Sun Java System Portal Server 6 2004Q2 Administration Guide
Chapter 4
Configuring Delegated Administration
This chapter describes how to configure delegated administration for Sun Java System Portal Server.
This chapter contains these sections:
Overview of Delegated Administration
As enterprises build larger and more complex portals, a centralized administration model is no longer viable. Delegated administration, also called Line of Business (LOB) administration, addresses this by distributing administration tasks to the portal users who own the business they serve.
Sun Java System Portal Server lets you delegate administration functions to users by using roles. Role-based administration enables an enterprise to break its business into smaller organizations or lines of business (LOB) and then lets different users administer the organizations, suborganizations, users, policy, roles, and channels of an LOB according to the roles those users hold.
Table 4-1 lists and defines some important delegated administration terms as they apply in the Sun Java System Portal Server. The table contains two columns: the first column lists the term and the second column gives a brief description.
Delegated Administration Roles
The Sun Java System Identity Server administration console provides role-based delegated administration: different kinds of administrators manage organizations, users, policy, roles, and channels according to the permissions they have been granted.
The Sun Java System Identity Server administration console provides a number of predefined administrator roles for delegating administration functions. They are as follows:
For detailed information on these roles, refer to the Sun Java System Identity Server product documentation.
You can use these predefined administrator roles to set up your delegated administration implementation if their function fits the need. For example, if the directory structure for your model comprises an organization with multiple suborganizations, you could assign Organization Admin roles to users to create delegated administrators for each of the suborganizations. However, if the organizational structure of your enterprise is more complicated, you might want to create a delegated administration model that targets your specific needs. To do this, the Sun Java System Identity Server administration console lets you define delegated administrator roles with privileges specific to your business needs.
To implement an enterprise-specific delegated administration model, there are three critical conceptual roles: the Top-level Admin Role, the Organization Admin Role, and the Role Administrator Role.
The Top-level Admin Role is created when the system is set up, and the Organization Admin Role is created automatically when a new organization is set up. The Role Administrator Role is a role you create based on the requirements of the delegated administration model. The access permissions for a Role Administrator Role are defined by directly editing the corresponding Access Control Instructions (ACIs).
In delegated administration, the following principles apply:
- A user's privileges are granted through the user's roles.
- Privileges are granted to an individual user by defining a role with the desired privileges and assigning that role to the user.
- Sets of users can be grouped by assigning them a specific role. Those users are granted the privileges of that role and inherit the values of the dynamic attributes defined for it.
- Users can have multiple, or aggregated, roles, and have access to the combined features of all of them. When features granted by aggregated roles conflict, the conflict is resolved by the priority configured through the Conflict Resolution Level defined for each service on each of those roles. There are seven conflict resolution settings, ranging from Highest to Lowest. When an attribute conflict occurs as the role templates of multiple roles are merged, the attribute value from the template with the highest conflict resolution level is returned.
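The merge rule in the last item, written out as an added example that is not code from Identity Server: each role template carries one Conflict Resolution Level, and for every attribute the value from the template with the strongest level wins. The seven level names, the attribute names in the sample, and the tie rule (the first assigned role wins among equal levels) are assumptions made for illustration; the chapter itself states only that there are seven settings from Highest to Lowest.

```python
"""Added example (not Identity Server code): merging the service attributes of
a user's aggregated roles by Conflict Resolution Level.  The level names and
the tie rule (first assigned role wins among equal levels) are assumptions."""

# Assumed names of the seven settings, strongest first.
LEVELS = ["Highest", "Higher", "High", "Medium", "Low", "Lower", "Lowest"]
RANK = {name: i for i, name in enumerate(LEVELS)}   # 0 is the strongest


def merge_role_templates(templates):
    """templates: list of (role_name, level, {attribute: value}), in the
    order the roles were assigned to the user.
    Returns {attribute: (value, role_name)} holding, per attribute, the value
    from the template whose Conflict Resolution Level is strongest."""
    merged = {}
    for role, level, attrs in templates:
        if level not in RANK:
            raise ValueError("unknown Conflict Resolution Level %r" % level)
        for attr, value in attrs.items():
            current = merged.get(attr)
            # Strict '<' keeps the earlier role when levels are equal (assumption).
            if current is None or RANK[level] < current[2]:
                merged[attr] = (value, role, RANK[level])
    return {attr: (value, role) for attr, (value, role, _) in merged.items()}


# Constructed sample: two Desktop-service role templates that disagree on two
# attributes.  The attribute names are illustrative, not real Desktop attributes.
SAMPLE_TEMPLATES = [
    ("JDC", "Medium", {"DefaultChannel": "JDCTabContainer",
                        "ShowDesktopAttributes": "true",
                        "Locale": "en_US"}),
    ("JDCAdmin2", "High", {"DefaultChannel": "AdminTabContainer",
                            "ShowDesktopAttributes": "false"}),
]

if __name__ == "__main__":
    for attr, (value, role) in sorted(merge_role_templates(SAMPLE_TEMPLATES).items()):
        print("%-22s = %-18s (from %s)" % (attr, value, role))
```

With the sample, JDCAdmin2 (High) overrides both attributes it sets, while Locale, which only JDC defines, comes through unchanged; assignment order does not matter, only the level does.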
Developing a Delegated Administration Model
In order to delegate administration functions for Sun Java System Portal Server appropriately, you should develop a delegated administration model to help determine the administration roles required for your enterprise. Consider the following when developing your model:
- Focus on the business requirements of your enterprise. In general, the proposed role-based delegated administration solution should parallel the business requirements.
- Develop a directory structure that enables users to be grouped so they can access their required resources and have their administration needs managed by a delegated administrator.
- Try to fit your business entities into a standard tree structure as much as possible while still addressing all the business requirements. You can use a hierarchy of organizations and suborganizations or a flat directory tree structure. In a flat directory structure, all the entities are defined immediately beneath the top-level organization and all the roles (including Role Administrator Roles) are "parallel" to each other in terms of the organizational hierarchy. For example, all the users affiliated with a business unit would be created in people containers under the top-level organization, and for each access role and administrative role needed in your model a corresponding role would be created at the top level.
Configuring Delegated Administration
The high-level steps that you perform to configure a delegated administration implementation for Sun Java System Portal Server are:
Defining the ACI Settings for Role Administrator Roles
To configure the appropriate privileges for any of the role administrator roles you identified in your delegation model, you must define the appropriate permissions in an ACI for each unique role in the model. You can define an ACI permission template for a role using the Sun Java System Identity Server administration console or the Directory Server console. You can also define an ACI for a specific role using the ldapmodify command.
Use the following format when defining ACI permission templates in the Sun Java System Identity Server administration console or with the Directory Server console:
permission_name | aci_desc | dn:aci ## dn:aci ## dn:aci
where:
permission_name is the name of the permission.
aci_desc is a text description of the access these ACIs allow.
dn:aci represents pairs of DNs and ACIs separated by ##. Sun Java System Identity Server sets each ACI in the entry of the associated DN.
This format also supports tags that can be substituted for values that would otherwise have to be specified literally in an ACI: ROLENAME, ORGANIZATION, GROUPNAME, and PCNAME. Using these tags lets you define roles flexible enough to be used as defaults. When a role is created based on one of the default roles, the tags in the ACI resolve to values taken from the DN of the new role.
For detailed information on setting ACIs, refer to the Sun Java System Identity Server Programmer's Guide.
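An added example, not part of this guide or of the product, of what the console does with a template in this format: it splits the string into its permission name, description and dn:aci pairs, resolves the ROLENAME and ORGANIZATION tags from the DN of the new role, and writes the resolved ACIs as LDIF of the kind that the command-line procedure below loads with ldapmodify -f. The sample template is constructed from the first two JDCAdmin1 ACIs shown later in this chapter, with the literal role name, organization DN and people container replaced by tags. How the console derives GROUPNAME and PCNAME is not stated here, so this code takes them as caller-supplied values, which is an assumption.

```python
"""Added example (not Identity Server code): expand an ACI permission
template and emit LDIF for ldapmodify.  GROUPNAME and PCNAME are supplied by
the caller here, which is an assumption about how the console resolves them."""
import re

TAG_RE = re.compile(r"\b(ROLENAME|ORGANIZATION|GROUPNAME|PCNAME)\b")

# Constructed sample in the 'permission_name | aci_desc | dn:aci ## dn:aci'
# format: the first two JDCAdmin1 ACIs from this chapter with the literal
# role name, organization DN and people container replaced by tags.
SAMPLE_TEMPLATE = (
    'ROLENAME|Read and search users and the JDC role|'
    'ORGANIZATION:aci: (target= "ldap:///ou=PCNAME,ORGANIZATION") '
    '(targetattr = "*")(version 3.0; acl "Allow ROLENAME Role to read and '
    'search users"; allow (read,search) roledn = '
    '"ldap:///cn=ROLENAME,ORGANIZATION";)'
    '##ORGANIZATION:aci: (target="ldap:///ORGANIZATION") '
    '(targetfilter="(entrydn=cn=JDC,ORGANIZATION)")(targetattr="*")'
    '(version 3.0; acl "Allow ROLENAME Role to read and search JDC Role";'
    'allow (read,search) roledn="ldap:///cn=ROLENAME,ORGANIZATION";)'
)


def parse_permission_template(template):
    """Split the template into (permission_name, aci_desc, [(dn, aci), ...])."""
    parts = template.split("|", 2)
    if len(parts) != 3:
        raise ValueError("expected permission_name|aci_desc|dn:aci##dn:aci")
    name, desc, body = (p.strip() for p in parts)
    pairs = []
    for chunk in body.split("##"):
        # The DN runs up to the ':aci:' marker; the ACI value follows it.
        dn, sep, aci = chunk.strip().partition(":aci:")
        if not sep:
            raise ValueError("pair without ':aci:' separator: %r" % chunk)
        pairs.append((dn.strip(), aci.strip()))
    return name, desc, pairs


def tag_values(role_dn, groupname=None, pcname=None):
    """ROLENAME and ORGANIZATION come from the new role's DN
    (cn=<ROLENAME>,<ORGANIZATION>); GROUPNAME and PCNAME are caller-supplied
    here (assumption)."""
    rdn, _, org = role_dn.partition(",")
    attr, _, rolename = rdn.partition("=")
    if attr.strip().lower() != "cn" or not org:
        raise ValueError("role DN must look like cn=<name>,<organization dn>")
    values = {"ROLENAME": rolename.strip(), "ORGANIZATION": org.strip()}
    if groupname is not None:
        values["GROUPNAME"] = groupname
    if pcname is not None:
        values["PCNAME"] = pcname
    return values


def resolve_tags(text, values):
    """Replace each tag with its value; a tag with no value is an error rather
    than a silently wrong ACI."""
    def repl(match):
        tag = match.group(1)
        if tag not in values:
            raise ValueError("no value for tag %s" % tag)
        return values[tag]
    return TAG_RE.sub(repl, text)


def expanded_acis(template, role_dn, **tags):
    """The resolved (dn, aci) pairs for one role."""
    _, _, pairs = parse_permission_template(template)
    values = tag_values(role_dn, **tags)
    return [(resolve_tags(dn, values), resolve_tags(aci, values)) for dn, aci in pairs]


def fold_ldif(line, width=76):
    """Fold a long LDIF line; continuation lines start with a single space."""
    out, rest = [line[:width]], line[width:]
    while rest:
        out.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(out)


def expand_to_ldif(template, role_dn, **tags):
    """LDIF that adds every resolved ACI to its DN, one modify per DN."""
    name, desc, _ = parse_permission_template(template)
    values = tag_values(role_dn, **tags)
    by_dn = {}
    for dn, aci in expanded_acis(template, role_dn, **tags):
        by_dn.setdefault(dn, []).append(aci)
    lines = ["# %s: %s" % (resolve_tags(name, values), resolve_tags(desc, values))]
    for dn, acis in by_dn.items():
        lines += ["dn: " + dn, "changetype: modify", "add: aci"]
        lines += [fold_ldif("aci: " + aci) for aci in acis]
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    print(expand_to_ldif(SAMPLE_TEMPLATE, "cn=JDCAdmin1,dc=sesta,dc=com", pcname="people"))
```

Expanding the sample for cn=JDCAdmin1,dc=sesta,dc=com with PCNAME set to people reproduces the first two JDCAdmin1 ACIs exactly as they appear later in this chapter; leaving PCNAME unset raises an error instead of emitting an ACI with a literal "PCNAME" in its target. Because the LDIF uses add: aci, loading the same file twice fails on the duplicate value rather than silently creating a second copy.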
To Define an ACI Using the Command Line
- Create a text file containing the ACI settings for use with the ldapmodify command. For example, the following file, acis.ldif, contains the ACI definitions for two roles called JDCAdmin1 and JDCAdmin2.
- Change directories to the Sun Java System Identity Server utilities directory. For example,
cd /BaseDir/SUNWam/bin
- Set LD_LIBRARY_PATH to include IS_BASEDIR/SUNWam/ldaplib/solaris/sparc/ldapsdk
- Execute the following command:
./ldapmodify -D "DS_DIRMGR_DN" -w DS_DIRMGR_PASSWORD -f /tmp/acis.ldif
The Directory Manager password given with -w is visible to every user of the host in the process list and may be kept in the shell history. On a shared machine, supply it through the password-file option of your ldapmodify instead, and remove the file when the ACIs are loaded.
- Log in to the Sun Java System Identity Server administration console as administrator.
By default, Identity Management is selected in the location pane and Organizations is selected in the Navigation pane.
- Navigate to the organization or suborganization in which to create a new role (such as JDCAdmin1 or JDCAdmin2).
- Choose Roles from the View menu and click New.
- The New Role page appears in the data pane.
- Enter the role information (Name, Description, Role Type, Access Permissions) and click Create (for example, a static role named JDC with Type=Service and Access Permissions=No Permissions).
The new role appears in the navigation pane.
- Create a Desktop service template for the role you created.
- Create a tab in the role display profile (for example, the role display profile for JDC).
- Navigate to the role where the tab will be created.
- Choose Services from the View menu in the navigation pane.
- Click the properties arrow next to Desktop in the navigation pane.
- The Desktop attributes page appears in the data pane.
- In the Desktop page, click the Channel and Container Management link.
- The Channels page appears, with the container path set at the root.
- Click the Container that you want to add the channel or container to.
- The top of the page displays the container path where the channel will be added. Defined channels and containers, if any, appear in lists.
- Click Add to add a container channel or channel.
- To add a container channel, click Add under Container Channel. To add a channel, click Add under Channel.
- The Add Channel page appears.
- Type a channel name and select the type of provider from the menu.
- Click Create.
Refer to Chapter 7, "Administering the Display Profile" for more information.
- Create a user (such as admin1 or admin2).
- Assign a role to a user (such as JDCAdmin1 to admin1 or JDCAdmin2 to admin2).
- Navigate to the organization or suborganization where the role will be assigned.
- Choose Users from the View menu.
- Click the properties arrow next to the user who will be assigned the role.
- The user profile information appears in the data pane.
- Click Roles from the View menu in the data pane.
- The Add Roles page appears.
- Check the box next to the roles to assign and click Save.
- The Roles for this User box is updated with the assigned roles.
- Click Save to save the changes.
- Log out of the administration console.
To Define an ACI Using the Admin Console
- Log in to the Sun Java System Identity Server administration console as Top-level Admin.
By default, Identity Management is selected in the location menu, and Organizations is selected in the navigation pane.
- Click Service Configuration in the location pane.
- Click the properties arrow next to the Administration service.
The administration attributes appear in the data pane.
- In the Default Role Permissions (ACIs) entry field, type in the ACI definition and click Add. For example, for the JDCAdmin1 and JDCAdmin2 roles defined previously, you would enter the following:
JDCAdmin1|Add/delete users from JDC role|dc=sesta,dc=com:aci: (target= "ldap:///ou=people,dc=sesta,dc=com") (targetattr = "*")(version 3.0; acl "Allow JDCAdmin1 Role to read and search users"; allow (read,search) roledn = "ldap:///cn=JDCAdmin1,dc=sesta,dc=com";)##dc=sesta,dc=com:aci: (target="ldap:///dc=sesta,dc=com") (targetfilter="(entrydn=cn=JDC,dc=sesta,dc=com)")(targetattr="*")(version 3.0; acl "Allow JDCAdmin1 Role to read and search JDC Role";allow (read,search) roledn="ldap:///cn=JDCAdmin1,dc=sesta,dc=com";) ##dc=sesta,dc=com:aci:(target="ldap:///ou=people,dc=sesta,dc=com")(targetattr="nsroledn")(targetfilter="(!(|(nsroledn=cn=Top-level Admin Role,dc=sesta,dc=com)(nsroledn=cn=Top-level Help Desk Admin Role,dc=sesta,dc=com)(nsroledn=cn=Organization Admin Role,dc=sesta,dc=com)(nsroledn=cn=Top-level Policy Admin Role,dc=sesta,dc=com)))")(targattrfilters="add=nsroledn:(nsroledn=cn=JDC,dc=sesta,dc=com),del=nsroledn:(nsroledn=cn=JDC,dc=sesta,dc=com)")(version 3.0; acl "Allow JDCAdmin1 Role to add/remove users to JDC Role"; allow (write)roledn="ldap:///cn=JDCAdmin1,dc=sesta,dc=com";)
JDCAdmin2|Add/remove channels from the JDC role|dc=sesta,dc=com:aci:(target="ldap:///cn=SunPortalDesktopService,dc=sesta,dc=com")(targetfilter="(cn=cn=JDC,dc=sesta,dc=com)")(targetattr="*")(version 3.0; acl "Allow JDCAdmin2 to edit display profile of JDC Role"; allow (all) roledn="ldap:///cn=JDCAdmin2,dc=sesta,dc=com";)##dc=sesta,dc=com:aci: (target="ldap:///dc=sesta,dc=com")(targetattr = "*") (version 3.0; acl "Allow JDCAdmin2 to read and search all"; allow (read,search) roledn = "ldap:///cn=JDCAdmin2,dc=sesta,dc=com";)
The new ACI appears in the Default Role Permissions (ACIs) list.
Read these definitions before reusing them in your own model. In the JDCAdmin1 definition, only the third ACI grants write access, and three clauses keep it narrow: targetattr limits the writable attribute to nsroledn, targetfilter excludes any user entry that already holds the Top-level Admin, Top-level Help Desk Admin, Organization Admin, or Top-level Policy Admin role, and targattrfilters restricts the nsroledn values that can be added or deleted to cn=JDC,dc=sesta,dc=com. Without the last two clauses, a holder of JDCAdmin1 could write any role value, including cn=Top-level Admin Role, into any entry under ou=people, including their own. In the JDCAdmin2 definition, the second ACI grants read and search on every attribute of every entry under dc=sesta,dc=com, which is broader than editing one role's display profile requires; narrow the target or the attribute list where your model allows.
- Click Save.
To Create a New Admin Role for the Delegation Model
Once you have created an ACI defining the permissions for a delegated administration role, you must create a role for using that ACI definition.
- Log in to the Sun Java System Identity Server administration console as Top-level Admin or Organization Admin.
By default, Identity Management is selected in the location menu, and Organizations is selected in the navigation pane.
- Navigate to the organization or suborganization where the role will be created.
All created organizations are displayed in the navigation pane.
Note
If this is a new organization, you must register all the services and create the appropriate templates. See Chapter 3, "Administering Authentication, Users, and Services" for more information.
- Choose Roles from the View menu and click New.
The New Role page appears in the data pane.
- Enter a name, select static role, and click Next.
- Enter the description and choose Administrative as the type.
- Select the Access Permissions:
- If you created the ACI definition for the role using the administration console, select the role you created from the Access Permissions list.
- If you created the ACI definition for the role using the command line, select No Permissions, because the role name is not listed in the Access Permissions list. ACIs loaded with ldapmodify still apply, because they name the role DN directly (for example, roledn="ldap:///cn=JDCAdmin1,dc=sesta,dc=com"), so the role must be created with exactly the name, and in exactly the organization, that those ACIs reference.
- Click Create.
The new role appears in the navigation pane.
To Assign a Role Administrator Role
- Log in to the Sun Java System Identity Server administration console as administrator.
By default, Identity Management is selected in the location menu, and Organizations is selected in the navigation pane.
- Navigate to the organization or suborganization where the role was created.
All created organizations are displayed in the navigation pane.
- Choose Roles from the View menu.
- Click the properties arrow for the role to assign.
- Choose Users from the View menu in the data pane and click Add.
The Add Users page appears in the data pane.
- Specify the values for the fields to find the user to assign and click Filter.
A list of users displays.
- Check the box next to the users to which to assign the role or click Select All to choose all the users.
- Click Submit.
The list of users for this role box is updated with the assigned users.
To Configure Additional Restrictions on a Role Administrator Role
You can configure a role with a restricted set of capabilities. One common restriction you might want is a role with permissions to modify the display profile and perform content management functions, but that is restricted from viewing the rest of the Desktop attributes.
You can also set up delegated administrators with a start DN view. The start DN view is the directory location below which the delegated administrator can see and modify entities.
To configure additional restrictions on a role:
- Log in to the Sun Java System Identity Server administration console as administrator.
By default, Identity Management is selected in the location menu, and Organizations is selected in the navigation pane.
- Navigate to the organization or suborganization containing the role to configure.
All created organizations are displayed in the navigation pane.
- Choose Roles from the View menu.
- Select the role to configure.
- Select Services from the View menu.
- To restrict the role to only display profile or channel management capabilities, do the following:
- Click the Edit link for the Desktop service.
- Create a User service template at this role.
The Desktop page appears in the data pane.
- Unselect the Show Desktop Attributes checkbox.
- Specify a DN in Admin DN Starting V.
- Click Save.
Note
If the Show Desktop Attributes checkbox is unselected, when users with this role access the Desktop services, they will not be able to see the Desktop attributes; they will only see the Channel and Container Management link. In addition, they will only be able to see the channels and containers defined at the role level.
- To restrict the role to a particular start DN, do the following: