
Sun Java System Directory Editor 1 2004Q4 Installation and Configuration Guide 

Chapter 7
Configuring Directory Editor

Use the information provided in this chapter to configure your Directory Editor application to control user access to applications and application components, and to define relative distinguished name (RDN) configurations. This chapter is organized as follows:


Controlling User Access

Authentication and Authorization are terms used to describe methodologies for controlling access to applications or application components.

To understand authorization, you must understand the terms role, principal, and accessible components, which are described in the following sections:

Understanding Roles

A role describes a user's function within the enterprise hosting Directory Editor. For example, your organization may have CEO, help desk administrator, and janitor roles.

Roles determine which parts of Directory Editor you can interact with. By default, Directory Editor is pre-configured with two roles, Manager and Default.

Directory Editor enables you to add roles that support interactions appropriate for your enterprise. For example, you might want to define a role that allows users to edit directory data but does not allow them to access the Configure tab.

Every role is associated with a set of principals that assume the role (see the next section, Understanding Principals). For Directory Editor, there is a single group in the directory server (called the Manager Group) that serves as the principal corresponding to the Manager role.

You use the Managed Directory page to specify the Manager Group at configuration time (also available after configuration by selecting Configure > Managed Directory). So, if you have a particular user that should have full access to all Directory Editor functions, make that user's DN a member of the Manager Group.

Understanding Principals

A principal represents an entity (such as an individual, corporation, or login ID). The term subject is used to describe entities (typically human users). Subjects can be represented by multiple, differing principals — just as people can be represented by their credit card number to banks and by their UNIX account name to system administrators. The credit card numbers and UNIX account names are principals in this case.

Because Directory Editor is focused on directory data management, its principals are all represented using directory objects: person entries, groups, and roles.

A user entering a DN in the log-in page can be represented by several different principals, depending on the data in the directory. For example, if the user’s account ID happens to be a member of a specific group, that user will be represented by the account ID’s DN and by the DN of the group to which the DN belongs.

In Directory Editor, objects representing the user (or subject) are stored in the HTTP session. After the user enters an account ID and a password on the Directory Editor's log-in page, Directory Editor populates the subject with all of the various principals (person entries, groups, and roles) associated with that account ID.

Understanding Accessible Components

Accessible components are the set of internal Directory Editor components that users can access. Users may not know they are interacting with certain accessible components; consequently, administrators must understand which components are required to complete certain tasks.

Currently, all accessible components are either actions or views.
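The role, principal and accessible-component model described above, as an added Python illustration (not Directory Editor's own code). The group DNs, role definitions and resource names are constructed for the example; as in the guide, only groups serve as principals and the Manager role's principal is the Manager Group.

```python
# Added illustration of the role / principal / accessible-component model
# described above. Not Directory Editor code: the group DNs, role definitions
# and resource names are constructed for the example.
from dataclasses import dataclass

# Constructed directory content: group DN -> set of member DNs.
GROUPS = {
    "cn=Manager Group,ou=Groups,dc=example,dc=com": {
        "uid=admin,ou=People,dc=example,dc=com"},
    "cn=Help Desk,ou=Groups,dc=example,dc=com": {
        "uid=mmiller,ou=People,dc=example,dc=com"},
}


@dataclass
class Role:
    name: str
    principals: set   # DNs of the groups that assume this role
    resources: set    # accessible components (actions or views) the role may use


# Constructed roles. The Manager role's only principal is the Manager Group,
# as the guide describes; the resource names are illustrative.
ROLES = [
    Role("Manager", {"cn=Manager Group,ou=Groups,dc=example,dc=com"},
         {"view:Configure", "action:EditEntry", "view:Debug"}),
    Role("Help Desk Administrators", {"cn=Help Desk,ou=Groups,dc=example,dc=com"},
         {"action:EditEntry", "view:Debug"}),
]


def build_subject(user_dn):
    """Populate the subject for a login DN: the entry's own DN plus every group
    it belongs to (the principals the log-in page stores in the HTTP session)."""
    principals = {user_dn}
    for group_dn, members in GROUPS.items():
        if user_dn in members:
            principals.add(group_dn)
    return principals


def can_access(subject, resource):
    """True only if some role assumed by one of the subject's principals lists
    the resource; an unknown resource or an unmatched principal is denied."""
    return any(resource in role.resources
               for role in ROLES if role.principals & subject)


def check(user_dn, resource):
    return can_access(build_subject(user_dn), resource)
```

A user who is in no group assumes no role and is denied every component, which is the default-deny behaviour an administrator should expect before principals are assigned.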

The rest of this section provides instructions for defining, editing, and deleting roles. The section is organized as follows:

Accessing the Authorization Page

To open the Authorization page, select the Configure tab and then select the Authorization tab. The Authorization page is displayed as follows:

Figure 7-1  Authorization Page

Use the Authorization page to create, edit, and remove roles.

This page consists of the following features:

Defining Directory Editor Roles

Before you can define new Directory Editor roles for your enterprise, you must decide which tasks a common set of users must perform. For example, all of your help desk administrators must have write access to directory data.

After you have identified these tasks, use the following steps to create a new role:

  1. Select Configure > Authorization.
  2. When the Authorization page is displayed (see Figure 7-1), click the Create Role button.
  3. On the Create Role page, enter a meaningful name into the Role Name text box. For example, Help Desk Administrators.

    Figure 7-2  Role Properties Tab
    Creating a new role

  4. Select the Principals tab and use the Principals selection tool to specify the set of principals you want to assume the new role.

    Note

    At this time, you can only assign groups as principals.

    Figure 7-3  Principals Tab
    Use the Principals selection tool to specify principals for the new role.

    • You can select one or more principals from the Principals list and click the button to move them to the Principals Who Assume This Role list. (Press your Shift key and click on items in the list to select multiple principals.)
    • Click the button to move all principals to the Principals Who Assume This Role list.
    • Click the button to move all principals from the Principals Who Assume This Role list back to the Principals list.
    • Select principals from the Principals Who Assume This Role list and click the button to move them back to the Principals list.
    • For example, you might assign the Directory Administrators group to this role.

  5. Select the Accessible Resources tab (Figure 7-4) to specify the set of components that can be accessed by the new role.

    Note

    For a complete list of available resources, including their type, category, and a description, see Appendix B, "Resources for Role Configuration."

    Figure 7-4  Accessible Resources Tab
    Use the Resources selection tool to specify resources that can be accessed by the new role.

    • Select one or more resources from the Resources list and click the button to move them to the Resources Accessible By This Role list. (Press your Shift key and click on items in the list to select multiple resources.)
    • Click the button to move all resources to the Resources Accessible By This Role list.
    • Click the button to move all resources from the Resources Accessible By This Role list back to the Resources list.
    • Select resources from the Resources Accessible By This Role list and click the button to move them back to the Resources list.
    • For example, for a Help Desk Administrator, you might want to assign all the Debug-related resources to this role.

  6. Click Save to save the new role and to add it to the Roles table (or click Cancel to return to the Authorization page without saving your changes). Figure 7-5 shows the updated Roles table.

    Figure 7-5  New Role Added to the Roles Table
    Example results: Adding a new role to the Roles table.

Editing Roles

To edit selected authorization roles, use the following steps:

  1. Select Configure > Authorization.
  2. When the Authorization page is displayed, click the checkbox located next to the role you want to edit.

    Figure 7-6  Click the Checkbox
    Enable the checkbox to identify the role you want to edit.

  3. Click the Edit Selected Roles button to open the Edit Roles page.

    Figure 7-7  Edit Role Page
    Use the Edit Roles page to edit the role properties, principals, or accessible resources.

  4. The process for editing a role is the same as the process you used to create it. Review the instructions provided in Defining Directory Editor Roles if necessary.
  5. When you are finished, click Save (or click Cancel to return to the Authorization page without saving your changes).

Deleting Roles


Note

You cannot delete the Manager or the Default roles.


To delete selected authorization roles, use the following steps:

  1. Select Configure > Authorization.
  2. When the Authorization page is displayed, enable the checkbox(es) located next to the role(s) you want to delete.

    Figure 7-8  Click the Checkbox
    Enable the checkbox to identify which role(s) you want to delete.

  3. Click the Delete Selected Role(s) button. Directory Editor immediately removes the selected role(s) from the Roles table.


Working with Naming Attributes

This section provides instructions for defining, editing, and deleting naming attributes. The section is organized as follows:

Accessing the Naming Attributes Page

To create new objects, Directory Editor must know how to construct DNs (distinguished names) for the new objects.

For example, if your customer wants to use uid (user ID) as the naming attribute for inetOrgPerson instead of cn, you might specify the following DN for a newly created entry:

uid=mmiller,dc=example,dc=com

instead of:

cn=Mike Miller,dc=example,dc=com

Directory Editor ships with a small set of default naming attributes for object classes, so it is important that you modify these mappings to match the naming conventions your enterprise uses for directory objects. You must configure naming attributes for any object class that you add to the Create page.
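The DN construction described above, as an added Python example rather than Directory Editor's own code. The mapping table, the rule that the first configured naming attribute present in the entry is used, and the parent DN are assumptions; exUser/exIdentifier follows the guide's own example, and values are escaped per RFC 4514 so that a name containing a comma cannot add extra RDN components to the DN.

```python
# Added example: constructing the DN of a new entry from a per-object-class
# naming attribute mapping. Not Directory Editor code; the mapping, the rule
# "first configured attribute the entry carries is used" and the parent DN are
# assumptions. Values are escaped per RFC 4514 so that a name such as
# "Miller, Mike" cannot add extra RDN components to the resulting DN.

# Ordered naming attributes per object class (constructed; exUser/exIdentifier
# follows the guide's own example).
NAMING_ATTRIBUTES = {
    "inetOrgPerson": ["uid", "cn"],
    "groupOfUniqueNames": ["cn"],
    "exUser": ["exIdentifier", "uid"],
}

_SPECIAL = set(',+"\\<>;')   # characters that must always be escaped in a value


def escape_rdn_value(value):
    """Escape an attribute value for use in an RDN (RFC 4514, section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def build_dn(object_class, entry, parent_dn):
    """Return '<attr>=<value>,<parent_dn>' using the first configured naming
    attribute present in the entry. Raises ValueError when the object class
    has no mapping or the entry lacks every configured attribute."""
    candidates = NAMING_ATTRIBUTES.get(object_class)
    if not candidates:
        raise ValueError(f"no naming attributes configured for {object_class}")
    for attr in candidates:
        value = entry.get(attr)
        if value:
            return f"{attr}={escape_rdn_value(value)},{parent_dn}"
    raise ValueError(f"entry has none of the naming attributes {candidates}")
```

An object class with no mapping raises rather than guessing a naming attribute, which is the failure an administrator should see when a class was added to the Create page without configuring its naming attributes.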

To access the Naming Attributes page:

  1. Select Configure > Naming Attributes.
  2. The Naming Attributes page is displayed as follows:

    Figure 7-9  Naming Attributes Page
    Use the Naming Attributes page to create, edit, or delete naming attributes.

This page consists of the following features:

Creating New Object Class Naming Attribute Mappings

Use the following steps to create a new naming attribute mapping:

  1. Select Configure > Naming Attributes.
  2. When the Naming Attributes page is displayed (see Figure 7-9), click the New button.
  3. A new Naming Attributes page is displayed (Figure 7-10). Select the object class from the Object Class menu.

    Figure 7-10  New Naming Attributes Page
    Select an object class and use the Naming Attributes selection tool to create a new naming attribute.

  4. Use the Naming Attributes selection tool to specify naming attributes for the new object class, as follows:
    • Select one or more naming attributes from the Available Attributes list and click the button to move them to the Used Attributes list. (Press your Shift key and click on items in the list to select multiple naming attributes.)
    • Click the button to move all naming attributes to the Used Attributes list.
    • Click the button to move all naming attributes from the Used Attributes list back to the Available Attributes list.
    • Select naming attributes from the Used Attributes list and click the button to move them back to the Available Attributes list.
    • Use the (move up) and (move down) buttons to change the order of attributes in the Used Attributes list.
    • For example, you might specify a new object class called exUser for extending the default user object and have an attribute called exIdentifier as the naming attribute.

      Figure 7-11  New Object Class and Naming Attribute Added to the Table
      Example: Using the Naming Attributes selection tool.

  5. Click Save to save the new object class and attribute(s) (or click Cancel to return to the Naming Attributes page without saving your changes). Figure 7-12 shows the new entry added to the Object Class table.

    Figure 7-12  Updated Table
    Example: New naming attribute added to table.

Editing Naming Attributes

To edit selected naming attributes, use the following steps:

  1. Select Configure > Naming Attributes.
  2. When the Naming Attributes page is displayed, click the checkbox located next to the object class you want to edit.

    Figure 7-13  Click the Checkbox
    Enable the checkbox to indicate which object class you want to edit.

  3. Click the Edit Selected button to open a new Naming Attributes page (similar to Figure 7-14).

    Figure 7-14  Editing the Naming Attributes
    Use the Naming Attributes selection tool to add naming attributes to, or remove them from, the object class.

    Note that the Object Class menu is not available on this page. Instead, Directory Editor displays the selected object class name.

  4. Use the Naming Attributes selection tool to add or remove naming attributes. Review the instructions provided in Creating New Object Class Naming Attribute Mappings if necessary.
  5. When you are finished, click Save (or click Cancel to return to the Naming Attributes page without saving your changes).

Deleting Selected Naming Attributes

To delete selected naming attributes, use the following steps:

  1. Select Configure > Naming Attributes.
  2. When the Naming Attributes page is displayed, enable the checkbox(es) located next to the object class(es) you want to delete.

    Figure 7-15  Click the Checkbox
    Enable the checkbox to indicate which object class(es) you want to delete.

  3. Click the Delete Selected button. Directory Editor immediately removes the selected object class(es) from the table.




Part No: 819-1078-10.   Copyright 2004 Sun Microsystems, Inc. All rights reserved.