Sun Java System Instant Messaging 6 2004Q2 Administration Guide 

Chapter 4
Managing Instant Messaging and Presence Policies

The Sun JavaTM System Instant Messaging server provides various functional features such as chat, conferencing, polls, presence access, etc. A policy describes a set of access control privileges that can be associated with these features. In turn, end users and groups can be assigned to policies according to the needs of an organization.

This chapter describes how to define and use policies to manage the access that end users and administrators have to the Sun Java System Instant Messaging server features and privileges:


Overview of Privacy, Security, and Site Policies

Instant Messaging provides the ability to control access to Instant Messaging features and preserve end-user privacy.

Site Policies

Site policies specify end-user access to specific functionality in Instant Messaging. They specify:

The Instant Messaging administrator has access to all Instant Messaging features. The administrator has MANAGE access to all conference rooms and news channels, can view presence information of any end user, and can view and modify properties such as Contact Lists and Instant Messenger Settings of any end user. The site policy settings have no impact on the administrator’s privileges.

By default, the end user is provided with the privileges to access the presence status of other end users, send alerts to end users, and save properties to the server. In most deployments, the default values are not changed. These default values need to be changed when Instant Messaging is used exclusively for the pop-up functionality.

When Instant Messaging is used exclusively for the pop-up functionality, the end user will not be provided with the access privileges to presence information, chat, and news features.


Note

Although certain privileges can be set globally, the administrator can also define exceptions for these privileges. For example, the administrator can deny certain default privileges to select end users, roles, or groups.


For more information on configuring site policies, see Managing Instant Messaging and Presence Policies.

Conference Room and News Channel Access Controls

End users can have the following access privileges on Conference rooms and News channels:

End users with the MANAGE privilege can set the default privilege level for all the other end users. These end users can also define exception rules that grant specific end users or groups an access level different from the default.


Note

Setting the WRITE privilege grants the end users the READ privilege.


User Privacy

End users can specify whether other end users can see their presence or not. By default, all end users can access the presence information of another end user. End users can also set exceptions that deny this access to certain end users and groups.

If an end user has denied other end users access to the end user’s presence status, then that end user’s availability status appears as offline in the other end users’ contact lists. No alerts or chat invitations can be sent to an end user whose presence status is offline.

User privacy can be configured using the User Settings window in the Instant Messenger. For more information on configuring user privacy, see Instant Messenger Online Help.


Methods for Controlling End User and Administrator Privileges

Different sites using Sun Java System Instant Messaging server have different needs in terms of enabling and restricting the type of access end users have to the Instant Messaging service. The process of controlling the Sun Java System Instant Messaging server features and privileges available to end users and administrators is referred to as policy management. There are two methods of policy management available: through access control files or through Sun Java System Identity Server.

Introduction to Managing Policies Using Access Control Files

The access control file method for managing policies allows you to adjust end-user privileges in the following areas: news channel management, conference room management, the ability to change preferences in the User Settings dialog, and the ability to send alerts. It also allows specific end users to be assigned as system administrators.

Introduction to Managing Policies Using Sun Java System Identity Server

Managing policies through Sun Java System Identity Server gives you control of the same privileges available with the access control file method; however, it additionally allows finer control over various features, such as the ability to receive alerts, send polls, receive polls, and so on. For a complete list, see Table 4-4.

Two types of policies exist: Instant Messaging policies and Presence policies. The Instant Messaging policies govern general Instant Messaging features, such as the ability to send or receive alerts; the ability to manage public conferences and news channels; and the ability to send files. Presence policies govern the control end users have over changing their online status, and in allowing or preventing others from seeing their online or presence information.

Managing Policies: The Method to Use

When choosing which method to use to manage policies, it is also necessary to choose where they will be stored. You select the method for managing policies by editing the iim.conf file and setting the iim.policy.modules parameter to either identity for the Identity Server method or iim_ldap for the access control file method, which is also the default method.

If you will use an LDAP-only deployment—therefore, you will not be using Sun Java System Identity Server—you must use the access control file method. If you are using Sun Java System Identity Server with the Sun Java System Instant Messaging server, and you have installed the Instant Messaging and Presence services components, you can use either policy management method. Please note that managing policies using Sun Java System Identity Server is a more comprehensive method. One advantage of this method is that it allows you to store all end-user information in the directory.

The specific steps for setting which method you want to use to manage policies are as follows:

  1. Change directories to the directory that contains the iim.conf file.
  2. Open the iim.conf file using an editor of your choice.
  3. Edit the iim.policy.modules parameter by setting it to one of the following:
    • iim_ldap (the access control file method)
    • identity (the Identity Server method)
  4. Edit the iim.userprops.store parameter and set it to either:
    • ldap (to store user properties in LDAP)
    • file (default, to store user properties in files)
  5. Save your changes.
  6. Refresh the configuration.

Policy Configuration Parameters

Table 4-1 lists and describes the new parameters available in the iim.conf file that relate to the increased role that Sun Java System Identity Server can play in Instant Messaging deployments:

Table 4-1  New Parameters Related to Identity Server in iim.conf File

| Parameter Name      | Use                                                                                     | Values                       |
|---------------------|-----------------------------------------------------------------------------------------|------------------------------|
| iim.policy.modules  | Indicates whether Sun Java System Identity Server is used for policy storage            | iim_ldap (default), identity |
| iim.userprops.store | Indicates whether the user properties come from the user properties file or from LDAP  | file (default), ldap         |


Note

Currently the iim.userprops.store parameter is only significant when the service definitions for the Presence and Instant Messaging services have been installed.



Managing Policies Using Access Control Files

By editing access control files you control the following end-user privileges:

By default, end users are provided the privileges to access the presence status of other end users, send alerts to end users, and save properties to the server. In most of the deployments, the default values need not be changed.


Note

Although certain privileges can be set globally, the administrator can also define exceptions for these privileges. For example, the administrator can deny certain default privileges to select end users or groups.


The location of the access control files is:

Table 4-2 lists the global access control files for Instant Messaging and the privileges these files provide end users.

Table 4-2  Access Control Files

| ACL File                | Privileges |
|-------------------------|------------|
| sysSaveUserSettings.acl | Defines who can and cannot change their own preferences. |
| sysTopicsAdd.acl        | Defines who can and cannot create News channels. |
| sysRoomsAdd.acl         | Defines who can and cannot create Conference rooms. |
| sysSendAlerts.acl       | Defines who can and cannot send alerts. |
| sysWatch.acl            | Defines who can and cannot watch changes of other end users. The Sun Java System Instant Messenger window is not displayed for end users who do not have this privilege. |
| sysAdmin.acl            | Reserved for administrators only. This file sets administrative privileges to all Sun Java System Instant Messaging features for all end users. This privilege overrides all the other privileges and gives the administrator MANAGE access to all conference rooms and news channels as well as to end user presence information, settings, and properties. |

Access Control File Format

The access control file contains a series of entries that define the privileges. Each entry starts with a tag as follows:

The tag is followed by a colon (:). In the case of the default tag, the colon is followed by true or false.

End-user and group tags are followed by the end-user or group name.

Multiple end users and groups are specified by listing each end user (u) and group (g) entry on its own line.

If default is set to true, all other entries in the file are redundant. If default is set to false, only the end users and groups specified in the file will have that particular privilege.

The following are the default d: tag entries in the ACL files for a new installation:

Access Control File Examples

This section shows a sample access control file, sysTopicsAdd.acl, with privileges set. For information about access control files at the conference room and news channel level (that is, roomname.acl and newschannel.acl), see Conference Room and News Channel Access Controls.

sysTopicsAdd.acl File

In the following example, the default d: tag entry for the sysTopicsAdd.acl file is false. So the privileges to add and delete news channels are available only to the end users and groups that appear before the default, namely user1, user2, and the sales group.

# Example sysTopicsAdd.acl file
u:user1
u:user2
g:cn=sales,ou=groups,o=siroe
d:False
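The following parser and evaluator for the access control file format described above is an added example; it is not part of the product or of this guide. It assumes only what the text states: one entry per line, tagged u: (end user), g: (group DN) or d: (default, true or false), with a line starting with # treated as a comment as in the sample file. The sample text embedded in the block is a constructed copy of the sysTopicsAdd.acl example above. Besides evaluating who holds the privilege, it includes an audit helper that flags the case the text warns about: with d:true, every explicit u: and g: entry is redundant.

```python
"""Parse and evaluate Instant Messaging access control files.

Added example (not Sun's code). It assumes only what the text above states:
one entry per line, tagged u: (end user), g: (group) or d: (default true/false),
and that a line starting with '#' is a comment, as in the sample file.
"""
from dataclasses import dataclass, field
from typing import Iterable, List, Set

# Constructed sample, identical in content to the sysTopicsAdd.acl example above.
SAMPLE_SYS_TOPICS_ADD = """\
# Example sysTopicsAdd.acl file
u:user1
u:user2
g:cn=sales,ou=groups,o=siroe
d:False
"""


@dataclass
class Acl:
    users: Set[str] = field(default_factory=set)
    groups: Set[str] = field(default_factory=set)  # group DNs, lower-cased
    default: bool = False                            # the d: entry; False if absent (assumption)


def parse_acl(text: str) -> Acl:
    """Parse ACL text. Malformed lines raise rather than being skipped, so a typo
    in a privilege file is noticed instead of silently changing who is granted access."""
    acl = Acl()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tag, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"line {lineno}: expected 'tag:value', got {raw!r}")
        tag, value = tag.strip().lower(), value.strip()
        if tag == "u":
            acl.users.add(value)
        elif tag == "g":
            # DN comparison is case-insensitive in LDAP, so normalise here.
            acl.groups.add(value.lower())
        elif tag == "d":
            if value.lower() not in ("true", "false"):
                raise ValueError(f"line {lineno}: d: must be true or false, got {value!r}")
            acl.default = value.lower() == "true"
        else:
            raise ValueError(f"line {lineno}: unknown tag {tag!r}")
    return acl


def has_privilege(acl: Acl, user: str, member_of: Iterable[str] = ()) -> bool:
    """True if 'user' holds the privilege this file governs.
    d:true grants everyone; d:false grants only the listed users and groups."""
    if acl.default:
        return True
    if user in acl.users:
        return True
    return any(dn.lower() in acl.groups for dn in member_of)


def redundant_entries(acl: Acl) -> List[str]:
    """Audit helper: with d:true every u:/g: entry is redundant, which usually
    means the file does not express the restriction its author intended."""
    if not acl.default:
        return []
    return sorted(acl.users) + sorted(acl.groups)


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_SYS_TOPICS_ADD)
    for who, groups in [("user1", []), ("user3", []),
                        ("user3", ["cn=sales,ou=groups,o=siroe"])]:
        print(who, groups, "->", has_privilege(acl, who, groups))
```

Run the block directly to see the three sample evaluations; `redundant_entries` is the check worth running over every file in config/acls after an edit, since a stray d:true opens the privilege to everyone regardless of the entries above it.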

Changing End User Privileges

To change end user privileges:

  1. Change to the config/acls directory. For example, on Solaris:
     cd /etc/opt/SUNWiim/default/config/acls
  2. Edit the appropriate access control file. For example:
     vi sysTopicsAdd.acl
  3. Save the changes.
  4. End users need to refresh the Sun Java System Instant Messenger window to see the changes.


Managing Policies using Sun Java System Identity Server

The Instant Messaging and Presence services in Sun Java System Identity Server provide another way to control end user and administrator privileges. Each service has three types of attributes: dynamic, user, and policy. A policy attribute is the type of attribute used to set privileges.

Policy attributes become part of the rules that are added to a policy created in Identity Server; these rules allow or deny administrator and end-user involvement in various Instant Messaging features, such as receiving poll messages from others.

When Sun Java System Instant Messaging server is installed with Sun Java System Identity Server, several example policies and roles are created. See the Sun Java System Identity Server Getting Started Guide and the Sun Java System Identity Server Administration Guide for more information about policies and roles.

Furthermore, if the example policies are not sufficient, you can create new policies and assign those policies to a role, group, organization, or end user as needed to match your site’s needs.

When the Instant Messaging service or the Presence service is assigned to end users, they receive the dynamic and user attributes applied to them. The dynamic attributes can be assigned to a Sun Java System Identity Server configured role or organization.

When a role is assigned to an end user or an end user is created in an organization, the dynamic attributes then become a characteristic of the end user. The user attributes are assigned directly to each end user. They are not inherited from a role or an organization and, typically, are different for each end user.

When end users log on, they get all the attributes that are applicable to them depending upon which roles are assigned to them and how the policies are applied.

Dynamic, user or policy attributes are associated with end users after assigning the Presence and Instant Messaging Services to these end users.

Instant Messaging Service Attributes

Table 4-3 lists the policy, dynamic, and user attributes that each service has:

Table 4-3  Identity Server Attributes for Instant Messaging

Service: sunIM
  Policy attributes: sunIMAllowChat, sunIMAllowChatInvite, sunIMAllowForumAccess, sunIMAllowForumManage, sunIMAllowForumModerate, sunIMAllowAlertsAccess, sunIMAllowAlertsSend, sunIMAllowNewsAccess, sunIMAllowNewsManage, sunIMAllowFileTransfer, sunIMAllowContactListManage, sunIMAllowUserSettings, sunIMAllowPollingAccess, sunIMAllowPollingSend
  Dynamic attributes: sunIMProperties, sunIMRoster, sunIMConferenceRoster, sunIMNewsRoster
  User attributes: sunIMUserProperties, sunIMUserRoster, sunIMUserConferenceRoster, sunIMUserNewsRoster

Service: sunPresence
  Policy attributes: sunPresenceAllowAccess, sunPresenceAllowPublish, sunPresenceAllowManage
  Dynamic attributes: sunPresenceDefaultAccess, sunPresenceAccessDenied, sunPresenceAccessPermitted, sunPresenceDevices
  User attributes: sunPresenceEntityDefaultAccess, sunPresenceEntityAccessDenied, sunPresenceEntityAccessPermitted, sunPresenceEntityDevices

For each attribute in the preceding table, a corresponding label appears in the Identity Server admin console. The following two tables list each attribute with its corresponding label and a brief description. Table 4-4 lists and describes the policy attributes and Table 4-5 lists and describes the dynamic and user attributes.

Table 4-4  Sun Java System Identity Server Policy Attributes for Instant Messaging

| Policy Attribute            | Admin Console Label                 | Attribute Description |
|-----------------------------|-------------------------------------|-----------------------|
| sunIMAllowChat              | Ability to Chat                     | End users can be invited to join chat room and access normal chat functionality |
| sunIMAllowChatInvite        | Ability to Invite others to Chat    | End users can invite others to chat |
| sunIMAllowForumAccess       | Ability to Join Conference Rooms    | A conference tab shows up in Sun Java System Instant Messenger, allowing end users to join conference rooms |
| sunIMAllowForumManage       | Ability to Manage Conference Rooms  | End users are able to create, delete, and manage conference rooms |
| sunIMAllowForumModerate     | Ability to Moderate Conference Rooms | End users can be conference moderators |
| sunIMAllowAlertsAccess      | Ability to Receive Alerts           | End users can receive alerts from others |
| sunIMAllowAlertsSend        | Ability to Send Alerts              | End users can send alerts to others |
| sunIMAllowNewsAccess        | Ability to Read News                | A News button is displayed in Sun Java System Instant Messenger that enables end users to list news channels in order to receive and send news messages |
| sunIMAllowNewsManage        | Ability to Manage News Channels     | End users can manage news channels and create, delete, and assign privileges to news channels |
| sunIMAllowFileTransfer      | Ability to Exchange Files           | End users can add attachments to alert, chat, and news messages |
| sunIMAllowContactListManage | Ability to Manage one’s Contact List | End users can manage their own contact lists; they can add and delete users or groups to and from the list; they can rename the folders in their contact list |
| sunIMAllowUserSettings      | Ability to Manage Messenger         | A Settings button is displayed in the Sun Java System Instant Messenger that enables end users to change their own Sun Java System Instant Messenger settings |
| sunIMAllowPollingAccess     | Ability to Receive Polls            | End users can receive poll messages from others, and they can respond to polls |
| sunIMAllowPollingSend       | Ability to Send Polls               | A Poll button is displayed in Sun Java System Instant Messenger that enables end users to send poll messages to others and to receive the responses |
| sunPresenceAllowAccess      | Ability to Access other’s Presence  | End users can watch the presence status of others. The contact list, in addition to showing the contact, reflects contacts’ presence status changes by changing the status icon |
| sunPresenceAllowPublish     | Ability to Publish Presence         | End users can click to select their status (online, offline, busy, etc.) for others to watch |
| sunPresenceAllowManage      | Ability to Manage Presence Access   | An Access tab is displayed in the Settings of the Sun Java System Instant Messenger; end users can set up their own default presence access, presence permitted, or presence denied list |

Modifying Attributes Directly

An end user can log in to the Sun Java System Identity Server admin console and view the values of the Instant Messaging and Presence service attributes. If the attributes have been defined as modifiable, end users can alter them. By default, however, no attributes in the Instant Messaging service are modifiable, nor is it recommended that end users be allowed to modify them. From the standpoint of system administration, on the other hand, manipulating attributes directly can be useful.

For example, since roles do not affect some system attributes, such as conference subscriptions, system administrators might want to modify the values of these attributes by copying them from another end user (such as from a conference roster) or by editing them directly. These attributes are listed in Table 4-5.

In Table 4-5, user attributes can be set by end users through the Sun Java System Identity Server admin console. Dynamic attributes are set by the administrator. A value set for a dynamic attribute overrides or is combined with the corresponding user attribute value, as shown in the Conflict Resolution column.

The nature of corresponding dynamic and user attributes influences how conflicting and complementing information is resolved. For example, Conference Subscriptions from two sources (dynamic and user) complement each other; therefore, the subscriptions are merged. Neither attribute overrides the other.

Table 4-5  Sun Java System Identity Server User and Dynamic Attributes for Instant Messaging

| Admin Console Label        | User Attribute                   | Dynamic Attribute          | Attribute Description | Conflict Resolution |
|----------------------------|----------------------------------|----------------------------|-----------------------|---------------------|
| Messenger Settings         | sunIMUserProperties              | sunIMProperties            | Contains all the properties for Sun Java System Instant Messenger and corresponds to the user.properties file in the file-based user properties storage | Merge; however, if a particular property has a value from both the user and dynamic attribute, the dynamic attribute overrides |
| Subscriptions              | sunIMUserRoster                  | sunIMRoster                | Contains subscription information (not in use yet) | The dynamic information is taken |
| Conference Subscriptions   | sunIMUserConferenceRoster        | sunIMConferenceRoster      | Contains conference room subscription information | Merge; dynamic and user subscriptions are merged |
| News Channel Subscriptions | sunIMUserNewsRoster              | sunIMNewsRoster            | Contains news channel subscription information | Merge; dynamic and user subscriptions are merged |
| Default Presence Visibility | sunPresenceEntityDefaultAccess  | sunPresenceDefaultAccess   | Corresponds to the access setting in Sun Java System Instant Messenger. If checked, the presence status can be viewed by everyone, and if not checked, the presence status can be viewed by no one | The dynamic information is taken |
| Presence Deny List         | sunPresenceEntityAccessDenied    | sunPresenceAccessDenied    | If the default presence visibility label (see preceding table entry) in the admin console is checked (viewed by everyone), end users can enter others to this list to deny them access to presence status | The dynamic information is taken |
| Presence Allow List        | sunPresenceEntityAccessPermitted | sunPresenceAccessPermitted | If the default presence visibility label (see preceding two table entries) in the admin console is unchecked (viewed by nobody), end users can enter others to this list to allow them access to presence status | The dynamic information is taken |
| Presence Agents            | sunPresenceEntityDevices         | sunPresenceDevices         | Not used in this release (for future use) | The dynamic information is taken |
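The following block is an added example, not code from the product or this guide. It implements the Conflict Resolution column of Table 4-5 row by row, then applies the resolved presence attributes to the visibility decision described under User Privacy (an end user who may not see another's presence sees that user as offline). The attribute names are the ones in Table 4-5; how values are represented (a dict for properties, sets for rosters and access lists, a boolean for default visibility), the sample values, and the fallback to the user value when no dynamic value exists are assumptions, since the page does not specify them.

```python
"""Resolve Identity Server user vs. dynamic attributes (Table 4-5) and apply the
resulting presence settings to decide what a watcher sees (User Privacy).

Added example, not Sun's code. Attribute names are those of Table 4-5; the
value representations and the fallback to the user value when no dynamic
value exists are assumptions.
"""
from typing import Any, Dict, Optional, Set


def merge_dynamic_overrides(user: Optional[Dict[str, str]],
                            dynamic: Optional[Dict[str, str]]) -> Dict[str, str]:
    """Messenger Settings: merge, but where both define a property the dynamic value wins."""
    merged = dict(user or {})
    merged.update(dynamic or {})
    return merged


def merge_union(user: Optional[Set[str]], dynamic: Optional[Set[str]]) -> Set[str]:
    """Conference and News Channel Subscriptions: dynamic and user subscriptions are merged."""
    return set(user or ()) | set(dynamic or ())


def dynamic_taken(user: Any, dynamic: Any) -> Any:
    """'The dynamic information is taken.' Falling back to the user value when no
    dynamic value is set is an assumption not stated on the page."""
    return dynamic if dynamic is not None else user


# One row of Table 4-5 each: (user attribute, dynamic attribute, conflict rule).
RULES = [
    ("sunIMUserProperties",              "sunIMProperties",            merge_dynamic_overrides),
    ("sunIMUserRoster",                  "sunIMRoster",                dynamic_taken),
    ("sunIMUserConferenceRoster",        "sunIMConferenceRoster",      merge_union),
    ("sunIMUserNewsRoster",              "sunIMNewsRoster",            merge_union),
    ("sunPresenceEntityDefaultAccess",   "sunPresenceDefaultAccess",   dynamic_taken),
    ("sunPresenceEntityAccessDenied",    "sunPresenceAccessDenied",    dynamic_taken),
    ("sunPresenceEntityAccessPermitted", "sunPresenceAccessPermitted", dynamic_taken),
    ("sunPresenceEntityDevices",         "sunPresenceDevices",         dynamic_taken),
]


def resolve(user_attrs: Dict[str, Any], dynamic_attrs: Dict[str, Any]) -> Dict[str, Any]:
    """Effective attribute values for one end user, keyed by the dynamic attribute name."""
    return {dyn: rule(user_attrs.get(usr), dynamic_attrs.get(dyn))
            for usr, dyn, rule in RULES}


def presence_visible(effective: Dict[str, Any], watcher: str) -> bool:
    """Default visibility checked (everyone): visible unless the watcher is on the deny list.
    Unchecked (no one): visible only if the watcher is on the allow list."""
    if effective.get("sunPresenceDefaultAccess"):
        return watcher not in (effective.get("sunPresenceAccessDenied") or set())
    return watcher in (effective.get("sunPresenceAccessPermitted") or set())


def apparent_status(effective: Dict[str, Any], watcher: str, real_status: str) -> str:
    """A watcher who is denied access sees the end user as offline, and so cannot
    send that user alerts or chat invitations."""
    return real_status if presence_visible(effective, watcher) else "offline"


# Constructed sample values for one end user (not from the page).
USER_ATTRS = {
    "sunIMUserProperties": {"sound": "on", "theme": "light"},
    "sunIMUserConferenceRoster": {"eng-standup"},
    "sunIMUserNewsRoster": {"weekly-news"},
    "sunPresenceEntityDefaultAccess": True,        # user chose: visible to everyone...
    "sunPresenceEntityAccessDenied": {"mallory"},  # ...except mallory
}
DYNAMIC_ATTRS = {
    "sunIMProperties": {"theme": "corporate"},     # administrator-enforced theme
    "sunIMConferenceRoster": {"all-hands"},        # administrator-added subscription
    "sunPresenceDefaultAccess": False,             # administrator: visible to nobody by default...
    "sunPresenceAccessPermitted": {"alice"},       # ...except alice
}

if __name__ == "__main__":
    eff = resolve(USER_ATTRS, DYNAMIC_ATTRS)
    for watcher in ("alice", "bob", "mallory"):
        print(watcher, "sees", apparent_status(eff, watcher, "busy"))
```

The sample shows the practical consequence of the "dynamic information is taken" rule for presence: the end user's own choice (visible to everyone except mallory) is replaced wholesale by the administrator's dynamic setting (visible to nobody except alice), so the user's deny list has no effect once a dynamic default is set. Anyone auditing presence exposure should therefore look at the resolved values, not at the user attributes alone.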

Pre-Defined Examples of Instant Messaging and Presence Policies

Table 4-6 lists and describes the seven example policies and roles that are created in Sun Java System Identity Server when the Instant Messaging service component is installed. You can add end users to different roles according to the access control you want to give them.

A typical site might want to assign the role IM Regular User (a role that receives the default Instant Messaging and Presence access) to end users who simply use Instant Messenger, but have no responsibilities in administering Instant Messaging policies. The same site might assign the role of IM Administrator (a role associated with the ability to administer Instant Messaging and Presence services) to particular end users with full responsibilities in administering Instant Messaging policies. Table 4-7 lists the default assignment of privileges amongst the policy attributes. If an action is not selected in a rule, the values allow and deny are not relevant as the policy then does not affect that attribute.

Table 4-6  Default Policies and Roles for Identity Server

| Policy                                                       | Role the Policy Applies to        | Service the Policy Applies to | Policy Description |
|--------------------------------------------------------------|-----------------------------------|-------------------------------|--------------------|
| Default Instant Messaging and presence access                | IM Regular User                   | sunIM, sunPresence            | The default access that a regular Instant Messaging end user should have. |
| Ability to administer Instant Messaging and Presence Service | IM Administrator                  | sunIM, sunPresence            | The access that an Instant Messaging Administrator has, which is access to all Instant Messaging features. |
| Ability to manage Instant Messaging news channels            | IM News Administrator             | sunIM                         | End users can manage news channels by creating, deleting, etc. |
| Ability to manage Instant Messaging conference rooms         | IM Conference Rooms Administrator | sunIM                         | End users can manage conference rooms by creating, deleting, etc. |
| Ability to change own Instant Messaging user settings        | IM Allow User Settings Role       | sunIM                         | End users can edit settings by clicking the Settings button in the Sun Java System Instant Messenger. |
| Ability to send Instant Messaging alerts                     | IM Allow Send Alerts Role         | sunIM                         | End users can send alerts in Sun Java System Instant Messenger. |
| Ability to watch changes on other Instant Messaging end users | IM Allow Watch Changes Role      | sunIM                         | End users can access the presence status of other Instant Messaging end users. |

Table 4-7  Assignment of the Default Policies

The columns are the seven default policies of Table 4-6, abbreviated as follows:

  P1  Default Instant Messaging and presence access
  P2  Ability to administer Instant Messaging and Presence Service
  P3  Ability to manage Instant Messaging news channels
  P4  Ability to manage Instant Messaging conference rooms
  P5  Ability to change own Instant Messaging end-user settings
  P6  Ability to send Instant Messaging alerts
  P7  Ability to watch changes on other Instant Messaging end-users

A blank cell means the attribute is not selected in that policy's rule, so the policy does not affect it.

| Attribute                   | P1    | P2    | P3    | P4    | P5    | P6    | P7    |
|-----------------------------|-------|-------|-------|-------|-------|-------|-------|
| sunIMAllowChat              | allow | allow |       |       |       |       |       |
| sunIMAllowChatInvite        | allow | allow |       |       |       |       |       |
| sunIMAllowForumAccess       | allow | allow |       | allow |       |       |       |
| sunIMAllowForumManage       | deny  | allow |       | allow |       |       |       |
| sunIMAllowForumModerate     | deny  | allow |       | allow |       |       |       |
| sunIMAllowAlertsAccess      | allow | allow |       |       |       | allow |       |
| sunIMAllowAlertsSend        | allow | allow |       |       |       | allow |       |
| sunIMAllowNewsAccess        | allow | allow | allow |       |       |       |       |
| sunIMAllowNewsManage        | deny  | allow | allow |       |       |       |       |
| sunIMAllowFileTransfer      | allow | allow |       |       |       |       |       |
| sunIMAllowContactListManage | allow | allow |       |       |       |       |       |
| sunIMAllowUserSettings      | allow | allow |       |       | allow |       |       |
| sunIMAllowPollingAccess     | allow | allow |       |       |       |       |       |
| sunIMAllowPollingSend       | allow | allow |       |       |       |       |       |
| sunPresenceAllowManage      | allow | allow |       |       |       |       |       |
| sunPresenceAllowAccess      | allow | allow |       |       |       |       | allow |
| sunPresenceAllowPublish     | allow | allow |       |       |       |       |       |

Creating New Instant Messaging Policies

You can create new policies to fit the specific needs of your site.

To Create a New Policy

  1. Log on to the Identity Server admin console at http://hostname:port/amconsole, for example http://imserver.company22.example.com:80/amconsole
  2. With the Identity Management tab selected, select Policies in the View drop down list in the navigation pane (the lower-left frame).
  3. Click New to bring up the New Policy page in the data pane (the lower-right frame).
  4. Select Normal for the Type of Policy.
  5. Enter a policy description in the Name field, such as Ability to Perform IM Task.
  6. Click Create to make the name of the new policy appear on the policy list in the navigation pane and to make the page in the data pane change to the Edit page for your new policy.
  7. In the Edit page, select Rules in the View drop down list to bring up the Rule Name Service Resource panel inside the Edit page.
  8. Click Add to bring up the Add Rule page.
  9. Select the Service that applies, either Instant Messaging Service or Presence Service.
  10. Each service enables you to allow or deny end users the ability to perform specific actions. For example, Ability to Chat is an action specific to the Instant Messaging service while Ability to Access other’s Presence is an action specific to the Presence service.

  11. Enter a description for a rule in the Rule Name field, such as Rule 1.
  12. Enter the appropriate Resource Name (IMResource or PresenceResource):
    • IMResource for Instant Messaging Service
    • PresenceResource for Presence Service
  13. Select the Actions that you want to apply.
  14. Select the Value for each action: Allow or Deny.
  15. Click Create to display this proposed rule in the list of saved rules for that policy.
  16. Click Save to make this proposed rule a saved rule.
  17. Repeat steps 8-15 for any additional rules that you want to apply to that policy. For each new rule, click Save to save the changes to the policy.

Assigning Policies to a Role, Group, Organization, or User

You can assign policies—the default policies for Instant Messaging or Instant Messaging policies that might have been created after Instant Messaging was installed—to a role, group, organization, or user.

To Assign a Policy

  1. Log on to the Identity Server admin console at http://hostname:port/amconsole, for example http://imserver.company22.example.com:80/amconsole
  2. With the Identity Management tab selected, select Policies in the View drop down list in the navigation pane (the lower-left frame).
  3. Click the arrow next to the name of the policy you want to assign in order to bring up the Edit page for that policy in the data pane (the lower-right frame).
  4. In the Edit page, select Subjects in the View drop down list.
  5. Click Add to bring up the Add Subject page, which lists the possible subject types:
    • Identity Server Roles
    • LDAP Groups
    • LDAP Roles
    • LDAP Users
    • Organization
  6. Select the subject type that matches the policy, such as Organization.
  7. Click Next.
  8. In the Name field, enter a description of the subject.
  9. If desired, select the Exclusive check box.
  10. The Exclusive check box is not selected as the default setting, which means that the policy applies to all members of the subject.

    Selecting the Exclusive check box applies the policy to everyone who is not a member of the subject.

  11. In the Available field, search for entries that you want to add to your subject:
    a. Type a search pattern for the entries you want to find. The default search is *, which displays all the subjects for that subject type.
    b. Click Search.
    c. Highlight the entries in the Available text box that you want to add to the Selected text box.
    d. Click Add or Add All, whichever applies.
    e. Repeat steps a-d until you have added all the names you want to the Selected text box.
  12. Click Create to display this proposed subject in the list of saved subjects for that policy.
  13. Click Save to make this proposed subject a saved subject.
  14. Repeat steps 5-12 for any additional subjects that you want to add to the policy. For each new subject, click Save to save the changes to the policy.

Creating New Suborganizations Using Identity Server

The ability to create suborganizations using Sun Java System Identity Server enables organizationally separate populations to be created within the Sun Java System Instant Messaging server. Each suborganization can be mapped to a different DNS domain. End users in one suborganization are completely isolated from those in another. The following describes minimal steps to create a new suborganization for Instant Messaging.

To Create a New Suborganization

  1. Log on to the Identity Server admin console at http://hostname:port/amconsole, for example http://imserver.company22.example.com:80/amconsole
  2. Create a new organization:
    1. With the Identity Management tab selected, select Organizations in the View drop down list in the navigation pane (the lower-left frame).
    2. Click New to bring up the New Organization page in the data pane (the lower-right frame).
    3. Enter the following in the appropriate fields:
      • A suborganization name, such as sub1
      • A domain name, such as sub1.company22.example.com
    4. Click Create.
  3. Register services for the newly created suborganization.
    1. Click the name for the new suborganization, such as sub1, in the navigation pane (Be certain to click the name, not the property arrow at the right.).
    2. Select Services from the View drop down list in the navigation pane
    3. Click Register to bring up the Register Services page in the data pane.
    4. Select the following services under the Authentication heading:
      • Core
      • LDAP
    5. Select the following services under the Instant Messaging Configuration heading:
      • Instant Messaging Service
      • Presence Service
    6. Click Register to bring up the newly selected services for this suborganization in the navigation pane.
  4. Create service templates for the newly selected services:
    a. In the navigation pane, click the property arrow for a service, starting with the Core service. The Create Service Template page appears in the data pane.
    b. In the data pane, click Create, which replaces the Create Service Template page with a page of template options for the service you have selected. Click Create for each service even when you do not want to modify the template options.
    c. Modify the options for the service template of each service as follows:
      • Core: Generally, no options need to be modified; go to Step d.
      • LDAP: Add the prefix of the new suborganization to the DN to Start User Search field. After adding the prefix, the final DN should be in this format:
        o=sub1,dc=company22,dc=example,dc=com
        Enter the LDAP password in the Password for Root User Bind and Password for Root User Bind (confirm) fields. Continue to Step d.
      • Instant Messaging Service: Generally, no options need to be modified; go to Step d.
      • Presence Service: If you would like to make end-user presence information available to others by default (sites tend to choose this option), select the Dynamic Default Presence Visibility check box before going to Step d.
    d. Click Save.
    e. Repeat steps a through d until you have created service templates for each service.

Adding End Users to New Suborganizations

After new end users have been created in a suborganization, they need to be assigned roles. Roles can be inherited from the parent organization, as described in the following procedure.

To Add End Users to a New Suborganization:

  1. Go to the parent organization and select Roles from the View drop-down list. The specific steps are:
    a. Log on to the Identity Server admin console at http://hostname:port/amconsole, for example http://imserver.company22.example.com:80/amconsole
    b. With the Identity Management tab selected, select Roles in the View drop-down list in the navigation pane (the lower-left frame).
  2. Click the property arrow to the right of the role you wish to assign in order to bring up a page for that role in the data pane (the lower-right frame).
  3. Select Users from the View drop-down list in the data pane.
  4. Click Add to bring up the Add Users page.
  5. Enter a matching pattern to identify users. For example, an asterisk (*) in the UserId field lists all users.
  6. Click Filter to bring up the Select User page.
  7. Display the parentage path in the Select User page:
    a. Select the Show parentage path check box.
    b. Click Refresh.
  8. Select the users to be assigned to this role.
  9. Click Submit.


Migrating from Instant Messaging 6.0

Non-Migration Option

If your site deployed the Instant Messaging service with the Sun Java System Instant Messaging 6.0 server and the Sun Java System Identity Server 5.1 software, the Sun Java System Instant Messaging 6 software still honors the old attributes. Policy attributes from the Sun Java System Instant Messaging 6.0 server, such as sunIMAllowFileTransfer and sunIMEnableModerator, override the same policy attributes set in the Sun Java System Instant Messaging 6 server.

Migration Option

However, the preferable method for handling the differences between the two Instant Messaging services is to migrate away from the Instant Messaging service used by the Sun Java System Instant Messaging 6.0 software and to modify or create a Sun Java System Identity Server policy that uses the Instant Messaging Service and Presence Service from the Sun Java System Instant Messaging 6 software. Define the new policy so that it provides the same access control for your site as the old policy did.

For example, you can modify a rule in the Default Instant Messaging and presence access policy, setting the deny or allow status of each of the policy’s attributes so that the policy behaves as it did in the Sun Java System Instant Messaging 6.0 server. Alternatively, you can create a new policy with rules that reproduce the previous behavior.

Migrating Access Control Files

Your site may have been using an earlier version of the Sun Java System Instant Messaging server (6.0 or earlier) without an Instant Messaging service, so that end-user privileges were set by editing access control files rather than by setting policies through the Sun Java System Identity Server. In that case, two methods are available for replicating the policy set within the access control files and using this information to create Sun Java System Identity Server policies:

Migrate Access Control File Information Manually

Migrate Access Control File Information Automatically

Migrate Access Control File Information Manually

The high-level steps for this method are as follows:

  1. Open each access control file, one at a time; for example, sysTopicsAdd.acl and sysRoomsAdd.acl. For more information about the location and format of access control files, see Managing Policies Using Access Control Files.
  2. In each file, read the value for the default line. The default line starts with the letter d followed by a colon (d:).
  3. In the Sun Java System Identity Server admin console, within the Default instant messaging and presence access policy, set a rule to the same default value you read from the access control file.
  4. Assign all the regular Instant Messaging end users the role of IM Regular User.
  5. For end users listed in these access control files who have different privileges, such as the ability to manage conference rooms or news channels, add them to the corresponding roles that have those privileges. See Table 4-6 for the role that each default policy applies to.

Migrate Access Control File Information Automatically

Instead of transferring the access control file information manually, you can perform a one-time migration of this information by issuing a command.

Type the following command:

imadmin migrate

This command transfers information from the global access control files to the corresponding policy and its subjects. See Table 4-8 for a list of the global access control files and the policies to which they map.

Table 4-8  Access Control Files and the Policies They Map to

Access Control File          Policy
sysSaveUserSettings.acl      Ability to change own Instant Messaging user settings
sysTopicsAdd.acl             Ability to manage Instant Messaging news channels
sysRoomsAdd.acl              Ability to manage Instant Messaging conference rooms
sysSendAlerts.acl            Ability to send Instant Messaging alerts
sysWatch.acl                 Ability to watch changes on other Instant Messaging end users
sysAdmin.acl                 Ability to administer Instant Messaging and Presence Service
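The manual procedure above amounts to reading the d: line of each global access control file, mapping the file to its policy from Table 4-8, and listing the end users who need a role. The following script, an added example rather than a tool shipped with Instant Messaging, performs that pre-migration review on constructed sample files. The page documents only the d: default line; the u:<uid> entry lines, the file bodies, and the true/false default values used in the samples are assumptions made for illustration, and anything the parser does not recognize is reported rather than interpreted.

```python
"""Pre-migration review of Sun Java System Instant Messaging global ACL files.

Added example, not part of the product. Only the "d:" default line is documented;
"u:<uid>" entry lines are an ASSUMED format used to show the subject listing.
"""

# Table 4-8: global access control file -> Identity Server policy it maps to.
ACL_TO_POLICY = {
    "sysSaveUserSettings.acl": "Ability to change own Instant Messaging user settings",
    "sysTopicsAdd.acl": "Ability to manage Instant Messaging news channels",
    "sysRoomsAdd.acl": "Ability to manage Instant Messaging conference rooms",
    "sysSendAlerts.acl": "Ability to send Instant Messaging alerts",
    "sysWatch.acl": "Ability to watch changes on other Instant Messaging end users",
    "sysAdmin.acl": "Ability to administer Instant Messaging and Presence Service",
}

# Constructed sample file bodies (values and "u:" lines are assumptions, see above).
SAMPLE_ACLS = {
    "sysRoomsAdd.acl": "# who may create conference rooms\nd:false\nu:alice\nu:bob\n",
    "sysTopicsAdd.acl": "d:false\nu:carol\n",
    "sysSendAlerts.acl": "d:true\n",
    "sysAdmin.acl": "u:admin\n",      # no default line: the rule must be set by hand
    "custom.acl": "d:true\n",         # not a global file: imadmin migrate will not touch it
}


def parse_acl(text):
    """Return (default_value, subjects, warnings) for one ACL file body."""
    default = None
    subjects = []
    warnings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("d:"):
            if default is not None:
                warnings.append(f"line {lineno}: second default line; keeping the first")
                continue
            default = line[2:].strip()          # value kept verbatim, not interpreted
        elif line.startswith("u:"):             # assumed per-user entry format
            subjects.append(line[2:].strip())
        else:
            warnings.append(f"line {lineno}: unrecognized entry {line!r}")
    if default is None:
        warnings.append("no default line (d:) found; set the policy rule by hand")
    return default, subjects, warnings


def migration_plan(acl_files):
    """Map each file to its policy and list what the migration needs per file.

    acl_files: {filename: file body}. Files outside Table 4-8 are flagged because
    'imadmin migrate' only handles the global access control files.
    """
    plan = {}
    for name, body in sorted(acl_files.items()):
        default, subjects, warnings = parse_acl(body)
        policy = ACL_TO_POLICY.get(name)
        if policy is None:
            warnings.append("not a global access control file; migrate by hand if needed")
        plan[name] = {"policy": policy, "default": default,
                      "subjects": subjects, "warnings": warnings}
    return plan


if __name__ == "__main__":
    for name, entry in migration_plan(SAMPLE_ACLS).items():
        print(f"{name}: rule default={entry['default']!r} -> {entry['policy']}")
        for uid in entry["subjects"]:
            print(f"  add {uid} to the role that carries this policy")
        for warning in entry["warnings"]:
            print(f"  WARNING: {warning}")
```

Run it against the real files before issuing imadmin migrate: a file with no d: line or with unrecognized entries is one the automatic migration cannot fully represent, and the listed subjects are the users to place in the roles from Table 4-6 afterwards.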

Migrate Sun Java System Instant Messenger Settings

For the Sun Java System Instant Messaging 6.1 server, when the parameter iim.userprops.store is set to ldap in the iim.conf file, the Sun Java System Instant Messenger settings for end users are stored in the sunIMUserProperties user attribute.

If your site used an earlier version of the Sun Java System Instant Messaging server and the Sun Java System Instant Messenger settings were stored in the user.properties file, then after you install the Sun Java System Instant Messaging 6.1 server the old settings are migrated automatically to the sunIMUserProperties user attribute as end users log on, as long as the iim.userprops.store parameter is set to ldap in the iim.conf file.

When an end user first logs on to the Sun Java System Instant Messaging 6.1 server, the server checks whether the sunIMUserProperties user attribute exists and whether it holds the end user’s settings. If the settings are not found there, the server checks whether a user.properties file exists for that end user. If the file exists, the server transfers its contents to the sunIMUserProperties user attribute. If the user.properties file does not exist, the end user’s Sun Java System Instant Messenger settings default to the value assigned in the sunIMUserProperties user attribute for that end user.





Copyright 2004 Sun Microsystems, Inc. All rights reserved.