Setting Up Administration Channels for Delegated Administration

Procedure: To Set Up Channels for a Role Administrator

Steps
  1. Load the following ACIs. To load them, type ldapmodify -D "cn=directory manager" -w password -f acis.ldif, where password is the Directory Manager bind password.

    acis.ldif

    # All ACIs below belong to one modify record: a blank line would end the
    # record, so the comments are kept inside it and no blank lines are used.
    # The dn must be the suffix that contains the ACI targets; the targets
    # below are under dc=red,dc=iplanet,dc=com.
    dn: dc=sample,dc=siroe,dc=com
    changetype: modify
    # aci for JDCAdmin1 role
    add: aci
    aci: (target="ldap:///ou=people,o=DeveloperSample,dc=red,dc=iplanet,dc=com")(targetattr="*")(version 3.0; acl "Allow JDCAdmin1 Role to read and search users"; allow (read,search) roledn="ldap:///cn=JDCAdmin1,o=DeveloperSample,dc=red,dc=iplanet,dc=com";)
    -
    add: aci
    aci: (target="ldap:///dc=red,dc=iplanet,dc=com")(targetfilter="(entrydn=cn=JDC,o=DeveloperSample,dc=red,dc=iplanet,dc=com)")(targetattr="*")(version 3.0; acl "Allow JDCAdmin1 Role to read and search JDC Role"; allow (read,search) roledn="ldap:///cn=JDCAdmin1,o=DeveloperSample,dc=red,dc=iplanet,dc=com";)
    -
    # Write access is limited three ways: only entries under ou=people, only
    # entries that do not already hold a privileged admin role (negated
    # targetfilter), and only the value cn=JDC may be added to or removed
    # from nsroledn (targattrfilters).
    add: aci
    aci: (target="ldap:///ou=people,o=DeveloperSample,dc=red,dc=iplanet,dc=com")(targetattr="nsroledn")(targetfilter="(!(|(nsroledn=cn=Top-level Admin Role,dc=red,dc=iplanet,dc=com)(nsroledn=cn=Top-level Help Desk Admin Role,dc=red,dc=iplanet,dc=com)(nsroledn=cn=Organization Admin Role,o=DeveloperSample,dc=red,dc=iplanet,dc=com)(nsroledn=cn=Top-level Policy Admin Role,dc=red,dc=iplanet,dc=com)))")(targattrfilters="add=nsroledn:(nsroledn=cn=JDC,o=DeveloperSample,dc=red,dc=iplanet,dc=com),del=nsroledn:(nsroledn=cn=JDC,o=DeveloperSample,dc=red,dc=iplanet,dc=com)")(version 3.0; acl "Allow JDCAdmin1 Role to add/remove users to JDC Role"; allow (write) roledn="ldap:///cn=JDCAdmin1,o=DeveloperSample,dc=red,dc=iplanet,dc=com";)
    -
    # aci for JDCAdmin2 role
    # The targetfilter value must be quoted like the other ACIs.
    add: aci
    aci: (target="ldap:///cn=SunPortalportal1DesktopService,dc=red,dc=iplanet,dc=com")(targetfilter="(cn=cn=JDC,o=DeveloperSample,dc=red,dc=iplanet,dc=com)")(targetattr="*")(version 3.0; acl "Allow JDCAdmin2 to edit display profile of JDC Role"; allow (all) roledn="ldap:///cn=JDCAdmin2,o=DeveloperSample,dc=red,dc=iplanet,dc=com";)
    -
    add: aci
    aci: (target="ldap:///dc=red,dc=iplanet,dc=com")(targetattr="*")(version 3.0; acl "Allow JDCAdmin2 to read and search all"; allow (read,search) roledn="ldap:///cn=JDCAdmin2,o=DeveloperSample,dc=red,dc=iplanet,dc=com";)
  2. Log in to the Sun Java System Access Manager administration console as amAdmin and navigate to the DeveloperSample organization to do the following:

    1. Create a static role JDC with Type set to Service and no access permissions.

    2. Create static roles JDCAdmin1 and JDCAdmin2 of the Administrative type with no access permissions.

    3. Create users jdcuser, jdcuadmin, and jdctadmin.

    4. Assign role JDCAdmin1 to jdcuadmin and role JDCAdmin2 to jdctadmin.

  3. Log out of the Access Manager administration console and log in to the Portal Server management console to do the following:

    1. Select Portals → portal-ID → Add DNs and search for roles with the filter JDC.

    2. Select the JDC, JDCAdmin1, and JDCAdmin2 roles and click Add to add them to the location bar.

    3. Select the JDCAdmin2 role from the location bar.

    4. In the dp-orgadmin.xml file in the PortalServer-base/export/dp/admin directory, replace the tokens @SAMPLE_ORG@ and @DEFAULT_ORG@ with the roleDN of the JDC role (for example, cn=JDC,o=DeveloperSample,dc=sample,dc=siroe,dc=com). Then select the Upload Display Profile link in the Tasks section and upload dp-orgadmin.xml from that directory.

    5. Select the Manage Channels and Containers link.

    6. Select AdminTabPanelContainer in the tree and click Show/Hide Channels/Containers in the Tasks section of the right frame.

    7. Remove the UserAdmin container from the Available and Selected lists and click Save.

      This removes the user administration channels for the JDCAdmin2 role.

    8. Click the Back button and select the JDCAdmin1 role from the location bar.

    9. Repeat steps 6 and 7, this time removing the content administration channels and containers from the Available and Selected lists, and click Save.

      This removes the content administration channels for the JDCAdmin1 role.

  4. Log out of the Portal Server management console and log in as jdcuadmin and as jdctadmin (in the Developer Sample desktop) to view the administration channels in the Admin tab for each user.
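The third ACI in step 1 is the one that delegates membership management, and it is worth being precise about what it does and does not allow. The following is an added example, not code from the Sun documentation: a Python model of that ACI's decision, with the same three scoping layers (target subtree, negated targetfilter on privileged role holders, targattrfilters limiting the value to cn=JDC). The function name and the uid=jdcuser entry DN are assumptions made for the example; the DNs otherwise come from the LDIF.

```python
"""Model of the nsroledn-write ACI granted to JDCAdmin1 (added example, not from the Sun docs)."""
from __future__ import annotations

BASE = "dc=red,dc=iplanet,dc=com"
PEOPLE = f"ou=people,o=developersample,{BASE}"          # ACI target subtree
JDC_ROLE = f"cn=jdc,o=developersample,{BASE}"            # only value allowed by targattrfilters
JDCADMIN1_ROLE = f"cn=jdcadmin1,o=developersample,{BASE}"  # roledn in the bind rule
# Entries holding any of these roles are excluded by the ACI's negated targetfilter.
PROTECTED_ROLES = frozenset({
    f"cn=top-level admin role,{BASE}",
    f"cn=top-level help desk admin role,{BASE}",
    f"cn=organization admin role,o=developersample,{BASE}",
    f"cn=top-level policy admin role,{BASE}",
})


def norm(dn: str) -> str:
    """Case- and whitespace-insensitive DN form, sufficient for this model."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def in_subtree(entry_dn: str, base_dn: str) -> bool:
    """True if entry_dn is base_dn or lies below it."""
    e, b = norm(entry_dn), norm(base_dn)
    return e == b or e.endswith("," + b)


def jdcadmin1_may_change_nsroledn(requester_roles, entry_dn, entry_roles, op, value) -> bool:
    """Decide whether a requester may add/del `value` in nsroledn of `entry_dn`.

    requester_roles / entry_roles are lists of role DNs held by the requester and by the
    target entry; op is "add" or "del". Every layer must allow the change.
    """
    # Bind rule: the requester must hold the JDCAdmin1 role.
    if norm(JDCADMIN1_ROLE) not in {norm(r) for r in requester_roles}:
        return False
    # target: only entries under ou=people of the DeveloperSample organization.
    if not in_subtree(entry_dn, PEOPLE):
        return False
    # targetfilter: entries that already hold a privileged admin role are out of scope.
    if {norm(r) for r in entry_roles} & PROTECTED_ROLES:
        return False
    # targattrfilters: the only nsroledn value that may be added or removed is cn=JDC.
    return op in ("add", "del") and norm(value) == norm(JDC_ROLE)


if __name__ == "__main__":
    admin = [f"cn=JDCAdmin1,o=DeveloperSample,{BASE}"]
    user = f"uid=jdcuser,ou=people,o=DeveloperSample,{BASE}"  # assumed entry DN
    print(jdcadmin1_may_change_nsroledn(admin, user, [], "add", f"cn=JDC,o=DeveloperSample,{BASE}"))
```

The cases that return False are the ones an auditor checks first: granting any role other than JDC, touching an entry that already holds an admin role, and acting outside ou=people.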