iPlanet Directory Server Access Management Edition Administration Guide



Chapter 6       Administration Attributes


The Administration Service consists of global and organization attributes. The values applied to the global attributes are applied across the iPlanet Directory Server Access Management Edition (DSAME) configuration and are inherited by every configured organization. They cannot be applied directly to roles or organizations, as the goal of global attributes is to customize the DSAME application itself. Values applied to the organization attributes are default values for each configured organization and can be changed when the service is registered to the organization. The organization attributes are not inherited by entries of the organization. The Administration Attributes are divided into:

  • Global Attributes

  • Organization Attributes

Global Attributes

The global attributes in the Administration Service are:


Default Role Permissions (ACIs)

This attribute defines a list of default access control instructions (ACIs) or permissions that are used to grant administrator privileges when creating new roles. One of these ACIs is selected depending on the level of privilege desired. DSAME ships with two default role permissions:


Organization Admin

The Organization Administrator has read and write access to all entries in the configured organization. This role is named iPlanetAMOrgAdminRole.


Organization Help Desk Admin

The Organization Help Desk Administrator has read access to all entries in the configured organization and write access to the userPassword attribute. This role is named iPlanetAMOrgHelpDeskAdminRole.



Note Roles are defined using the format aci_name | aci_desc | dn:aci ## dn:aci ## dn:aci where:

  • aci_name is the name of the role.

  • aci_desc is a description of the access these ACIs allow. For maximum usability, assume the reader of this description does not understand ACIs or other directory concepts.

  • dn:aci represents pairs of DNs and ACIs separated by ##. DSAME sets each ACI in the associated DN entry. This format also supports tags that can be substituted for values that would otherwise have to be specified literally in an ACI: ROLENAME, ORGANIZATION, GROUPNAME and PCNAME. Using these tags lets you define roles flexible enough to be used as defaults. When a role is created based on one of the default roles, tags in the ACI resolve to values taken from the DN of the new role.
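
The following Python, added here as an illustration and not part of DSAME, parses a role permission written in this format and resolves the tags when a new role is created from it. The sample permission strings, and the rule that ROLENAME resolves to the new role's DN and ORGANIZATION to the entry the role sits under (with GROUPNAME and PCNAME supplied by the caller), are assumptions made for the example; the ACI bodies use standard Directory Server ACI syntax but are not the defaults DSAME ships.

```python
"""Added example (not DSAME code): parse a default role permission written as
   aci_name | aci_desc | dn:aci ## dn:aci
and resolve the ROLENAME / ORGANIZATION / GROUPNAME / PCNAME tags when a new
role is created from it.  The sample strings and the tag-resolution rule are
assumptions made for this example."""
import re
from dataclasses import dataclass

TAG_PATTERN = re.compile(r"\b(ROLENAME|ORGANIZATION|GROUPNAME|PCNAME)\b")


@dataclass
class RolePermission:
    name: str           # aci_name
    description: str    # aci_desc, written for readers who do not know ACIs
    acis: list          # [(dn, aci), ...] with tags still unresolved


def parse_role_permission(spec):
    """Split the three '|' fields; the last is split on '##' and each piece on
    its FIRST ':' only, because ACI text itself contains ':' (ldap:///...)."""
    parts = spec.split("|", 2)
    if len(parts) != 3:
        raise ValueError("expected 'aci_name | aci_desc | dn:aci ## dn:aci'")
    name, desc, pairs = (p.strip() for p in parts)
    acis = []
    for pair in pairs.split("##"):
        dn, sep, aci = pair.strip().partition(":")
        if not sep or not dn.strip() or not aci.strip():
            raise ValueError("malformed dn:aci pair: %r" % pair)
        acis.append((dn.strip(), aci.strip()))
    return RolePermission(name, desc, acis)


def parent_dn(dn):
    """DN one level up; splits on commas not preceded by a backslash."""
    return ",".join(re.split(r"(?<!\\),", dn)[1:]).strip()


def tag_values(role_dn, group_dn=None, pc_dn=None):
    """Assumed rule: ROLENAME is the new role's DN, ORGANIZATION the entry it
    sits under; GROUPNAME / PCNAME are given when the role guards a group or
    a people container."""
    values = {"ROLENAME": role_dn, "ORGANIZATION": parent_dn(role_dn)}
    if group_dn:
        values["GROUPNAME"] = group_dn
    if pc_dn:
        values["PCNAME"] = pc_dn
    return values


def resolve(perm, values):
    """Return [(dn, aci)] with every tag substituted.  An unresolved tag is an
    error: an ACI targeting the literal string ORGANIZATION protects nothing."""
    def repl(match):
        tag = match.group(1)
        if tag not in values:
            raise ValueError("no value for tag %s in %r" % (tag, perm.name))
        return values[tag]
    return [(TAG_PATTERN.sub(repl, dn), TAG_PATTERN.sub(repl, aci))
            for dn, aci in perm.acis]


# Constructed samples in the documented format (standard DS ACI syntax, not
# the defaults DSAME ships).
ORG_ADMIN_SPEC = (
    "Organization Admin | Can view and change every entry in the organization"
    " | ORGANIZATION:(target=\"ldap:///ORGANIZATION\")(targetattr=\"*\")"
    "(version 3.0; acl \"Organization Admin\"; allow (all) "
    "roledn=\"ldap:///ROLENAME\";)"
)
HELP_DESK_SPEC = (
    "Organization Help Desk Admin | Can look up any user in the organization"
    " and reset passwords, but cannot change anything else"
    " | ORGANIZATION:(target=\"ldap:///ORGANIZATION\")(targetattr=\"*\")"
    "(version 3.0; acl \"Help Desk read\"; allow (read,search,compare) "
    "roledn=\"ldap:///ROLENAME\";)"
    " ## ORGANIZATION:(target=\"ldap:///ORGANIZATION\")"
    "(targetattr=\"userPassword\")(version 3.0; acl \"Help Desk reset\"; "
    "allow (write) roledn=\"ldap:///ROLENAME\";)"
)

if __name__ == "__main__":
    role = "cn=iPlanetAMOrgHelpDeskAdminRole,o=example.com,o=isp"
    for dn, aci in resolve(parse_role_permission(HELP_DESK_SPEC), tag_values(role)):
        print(dn, "=>", aci)
```

Resolution refuses an unresolved tag rather than writing it out literally: once set in the directory, an ACI whose target is the string ORGANIZATION does not protect the organization entry it was meant for.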




Dynamic Admin Roles ACIs

This attribute defines the access control instructions for the administrator roles that are created dynamically when a group, organization, container or people container is configured using DSAME. These roles are used for granting administrative privileges for the specific grouping of entries created. The default ACIs can be modified only under this attribute listing.



Caution

Administrators at the organization and people container level have a wider scope of access than group administrators do. But, by default, a user who is added to a group administrator role can change the password of anyone in the group, including any organization or people container administrator who is a member of that group. A group administrator can therefore take over such an administrator's account by resetting its password, so keep administrators of wider scope out of groups whose Group Admin role is delegated to less trusted users.




Group Admin

The Group Administrator has read and write access to all members of a specific group. When a group is created, the Group Admin role is automatically generated with the necessary privileges to manage the group. The role is not automatically assigned to a group member. It must be assigned by the group's creator.


Organization Admin

The Organization Administrator has read and write access to all entries in an organization. When an organization is created, the Organization Admin role is automatically generated with the necessary privileges to manage the organization. This role is titled iPlanetAMOrgAdminRole.


Organization Help Desk Admin

The Organization Help Desk Administrator has read access to all entries in an organization and write access to the userPassword attribute. This role is titled iPlanetAMOrgHelpDeskAdminRole.



Note When a sub-organization is created, remember that the administration roles are created in the sub-organization, not in the parent org.




People Container Admin

By default, any user entry in a newly created organization is a member of that organization's People Container. The People Container Administrator has read and write access to all entries in the organization's People Container. This role is titled People Admin. Keep in mind that the People Admin does NOT have read and write access to the attributes that contain role and group DNs; therefore they cannot modify the attributes of, or remove a user from, a role or a group.



Note Other containers can be configured with DSAME to hold user entries, group entries or even other containers. To apply an administrator role to a container created after the organization has already been configured, the iPlanetAMOrgUnitAdminRole or iPlanetAMOrgUnitHelpDeskAdminRole defaults would be used.




Organizational Unit Admin

The Organizational Unit Administrator has read and write access to all entries in an LDAP organizational unit. In DSAME, the LDAP organizational unit is often referred to as a container. This role is titled iPlanetAMOrgUnitAdminRole.


Organizational Unit Help Desk Admin

The Organizational Unit Help Desk Administrator has read access to all entries in an organizational unit and write access to the userPassword attribute in user entries only in this organizational unit. This role is titled iPlanetAMOrgUnitHelpDeskAdminRole.


Top Level Admin

The Top Level Administrator has read and write access to all entries in the top level organization. In other words, this Top Level Admin role has privileges for every configuration principal within the DSAME application. This role is titled SuperAdminRole.


Show People Containers

This attribute specifies whether to display People Containers in the DSAME console. If this option is selected, the menu choice People Containers displays in the Show menu at the top level for organizations instead of Users. The administrator must log out and log back in for this change to take effect.

People containers are organizational units containing only user profiles. iPlanet recommends that you use a single people container in your DIT and leverage the flexibility of roles to manage access and services. The default behavior of the DSAME console is therefore to hide the People Container. However, if you have multiple people containers in your DIT, select Show People Containers to display People Containers as managed objects in the DSAME console.


Display Containers In Menu

This attribute specifies whether to display any containers in the Show menu of the DSAME console. The default value is false. An administrator can optionally choose either:

  • false (checkbox not selected) — Containers are not listed among the choices on the Show menu at the top level for organizations and other containers.

  • true (checkbox selected) — Containers are listed among the choices on the Show menu at the top level and for organizations and other containers.



    Note The Display Containers in Menu option is only available when DSAME is installed using the default mode. When compliant installation is chosen, organizational units are never created.




Show Group Containers

This attribute specifies whether to show Group Containers in the DSAME console. If this option is selected, the menu choice Group Containers displays in the Show menu for organizations and containers. Group containers are organizational units for groups.


Managed Group Type

This option specifies whether subscription groups created through the DSAME console are static or dynamic. The console creates and displays either static or dynamic subscription groups, never both. (Filtered groups are always supported regardless of the value given to this attribute.) The default value is dynamic.

  • A static group explicitly lists each group member using the groupOfNames or groupOfUniqueNames object class. The group entry contains a member (groupOfNames) or uniqueMember (groupOfUniqueNames) attribute value for each member of the group. Members of static groups are added manually; the user entry itself remains unchanged. Static groups are suitable for groups with few members.

  • A dynamic group uses a memberOf attribute in the entry of each group member. Membership is computed by an LDAP filter that searches for and returns all entries whose memberOf attribute contains the group. Dynamic groups are suitable for groups that have a very large membership.

  • A filtered group uses an LDAP filter to search for and return the members that satisfy the filter. For instance, the filter can select members with a specific uid (uid=g*) or email address (email=*@sun.com). In these examples, the LDAP filter would return all users whose uid begins with g or whose email address ends with @sun.com, respectively. Filtered groups can only be created within the User Management view by choosing Membership by Filter. See "Managed Groups" for more information.

An administrator can select one of the following:

  • Dynamic — Groups created through the Membership By Subscription option will be dynamic.

  • Static — Groups created through the Membership By Subscription option will be static.



    Note The Managed Group Type option is only available when DSAME is installed using the default mode. When compliant installation is chosen, the Managed Group Type is always static.
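
As an added illustration (not DSAME's own code), the following Python resolves membership for each of the three group types over a small constructed directory: a static group is read from the group entry's uniqueMember values, a dynamic group from the memberOf attribute in each user entry, and a filtered group from a filter such as (uid=g*). The DNs, users and attribute names (the standard mail attribute is used where the text writes email) are assumptions for the example, and the filter evaluator handles only the single-assertion filters shown in the text.

```python
"""Added example (not DSAME code): how membership is determined for static,
dynamic and filtered groups, evaluated in memory over constructed entries.
DNs, users and attribute values below are made up for illustration."""
import re

# Constructed sample entries: DN -> {attribute: [values]}.
DIRECTORY = {
    "uid=gwen,ou=People,o=example.com,o=isp": {
        "uid": ["gwen"], "mail": ["gwen@sun.com"],
        "memberOf": ["cn=staff,ou=Groups,o=example.com,o=isp"],
    },
    "uid=greg,ou=People,o=example.com,o=isp": {
        "uid": ["greg"], "mail": ["greg@example.com"],
    },
    "uid=bob,ou=People,o=example.com,o=isp": {
        "uid": ["bob"], "mail": ["bob@sun.com"],
        "memberOf": ["cn=staff,ou=Groups,o=example.com,o=isp"],
    },
}

STAFF_DN = "cn=staff,ou=Groups,o=example.com,o=isp"

# Static group: the group entry itself lists every member DN.
STATIC_STAFF = {
    "objectClass": ["top", "groupOfUniqueNames"],
    "uniqueMember": [
        "uid=gwen,ou=People,o=example.com,o=isp",
        "uid=bob,ou=People,o=example.com,o=isp",
        "uid=nobody,ou=People,o=example.com,o=isp",   # stale reference
    ],
}


def static_members(group_entry, directory=DIRECTORY):
    """Membership lives in the group entry: read uniqueMember and keep only
    DNs that still exist (a stale value grants nothing but is worth auditing)."""
    return sorted(dn for dn in group_entry.get("uniqueMember", [])
                  if dn in directory)


def dynamic_members(group_dn, directory=DIRECTORY):
    """Membership lives in the user entries: evaluate (memberOf=<group DN>)."""
    return sorted(dn for dn, entry in directory.items()
                  if group_dn in entry.get("memberOf", []))


def _match(values, pattern):
    """Case-insensitive equality/substring assertion such as g* or *@sun.com
    tested against every value of an attribute."""
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return any(re.match(regex, v, re.IGNORECASE) for v in values)


def filtered_members(ldap_filter, directory=DIRECTORY):
    """Membership is computed from a filter.  This evaluator handles only the
    single-assertion filters used in the text, e.g. (uid=g*) or (mail=*@sun.com)."""
    m = re.fullmatch(r"\(\s*([A-Za-z][\w-]*)=([^()]*)\)", ldap_filter.strip())
    if not m:
        raise ValueError("only simple (attr=value) filters are supported: %r"
                         % ldap_filter)
    attr, pattern = m.group(1), m.group(2)
    return sorted(dn for dn, entry in directory.items()
                  if _match(entry.get(attr, []), pattern))


if __name__ == "__main__":
    print("static :", static_members(STATIC_STAFF))
    print("dynamic:", dynamic_members(STAFF_DN))
    print("uid=g* :", filtered_members("(uid=g*)"))
    print("mail   :", filtered_members("(mail=*@sun.com)"))
```

The two subscription models differ in who controls them: static membership is written into the group entry, whereas dynamic membership follows whatever memberOf values a user entry carries. That is why write access to the attributes holding role and group DNs is withheld from the People Container Admin described above: an administrator who can write those attributes on a user can add that user to any dynamic group.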




Service Hierarchy

This listing of services defines the order of precedence for default and externally configured services. The service tree in the Service Management interface is drawn dynamically based on the values in this attribute. If a new service is configured and added to DSAME, it must also be added to this attribute or it will not show up in the Service Management display.



Organization Attributes



The organization attributes in the administration service are:


Groups Default People Container

This field specifies the default people container where users will be placed when they are created by a group administrator. There is no default value. A valid value is the DN of a people container (organizational unit). See the note under Groups People Container List attribute for the People Container fallback order.


Maximum Results Returned From Search

This field defines the maximum number of results returned from a search. The default value is 100.



Caution

Do not set this value above 500; a search that requests more results than that is refused.




Timeout For Search (sec.)

This field defines the amount of time (in number of seconds) that a search will continue before timing out. It is used to stop potentially long searches. After the maximum search time is reached, an error is returned. The default is 5 seconds.


Groups People Container List

This field specifies a list of People Containers from which a group administrator can choose when creating a new user. This list can be used if there are multiple people containers in the directory tree and the Show People Containers attribute is set to false. (If no People Containers are specified in this list or in the Groups Default People Container field, users are created in the default DSAME people container, ou=People.) There is no default value for this field.



Note When a user is created, this attribute is checked for a container in which to place the entry. If the attribute is empty, the Groups Default People Container attribute is checked for a container. If the latter attribute is empty, the entry is created under ou=People.




Display User's Roles

This option specifies whether to display a list of roles assigned to a user as part of their user profile page. The default value is true (checkbox selected). An administrator can select from the following:

  • false (checkbox not selected) — The user profile page does not include a list of roles assigned to the user.

  • true (checkbox selected) — The user profile page includes a list of roles assigned to the user.


Display User's Groups

This option specifies whether to display a list of groups the user belongs to as part of their user profile page. The default value is true (checkbox selected). An administrator can select from the following:

  • false (checkbox not selected) — The user profile page does not include a list of groups the user belongs to.

  • true (checkbox selected) — The user profile page includes a list of groups the user belongs to.


User Group Self Subscription

This option specifies whether users can add themselves to groups that are open to subscription. The default value is true (checkbox selected). An administrator can select from the following:

  • false (checkbox not selected) — The list of groups the user belongs to is not modifiable by the user.

  • true (checkbox selected) — The list of groups the user belongs to is modifiable by the user.



    Note This option applies only when the Display User's Groups option is selected.




User Profile Display Options

This menu specifies the information displayed as the user profile. The default value is UserOnly. An administrator can select from the following:

  • UserOnly — Display viewable User service attribute values from the User subschema.

    User service attribute values are viewable by the user when the attribute contains the keyword Display. See the iPlanet Directory Server Access Management Edition Programmer's Guide for details.

  • ByService — Display attribute values from dynamic subschema for services that have it.

  • Combined — Display viewable User service attribute values from the User subschema and attribute values from dynamic subschema for services that have it.


User Creation Default Roles

This listing defines roles that will be assigned to newly created users automatically. There is no default value. An administrator can input the DN of one or more roles.



Note This field only accepts a full Distinguished Name (DN), not a role name.




View Menu Entries

This field lists the Java classes of services that will be displayed in the View menu at the top of the DSAME console. The syntax is i18N key | java class name. (The i18N key is used for the localized name of the entry in the View menu.)


Copyright © 2001 Sun Microsystems, Inc. Some preexisting portions Copyright © 2001 Netscape Communications Corp. All rights reserved.

Last Updated December 12, 2001