Sun ONE Portal Server 6.0 Administrator's Guide



Chapter 3   Configuring Delegated Administration

This chapter describes how to configure delegated administration for Sun™ ONE Portal Server.

This chapter contains these sections:

  • Overview of Delegated Administration
  • Developing a Delegated Administration Model
  • Configuring Delegated Administration

Overview of Delegated Administration

As enterprises create larger and more complex portals, a centralized administration model is no longer viable. Delegated administration or Line of Business (LOB) administration addresses this issue by delegating or distributing the administration tasks to the actual portal users.

The Sun ONE Portal Server allows you to delegate administration functions to users by using roles. Role-based administration enables an enterprise to break its business into smaller organizations or lines of business (LOB) and then allows different users to administer the organizations, suborganizations, users, policy, roles, channels, and desktop providers of the LOB based on the user's roles.

Table 3-1 lists and defines some important delegated administration terms as they apply in the Sun ONE Portal Server. The table contains two columns: the first column lists the term and the second column gives a brief description.

Table 3-1    Delegated Administration Terms

  Term                      Description

  Privilege                 The combination of a single resource and a single action that can be performed upon the resource (for example, view a static web page, view paystubs in a paycheck application, modify W-4 data in the paycheck application, and so on).

  Action                    A procedure or operation that can be performed on a resource (for example, read a catalog, write a catalog, get email using POP, get email using IMAP, and so on).

  Resource                  Something that can be abstractly represented in software and whose access is controlled and protected. In iPlanet™ Directory Server Access Management Edition, the Resource refers to URL Access only.

  Super admin role          A role that has complete management rights to all policy and identity settings.

  Organization admin role   A role that has complete management rights to policy and identity settings for an organization.

  Line of Business (LOB)    Line of business capabilities are administration capabilities that can be performed by a business analyst or equivalent position. LOB administrators are able to perform administrative tasks that do not require super admin capabilities to complete. Typically, LOB capabilities, such as adding or removing users to and from roles that grant access to resources, would be available only within their sphere of interest.

  Role administrator role   A role with the access permissions to administer certain other specific roles and a certain set of user objects, for example, adding or removing users from a role or editing role-level attributes.

  Role administrator        A user to whom a role administrator role has been assigned.

Delegated Administration Roles

The iPlanet Directory Server Access Management Edition admin console provides role-based delegated administration capabilities to different kinds of administrators to manage organizations, users, policy, roles, channels, and Desktop providers based on the given permissions.

iPlanet Directory Server Access Management Edition admin console provides a number of predefined administrator roles for delegating administration functions. They are as follows:

  • Super Admin
  • Group Admin
  • Organization Admin
  • Organization Help Desk Admin
  • People Container Admin
  • Organizational Unit Admin
  • Organizational Unit Help Desk Admin
  • Top Level Admin

For detailed information on these roles, refer to the iPlanet Directory Server Access Management Edition product documentation.


Note

iPlanet Directory Server Access Management Edition also implements three other roles: Top-level Admin, Top-level Help Desk Admin, and Deny Write Access. These roles are created during installation and only exist at the root of the installation. Any new organizations created will not get these three roles. By default, when a new organization is created, three roles get created with it: Organization Admin, Organization Help Desk Admin, and People Admin.



You can use these predefined administrator roles to set up your delegated administration implementation if their function fits the need. For example, if the directory structure for your model comprises an organization with multiple sub-organizations, you could assign Organization Admin roles to users to create delegated administrators for each of the suborganizations. However, if the organizational structure of your enterprise is more complicated, you might want to create a delegated administration model that targets your specific needs. To do this, the iPlanet Directory Server Access Management Edition admin console allows you to define delegated administrator roles with privileges specific to your business needs.

To implement an enterprise-specific delegated administration model, there are three critical conceptual roles:

  • Super Admin Role
  • Organization Admin Role
  • Role Administrator Role

The Super Admin Role and the Organization Admin Role are created automatically when the system or a new organization is set up. The Role Administrator Role is a role you create based on the requirements of the delegated administration model. The access permissions for the Role Administrator Role are defined by directly editing the corresponding Access Control Instructions (ACIs).

In a delegated administration, the following principles apply:

  • User privileges are granted by the user's role.
  • Privileges are granted on a per individual user basis by defining a role with desired privileges and assigning this role to the individual user.
  • Sets of users can be grouped together by assigning them a specific role. These users will be granted the set of privileges and inherit the values for dynamic attributes that are defined for that role.
  • Users can have multiple or aggregated roles. Users with multiple roles have access to the combined features of all their roles. When there is a conflict in the features granted by aggregated roles, conflict resolution is based on the priority configured through the Conflict Resolution Level defined for each of the services for those roles. There are seven conflict resolution settings available, ranging from Highest to Lowest. When attributes conflict as multiple Desktop templates from multiple roles are merged, the attribute from the template set with the highest conflict resolution level is returned.

Developing a Delegated Administration Model

In order to delegate administration functions for the Sun ONE Portal Server appropriately, you should develop a delegated administration model to help determine the administration roles required for your enterprise. Consider the following when developing your model:

  • Focus on the business requirements of your enterprise. In general, the proposed solution for the role-based delegated administration should be parallel with the business requirements.
  • Develop a directory structure that enables users to be grouped so they can access their required resources and have their administration needs managed by a delegated administrator.
  • Try to fit your business entities into a more standard tree structure as much as possible while still addressing all the business requirements. You can use a structure with a hierarchy of organizations and suborganizations or a flat directory tree structure. In a flat directory structure, all the entities are defined immediately beneath the top-level organization and all the roles (including Role Administrator Roles) are "parallel" to each other in terms of the organizational hierarchy. For example, all the users who are affiliated with a business unit would be created in people containers under the top-level organization. For each of the access roles and administrative roles needed in your model, a corresponding role at the top level would be created.

Configuring Delegated Administration

The high-level steps that you perform to configure a delegated administration implementation for the Sun ONE Portal Server are:

  1. Defining the ACI settings for the Role Administrator Roles
  2. Creating new Admin Roles for the delegation model
  3. Assigning Role Administrator Roles to users
  4. Configuring Additional Restrictions on a Role

Defining the ACI Settings for Role Administrator Roles

To configure the appropriate privileges for any of the role administrator roles you identified in your delegation model, you must define the appropriate permissions in an ACI for each unique role in your delegation model. You can define an ACI permission template for a role using the iPlanet Directory Server Access Management Edition admin console or the Directory Server console. You can also define an ACI for a specific role using the ldapmodify command.

Use the following format when defining ACI permission templates in the iPlanet Directory Server Access Management Edition admin console or with the Directory Server console:

aci_name | aci_desc| dn:aci ## dn:aci ## dn:aci

where:

aci_name is the name of the role.

aci_desc is a description of the access these ACIs allow.

dn:aci represents pairs of DNs and ACIs separated by ##. iPlanet Directory Server Access Management Edition sets each ACI in the associated DN entry.

This format also supports tags that can be substituted for values that would otherwise have to be specified literally in an ACI: ROLENAME, ORGANIZATION, GROUPNAME, and PCNAME. Using these tags lets you define roles flexible enough to be used as defaults. When a role is created based on one of the default roles, tags in the ACI resolve to values taken from the DN of the new role.

For detailed information on setting ACIs, refer to the iPlanet Directory Server Access Management Edition product documentation.
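The template format above, worked through as an added example (not code from the guide or the product): a small Python parser that splits an aci_name | aci_desc | dn:aci ## dn:aci string, resolves the ROLENAME and ORGANIZATION tags from the DN of a new role as the console does, and emits the equivalent ldapmodify LDIF. The OrgUserReader template and its nsManagedRoleDefinition filter are constructed for illustration, and how GROUPNAME and PCNAME are obtained is an assumption (they are passed in explicitly here).

```python
from typing import Dict, List, Tuple

def split_template(template: str) -> Tuple[str, str, List[Tuple[str, str]]]:
    """Split 'aci_name | aci_desc | dn:aci ## dn:aci' into its parts.
    Each dn:aci pair is written as <dn>:aci:<aci value>."""
    name, desc, body = (part.strip() for part in template.split("|", 2))
    pairs = []
    for chunk in body.split("##"):
        dn, sep, aci = chunk.strip().partition(":aci:")
        if not sep:
            raise ValueError("pair is not in dn:aci:value form: " + chunk[:40])
        pairs.append((dn.strip(), aci.strip()))
    return name, desc, pairs

def tag_values(role_dn: str, extra: Dict[str, str] = None) -> Dict[str, str]:
    """ROLENAME and ORGANIZATION come from the new role's DN; GROUPNAME and
    PCNAME, if a template uses them, are supplied in `extra` (assumption)."""
    rdn, _, parent = role_dn.partition(",")
    values = {"ROLENAME": rdn.split("=", 1)[1], "ORGANIZATION": parent}
    values.update(extra or {})
    return values

def resolve_tags(text: str, values: Dict[str, str]) -> str:
    """Substitute every tag with its resolved value."""
    for tag, value in values.items():
        text = text.replace(tag, value)
    return text

def to_ldif(pairs: List[Tuple[str, str]], values: Dict[str, str]) -> str:
    """Group the resolved ACIs by the DN they are set on and emit one
    ldapmodify record per DN, '-' separating successive add: aci changes."""
    by_dn: Dict[str, List[str]] = {}
    for dn, aci in pairs:
        by_dn.setdefault(resolve_tags(dn, values), []).append(resolve_tags(aci, values))
    records = []
    for dn, acis in by_dn.items():
        lines = [f"dn: {dn}", "changetype: modify"]
        for i, aci in enumerate(acis):
            if i:
                lines.append("-")
            lines += ["add: aci", f"aci: {aci}"]
        records.append("\n".join(lines))
    return "\n\n".join(records) + "\n"

# Constructed template modelled on the JDCAdmin example, written with the tags.
TEMPLATE = (
    "OrgUserReader | Read and search the users and roles of the organization | "
    'ORGANIZATION:aci:(target="ldap:///ou=people,ORGANIZATION")(targetattr="*")'
    '(version 3.0; acl "Allow ROLENAME to read and search users"; '
    'allow (read,search) roledn="ldap:///cn=ROLENAME,ORGANIZATION";) ## '
    'ORGANIZATION:aci:(target="ldap:///ORGANIZATION")'
    '(targetfilter="(objectclass=nsManagedRoleDefinition)")(targetattr="*")'
    '(version 3.0; acl "Allow ROLENAME to read and search roles"; '
    'allow (read,search) roledn="ldap:///cn=ROLENAME,ORGANIZATION";)'
)
```

Calling `to_ldif(split_template(TEMPLATE)[2], tag_values("cn=JDCAdmin,o=sesta.com,o=isp"))` yields a record for o=sesta.com,o=isp with two add: aci changes, which can be fed to ldapmodify as in the command-line procedure that follows.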


Note

In these example ACI definitions, the sesta.com organization is under the default top level organization of o=isp.



To Define an ACI Using the Command Line

  1. Create a text file containing the ACI settings for use with the ldapmodify command. For example, the following file, acis.ldif, contains an ACI definition of a role called JDCAdmin.

    dn:o=sesta.com,o=isp
    changetype:modify
    # aci for JDCAdmin role
    # This role can add/delete users from JDC role.
    add:aci
    aci: (target= "ldap:///ou=people,o=sesta.com,o=isp") (targetattr = "*")(version 3.0; acl "Allow JDCAdmin Role to read and search users"; allow (read,search) roledn = "ldap:///cn=JDCAdmin,o=sesta.com,o=isp";)
    -
    add:aci
    aci: (target="ldap:///o=sesta.com,o=isp") (targetfilter="(entrydn=cn=JDC,o=sesta.com,o=isp)")(targetattr="*")(version 3.0; acl "Allow JDCAdmin Role to read and search JDC Role";allow (read,search) roledn="ldap:///cn=JDCAdmin,o=sesta.com,o=isp";)
    -
    add:aci
    aci: (target="ldap:///ou=people,o=sesta.com,o=isp")(targetattr="nsroledn")(targetfilter="(!(|(nsroledn=cn=SuperAdminRole,o=isp)(nsroledn=cn=iPlanetAMTopLevelHelpDeskAdminRole,o=isp)(nsroledn=cn=iPlanetAMOrgAdminRole,o=sesta.com,o=isp)))")(targattrfilters="add=nsroledn:(nsroledn=cn=JDC,o=sesta.com,o=isp),del=nsroledn:(nsroledn=cn=JDC,o=sesta.com,o=isp)")(version 3.0; acl "Allow JDCAdmin Role to add/remove users to JDCRole"; allow (write)roledn="ldap:///cn=JDCAdmin,o=sesta.com,o=isp";)

  2. Change directories to the iPlanet Directory Server Access Management Edition utilities directory. For example,

    cd /BaseDir/SUNWam/bin

  3. Execute the following command.

    ./ldapmodify -D "DS_DIRMGR_DN" -w DS_DIRMGR_PASSWORD -f /tmp/acis.ldif

  4. Restart Sun ONE Portal Server:

    /etc/init.d/amserver start
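To see what the third ACI in acis.ldif actually permits, the following added example (not the directory server's own evaluator, and not code from the guide) models its target, targetfilter and targattrfilters clauses against constructed user entries. It makes the purpose of the targetfilter visible: without the clause that excludes holders of the Super Admin, Top-level Help Desk Admin and Organization Admin roles, a JDCAdmin could add those more privileged accounts to, or remove them from, the JDC role.

```python
from typing import Dict, List, Set

# Values copied from the third ACI in acis.ldif
PEOPLE_CONTAINER = "ou=people,o=sesta.com,o=isp"      # (target=...)
PROTECTED_ROLES: Set[str] = {                          # (targetfilter=(!(|...)))
    "cn=SuperAdminRole,o=isp",
    "cn=iPlanetAMTopLevelHelpDeskAdminRole,o=isp",
    "cn=iPlanetAMOrgAdminRole,o=sesta.com,o=isp",
}
ALLOWED_ROLE = "cn=JDC,o=sesta.com,o=isp"              # (targattrfilters=add=...,del=...)

def norm(dn: str) -> str:
    """Simplified DN normalisation (case and spacing) for comparisons."""
    return ",".join(p.strip() for p in dn.lower().split(","))

def target_matches(entry_dn: str) -> bool:
    """target covers the people container and every entry below it."""
    base = norm(PEOPLE_CONTAINER)
    return norm(entry_dn) == base or norm(entry_dn).endswith("," + base)

def target_filter_passes(entry: Dict[str, List[str]]) -> bool:
    """The entry must not already hold any of the protected admin roles."""
    held = {norm(v) for v in entry.get("nsroledn", [])}
    return not (held & {norm(r) for r in PROTECTED_ROLES})

def targattr_filter_passes(op: str, attr: str, value: str) -> bool:
    """Only nsroledn may be written, and add/del may only name the JDC role."""
    return (op in ("add", "del") and attr.lower() == "nsroledn"
            and norm(value) == norm(ALLOWED_ROLE))

def jdcadmin_may_write(entry_dn: str, entry: Dict[str, List[str]],
                       op: str, attr: str, value: str) -> bool:
    """True only when every clause of the ACI is satisfied for this write.
    (Models the clauses, not the server's full evaluation order.)"""
    return (target_matches(entry_dn)
            and target_filter_passes(entry)
            and targattr_filter_passes(op, attr, value))

# Constructed sample entries: a plain user and an organization administrator.
USERS: Dict[str, Dict[str, List[str]]] = {
    "uid=alice,ou=people,o=sesta.com,o=isp": {"nsroledn": []},
    "uid=bob,ou=people,o=sesta.com,o=isp":
        {"nsroledn": ["cn=iPlanetAMOrgAdminRole,o=sesta.com,o=isp"]},
}
```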

To Define an ACI Using the Admin Console

  1. Log in to the iPlanet Directory Server Access Management Edition admin console as Super Admin.
  2. Navigate to Service Management by choosing Service Management from the View menu.
  3. Click the properties arrow next to the Administration service.

    The administration attributes appear in the data pane.

  4. In the Default Role Permissions (ACIs) entry field, type in the ACI definition and click Add. For example, for the JDCAdmin role defined previously, you would enter the following:

    o=sesta.com,o=isp:aci:(target= "ldap:///ou=people,o=sesta.com,o=isp") (targetattr = "*")(version 3.0; acl "Allow JDCAdmin Role to read and search users"; allow (read,search) roledn = "ldap:///cn=JDCAdmin,o=sesta.com,o=isp";)##o=sesta.com,o=isp:aci: (target="ldap:///o=sesta.com,o=isp") (targetfilter="(entrydn=cn=JDC,o=sesta.com,o=isp)")(targetattr="*")(version 3.0; acl "Allow JDCAdmin Role to read and search JDC Role";allow (read,search) roledn="ldap:///cn=JDCAdmin,o=sesta.com,o=isp";)##o=sesta.com,o=isp:aci:(target="ldap:///ou=people,o=sesta.com,o=isp")(targetattr="nsroledn")(targetfilter="(!(|(nsroledn=cn=SuperAdminRole,o=isp)(nsroledn=cn=iPlanetAMTopLevelHelpDeskAdminRole,o=isp)(nsroledn=cn=iPlanetAMOrgAdminRole,o=sesta.com,o=isp)))")(targattrfilters="add=nsroledn:(nsroledn=cn=JDC,o=sesta.com,o=isp),del=nsroledn:(nsroledn=cn=JDC,o=sesta.com,o=isp)")(version 3.0; acl "Allow JDCAdmin Role to add/remove users to JDCRole"; allow (write)roledn="ldap:///cn=JDCAdmin,o=sesta.com,o=isp";)

    The new ACI appears in the Default Role Permissions (ACIs) list.

  5. Click Save.

To Create a New Admin Role for the Delegation Model

Once you have created an ACI defining the permissions for a delegated administration role, you must create a role for using that ACI definition.

  1. Log in to the iPlanet Directory Server Access Management Edition admin console as Super Admin or Organization Admin.

    By default, when you log in, User Management is selected in the View menu, and Organizations is selected in the Show menu.

  2. Navigate to the organization or suborganization where the role will be created.

    Note

    If this is a new organization, you must register all the services and create the appropriate templates. See "Creating New Organizations and Suborganizations".

  3. Choose Roles from the Show menu and click New.

    The Create Role page appears in the data pane.

  4. Type in a name and description for the role.
  5. Choose Administrative as the Type.
  6. Select the Access Permissions:
    1. If you created the ACI definition for the role using the admin console, select the ACI you created from the Access Permissions list.
    2. If you created the ACI definition for the role using the command line, select No Permissions, because the role name will not be listed in the Access Permissions list.

  7. Click Create.

    The new role appears in the navigation pane.

To Assign a Role Administrator Role

  1. Log in to the iPlanet Directory Server Access Management Edition admin console as administrator.
  2. Choose Organizations from the Show menu in User Management.
  3. Navigate to the organization or suborganization where the role was created.
  4. Choose Roles from the Show menu.
  5. Select the role to assign.
  6. Click Add.

    The Search page appears in the data pane.

  7. Specify the values for the Search fields to find the user to assign and click Search.

    A list of users displays.

  8. Check the box next to the users to which to assign the role, or click Select All to choose all the users.
  9. Click Submit.

    The list of users for this role is updated with the assigned users.

To Configure Additional Restrictions on a Role Administrator Role

You can configure a role with a restricted set of capabilities. One common restriction you might want is a role with permissions to modify the display profile and perform content management functions, but that is restricted from viewing the rest of the Desktop attributes.

You can also set up delegated administrators with a start DN view. The start DN view is the directory location below which the delegated administrator can see and modify entities.

To configure additional restrictions on a role:

  1. Log in to the iPlanet Directory Server Access Management Edition admin console as administrator.

    By default, when you log in, User Management is selected in the View menu, and Organizations is selected in the Show menu.

  2. Navigate to the organization or suborganization containing the role to configure.
  3. Choose Roles from the Show menu.
  4. Select the role to configure.
  5. Select Services from the Show menu.
  6. To restrict the role to only display profile or channel management capabilities, do the following:
    1. Click the Desktop properties arrow in the navigation pane.
    2. Create a template for the service at this role.

      The Desktop page appears in the data pane.

    3. Unselect the Show Desktop Attributes checkbox.
    4. Click Save.

      Note

      If the Show Desktop Attributes checkbox is unselected, when users with this role access the Desktop service, they will not be able to see the Desktop attributes; they will only see the Channel and Container Management link. In addition, they will only be able to see the channels and containers defined at the role level.

  7. To restrict the role to a particular start DN, do the following:
    1. Click the User properties arrow in the navigation pane.
    2. Create a template for the role.

      The User page appears in the data pane.

    3. Specify a DN in Admin DN Starting View. For example, cn=JDC,o=sesta.com,o=isp.
    4. Click Save.

Copyright 2002-2003 Sun Microsystems, Inc. All rights reserved.