iPlanet Directory Server Access Management Edition Administration Guide |
Chapter 6 Administration Attributes
The Administration Service consists of global and organization attributes. The values applied to the global attributes are applied across the iPlanet Directory Server Access Management Edition (DSAME) configuration and are inherited by every configured organization. They can not be applied directly to roles or organizations as the goal of global attributes is to customize the DSAME application. Values applied to the organization attributes are default values for each organization configured and can be changed when the service is registered to the organization. The organization attributes are not inherited by entries of the organization. The Administration Attributes are divided into:
Global Attributes
Organization Attributes
Global Attributes
The global attributes in the Administration Service are:
Show People Containers
Display Containers In Menu
Show Group Containers
Managed Group Type
Attribute Uniqueness Enabled
Default Role Permissions (ACIs)
Domain Component Tree Enabled
Admin Groups Enabled
Compliance User Deletion Enabled
Dynamic Admin Roles ACIs
User Profile Service Classes
Show People Containers
This attribute specifies whether to display People Containers in the DSAME console. If this option is selected, the menu choice People Containers displays in the Show menu for Organizations, Containers and Group Containers. People Containers will be seen at the top level only for a flat DIT. People containers are organizational units containing user profiles. It is recommended that you use a single people container in your DIT and leverage the flexibility of roles to manage access and services. The default behavior of the DSAME console is therefore to hide the People Container. However, if you have multiple people containers in your DIT, select Show People Containers to display People Containers as managed objects in the DSAME console.
Display Containers In Menu
This attribute specifies whether to display any containers in the Show menu of the DSAME console. The default value is false. An administrator can optionally choose either:
false (checkbox not selected) Containers are not listed among the choices on the Show menu at the top level for organizations and other containers.
true (checkbox selected) Containers are listed among the choices on the Show menu at the top level and for organizations and other containers.
Show Group Containers
This attribute specifies whether to show Group Containers in the DSAME console. If this option is selected, the menu choice Group Containers displays in the Show menu for organizations, containers, and group containers. Group containers are organizational units for groups.
Managed Group Type
This option specifies whether subscription groups created through the DSAME Console are static or dynamic. The console will either create and display subscription groups that are static or dynamic, not both. (Filtered groups are always supported regardless of the value given to this attribute.) The default value is dynamic.
A static group explicitly lists each group member using the groupOfNames or groupOfUniqueNames object class. The group entry contains a uniqueMember attribute for each member of the group. Members of static groups are added manually; the user entry itself remains unchanged. Static groups are suitable for groups with few members.
A dynamic group uses a memberOf attribute in the entry of each group member. Members of dynamic groups are generated through the use of an LDAP filter which searches for and returns all entries that contain the memberOf attribute with the group's DN as its value. Dynamic groups are suitable for groups that have a very large membership.
A filtered group uses an LDAP filter to search for and return the members that meet the requirement of the filter. For instance, the filter can select members with a specific uid (uid=g*) or email address (email=*@sun.com). In these examples, the LDAP filter would return all users whose uid begins with g or whose email address ends with sun.com, respectively. Filtered groups can only be created within the User Management view by choosing Membership by Filter. See "Managed Groups" for more information.
An administrator can select one of the following:
Dynamic Groups created through the Membership By Subscription option will be dynamic.
Static Groups created through the Membership By Subscription option will be static.
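The three group types store membership in three different places, which matters when you audit who is in a group: a static group is answered from the group entry, a dynamic group from the members' own entries, and a filtered group only by running the filter. The following is an added example, not DSAME code: it resolves membership for one constructed group of each type over an in-memory directory, and models Membership By Subscription writing to either the group or the user depending on the Managed Group Type value. The filter matcher supports only a small subset of LDAP filter syntax, and storing a filtered group's filter in a memberURL attribute is an assumption about representation that this page does not state.

```python
"""Membership resolution for the three DSAME group types.

Added example, not DSAME code: the entries below are constructed, the
filter matcher is a small subset of RFC 4515 (equality, '*' wildcards,
presence, &, |, !), and keeping a filtered group's filter in memberURL is an
assumption about representation, not something this page states."""
import re

ROOT = "o=isp"
PEOPLE = f"ou=People,{ROOT}"
GROUPS = f"ou=Groups,{ROOT}"

# Constructed directory: three users and one group of each type.
ENTRIES = {
    f"uid=gwen,{PEOPLE}": {"uid": ["gwen"], "mail": ["gwen@sun.com"],
                           "memberOf": [f"cn=Dynamic-Staff,{GROUPS}"]},
    f"uid=greg,{PEOPLE}": {"uid": ["greg"], "mail": ["greg@sun.com"],
                           "memberOf": [f"cn=Dynamic-Staff,{GROUPS}"]},
    f"uid=jake,{PEOPLE}": {"uid": ["jake"], "mail": ["jake@example.net"],
                           "memberOf": []},
    # Static: the group entry lists each member in uniqueMember.
    f"cn=Static-Ops,{GROUPS}": {"objectClass": ["groupOfUniqueNames"],
                                "uniqueMember": [f"uid=jake,{PEOPLE}"]},
    # Dynamic: the group entry is only a marker; membership is the memberOf
    # attribute written into each member's own entry.
    f"cn=Dynamic-Staff,{GROUPS}": {"objectClass": ["groupOfUniqueNames"]},
    # Filtered: membership is whatever the LDAP filter returns at query time.
    # The page's examples are (uid=g*) and an address ending in @sun.com; the
    # standard attribute name for the address is mail, which the entries use.
    f"cn=Filtered-G,{GROUPS}": {
        "memberURL": [f"ldap:///{PEOPLE}??sub?(|(uid=g*)(mail=*@sun.com))"]},
}


def parse_filter(text, i=0):
    """Parse the filter starting at text[i] == '('; return (node, next_i)."""
    if text[i] != "(":
        raise ValueError(f"expected '(' at {i} in {text!r}")
    if text[i + 1] in "&|!":
        op, i, kids = text[i + 1], i + 2, []
        while text[i] == "(":
            kid, i = parse_filter(text, i)
            kids.append(kid)
        if text[i] != ")":
            raise ValueError("unbalanced filter")
        return (op, kids), i + 1
    end = text.index(")", i)
    attr, sep, value = text[i + 1:end].partition("=")
    if not sep or not attr:
        raise ValueError(f"unsupported filter item {text[i:end + 1]!r}")
    return ("=", attr.lower(), value), end + 1


def matches(entry, node):
    """Evaluate a parsed filter node against one entry (case-insensitive)."""
    op = node[0]
    if op == "&":
        return all(matches(entry, k) for k in node[1])
    if op == "|":
        return any(matches(entry, k) for k in node[1])
    if op == "!":
        return not matches(entry, node[1][0])
    _, attr, value = node
    vals = next((v for k, v in entry.items() if k.lower() == attr), [])
    if value == "*":                      # presence test
        return bool(vals)
    pattern = ".*".join(re.escape(p) for p in value.split("*"))
    return any(re.fullmatch(pattern, v, re.IGNORECASE) for v in vals)


def static_members(group_dn):
    """Static group: read uniqueMember from the group entry."""
    return sorted(ENTRIES[group_dn].get("uniqueMember", []))


def dynamic_members(group_dn):
    """Dynamic group: find every entry whose memberOf names this group."""
    return sorted(dn for dn, e in ENTRIES.items()
                  if group_dn in e.get("memberOf", []))


def filtered_members(group_dn):
    """Filtered group: run the stored filter under its base DN."""
    url = ENTRIES[group_dn]["memberURL"][0]
    base, _, rest = url[len("ldap:///"):].partition("?")
    filt = rest.split("?", 2)[2]          # "attrs?scope?filter" -> filter
    node, _ = parse_filter(filt)
    return sorted(dn for dn, e in ENTRIES.items()
                  if dn.lower().endswith("," + base.lower()) and matches(e, node))


def subscribe(user_dn, group_dn, managed_group_type="dynamic"):
    """Membership By Subscription: the Managed Group Type attribute decides
    whether the record is written to the group (static) or the user (dynamic)."""
    if managed_group_type == "static":
        ENTRIES[group_dn].setdefault("uniqueMember", []).append(user_dn)
    elif managed_group_type == "dynamic":
        ENTRIES[user_dn].setdefault("memberOf", []).append(group_dn)
    else:
        raise ValueError("Managed Group Type must be 'static' or 'dynamic'")


if __name__ == "__main__":
    for name, resolve in (("Static-Ops", static_members),
                          ("Dynamic-Staff", dynamic_members),
                          ("Filtered-G", filtered_members)):
        print(name, resolve(f"cn={name},{GROUPS}"))
```

Note that `subscribe` never touches the other representation: after switching Managed Group Type, subscriptions recorded under the old setting remain wherever they were written, which is why the console supports one subscription type at a time.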
Note The Managed Group Type option is only available when DSAME is installed using the default mode.
Attribute Uniqueness Enabled
When this attribute is selected as true, attribute uniqueness is enabled and verified for every user creation. The default is false.
Default Role Permissions (ACIs)
This attribute defines a list of default access control instructions (ACIs) or permissions that are used to grant administrator privileges when creating new roles. One of these ACIs is selected depending on the level of privilege desired. DSAME ships with two default role permissions:
Organization Help Desk Admin
The Organization Help Desk Administrator has read access to all entries in the configured organization and write access to the userPassword attribute. As described, the write grant is scoped to the organization rather than to ordinary user entries only; unless you narrow the ACI, assume a holder of this role can reset the password of any entry in the organization, administrators included.
Organization Admin
The Organization Administrator has read and write access to all entries in the configured organization.
Domain Component Tree Enabled
The Domain Component tree (DC tree) is an iPlanet-specific DIT structure used by many iPlanet components to map between DNS names and organizations' entries. When this option is enabled, the DC tree entry for an organization is created, provided that the DNS name of the organization is entered at the time the organization is created. The DNS name field will appear in the Organization Create page. This option is only applicable to top-level organizations, and will not be displayed for suborganizations.
Any status change made to the inetdomainstatus attribute through the DSAME SDK in the organization tree will update the corresponding DC tree entry status. (Status updates that are not made through the DSAME SDK are not synchronized.) For example, if a new organization, sun, is created with the DNS name attribute sun.com, the following entry will be created in the DC tree:
- dc=sun,dc=com,o=internet,<root suffix>
The DC tree may optionally have its own root suffix configured by setting com.iplanet.am.domaincomponent in AMCONFIG.properties. By default, this is set to the DSAME root suffix. If a different suffix is desired, that suffix must be created using LDAP commands, and the ACIs for administrators that create organizations must be modified so that they have unrestricted access to the new DC tree root.
Admin Groups Enabled
This option specifies whether to create the DomainAdministrators and DomainHelpDeskAdministrators groups. If selected (true), these groups are created and associated with the Organization Admin Role and Organization Help Desk Admin Role, respectively. Once created, adding or removing a user to one of these associated roles automatically adds or removes the user from the corresponding group. This behavior, however, does not work in reverse: adding or removing a user to one of these groups will not add or remove the user in the associated role. The DomainAdministrators and DomainHelpDeskAdministrators groups are only created in organizations that are created after this option is enabled.
Compliance User Deletion Enabled
This option specifies whether a user's entry is removed from the directory or only marked as deleted. When this option is selected (true) and a user is deleted, the user's entry still exists in the directory but is marked as deleted. User entries that are marked for deletion are not returned by Directory Server searches. If this option is not selected, the user's entry is removed from the directory.
Dynamic Admin Roles ACIs
This attribute defines the access control instructions for the administrator roles that are created dynamically when a group, organization, container or people container is configured using DSAME. These roles are used for granting administrative privileges for the specific grouping of entries created. The default ACIs can be modified only under this attribute listing.
Top-level Admin
The Top-level Administrator has read and write access to all entries in the top level organization. In other words, this Top-level Admin role has privileges for every configuration principal within the DSAME application.
Organization Admin
The Organization Administrator has read and write access to all entries in an organization. When an organization is created, the Organization Admin role is automatically generated with the necessary privileges to manage the organization.
Organization Help Desk Admin
The Organization Help Desk Administrator has read access to all entries in an organization and write access to the userPassword attribute.
Note When a sub-organization is created, remember that the administration roles are created in the sub-organization, not in the parent organization.
Container Admin
The Container Admin role has read and write access to all entries in an LDAP organizational unit. In DSAME, the LDAP organizational unit is often referred to as a container.
Container Help Desk Admin
The Container Help Desk Admin role has read access to all entries in an organizational unit and write access to the userPassword attribute in user entries only in this organizational unit.
Group Admin
The Group Administrator has read and write access to all members of a specific group, and can create new users, assign users to the groups they manage, and delete the users that they have created. When a group is created, the Group Administrator role is automatically generated with the necessary privileges to manage the group. The role is not automatically assigned to a group member. It must be assigned by the group's creator, or anyone that has access to the Group Administrator Role.
People Container Admin
By default, any user entry in a newly created organization is a member of that organization's People Container. The People Container Administrator has read and write access to all entries in the organization's People Container. Keep in mind that this role DOES NOT have read and write access to the attributes that contain role and group DNs; therefore, it cannot modify the attributes of, or remove a user from, a role or a group.
User Profile Service Classes
This attribute lists the services that will have a custom display in the User Profile page. The default display generated by the Administration Console may not be sufficient for some services. This attribute creates a custom display for any service, giving full control over what and how the service information is displayed. The syntax is as follows:
Organization Attributes
The organization attributes in the Administration Service are:
Groups Default People Container
Groups People Container List
Display User's Roles
User Profile Display Class
Display User's Groups
User Group Self Subscription
User Profile Display Options
User Creation Default Roles
View Menu Entries
Maximum Results Returned From Search
Timeout For Search (sec.)
JSP Directory Name
Online Help Documents
Required Services
User Search Key
User Search Return Attribute
User Creation Notification List
User Deletion Notification List
User Modification Notification List
Unique Attribute List
Groups Default People Container
This field specifies the default People Container where users will be placed when they are created. There is no default value. A valid value is the DN of a people container. See the note under Groups People Container List attribute for the People Container fallback order.
Groups People Container List
This field specifies a list of People Containers from which a Group Administrator can choose when creating a new user. This list can be used if there are multiple People Containers in the directory tree. (If no People Containers are specified in this list or in the Groups Default People Container field, users are created in the default DSAME people container, ou=people.) There is no default value for this field. The syntax for this attribute is as follows:
- <group name>|<dn of people container>
For a Group Administrator to have access to the relevant People Container, this attribute must be set before creating the group.
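The following added example (not DSAME code) parses the `<group name>|<dn of people container>` syntax and resolves where a Group Administrator's new user lands, applying the fallback the page describes: the container listed for the group, then Groups Default People Container, then ou=People under the organization. Two things in it are assumptions rather than statements from the page: that a group-specific entry takes precedence over the organization default, and the added safeguard that rejects a container DN lying outside the organization, which would otherwise let a Group Administrator create users in a subtree the organization's ACIs were never written for.

```python
"""Resolve the People Container for a user created by a Group Administrator.

Added example, not DSAME code. Parses the documented
'<group name>|<dn of people container>' syntax and applies the fallback
order: group entry -> Groups Default People Container -> ou=People,<org>.
Group entry winning over the organization default is an assumption; the
inside-the-organization check is an added safeguard, not page behaviour."""


def parse_container_list(values):
    """Return {group name (lower-cased): people container DN}.

    Malformed entries (missing '|', empty group or DN) are rejected rather
    than silently mapping a group to a bogus container."""
    mapping = {}
    for raw in values:
        group, sep, dn = raw.partition("|")
        group, dn = group.strip(), dn.strip()
        if not sep or not group or not dn:
            raise ValueError(f"malformed Groups People Container List entry: {raw!r}")
        mapping[group.lower()] = dn
    return mapping


def _inside(dn, org_dn):
    """True when dn is a proper descendant of org_dn (case-insensitive DNs)."""
    return dn.lower().endswith("," + org_dn.lower())


def people_container_for(group_name, org_dn, container_list=(), default_container=None):
    """Container a Group Administrator of group_name creates users in."""
    mapping = parse_container_list(container_list)
    candidate = (mapping.get(group_name.lower())
                 or default_container
                 or f"ou=People,{org_dn}")
    if not _inside(candidate, org_dn):
        # Added check: refuse containers outside the organization.
        raise ValueError(f"{candidate} is outside organization {org_dn}")
    return candidate


if __name__ == "__main__":
    # Constructed configuration for one organization.
    org = "o=sun,o=isp"
    plist = ["Sales|ou=SalesPeople,o=sun,o=isp", "Eng|ou=EngPeople,o=sun,o=isp"]
    print(people_container_for("Sales", org, plist))
    print(people_container_for("Marketing", org, plist, "ou=Staff,o=sun,o=isp"))
    print(people_container_for("Marketing", org, plist))
```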
Display User's Roles
This option specifies whether to display a list of roles assigned to a user as part of their user profile page. If the value is false (not selected), the user profile page shows the user's roles only for administrators. The default value is false.
User Profile Display Class
This attribute specifies the java class used by the Administration Console when it displays the User Profile pages.
Display User's Groups
This option specifies whether to display a list of groups assigned to a user as part of their user profile page. If the value is false (not selected), the user profile page shows the user's groups only for administrators. The default value is false.
User Group Self Subscription
This option specifies whether users can add themselves to groups that are open to subscription. If the value is false, the user profile page allows the user's group membership to be modified only by an administrator. The default value is false.
Note This option applies only when the Display User's Groups option is selected.
User Profile Display Options
This menu specifies which service attributes will be displayed in the user profile page. An administrator can select from the following:
UserOnly Display viewable User schema attributes for services assigned to the user.
Combined Display viewable User and Dynamic schema attributes for services assigned to the user.
- User service attribute values are viewable by the user when the attribute contains the keyword Display. See the iPlanet Directory Server Access Management Edition Programmer's Guide for details.
User Creation Default Roles
This listing defines roles that will be assigned to newly created users automatically. There is no default value. An administrator can input the DN of one or more roles.
Note This field only takes a full Distinguished Name address, not a role name.
View Menu Entries
This field lists the Java classes of services that will be displayed in the View menu at the top of the DSAME console. The syntax is i18N key | java class name. (The i18N key is used for the localized name of the entry in the View menu.)
Maximum Results Returned From Search
This field defines the maximum number of results returned from a search. The default value is 100.
Do not set this value above 500; a search requesting a larger limit is refused.
Timeout For Search (sec.)
This field defines the amount of time (in number of seconds) that a search will continue before timing out. It is used to stop potentially long searches. After the maximum search time is reached, an error is returned. The default is 5 seconds.
JSP Directory Name
This field specifies the name of the directory that contains the .jsp files used to construct the Administration Console, to give an organization a different appearance (customization). The .jsp files need to be copied into the directory that is specified in this field.
Online Help Documents
This field lists the online help links that will be created on the main DSAME help page. This allows other applications to add their online help links to the DSAME page. The format for this attribute is as follows:
- linki18nkey | html page to load when clicked | i18n properties file
For example:
- DSAME Help | /dpAdminHelp.html | amAdminModuleMsgs
Required Services
This field lists the services that are dynamically added to users' entries when they are created. Administrators can choose which services are added at the time of creation. This attribute is not used by the console, but by the DSAME SDK: users that are created dynamically are assigned the services listed in this attribute.
User Search Key
This attribute defines the attribute name that is searched when performing a simple search in the Navigation page. The default value for this attribute is cn. For example, if this attribute uses the default and you enter j* in the Name field in the Navigation frame, users whose name begins with "j" or "J" will be displayed.
User Search Return Attribute
This attribute defines the attribute name used when displaying the users returned from a simple search. The default of this attribute is cn, and the full name of the user will be displayed.
User Creation Notification List
This field defines a list of email addresses that will be sent notification when a new user is created.
User Deletion Notification List
This field defines a list of email addresses that will be sent notification when a user is deleted.
User Modification Notification List
This field defines a list of attributes and email addresses associated with the attribute. When a user modification occurs on an attribute defined in the list, the email address associated with the attribute will be sent notification. Each attribute can have a different set of addresses associated to it.
Note The attribute name is the same as it appears in the Directory Server schema, and not as the display name in the Administration Console.
Unique Attribute List
This attribute is a list of attributes defined in the iPlanet Directory Server schema. When the Attribute Uniqueness Enabled attribute is selected as true, each parent organization of the user that is being created is checked to see if the Unique Attribute List attribute is configured. If it is configured, a search is executed starting from that organization for the entire subtree, to determine if any users exist with any of the attribute values contained in the list. If such an entry exists, an error is returned. If such an entry does not exist, the next suborganization is checked. Once all suborganizations have been checked, the user is created.
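The walk described above is easy to misread, so here it is as an added example (not DSAME code) over a constructed in-memory directory. The constructed `uniqueAttributeList` key on an organization entry stands in for that organization's Unique Attribute List configuration (how DSAME stores it is not shown on this page), and the `enabled` flag stands in for Attribute Uniqueness Enabled. The three cases in the test show the consequences worth knowing: an attribute listed at the root is enforced across every organization; an attribute listed only in a suborganization is not checked in sibling organizations; and an organization with no list configured contributes no check at all, even when a duplicate already sits under it.

```python
"""Walk-up uniqueness check described under Unique Attribute List.

Added example, not DSAME code. The directory is an in-memory dict; the
constructed 'uniqueAttributeList' key on an organization entry stands in for
that organization's Unique Attribute List, and 'enabled' stands in for the
Attribute Uniqueness Enabled global attribute."""

ROOT = "o=isp"

DIRECTORY = {
    ROOT: {"uniqueAttributeList": ["mail"]},           # mail unique everywhere
    f"o=sun,{ROOT}": {"uniqueAttributeList": ["uid", "employeeNumber"]},
    f"o=eng,o=sun,{ROOT}": {},                           # nothing configured here
    f"o=acme,{ROOT}": {},                                # no list configured
    f"uid=alice,ou=People,o=sun,{ROOT}":
        {"uid": ["alice"], "mail": ["alice@sun.com"], "employeeNumber": ["1001"]},
    f"uid=bob,ou=People,o=eng,o=sun,{ROOT}":
        {"uid": ["bob"], "mail": ["bob@sun.com"], "employeeNumber": ["1002"]},
    f"uid=carol,ou=People,o=acme,{ROOT}":
        {"uid": ["alice"], "mail": ["carol@acme.com"]},   # duplicate uid, no check
}


def parent_orgs(dn):
    """Organization entries above dn, top-most first: the order in which the
    check proceeds (root organization, then each suborganization down to the
    one that will hold the new user)."""
    rdns = dn.split(",")
    found = []
    for i in range(1, len(rdns)):
        ancestor = ",".join(rdns[i:])
        if rdns[i].lower().startswith("o=") and ancestor in DIRECTORY:
            found.append(ancestor)
    return found[::-1]


def subtree(base):
    """Every entry at or below base (the 'entire subtree' search)."""
    return [(dn, e) for dn, e in DIRECTORY.items()
            if dn == base or dn.endswith("," + base)]


def uniqueness_conflict(new_dn, new_attrs, enabled=True):
    """Return (organization, attribute, existing_dn) for the first clash,
    or None when the user may be created."""
    if not enabled:
        return None
    for org in parent_orgs(new_dn):
        unique = DIRECTORY[org].get("uniqueAttributeList", [])
        if not unique:
            continue                      # no list here: nothing to check
        for dn, entry in subtree(org):
            if dn == new_dn:
                continue
            for attr in unique:
                wanted = {v.lower() for v in new_attrs.get(attr, [])}
                if wanted & {v.lower() for v in entry.get(attr, [])}:
                    return org, attr, dn
    return None


def create_user(new_dn, new_attrs, enabled=True):
    """Run the check, then add the entry. Search-then-add is not atomic."""
    clash = uniqueness_conflict(new_dn, new_attrs, enabled)
    if clash:
        org, attr, dn = clash
        raise ValueError(f"{attr} not unique under {org}: already used by {dn}")
    DIRECTORY[new_dn] = dict(new_attrs)
    return new_dn


if __name__ == "__main__":
    print(uniqueness_conflict(f"uid=dave,ou=People,o=eng,o=sun,{ROOT}",
                              {"uid": ["alice"], "mail": ["dave@sun.com"]}))
    print(uniqueness_conflict(f"uid=erin,ou=People,o=acme,{ROOT}",
                              {"uid": ["alice"], "mail": ["erin@acme.com"]}))
```

Because the check is a search followed by a separate add, two user creations that race each other can both pass the search and both be written; the page describes only the search. Where the directory server itself offers attribute-uniqueness enforcement, configure it as well and treat this attribute as the console-side convenience check it is.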
Copyright © 2002 Sun Microsystems, Inc. All rights reserved.
Last Updated May 09, 2002