Create the following new roles:

          • End-User Role — Create a role JDC, set Type to Service, and turn off access permissions.

          • Content Administration Role — Create a role JDCAdmin2, set Type to Administrative, and turn off access permissions.

          • User Administration Role — Create a role JDCAdmin1, set Type to User, and turn off access permissions.

        2. Create the following new users:

          • jdcuser — Assign to the role JDC.

          • jdcuadmin — Assign to the role JDCAdmin1.

          • jdctadmin — Assign to the role JDCAdmin2.

    4. (Optional) Log out of the Access Manager console.

  3. Ensure that the Portal Desktop service attribute values for the admin role DNs match the Portal Desktop service attribute values for your Portal.

    The Desktop service attribute values for the admin role DNs are:

    • content.admin.role.dn

    • user.admin.role.dn

    If the Portal Desktop service attribute values do not match these values, when a user who belongs to the admin role authenticates to the Portal, the user can be presented with the incorrect Desktop.

    For example, if you set the DeveloperSample Portal Desktop service attribute values to:

    • Parent Container: JSPTabContainer

    • EditContainer: JSPEditContainer

    • Default Type: developer_sample

    And you set both admin role DNs to:

    cn=Organization Admin Role, o=DeveloperSample, dc=siroe, dc=com

    You must set the Portal Desktop service attributes for the admin role DN to:

    cn=Organization Admin Role, o=DeveloperSample, dc=siroe, dc=com

  4. Edit the taskadmin.properties file.

    1. Open the taskadmin.properties file in the portal-base-directory/samples/taskadmin directory.

    2. Identify your values for the following variables:

      • am.admin.dn — the top-level administrator DN (for example, amadmin)

      • default.org.dn — the top-level or default organization (for example, dc=sun,dc=com)

      • ps.portal.id — the portal identifier (for example, portal1)

      • ps.parent.tab.container — the portal Desktop parent container name (for example, ASCTabContainer)

      • ps.default.type — the portal Desktop type (for example, enterprise_sample)

      • content.admin.role.dn — DN where the content admin channels and containers are loaded

      • user.admin.role.dn — DN where the user admin channels and containers are loaded

      • managed.content.dn — DN managed by the content admin role

    3. Change the default values to match your deployment.

         # ------------------------------------------------------
         # General settings
         # ------------------------------------------------------
         #
         # psadmin password file (file name and directory path)
         # example: /tmp/password
         #
         # The password file contains the psadmin password
         psadmin.password.file=/tmp/password
         #
         # Portal configuration location
         # example: /etc/opt/SUNWportal
         #
         ps.config.location=/etc/opt/SUNWportal
         #
         # Portal identifier
         # example: portal1
         #
         ps.portal.id=portal1
         #
         # Access Manager admin dn
         # example: uid=amAdmin,ou=People,dc=siroe,dc=com
         #
         am.admin.dn=uid=amAdmin,ou=People,dc=siroe,dc=com
         #
         # Access Manager default organization
         # example: dc=siroe,dc=com
         #
         default.org.dn=dc=siroe,dc=com
         #
         # ------------------------------------------------------
         # Task admin general settings
         # ------------------------------------------------------
         #
         # Parent tab container
         # example: JSPTabContainer
         #
         ps.parent.tab.container=JSPTabContainer
         #
         # Parent tab container provider
         # example: JSPTabContainerProvider
         #
         ps.parent.tab.container.provider=JSPTabContainerProvider
         #
         # Portal default type
         # example: developer_sample
         #
         ps.default.type=developer_sample
         #
         # ------------------------------------------------------
         # Content admin settings
         # ------------------------------------------------------
         #
         # Content admin role dn. The content admin channels and containers
         # are loaded to this dn.
         # example: see below
         #
         content.admin.role.dn=cn=Organization Admin Role,o=DeveloperSample,dc=siroe,dc=com
         #
         # Managed content dn. The dn managed by the 'content.admin.role.dn'.
         # example: see below
         #
         managed.content.dn=o=DeveloperSample,dc=siroe,dc=com
         #
         # ------------------------------------------------------
         # User admin settings
         # ------------------------------------------------------
         #
         # User admin role dn. The user admin channels and containers
         # are loaded to this dn.
         # example: see below
         #
         user.admin.role.dn=cn=Organization Admin Role,o=DeveloperSample,dc=siroe,dc=com
         #
         # ======================================================
         # Examples
         # ======================================================
         #
         # Organization admin example:
         #   content.admin.role.dn=cn=Organization Admin Role,o=DeveloperSample,dc=siroe,dc=com
         #   managed.content.dn=o=DeveloperSample,dc=siroe,dc=com
         #   user.admin.role.dn=cn=Organization Admin Role,o=DeveloperSample,dc=siroe,dc=com
         #
         # Role admin example:
         #   content.admin.role.dn=cn=JDCAdmin2,o=DeveloperSample,dc=siroe,dc=com
         #   managed.content.dn=cn=JDC,o=DeveloperSample,dc=siroe,dc=com
         #   user.admin.role.dn=cn=JDCAdmin1,o=DeveloperSample,dc=siroe,dc=com
    4. Run the ant command.

      /usr/sfw/bin/ant -f ps-base-directory/samples/taskadmin/build.xml -Dprops.location=/tmp

      /tmp is the directory that contains the taskadmin.properties file.

  5. Verify the addition.

    1. Log in to the new delegated administrator's user Desktop.

    2. View the new delegated administration channel.

      • For an organization delegated administrator, verify that the administration channel appears for this organization in the Admin tab of the Developer Sample.

      • For a role or user delegated administrator, verify that the administration channel appears for this user in the Admin tab of the Developer Sample.

    3. Log out of the user Desktop.
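The following Python helper is an added example for steps 1.1 and 1.2 of the procedure above; it is not part of this guide or of Portal Server. It applies the find-and-replace of step 1.2 to a constructed, folded excerpt of acis.ldif, extracts target, attributes, rights and grantee role from each aci value, lists the grants that can modify directory data together with whether a targattrfilters clause bounds them, and reports ACIs that still name the sample suffix afterwards (the bare dc=red,dc=iplanet,dc=com targets, which the step's search string does not cover). It assumes the search string includes the trailing ,dc=com of the sample organization DN, because a literal replacement of the page's shorter string leaves DNs ending in ,dc=com,dc=com.

```python
import re

# Constructed excerpt of the page's acis.ldif, each aci value folded into one
# string (LDIF continuation lines joined).  Not the complete sample file.
SAMPLE_ACIS = [
    '(target= "ldap:///ou=people,o=DeveloperSample,dc=red,dc=iplanet,dc=com")(targetattr = "*")'
    '(version 3.0; acl "Allow JDCAdmin1 Role to read and search users"; allow (read,search) '
    'roledn = "ldap:///cn=JDCAdmin1,o=DeveloperSample,dc=red,dc=iplanet,dc=com";)',
    '(target="ldap:///ou=people,o=DeveloperSample,dc=red,dc=iplanet,dc=com")(targetattr="nsroledn")'
    '(targattrfilters="add=nsroledn:(nsroledn=cn=JDC,o=DeveloperSample,dc=red,dc=iplanet,dc=com),'
    'del=nsroledn:(nsroledn=cn=JDC,o=DeveloperSample,dc=red,dc=iplanet,dc=com)")'
    '(version 3.0; acl "Allow JDCAdmin1 Role to add/remove users to JDC Role"; allow (write) '
    'roledn="ldap:///cn=JDCAdmin1,o=DeveloperSample,dc=red,dc=iplanet,dc=com";)',
    '(target="ldap:///cn=SunPortalportal1DesktopService,dc=red,dc=iplanet,dc=com")(targetattr="*")'
    '(version 3.0; acl "Allow JDCAdmin2 to edit display profile of JDC Role"; allow (all) '
    'roledn="ldap:///cn=JDCAdmin2,o=DeveloperSample,dc=red,dc=iplanet,dc=com";)',
    '(target="ldap:///dc=red,dc=iplanet,dc=com")(targetattr = "*")(version 3.0; '
    'acl "Allow JDCAdmin2 to read and search all"; allow (read,search) '
    'roledn = "ldap:///cn=JDCAdmin2,o=DeveloperSample,dc=red,dc=iplanet,dc=com";)',
]
# Step 1.2 replaces the sample organization DN.  The trailing ",dc=com" is included
# here (assumption) so the result is not "...,dc=sample,dc=hostname,dc=com,dc=com".
OLD_ORG_DN = "o=DeveloperSample,dc=red,dc=iplanet,dc=com"
NEW_ORG_DN = "dc=sample,dc=hostname,dc=com"   # "hostname" is the page's own placeholder
MODIFYING = {"write", "add", "delete", "all"}  # rights that can change directory data


def rewrite_suffix(aci, old=OLD_ORG_DN, new=NEW_ORG_DN):  # the find-and-replace of step 1.2
    return aci.replace(old, new)


def parse_aci(aci):  # the fields a reviewer needs to see what a delegated role may do
    def quoted(keyword):  # value of (keyword="...") or None when the keyword is absent
        m = re.search(r'\(%s\s*=\s*"([^"]*)"\)' % keyword, aci)
        return m.group(1) if m else None
    return {"acl": re.search(r'acl\s+"([^"]*)"', aci).group(1),
            "target": quoted("target").replace("ldap:///", ""),
            "targetattr": quoted("targetattr"),
            "targattrfilters": quoted("targattrfilters"),  # None unless values are restricted
            "rights": sorted(r.strip() for r in re.search(r'allow\s*\(([^)]*)\)', aci).group(1).split(",")),
            "role": re.search(r'roledn\s*=\s*"ldap:///([^"]*)"', aci).group(1).split(",")[0]}


def modifying_grants(acis):  # grants that can change data, and whether targattrfilters bounds them
    return [(p["role"], p["target"], p["targetattr"], p["targattrfilters"] is not None)
            for p in (parse_aci(rewrite_suffix(a)) for a in acis) if set(p["rights"]) & MODIFYING]


def still_sample_dns(acis):  # ACIs that still name the sample suffix after step 1.2 ran
    return [parse_aci(a)["acl"] for a in map(rewrite_suffix, acis) if "dc=red,dc=iplanet" in a]
```

Run it against your own acis.ldif (one string per aci value, continuation lines joined) before loading the file: every entry returned by still_sample_dns needs a second replacement for the bare suffix, and every modifying grant without a bounding targattrfilters deserves a second look.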