Sun Java System Messaging Server 6.3 Administration Guide

23.6 Configuring Administrator Access to Messaging Server

This section mostly pertains to the Sun Java System LDAP Schema v. 1.

This section describes how to control the ways in which server administrators can gain access to Messaging Server. Administrative access to a given Messaging Server and to specific Messaging Server tasks occurs within the context of delegated server administration.

Delegated server administration is a feature of most Sun Java System servers; it refers to the capability of an administrator to provide other administrators with selective access to individual servers and server features. This chapter briefly summarizes delegated server tasks. For more detailed information, see the chapter on delegating server administration in Managing Servers with iPlanet Console.

23.6.1 Hierarchy of Delegated Administration

When you install the first Sun Java System server on your network, the installation program automatically creates a group in the LDAP user directory called the Configuration Administrators group. By default, the members of the Configuration Administrators group have unrestricted access to all hosts and servers on your network.

The Configuration Administrators group is at the top of an access hierarchy, such as the following, that you can create to implement delegated administration (if Sun Java System LDAP Schema v. 1 is used) for Messaging Server:

  1. Configuration administrator. The “super user” for the network of Sun Java System servers. Has complete access to all resources.

  2. Server administrator. A domain administrator might create groups to administer each type of server. For example, a Messaging Administrators group might be created to administer all Messaging Servers in an administrative domain or across the whole network. Members of that group have access to all Messaging Servers (but no other servers) in that administrative domain.

  3. Task administrator. Finally, any of the above administrators might create a group, or designate an individual user, with restricted access to a single Messaging Server or a set of Messaging Servers. Such a task administrator is permitted to perform only specific, limited server tasks (such as starting or stopping the server only, or accessing logs of a given service).

Console provides convenient interfaces that allow an administrator to perform the two tasks described below: providing access to the server as a whole, and restricting access to specific tasks.

Procedure: To Provide Access to the Server as a Whole

This section describes how to give a user or group permission to access a given instance of Messaging Server.

  1. Log in to Console as an administrator with access to the Messaging Server you want to provide access to.

  2. Select that server in the Console window.

    From the Console menu, choose Object, then choose Set Access Permissions.

  3. Add or edit the list of users and groups with access to the server.

    (For more complete instructions, see the chapter on delegating server administration in Managing Servers with iPlanet Console.)

    Once you have set up the list of individuals and groups that have access to the particular Messaging Server, you can then use ACIs, as described next, to delegate specific server tasks to specific people or groups on that list.

23.6.2 To Restrict Access to Specific Tasks

An administrator typically connects to a server to perform one or more administrative tasks. Common administrative tasks are listed in the Messaging Server Tasks form in Console.

By default, access to a particular Messaging Server means access to all of its tasks. However, each task in the Task form can have an attached set of access-control instructions (ACIs). The server consults those ACIs before giving a connected user (who must already be a user with access permissions to the server as a whole) access to any of the tasks. In fact, the server displays in the Tasks form only those tasks to which the user has permission.

If you have access to a Messaging Server, you can create or edit ACIs on any of the tasks (that is, on any of the tasks to which you have access), and thus restrict the access that other users or groups can have to them.
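The two-level check described above, as an added example that is not part of the original guide or of Messaging Server itself: a simplified model showing that a task with no ACI attached stays open to everyone who has access to the server as a whole. The user, group and task names are constructed sample data, and the model covers allow lists only.

```python
# Simplified model of the access check in section 23.6.2 (illustration only).
# All users, groups and task names below are constructed sample data.

GROUPS = {  # group -> members
    "Messaging Administrators": {"alice", "bob"},
    "Log Readers": {"carol"},
}

# Users and groups granted access to the server as a whole.
SERVER_ACCESS = {"Messaging Administrators", "Log Readers", "dave"}

# Task -> principals allowed by its ACIs. A task missing here has no ACI.
TASK_ACIS = {
    "Start Server": {"Messaging Administrators"},
    "Stop Server": {"Messaging Administrators"},
    "View Logs": {"Messaging Administrators", "Log Readers"},
}
ALL_TASKS = ["Start Server", "Stop Server", "View Logs", "Configure Server"]


def principals(user):
    """Return the user plus every group the user belongs to."""
    return {user} | {g for g, members in GROUPS.items() if user in members}


def has_server_access(user):
    """First gate: the user must have access to the server as a whole."""
    return bool(principals(user) & SERVER_ACCESS)


def visible_tasks(user):
    """Tasks shown in the Tasks form: those the user has permission to use."""
    if not has_server_access(user):
        return []
    who = principals(user)
    # No ACI on a task means the default applies: server access implies task access.
    return [t for t in ALL_TASKS if t not in TASK_ACIS or who & TASK_ACIS[t]]


def unrestricted_tasks():
    """Audit helper: tasks still open to every user with server access."""
    return [t for t in ALL_TASKS if t not in TASK_ACIS]


if __name__ == "__main__":
    for user in ("alice", "carol", "dave", "eve"):
        print(user, visible_tasks(user))
    print("no ACI attached:", unrestricted_tasks())
```

In this sample, `dave` has server access but appears in no task ACI, yet still sees `Configure Server` because that task has no ACI attached.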

Procedure: To Restrict the Task Access of a User or Group

  1. Log in to the Console as an administrator with access to the Messaging Server you want to provide restricted access to.

  2. Open the server and select a task in the server’s Tasks form by clicking on the Task text.

  3. From the Edit menu, choose Set Access Permissions, and add or edit the list of access rules to give a user or group the kind of access you want them to have.

  4. Repeat the process for other tasks, as appropriate.

    (For more complete instructions, see the chapter on delegating server administration in Managing Servers with iPlanet Console.)

    ACIs and how to create them are described more fully in the chapter on delegating server administration in Managing Servers with iPlanet Console.