Portal Server enables portal administrators to delegate the responsibility for managing various tasks in a particular organization to other individuals, called delegated administrators. Decentralizing administrative functions can improve portal management, especially in complex organizations. Portal administrators can set up channels for delegated administrators to use for managing the Desktop.
To perform administration tasks, delegated administrators use a set of administrative portlets on the Portal Server Desktop. This topic shows you how to set up these channels on the Developers Sample Desktop so that you can design a basic Desktop for delegated administrators.
Portal Server provides a set of administrative portlets on the Portal Server Desktop. The portlets allow administrators to set up specialized channels for delegated administrators to use in managing the Desktop and end-user roles. The three delegated administration roles are the following:
Organization admin role — Manages the Desktop content and end users in the defined organization.
Content administrator role — Manages the Desktop content of end users in the defined organization.
User administrator role — Manages end users in the defined organization and can assign or remove assignments of end-user roles.
This topic shows you how to set up delegated administration channels at the organization, role, and user level on the Developers Sample Desktop.
Set up access control instructions to allow or restrict access to the Desktop channel.
For administrator access at the organization level, access control instructions are set up by Access Manager by default.
For administrator access at the role level or the user level, Portal Server administrators must set up access control instructions.
Load the sample ACIs into the Directory Server.
Type the following command, where password is the Directory Manager password:
ldapmodify -D "cn=directory manager" -w password -f acis.ldif
Here is the sample ACI content:
# acis.ldif
dn: dc=sample,dc=siroe,dc=com
changetype: modify
# aci for JDCAdmin1 role
add: aci
aci: (target="ldap:///ou=people,o=DeveloperSample,dc=red,dc=iplanet,dc=com")
  (targetattr="*")
  (version 3.0; acl "Allow JDCAdmin1 Role to read and search users";
  allow (read,search)
  roledn="ldap:///cn=JDCAdmin1,o=DeveloperSample,dc=red,dc=iplanet,dc=com";)
-
add: aci
aci: (target="ldap:///dc=red,dc=iplanet,dc=com")
  (targetfilter="(entrydn=cn=JDC,o=DeveloperSample,dc=red,dc=iplanet,dc=com)")
  (targetattr="*")
  (version 3.0; acl "Allow JDCAdmin1 Role to read and search JDC Role";
  allow (read,search)
  roledn="ldap:///cn=JDCAdmin1,o=DeveloperSample,dc=red,dc=iplanet,dc=com";)
-
add: aci
aci: (target="ldap:///ou=people,o=DeveloperSample,dc=red,dc=iplanet,dc=com")
  (targetattr="nsroledn")
  (targetfilter="(!(|(nsroledn=cn=Top-level Admin Role,dc=red,dc=iplanet,dc=com)
  (nsroledn=cn=Top-level Help Desk Admin Role,dc=red,dc=iplanet,dc=com)
  (nsroledn=cn=Organization Admin Role,o=DeveloperSample,dc=red,dc=iplanet,dc=com)
  (nsroledn=cn=Top-level Policy Admin Role,dc=red,dc=iplanet,dc=com)))")
  (targattrfilters="add=nsroledn:(nsroledn=cn=JDC,o=DeveloperSample,dc=red,dc=iplanet,dc=com),
  del=nsroledn:(nsroledn=cn=JDC,o=DeveloperSample,dc=red,dc=iplanet,dc=com)")
  (version 3.0; acl "Allow JDCAdmin1 Role to add/remove users to JDC Role";
  allow (write)
  roledn="ldap:///cn=JDCAdmin1,o=DeveloperSample,dc=red,dc=iplanet,dc=com";)
-
# aci for JDCAdmin2 role
add: aci
aci: (target="ldap:///cn=SunPortalportal1DesktopService,dc=red,dc=iplanet,dc=com")
  (targetfilter="(cn=cn=JDC,o=DeveloperSample,dc=red,dc=iplanet,dc=com)")
  (targetattr="*")
  (version 3.0; acl "Allow JDCAdmin2 to edit display profile of JDC Role";
  allow (all)
  roledn="ldap:///cn=JDCAdmin2,o=DeveloperSample,dc=red,dc=iplanet,dc=com";)
-
add: aci
aci: (target="ldap:///dc=red,dc=iplanet,dc=com")
  (targetattr="*")
  (version 3.0; acl "Allow JDCAdmin2 to read and search all";
  allow (read,search)
  roledn="ldap:///cn=JDCAdmin2,o=DeveloperSample,dc=red,dc=iplanet,dc=com";)
Find and replace every occurrence of o=DeveloperSample,dc=red,dc=iplanet with dc=sample,dc=hostname,dc=com.
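As an added example (not part of the Portal Server documentation, and not Directory Server's ACI evaluator), the following Python models what the third ACI in acis.ldif grants a JDCAdmin1 member, so the effect of its targetfilter and targattrfilters clauses can be checked offline before the LDIF is loaded. The suffix dc=red,dc=iplanet,dc=com is the one used in the sample, and DN matching is deliberately simplified.

```python
# Added example, not Directory Server's ACI evaluator: a model of the third
# ACI in acis.ldif, which lets JDCAdmin1 members add or remove the JDC role.
# DN matching is simplified (lower-case, spaces around commas stripped).

SUFFIX = "dc=red,dc=iplanet,dc=com"            # suffix used in the sample ACIs
ORG = f"o=DeveloperSample,{SUFFIX}"
PEOPLE = f"ou=people,{ORG}"                    # target of the ACI
JDC_ROLE = f"cn=JDC,{ORG}"                     # the only role that may be granted
JDCADMIN1_ROLE = f"cn=JDCAdmin1,{ORG}"         # roledn that the ACI binds to

# The targetfilter excludes users who already hold one of these admin roles,
# so a delegated user admin cannot change an administrator's role membership.
PROTECTED_ROLES = {
    f"cn=Top-level Admin Role,{SUFFIX}",
    f"cn=Top-level Help Desk Admin Role,{SUFFIX}",
    f"cn=Organization Admin Role,{ORG}",
    f"cn=Top-level Policy Admin Role,{SUFFIX}",
}


def norm_dn(dn):
    """Normalize a DN just enough for equality checks in this model."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def jdcadmin1_may_change_role(bind_roles, target_dn, target_roles, op, role_dn):
    """Return True if the ACI grants the requested nsroledn change.

    bind_roles   - nsroledn values of the entry that binds and modifies
    target_dn    - DN of the user entry being modified
    target_roles - nsroledn values that user currently holds
    op           - "add" or "del" (the two targattrfilters operations)
    role_dn      - the nsroledn value being added or deleted
    """
    # roledn clause: the ACI applies only to members of JDCAdmin1
    if norm_dn(JDCADMIN1_ROLE) not in {norm_dn(r) for r in bind_roles}:
        return False
    # target clause: only entries under ou=people of the organization
    if not norm_dn(target_dn).endswith("," + norm_dn(PEOPLE)):
        return False
    # targetfilter clause: users holding a protected admin role are excluded
    if {norm_dn(r) for r in target_roles} & {norm_dn(r) for r in PROTECTED_ROLES}:
        return False
    # targattrfilters clause: the only value that may be added or deleted is JDC
    return op in ("add", "del") and norm_dn(role_dn) == norm_dn(JDC_ROLE)
```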
Define the delegated administrator's role.
Log in to the Sun Java System Access Manager management console.
For information about the Access Manager console, see the Sun Java System Access Manager 7.1 Administration Guide.
Navigate to the DeveloperSample organization.
Create one of the following:
A new suborganization
When you create a new organization, Access Manager sets up an Organization Admin role for the organization.
New delegated administration roles:
Create the following new roles:
End-User Role — Create a role JDC, set Type to Service, and turn off access permissions.
Content Administration Role — Create a role JDCAdmin2, set Type to Administrative, and turn off access permissions.
User Administration Role — Create a role JDCAdmin1, set Type to User, and turn off access permissions.
Create the following new users:
jdcuser — Assign to the role JDC.
jdcuadmin — Assign to the role JDCAdmin1.
jdctadmin — Assign to the role JDCAdmin2.
(Optional) Log out of the Access Manager console.
Ensure that the Portal Desktop service attribute values for the admin role DNs match the Portal Desktop service attribute values for your Portal.
The Desktop service attribute values for the admin role DNs are:
content.admin.role.dn
user.admin.role.dn
If these values do not match, a user who belongs to the admin role can be presented with the wrong Desktop after authenticating to the Portal.
For example, if the DeveloperSample Portal Desktop service attribute values are:
Parent Container: JSPTabContainer
EditContainer: JSPEditContainer
Default Type: developer_sample
and both admin role DNs are set to:
cn=Organization Admin Role, o=DeveloperSample, dc=siroe, dc=com
then the Portal Desktop service attributes for that admin role DN (cn=Organization Admin Role, o=DeveloperSample, dc=siroe, dc=com) must be set to the same values.
Edit the taskadmin.properties file.
Open the taskadmin.properties file in the portal-base-directory/samples/taskadmin directory.
Identify your values for the following variables:
am.admin.dn — the top-level administrator DN (for example, amadmin)
default.org.dn — the top-level or default organization (for example, dc=sun,dc=com)
ps.portal.id — the portal identifier (for example, portal1)
ps.parent.tab.container — the portal Desktop parent container name (for example, ASCTabContainer)
ps.default.type — the portal Desktop type (for example, enterprise_sample)
content.admin.role.dn — DN where the content admin channels and containers are loaded
user.admin.role.dn — DN where the user admin channels and containers are loaded
managed.content.dn — DN managed by the content admin role
Change the default values to match your deployment.
# ------------------------------------------------------
# General settings
# ------------------------------------------------------
#
# psadmin password file (file name and directory path)
# example: /tmp/password
# The password file contains the psadmin password.
#
psadmin.password.file=/tmp/password
#
# Portal configuration location
# example: /etc/opt/SUNWportal
#
ps.config.location=/etc/opt/SUNWportal
#
# Portal identifier
# example: portal1
#
ps.portal.id=portal1
#
# Access Manager admin dn
# example: uid=amAdmin,ou=People,dc=siroe,dc=com
#
am.admin.dn=uid=amAdmin,ou=People,dc=siroe,dc=com
#
# Access Manager default organization
# example: dc=siroe,dc=com
#
default.org.dn=dc=siroe,dc=com
#
# ------------------------------------------------------
# Task admin general settings
# ------------------------------------------------------
#
# Parent tab container
# example: JSPTabContainer
#
ps.parent.tab.container=JSPTabContainer
#
# Parent tab container provider
# example: JSPTabContainerProvider
#
ps.parent.tab.container.provider=JSPTabContainerProvider
#
# Portal default type
# example: developer_sample
#
ps.default.type=developer_sample
#
# ------------------------------------------------------
# Content admin settings
# ------------------------------------------------------
#
# Content admin role dn. The content admin channels and containers
# are loaded to this dn.
# example: see below
#
content.admin.role.dn=cn=Organization Admin Role,o=DeveloperSample,dc=siroe,dc=com
#
# Managed content dn. The dn managed by the 'content.admin.role.dn'.
# example: see below
#
managed.content.dn=o=DeveloperSample,dc=siroe,dc=com
#
# ------------------------------------------------------
# User admin settings
# ------------------------------------------------------
#
# User admin role dn. The user admin channels and containers
# are loaded to this dn.
# example: see below
#
user.admin.role.dn=cn=Organization Admin Role,o=DeveloperSample,dc=siroe,dc=com
#
# ======================================================
# Examples
# ======================================================
#
# Organization admin example:
# content.admin.role.dn=cn=Organization Admin Role,o=DeveloperSample,dc=siroe,dc=com
# managed.content.dn=o=DeveloperSample,dc=siroe,dc=com
# user.admin.role.dn=cn=Organization Admin Role,o=DeveloperSample,dc=siroe,dc=com
#
# Role admin example:
# content.admin.role.dn=cn=JDCAdmin2,o=DeveloperSample,dc=siroe,dc=com
# managed.content.dn=cn=JDC,o=DeveloperSample,dc=siroe,dc=com
# user.admin.role.dn=cn=JDCAdmin1,o=DeveloperSample,dc=siroe,dc=com
Run the ant command.
/usr/sfw/bin/ant -f ps-base-directory/samples/taskadmin/build.xml -Dprops.location=/tmp
/tmp is the directory that contains the taskadmin.properties file.
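As an added example (not part of the Portal Server samples), this Python pre-flight check reads taskadmin.properties before the ant build and reports the mistakes that would load the admin channels to the wrong DN. It handles plain key=value lines only (no backslash continuations), and the rule that managed.content.dn must lie in the organization owning content.admin.role.dn is derived from the two examples in the file rather than a documented constraint.

```python
# Added example, not part of the Portal Server samples: a consistency check of
# taskadmin.properties. Parses simple key=value lines the way a properties file
# is read, then checks the DNs against each other.
import re

REQUIRED = ("psadmin.password.file", "ps.portal.id", "am.admin.dn",
            "default.org.dn", "ps.parent.tab.container", "ps.default.type",
            "content.admin.role.dn", "user.admin.role.dn", "managed.content.dn")

def parse_properties(text):
    """Return {key: value} for key=value lines; '#' and '!' start comment lines."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, _, value = line.partition("=")   # split on the first '=' only
            props[key.strip()] = value.strip()
    return props

def norm_dn(dn):
    return ",".join(p.strip().lower() for p in dn.split(","))

def is_under(dn, base):
    """True if dn is base itself or an entry below base."""
    return norm_dn(dn) == norm_dn(base) or norm_dn(dn).endswith("," + norm_dn(base))

def parent_dn(dn):
    """DN with its first RDN removed, e.g. the organization that owns a role."""
    return norm_dn(dn).partition(",")[2]

def check_taskadmin(text):
    """Return a list of problems; an empty list means the file looks consistent."""
    props = parse_properties(text)
    problems = [f"missing key: {k}" for k in REQUIRED if k not in props]
    if problems:
        return problems
    # A properties file has no inline comments: 'x=/tmp/password //note'
    # makes the value '/tmp/password //note', so psadmin cannot open the file.
    for k, v in props.items():
        if re.search(r"\s//", v):
            problems.append(f"{k}: inline comment becomes part of the value")
    org = props["default.org.dn"]
    for k in ("content.admin.role.dn", "user.admin.role.dn", "managed.content.dn"):
        if not is_under(props[k], org):
            problems.append(f"{k} is outside default.org.dn")
    # Assumed rule: the managed content belongs to the organization that owns
    # the content admin role (o=DeveloperSample in both examples of the file).
    if not is_under(props["managed.content.dn"], parent_dn(props["content.admin.role.dn"])):
        problems.append("managed.content.dn is outside the content admin role's organization")
    return problems
```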
Verify the addition.
Log in to the new delegated administrator's user Desktop.
View the new delegated administration channel.
For an organization delegated administrator, verify that the administration channel appears for this organization in the Admin tab of the Developer Sample.
For a role or user delegated administrator, verify that the administration channel appears for this user in the Admin tab of the Developer Sample.
Log out of the user Desktop.
The Portal Server delegated administration tag library allows you to do the following:
Modify out-of-the-box delegated administration portlets
Develop portlets that provide new delegated administration functions
Write administration portlets with custom user interfaces
Create and administer channels based on JSPProvider
The Tag Library for Delegated Administration describes the tags for writing delegated administration portlets and provides syntax for them. The tag library supports tasks for the following administrative functions:
Provider management
Portlet management
User management
WSRP management
The tag library reference is organized into the following sections:
Tags for Desktop Channel and Container Management Tasks
Tags for Portlet Management Tasks
Tags for User Management Tasks
Tags for Web Services for Remote Portlets (WSRP) Management Tasks