Sun Java System Instant Messaging 7.2 Administration Guide

Methods for Controlling End User and Administrator Privileges

Different sites using Instant Messaging server have different needs in terms of enabling and restricting the type of access end users have to the Instant Messaging service. The process of controlling end user and administrator Instant Messaging server features and privileges is referred to as policy management. There are two methods of policy management available: through access control files or through Sun Java™ System Access Manager.

If your deployment does not include Sun Java System Access Manager, you must use the access control file method to manage policies. If you are using Sun Java System Access Manager with the Instant Messaging server, and you have installed the Instant Messaging and Presence services components, you can use either policy management method. Managing policies using Sun Java System Access Manager is a more comprehensive method. One advantage of this method is that it allows you to store all end-user information in the directory.

Setting the Policy Management Method

When you choose which method to use to manage policies, you must also choose where they will be stored. Select the method for managing policies by editing the iim.conf file and setting the iim.policy.modules parameter to either identity for the Access Manager method or iim_ldap for the access control file method, which is also the default method.

Follow these steps to set which method you want to use to manage policies.

To Set the Policy Management Method

  1. Open iim.conf.

    See iim.conf File Syntax for instructions on locating and modifying iim.conf.

  2. Edit the iim.policy.modules parameter by setting it to one of the following:

    • iim_ldap (default, the access control file method)

    • identity (the Access Manager method)

    If you choose identity, you can run imadmin assign_services to assign Instant Messaging and presence services to existing users.

  3. Edit the iim.userprops.store parameter and set it to either:

    • ldap (To store user properties in LDAP.)

      If you choose ldap, you can run imadmin assign_services to add the required objectclasses that store user properties to user entries in the directory.

    • file (Default, to store user properties in files.)

  4. Save and close iim.conf.

  5. Refresh the configuration.
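
After editing, the two settings can be checked before the configuration is refreshed. The following is an added example, not part of the original guide or the product: it audits iim.policy.modules and iim.userprops.store against the values listed in the steps above. The name = value syntax with optional double quotes and "!" comment lines is an assumption, and audit_policy_settings and SAMPLE_CONF are hypothetical names.

```python
# Added example. Assumed iim.conf syntax (not stated on this page):
# "name = value", optional double quotes, comment lines start with "!".
ALLOWED = {
    "iim.policy.modules": {"iim_ldap", "identity"},
    "iim.userprops.store": {"file", "ldap"},
}
# Defaults as given in the procedure's steps 2 and 3.
DEFAULTS = {"iim.policy.modules": "iim_ldap", "iim.userprops.store": "file"}

# Constructed sample input, not taken from a real deployment.
SAMPLE_CONF = """\
! policy settings
iim.policy.modules = "identity"
iim.userprops.store = "directory"
iim.policy.modules = iim_ldap
"""


def audit_policy_settings(conf_text):
    """Return (effective, findings) for the two policy parameters."""
    seen = {name: [] for name in ALLOWED}
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("!") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        if name.strip() in seen:
            seen[name.strip()].append((lineno, value.strip().strip('"')))

    effective, findings = {}, []
    for name, hits in seen.items():
        values = {v for _, v in hits}
        if not hits:
            effective[name] = DEFAULTS[name]
            findings.append(f"{name}: not set, default {DEFAULTS[name]!r} applies")
        elif len(values) > 1:
            # Which line the server honours is not documented here: report it.
            effective[name] = None
            where = ", ".join(str(n) for n, _ in hits)
            findings.append(f"{name}: conflicting values on lines {where}")
        else:
            effective[name] = hits[0][1]
        for lineno, value in hits:
            if value not in ALLOWED[name]:
                findings.append(f"{name}: invalid value {value!r} on line {lineno}")
    return effective, findings


if __name__ == "__main__":
    settings, problems = audit_policy_settings(SAMPLE_CONF)
    print(settings)
    print("\n".join(problems))
```

A parameter defined more than once with different values is reported as conflicting and its effective value left undetermined, so the access control method in force is never guessed.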

Policy Configuration Parameters

Table 17–1 lists and describes the parameters available in iim.conf that relate to the increased role that Sun Java System Access Manager can play in Instant Messaging deployments.

Table 17–1 Parameters Related to Access Manager in iim.conf

| Parameter Name | Use | Values |
|---|---|---|
| iim.policy.modules | Indicates if Sun Java System Access Manager or the directory is used for policy storage. | iim_ldap (default); identity |
| iim.userprops.store | Indicates if the user properties are in a user properties file or stored in LDAP. Only significant when the service definitions for the Presence and Instant Messaging services have been installed. | file (Default if you chose not to use Access Manager for policy when you ran the configure utility.); ldap (Default if you chose to use Access Manager for policy when you ran the configure utility.) |