Sun OpenSSO Enterprise 8.0 Administration Guide

Procedure: To Create a Dynamic Role

  1. Go to the organization where the Role will be created.

  2. Click the Roles tab.

    A set of default roles is created when an organization is configured and is displayed in the Roles list. The default roles are:

    Container Help Desk Admin. The Container Help Desk Admin role has read access to all entries in an organizational unit (container) and write access only to the userPassword attribute of the user entries in that container.

    Organization Help Desk Admin. The Organization Help Desk Administrator has read access to all entries in an organization and write access only to the userPassword attribute.


    Note –

    When a sub organization is created, remember that the administration roles are created in the sub organization, not in the parent organization.


    Container Admin. The Container Admin role has read and write access to all entries in an LDAP organizational unit. In OpenSSO Enterprise, the LDAP organizational unit is often referred to as a container.

    Organization Policy Admin. The Organization Policy Administrator has read and write access to all policies, and can create, assign, modify, and delete all policies within that organization.

    People Admin. By default, any user entry in a newly created organization is a member of that organization. The People Administrator has read and write access to all user entries in the organization. Keep in mind that this role does NOT have read and write access to the attributes that contain role and group DNs; therefore, a People Administrator cannot modify those attributes, or remove a user from a role or a group.


    Note –

    Other containers can be configured with OpenSSO Enterprise to hold user entries, group entries, or even other containers. To apply an administrator role to a container created after the organization has already been configured, use the default Container Admin or Container Help Desk Admin role.


    Group Admin. The Group Administrator role created when a group is created has read and write access to all members of that specific group, and can create new users, assign users to the groups it manages, and delete the users that it has created.

    When a group is created, the Group Administrator role is automatically generated with the privileges necessary to manage the group. The role is not automatically assigned to a group member. It must be assigned by the group's creator, or by anyone who has access to the Group Administrator role.

    Top-level Admin. The Top-level Administrator has read and write access to all entries in the top-level organization. In other words, this Top-level Admin role has privileges for every configuration principal within the OpenSSO Enterprise application.

    Organization Admin. The Organization Administrator has read and write access to all entries in an organization. When an organization is created, the Organization Admin role is automatically generated with the necessary privileges to manage the organization.

  3. Click the New Dynamic button.

  4. Enter a name for the role.

  5. Enter a description for the role.

  6. Choose the role type from the Type menu.

    The role can be either an Administrative role or a Service role. The console uses the role type to determine where to start the user in the OpenSSO Enterprise console. An Administrative role tells the console that the holder of the role has administrative privileges; a Service role tells the console that the holder is an end user. The type affects only how the console treats the user; the actual access rights come from the Access Permission chosen in the next step.

  7. Choose a default set of permissions to apply to the role from the Access Permission menu. The permissions provide access to entries within the organization. The default permissions shown are in no particular order. The permissions are:

    No permissions

    No permissions are to be set on the role.

    Organization Admin

    The Organization Administrator has read and write access to all entries in the configured organization.

    Organization Help Desk Admin

    The Organization Help Desk Administrator has read access to all entries in the configured organization and write access to the userPassword attribute.

    Organization Policy Admin

    The Organization Policy Administrator has read and write access to all policies in the organization. The Organization Policy Administrator cannot create a referral policy to a peer organization.

    Generally, the No Permissions ACI is assigned to Service roles, while Administrative roles are assigned any of the default ACIs.

  8. Enter the information for the search criteria. The fields are:

    Match

    Specifies how the fields you fill in are combined into the filter. ALL returns only users that match all of the specified fields. ANY returns users that match any one of the specified fields.

    First Name

    Search for users by their first name.

    User ID

    Search for a user by User ID.

    Last Name

    Search for users by their last name.

    Full Name

    Search for users by their full name.

    User Status

    Search for users by their status (active or inactive).

  9. Click OK to run the search with the filter criteria. The users that match the filter are automatically assigned to the role. Before choosing an administrative Access Permission, verify that the filter matches only the intended users, because every matching user receives the role's permissions.
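The membership of a dynamic role is computed from an LDAP filter built out of the Match setting and the search fields above. The following added example (not OpenSSO's own code or part of this guide) builds that filter, previews which users it would capture, and flags the two mistakes that matter once an administrative Access Permission is attached: a filter that matches every user, and one that sweeps in inactive accounts. It also escapes the characters that would let a field value change the structure of the filter. The mapping from console fields to LDAP attributes (givenName, uid, sn, cn, inetUserStatus), the function names, and the sample user entries are assumptions made for the example.

```python
import re

# Assumed mapping from the console's search fields to LDAP attributes
# (an assumption for this example; check the user schema of your deployment).
FIELD_TO_ATTR = {
    "First Name": "givenName",
    "User ID": "uid",
    "Last Name": "sn",
    "Full Name": "cn",
    "User Status": "inetUserStatus",
}


def escape_filter_value(value, allow_wildcards=False):
    """Escape characters that alter filter structure (RFC 4515 \\xx form).
    '*' is left alone only when the caller explicitly wants wildcards."""
    out = []
    for ch in value:
        if ch in "()\\\x00" or (ch == "*" and not allow_wildcards):
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_role_filter(match, criteria, allow_wildcards=False):
    """match is 'ALL' (every field must match) or 'ANY' (one field suffices).
    Blank fields are ignored, as an empty console field would be."""
    terms = []
    for field_name, value in criteria.items():
        if not value:
            continue
        attr = FIELD_TO_ATTR[field_name]
        terms.append("(%s=%s)" % (attr, escape_filter_value(value, allow_wildcards)))
    if not terms:
        raise ValueError("no criteria given; such a role would match every user")
    if len(terms) == 1:
        return terms[0]
    return "(%s%s)" % ({"ALL": "&", "ANY": "|"}[match], "".join(terms))


def _parse(filt, pos=0):
    """Tiny recursive-descent parser for the subset used here: &, | and attr=value."""
    if filt[pos] != "(":
        raise ValueError("expected '(' at %d" % pos)
    pos += 1
    if filt[pos] in "&|":
        op, pos, children = filt[pos], pos + 1, []
        while filt[pos] == "(":
            child, pos = _parse(filt, pos)
            children.append(child)
        if filt[pos] != ")":
            raise ValueError("expected ')' at %d" % pos)
        return (op, children), pos + 1
    end = filt.index(")", pos)          # escaped ')' never appears literally
    attr, value = filt[pos:end].split("=", 1)
    return ("=", attr, value), end + 1


def _value_regex(value):
    """Turn an assertion value into a regex: an unescaped '*' is a wildcard,
    '\\xx' sequences are literal characters, matching is case-insensitive."""
    pieces = []
    for chunk in value.split("*"):
        literal = re.sub(r"\\([0-9a-fA-F]{2})",
                         lambda m: chr(int(m.group(1), 16)), chunk)
        pieces.append(re.escape(literal))
    return re.compile("^" + ".*".join(pieces) + "$", re.IGNORECASE | re.DOTALL)


def _matches(node, entry):
    if node[0] == "&":
        return all(_matches(c, entry) for c in node[1])
    if node[0] == "|":
        return any(_matches(c, entry) for c in node[1])
    _, attr, value = node
    return _value_regex(value).match(entry.get(attr, "")) is not None


def role_members(filt, entries):
    """uids of the entries the filter would pull into the dynamic role."""
    tree, end = _parse(filt)
    if end != len(filt):
        raise ValueError("trailing data after filter")
    return [e["uid"] for e in entries if _matches(tree, e)]


def preview_role(match, criteria, access_permission, entries, allow_wildcards=False):
    """Build the filter, list who it captures, and warn when an administrative
    permission would reach every user or an inactive account."""
    filt = build_role_filter(match, criteria, allow_wildcards)
    uids = role_members(filt, entries)
    warnings = []
    if access_permission != "No permissions":
        if len(uids) == len(entries):
            warnings.append("%s would be granted to every user" % access_permission)
        inactive = [e["uid"] for e in entries
                    if e["uid"] in uids and e.get("inetUserStatus", "").lower() == "inactive"]
        if inactive:
            warnings.append("inactive accounts would hold %s: %s"
                            % (access_permission, ", ".join(inactive)))
    return filt, uids, warnings


# Constructed sample entries standing in for the organization's user container.
SAMPLE_USERS = [
    {"uid": "asmith", "givenName": "Alice", "sn": "Smith", "cn": "Alice Smith", "inetUserStatus": "Active"},
    {"uid": "bsmith", "givenName": "Bob", "sn": "Smith", "cn": "Bob Smith", "inetUserStatus": "Inactive"},
    {"uid": "cjones", "givenName": "Carol", "sn": "Jones", "cn": "Carol Jones", "inetUserStatus": "Active"},
]

if __name__ == "__main__":
    for args in [("ALL", {"Last Name": "Smith", "User Status": "Active"}, "Organization Help Desk Admin"),
                 ("ANY", {"Last Name": "Smith"}, "Organization Admin"),
                 ("ANY", {"User ID": "*"}, "Organization Admin")]:
        print(preview_role(*args, SAMPLE_USERS, allow_wildcards=True))
```

The third case in the usage loop is the one to watch for: a lone `*` in User ID with ANY builds `(uid=*)`, which hands Organization Admin to every account in the organization, including the inactive one. Escaping is on by default, so a value such as `x)(uid=*` cannot splice a second assertion into the filter; it is matched as a literal user ID and captures nobody.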