Sun Java System Access Manager 6 2005Q1 Administration Guide 

Chapter 4
Identity Management

This chapter describes the identity management features of Sun Java™ System Access Manager 6 2005Q1. The Identity Management module interface provides a way to view, manage and configure all Access Manager objects and identities. This chapter contains the following sections:


The Access Manager Console

The Access Manager console is divided into three sections: the Location pane, the Navigation pane and the Data pane. By using all three panes, the administrator is able to navigate the directory, perform user and service configurations and create policies.

Header Pane

The Header pane runs along the top of the console. The tabs in the Header pane allow the administrator to switch between the different management module views:

The Location field provides a trail to the administrator’s position in the directory tree. This path is used for navigational purposes.

The Welcome field displays the name of the user that is currently running the console with a link to the user profile.

The Search link displays an interface that allows the user to search for entries of a specific Access Manager object type. Use the pull-down menu to select the object type and enter the search string. The results are returned in the search table. Wildcards are accepted.

The Help link opens a browser window containing information on Identity Management, Current Sessions, Federation Management and Part IV of this documentation, the Attribute Reference.

The Logout link allows the user to log out of the Access Manager.

Navigation Pane

The Navigation pane is the left portion of the Access Manager console. The Directory Object portion (within the grey box) displays the name of the directory object that is currently open and its Properties link. (Most objects displayed in the Navigation pane will have a corresponding Properties link. Selecting this link will render the entry’s attributes in the Data pane to the right.) The View menu lists the directories under the selected directory object. Depending on the number of sub-directories, a paging mechanism is provided.

Data Pane

The Data pane is the right portion of the console. This is where all object attributes and their values are displayed and configured, and where entries are selected for their respective group, role or organization.


Tip

You can select or deselect all of the items in a list by clicking the Select All, or Deselect All icons.


There are two basic views of the Access Manager graphical user interface. Depending on the roles of the user logging in, they might gain access to the Identity Management view or the User Profile view.

Identity Management View

When a user with an administrative role authenticates to the Access Manager, the default view is the Identity Management view. In this view the administrator can perform administrative tasks. Depending on the role of the administrator, this can include creating, deleting and managing objects (users, organizations, policies, and so forth), and configuring services.

User Profile View

When a user who has not been assigned an administrative role authenticates to the Access Manager, the default view is the user’s own User Profile. In this view the user can modify the values of the attributes particular to the user’s personal profile. This can include, but is not limited to, name, home address and password. The attributes displayed in the User Profile View can be extended. For more information on adding customized attributes for objects and identities, see the Access Manager Developer’s Guide.

Properties Function

To view or modify an entry’s properties, click the Properties arrow next to the object’s name. Its attributes and corresponding values are displayed in the Data pane. Different objects display different properties.

See the Access Manager Developer’s Guide for information on how to extend an entry’s properties.


The Identity Management Interface

The Identity Management interface allows for the creation and management of identity-related objects. User, role, group, policy, organization, suborganization and container objects, among others, can be defined, modified or deleted using either the Access Manager console or the command line interface. The console has default administrators with varying degrees of privileges used to create and manage the organizations, groups, containers, users, services, and policies. (Additional administrators can be created based on roles.) The administrators are defined within the Directory Server when it is installed with Access Manager.


Managing Access Manager Objects

The User Management interface contains all the components needed to view and manage the Access Manager objects (organizations, groups, users, services, roles, policies, container objects, and agents). This section explains the object types and details how to configure them.

For most Access Manager object types, you can optionally configure Display Options and Available Actions to show or hide elements of the web interface as it is displayed in the Access Manager console. Configuration is done at the organization and role levels; users inherit the configuration from the organization in which they reside and from the roles that are assigned to them. These settings are described at the end of this chapter.

Organizations

An Organization represents the top level of a hierarchical structure used by an enterprise to manage its departments and resources. Upon installation, Access Manager dynamically creates a top-level organization (defined during installation) to manage the Access Manager enterprise configurations. Additional organizations can be created after installation to manage separate enterprises. All created organizations fall beneath the top-level organization.

To Create an Organization

  1. Choose Organizations from the View menu in the Identity Management module.
  2. Click New in the Navigation pane.
  3. Enter the values for the fields. Only Name is required. The fields are:

    Name. Enter a value for the name of the Organization.

    Domain Name. Enter the full Domain Name System (DNS) name for the organization, if it has one.

    Organization Status. Choose a status of active or inactive.

    The default is active. This can be changed at any time during the life of the organization by selecting the Properties icon. Choosing inactive disables user access when logging in to the organization.

    Organization Aliases. This field defines alias names for the organization, allowing you to use the aliases for authentication with a URL login. For example, if you have an organization named exampleorg, and define 123 and abc as aliases, you can log into the organization using any of the following URLs:

    http://machine.example.com/amserver/UI/Login?org=exampleorg

    http://machine.example.com/amserver/UI/Login?org=abc

    http://machine.example.com/amserver/UI/Login?org=123

    Organization alias names must be unique throughout the organization. You can use the Unique Attribute List to enforce uniqueness.

    DNS Alias Names. Allows you to add alias names for the DNS name for the organization. This attribute only accepts “real” domain aliases (random strings are not allowed). For example, if you have a DNS name example.com, and define example1.com and example2.com as aliases for an organization named exampleorg, you can log into the organization using any of the following URLs:

    http://machine.example.com/amserver/UI/Login?org=exampleorg

    http://machine.example1.com/amserver/UI/Login?org=exampleorg

    http://machine.example2.com/amserver/UI/Login?org=exampleorg

    Unique Attribute List. Allows you to add a list of unique attribute names for users in the organization. For example, if you add a unique attribute name specifying an email address, you cannot create two users with the same email address. This field also accepts a comma-separated list. Any one of the attribute names in the list defines uniqueness. For example, if the field contains the following list of attribute names:

    PreferredDomain, AssociatedDomain

    and PreferredDomain is defined as http://www.example.com for a particular user, then that value is treated as unique across the entire comma-separated list: no other user in the organization can carry it in either PreferredDomain or AssociatedDomain.

    Uniqueness is enforced for all suborganizations.

  4. Click OK.
  5. The new organization displays in the Navigation pane. To edit any of the properties that you defined during creation of the organization, click the Properties arrow of the organization you wish to edit, select General from the View menu in the Data pane, edit the properties and click OK. You can use the Display Options and Available Actions views to customize the appearance of the Access Manager console and to specify the behavior for any users that authenticate to this organization.
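As an added example (not Access Manager code), the following Python models the Unique Attribute List semantics described in the procedure above: every attribute name in the comma-separated list shares one uniqueness domain, and the check also covers suborganizations. The organization DN, the user entries and their attribute values are constructed sample data.

```python
"""Check a candidate user against an organization's Unique Attribute List.

Added example, not Access Manager code.  A value held in any listed
attribute by one user may not appear in any listed attribute of another
user in the same organization or any of its suborganizations.
"""

# Constructed organization DN (hypothetical).
ORG_DN = "o=exampleorg,dc=example,dc=com"

# Constructed directory snapshot: user DN -> attributes (multi-valued).
# bob lives in suborganization o=sub1; carol is outside exampleorg.
EXISTING_USERS = {
    "uid=alice,ou=People,o=exampleorg,dc=example,dc=com": {
        "uid": ["alice"],
        "preferreddomain": ["http://www.example.com"],
    },
    "uid=bob,ou=People,o=sub1,o=exampleorg,dc=example,dc=com": {
        "uid": ["bob"],
        "associateddomain": ["http://www.sub1.example.com"],
    },
    "uid=carol,ou=People,o=otherorg,dc=example,dc=com": {
        "uid": ["carol"],
        "preferreddomain": ["http://www.other.example.com"],
    },
}


def parse_unique_attribute_list(field):
    """Split the console field ("PreferredDomain, AssociatedDomain") into
    lower-cased names; LDAP attribute names are case-insensitive."""
    return [name.strip().lower() for name in field.split(",") if name.strip()]


def in_organization(dn, org_dn):
    """True if dn lies under org_dn, which includes its suborganizations
    (the chapter states uniqueness is enforced for all suborganizations)."""
    return dn.lower().endswith("," + org_dn.lower())


def listed_values(attrs, unique_attrs):
    """All values an entry holds in any of the listed attributes."""
    return {
        value.lower()
        for name, values in attrs.items()
        if name.lower() in unique_attrs
        for value in values
    }


def unique_attribute_conflicts(new_dn, new_attrs, existing, org_dn, field):
    """Return (value, conflicting_dn) pairs that would violate the list.
    A PreferredDomain value on the new user conflicts with the same value
    in AssociatedDomain on another user, and vice versa."""
    unique_attrs = parse_unique_attribute_list(field)
    candidate = listed_values(new_attrs, unique_attrs)
    conflicts = []
    for dn, attrs in existing.items():
        if dn == new_dn or not in_organization(dn, org_dn):
            continue
        for value in sorted(candidate & listed_values(attrs, unique_attrs)):
            conflicts.append((value, dn))
    return conflicts


def can_create_user(new_dn, new_attrs, existing=EXISTING_USERS,
                    org_dn=ORG_DN, field="PreferredDomain, AssociatedDomain"):
    """Admission check an administrator would run before creating the user."""
    return not unique_attribute_conflicts(new_dn, new_attrs, existing, org_dn, field)


if __name__ == "__main__":
    dave = {"uid": ["dave"], "associateddomain": ["http://www.example.com"]}
    print(unique_attribute_conflicts(
        "uid=dave,ou=People,o=exampleorg,dc=example,dc=com",
        dave, EXISTING_USERS, ORG_DN, "PreferredDomain, AssociatedDomain"))
```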

To Delete an Organization

  1. Choose Organizations from the View menu in Identity Management.
  2. All created organizations are displayed. To display specific organizations, enter a search string and click Search.
  3. Select the checkbox next to the name of the Organization to be deleted.
  4. Click Delete.


Note

There is no warning message when performing a delete. All entries within the organization will be deleted and you cannot perform an undo.


To Add an Organization to a Policy

Access Manager objects are added to a policy through the policy’s subject definition. When a policy is created or modified, organizations, roles, groups, and users can be defined as the subject in the policy’s Subject page. Once the subject is defined, the policy will be applied to the object. For more information, see “Managing Policies” on page 132.

Groups

A group represents a collection of users with a common function, feature or interest. Typically, this grouping has no privileges associated with it. Groups can exist at two levels: within an organization and within other managed groups. Groups that exist within other groups are called sub-groups. Sub-groups are child nodes that “physically” exist within a parent group.

Access Manager also supports nested groups, which are “representations” of existing groups contained in a single group. As opposed to sub-groups, nested groups can exist anywhere in the DIT. They allow you to quickly set up access permissions for a large number of users.

When you create a group, you choose either Membership By Subscription (a static group) or Membership By Filter (a filtered group). This controls the way in which users are added to the group. Users can be added directly only to static groups; filtered (dynamic) groups determine their membership through a filter. Nested groups or sub-groups, however, can be added to both.

Static Group (Membership By Subscription)

When you specify group membership by subscription, a static group is created based on the Managed Group Type you specify. If the Managed Group Type value is static, group members are added to a group entry using the groupOfNames or groupOfUniqueNames object class. If the Managed Group Type value is dynamic, a specific LDAP filter is used to search and return only user entries that contain the memberof attribute. For more information, see Managed Group Type.


Note

By default, the managed group type is dynamic. You can change this default in the Administration service configuration.


Filtered Group (Membership By Filter)

A filtered group is a dynamic group that is created through the use of an LDAP filter. All entries are funneled through the filter and dynamically assigned to the group. The filter looks for any attribute in an entry and returns those entries that contain the attribute. For example, if you were to create a group based on a building number, you can use the filter to return a list of all users containing the building number attribute.


Note

Access Manager should be configured with Directory Server to use the referential integrity plug-in. When the referential integrity plug-in is enabled, it performs integrity updates on specified attributes immediately after a delete or rename operation. This ensures that relationships between related entries are maintained throughout the database. Database indexes enhance the search performance in Directory Server. For more information on enabling the plug-in, see the Sun Java System Access Manager Migration Guide.


To Create a Static Group

  1. Navigate to the organization, group or group container where the group will be created.
  2. Choose Groups from the View menu.
  3. Click New.
  4. Select Membership By Subscription for the group type from within the Data pane.
  5. Enter a name for the group in the Name field. Click Next.
  6. Select the Users Can Subscribe to this Group attribute to allow users to subscribe to the group themselves.
  7. If you have defined multiple group containers in your DIT and the Show Group Containers attribute (from the Administration Service) is not enabled, you can select the Parent Group Container to which the static group will belong. Otherwise, this field is not displayed.
  8. Click Finish.
  9. Once the group is created, you can edit the Users Can Subscribe to this Group attribute by selecting General from the View menu in the Data pane.

To Add or Remove Members to a Static Group

  1. Click the Properties arrow next to the group to which you will add members.
  2. In the Data pane, select Members from the View menu.
  3. Choose an action to perform in the Select Action menu. The actions you can perform are as follows:

    New User. This action creates a new user and automatically adds the user to the group when the user information is saved.

    Add User. This action adds an existing user to the group. When you select this action, you create search criteria that specify the users you wish to add. The fields used to construct the criteria use either an ANY or ALL operator. ALL returns users that match all specified fields. ANY returns users that match any one of the specified fields. If a field is left blank, it matches all possible entries for that particular attribute.

    Once you have constructed the search criteria, click Next. From the returned list of users, select the users you wish to add and click Finish.


    Tip

    Click the Show Path button to view the complete organizational path of the user.


    Add Group. This action adds a nested group to the current group. When you select this action, you create search criteria, including the search scope and the name of the group (the “*” wildcard is accepted), and you can specify whether users can subscribe to the group themselves. Once you have entered the information, click Next. From the returned list of groups, select the group you wish to add and click Finish.

    Remove Members. This action will remove members (which includes users and groups) from the group, but will not delete them. Select the member(s) you wish to remove and choose Remove Members from the Available Actions list.

    Delete Members. This action will permanently delete the member you select. Select the member(s) you wish to delete and choose Delete Members from the Available Actions list.

To Create a Filtered Group

  1. Navigate to the organization (or group) where the group will be created.
  2. Choose Groups from the View menu.
  3. Click New.
  4. Select Membership By Filter for the group type from within the Data pane.
  5. Enter a name for the group in the Name field. Click Next.
  6. Construct the LDAP search filter.

    By default, Access Manager displays the Basic search filter interface. The Basic fields used to construct the filter use either an ANY or ALL operator. ALL returns users that match all specified fields. ANY returns users that match any one of the specified fields. If a field is left blank, it matches all possible entries for that particular attribute.

    Alternatively, you can select the Advanced button to define the filter attributes yourself. For example,

    (&(uid=user1)(|(inetuserstatus=active)(!(inetuserstatus=*))))

  7. Click Finish. All users matching the search criteria are automatically added to the group.

To Add or Remove Members to a Filtered Group

  1. Click the Properties arrow next to the group to which you will add members.
  2. In the Data pane, select Members from the View menu.
  3. Choose an action to perform in the Action menu. The actions you can perform are as follows:

    Add Group. This action adds a nested group to the current group. When you select this action, you create search criteria, including the search scope and the name of the group (the “*” wildcard is accepted), and you can specify whether users can subscribe to the group themselves. Once you have entered the information, click Next. From the returned list of groups, select the group you wish to add and click Finish.

    Remove Members. This action will remove members (which includes groups) from the group, but will not delete them. Select the member(s) you wish to remove and choose Remove Members from the Available Actions list.

    Delete Members. This action will permanently delete the member you select. Select the member(s) you wish to delete and choose Delete Members from the Available Actions list.

To Add a Group to a Policy

Access Manager objects are added to a policy through the policy’s subject definition. When a policy is created or modified, organizations, roles, groups, and users can be defined as the subject in the policy’s Subject page. Once the subject is defined, the policy will be applied to the object. For more information, see “Managing Policies” on page 132.

Users

A user represents an individual’s identity. Through the Access Manager Identity Management module, users can be created and deleted in organizations, containers and groups and can be added or removed from roles and/or groups. You can also assign services to the user.


Note

If a user in a suborganization is created with the same userid as amadmin, the login will fail for amadmin. If such a problem arises, the administrator should change the user's userid through the Directory Server console. This enables the administrator to log in to the default organization. Additionally, the DN to Start User Search in the authentication service can be set to the people container DN to ensure that a unique match is returned during the login process.


To Create a User

  1. Navigate to the organization, container or people container where the user is to be created.
  2. Choose Users from the View menu.
  3. Click New. This displays the New User page in the Data pane.
  4. If there are services available to the users, select a service to which the user will subscribe from the Available Services page. If you wish to skip this page, click Next.
  5. Enter data for the following default required values:

    UserId. This field takes the name of the user with which he or she will log into Access Manager. This property may be a non-DN value.

    First Name. This field takes the first name of the user. The First Name value and the Last Name value identify the user in the Currently Logged In field in the upper right corner of the Access Manager console. This is not a required value.

    Last Name. This field takes the last name of the user. The First Name value and the Last Name value identify the user in the Currently Logged In field in the upper right corner of the Access Manager console.

    Full Name. This field takes the full name of the user.

    Password. This field takes the password for the name specified in the User Id field.

    Password (Confirm). Confirm the password.

    User Status. This option indicates whether the user is allowed to authenticate through Access Manager. Only active users can authenticate through Access Manager. The default value is Active.

  6. Click Finish.

To Add a User to Roles and Groups

  1. Navigate to the Organization for the user that is to be modified.
  2. Choose Users from the View menu.
  3. In the Navigation pane, select the user you wish to modify and click the Properties arrow.
  4. From the View menu in the Data pane, select Roles or Groups. Only the roles and groups that have already been assigned to the user are displayed. Click Add to see the list of available roles and groups from which to choose.
  5. Select the role or group to which you wish to add the user, and click Save.

To Add a Service to a User

  1. Navigate to the Organization for the user that is to be modified.
  2. Choose Users from the View menu in the Navigation pane.
  3. In the Navigation pane, select the user you wish to modify and click the Properties arrow.
  4. From the View menu in the Data pane, select Services. The list of services that are available to the user are displayed in the Add Services pages.
  5. Select the services you wish to assign to the user.
  6. Click OK.
  7. To edit a service’s attributes, click the Edit link next to the service name. Only services that are editable will display the Edit link.

To Remove a User

  1. From the View menu in the Data pane, select Roles or Groups.
  2. From the Selected list, choose the role or group from which you wish to remove the user, and click Remove. You can optionally remove the user from all available roles and groups by clicking Remove All.
  3. Click Save to remove the user.


Note

There is no warning message before the delete operation, and it cannot be undone.


To Add a User to a Policy

Access Manager objects are added to a policy through the policy’s subject definition. When a policy is created or modified, organizations, roles, groups, and users can be defined as the subject in the policy’s Subject page. Once the subject is defined, the policy will be applied to the object. For more information, see “Managing Policies” on page 132.

Services

Activating a service for an organization or container (containers behave the same as organizations) is a two-step process. In the first step you add the service to the organization. After you add the service, you must create a template configured specifically for that organization.


Note

New services must first be imported into the Access Manager through the command line’s amadmin. Information on importing a service’s XML schema can be found in the Access Manager Developer’s Guide.


To Add a Service

  1. Navigate to the Organization where you will add services.
  2. Choose Services from the View menu.
  3. Click Add. The Data pane displays a list of services available to add to this organization.
  4. Select the checkbox next to each service to be added.
  5. Click OK. The services that have been added are displayed in the Navigation pane.


Note

Only the services that are added to the parent organization are displayed at the suborganization level.


To Create a Template for a Service

  1. Navigate to the organization or role where the added service exists.
  2. Choose Organizations from the View menu in the Identity Management module and select the organization from the Navigation pane.
  3. Choose Services from the View menu.
  4. Click the properties icon next to the name of the service to be activated. The Data pane displays the message A template does not currently exist for this service. Do you want to create one now?
  5. Click Yes. A template is created for this service for the parent organization or role. The Data pane displays the default attributes and values for this service. Descriptions of the attributes for the default services are given in the Attribute Reference.
  6. Accept or modify the default values and click Save.

To Remove a Service

  1. Navigate to the organization where you will remove services.
  2. Choose Organizations from the View menu in the Identity Management module and select the organization from the Navigation pane.
  3. Choose Services from the View menu.
  4. Select the checkboxes for the services to remove.
  5. Click Remove.


Note

Services cannot be removed from the parent organization level if they are registered at the suborganization level.


Roles

Roles are a Directory Server entry mechanism similar to the concept of a group. A group has members; a role has members. A role’s members are LDAP entries that possess the role. The criteria of the role itself are defined as an LDAP entry with attributes, identified by the Distinguished Name (DN) attribute of the entry. Directory Server has a number of different types of roles but Access Manager can manage only one of them: the managed role.


Note

The other Directory Server role types can still be used in a directory deployment; they just cannot be managed by the Access Manager console. Other Directory Server role types can be used in a policy’s subject definition. For more information on policy subjects, see “Creating Policies” on page 129.


Users can possess one or more roles. For example, a contractor role which has attributes from the Session Service and the Password Reset Service might be created. When new contractors start, the administrator can assign them this role rather than setting separate attributes in the contractor entry. If the contractor is working in the Engineering department and requires services and access rights applicable to an engineering employee, the administrator could assign the contractor to the engineering role as well as the contractor role.

Access Manager uses roles to apply access control instructions. When first installed, Access Manager configures access control instructions (ACIs) that define administrator permissions. These ACIs are then designated in roles (such as Organization Admin Role and Organization Help Desk Admin Role) which, when assigned to a user, define the user’s access permissions.

Users can view their assigned roles only if the Display User’s Roles attribute is enabled in the Administration Service. For more information, see Show Roles on User Profile Page.


Note

Access Manager should be configured with Directory Server to use the referential integrity plug-in. When the referential integrity plug-in is enabled, it performs integrity updates on specified attributes immediately after a delete or rename operation. This ensures that relationships between related entries are maintained throughout the database. Database indexes enhance the search performance in Directory Server. For more information on enabling the plug-in, see the Sun Java System Access Manager Migration Guide.


Similar to groups, roles can be created by a filter, or be created statically.

Static Role. In contrast to a filtered role, a static role can be created without adding users at the point of the role’s creation. This gives you more control when adding specific users to a given role.

Filtered Role. A filtered role is a dynamic role created through the use of an LDAP filter. All users are funneled through the filter and assigned to the role at the time of the role’s creation. The filter looks for any attribute value pair (for example, ca=user*) in an entry and automatically assigns the users that contain the attribute to the role.
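As an added example (not Access Manager or Directory Server code), the following Python evaluates LDAP filters of the kind used by filtered groups (the Advanced filter shown in “To Create a Filtered Group”) and by filtered roles (an attribute value pair such as ca=user*) against constructed sample entries. It shows which users a given filter sweeps into the group or role, including the (!(inetuserstatus=*)) branch, which admits users that have no status attribute at all.

```python
"""Evaluate the LDAP search filters Access Manager uses for filtered groups
and filtered roles.  Added example, not Access Manager code.  Supports the
RFC 4515 subset seen in this chapter: &, |, !, equality, presence (attr=*)
and substring matching with '*'.  All entries below are constructed."""

import re

# Constructed sample entries: DN -> attributes.  user2 has no inetuserstatus
# at all, which is exactly the case the (!(inetuserstatus=*)) branch admits.
ENTRIES = {
    "uid=user1,ou=People,o=exampleorg": {"uid": ["user1"], "inetuserstatus": ["active"], "ca": ["user1"]},
    "uid=user2,ou=People,o=exampleorg": {"uid": ["user2"], "ca": ["user2"]},
    "uid=user3,ou=People,o=exampleorg": {"uid": ["user3"], "inetuserstatus": ["inactive"], "ca": ["user3"]},
    "uid=admin,ou=People,o=exampleorg": {"uid": ["admin"], "inetuserstatus": ["active"], "ca": ["admin"]},
}


def parse_filter(text):
    """Parse a filter string into a tree of tuples:
    ("&", [...]), ("|", [...]), ("!", node) or ("=", attr, pattern)."""
    pos, node = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing characters after filter: %r" % text[pos:])
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at position %d" % i)
    i += 1
    if i >= len(s):
        raise ValueError("truncated filter")
    op = s[i]
    if op in "&|":
        i += 1
        children = []
        while i < len(s) and s[i] == "(":
            i, child = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated %s expression" % op)
        return i + 1, (op, children)
    if op == "!":
        i, child = _parse(s, i + 1)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated ! expression")
        return i + 1, ("!", child)
    # Simple item: attr=value up to the closing parenthesis.
    j = s.find(")", i)
    if j < 0:
        raise ValueError("missing ')'")
    attr, sep, pattern = s[i:j].partition("=")
    if not attr or not sep:
        raise ValueError("bad filter item %r" % s[i:j])
    return j + 1, ("=", attr.strip().lower(), pattern)


def _value_matches(pattern, values):
    """'*' alone is a presence test; otherwise a case-insensitive glob
    match (Directory Server's caseIgnore syntax for these attributes)."""
    if pattern == "*":
        return bool(values)
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return any(re.match(regex, v, re.IGNORECASE) for v in values)


def matches(node, attrs):
    """True if the entry's attributes satisfy the parsed filter."""
    op = node[0]
    if op == "&":
        return all(matches(child, attrs) for child in node[1])
    if op == "|":
        return any(matches(child, attrs) for child in node[1])
    if op == "!":
        return not matches(node[1], attrs)
    _, attr, pattern = node
    values = [v for name, vs in attrs.items() if name.lower() == attr for v in vs]
    return _value_matches(pattern, values)


def filtered_members(filter_text, entries=ENTRIES):
    """DNs that the filter would place in a filtered group or role."""
    node = parse_filter(filter_text)
    return sorted(dn for dn, attrs in entries.items() if matches(node, attrs))


if __name__ == "__main__":
    # The Advanced filter from this chapter: user1, while active or unset.
    print(filtered_members("(&(uid=user1)(|(inetuserstatus=active)(!(inetuserstatus=*))))"))
    # The filtered-role style attribute value pair, ca=user*.
    print(filtered_members("(ca=user*)"))
```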

To Create a Static Role

  1. In the Navigation pane, go to the organization where the role will be created.
  2. Choose Roles from the View menu.
  3. A set of default roles is created when an organization is configured, and is displayed in the Navigation pane. The default roles are:

    Container Help Desk Admin. The Container Help Desk Admin role has read access to all entries in an organizational unit and write access to the userPassword attribute in user entries only in this container unit.

    Organization Help Desk Admin. The Organization Help Desk Administrator has read access to all entries in an organization and write access to the userPassword attribute.


    Note

    When a suborganization is created, remember that the administration roles are created in the suborganization, not in the parent organization.


    Container Admin. The Container Admin role has read and write access to all entries in an LDAP organizational unit. In Access Manager, the LDAP organizational unit is often referred to as a container.

    Organization Policy Admin. The Organization Policy Administrator has read and write access to all policies, and can create, assign, modify, and delete all policies within that organization.

    People Container Admin. By default, any user entry in a newly created organization is a member of that organization’s People Container. The People Container Administrator has read and write access to all user entries in the organization’s People Container. Keep in mind that this role DOES NOT have read and write access to the attributes that contain role and group DNs; therefore, it cannot modify the attributes of, or remove a user from, a role or a group.


    Note

    Other containers can be configured with Access Manager to hold user entries, group entries or even other containers. To apply an Administrator role to a container created after the organization has already been configured, the Container Admin Role or Container Help Desk Admin defaults would be used.


    Group Admin. The Group Administrator has read and write access to all members of a specific group, and can create new users, assign users to the groups they manage, and delete the users that they have created.

    When a group is created, the Group Administrator role is automatically generated with the necessary privileges to manage the group. The role is not automatically assigned to a group member. It must be assigned by the group’s creator, or anyone that has access to the Group Administrator Role.

    Top-level Admin. The Top-level Administrator has read and write access to all entries in the top-level organization. In other words, this Top-level Admin role has privileges for every configuration principal within the Access Manager application.

    Organization Admin. The Organization Administrator has read and write access to all entries in an organization. When an organization is created, the Organization Admin role is automatically generated with the necessary privileges to manage the organization.

  4. Click New in the Navigation pane. The New Role template appears in the Data pane.
  5. Select Static Role and enter a name. Click Next.
  6. Enter a description of the role.
  7. Choose the role type from the Type menu.

    The role can be either an Administrative role or a Service role. The role type is used by the console to determine where to start the user in the Access Manager console. An administrative role notifies the console that the possessor of the role has administrative privileges; the service role notifies the console that the possessor is an end user.

  8. Choose a default set of permissions to apply to the role from the Access Permission menu. The permissions provide access to entries within the organization. The default permissions shown are in no particular order. The permissions are:

    No Permissions. No permissions are to be set on the role.

    Organization Admin. The Organization Administrator has read and write access to all entries in the configured organization.

    Organization Help Desk Admin. The Organization Help Desk Administrator has read access to all entries in the configured organization and write access to the userPassword attribute.

    Organization Policy Admin. The Organization Policy Administrator has read and write access to all policies in the organization. The Organization Policy Administrator cannot create a referral policy to a peer organization.

    Generally, the No Permissions ACI is assigned to Service roles, while Administrative roles are assigned any of the default ACIs.

  9. Click Finish. The created role is displayed in the Navigation pane and status information about the role is displayed in the Data pane.

    You can optionally configure the Display Options and Available Actions by selecting them in the View menu. For more information, see Display Options and Available Actions at the end of this chapter.

To Add Users to a Static Role

  1. Select the role to modify and click on the Properties arrow.
  2. Choose Users from the View menu in the Data pane.
  3. Click Add.
  4. Enter the information for the search criteria. You can search for users based on one or more of the displayed fields. The fields are:

    Match. Allows you to choose an operator for the fields you include in the filter. ALL returns only users that match all of the specified fields. ANY returns users that match any one of the specified fields.

    First Name. Search for users by their first name.

    User Status. Search for users by their status (active or inactive).

    User ID. Search for a user by User ID.

    Last Name. Search for users by their last name.

    Full Name. Search for users by their full name.

  5. Click Next to begin the search. The results of the search are displayed.
  6. Choose the users from the names returned by selecting the checkbox next to each user name.
  7. Click Finish. The users are now assigned to the role.

To Create a Filtered Role

  1. In the Navigation pane, go the organization where the role will be created.
  2. Choose Roles from the View menu.
  3. A set of default roles is created when an organization is configured, and these roles are displayed in the Navigation pane. The default roles are:

    Container Help Desk Admin. The Container Help Desk Admin role has read access to all entries in an organizational unit and write access to the userPassword attribute in user entries only in this container unit.

    Organization Help Desk Admin. The Organization Help Desk Administrator has read access to all entries in an organization and write access to the userPassword attribute.


    Note

    When a suborganization is created, remember that the administration roles are created in the suborganization, not in the parent organization.


    Container Admin. The Container Admin role has read and write access to all entries in an LDAP organizational unit. In Access Manager, the LDAP organizational unit is often referred to as a container.

    Organization Policy Admin. The Organization Policy Administrator has read and write access to all policies, and can create, assign, modify, and delete all policies within that organization.

    People Container Admin. By default, any user entry in a newly created organization is a member of that organization’s People Container. The People Container Administrator has read and write access to all user entries in the organization’s People Container. Keep in mind that this role DOES NOT have read and write access to the attributes that contain role and group DNs; therefore, it cannot modify the attributes of, or remove a user from, a role or a group.


    Note

    Other containers can be configured with Access Manager to hold user entries, group entries or even other containers. To apply an Administrator role to a container created after the organization has already been configured, the Container Admin Role or Container Help Desk Admin defaults would be used.


    Group Admin. The Group Administrator has read and write access to all members of a specific group, and can create new users, assign users to the groups they manage, and delete the users that they have created.

    When a group is created, the Group Administrator role is automatically generated with the necessary privileges to manage the group. The role is not automatically assigned to a group member. It must be assigned by the group’s creator, or anyone that has access to the Group Administrator Role.

    Top-level Admin. The Top-level Administrator has read and write access to all entries in the top-level organization. In other words, this Top-level Admin role has privileges for every configuration principal within the Access Manager application.

    Organization Admin. The Organization Administrator has read and write access to all entries in an organization. When an organization is created, the Organization Admin role is automatically generated with the necessary privileges to manage the organization.

  4. Click New in the Navigation pane. The New Role template appears in the Data pane.
  5. Select Filtered Role and enter the name. Click Next.
  6. Enter a description for the role.
  7. Choose the role type from the Type menu.
  8. The role can be either an Administrative role or a Service role. The console uses the role type to determine where to start the user in the Access Manager console. An Administrative role tells the console that the possessor of the role has administrative privileges; a Service role tells the console that the possessor is an end user.

  9. Choose a default set of permissions to apply to the role from the Access Permission menu. The permissions provide access to entries within the organization. The default permissions shown are in no particular order. The permissions are:

    No permissions. No permissions are set on the role.

    Organization Admin. The Organization Administrator has read and write access to all entries in the configured organization.

    Organization Help Desk Admin. The Organization Help Desk Administrator has read access to all entries in the configured organization and write access to the userPassword attribute.

    Organization Policy Admin. The Organization Policy Administrator has read and write access to all policies in the organization. The Organization Policy Administrator can not create a referral policy to a peer organization.

    Generally, the No Permissions ACI is assigned to Service roles, while Administrative roles are assigned any of the default ACIs.

  10. Enter the information for the search criteria. The fields are:

    Match. Allows you to choose an operator for the fields you include in the filter. ALL returns only users that match all of the specified fields. ANY returns users that match any one of the specified fields.

    First Name. Search for users by their first name.

    User Status. Search for users by their status (active or inactive).

    User ID. Search for a user by User ID.

    Last Name. Search for users by their last name.

    Full Name. Search for users by their full name.

    Alternatively, you can click the Advanced button and define the LDAP filter attributes yourself. For example, the following filter selects user1 when the inetuserstatus attribute is either set to active or not present at all (a user entry with no inetuserstatus value is treated as active):

    (&(uid=user1)(|(inetuserstatus=active)(!(inetuserstatus=*))))

    If the filter is left blank, the following filter is used by default:

    (objectclass = inetorgperson)

    Because membership in a filtered role is evaluated dynamically from the filter, this default makes every inetOrgPerson entry in the role’s scope a member, including inactive users. Click Cancel to cancel the role creation process.

  11. Click Finish to initiate the search based on the filter criteria. The users defined by the filter criteria are automatically assigned to the role.
  12. You can optionally configure the Display Options and Available Actions by selecting them in the View menu. For more information, see Display Options and Available Actions at the end of this chapter.
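The following Python script is an added example, not code from the Access Manager documentation or product. It implements a small evaluator for the filter syntax used above (and, or, not, equality and presence items) and runs the page’s sample filter, the same filter without its uid clause, a variant anchored on objectclass, and the blank-filter default against a constructed set of directory entries (the DNs, attribute values and the group entry are assumptions). It shows why a user entry with no inetuserstatus attribute is treated as active, why a status-only filter also pulls in non-user entries such as groups unless it is anchored on objectclass=inetorgperson, and that the default filter includes inactive users.

```python
"""Evaluate a filtered-role LDAP filter against user entries.

Added example, not code from the Access Manager documentation or product.
Supports the subset of LDAP filter syntax (RFC 4515) used by the
filtered-role example: and (&), or (|), not (!), equality (attr=value)
and presence (attr=*). Escaped values and substring, approximate or
ordering matches are not handled. Equality is compared case-insensitively,
as Directory Server's caseIgnoreMatch does for inetuserstatus and
objectclass. The entries and DNs below are constructed sample data.
"""


def _expect(s, i, ch):
    if i >= len(s) or s[i] != ch:
        raise ValueError(f"expected {ch!r} at offset {i}")


def _parse(s, i):
    """Parse one parenthesised filter item starting at s[i]; return (node, next index)."""
    _expect(s, i, "(")
    i += 1
    if i >= len(s):
        raise ValueError("unterminated filter item")
    if s[i] in "&|":
        node = ("and" if s[i] == "&" else "or", [])
        i += 1
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            node[1].append(child)
        _expect(s, i, ")")
        return node, i + 1
    if s[i] == "!":
        child, i = _parse(s, i + 1)
        _expect(s, i, ")")
        return ("not", child), i + 1
    end = s.find(")", i)
    if end < 0:
        raise ValueError("unterminated filter item")
    attr, sep, value = s[i:end].partition("=")
    attr, value = attr.strip(), value.strip()
    if not sep or not attr:
        raise ValueError(f"unsupported filter item {s[i:end]!r}")
    if value == "*":
        return ("present", attr), end + 1      # (attr=*): attribute has any value
    return ("eq", attr, value), end + 1


def parse_filter(text):
    text = text.strip()
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return node


def _values(entry, attr):
    """Values of an attribute; LDAP attribute names are case-insensitive."""
    for name, vals in entry["attributes"].items():
        if name.lower() == attr.lower():
            return vals
    return []


def matches(node, entry):
    kind = node[0]
    if kind == "and":                      # (&) with no items is LDAP's absolute true
        return all(matches(c, entry) for c in node[1])
    if kind == "or":
        return any(matches(c, entry) for c in node[1])
    if kind == "not":
        return not matches(node[1], entry)
    if kind == "present":
        return bool(_values(entry, node[1]))
    return any(v.lower() == node[2].lower() for v in _values(entry, node[1]))


def role_members(filter_text, entries):
    """DNs of the entries a filtered role with this filter would contain."""
    node = parse_filter(filter_text)
    return [e["dn"] for e in entries if matches(node, e)]


# Constructed sample directory: three users and one group under the organization.
_USER_CLASSES = ["top", "person", "organizationalPerson", "inetOrgPerson", "inetUser"]
ENTRIES = [
    {"dn": "uid=user1,ou=People,dc=example,dc=com",
     "attributes": {"uid": ["user1"], "objectClass": _USER_CLASSES, "inetUserStatus": ["Active"]}},
    {"dn": "uid=user2,ou=People,dc=example,dc=com",
     "attributes": {"uid": ["user2"], "objectClass": _USER_CLASSES, "inetUserStatus": ["Inactive"]}},
    # No inetUserStatus attribute at all: the filters below treat this user as active.
    {"dn": "uid=user3,ou=People,dc=example,dc=com",
     "attributes": {"uid": ["user3"], "objectClass": _USER_CLASSES}},
    {"dn": "cn=staff,ou=Groups,dc=example,dc=com",
     "attributes": {"cn": ["staff"], "objectClass": ["top", "groupOfUniqueNames"],
                    "uniqueMember": ["uid=user1,ou=People,dc=example,dc=com"]}},
]

# The page's Advanced filter, the same filter without the uid clause, a version
# anchored on objectclass, and the default applied when the filter is left blank.
PAGE_FILTER = "(&(uid=user1)(|(inetuserstatus=active)(!(inetuserstatus=*))))"
STATUS_FILTER = "(|(inetuserstatus=active)(!(inetuserstatus=*)))"
ANCHORED_FILTER = "(&(objectclass=inetorgperson)" + STATUS_FILTER + ")"
DEFAULT_FILTER = "(objectclass = inetorgperson)"

if __name__ == "__main__":
    for label, f in [("page", PAGE_FILTER), ("status only", STATUS_FILTER),
                     ("anchored", ANCHORED_FILTER), ("default", DEFAULT_FILTER)]:
        print(f"{label:12} {f}\n  -> {role_members(f, ENTRIES)}")
```

The status-only filter returns the group entry as well as user1 and user3, because a group has no inetuserstatus attribute either; anchoring the filter on objectclass=inetorgperson keeps the role to user entries, and the default filter returns user2 even though that account is inactive.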


    Note

    You can add users to static roles through the Role profile page and/or the User profile page.


To Remove Users from a Role

  1. Navigate to the Organization that contains the role to modify.
  2. Choose Organizations from the View menu in the Identity Management module and select the organization from the Navigation pane.

  3. Choose Roles from the View menu.
  4. Select the role to modify.
  5. Choose Users from the View menu.
  6. Select the checkbox next to each user to be removed.
  7. Click Remove.
  8. The users are now removed from the role.

To Add a Role to a Policy

Access Manager objects are added to a policy through the policy’s subject definition. When a policy is created or modified, organizations, roles, groups, and users can be defined as the subject in the policy’s Subject page. Once the subject is defined, the policy will be applied to the object. For more information, see “Managing Policies” on page 132.

Customizing a Service to a Role

You can customize the services available to a role, and the access level for the service attributes, on a per-role basis. Each of the available services can be customized for a role by setting role-specific values for its attributes. You can also grant or deny access to each service and to the service’s attributes. There may be services that you want only a specific type of user (for example, managers) to access. To accomplish this, assign the service to all users, but grant access to it only through the role that the managers possess.

The same logic applies to service attributes. A user’s account consists of many attributes, some of which the user may not be allowed to access; for example the account expiration date. The administrator of the account can be granted access to this attribute, but the user (the account owner) is not. Customizing the service and attribute access is accomplished through the role’s Service view in the Navigation pane.

You must first add the services at the organization level in order to display the services. Users that are added to the role will inherit the role’s service attributes.

To Configure Services
  1. In the role’s Service view, go to the section labeled Service Configuration for this Role.
  2. Choose a service that is to be granted to the role by clicking on the Edit link next to the service name.
  3. If you have not created a service template, you will be prompted to do so. Click Yes.

  4. Modify the Service attributes. For more information on specific Service attributes, see Part 4 of this manual, the Attribute Reference.
  5. Click Save.

    Note

    When access to a service is denied (not checked), the service will not be displayed in the Access Manager console for the user possessing the role. Additionally, it is not possible to register or unregister a user, assign the service to a user, or create, delete, view or modify the Service template.


To Customize Attribute Access
  1. In the role’s Services view, go to the section labeled Service Access for this Role.
  2. Choose the enable or disable status for the service you wish to modify. Enable allows the access modifications defined for the service to take effect; Disable disallows them.
  3. Click the Modify Access link.
  4. Assign an access level to an attribute by selecting the Read/Write or Read Only check boxes.
  5. Click OK and then Save.

For more information on specific Service attributes, see Part 4 of this manual, the Attribute Reference.

To Delete a Role

  1. Navigate to the organization that contains the role to be deleted.
  2. Choose Organizations from the View menu in Identity Management and select the organization from the Navigation pane. The Location path displays the default top-level organization and chosen organization.
  3. Choose Roles from the View menu.
  4. Select the checkbox next to the name of the role.
  5. Click Delete.

Policies

Policies define rules to help protect an organization’s web resources. Although policy creation, modification and deletion is performed through the Identity Management module, the procedures are described in “Creating Policies” on page 129.

Agents

Access Manager Policy Agents protect content on web servers and web proxy servers from unauthorized intrusions. They control access to services and web resources based on the policies configured by an administrator.

The agent object defines a Policy Agent profile, and allows Access Manager to store authentication and other profile information about a specific agent that is protecting an Access Manager resource. Through the Access Manager console, administrators can view, create, modify and delete agent profiles.

To Create an Agent

  1. Navigate to the organization that contains the agent to be created.
  2. Choose Agents from the View menu.
  3. Click New.
  4. Enter the values for the fields. The fields are:

    Name. Enter the name or identity of the agent. This is the name that the agent will use to log into Access Manager. Multi-byte names are not accepted.

    Password. Enter the agent password. This password must match the password used by the agent during LDAP authentication.

    Confirm Password. Confirm the password.

    Description. Enter a brief description of the agent. For example, you can enter the agent instance name or the name of the application it is protecting.

    Agent Key Value. Set the agent properties with a key/value pair. This property is used by Access Manager to receive agent requests for credential assertions about users. Currently, only one property is valid and all other properties will be ignored. Use the following format:

    agentRootURL=http://server_name:port/

    Device Status. Enter the device status of the agent. If set to Active, the agent will be able to authenticate to and communicate with Access Manager. If set to Inactive, the agent will not be able to authenticate to Access Manager.

To Delete an Agent

  1. Navigate to the organization that contains the agent to be deleted.
  2. Choose Agents from the View menu.
  3. Select the checkbox next to the name of the agent.
  4. Click Delete.

Creating a Unique Policy Agent Identity

By default, when you create multiple policy agents in a trusted environment, the policy agents contain the same UID and password. Because the UID and passwords are shared, Access Manager cannot distinguish between the agents, which may leave the session cookie open to interception.

The weakness may be present when an Identity Provider provides authentication, authorization and profile information about a user to applications (or Service Providers) that are developed by third parties or by unauthorized groups within the enterprise. Possible security issues are:

To Create a Unique Policy Identity
  1. Use the Access Manager administration console to make an entry for each agent. For more information, see To Create an Agent.
  2. Run the following command on the password that was entered in step 1 to obtain its encrypted form:

    AccessManager-base/SUNWam/agents/bin/crypt_util agent123

    This will give the following output:

    WnmKUCg/y3l404ivWY6HPQ==

  3. Change AMAgent.properties to reflect the new values, and then restart the agent. Example:

    # The username and password to use for the Application authentication module.
    com.sun.am.policy.am.username = agent123
    com.sun.am.policy.am.password = WnmKUCg/y3l404ivWY6HPQ==

    # Cross-Domain Single Sign On URL
    # Is CDSSO enabled.
    com.sun.am.policy.agents.cdsso-enabled=true

    # This is the URL the user will be redirected to after successful login
    # in a CDSSO Scenario.
    com.sun.am.policy.agents.cdcservletURL = http://server.example.com:port/amserver/cdcservlet

  4. Change AMConfig.properties to reflect the new values, and then restart Access Manager. Example:

    com.sun.identity.enableUniqueSSOTokenCookie=true
    com.sun.identity.authentication.uniqueCookieName=sunIdentityServerAuthNServer
    com.sun.identity.authentication.uniqueCookieDomain=example.com

  5. In the Access Manager administration console, choose Service Configuration > Platform.
  6. In the Cookie Domains list, change the cookie domain name:
    1. Select the default iplanet.com domain, and then click Remove.
    2. Enter the host name of the Access Manager installation (for example, server.example.com), and then click Add.

    You should now see two cookies set in the browser:

      Cookie                         Host Name
      iPlanetDirectoryPro            server.example.com
      sunIdentityServerAuthNServer   example.com
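The following Python script is an added example, not code from the Access Manager documentation or product, that audits the outcome of this procedure across several agents. It reads constructed AMAgent.properties fragments (the agent instance names web1 to web3 and the sharedagent credential are assumptions; the encrypted password strings are placeholders except for the agent123 value quoted above), reports which agent instances still share a username and password, and checks that AMConfig.properties contains the three unique-cookie settings shown above.

```python
"""Audit policy-agent credentials across AMAgent.properties files.

Added example, not code from the Access Manager documentation or product.
The property names are the ones quoted on this page. The file contents
below are constructed; the encrypted password strings are placeholders
(only the agent123 value is the one the page shows), not real crypt_util
output, and the agent instance names are assumptions.
"""
import re
from collections import defaultdict

USERNAME_KEY = "com.sun.am.policy.am.username"
PASSWORD_KEY = "com.sun.am.policy.am.password"
UNIQUE_COOKIE_KEYS = (
    "com.sun.identity.enableUniqueSSOTokenCookie",
    "com.sun.identity.authentication.uniqueCookieName",
    "com.sun.identity.authentication.uniqueCookieDomain",
)

_KV = re.compile(r"^([^=:\s]+)\s*[=:]?\s*(.*)$")


def parse_properties(text):
    """Minimal java.util.Properties reader: '#'/'!' comments, '=' or ':' (or
    whitespace) separators, surrounding whitespace stripped, backslash line
    continuations joined. A later definition of a key overrides an earlier one."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending = line[:-1]          # continuation: keep joining with the next line
            continue
        pending = ""
        if not line or line[0] in "#!":
            continue
        m = _KV.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def shared_credentials(agent_files):
    """agent_files maps an agent instance name to its AMAgent.properties text.
    Returns {(username, encrypted_password): [instances]} for every credential
    used by more than one agent; an empty dict means each agent has its own identity."""
    by_cred = defaultdict(list)
    for instance, text in agent_files.items():
        p = parse_properties(text)
        by_cred[(p.get(USERNAME_KEY), p.get(PASSWORD_KEY))].append(instance)
    return {cred: sorted(names) for cred, names in by_cred.items() if len(names) > 1}


def unique_cookie_configured(amconfig_text):
    """True when AMConfig.properties enables the unique SSO token cookie and
    names both the cookie and its domain."""
    p = parse_properties(amconfig_text)
    enabled, name, domain = (p.get(k, "") for k in UNIQUE_COOKIE_KEYS)
    return enabled.lower() == "true" and bool(name) and bool(domain)


# Constructed AMAgent.properties fragments for three agent instances. web1 and web2
# still use the credential shared at install time; web3 was given its own entry.
AGENT_FILES = {
    "web1": """# The username and password to use for the Application authentication module.
com.sun.am.policy.am.username = sharedagent
com.sun.am.policy.am.password = c2hhcmVkLXBsYWNlaG9sZGVy
com.sun.am.policy.agents.cdsso-enabled=false
""",
    "web2": """com.sun.am.policy.am.username: sharedagent
com.sun.am.policy.am.password: c2hhcmVkLXBsYWNlaG9sZGVy
""",
    "web3": """com.sun.am.policy.am.username = agent123
com.sun.am.policy.am.password = WnmKUCg/y3l404ivWY6HPQ==
com.sun.am.policy.agents.cdsso-enabled=true
com.sun.am.policy.agents.cdcservletURL = \\
    http://server.example.com:port/amserver/cdcservlet
""",
}

AMCONFIG_BEFORE = "com.sun.identity.enableUniqueSSOTokenCookie=false\n"
AMCONFIG_AFTER = """com.sun.identity.enableUniqueSSOTokenCookie=true
com.sun.identity.authentication.uniqueCookieName=sunIdentityServerAuthNServer
com.sun.identity.authentication.uniqueCookieDomain=example.com
"""

if __name__ == "__main__":
    for cred, instances in shared_credentials(AGENT_FILES).items():
        print(f"agents {instances} share credential {cred[0]!r}")
    print("unique cookie before:", unique_cookie_configured(AMCONFIG_BEFORE))
    print("unique cookie after:", unique_cookie_configured(AMCONFIG_AFTER))
```

Run it over the real AMAgent.properties of every agent instance and the server's AMConfig.properties; any group reported by shared_credentials is a set of agents that Access Manager still cannot tell apart.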

Containers

The container entry is used when, due to object class and attribute differences, it is not possible to use an organization entry. It is important to remember that the Access Manager container entry and the Access Manager organization entry are not necessarily equivalent to the LDAP object classes organizationalUnit and organization. They are abstract Identity entries. Ideally, the organization entry will be used instead of the container entry.


Note

The display of containers is optional. To view containers you must select Show Containers in View Menu in the Service Configuration module. For more information, see Show Containers In View Menu.


To Create a Container

  1. Navigate to the Organization or Container where the new Container will be created.
  2. Select Containers from the View menu.

  3. Click New. A Container template displays in the Data pane.
  4. Enter the name of the Container to be created.
  5. Click OK.
  6. You can optionally configure the Display Options and Available Actions by selecting them in the View menu. For more information, see Display Options and Available Actions at the end of this chapter.

To Delete a Container

  1. Navigate to the organization or container which contains the container to be deleted.
  2. Choose Containers from the View menu.
  3. Select the checkbox next to the name of the container to be deleted.
  4. Click Delete.

    Note

    Deleting a container will delete all objects that exist in that Container. This includes all objects and sub containers.


People Containers

A people container is the default LDAP organizational unit to which all users are assigned when they are created within an organization. People containers exist at the organization level and can be nested, as sub people containers, inside another people container. They can contain only other people containers and users. Additional people containers can be added to the organization, if desired.


Note

The display of people containers is optional. To view People Containers you must select Show People Containers in the Service Configuration module. For more information, see Show People Containers.


Create a People Container

  1. Navigate to the organization or people container where the new people container will be created.
  2. Select People Containers from the View menu.

  3. Click New. The People Container template displays in the Data pane.
  4. Enter the name of the people container to be created.
  5. Click OK.

Delete a People Container

  1. Navigate to the organization or people container which contains the people container to be deleted.
  2. Choose People Containers from the View menu.
  3. Select the checkbox next to the name of the people container to be deleted.
  4. Click Delete.

    Note

    Deleting a people container will delete all objects that exist in that people container. This includes all users and sub people containers.


Group Containers

A group container is used to manage groups. It can contain only groups and other group containers. The group container Groups is dynamically assigned as the parent entry for all managed groups. Additional group containers can be added, if desired.


Note

The display of group containers is optional. To view group containers you must select Show Group Containers in the Service Configuration module. For more information, see Show Group Containers.


To Create a Group Container

  1. Navigate to the organization or the group container in which the new group container will be created.
  2. Choose Group Containers from the View menu. The default group container, Groups, was created when the organization was created.
  3. Click New.
  4. Enter a value in the Name field and click OK. The new group container displays in the Navigation pane.

To Delete a Group Container

  1. Navigate to the organization which contains the group container to be deleted.
  2. Choose Group Containers from the View menu. The default Groups container and all created group containers display in the Navigation pane.
  3. Select the checkbox next to the group container to be deleted.
  4. Click Delete.

Display Options

For organizations, roles and containers, you can use Display Options view to customize the way in which Access Manager objects are displayed in the Access Manager console. Not all display options are available for all object types.

To Change the Display Options

  1. Click on the Properties arrow of the organization for which you would like to change the display options.
  2. Select Display Options from the View menu in the Data pane.
  3. Edit the properties in the General section. The properties are:

    Generate Full Name Attribute. Select this attribute to enable Access Manager to always generate the user’s full name, which is formed from the first and last name values in the user’s profile.

    Always Select First Entry. Select this attribute for a search so that it automatically selects the first item of a given identity object type in the Navigation pane and displays it in the Data pane.

    User Profile Page Title. Choose an attribute from this pull-down menu to be used for the title in the User Profile Page.

    Disable Initial Search. This value disables the initial Access Manager search for one or more identity object types. Disabling the initial Search may enhance performance and reduce the likelihood of a timeout error.

  4. Change the display options in the Display Configuration of Access Manager Objects section. This section allows you to customize how Access Manager containers and objects are displayed. The Access Manager Containers option allows you to specify which object views are displayed in the Navigation pane’s View menu. The Access Manager Objects field allows you to specify which object views are displayed in the Data pane’s View menu.
  5. Click Save.

Available Actions

For certain Access Manager object types, you can define user access rights through the Available Actions view.

To Set Available Actions for Users

  1. Click on the Properties arrow of the Identity object for which you would like to set available actions.
  2. Select Available Actions from the View menu in the Data pane.
  3. Choose an action type for each Access Manager object type. The action type defines the level of access the user has to objects of that type. The action types are:

    No Access. The user has no access to this object.

    View. The user has read-only access to this object.

    Modify. The user can modify and view this object.

    Delete. The user can modify, view and delete this object.

    Full Access. The user can create, modify, view and delete this object.

  4. Click Save. To change the values to their previously saved state, click Reset.





Part No: 817-7647-11.   Copyright 2005 Sun Microsystems, Inc. All rights reserved.