iPlanet Directory Server Access Management Edition Administration Guide



Chapter 4   User Management


This chapter describes the user management features of iPlanet Directory Server Access Management Edition (DSAME). The User Management interface provides a way to view, manage and configure all DSAME objects and identities. This chapter contains the following sections:



The User Management Interface

There are two types of user management views. Depending on the roles held by the user who logs in, that user is given either the User Management View or the User Profile View.


User Management View

When a user with an administrative role authenticates to the DSAME, their default view is the User Management View. In this view the administrator can perform all user-based administrative tasks. This can include, but is not limited to, creating objects and identities, configuring services and assigning policies.

Figure 4-1    User Management View with Organization Properties Displayed



User Profile View

When a user without an administrative role authenticates to the DSAME, the default view is their own User Profile. In this view the user can modify the values of the attributes particular to their personal profile. This can include, but is not limited to, name, home address and password. The attributes displayed in the User Profile View can be extended. For more information on adding customized attributes for objects and identities, see the iPlanet Directory Server Access Management Edition Programmer's Guide.

Figure 4-2    User Profile View




Managing DSAME Objects



The User Management interface contains all the components needed to view and manage the DSAME objects (organization, configured enterprise organizations and their corresponding groups, roles, users, policies and containers). This section explains the object types and details on how to configure them.


Organizations

This object represents the top level of a hierarchical structure used by an enterprise to manage its departments and resources. Upon installation, DSAME dynamically creates a top-level organization (default o=isp) to manage the DSAME enterprise configurations. Additional organizations can be created after installation to manage separate enterprises. All created organizations fall beneath the top-level organization.


Create an Organization

  1. Choose Organizations from the Show menu in User Management.

    All created organizations display in the navigation pane.

  2. Click New in the navigation pane.

    The Create Organization template displays in the data pane.

  3. Enter a value for the name of the Organization in the New Organization template.

  4. Choose a status of active or inactive.

    The default is active. This can be changed at any time during the life of the organization by selecting the Properties icon. Choosing inactive disables login to the organization.

  5. Click Create.

    The new organization displays in the navigation pane.


Delete an Organization

  1. Choose Organizations from the Show menu in User Management.

    All created organizations display in the navigation pane.

  2. Select the checkbox next to the name of the Organization to be deleted.

  3. Click Delete.



    Note There is no warning message when performing a delete. All entries within the organization will be deleted.




Containers

The container entry is used when, due to object class and attribute differences, it is not possible to use an organization entry. It is important to remember that the DSAME container entry and the DSAME organization entry are not necessarily equivalent to the LDAP object classes organizationalUnit and organization. They are abstract DSAME entries. Ideally, the organization entry will be used instead of the container entry.


Create a Container

  1. Navigate to the navigation pane of the Organization or Container where the new Container will be created.

    Use the Show menu in the navigation pane and the Location path in the location pane.

  2. Click New.

    A Container template displays in the data pane.

  3. Enter the name of the Container to be created.

  4. Click Create.


Delete a Container

  1. Navigate to the navigation pane of the Organization or Container which contains the Container to be deleted.

    Use the Show menu in the navigation pane and the Location path in the location pane.

  2. Choose Containers from the Show menu.

  3. Select the checkbox next to the name of the Container to be deleted.

  4. Click Delete.



    Note Deleting a container will delete all objects that exist in that Container. This includes all objects and sub Containers.




People Containers

A People Container is the default LDAP organizational unit to which all users are assigned when they are created within an organization. People Containers can be found at the organization level and at the People Container level as a sub People Container. They can only contain other People Containers and users. Additional People Containers can be added into the organization, if desired.



Note The display of People Containers is optional. To view People Containers you must select Show People Containers in the DSAME Administration service. For more information, see "Show People Containers".




Create a People Container

  1. Navigate to the navigation pane of the Organization or People Container where the new People Container will be created.

    Use the Show menu in the navigation pane and the Location path in the location pane.

  2. Click New.

    A People Container template displays in the data pane.

  3. Enter the name of the People Container to be created.

  4. Click Create.


Delete a People Container

  1. Navigate to the navigation pane of the organization or People Container which contains the People Container to be deleted.

    Use the Show menu in the navigation pane and the Location path in the location pane.

  2. Choose People Containers from the Show menu.

  3. Select the checkbox next to the name of the People Container to be deleted.

  4. Click Delete.



    Note Deleting a People Container will delete all objects that exist in that People Container. This includes all users and sub People Containers.




Group Containers

A Group Container is used to manage groups. It can only contain groups and other group containers. The group container Groups is dynamically assigned as the parent entry for all managed groups. Additional group containers can be added, if desired.


Create a Group Container

  1. Navigate to the navigation pane of the Organization or the Group Container which contains the Group Container to be created.

    Use the Show menu in the navigation pane and the Location path in the location pane.

  2. Choose Group Containers from the Show menu.

    The default Groups was created during the organization's creation.

  3. Click New.

  4. Type a value in the Name field and click Create.

    The new Group Container displays in the navigation pane.


Delete a Group Container

  1. Navigate to the navigation pane of the Organization which contains the Group Container to be deleted.

    Use the Show menu in the navigation pane and the Location path in the location pane.

  2. Choose Group Containers from the Show menu.

    The default Groups and all created Group Containers display in the navigation pane.

  3. Select the checkbox next to the Group Container to be deleted.

  4. Click Delete Selected.


Roles

This grouping represents a selection of privileged operations. By applying the role to a user or a service, the principal is allowed to perform those operations. For example, by confining certain privileges to an Employee role or a Manager role and applying the role to a user, the user's access is confined to the privileges granted by that role.


Create a Role

  1. Navigate to the navigation pane of the Organization where the role will be created.

    Choose Organizations from the Show menu in User Management and select the organization from the navigation pane. The Location path displays the default top-level organization and chosen organization.

  2. Choose Roles from the Show menu.

    The default roles created when an organization is configured display in the navigation pane:

    • Organization Admin Role

    • Organization Help Desk Admin Role

    • People Admin

    For descriptions of these roles, see "Dynamic Admin Roles ACIs" of the Attribute Reference section.

  3. Click New in the navigation pane.

    The Create Role template appears in the data pane.

  4. Enter a name for the role.

  5. Enter a description of the role.

  6. Choose the role type from the Type menu.

    The role can be either an Administrative role or a Service role. The role type is used by the DSAME console to determine where to start the user in the DIT. An administrative role notifies the console that the possessor of the role has administrative privileges; the service role notifies the console that the possessor is an end user.

  7. Choose a default set of ACIs to apply to the role from the Access Permission menu.

    The default ACIs are permissions to access entries within the organization. They are discussed in the section "Default Role Permissions (ACIs)". No permissions can also be chosen. (The default ACIs shown are in no particular order.)

  8. Click Create.


Delete a Role

  1. Navigate to the organization that contains the role for deletion.

    Choose Organizations from the Show menu in User Management and select the organization from the navigation pane. The Location path displays the default top-level organization and chosen organization.

  2. Choose Roles from the Show menu.

  3. Select the checkbox next to the name of the role.

  4. Click Delete.


Add Users to a Role

  1. Navigate to the Organization that contains the role to modify.

    Choose Organizations from the Show menu in User Management and select the organization from the navigation pane. The Location path displays the default top-level organization and chosen organization.

  2. Choose Roles from the Show menu.

  3. Select the role to modify.

  4. Choose Users from the Show menu.

  5. Click Add.

    A search window appears in the data pane.

  6. Enter a user id.

    Search criteria can also be entered (including first name, last name or active/inactive) if specific user id information is not available.

  7. Choose the users from the names returned by selecting the checkbox next to the user name.

  8. Click Save.


Remove Users from a Role

  1. Navigate to the Organization that contains the role to modify.

    Choose Organizations from the Show menu in User Management and select the organization from the navigation pane. The Location path displays the default top-level organization and chosen organization.

  2. Choose Roles from the Show menu.

  3. Select the role to modify.

  4. Choose Users from the Show menu.

  5. Select the checkbox of the users for removal.

  6. Click Delete.


Services

Activating a service for an organization is a two-step process. In the first step you register the service with the organization. After a service is registered, a template configured specifically for that organization must be created. For additional information, see Chapter 2 "Service Management."



Note A new service must first be imported into the DSAME through the command line's amadmin. Information on importing a service's XML schema can be found in the iPlanet Directory Server Access Management Edition Programmer's Guide.




Register a Service

  1. Navigate to the Organization where you will add services.

    Choose Organizations from the Show menu in User Management and select the organization from the navigation pane. The Location path displays the default top-level organization and chosen organization.

  2. Choose Services from the Show menu.

  3. Click Register.

    The data pane will display a list of services available to register to this organization.

  4. Select the checkbox next to the services to be added.

  5. Click Register.


Create a Template for a Service

  1. Navigate to the organization or role where the registered service exists.

    Choose Organizations from the Show menu in User Management and select the organization from the navigation pane. The Location path displays the default top-level organization and chosen organization.

  2. Choose Services from the Show menu.

  3. Click the properties icon next to the name of the service to be activated.

    The data pane displays the message No Template Available For This Service.

  4. Click Create.

    The data pane displays the default attributes and values for this service.

  5. Accept or modify the default values and click Save.

    A template is created for this service for the parent organization or role.


Unregister a Service

  1. Navigate to the organization where you will remove services.

    Choose Organizations from the Show menu in User Management and select the organization from the navigation pane. The Location path displays the default top-level organization and chosen organization.

  2. Choose Services from the Show menu.

  3. Select the checkboxes for the services to remove.

  4. Click Unregister.


Policies

Policies define rules to help protect an organization's web resources. They can be assigned to organizations and roles only. Policies cannot be created, deleted or viewed in User Management; they can only be assigned. See Chapter 3 "Policy Management" for information on how to configure policies.


Assign a Policy

  1. Navigate to the Organization or Role where the policy will be added.

    Use the Show menu in the navigation pane and the Location path in the location pane.

  2. Choose Policies in the Show menu.

  3. Click Assign.

    A list of registered policies displays in the data pane.

  4. Select the checkbox for the policy to assign.

  5. Click Assign.


Unassign a Policy

  1. Navigate to the organization or role where the policy exists.

    Use the Show menu in the navigation pane and the Location path in the location pane.

  2. Choose Policies in the Show menu.

  3. Select the checkbox next to the policy to be deleted.

  4. Click Unassign.



    Note These procedures assign and unassign policy from roles and organizations; they do not delete the policy. In order to delete a named policy from the DSAME, navigate to Policy Management, select the named policy's checkbox and click Delete.




Users

Users represent the identity of a person. They are created within an organization's default People Container. If Show People Containers in the Administration service of the organization is disabled, users are visible at the organization level. If Show People Containers is enabled, users are visible within the organization's default People Container. (People Containers are discussed in "People Containers" earlier in this chapter.)


Create a User

  1. Navigate to the Organization or People Container where the user should be created.

    Use the Show menu in the navigation pane and the Location path in the location pane.

  2. Choose Users from the Show menu.

  3. Click New.

  4. Enter values for the required attributes and any optional fields.

    Information on the user profile attributes can be found in "User Profile Attributes".

  5. Click Create.


Delete a User

  1. Navigate to the Organization or People Container where the user exists.

    Use the Show menu in the navigation pane and the Location path in the location pane.

  2. Choose Users from the Show menu.

  3. Select the checkbox next to the name of the user to be deleted.

  4. Click Delete.


Managed Groups

This grouping represents a collection of users with a common function, feature or interest. Typically, this grouping has no privileges associated with it. They can exist at two levels, within an organization and within other managed groups as a sub group. Users can be added to Managed Groups either statically or dynamically (filtered).

Membership By Subscription. A group created by subscription is built according to the option chosen in Managed Group Type. If the Managed Group Type value is static, group members are added to a group entry using the groupOfNames or groupOfUniqueNames object class. If the Managed Group Type value is dynamic, an LDAP filter is used to search for and return only user entries that contain the memberof attribute.

Membership By Filter. A filtered group is one that is created through the use of an LDAP filter. All entries are funneled through the filter and dynamically assigned to the group. The filter looks for a given attribute in each entry and returns the entries that contain it.


Create a Managed Group

  1. Navigate to the Organization or Managed Group where the group will be created.

    Use the Show menu in the navigation pane and the Location path in the location pane. Managed groups are listed underneath Group Containers.

  2. Choose Managed Groups from the Show menu.

  3. Click New.

  4. Select the group type from within the data pane.

    1. If a static subscription group is to be created, select Membership By Subscription.

      1. Enter a name for the group in the Name field.

      2. Add users to the group by selecting Add.

        Adding users to the group is optional. They can be added after the group is created.

      3. Enter a user id to search for a user entry or configure an LDAP filter.

      4. Choose the users from the names returned by selecting the checkbox next to the user name and clicking Create.

      5. Select Users Can Subscribe to this Group to allow users to subscribe to the group themselves.

      6. Click Create.

    2. If a dynamic (LDAP filtered) group is to be created, select Membership By Filter and click Save.

      1. Enter a name for the group in the Name field.

      2. Construct the LDAP search filter.

        The fields used to construct the filter use either an OR or AND operator. All the fields listed in the UI are used. If a field is left blank it will match all possible entries for that particular attribute.

      3. Click Create.
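The two membership models described above (a static subscription group holding member DNs in a groupOfUniqueNames entry, and a dynamic group whose members are whatever an LDAP filter returns) can be illustrated with a small in-memory model. The following is an added example, not DSAME code: the directory entries, DNs and attribute values are constructed, and the filter builder applies the rule from step 2 of the filtered-group procedure (fields joined by AND or OR, blank fields matching everything). The filter evaluator supports only the common subset of filter syntax (&, |, !, equality, presence and * wildcards).

```python
"""Managed-group membership: static (subscription) versus dynamic (LDAP filter).

Added example, not DSAME code. DIRECTORY is a constructed stand-in for a
People Container; the DNs and attribute values are made up.
"""
import re

# Constructed sample user entries: dn -> attributes (multi-valued, as in LDAP).
DIRECTORY = {
    "uid=alice,ou=People,o=example,o=isp": {
        "objectclass": ["inetOrgPerson"], "uid": ["alice"],
        "sn": ["Adams"], "departmentnumber": ["eng"], "l": ["Dublin"]},
    "uid=bob,ou=People,o=example,o=isp": {
        "objectclass": ["inetOrgPerson"], "uid": ["bob"],
        "sn": ["Baker"], "departmentnumber": ["sales"], "l": ["Dublin"]},
    "uid=carol,ou=People,o=example,o=isp": {
        "objectclass": ["inetOrgPerson"], "uid": ["carol"],
        "sn": ["Cole"], "departmentnumber": ["eng"], "l": ["Boston"]},
}

# --- Membership By Subscription (static): explicit member list in the group entry ---
STATIC_GROUP = {
    "dn": "cn=eng-leads,ou=Groups,o=example,o=isp",   # constructed
    "objectclass": ["groupOfUniqueNames"],
    "uniquemember": ["uid=alice,ou=People,o=example,o=isp"],
}


def is_static_member(group, dn):
    """Static membership is simply presence of the user's DN in the group entry."""
    return dn in group["uniquemember"]


def subscribe(group, dn):
    """A user self-subscribing (Users Can Subscribe to this Group) adds their DN."""
    if dn not in group["uniquemember"]:
        group["uniquemember"].append(dn)
    return group


# --- Membership By Filter (dynamic): members are whatever the filter matches ---
def build_filter(fields, operator="AND"):
    """Join UI fields into an LDAP filter. Blank fields match all possible
    entries for that attribute, so they are left out of the filter."""
    clauses = [f"({attr}={val})" for attr, val in fields.items() if val.strip()]
    if not clauses:
        return "(objectclass=*)"          # nothing constrained: every entry matches
    if len(clauses) == 1:
        return clauses[0]
    return f"({'&' if operator == 'AND' else '|'}{''.join(clauses)})"


def parse_filter(text):
    """Parse a subset of LDAP filter syntax into a tree of tuples."""
    def parse(i):
        if text[i] != "(":
            raise ValueError(f"expected '(' at {i}")
        i += 1
        if text[i] in "&|":
            op, i, children = text[i], i + 1, []
            while text[i] == "(":
                node, i = parse(i)
                children.append(node)
            return (op, children), i + 1           # skip closing ')'
        if text[i] == "!":
            node, i = parse(i + 1)
            return ("!", [node]), i + 1
        end = text.index(")", i)
        attr, _, val = text[i:end].partition("=")
        return ("=", attr.lower(), val), end + 1
    node, i = parse(0)
    if i != len(text):
        raise ValueError("trailing data after filter")
    return node


def matches(node, entry):
    """Evaluate a parsed filter against one entry's attributes."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, val = node
    values = entry.get(attr, [])
    if val == "*":                                  # presence test
        return bool(values)
    pattern = "^" + ".*".join(re.escape(p) for p in val.split("*")) + "$"
    return any(re.match(pattern, v, re.IGNORECASE) for v in values)


def dynamic_members(filter_text, directory=DIRECTORY):
    """Members of a filtered group: every entry the filter returns, sorted by DN."""
    node = parse_filter(filter_text)
    return sorted(dn for dn, attrs in directory.items() if matches(node, attrs))
```

Note the contrast the example makes visible: the static group's membership changes only when an entry is edited or a user subscribes, while `dynamic_members` re-evaluates on every call, so adding a third "eng" user to the directory changes the filtered group without touching any group entry.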


Delete a Managed Group

  1. Navigate to the Organization or Managed Group where the group exists.

    Use the Show menu in the navigation pane and the Location path in the location pane. Managed groups are listed underneath Group Containers.

  2. Choose Managed Groups from the Show menu.

  3. Select the checkbox next to the name of the group to be deleted.

  4. Click Delete.



Role Profile View

A Role Based Profile allows for customizing the services available to a role, and the access level for the service attributes, on a per-role basis. Using a Role Based Profile, an administrator can customize the Service and End User pages, and create service administrators who only have access to specific services. For example, an administrator can deny write access to one or more attributes in the user services for a given role, and a user possessing this role will not be able to modify these attributes. A policy administrator role can be created by granting access to all policy services, but denying access to other services. An administrator possessing the policy administrator role will then be able to create and assign policies, but will be prevented from performing user management tasks.

To display the Role Profile page, click on the Properties button associated with a given role in the Show Roles page, as shown in Figure 4-3.

Figure 4-3    Role Profile View


Customize Service Access

  1. In the Role Profile page, click Edit in the Services listing. The Service Access page is displayed, as shown in Figure 4-4.

  2. Choose a service that is to be granted to the role by clicking on the service name in the Display column. By default, a role has access to all services.

  3. Click Save.



    Note When access to a service is denied (not checked), the service will not be displayed in the Console for the user possessing the role. Additionally, it is not possible to register or unregister a user, assign the service to a user, or create, delete, view or modify the Service template.



Figure 4-4    Service Access Page



Customize Attribute Access

  1. In the Role Profile page, click Edit in the Service Attribute listing. The Attribute Access page is displayed, as shown in Figure 4-5.

  2. Use the Jump menu to display the attributes for a particular service.

  3. Assign an access level to an attribute by selecting the Read/Write or Read Only check boxes.

  4. Click Save.



    Note If neither the Read/Write nor the Read Only option is selected for a given attribute, read and write access to that attribute is denied.



Figure 4-5    Attribute Access Page

For more information on specific Service attributes, see Part 2 of this manual, the Attribute Reference Guide.
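The rules stated in the two procedures above (a role sees all services unless one is unchecked; a denied service and its template are not reachable at all; an attribute is Read/Write, Read Only, or, with neither box checked, denied) combine into a small access model. The following is an added example written for this guide, not DSAME code: the service and attribute names are constructed, and the policy-administrator profile reproduces the scenario described under Role Profile View.

```python
"""Role Based Profile: per-role service access and attribute access levels.

Added example modelling the rules on the Service Access and Attribute Access
pages; not DSAME code. Service and attribute names are constructed.
"""
from enum import Enum


class Access(Enum):
    NONE = 0          # neither Read/Write nor Read Only checked: read and write denied
    READ_ONLY = 1
    READ_WRITE = 2


class RoleProfile:
    """Service and attribute access as configured on the Role Profile pages."""

    def __init__(self, name, all_services):
        self.name = name
        self.all_services = set(all_services)
        self.granted = set(all_services)   # by default a role has access to all services
        self.attribute_access = {}         # (service, attribute) -> Access

    # --- Customize Service Access ---
    def deny_service(self, service):
        """Uncheck the service: it is no longer displayed for this role."""
        self.granted.discard(service)

    def grant_service(self, service):
        if service in self.all_services:
            self.granted.add(service)

    def visible_services(self):
        """Services shown in the Console to a user possessing this role."""
        return sorted(self.granted)

    # --- Customize Attribute Access ---
    def set_attribute_access(self, service, attribute, level):
        self.attribute_access[(service, attribute)] = level

    def access_level(self, service, attribute):
        if service not in self.granted:
            return Access.NONE             # a denied service hides all of its attributes
        # neither check box selected -> denied, per the note on the Attribute Access page
        return self.attribute_access.get((service, attribute), Access.NONE)

    def can_read(self, service, attribute):
        return self.access_level(service, attribute) is not Access.NONE

    def can_write(self, service, attribute):
        return self.access_level(service, attribute) is Access.READ_WRITE

    def render_view(self, service, attributes):
        """What the End User page shows: readable attributes, flagged if editable."""
        return {name: {"value": value, "editable": self.can_write(service, name)}
                for name, value in attributes.items() if self.can_read(service, name)}

    def rejected_updates(self, service, changes):
        """Names of attributes in a submitted update the role is not allowed to write."""
        return sorted(name for name in changes if not self.can_write(service, name))


def policy_admin_profile():
    """The policy administrator of the text: policy service granted, all others denied."""
    services = ["policyConfig", "userProfile", "sessionService"]   # constructed names
    profile = RoleProfile("Policy Administrator", services)
    profile.deny_service("userProfile")
    profile.deny_service("sessionService")
    profile.set_attribute_access("policyConfig", "allowedUrls", Access.READ_WRITE)
    profile.set_attribute_access("policyConfig", "policyName", Access.READ_ONLY)
    return profile
```

The important edge in this model is that an attribute-level grant on a denied service has no effect: `access_level` checks the service first, so setting Read/Write on an attribute of `userProfile` still yields `Access.NONE` for the policy administrator, matching the note that a denied service cannot be viewed, assigned or have its template modified.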



Properties Function



To view or modify an entry's properties, click the arrow next to the object's name. Its attributes and corresponding values are displayed in the data pane. Different objects display different properties.

  • Organizations properties allow status modification between active and inactive.

  • Role properties include role and permission descriptions and the services registered to the role. ACI details can be viewed by selecting Show Access Permissions.

  • User properties include, but are not limited to, basic user information such as first name, last name, home address, telephone number and password.

  • The only configurable Group attribute, aside from the naming attribute, is whether users are allowed to subscribe themselves to the group.

  • Containers do not have any configurable attributes excepting the naming attribute.

  • Policy properties are a listing of the URLs being affected by the policy.

  • Service properties include any of the attributes listed in Part 2, "Attribute Reference Guide", depending on the service.

See the iPlanet Directory Server Access Management Edition Programmer's Guide for information on how to extend an entry's properties.


Copyright © 2002 Sun Microsystems, Inc. All rights reserved.

Last Updated May 09, 2002