Instant Messaging provides various functional features such as chat, conferencing, polls, presence access, etc. A policy describes a set of access control privileges that can be associated with these features. In turn, end users and groups can be assigned to policies according to the needs of an organization.
This chapter describes how to define and use policies to manage the access that end users and administrators have to Instant Messaging server features and privileges.
Instant Messaging provides the ability to control access to Instant Messaging features and preserve end-user privacy.
Site policies specify end-user access to specific functionality in Instant Messaging. Site policies specify the ability to:
Access the presence status of other end users
Send alerts to other end users
Save properties on the server
Create and manage conference rooms
Create and manage news channels
The Instant Messaging administrator has access to all Instant Messaging features. The administrator has MANAGE access to all conference rooms and news channels, can view presence information of any end user, and can view and modify properties such as Contact Lists and Instant Messenger Settings of any end user. The site policy settings have no impact on the administrator’s privileges.
By default, the end user is provided with the privileges to access the presence status of other end users, send alerts to end users, and save properties to the server. In most deployments, the default values are not changed. These default values need to be changed only when Instant Messaging is used exclusively for the pop-up functionality.
When Instant Messaging is used exclusively for the pop-up functionality, the end user will not be provided with the access privileges to presence information, chat, and news features.
Although certain privileges can be set globally, the administrator can also define exceptions for these privileges. For example, the administrator can deny certain default privileges to select end users, roles, or groups.
End users can have the following access privileges on Conference rooms and News channels:
MANAGE - full access, which includes the ability to set the conference room or the news channel privilege for other end users.
WRITE - privilege to add contents to the conference room or the news channel.
READ - privilege to read the conference room or the news channel contents.
NONE - no access privileges.
End users with the MANAGE privilege can set the default privilege level for all other end users. These end users can also define exception rules that grant specific end users or groups an access level different from the default.
Setting the WRITE privilege also grants the end user the READ privilege.
End users can specify whether other end users can see their presence. By default, all end users can access the presence information of all other end users. End users can also set exceptions that deny this access to certain end users and groups.
If an end user has denied other end users access to the end user’s presence status, then that end user’s availability status appears as offline in the other end users’ contact lists. No alerts or chat invitations can be sent to an end user whose presence status is offline.
User privacy can be configured using the User Settings window in the Instant Messenger. For more information on configuring user privacy, see Instant Messenger Online Help.
Different sites using Instant Messaging server have different needs in terms of enabling and restricting the type of access end users have to the Instant Messaging service. The process of controlling end user and administrator Instant Messaging server features and privileges is referred to as policy management. There are two methods of policy management available: through access control files or through Sun Java System Access Manager.
Managing Policies Using Access Control Files - The access control file method for managing policies allows you to adjust end-user privileges in the following areas: news channel management, conference room management, the ability to change preferences in the User Settings dialog, and the ability to send alerts. It also allows specific end users to be assigned as system administrators.
Managing Policies Using Sun Java System Access Manager - This method gives you control of the same privileges available with the access control file method; in addition, it allows finer-grained control over features such as the ability to receive alerts, send polls, receive polls, and so on. For a complete list, see Table 17–3.
Two types of policies exist, Instant Messaging policies and Presence policies. The Instant Messaging policies govern general Instant Messaging features, such as the ability to send or receive alerts, the ability to manage public conferences and news channels, and the ability to send files. Presence policies govern the control end users have over changing their online status, and in allowing or preventing others from seeing their online or presence information.
If your deployment does not include Sun Java System Access Manager, you must use the access control file method to manage policies. If you are using Sun Java System Access Manager with the Instant Messaging server, and you have installed the Instant Messaging and Presence services components, you can use either policy management method. Managing policies using Sun Java System Access Manager is a more comprehensive method. One advantage of this method is that it allows you to store all end-user information in the directory.
When you choose which method to use to manage policies, you must also choose where they will be stored. Select the method for managing policies by editing the iim.conf file and setting the iim.policy.modules parameter to either identity for the Access Manager method or iim_ldap for the access control file method, which is also the default method.
Follow these steps to set which method you want to use to manage policies.
Open iim.conf.
See iim.conf File Syntax for instructions on locating and modifying iim.conf.
Edit the iim.policy.modules parameter by setting it to one of the following:
iim_ldap (default, the access control file method)
identity (the Access Manager method)
If you choose identity, you can run imadmin assign_services to assign Instant Messaging and presence services to existing users.
Edit the iim.userprops.store parameter and set it to either:
ldap (To store user properties in LDAP.)
If you choose ldap, you can run imadmin assign_services to add the required objectclasses that store user properties to user entries in the directory.
file (Default, to store user properties in files.)
Save and close iim.conf.
Refresh the configuration.
Table 17–1 lists and describes the parameters available in iim.conf that relate to the increased role that Sun Java System Access Manager can play in Instant Messaging deployments.
Table 17–1 Parameters Related to Access Manager in iim.conf

| Parameter Name | Use | Values |
|---|---|---|
| iim.policy.modules | Indicates if Sun Java System Access Manager or the directory is used for policy storage. | iim_ldap (default), identity |
| iim.userprops.store | Indicates if the user properties are in a user properties file or stored in LDAP. Only significant when the service definitions for the Presence and Instant Messaging services have been installed. | file (default if you chose not to use Access Manager for policy when you ran the configure utility), ldap (default if you chose to use Access Manager for policy when you ran the configure utility) |
By editing access control files you control the following end-user privileges:
Access to the presence status of the other end users
Send alerts to other end users
Save properties on the server
Create new conference rooms
Create new news channels
By default, end users are provided the privileges to access the presence status of other end users, send alerts to end users, and save properties to the server. For most deployments, default values do not need to be changed.
Although certain privileges can be set globally, the administrator can also define exceptions for these privileges. For example, the administrator can deny certain default privileges to select end users or groups.
In addition, if you are enforcing policy through access control files in your deployment, those files must be the same for all servers in a server pool.
Table 17–2 lists the global access control files for Instant Messaging and the privileges these files provide end users.
Table 17–2 Access Control Files

| ACL File | Privileges |
|---|---|
| sysSaveUserSettings.acl | Defines who can and cannot change their own preferences. Users who do not have this privilege cannot add contacts, create conferences, etc. |
| sysTopicsAdd.acl | Defines who can and cannot create News channels. |
| sysRoomsAdd.acl | Defines who can and cannot create Conference rooms. |
| sysSendAlerts.acl | Defines who can and cannot send alerts. Disabling sysSendAlerts also disables polls. |
| sysWatch.acl | Defines who can and cannot watch changes of other end users. For end users who do not have this privilege, the Instant Messenger window allows only conference and news channel subscription and unsubscription. |
| sysAdmin.acl | Reserved for administrators only. This file grants administrative privileges to all Instant Messaging features for the listed end users. This privilege overrides all the other privileges and gives the administrator the ability to create and manage conference rooms and news channels as well as access to end user presence information, settings, and properties. |
Change to the im-cfg-base/acls directory.
See Instant Messaging Server Directory Structure for information on locating im-cfg-base.
Edit the appropriate access control file.
For example:
vi sysTopicsAdd.acl
See Table 17–2 for a list of access control files.
Save the changes.
End users need to refresh the Instant Messenger window to see the changes.
If you are enforcing policy through access control files in your deployment, the content of the files must be the same for all servers in a server pool. To ensure this, copy the files from one server to each of the other nodes in the pool. See Access Control File Location for information on finding these files.
The location of the access control files is im-cfg-base/acls, where im-cfg-base is the configuration directory. See Instant Messaging Server Directory Structure for information about the default location of the configuration directory.
The access control file contains a series of entries that define the privileges. Each entry starts with a tag as follows:
d: - default
u: - user
g: - group
Each tag is a single letter followed by a colon (:). For the default tag, the colon is followed by true or false; for the user and group tags, it is followed by the end-user or group name.
Multiple end users and groups are specified with one u: or g: entry per line.
The d: tag must be the last entry in an access control file. The server ignores all entries after a d: tag. If the d: tag is true, all other entries in the file are redundant and are ignored. You cannot set the d: tag as true in an access control file and selectively disallow end users that privilege. If default is set to false, only the end users and groups specified in the file will have that particular privilege.
The following are the default d: tag entries in the ACL files for a new installation:
sysAdmin.acl - Contains d:false
sysTopicsAdd.acl - Contains d:true
sysRoomsAdd.acl - Contains d:true
sysSaveUserSettings.acl - Contains d:true
sysSendAlerts.acl - Contains d:true
sysWatch.acl - Contains d:true
The format and also the existence of all the access control files might change in future releases of the product.
Disabling sysSendAlerts also disables polls.
In the following example, the d: tag entry for sysTopicsAdd.acl file is false. Therefore, the Add and the Delete news channels privileges are available to the end users and groups that appear before the d: entry, namely user1, user2, and the sales group.
```
# Example sysTopicsAdd.acl file
u:user1
u:user2
g:cn=sales,ou=groups,o=siroe
d:False
```
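The entry rules above (u: and g: entries, a mandatory trailing d: entry, everything after d: ignored, and d:true making the listed entries redundant) can be exercised with the following added example. It is not code from the Instant Messaging product; it parses ACL text the way the page describes, answers whether a given end user holds the privilege the file governs, and flags the two misconfigurations an administrator most often wants caught: entries placed after the d: tag and a d:true file that still lists users or groups. The sample ACL text, user names, and group DN are constructed; treating a missing d: entry as an error and comparing group DNs case-insensitively are this example's assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed sample modelled on the page's sysTopicsAdd.acl example; the
# user names and group DN are illustrative, not from a real deployment.
SAMPLE_ACL = """\
# Example sysTopicsAdd.acl file
u:user1
u:user2
g:cn=sales,ou=groups,o=siroe
d:False
"""


@dataclass
class AclPolicy:
    users: set[str] = field(default_factory=set)
    groups: set[str] = field(default_factory=set)    # group DNs, lower-cased
    default: bool = False
    ignored: list[str] = field(default_factory=list)  # entries after the d: tag


def parse_acl(text: str) -> AclPolicy:
    """Parse ACL text into an AclPolicy.

    Entry forms from the page: 'u:<user>', 'g:<group>', 'd:true|false'.
    The d: entry must be last; the server ignores anything after it, so
    later entries are kept only for reporting. Blank lines and '#' comment
    lines are skipped. Treating a missing d: entry as an error is this
    example's assumption; the page does not say how the server handles it.
    """
    policy = AclPolicy()
    seen_default = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if seen_default:
            policy.ignored.append(line)
            continue
        tag, sep, value = line.partition(":")
        tag, value = tag.strip().lower(), value.strip()
        if not sep or not value:
            raise ValueError(f"malformed ACL entry: {line!r}")
        if tag == "u":
            policy.users.add(value)
        elif tag == "g":
            policy.groups.add(value.lower())  # assumption: DN match is case-insensitive
        elif tag == "d":
            if value.lower() not in ("true", "false"):
                raise ValueError(f"d: must be true or false, got {value!r}")
            policy.default = value.lower() == "true"
            seen_default = True
        else:
            raise ValueError(f"unknown tag {tag!r} in {line!r}")
    if not seen_default:
        raise ValueError("ACL file has no d: entry")
    return policy


def has_privilege(policy: AclPolicy, user: str, user_groups=()) -> bool:
    """Decide whether `user` (a member of `user_groups`) holds the privilege.

    d:true grants everyone regardless of u:/g: entries; d:false grants only
    the listed users and the members of the listed groups.
    """
    if policy.default:
        return True
    if user in policy.users:
        return True
    return any(g.lower() in policy.groups for g in user_groups)


def audit_acl(policy: AclPolicy) -> list[str]:
    """Return findings an administrator reviewing the file would want flagged."""
    findings = []
    if policy.ignored:
        findings.append(f"{len(policy.ignored)} entries after d: are ignored by the server")
    if policy.default and (policy.users or policy.groups):
        findings.append("d:true makes the listed u:/g: entries redundant; "
                        "selective denial is not possible with d:true")
    return findings


if __name__ == "__main__":
    policy = parse_acl(SAMPLE_ACL)
    for who, groups in [("user1", []), ("user3", []),
                        ("user3", ["cn=sales,ou=groups,o=siroe"])]:
        print(who, groups, "->", has_privilege(policy, who, groups))
    print(audit_acl(parse_acl("u:user1\nd:true\nu:late")))
```

Run the same parser over each node's copy of an ACL file and compare the resulting AclPolicy values to confirm that the files really are identical across a server pool, rather than comparing the raw text, which differs harmlessly in comments and blank lines.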
The Instant Messaging and Presence services in Sun Java System Access Manager provide another way to control end user and administrator privileges. Each service has three types of attributes: dynamic, user, and policy. A policy attribute is the type of attribute used to set privileges.
Policy attributes become a part of the rules when rules are added to a policy created in Access Manager to allow or deny administrator and end-user involvement in various Instant Messaging features, such as receiving poll messages from others.
When Instant Messaging server is installed with Sun Java System Access Manager, several example policies and roles are created. See the Sun Java System Access Manager Getting Started Guide and the Sun Java System Access Manager Administration Guide for more information about policies and roles.
You can create new policies and assign those policies to a role, group, organization, or end user as needed to match your site’s needs.
When the Instant Messaging service or the Presence service is assigned to end users, they receive the dynamic and user attributes applied to them. The dynamic attributes can be assigned to an Access Manager configured role or organization.
When a role is assigned to an end user or an end user is created in an organization, the dynamic attributes become a characteristic of the end user. The user attributes are assigned directly to each end user; they are not inherited from a role or an organization and, typically, are different for each end user. When an end user logs on, they get all the attributes that are applicable to them, depending upon which roles are assigned to them and how the policies are applied.
Dynamic, user or policy attributes are associated with end users after assigning the Presence and Instant Messaging Services to these end users.
Table 17–3 lists the policy, dynamic, and user attributes for each service.
Table 17–3 Access Manager Attributes for Instant Messaging

| Service | Policy Attributes | Dynamic Attributes | User Attributes |
|---|---|---|---|
| sunIM | sunIMAllowChat, sunIMAllowChatInvite, sunIMAllowForumAccess, sunIMAllowForumManage, sunIMAllowForumModerate, sunIMAllowAlertsAccess, sunIMAllowAlertsSend, sunIMAllowNewsAccess, sunIMAllowNewsManage, sunIMAllowFileTransfer, sunIMAllowContactListManage, sunIMAllowUserSettings, sunIMAllowPollingAccess, sunIMAllowPollingSend | sunIMProperties, sunIMRoster, sunIMConferenceRoster, sunIMNewsRoster, sunIMPrivateSettings | sunIMUserProperties, sunIMUserRoster, sunIMUserConferenceRoster, sunIMUserNewsRoster, sunIMUserPrivateSettings |
| sunPresence | sunPresenceAllowAccess, sunPresenceAllowPublish, sunPresenceAllowManage | sunPresenceDevices, sunPresencePrivacy | sunPresenceEntityDevices, sunPresenceUserPrivacy |
For each attribute in the preceding table, a corresponding label appears in the Access Manager admin console. Table 17–4 lists and describes the policy attributes and Table 17–5 lists and describes the dynamic and user attributes.
Table 17–4 Access Manager Policy Attributes for Instant Messaging

| Policy Attribute | Admin Console Label | Attribute Description |
|---|---|---|
| sunIMAllowChat | Ability to Chat | End users can be invited to join chat rooms and access normal chat functionality |
| sunIMAllowChatInvite | Ability to Invite others to Chat | End users can invite others to chat |
| sunIMAllowForumAccess | Ability to Join Conference Rooms | A conference tab shows up in Instant Messenger, allowing end users to join conference rooms |
| sunIMAllowForumManage | Ability to Manage Conference Rooms | End users are able to create, delete, and manage conference rooms |
| sunIMAllowForumModerate | Ability to Moderate Conference Rooms | End users can be conference moderators |
| sunIMAllowAlertsAccess | Ability to Receive Alerts | End users can receive alerts from others |
| sunIMAllowAlertsSend | Ability to Send Alerts | End users can send alerts to others |
| sunIMAllowNewsAccess | Ability to Read News | A News button is displayed in Instant Messenger that enables end users to list news channels in order to receive and send news messages |
| sunIMAllowNewsManage | Ability to Manage News Channels | End users can manage news channels and create, delete, and assign privileges to news channels |
| sunIMAllowFileTransfer | Ability to Exchange Files | End users can add attachments to alert, chat, and news messages |
| sunIMAllowContactListManage | Ability to Manage one’s Contact List | End users can manage their own contact lists; they can add and delete users or groups to and from the list; they can rename the folders in their contact list |
| sunIMAllowUserSettings | Ability to Manage Messenger | A Settings button is displayed in Instant Messenger that enables end users to change their own Instant Messenger settings |
| sunIMAllowPollingAccess | Ability to Receive Polls | End users can receive poll messages from others, and they can respond to polls |
| sunIMAllowPollingSend | Ability to Send Polls | A Poll button is displayed in Instant Messenger that enables end users to send poll messages to others and to receive the responses |
| sunPresenceAllowAccess | Ability to Access other’s Presence | End users can watch the presence status of others. The contact list, in addition to showing the contact, reflects contacts’ presence status changes by changing the status icon |
| sunPresenceAllowPublish | Ability to Publish Presence | End users can click to select their status (online, offline, busy, etc.) for others to watch |
| sunPresenceAllowManage | Ability to Manage Presence Access | An Access tab is displayed in Instant Messenger settings that allows end users to set up their own default presence access, presence permitted, or presence denied list |
An end user can log in to the Access Manager admin console and view the values of the attributes in the Instant Messaging and Presence services. If the attributes have been defined as modifiable, end users can alter them. By default no attributes in the Instant Messaging service are modifiable, nor is it recommended that end users be allowed to modify them. However, from the standpoint of system administration, manipulating attributes directly can be useful.
For example, since roles do not affect some system attributes, such as setting conference subscriptions, system administrators might want to modify the values of these attributes by copying them from another end user (such as from a conference roster) or modifying them directly. These attributes are listed in Table 17–5.
User attributes can be set by end users through the Sun Java System Access Manager admin console. Dynamic attributes are set by the administrator. A value set for a dynamic attribute overrides or is combined with the corresponding user attribute value.
The nature of corresponding dynamic and user attributes influences how conflicting and complementing information is resolved. For example, Conference Subscriptions from two sources (dynamic and user) complement each other, so the subscriptions are merged. Neither attribute overrides the other.
Table 17–5 Access Manager User and Dynamic Attributes for Instant Messaging

| Admin Console Label | User Attribute | Dynamic Attribute | Attribute Description | Conflict Resolution |
|---|---|---|---|---|
| Messenger Settings | sunIMUserProperties | sunIMProperties | Contains all the properties for Instant Messenger and corresponds to the user.properties file in the file-based user properties storage | Merge; if a particular property has a value in both the user and dynamic attribute, the dynamic value overrides. |
| Subscriptions | sunIMUserRoster | sunIMRoster | Contains subscription information (user contact list roster) | Merge; if a Jabber identifier is present in both the user and dynamic attribute, the nickname is taken from the user attribute, the group is the union of all groups from both attributes, and the subscription value is the highest of the user and dynamic values. |
| Conference Subscriptions | sunIMUserConferenceRoster | sunIMConferenceRoster | Contains conference room subscription information | Merge; dynamic and user subscriptions are merged and duplicates are removed. |
| News Channel Subscriptions | sunIMUserNewsRoster | sunIMNewsRoster | Contains news channel subscription information | Merge; dynamic and user subscriptions are merged and duplicates are removed. |
| Presence Agents | sunPresenceEntityDevices | sunPresenceDevices | Not used in this release (for future use) | The dynamic information is used. |
| Privacy | sunPresenceUserPrivacy | sunPresencePrivacy | Corresponds to the privacy setting in Instant Messenger | Merge; the dynamic value is used if there is a conflict. |
| Instant Messenger Preferences | sunIMUserPrivateSettings | sunIMPrivateSettings | Stores private preferences that are not stored in Messenger Settings | Merge. |
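The conflict-resolution rules in Table 17–5 for Messenger Settings, Subscriptions (rosters), and conference and news channel subscriptions are made concrete by the following added example; it is not Access Manager or Instant Messaging code. The data shapes are assumptions: properties are string-to-string dictionaries, a roster is a dictionary keyed by Jabber identifier with nick, groups, and subscription fields, and channel subscriptions are lists of names. The page only says the "highest" subscription value wins, so the ordering none < from = to < both (and preferring the user's value on a tie) is also this example's assumption. The sample rosters and settings are constructed.

```python
from __future__ import annotations

# Assumed ordering of roster subscription states, lowest to highest; the page
# only says the highest value wins. 'to' and 'from' are treated as equal.
SUBSCRIPTION_RANK = {"none": 0, "from": 1, "to": 1, "both": 2}


def merge_properties(user_props: dict[str, str],
                     dynamic_props: dict[str, str]) -> dict[str, str]:
    """Messenger Settings: merge; where both define a property, dynamic wins."""
    merged = dict(user_props)
    merged.update(dynamic_props)
    return merged


def merge_roster(user_roster: dict[str, dict],
                 dynamic_roster: dict[str, dict]) -> dict[str, dict]:
    """Subscriptions: merge by Jabber identifier.

    For an identifier present in both attributes: nickname from the user
    attribute, groups are the union, subscription is the highest-ranked value.
    """
    merged = {}
    for jid in sorted(set(user_roster) | set(dynamic_roster)):
        u, d = user_roster.get(jid), dynamic_roster.get(jid)
        if u is not None and d is not None:
            # max() keeps the first argument on a rank tie, so the user's
            # value is preferred when 'to' meets 'from' (assumption).
            subscription = max(u["subscription"], d["subscription"],
                               key=lambda s: SUBSCRIPTION_RANK[s])
            merged[jid] = {
                "nick": u["nick"],
                "groups": sorted(set(u["groups"]) | set(d["groups"])),
                "subscription": subscription,
            }
        else:
            src = u if u is not None else d
            merged[jid] = {
                "nick": src["nick"],
                "groups": sorted(set(src["groups"])),
                "subscription": src["subscription"],
            }
    return merged


def merge_subscription_lists(user_list, dynamic_list) -> list:
    """Conference and news channel subscriptions: union with duplicates removed.

    Order is preserved with the user's entries first (assumption; the page
    does not state an order).
    """
    merged = []
    for item in list(user_list) + list(dynamic_list):
        if item not in merged:
            merged.append(item)
    return merged


if __name__ == "__main__":
    # Constructed sample data.
    user_roster = {
        "alice@example.com": {"nick": "Al", "groups": ["Friends"], "subscription": "to"},
    }
    dynamic_roster = {
        "alice@example.com": {"nick": "Alice Smith", "groups": ["Staff"], "subscription": "both"},
        "bob@example.com": {"nick": "Bob", "groups": [], "subscription": "from"},
    }
    print(merge_roster(user_roster, dynamic_roster))
    print(merge_properties({"sound": "on", "font": "10"}, {"font": "12"}))
    print(merge_subscription_lists(["room1", "room2"], ["room2", "room3"]))
```

Because the dynamic attribute is applied through a role or organization, an administrator can use these rules to reason about what a role grants before assigning it: a dynamic roster entry can raise a contact's subscription level or add groups, but it never renames a contact the end user has already named.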
Table 17–6 lists and describes the seven example policies and roles that are created in Sun Java System Access Manager when the Instant Messaging service component is installed. You can add end users to different roles according to the access control you want to give them.
A typical site might want to assign the role IM Regular User (a role that receives the default Instant Messaging and Presence access) to end users who simply use Instant Messenger, but have no responsibilities in administering Instant Messaging policies. The same site might assign the role of IM Administrator (a role associated with the ability to administer Instant Messaging and Presence services) to particular end users with full responsibilities in administering Instant Messaging policies. Table 17–7 lists the default assignment of privileges amongst the policy attributes. If an action is not selected in a rule, the values allow and deny are not relevant as the policy then does not affect that attribute.
Table 17–6 Default Policies and Roles for Sun Java System Access Manager

| Policy | Role to Which the Policy Applies | Service to Which the Policy Applies | Policy Description |
|---|---|---|---|
| Default Instant Messaging and presence access | IM Regular User | sunIM, sunPresence | The default access that a regular Instant Messaging end user should have. |
| Ability to administer Instant Messaging and Presence Service | IM Administrator | sunIM, sunPresence | The access that an Instant Messaging Administrator has, which is access to all Instant Messaging features. |
| Ability to manage Instant Messaging news channels | IM News Administrator | sunIM | End users can manage news channels by creating, deleting, etc. |
| Ability to manage Instant Messaging conference rooms | IM Conference Rooms Administrator | sunIM | End users can manage conference rooms by creating, deleting, etc. |
| Ability to change own Instant Messaging user settings | IM Allow User Settings Role | sunIM | End users can edit settings by modifying values in the Settings dialog box in Instant Messenger. |
| Ability to send Instant Messaging alerts | IM Allow Send Alerts Role | sunIM | End users can send alerts in Instant Messenger. |
| Ability to watch changes on other Instant Messaging end users | IM Allow Watch Changes Role | sunIM | End users can access the presence status of other Instant Messaging end users. |
Table 17–7 Default Policy Assignments

Each column after the attribute name is one of the default policies; an empty cell means the action is not selected in that policy's rule.

| Attribute | Default access | Can administer Instant Messaging and Presence Service | Can manage news channels | Can manage conference rooms | Can change own end-user settings | Can send alerts | Can watch changes to other users |
|---|---|---|---|---|---|---|---|
| sunIMAllowChat | allow | allow | | | | | |
| sunIMAllowChatInvite | allow | allow | | | | | |
| sunIMAllowForumAccess | allow | allow | | allow | | | |
| sunIMAllowForumManage | deny | allow | | allow | | | |
| sunIMAllowForumModerate | deny | allow | | allow | | | |
| sunIMAllowAlertsAccess | allow | allow | | | | allow | |
| sunIMAllowAlertsSend | allow | allow | | | | allow | |
| sunIMAllowNewsAccess | allow | allow | allow | | | | |
| sunIMAllowNewsManage | deny | allow | allow | | | | |
| sunIMAllowFileTransfer | allow | allow | | | | | |
| sunIMAllowContactListManage | allow | allow | | | | | |
| sunIMAllowUserSettings | allow | allow | | | allow | | |
| sunIMAllowPollingAccess | allow | allow | | | | | |
| sunIMAllowPollingSend | allow | allow | | | | | |
| sunPresenceAllowManage | allow | allow | | | | | |
| sunPresenceAllowAccess | allow | allow | | | | | allow |
| sunPresenceAllowPublish | allow | allow | | | | | |
You can create new policies to fit the specific needs of your site.
Log in to the Access Manager admin console at http://hostname:port/amconsole.
For example:
http://imserver.company22.example.com:80/amconsole
Select the Identity Management tab.
Select Policies in the View drop down list in the navigation pane (the lower-left frame).
Click New.
The New Policy page appears in the data pane (the lower-right frame).
Select Normal for the Type of Policy.
Enter a policy description in the Name field.
For example:
Ability to Perform IM Task
Click Create.
Access Manager admin console displays the name of the new policy in the policy list in the navigation pane and brings up the Edit page for your new policy.
On the Edit page, select Rules in the View drop down list.
The Rule Name Service Resource panel appears inside the Edit page.
Click Add.
The Add Rule page appears.
Select the Service that applies.
You can select either Instant Messaging Service or Presence Service.
Each service enables you to allow or deny end users the ability to perform specific actions. For example, Ability to Chat is an action specific to the Instant Messaging service while Ability to Access other’s Presence is an action specific to the Presence service.
Enter a description for a rule in the Rule Name field.
For example:
Rule 1
Enter the appropriate Resource Name.
Enter either:
IMResource for Instant Messaging Service
or
PresenceResource for Presence Service
Select the Actions that you want to apply.
Select the Value for each action.
You can select either Allow or Deny.
Click Create.
The proposed rule is displayed in the list of saved rules for that policy.
Click Save.
The proposed rule becomes a saved rule.
Repeat steps 9-16 for any additional rules that you want to apply to that policy.
You can assign policies to a role, group, organization, or user. This includes the default policies or policies that were created after Instant Messaging was installed.
Log in to the Access Manager admin console at http://hostname:port/amconsole.
For example:
http://imserver.company22.example.com:80/amconsole
Select the Identity Management tab.
Select Policies in the View drop down list in the navigation pane (the lower-left frame).
Click the arrow next to the name of the policy you want to assign.
The Edit page for that policy appears in the data pane (the lower-right frame).
On the Edit page, select Subjects in the View drop down list.
Click Add.
The Add Subject page appears, which lists the possible subject types:
Access Manager Roles
LDAP Groups
LDAP Roles
LDAP Users
Organization
Select the subject type that matches the policy.
For example, Organization.
Click Next.
In the Name field, enter a description of the subject.
(Optional) Select the Exclusive check box.
The Exclusive check box is not selected as the default setting, which means that the policy applies to all members of the subject.
Selecting the Exclusive check box applies the policy to everyone who is not a member of the subject.
In the Available field, search for entries that you want to add to your subject.
Type a search for the entries you want to search for.
The default search is *, which displays all the subjects for that subject type.
Click search.
Highlight entries in the Available text box that you want to add to the Selected text box.
Click Add or Add All, whichever applies.
Repeat steps a-d until you have added all the names you want to the Selected text box.
Click Create.
The proposed subject appears in the list of proposed subjects for that policy.
Click Save.
The proposed subject becomes a saved subject.
Repeat steps 6-13 for any additional subjects that you want to add to the policy.
The ability to create suborganizations using Sun Java System Access Manager enables organizationally separate populations to be created within the Instant Messaging server. Each suborganization can be mapped to a different DNS domain. End users in one suborganization are completely isolated from those in another. The following procedure describes minimal steps to create a new suborganization for Instant Messaging.
Log in to the Access Manager admin console at http://hostname:port/amconsole.
For example:
http://imserver.company22.example.com:80/amconsole
Select the Identity Management tab.
Create a new organization:
Select Organizations in the View drop down list in the navigation pane (the lower-left frame).
Click New.
The New Organization page appears in the data pane (the lower-right frame).
Enter a suborganization name.
For example:
sub1
Enter a domain name.
For example:
sub1.company22.example.com
Click Create.
Register services for the newly created suborganization:
Click the name for the new suborganization in the navigation pane.
For example, click sub1. Ensure that you click the name, not the property arrow at the right.
Select Services from the View drop down list in the navigation pane.
Click Register.
The Register Services page appears in the data pane.
Select the following services under the Authentication heading:
Core
LDAP
Select the following services under the Instant Messaging Configuration heading:
Instant Messaging Service
Presence Service
Click Register.
The newly selected services for this suborganization appear in the navigation pane.
Create service templates for the newly selected services:
In the navigation pane, click the property arrow for a service, starting with the Core service.
The Create Service Template page appears in the data pane.
In the data pane, click Create.
A page displaying a list of template options for the service you have selected appears.
You should click Create for each service even when you do not want to modify the template options.
Modify the options for the service template of each service as follows:
Core: Generally, no options need to be modified.
LDAP: Add the prefix of the new suborganization to the DN to Start User Search field.
After adding the prefix, the final DN should be in this format:
o=sub1,dc=company22,dc=example,dc=com
Enter the LDAP password in the Password for Root User Bind and Password for Root User Bind (confirm) fields.
Instant Messaging Service: Generally, no options need to be modified.
Click Save.
Repeat steps a-d until you have created service templates for each service.
After new end users have been created in a suborganization they need to be assigned roles. Roles can be inherited from the parent organization.
Log in to the Access Manager admin console at http://hostname:port/amconsole.
For example:
http://imserver.company22.example.com:80/amconsole
Select the Identity Management tab.
Select Roles in the View drop down list in the navigation pane (the lower-left frame).
Click on the property arrow to the right of the role you wish to assign.
A page for that role appears in the data pane (the lower-right frame).
Select Users from the View drop down list in the data pane.
Click Add.
The Add Users page appears.
Enter a matching pattern to identify users.
For example, in the UserId field an asterisk, *, lists all users.
Click Filter.
The Select User page appears.
On the Select User page, check the Show Parentage Path check box and click Refresh.
The parentage path is displayed.
Select the users to be assigned to this role.
Click Submit.