In this task, you perform feature-level access control, a powerful tool that enables or disables client functionality. You create a new instant messaging role and corresponding policy that limits the instant messaging functionality to the basic features. Users assigned to this new role are not able to join conference rooms, send polls, or perform any of the other advanced instant messaging tasks.
Access Manager uses the Instant Messaging Service and the Presence Service to manage the Instant Messaging policy. The Instant Messaging Service contains the policy rules for communicating with others, as well as the ability to chat, exchange files, join conferences, send alerts, and more. The Presence Service contains the policy rules for determining the ability of users to share their presence with others, as well as to access, manage, or publish one's presence.
Use a completely new web browser to start Access Manager.
For example, http://wireless.map.beta.com/amconsole.
If you are using Internet Explorer for the Portal Server desktop and Communications Express, start Mozilla or Firefox.
Log in as user amadmin with the password adminpass.
In the top level organization (o=isp), choose Roles from the View drop-down menu in the left pane of the Access Manager console.
Click New to create a new role.
Select Static Role, type IM Limited User in the Name field, and click Next.
Define the following:
Description: Limited access role
Type of Role: Service
Access Permissions: Organization Administrator
Click Finish to create the role.
Now that you have created this new role, create policies that apply to this role.
Click the Service Configuration tab to add the appropriate Subject Type.
You will use the Subject Type to define a subject for the new policy you will create later.
In the left pane, click the property arrow beside Policy Configuration.
In the right pane, scroll down until you see a list of Selected Policy Subjects. In Selected Policy Subjects, choose all the available subjects, then click Save.
Click the Identity Management tab.
Choose Services from the View drop-down menu in the left pane.
Click the property arrow beside Policy Configuration.
Verify that all Selected Policy Subjects are selected.
In the top level organization (o=isp), choose Policies from the View drop-down menu in the left pane of the Access Manager console.
Click New to create a new policy.
Choose Rules from the View drop-down menu in the right pane of the Access Manager Console.
Click the New button to define rules for this policy.
Select Instant Messaging Service for the Rule Type and click Next.
Type IMLimitedRule for the Rule Name.
Type IMResource for the Resource Name.
Select all Action check boxes.
Click the Deny radio button for the following Actions:
Ability to Exchange Files
Ability to Join Conference Rooms
Ability to Manage Conference Rooms
Ability to Manage News Channels
Ability to Moderate Conference Rooms
Ability to Read News
Ability to Send Alerts
Ability to Send Polls
You have successfully created an Instant Messaging Service rule for this policy.
Click New to define another rule for this policy.
Select Presence Service for the Rule Type and click Next.
Type PresenceLimitedRule for the Rule Name.
Type PresenceResource for the Resource Name.
Select all Action check boxes, but do not click any Deny radio buttons.
All Actions are allowed.
You have successfully created a Presence Service rule for this policy.
Choose Subjects from the View drop-down menu in the right pane of the Access Manager console.
Click New to define the mapping between policies and roles.
Ensure that the Subject Type is Access Manager Roles and click Next.
If "Access Manager Roles" is not an available Subject Type, restart Web Server and retry this step.
Type IM Limited User in the Name field then click Search to search through the list of available Access Manager Roles.
Find the role isp > IM Limited User, highlight this role, and click Add.
Click the IM Limited User checkbox, then click Save.
The new roles and policies have been created. Next you assign Tina to this new Role and note the effect on her Instant Messaging client.
Choose Roles from the View drop-down menu in the left pane of the Access Manager console.
Click on the properties arrow to the right of the IM Limited User role.
The IM Limited User pane appears.
In the right pane, choose Users from the View drop-down menu.
Click Add on the right pane.
Type Tina in the User ID field and click Next.
Select the check box next to Tina's name and click the Finish button.
You have assigned Tina the Instant Messaging Limited User Role, so she has limited access to Instant Messaging.
Choose Organizations from the View drop-down menu in the left pane of the Access Manager console.
Click the link of the organization where user tina exists, for example map.beta.com.
Choose Services from the View drop-down menu in the left pane of the Access Manager console.
Click on the properties arrow to the right of the Policy Configuration service.
The Policy Configuration pane appears.
In the right pane, type the LDAP Bind Password in the appropriate text entry boxes. (For example, type adminpass.) Then click Save.
Launch the Instant Messenger client, then log in as tina.
Duncan initially has kathy and robert in his Instant Messaging buddy list. The user tina has not yet been added. You can click the Start button from the same Instant Messenger window you used to start kathy. If you start Tina's Instant Messenger, notice that her window has very limited Instant Messaging functionality. This type of provisioning is feature-level provisioning, which involves defining roles and policies for these roles. Changing the policy has the effect of removing or adding functionality in the client itself. You can experiment by changing the policy and restarting Tina's client to observe the effect. You can also apply the appropriate role to other users and see its effect as you start Instant Messaging as those users.
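As an added example, not part of the original procedure and not Access Manager's own code, the following Python models how the two rules created above (IMLimitedRule with its denied actions, PresenceLimitedRule with everything allowed) and the subject mapping to the IM Limited User role combine into the feature set a client is offered. The model assumes deny-overrides evaluation (a deny in any applicable policy wins over an allow in another); the policy names, the action labels beyond the eight denied ones, the presence action labels, and the role assignments for kathy and duncan are constructed for illustration.

```python
"""Model of feature-level access control: policies carry per-service rules,
subjects are Access Manager roles, and a user's effective feature set is the
result of evaluating every policy whose subject matches one of the user's roles.
"""
from dataclasses import dataclass, field

IM_SERVICE = "Instant Messaging Service"
PRESENCE_SERVICE = "Presence Service"

# Action labels as they appear in the console. "Ability to Chat" and the
# presence actions are constructed; the eight denied IM actions come from the
# procedure above.
IM_ACTIONS = [
    "Ability to Chat",
    "Ability to Exchange Files",
    "Ability to Join Conference Rooms",
    "Ability to Manage Conference Rooms",
    "Ability to Manage News Channels",
    "Ability to Moderate Conference Rooms",
    "Ability to Read News",
    "Ability to Send Alerts",
    "Ability to Send Polls",
]
PRESENCE_ACTIONS = [  # constructed labels
    "Ability to Access Presence",
    "Ability to Manage Presence",
    "Ability to Publish Presence",
]
IM_LIMITED_DENY = set(IM_ACTIONS) - {"Ability to Chat"}


@dataclass
class Rule:
    service: str
    name: str
    resource: str
    actions: dict = field(default_factory=dict)  # action label -> "allow" | "deny"


@dataclass
class Policy:
    name: str
    rules: list
    roles: set  # Access Manager Roles selected as the policy's subjects


def make_rule(service, name, resource, actions, deny=()):
    """Build a rule with every action checked, denying only those in `deny`."""
    return Rule(service, name, resource,
                {a: ("deny" if a in deny else "allow") for a in actions})


def evaluate(user_roles, policies, service):
    """Return {action: decision} for one service across all matching policies.
    Assumption: deny overrides allow when policies disagree."""
    decisions = {}
    for policy in policies:
        if not policy.roles & set(user_roles):
            continue  # the policy's subject does not match this user
        for rule in policy.rules:
            if rule.service != service:
                continue
            for action, decision in rule.actions.items():
                if decision == "deny" or action not in decisions:
                    decisions[action] = decision
    return decisions


def enabled_features(user_roles, policies, service):
    """Sorted list of actions the client should expose for this user."""
    return sorted(a for a, d in evaluate(user_roles, policies, service).items()
                  if d == "allow")


# The policy built in the procedure (policy name constructed; rule and
# resource names are the ones typed into the console).
IM_LIMITED_POLICY = Policy("IMLimitedPolicy", [
    make_rule(IM_SERVICE, "IMLimitedRule", "IMResource", IM_ACTIONS,
              deny=IM_LIMITED_DENY),
    make_rule(PRESENCE_SERVICE, "PresenceLimitedRule", "PresenceResource",
              PRESENCE_ACTIONS),
], roles={"IM Limited User"})

# A constructed unrestricted policy for comparison.
IM_FULL_POLICY = Policy("IMFullPolicy", [
    make_rule(IM_SERVICE, "IMFullRule", "IMResource", IM_ACTIONS),
    make_rule(PRESENCE_SERVICE, "PresenceFullRule", "PresenceResource",
              PRESENCE_ACTIONS),
], roles={"IM Full User"})

POLICIES = [IM_LIMITED_POLICY, IM_FULL_POLICY]

# Role assignments: tina as in the procedure; kathy and duncan constructed.
USER_ROLES = {
    "tina": {"IM Limited User"},
    "kathy": {"IM Full User"},
    "duncan": {"IM Full User", "IM Limited User"},  # holds both roles
}


def features_for(user, service=IM_SERVICE):
    return enabled_features(USER_ROLES.get(user, set()), POLICIES, service)


if __name__ == "__main__":
    for user in USER_ROLES:
        print(user, "->", features_for(user))
```

Running the block shows tina limited to chat, kathy with every IM feature, and duncan, who holds both roles, limited like tina because the deny in the IM Limited User policy takes precedence. That last case is the one worth checking when you layer roles in a real deployment: adding a permissive role to a user never restores a feature that another role's policy denies.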