The Instant Messaging and Presence services in Sun Java System Access Manager provide another way to control end user and administrator privileges. Each service has three types of attributes: dynamic, user, and policy. A policy attribute is the type of attribute used to set privileges.
Policy attributes become a part of the rules when rules are added to a policy created in Access Manager to allow or deny administrator and end-user involvement in various Instant Messaging features, such as receiving poll messages from others.
When Instant Messaging server is installed with Sun Java System Access Manager, several example policies and roles are created. See the Sun Java System Access Manager Getting Started Guide and the Sun Java System Access Manager Administration Guide for more information about policies and roles.
You can create new policies and assign those policies to a role, group, organization, or end user as needed to match your site’s needs.
When the Instant Messaging service or the Presence service is assigned to end users, they receive the dynamic and user attributes that apply to them. The dynamic attributes can be assigned to an Access Manager configured role or organization.
When a role is assigned to an end user, or an end user is created in an organization, the dynamic attributes become a characteristic of the end user. The user attributes are assigned directly to each end user; they are not inherited from a role or an organization and, typically, are different for each end user. When an end user logs on, they get all the attributes that are applicable to them, depending upon which roles are assigned to them and how the policies are applied.
Dynamic, user or policy attributes are associated with end users after assigning the Presence and Instant Messaging Services to these end users.
Table 17–3 lists the policy, dynamic, and user attributes for each service.
Table 17–3 Access Manager Attributes for Instant Messaging

| Service | Policy Attributes | Dynamic Attributes | User Attributes |
|---|---|---|---|
| sunIM | sunIMAllowChat, sunIMAllowChatInvite, sunIMAllowForumAccess, sunIMAllowForumManage, sunIMAllowForumModerate, sunIMAllowAlertsAccess, sunIMAllowAlertsSend, sunIMAllowNewsAccess, sunIMAllowNewsManage, sunIMAllowFileTransfer, sunIMAllowContactListManage, sunIMAllowUserSettings, sunIMAllowPollingAccess, sunIMAllowPollingSend | sunIMProperties, sunIMRoster, sunIMConferenceRoster, sunIMNewsRoster, sunIMPrivateSettings | sunIMUserProperties, sunIMUserRoster, sunIMUserConferenceRoster, sunIMUserNewsRoster, sunIMUserPrivateSettings |
| sunPresence | sunPresenceAllowAccess, sunPresenceAllowPublish, sunPresenceAllowManage | sunPresenceDevices, sunPresencePrivacy | sunPresenceEntityDevices, sunPresenceUserPrivacy |
For each attribute in the preceding table, a corresponding label appears in the Access Manager admin console. Table 17–4 lists and describes the policy attributes and Table 17–5 lists and describes the dynamic and user attributes.
Table 17–4 Access Manager Policy Attributes for Instant Messaging

| Policy Attribute | Admin Console Label | Attribute Description |
|---|---|---|
| sunIMAllowChat | Ability to Chat | End users can be invited to join a chat room and access normal chat functionality |
| sunIMAllowChatInvite | Ability to Invite others to Chat | End users can invite others to chat |
| sunIMAllowForumAccess | Ability to Join Conference Rooms | A Conference tab appears in Instant Messenger, allowing end users to join conference rooms |
| sunIMAllowForumManage | Ability to Manage Conference Rooms | End users are able to create, delete, and manage conference rooms |
| sunIMAllowForumModerate | Ability to Moderate Conference Rooms | End users can be conference moderators |
| sunIMAllowAlertsAccess | Ability to Receive Alerts | End users can receive alerts from others |
| sunIMAllowAlertsSend | Ability to Send Alerts | End users can send alerts to others |
| sunIMAllowNewsAccess | Ability to Read News | A News button is displayed in Instant Messenger that enables end users to list news channels in order to receive and send news messages |
| sunIMAllowNewsManage | Ability to Manage News Channels | End users can manage news channels and create, delete, and assign privileges to news channels |
| sunIMAllowFileTransfer | Ability to Exchange Files | End users can add attachments to alert, chat, and news messages |
| sunIMAllowContactListManage | Ability to Manage one’s Contact List | End users can manage their own contact lists; they can add and delete users or groups to and from the list, and they can rename the folders in their contact list |
| sunIMAllowUserSettings | Ability to Manage Messenger | A Settings button is displayed in Instant Messenger that enables end users to change their own Instant Messenger settings |
| sunIMAllowPollingAccess | Ability to Receive Polls | End users can receive poll messages from others, and they can respond to polls |
| sunIMAllowPollingSend | Ability to Send Polls | A Poll button is displayed in Instant Messenger that enables end users to send poll messages to others and to receive the responses |
| sunPresenceAllowAccess | Ability to Access other’s Presence | End users can watch the presence status of others. The contact list, in addition to showing the contact, reflects contacts’ presence status changes by changing the status icon |
| sunPresenceAllowPublish | Ability to Publish Presence | End users can click to select their status (online, offline, busy, etc.) for others to watch |
| sunPresenceAllowManage | Ability to Manage Presence Access | An Access tab is displayed in Instant Messenger settings that allows end users to set up their own default presence access, presence permitted, or presence denied list |
An end user can log into the Access Manager admin console and view the values of the Instant Messaging and Presence service attributes. If the attributes have been defined as modifiable, end users can alter them. By default no attributes in the Instant Messaging service are modifiable, nor is it recommended that end users be allowed to modify them. However, from the standpoint of system administration, manipulating attributes directly can be useful.
For example, since roles do not affect some system attributes, such as setting conference subscriptions, system administrators might want to modify the values of these attributes by copying them from another end user (such as from a conference roster) or by modifying them directly. These attributes are listed in Table 17–5.
User attributes can be set by end users through the Sun Java System Access Manager admin console. Dynamic attributes are set by the administrator. A value set for a dynamic attribute either overrides the corresponding user attribute value or is combined with it.
The nature of each pair of corresponding dynamic and user attributes determines how conflicting and complementary information is resolved. For example, Conference Subscriptions from the two sources (dynamic and user) complement each other, so the subscriptions are merged; neither attribute overrides the other.
Table 17–5 Access Manager User and Dynamic Attributes for Instant Messaging

| Admin Console Label | User Attribute | Dynamic Attribute | Attribute Description | Conflict Resolution |
|---|---|---|---|---|
| Messenger Settings | sunIMUserProperties | sunIMProperties | Contains all the properties for Instant Messenger and corresponds to the user.properties file in the file-based user properties storage | Merge. If a particular property has a value in both the user and the dynamic attribute, the dynamic attribute overrides. |
| Subscriptions | sunIMUserRoster | sunIMRoster | Contains subscription information (user contact list roster) | Merge. If a Jabber identifier is present in both the user and the dynamic attribute, the nickname is taken from the user attribute, the group is the union of all groups from both attributes, and the subscription value is the higher of the user and dynamic values. |
| Conference Subscriptions | sunIMUserConferenceRoster | sunIMConferenceRoster | Contains conference room subscription information | Merge. Dynamic and user subscriptions are merged, and duplicates are removed. |
| News Channel Subscriptions | sunIMUserNewsRoster | sunIMNewsRoster | Contains news channel subscription information | Merge. Dynamic and user subscriptions are merged, and duplicates are removed. |
| Presence Agents | sunPresenceEntityDevices | sunPresenceDevices | Not used in this release (for future use) | The dynamic information is used. |
| Privacy | sunPresenceUserPrivacy | sunPresencePrivacy | Corresponds to the privacy setting in Instant Messenger | Merge. The dynamic value is used if there is a conflict. |
| Instant Messenger Preferences | sunIMUserPrivateSettings | sunIMPrivateSettings | Stores private preferences that are not stored in Messenger Settings | Merge. |
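The conflict-resolution rules in Table 17–5 are easier to check when written out. The following Python is an added illustration, not code from Sun Java System Instant Messaging or Access Manager: it assumes in-memory shapes for the attribute values (a dict for Messenger Settings and Privacy, a small `RosterEntry` record for contact-list items, lists of room or channel names for conference and news subscriptions) and an assumed ranking of roster subscription states, since the table only says that the "highest value" wins. The sample user and dynamic attribute values are constructed for the example.

```python
"""Added example (not Sun Java System Instant Messaging code): applies the
conflict-resolution rules of Table 17-5 to an end user's own attributes and
the dynamic attributes inherited from a role or organization. The in-memory
representations below are assumptions made for this illustration."""

from dataclasses import dataclass

# Assumed ordering of roster subscription states, lowest to highest; the
# table only says the "highest value" wins, so this ranking is an assumption.
SUBSCRIPTION_RANK = {"none": 0, "from": 1, "to": 2, "both": 3}


@dataclass(frozen=True)
class RosterEntry:
    """One contact-list entry (assumed shape of a sunIMRoster item)."""
    jid: str
    nickname: str
    groups: frozenset
    subscription: str


def merge_properties(user_props, dynamic_props):
    """Messenger Settings (and Privacy): union of both property sets; where
    the same property is set in both, the dynamic (administrator-set) value
    overrides the end user's own value."""
    merged = dict(user_props)
    merged.update(dynamic_props)
    return merged


def merge_roster(user_roster, dynamic_roster):
    """Subscriptions: for a JID present in both rosters, the nickname comes
    from the user attribute, groups are the union, and the subscription is
    the highest of the two; JIDs present in only one roster are kept."""
    by_jid = {entry.jid: entry for entry in dynamic_roster}
    for user_entry in user_roster:
        dyn_entry = by_jid.get(user_entry.jid)
        if dyn_entry is None:
            by_jid[user_entry.jid] = user_entry
            continue
        by_jid[user_entry.jid] = RosterEntry(
            jid=user_entry.jid,
            nickname=user_entry.nickname,
            groups=user_entry.groups | dyn_entry.groups,
            subscription=max(user_entry.subscription, dyn_entry.subscription,
                             key=SUBSCRIPTION_RANK.__getitem__),
        )
    return sorted(by_jid.values(), key=lambda entry: entry.jid)


def merge_subscriptions(user_subs, dynamic_subs):
    """Conference and News Channel Subscriptions: union, duplicates removed."""
    return sorted(set(user_subs) | set(dynamic_subs))


def effective_profile(user_attrs, dynamic_attrs):
    """Resolve each (user attribute, dynamic attribute) pair from Table 17-5
    into the values the end user effectively gets at logon."""
    return {
        "sunIMProperties": merge_properties(
            user_attrs.get("sunIMUserProperties", {}),
            dynamic_attrs.get("sunIMProperties", {})),
        "sunIMRoster": merge_roster(
            user_attrs.get("sunIMUserRoster", []),
            dynamic_attrs.get("sunIMRoster", [])),
        "sunIMConferenceRoster": merge_subscriptions(
            user_attrs.get("sunIMUserConferenceRoster", []),
            dynamic_attrs.get("sunIMConferenceRoster", [])),
        "sunIMNewsRoster": merge_subscriptions(
            user_attrs.get("sunIMUserNewsRoster", []),
            dynamic_attrs.get("sunIMNewsRoster", [])),
        "sunPresencePrivacy": merge_properties(
            user_attrs.get("sunPresenceUserPrivacy", {}),
            dynamic_attrs.get("sunPresencePrivacy", {})),
    }


# Constructed sample data: what one end user set for themselves ...
USER_ATTRS = {
    "sunIMUserProperties": {"theme": "light", "sounds": "on"},
    "sunIMUserRoster": [
        RosterEntry("alice@company22.example.com", "Ali",
                    frozenset({"Friends"}), "to"),
    ],
    "sunIMUserConferenceRoster": ["room-a", "room-b"],
    "sunIMUserNewsRoster": ["news-hr"],
    "sunPresenceUserPrivacy": {"show-idle": "yes"},
}

# ... and what the administrator set on the user's role or organization.
DYNAMIC_ATTRS = {
    "sunIMProperties": {"theme": "dark"},
    "sunIMRoster": [
        RosterEntry("alice@company22.example.com", "Alice Smith",
                    frozenset({"Engineering"}), "from"),
        RosterEntry("bob@company22.example.com", "Bob",
                    frozenset({"Engineering"}), "both"),
    ],
    "sunIMConferenceRoster": ["room-b", "room-c"],
    "sunIMNewsRoster": ["news-hr", "news-all"],
    "sunPresencePrivacy": {"show-idle": "no"},
}

if __name__ == "__main__":
    for name, value in effective_profile(USER_ATTRS, DYNAMIC_ATTRS).items():
        print(name, value)
```

Running the block shows the practical consequence of the rules: the administrator's `theme` and privacy values win, alice keeps the nickname the user chose but gains the administrator's group and the higher subscription state, and the two conference subscription lists become one de-duplicated list.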
Table 17–6 lists and describes the seven example policies and roles that are created in Sun Java System Access Manager when the Instant Messaging service component is installed. You can add end users to different roles according to the access control you want to give them.
A typical site might want to assign the role IM Regular User (a role that receives the default Instant Messaging and Presence access) to end users who simply use Instant Messenger but have no responsibilities in administering Instant Messaging policies. The same site might assign the role IM Administrator (a role associated with the ability to administer the Instant Messaging and Presence services) to particular end users with full responsibilities in administering Instant Messaging policies. Table 17–7 lists the default assignment of privileges among the policy attributes. If an action is not selected in a rule, the values allow and deny are not relevant, because the policy then does not affect that attribute.
Table 17–6 Default Policies and Roles for Sun Java System Access Manager

| Policy | Role to Which the Policy Applies | Service to Which the Policy Applies | Policy Description |
|---|---|---|---|
| Default Instant Messaging and presence access | IM Regular User | sunIM, sunPresence | The default access that a regular Instant Messaging end user should have. |
| Ability to administer Instant Messaging and Presence Service | IM Administrator | sunIM, sunPresence | The access that an Instant Messaging Administrator has, which is access to all Instant Messaging features. |
| Ability to manage Instant Messaging news channels | IM News Administrator | sunIM | End users can manage news channels by creating, deleting, etc. |
| Ability to manage Instant Messaging conference rooms | IM Conference Rooms Administrator | sunIM | End users can manage conference rooms by creating, deleting, etc. |
| Ability to change own Instant Messaging user settings | IM Allow User Settings Role | sunIM | End users can edit settings by modifying values in the Settings dialog box in Instant Messenger. |
| Ability to send Instant Messaging alerts | IM Allow Send Alerts Role | sunIM | End users can send alerts in Instant Messenger. |
| Ability to watch changes on other Instant Messaging end users | IM Allow Watch Changes Role | sunIM | End users can access the presence status of other Instant Messaging end users. |
Table 17–7 Default Policy Assignments

Each column after the first is one of the default policies; an empty cell means the action is not selected in that policy's rule, so the policy does not affect that attribute.

| Attribute | Default access | Can administer Instant Messaging and Presence Service | Can manage news channels | Can manage conference rooms | Can change own end-user settings | Can send alerts | Can watch changes to other users |
|---|---|---|---|---|---|---|---|
| sunIMAllowChat | allow | allow | | | | | |
| sunIMAllowChatInvite | allow | allow | | | | | |
| sunIMAllowForumAccess | allow | allow | | allow | | | |
| sunIMAllowForumManage | deny | allow | | allow | | | |
| sunIMAllowForumModerate | deny | allow | | allow | | | |
| sunIMAllowAlertsAccess | allow | allow | | | | allow | |
| sunIMAllowAlertsSend | allow | allow | | | | allow | |
| sunIMAllowNewsAccess | allow | allow | allow | | | | |
| sunIMAllowNewsManage | deny | allow | allow | | | | |
| sunIMAllowFileTransfer | allow | allow | | | | | |
| sunIMAllowContactListManage | allow | allow | | | | | |
| sunIMAllowUserSettings | allow | allow | | | allow | | |
| sunIMAllowPollingAccess | allow | allow | | | | | |
| sunIMAllowPollingSend | allow | allow | | | | | |
| sunPresenceAllowManage | allow | allow | | | | | |
| sunPresenceAllowAccess | allow | allow | | | | | allow |
| sunPresenceAllowPublish | allow | allow | | | | | |
You can create new policies to fit the specific needs of your site.

1. Log in to the Access Manager admin console at http://hostname:port/amconsole.
   For example: http://imserver.company22.example.com:80/amconsole
2. Select the Identity Management tab.
3. Select Policies in the View drop-down list in the navigation pane (the lower-left frame).
4. Click New.
   The New Policy page appears in the data pane (the lower-right frame).
5. Select Normal for the Type of Policy.
6. Enter a policy description in the Name field.
   For example: Ability to Perform IM Task.
7. Click Create.
   The Access Manager admin console displays the name of the new policy in the policy list in the navigation pane and brings up the Edit page for your new policy.
8. On the Edit page, select Rules in the View drop-down list.
   The Rule Name Service Resource panel appears inside the Edit page.
9. Click Add.
   The Add Rule page appears.
10. Select the Service that applies.
    You can select either Instant Messaging Service or Presence Service. Each service enables you to allow or deny end users the ability to perform specific actions. For example, Ability to Chat is an action specific to the Instant Messaging service, while Ability to Access other’s Presence is an action specific to the Presence service.
11. Enter a description for the rule in the Rule Name field.
    For example: Rule 1
12. Enter the appropriate Resource Name: IMResource for Instant Messaging Service, or PresenceResource for Presence Service.
13. Select the Actions that you want to apply.
14. Select the Value for each action.
    You can select either Allow or Deny.
15. Click Create.
    The proposed rule is displayed in the list of saved rules for that policy.
16. Click Save.
    The proposed rule becomes a saved rule.
17. Repeat steps 9-16 for any additional rules that you want to apply to that policy.
You can assign policies to a role, group, organization, or user. This includes the default policies and any policies that were created after Instant Messaging was installed.

1. Log in to the Access Manager admin console at http://hostname:port/amconsole.
   For example: http://imserver.company22.example.com:80/amconsole
2. Select the Identity Management tab.
3. Select Policies in the View drop-down list in the navigation pane (the lower-left frame).
4. Click the arrow next to the name of the policy you want to assign.
   The Edit page for that policy appears in the data pane (the lower-right frame).
5. On the Edit page, select Subjects in the View drop-down list.
6. Click Add.
   The Add Subject page appears, which lists the possible subject types: Access Manager Roles, LDAP Groups, LDAP Roles, LDAP Users, and Organization.
7. Select the subject type that matches the policy.
   For example, Organization.
8. Click Next.
9. In the Name field, enter a description of the subject.
10. (Optional) Select the Exclusive check box.
    The Exclusive check box is not selected by default, which means that the policy applies to all members of the subject. Selecting the Exclusive check box applies the policy to everyone who is not a member of the subject.
11. In the Available field, search for the entries that you want to add to your subject:
    a. Type a search pattern for the entries you want to find.
       The default search is *, which displays all the subjects for that subject type.
    b. Click Search.
    c. Highlight the entries in the Available text box that you want to add to the Selected text box.
    d. Click Add or Add All, whichever applies.
    e. Repeat steps a-d until you have added all the names you want to the Selected text box.
12. Click Create.
    The proposed subject appears in the list of proposed subjects for that policy.
13. Click Save.
    The proposed subject becomes a saved subject.
14. Repeat steps 6-13 for any additional subjects that you want to add to the policy.
The ability to create suborganizations using Sun Java System Access Manager enables organizationally separate populations to be created within the Instant Messaging server. Each suborganization can be mapped to a different DNS domain. End users in one suborganization are completely isolated from those in another. The following procedure describes the minimal steps to create a new suborganization for Instant Messaging.

1. Log in to the Access Manager admin console at http://hostname:port/amconsole.
   For example: http://imserver.company22.example.com:80/amconsole
2. Select the Identity Management tab.
3. Create a new organization:
   a. Select Organizations in the View drop-down list in the navigation pane (the lower-left frame).
   b. Click New.
      The New Organization page appears in the data pane (the lower-right frame).
   c. Enter a suborganization name.
      For example: sub1
   d. Enter a domain name.
      For example: sub1.company22.example.com
   e. Click Create.
4. Register services for the newly created suborganization:
   a. Click the name of the new suborganization in the navigation pane.
      For example, click sub1. Ensure that you click the name, not the property arrow at the right.
   b. Select Services from the View drop-down list in the navigation pane.
   c. Click Register.
      The Register Services page appears in the data pane.
   d. Select the following services under the Authentication heading: Core and LDAP.
   e. Select the following services under the Instant Messaging Configuration heading: Instant Messaging Service and Presence Service.
   f. Click Register.
      The newly selected services for this suborganization appear in the navigation pane.
5. Create service templates for the newly selected services:
   a. In the navigation pane, click the property arrow for a service, starting with the Core service.
      The Create Service Template page appears in the data pane.
   b. In the data pane, click Create.
      A page displaying a list of template options for the service you have selected appears. You should click Create for each service even when you do not want to modify the template options.
   c. Modify the options for the service template of each service as follows:
      Core: Generally, no options need to be modified.
      LDAP: Add the prefix of the new suborganization to the DN to Start User Search field. After adding the prefix, the final DN should be in this format: o=sub1,dc=company22,dc=example,dc=com. Enter the LDAP password in the Password for Root User Bind and Password for Root User Bind (confirm) fields.
      Instant Messaging Service: Generally, no options need to be modified.
   d. Click Save.
   e. Repeat steps a-d until you have created service templates for each service.
After new end users have been created in a suborganization, they need to be assigned roles. Roles can be inherited from the parent organization.

1. Log in to the Access Manager admin console at http://hostname:port/amconsole.
   For example: http://imserver.company22.example.com:80/amconsole
2. Select the Identity Management tab.
3. Select Roles in the View drop-down list in the navigation pane (the lower-left frame).
4. Click the property arrow to the right of the role you wish to assign.
   A page for that role appears in the data pane (the lower-right frame).
5. Select Users from the View drop-down list in the data pane.
6. Click Add.
   The Add Users page appears.
7. Enter a matching pattern to identify users.
   For example, an asterisk (*) in the UserId field lists all users.
8. Click Filter.
   The Select User page appears.
9. On the Select User page, check the Show Parentage Path check box and click Refresh.
   The parentage path is displayed.
10. Select the users to be assigned to this role.
11. Click Submit.