Previous      Contents      Index      Next
Sun Java System Directory Editor 1 2005Q1 Installation and Configuration Guide

Chapter 7
Configuring Directory Editor

Use the information provided in this chapter to configure your Directory Editor application to control user access to applications and application components, and to define relative distinguished names (RDN) configurations. This chapter is organized as follows:

Controlling User Access
Working with Roles
Working with Naming Attributes
Editing the Startup Properties
Editing the Managed Directory Properties

---

Controlling User Access

Authentication and Authorization are terms used to describe methodologies for controlling access to applications or application components.

Authentication is the process by which an application challenges a client to supply credentials — typically providing a user name and password through a log-in page. Based on these credentials, the application determines whether a user (or a different client, such as another application) can use the application.
Authorization assumes that a client has already been authenticated and is in the process of determining whether a client can use a component of the application. Authorization takes a more fine-grained approach to access control.

You can use the Directory Editor Authorization page to authenticate clients and to control access to Directory Editor components using fine-grained authorization.

Note	By default, you must have the Manager role to access the Authorization page. For more information about roles, see Understanding Roles.

To understand authorization, you must understand the terms role, principal, and capabilities. These terms are described in the following sections:

Understanding Roles
Understanding Principals
Understanding Capabilities

Understanding Roles

A role describes a user's function within the enterprise hosting Directory Editor and determines with which parts of Directory Editor the user can interact.

By default, Directory Editor is pre-configured with two roles:

Manager: This role has access to all of Directory Editor’s features and functionality.
Default: This role has more limited capabilities within the application.
For example, you can browse directory data but you cannot edit that data.

Directory Editor enables you to add roles that support interactions appropriate for your enterprise, and these roles can consist of individual users or a group of users.

For example, if you create CEO, help desk administrator, and HR administrator roles for your organization, it is probably not necessary for each of these roles to have the same access capabilities.

Every role is associated with a set of principals that assume the role (see the next section, Understanding Principals).

For Directory Editor, there is a single group in the directory server (called the Manager Group) that serves as the principal corresponding to the Manager role.
You use the Managed Directory page to specify the Manager Group at configuration time (also available after configuration by selecting Configure > Managed Directory). So, if you have a particular user that should have full access to all Directory Editor functions, make that user's DN a member of the Manager Group.

Understanding Principals

A principal represents an entity (such as an individual, corporation, or login ID). The term subject is used to describe entities (typically human users). Subjects can be represented by multiple, differing principals — just as people can be represented by their credit card number to banks and by their UNIX account name to system administrators. The credit card numbers and UNIX account names are principals in this case.

Because Directory Editor is focused on directory data management, its principals are all represented using the following directory objects:

DN (distinguished names)
Directory Server groups
Directory Server roles

A user entering a DN in the log-in page can be represented by several different principals, depending on the data in the directory. For example, if the user’s account ID happens to be a member of a specific group, that user will be represented by the account ID’s DN and by the DN of the group to which the DN belongs.

In Directory Editor, objects representing the user (or subject) are stored in the HTTP session. After the user enters an account ID and a password on the Directory Editor's log-in page, Directory Editor populates the subject with all of the various principals (person entries, groups, and roles) associated with that account ID.

Note	If you edit the Manager role’s default principals, you can restore the original settings by clicking the Restore Default Setting button located on the Principals tab.

Understanding Capabilities

Capabilities are rights to perform actions within Directory Editor. A capability aggregates a set of resources that are necessary to perform the associated action (see Appendix A, "Resources for Capability Configuration").

By default, the Directory Editor capabilities include:

Browse: Enables the user to browse the directory.
Configure: Enables the user to configure the application.
Debug: Enables the user to debug the application.

Directory Editor provides several Debug pages that you can access from the following URL if you are assigned the Debug capability:

<protocol>//<host>[:<port>]/de/Debug.do

Edit/Create: Enables the user to edit and create directory entries.
Search: Enables the user to search the directory.

Note	If you edit the Default role’s default capabilities, you can restore the original settings by clicking the Restore Default Setting button located on the Capabilities tab.

---

Working with Roles

This section provides instructions for defining, editing, and deleting roles. The section is organized as follows:

Accessing the Authorization Page
Creating Directory Editor Roles
Editing Roles
Deleting Roles

Accessing the Authorization Page

To open the Authorization page, select the Configure tab and then select the Authorization tab. The Authorization page is displayed as follows:

Figure 7-1  Authorization Page

This page consists of the following features:

Create Role button: Click this button to create additional roles appropriate for your enterprise. (See Creating Directory Editor Roles.)
Edit Selected Role button: Click this button to change the properties, principals, and capabilities associated with a particular role. (See Editing Roles.)
Delete Selected Role(s) button: Click this button to remove roles. (See Deleting Roles.)
Role table: By default, this table contains the Manager and Default roles.

Creating Directory Editor Roles

Before you can define new Directory Editor roles for your enterprise, you must decide which tasks a common set of users must perform. For example, all of your help desk administrators must have write access to directory data.

After you have identified these tasks, use the following steps to create a new role:

Select Configure > Authorization.
When the Authorization page is displayed (see Figure 7-1), click the Create Role button.
On the New Role page, enter a meaningful name into the Role Name text box. For example, Site Managers.

Figure 7-2  Role Properties Tab



To specify a set of principals for this role, select the Principals tab and then click the Search for Principals button.

Figure 7-3  Principals Tab



When the Search for Principals page is displayed (Figure 7-4), use one of the search tabs (Basic, Advanced, or Filtered) to search the directory for identity, group, or role objects you want to assume the new role.

Figure 7-4  Search for Principals Page



Define the parameters for your search and then click the Search button.

Note	If necessary, see Chapter 6, "Searching Directories" to review the instructions for using these search tabs.

For example, if you want all Managers to assume the new role, you can use the Basic Search tab to search for Directory Administrators as follows:

Figure 7-5  Adding Objects to the Principals Set



In the Results from Search table, enable the Results checkbox(es) to select principals for the new role and then click the Add Selected Principals button.

The New Role page redisplays and the Principal table now contains the principal(s) you specified.

Figure 7-6  Principal Table



Note	To remove principals from the Principal table (and from the new role), enable the checkbox to the right of the principal name(s), and then click the Remove Selected button.

Select the Capabilities tab (Figure 7-7) to specify a set of actions that can be performed by users who assume the new role.

Figure 7-7  Capabilities Tab



Select one or more capabilities from the Available Capabilities list and click to move them to the Capabilities Of This Role list. (Press your Shift key and click on items in the list to select multiple resources.)
Click to move all resources to the Capabilities Of This Role list.
Click to move all resources from the Capabilities Of This Role list back to the Available Capabilities list.
Select resources from the Capabilities Of This Role list and click to move them back to the Available Capabilities list.

For example, you might want to assign all of the capabilities to the Help Desk Administrator role.

Click Save to save the new role and to add it to the Roles table (or click Cancel to return to the Authorization page without saving your changes).

Figure 7-8 shows the updated Roles table.

Figure 7-8  New Role Added to the Roles Table

Editing Roles

To edit selected authorization roles, use the following steps:

Select Configure > Authorization.
When the Authorization page is displayed, click the checkbox located next to the role you want to edit.

Figure 7-9  Click the Checkbox



Click the Edit Selected Role button to open the Edit page.

Figure 7-10  Edit Page



The process for editing a role is the same as the process you used to create it. Review the instructions provided in Creating Directory Editor Roles if necessary.

Note	If you edit the Manager role’s default principals, you can restore the original settings by clicking the Restore Default Setting button located on the Principals tab. Editing the Manager principals on the Principals tab is the same as editing the Manager Principal fields on the Managed Directory page (Configure > Managed Directory). If you edit the Default role’s default capabilities, you can restore the original settings by clicking the Restore Default Setting button located on the Capabilities tab.

When you are finished, click Save (or click Cancel to return to the Authorization page without saving your changes).

Deleting Roles

Note	You cannot delete the Manager or the Default roles.

To delete selected roles, use the following steps:

Select Configure > Authorization.
When the Authorization page is displayed, enable the checkbox(es) located next to the role(s) you want to delete.

Figure 7-11  Click the Checkbox



Click the Delete Selected Role(s) button and Directory Editor will immediately remove the selected role(s) from the Roles table.

---

Working with Naming Attributes

This section provides instructions for defining, editing, and deleting naming attributes. The section is organized as follows:

Accessing the Naming Attributes Page
Creating New Object Class - Naming Attribute Mappings
Editing Naming Attributes
Deleting Selected Naming Attributes

Accessing the Naming Attributes Page

To create new objects, Directory Editor must know how to construct DNs (distinguished names) for the new objects.

For example, if your customer wants to use uid (user ID) as the naming attribute for inetOrgPerson instead of cn you might specify the following DN for a newly created entry:

cn=Mike Miller,dc=example,dc=com

instead of:

uid=mmiller,dc=example,dc=com

Directory Editor ships with a small set of default naming attributes to use for object classes, so it is important that you modify these mappings to match the naming conventions used by your enterprise for naming directory objects. You must configure any object class that you add to the Create page with naming attributes.

To access the Naming Attributes page, select Configuration > Naming Attributes.

The Naming Attributes page is displayed as follows:

Figure 7-12  Naming Attributes Page

This page consists of the following features:

Naming Attribute Mapping table: By default, this table contains a small set of object classes and their naming attributes.
New button: Click this button to add object classes (and define naming attributes for those object classes) to your enterprise. (See Creating New Object Class - Naming Attribute Mappings.)
Edit Selected button: Click this button to edit the naming attributes currently selected for the selected object class. (See Editing Naming Attributes.)
Delete Selected button: Click this button to remove an object class and associated naming attributes from the table. (See Deleting Selected Naming Attributes.)

Creating New Object Class - Naming Attribute Mappings

After you have identified these tasks, use the following steps to create a new naming attribute:

Select Configure > Naming Attributes.
When the Naming Attributes page is displayed (see Figure 7-12), click the New button.
A new Naming Attributes page is displayed (Figure 7-13). Select the object class from the Object Class menu.

Figure 7-13  New Naming Attributes Page



Use the Naming Attributes selection tool to specify naming attributes for the new object class, as follows:
Select one or more naming attributes from the Available Attributes list and click the button to move them to the Used Attributes list. (Press your Shift key and click on items in the list to select multiple naming attributes.)
Click the button to move all naming attributes to the Used Attributes list.
Click the button to move all naming attributes from the Used Attributes list back to the Available Attributes list.
Select naming attributes from the Used Attributes list and click the button to move them back to the Available Attributes list.
Use the (move up) and (move down) buttons to change the order of attributes in the Used Attributes list

For example, you might specify a new objectclass called exUser for extending the default user object and have an attribute called exIdentifier as the naming attribute.

Figure 7-14  New Object Class and Naming Attribute Added to the Table



Click Save to save the new object class and attribute(s) (or click Cancel to return to the Naming Attributes page without saving your changes).

Figure 7-15 shows the new entry added to the Object Class table.

Figure 7-15  Updated Table

Editing Naming Attributes

To edit selected naming attributes, use the following steps:

Select Configure > Naming Attributes.
When the Naming Attributes page is displayed, click the checkbox located next to the role you want to edit.
Click the Edit Selected button to open a new Naming Attributes page (similar to Figure 7-16).

Figure 7-16  Editing the Naming Attributes



Note that the Object Class menu is not available on this page. Instead, Directory Editor displays the selected object class name.

Use the Naming Attributes selection tool to add or remove naming attributes. Review the instructions provided in Creating New Object Class - Naming Attribute Mappings if necessary.
When you are finished, click Save (or click Cancel to return to the Authorization page without saving your changes).

Deleting Selected Naming Attributes

To delete selected naming attributes, use the following steps:

Select Configure > Naming Attributes.
When the Naming Attributes page is displayed, enable the checkbox(es) located next to the object class(es) you want to delete.

Figure 7-17  Click the Checkbox



Click the Delete Selected button and Directory Editor will immediately remove the selected object class(es) from the table.

---

Editing the Startup Properties

After initially configuring the Startup Properties page, you can edit any of the property values by selecting Configuration > Startup.

The steps for editing any of the properties provided on this tab are the same as the steps you performed during the initial configuration.

---

Editing the Managed Directory Properties

After initially configuring the Managed Directory page, you can edit any of the specified property values by selecting Configuration > Managed Directory.

The steps for editing any of the properties provided on this tab are the same as the steps you performed during the initial configuration — except for the Manager Principals parameter.

After completing the initial configuration of Directory Editor, the program adds a Search for Principals button beneath the Manager Principals text boxes so you can search the directory for principals.

Note	Completing these Manager Principals fields is the same as selecting Configure > Authorization and editing the Manager role’s principals on the Principals tab.

To search for principals to add to the Manager Principals set,

Click the Search for Principals button.

Figure 7-18  Search for Principals button



When the Search for Principals page is displayed (Figure 7-19), select one of the search tabs (Basic, Advanced, or Filtered) to search the directory for User, Organization, Group, or All objects.

Figure 7-19  Search for Principals Page



Define the parameters for your search and then click the Search button.

Note	If necessary, see Chapter 6, "Searching Directories" to review the instructions for using these search tabs.

For example, if you add all Directory Administrators to the Manager Principals list, you can select the Basic Search tab to search for Directory Administrators as follows:

Figure 7-20  Adding Objects to the Principals Set



When a Results table is displayed with the results of your search, enable the appropriate Results checkbox(es) to select those principals and then click the Add Selected Principals button.

The Managed Directory page redisplays. Note that the Manager Principals list now contains the principal(s) you specified.

Figure 7-21  New Manager Principals List

Previous      Contents      Index      Next

---

Part No: 819-2191.   Copyright 2004 Sun Microsystems, Inc. All rights reserved.