This section describes how to use Access Manager to provision users and how to configure archiving for Instant Messaging. Access Manager enables you to create roles and policies and apply them to users to define their access rights. Previously, this guide described how easy it is to assign a user to a given role. In this section, you examine policy and role creation by defining a new Instant Messaging policy.
In The Instant Messaging Demo, you learned that access and privacy filters can be used by end users to block Instant Messaging traffic or presence updates from certain individuals. Additional flexibility can be obtained by deploying filters that perform text conversion or block certain payloads that contain viruses. For example, an administrator can create a filter that blocks or converts obscene words in an instant messaging conversation. Other uses include text translation, rich text to plain text conversion, or domain level blocking. Sun Java System Instant Messaging provides a Message Conversion API that developers can use to create more complex filters that can be applied to the Instant Messaging Server. Learn more about API level filtering from the Instant Messaging product documentation (http://docs.sun.com/app/docs/coll/1309.3).
In this task, you perform feature-level access control, a powerful tool that enables or disables client functionality. You create a new instant messaging role and corresponding policy that limits the instant messaging functionality to the basic features. Users assigned to this new role are not able to join conference rooms, send polls, or perform any of the other advanced instant messaging tasks.
Access Manager uses the Instant Messaging Service and the Presence Service to manage the Instant Messaging policy. The Instant Messaging Service contains the policy rules for communicating with others, as well as the ability to chat, exchange files, join conferences, send alerts, and more. The Presence Service contains the policy rules for determining the ability of users to share their presence with others, as well as to access, manage, or publish one's presence.
Start Access Manager in a different web browser from the one you are using for the Portal Server desktop and Communications Express, so that the two sessions do not share cookies.
For example, http://wireless.map.beta.com/amconsole.
If you are using Internet Explorer for the Portal Server desktop and Communications Express, start Mozilla or Firefox.
Log in as user amadmin with the password adminpass.
In the top level organization (o=isp), choose Roles from the View drop-down menu in the left pane of the Access Manager console.
Click New to create a new role.
Select Static Role, type IM Limited User in the Name field, and click Next.
Define the following:
Description: Limited access role
Type of Role: Service
Access Permissions: Organization Administrator
Click Finish to create the role.
Now that you have created this new role, create policies that apply to this role.
Click the Service Configuration tab to add the appropriate Subject Type.
You will use the Subject Type to define a subject for the new policy you will create later.
In the left pane, click the property arrow beside Policy Configuration.
In the right pane, scroll down until you see a list of Selected Policy Subjects. In Selected Policy Subjects, choose all the available subjects, then click Save.
Click the Identity Management tab.
Choose Services from the View drop-down menu in the left pane.
Click the property arrow beside Policy Configuration.
Verify that all Selected Policy Subjects are selected.
In the top level organization (o=isp), choose Policies from the View drop-down menu in the left pane of the Access Manager console.
Click New to create a new policy.
Choose Rules from the View drop-down menu in the right pane of the Access Manager console.
Click the New button to define rules for this policy.
Select Instant Messaging Service for the Rule Type and click Next.
Type IMLimitedRule for the Rule Name.
Type IMResource for the Resource Name.
Select all Action check boxes.
Click the Deny radio button for the following Actions:
Ability to Exchange Files
Ability to Join Conference Rooms
Ability to Manage Conference Rooms
Ability to Manage News Channels
Ability to Moderate Conference Rooms
Ability to Read News
Ability to Send Alerts
Ability to Send Polls
You have successfully created an Instant Messaging Service rule for this policy.
Click New to define another rule for this policy.
Select Presence Service for the Rule Type and click Next.
Type PresenceLimitedRule for the Rule Name.
Type PresenceResource for the Resource Name.
Select all Action check boxes, but do not click any Deny radio buttons.
All Actions are allowed.
You have successfully created a Presence Service rule for this policy.
Choose Subjects from the View drop-down menu in the right pane of the Access Manager console.
Click New to define the mapping between policies and roles.
Ensure that the Subject Type is Access Manager Roles and click Next.
If "Access Manager Roles" is not an available Subject Type, restart Web Server and retry this step.
Type IM Limited User in the Name field, then click Search to search through the list of available Access Manager Roles.
Find the role isp > IM Limited User, highlight this role, and click Add.
Click the IM Limited User checkbox, then click Save.
The new roles and policies have been created. Next you assign Tina to this new Role and note the effect on her Instant Messaging client.
Choose Roles from the View drop-down menu in the left pane of the Access Manager console.
Click on the properties arrow to the right of the IM Limited User role.
The IM Limited User pane appears.
In the right pane, choose Users from the View drop-down menu.
Click Add on the right pane.
Type Tina in the User ID field and click Next.
Select the check box next to Tina's name and click the Finish button.
You have assigned Tina the Instant Messaging Limited User Role, so she has limited access to Instant Messaging.
Choose Organizations from the View drop-down menu in the left pane of the Access Manager console.
Click the link of the organization where user tina exists, for example map.beta.com.
Choose Services from the View drop-down menu in the left pane of the Access Manager console.
Click on the properties arrow to the right of the Policy Configuration service.
The Policy Configuration pane appears.
In the right pane, type the LDAP Bind Password in the appropriate text entry boxes. (For example, type adminpass.) Then click Save.
Launch the Instant Messenger client, then log in as tina.
Duncan initially has kathy and robert in his Instant Messaging buddy list; the user tina has not yet been added. You can click the Start button from the same Instant Messenger window you used to start kathy. When you start Tina's Instant Messenger, notice that her window offers very limited Instant Messaging functionality. This is feature-level provisioning: you define roles and the policies that apply to them, and changing the policy adds or removes functionality in the client itself. You can experiment with changing the policy and restarting Tina's client to observe the effect. You can also assign the role to other users and observe its effect when you start Instant Messaging as those users.
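The following is an added example, not code from the evaluation guide or from Access Manager itself. It models the feature-level provisioning procedure above: the two rules of the new policy (IMLimitedRule denying the eight listed actions, PresenceLimitedRule allowing everything), the mapping of that policy to the IM Limited User role, and the evaluation that decides which client features a user ends up with. The action names other than the eight denied ones, the "IM Full User" role and its baseline policy, and the combining semantics (a Deny from any applicable policy wins, and an action no applicable policy addresses is denied) are assumptions of this model. Its point is that a user who holds both a broad role and the limited role still loses the denied features, which is why assigning Tina the limited role restricts her client even if she already had a role granting full access.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "Allow"
    DENY = "Deny"


# Instant Messaging Service actions. The eight denied in the procedure and
# "Ability to Chat" come from the guide; treat the list as a model, not as the
# exact action set of the Instant Messaging Service.
IM_ACTIONS = (
    "Ability to Chat",
    "Ability to Exchange Files",
    "Ability to Join Conference Rooms",
    "Ability to Manage Conference Rooms",
    "Ability to Manage News Channels",
    "Ability to Moderate Conference Rooms",
    "Ability to Read News",
    "Ability to Send Alerts",
    "Ability to Send Polls",
)
# Constructed from the Presence Service description (access, manage, publish).
PRESENCE_ACTIONS = (
    "Ability to Access Presence",
    "Ability to Manage Presence",
    "Ability to Publish Presence",
)
LIMITED_DENIED = frozenset(IM_ACTIONS[1:])  # the eight actions denied in the procedure


@dataclass
class Rule:
    service: str
    name: str
    resource: str
    actions: dict  # action -> Decision; an action not in the dict is not addressed


@dataclass
class Policy:
    name: str
    rules: list
    subject_roles: set  # Access Manager roles the policy's Subject names


def decide(user_roles, policies, service, action):
    """Deny-overrides combining (modelling assumption): one Deny from any
    applicable policy wins; an action no applicable rule addresses is denied."""
    outcome = None
    for policy in policies:
        if not policy.subject_roles & set(user_roles):
            continue  # the subject does not match, so this policy does not apply
        for rule in policy.rules:
            if rule.service != service or action not in rule.actions:
                continue
            if rule.actions[action] is Decision.DENY:
                return Decision.DENY
            outcome = Decision.ALLOW
    return outcome or Decision.DENY


def effective_features(user_roles, policies, service, all_actions):
    """Actions of one service that the client should enable for these roles."""
    return sorted(a for a in all_actions
                  if decide(user_roles, policies, service, a) is Decision.ALLOW)


IM_LIMITED_POLICY = Policy(
    name="IM Limited Policy",
    rules=[
        Rule("Instant Messaging Service", "IMLimitedRule", "IMResource",
             {a: (Decision.DENY if a in LIMITED_DENIED else Decision.ALLOW)
              for a in IM_ACTIONS}),
        Rule("Presence Service", "PresenceLimitedRule", "PresenceResource",
             {a: Decision.ALLOW for a in PRESENCE_ACTIONS}),
    ],
    subject_roles={"IM Limited User"},
)

# Constructed baseline: stands in for whatever policy grants ordinary users full access.
IM_FULL_POLICY = Policy(
    name="IM Full Policy (constructed)",
    rules=[
        Rule("Instant Messaging Service", "IMFullRule", "IMResource",
             {a: Decision.ALLOW for a in IM_ACTIONS}),
        Rule("Presence Service", "PresenceFullRule", "PresenceResource",
             {a: Decision.ALLOW for a in PRESENCE_ACTIONS}),
    ],
    subject_roles={"IM Full User"},
)
POLICIES = [IM_FULL_POLICY, IM_LIMITED_POLICY]


def client_features(user_roles):
    """Feature set per service for a user holding the given roles."""
    return {
        "im": effective_features(user_roles, POLICIES, "Instant Messaging Service", IM_ACTIONS),
        "presence": effective_features(user_roles, POLICIES, "Presence Service", PRESENCE_ACTIONS),
    }


if __name__ == "__main__":
    # duncan keeps only the constructed full-access role; tina has it plus IM Limited User
    for user, roles in {"duncan": {"IM Full User"},
                        "tina": {"IM Full User", "IM Limited User"}}.items():
        print(user, client_features(roles))
```

Running the block shows duncan with all nine Instant Messaging actions and tina with only "Ability to Chat", while both keep every Presence action. If the limited role is removed from tina and her client restarted, the model (like the console) returns her to the full set.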
The Sun Java Communications Suite provides the following two ways to archive chat sessions:
Archive provider API. Using this API, developers can extend the archive capability.
Portal Server search database or Message Store. Without changing any capabilities, you can archive chat sessions in Portal Server's search database or in Messaging Server's Message Store.
By default, the single host deployment example, on which this evaluation guide is based, uses the Message Store to archive chat sessions. By viewing Duncan's inbox, you can see that he has several messages that contain the chat conversations he had with Kathy and others.
The single host deployment example, on which this evaluation guide is based, does not include the Portal Server as an installation component. To change the archive store from the Message Store to the Portal Server search database requires that the Portal Server first be installed. Installation of the Portal Server is beyond the scope of this evaluation. However, if you install the Portal Server, you can change the archive store to the Portal Server search database to archive chat sessions by doing the following:
Edit the /etc/opt/SUNWiim/default/config/iim.conf file and set the following parameter:
iim_server.msg_archive.provider = "com.iplanet.im.server.IMPSArchive"
Restart the Instant Messaging server.
Perform a poll, or a chat, to generate some Instant Messaging data. For information about performing a poll or a chat, see The Instant Messaging Demo.
Click the Search tab from within Duncan's Portal Server desktop.
In the Find field, type a key word such as poll or a word from the chat, and click Search.
The results of the search are displayed. Note that the poll results look like actual final poll results, not extraneous data points. Also, the entire conversation is returned, not just the sentence containing the keyword.
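As an added example (not part of the evaluation guide or of the Instant Messaging product), the following Python helper performs the iim.conf edit from the procedure above without leaving the file in an ambiguous state: it replaces an existing iim_server.msg_archive.provider assignment in place, removes any later duplicate of that key so only one assignment remains, appends the line if the key is absent, writes a .bak copy first, and reads the value back so you can confirm it before restarting the Instant Messaging server. The parameter name and the com.iplanet.im.server.IMPSArchive value come from the page; the sample configuration text is constructed with placeholder keys and is not a real iim.conf.

```python
import re
import shutil
from pathlib import Path

ARCHIVE_KEY = "iim_server.msg_archive.provider"
PORTAL_ARCHIVE_PROVIDER = "com.iplanet.im.server.IMPSArchive"  # value given in the guide

# Constructed excerpt with placeholder keys; not a real iim.conf.
SAMPLE_IIM_CONF = """\
example.setting.one = "unchanged"
iim_server.msg_archive.provider = "EXISTING_PROVIDER_PLACEHOLDER"
example.setting.two = "also unchanged"
"""


def _assignment_pattern(key):
    # Matches an active `key = ...` line; `.` in the key is escaped so a key that
    # merely shares a prefix (key.extra = ...) does not match.
    return re.compile(r"^[ \t]*" + re.escape(key) + r"[ \t]*=")


def set_conf_param(text, key, value):
    """Return the conf text with exactly one `key = "value"` assignment.

    The first existing assignment is replaced in place (keeping file order and
    surrounding lines); later duplicates are dropped; if absent, it is appended.
    """
    active = _assignment_pattern(key)
    new_line = f'{key} = "{value}"'
    out, replaced = [], False
    for line in text.splitlines():
        if active.match(line):
            if not replaced:
                out.append(new_line)
                replaced = True
            continue  # duplicate assignment dropped
        out.append(line)
    if not replaced:
        out.append(new_line)
    return "\n".join(out) + "\n"


def get_conf_param(text, key):
    """Return the (unquoted) value of the first active assignment of key, or None."""
    pattern = re.compile(r"^[ \t]*" + re.escape(key) +
                         r"[ \t]*=[ \t]*\"?([^\"\n]*?)\"?[ \t]*$")
    for line in text.splitlines():
        m = pattern.match(line)
        if m:
            return m.group(1)
    return None


def switch_archive_provider(conf_path, provider=PORTAL_ARCHIVE_PROVIDER):
    """Back up conf_path, set the archive provider, and return the value read back."""
    path = Path(conf_path)
    shutil.copy2(path, path.with_name(path.name + ".bak"))
    path.write_text(set_conf_param(path.read_text(), ARCHIVE_KEY, provider))
    return get_conf_param(path.read_text(), ARCHIVE_KEY)


if __name__ == "__main__":
    # Dry run on the constructed sample; on a real host you would call
    # switch_archive_provider("/etc/opt/SUNWiim/default/config/iim.conf") instead.
    print(set_conf_param(SAMPLE_IIM_CONF, ARCHIVE_KEY, PORTAL_ARCHIVE_PROVIDER))
```

Reading the value back after the write is the check worth keeping: a restart after a mistyped provider class name is the kind of failure that only shows up in the server log, whereas the read-back tells you immediately that the file says what you meant.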