Configuring Roles Defined in the Directory


Responsibilities assigned to each user in Siebel Business Applications provide users with access to particular views in the application. Responsibilities are created in the Siebel application and are stored in the Siebel database. One or more responsibilities are typically associated with each user in the Administration - Application screen.

Creating roles in the LDAP directory or Active Directory is another means of associating Siebel responsibilities with users. Roles are useful for managing large collections of responsibilities. A user has access to all the views associated with all the responsibilities that are directly or indirectly associated with the user.

You can choose to store users' Siebel responsibilities as roles in a directory attribute instead of in the Siebel database in the following authentication strategies:

  • Security adapter authentication: LDAP, ADSI, custom (not database authentication)
  • Web SSO authentication

NOTE: You can store Siebel user responsibilities as roles in a directory attribute, but you cannot store Siebel user positions as roles in a directory attribute.

It is recommended that you assign responsibilities in the database or in the directory, but not in both places. If you define a directory attribute for roles, but you do not use it to associate responsibilities with users, then leave the attribute empty. If you use roles to administer user responsibilities, then create responsibilities in the Siebel application, but do not assign responsibilities to users through the Siebel application interface.

To configure roles defined in the directory

  1. In the directory, define a directory attribute for roles.

    To make sure that you can assign more than one responsibility to any user, define the roles directory attribute as a multivalue attribute. The security adapters supported by Siebel Business Applications cannot read more than one responsibility from a single-value attribute.

  2. For each user, in the directory attribute for roles, enter the names of the Siebel responsibilities that you want the user to have. Enter one responsibility name, such as Web Registered User, in each element of the multivalue field. Role names are case-sensitive.
  3. Configure the security adapters provided with Siebel Business Applications to retrieve roles for a user from the directory by setting the RolesAttributeType parameter for the LDAP or ADSI security adapter. For example, for the LDAP security adapter, define the following parameter:

    RolesAttributeType = attribute_in_which_roles_are_stored

    For information about setting Siebel Gateway Name Server configuration parameters, see Siebel Gateway Name Server Parameters. For Developer Web Client, define these parameters in the corresponding section in the application configuration file, such as uagent.cfg for Siebel Call Center. For Gateway Name Server authentication, define these parameters in the gateway.cfg file.
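A check that supports steps 1 to 3 above, as an added example that is not part of the Siebel documentation: it audits an LDIF export of the roles attribute for values that do not exactly match a responsibility name (role names are case-sensitive) or that pack several names into one value. The attribute name `siebelRoles`, the responsibility list and the sample entries are constructed for illustration.

```python
ROLES_ATTR = "siebelRoles"  # hypothetical RolesAttributeType value (assumption)

# Responsibility names as created in the Siebel application (constructed list).
RESPONSIBILITIES = {"Web Registered User", "Call Center Agent"}

# Constructed sample export; not taken from a real directory.
SAMPLE_LDIF = """\
dn: uid=asmith,ou=people,dc=example,dc=com
siebelRoles: Web Registered User
siebelRoles: Call Center Agent

dn: uid=bjones,ou=people,dc=example,dc=com
siebelRoles: web registered user

dn: uid=cdoe,ou=people,dc=example,dc=com
siebelRoles: Web Registered User,Call Center Agent
"""

def parse_ldif(text):
    """Yield (dn, [role values]) per entry; plain 'attr: value' lines only."""
    for block in text.strip().split("\n\n"):
        dn, roles = None, []
        for line in block.splitlines():
            name, _, value = line.partition(":")
            if name.lower() == "dn":
                dn = value.strip()
            elif name.lower() == ROLES_ATTR.lower():
                roles.append(value.strip())
        yield dn, roles

def audit(text, known=RESPONSIBILITIES):
    """Return (dn, value, reason) for each role value that is not an exact match."""
    by_lower = {r.lower(): r for r in known}
    findings = []
    for dn, roles in parse_ldif(text):
        for value in roles:
            if value in known:
                continue  # exact, case-sensitive match
            if value.lower() in by_lower:
                reason = "case mismatch, expected %r" % by_lower[value.lower()]
            elif any(p.strip() in known for p in value.split(",")):
                reason = "several names in one value; enter one per element"
            else:
                reason = "no responsibility with this name"
            findings.append((dn, value, reason))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LDIF):
        print(*finding, sep=" | ")
```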

Siebel Security Guide Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Legal Notices.