Sun Java System Instant Messaging 7.2 Administration Guide

Managing Policies using Sun Java System Access Manager

The Instant Messaging and Presence services in Sun Java System Access Manager provide another way to control end user and administrator privileges. Each service has three types of attributes: dynamic, user, and policy. A policy attribute is the type of attribute used to set privileges.

Policy attributes become a part of the rules when rules are added to a policy created in Access Manager to allow or deny administrator and end-user involvement in various Instant Messaging features, such as receiving poll messages from others.

When Instant Messaging server is installed with Sun Java System Access Manager, several example policies and roles are created. See the Sun Java System Access Manager Getting Started Guide and the Sun Java System Access Manager Administration Guide for more information about policies and roles.

You can create new policies and assign those policies to a role, group, organization, or end user as needed to match your site’s needs.

When the Instant Messaging service or the Presence service is assigned to end users, they receive the dynamic and user attributes applied to them. The dynamic attributes can be assigned to an Access Manager configured role or organization.

When a role is assigned to an end user or an end user is created in an organization, the dynamic attributes become a characteristic of the end user. The user attributes are assigned directly to each end user; they are not inherited from a role or an organization and, typically, are different for each end user. When an end user logs on, they get all the attributes that are applicable to them, depending upon which roles are assigned to them and how the policies are applied.

Dynamic, user or policy attributes are associated with end users after assigning the Presence and Instant Messaging Services to these end users.

Instant Messaging Service Attributes

Table 17–3 lists the policy, dynamic, and user attributes for each service.

Table 17–3 Access Manager Attributes for Instant Messaging

Service       Policy Attributes              Dynamic Attributes       User Attributes
sunIM         sunIMAllowChat                 sunIMProperties          sunIMUserProperties
              sunIMAllowChatInvite           sunIMRoster              sunIMUserRoster
              sunIMAllowForumAccess          sunIMConferenceRoster    sunIMUserConferenceRoster
              sunIMAllowForumManage          sunIMNewsRoster          sunIMUserNewsRoster
              sunIMAllowForumModerate        sunIMPrivateSettings     sunIMUserPrivateSettings
              sunIMAllowAlertsAccess
              sunIMAllowAlertsSend
              sunIMAllowNewsAccess
              sunIMAllowNewsManage
              sunIMAllowFileTransfer
              sunIMAllowContactListManage
              sunIMAllowUserSettings
              sunIMAllowPollingAccess
              sunIMAllowPollingSend
sunPresence   sunPresenceAllowAccess         sunPresenceDevices       sunPresenceEntityDevices
              sunPresenceAllowPublish        sunPresencePrivacy       sunPresenceUserPrivacy
              sunPresenceAllowManage

For each attribute in the preceding table, a corresponding label appears in the Access Manager admin console. Table 17–4 lists and describes the policy attributes and Table 17–5 lists and describes the dynamic and user attributes.

Table 17–4 Access Manager Policy Attributes for Instant Messaging

(Each entry lists the policy attribute, its Admin Console Label, and the attribute description.)

sunIMAllowChat
    Label:       Ability to Chat
    Description: End users can be invited to join a chat room and access normal chat functionality

sunIMAllowChatInvite
    Label:       Ability to Invite others to Chat
    Description: End users can invite others to chat

sunIMAllowForumAccess
    Label:       Ability to Join Conference Rooms
    Description: A conference tab shows up in Instant Messenger, allowing end users to join conference rooms

sunIMAllowForumManage
    Label:       Ability to Manage Conference Rooms
    Description: End users are able to create, delete, and manage conference rooms

sunIMAllowForumModerate
    Label:       Ability to Moderate Conference Rooms
    Description: End users can be conference moderators

sunIMAllowAlertsAccess
    Label:       Ability to Receive Alerts
    Description: End users can receive alerts from others

sunIMAllowAlertsSend
    Label:       Ability to Send Alerts
    Description: End users can send alerts to others

sunIMAllowNewsAccess
    Label:       Ability to Read News
    Description: A News button is displayed in Instant Messenger that enables end users to list news channels in order to receive and send news messages

sunIMAllowNewsManage
    Label:       Ability to Manage News Channels
    Description: End users can manage news channels and create, delete, and assign privileges to news channels

sunIMAllowFileTransfer
    Label:       Ability to Exchange Files
    Description: End users can add attachments to alert, chat, and news messages

sunIMAllowContactListManage
    Label:       Ability to Manage one’s Contact List
    Description: End users can manage their own contact lists; they can add and delete users or groups to and from the list; they can rename the folders in their contact list

sunIMAllowUserSettings
    Label:       Ability to Manage Messenger
    Description: A Settings button is displayed in Instant Messenger that enables end users to change their own Instant Messenger settings

sunIMAllowPollingAccess
    Label:       Ability to Receive Polls
    Description: End users can receive poll messages from others, and they can respond to polls

sunIMAllowPollingSend
    Label:       Ability to Send Polls
    Description: A Poll button is displayed in Instant Messenger that enables end users to send poll messages to others and to receive the responses

sunPresenceAllowAccess
    Label:       Ability to Access other’s Presence
    Description: End users can watch the presence status of others. The contact list, in addition to showing the contact, reflects contacts’ presence status changes by changing the status icon

sunPresenceAllowPublish
    Label:       Ability to Publish Presence
    Description: End users can click to select their status (online, offline, busy, etc.) for others to watch

sunPresenceAllowManage
    Label:       Ability to Manage Presence Access
    Description: An Access tab is displayed in Instant Messenger settings that allows end users to set up their own default presence access, presence permitted, or presence denied list

Modifying Attributes Directly

An end user can log into the Access Manager admin console and view the values of the attributes in the Instant Messaging and Presence services. If the attributes have been defined as modifiable, end users can alter them. By default, no attributes in the Instant Messaging service are modifiable, nor is it recommended that end users be allowed to modify them. However, from the standpoint of system administration, manipulating attributes directly can be useful.

For example, since roles do not affect some system attributes, such as setting conference subscriptions, system administrators might want to modify the values of these attributes by copying them from another end user (such as from a conference roster) or modifying them directly. These attributes are listed in Table 17–5.

User attributes can be set by end users through the Sun Java System Access Manager admin console. Dynamic attributes are set by the administrator. A value set for a dynamic attribute overrides or is combined with the corresponding user attribute value.

The nature of corresponding dynamic and user attributes influences how conflicting and complementing information is resolved. For example, Conference Subscriptions from two sources (dynamic and user) complement each other, so the subscriptions are merged. Neither attribute overrides the other.

Table 17–5 Access Manager User and Dynamic Attributes for Instant Messaging

(Each entry lists the Admin Console Label, the user attribute, the corresponding dynamic attribute, the attribute description, and how a conflict between the two is resolved.)

Messenger Settings
    User attribute:      sunIMUserProperties
    Dynamic attribute:   sunIMProperties
    Description:         Contains all the properties for Instant Messenger and corresponds to the user.properties file in the file-based user properties storage
    Conflict resolution: Merge. If a particular property has a value in both the user and the dynamic attribute, the dynamic attribute overrides.

Subscriptions
    User attribute:      sunIMUserRoster
    Dynamic attribute:   sunIMRoster
    Description:         Contains subscription information (user contact list roster)
    Conflict resolution: Merge. If a Jabber identifier is present in both the user and the dynamic attribute, the nickname is taken from the user attribute, the group is the union of all groups from both the user and dynamic attributes, and the subscription value is the highest value from the user and dynamic values.

Conference Subscriptions
    User attribute:      sunIMUserConferenceRoster
    Dynamic attribute:   sunIMConferenceRoster
    Description:         Contains conference room subscription information
    Conflict resolution: Merge. Dynamic and user subscriptions are merged, and duplicates are removed.

News Channel Subscriptions
    User attribute:      sunIMUserNewsRoster
    Dynamic attribute:   sunIMNewsRoster
    Description:         Contains news channel subscription information
    Conflict resolution: Merge. Dynamic and user subscriptions are merged, and duplicates are removed.

Presence Agents
    User attribute:      sunPresenceEntityDevices
    Dynamic attribute:   sunPresenceDevices
    Description:         Not used in this release (for future use)
    Conflict resolution: The dynamic information is used.

Privacy
    User attribute:      sunPresenceUserPrivacy
    Dynamic attribute:   sunPresencePrivacy
    Description:         Corresponds to the privacy setting in Instant Messenger
    Conflict resolution: Merge. The dynamic value is used if there is a conflict.

Instant Messenger Preferences
    User attribute:      sunIMUserPrivateSettings
    Dynamic attribute:   sunIMPrivateSettings
    Description:         Stores private preferences that are not stored in Messenger Settings
    Conflict resolution: Merge.
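The merge rules in Table 17–5 can be modelled as a small resolver, which makes the behaviour of "dynamic overrides", "union of groups", and "highest subscription" concrete. The following is an added example, not code from the Instant Messaging product or from Access Manager: the data shapes (dictionaries keyed by property name or Jabber identifier, lists of room and channel names), the sample values, and the ranking of subscription values are assumptions made for illustration.

```python
# Added example (not code from the Instant Messaging product): a model of
# the conflict-resolution rules in Table 17-5 for combining a dynamic
# attribute with its corresponding user attribute.  Data shapes (dicts keyed
# by property name or Jabber ID, lists of room/channel names) and the
# ranking of subscription values are assumptions for illustration.
from typing import Dict, List

# Assumed ranking of roster subscription values, lowest to highest, so that
# "the highest value" from Table 17-5 can be chosen.
SUBSCRIPTION_RANK = {"none": 0, "from": 1, "to": 2, "both": 3}


def merge_dynamic_wins(user: Dict[str, str], dynamic: Dict[str, str]) -> Dict[str, str]:
    """Messenger Settings and Privacy: merge both sets of values; where the
    same key is set on both sides, the dynamic (administrator) value wins."""
    merged = dict(user)
    merged.update(dynamic)
    return merged


def merge_roster(user: Dict[str, dict], dynamic: Dict[str, dict]) -> Dict[str, dict]:
    """Subscriptions (contact list roster), keyed by Jabber identifier.
    For a JID present on both sides: nickname from the user attribute,
    groups are the union, subscription is the highest value."""
    merged: Dict[str, dict] = {}
    for jid in sorted(set(user) | set(dynamic)):
        u, d = user.get(jid), dynamic.get(jid)
        if u is not None and d is not None:
            merged[jid] = {
                "nickname": u["nickname"],
                "groups": sorted(set(u["groups"]) | set(d["groups"])),
                "subscription": max(u["subscription"], d["subscription"],
                                    key=lambda s: SUBSCRIPTION_RANK[s]),
            }
        else:
            src = u if u is not None else d
            merged[jid] = {
                "nickname": src["nickname"],
                "groups": sorted(set(src["groups"])),
                "subscription": src["subscription"],
            }
    return merged


def merge_union(user: List[str], dynamic: List[str]) -> List[str]:
    """Conference and news channel subscriptions: merge and drop duplicates,
    keeping first-seen order (user entries first)."""
    seen, out = set(), []
    for item in list(user) + list(dynamic):
        if item not in seen:
            seen.add(item)
            out.append(item)
    return out


# Which merge rule applies to each (user attribute, dynamic attribute) pair.
MERGE_RULES = {
    ("sunIMUserProperties", "sunIMProperties"): merge_dynamic_wins,
    ("sunIMUserRoster", "sunIMRoster"): merge_roster,
    ("sunIMUserConferenceRoster", "sunIMConferenceRoster"): merge_union,
    ("sunIMUserNewsRoster", "sunIMNewsRoster"): merge_union,
    ("sunPresenceUserPrivacy", "sunPresencePrivacy"): merge_dynamic_wins,
}


def resolve_attributes(user_attrs: dict, dynamic_attrs: dict) -> dict:
    """Apply the rule for every pair that has a value on at least one side;
    the result is keyed by the dynamic attribute name."""
    resolved = {}
    for (user_name, dyn_name), rule in MERGE_RULES.items():
        if user_name in user_attrs or dyn_name in dynamic_attrs:
            empty = [] if rule is merge_union else {}
            resolved[dyn_name] = rule(user_attrs.get(user_name, empty),
                                      dynamic_attrs.get(dyn_name, empty))
    return resolved


# Constructed sample values for one end user (not real data).
SAMPLE_USER = {
    "sunIMUserProperties": {"sound": "on", "theme": "blue"},
    "sunIMUserRoster": {
        "alice@example.com": {"nickname": "Alice", "groups": ["Friends"], "subscription": "to"},
    },
    "sunIMUserConferenceRoster": ["room1", "room2"],
}
SAMPLE_DYNAMIC = {
    "sunIMProperties": {"theme": "corporate", "autologin": "false"},
    "sunIMRoster": {
        "alice@example.com": {"nickname": "A. Smith", "groups": ["Staff"], "subscription": "both"},
        "bob@example.com": {"nickname": "Bob", "groups": ["Staff"], "subscription": "from"},
    },
    "sunIMConferenceRoster": ["room2", "room3"],
}

if __name__ == "__main__":
    for name, value in resolve_attributes(SAMPLE_USER, SAMPLE_DYNAMIC).items():
        print(name, "->", value)
```

Running the block shows the administrator's theme overriding the end user's, Alice keeping her user-chosen nickname while gaining the Staff group and the higher "both" subscription, and the conference list containing room2 only once.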

Predefined Instant Messaging and Presence Policies

Table 17–6 lists and describes the seven example policies and roles that are created in Sun Java System Access Manager when the Instant Messaging service component is installed. You can add end users to different roles according to the access control you want to give them.

A typical site might want to assign the role IM Regular User (a role that receives the default Instant Messaging and Presence access) to end users who simply use Instant Messenger, but have no responsibilities in administering Instant Messaging policies. The same site might assign the role of IM Administrator (a role associated with the ability to administer Instant Messaging and Presence services) to particular end users with full responsibilities in administering Instant Messaging policies. Table 17–7 lists the default assignment of privileges amongst the policy attributes. If an action is not selected in a rule, the values allow and deny are not relevant as the policy then does not affect that attribute.

Table 17–6 Default Policies and Roles for Sun Java System Access Manager

(Each entry lists the policy, the role to which it applies, the service to which it applies, and the policy description.)

Default Instant Messaging and presence access
    Role:        IM Regular User
    Service:     sunIM, sunPresence
    Description: The default access that a regular Instant Messaging end user should have.

Ability to administer Instant Messaging and Presence Service
    Role:        IM Administrator
    Service:     sunIM, sunPresence
    Description: The access that an Instant Messaging Administrator has, which is access to all Instant Messaging features.

Ability to manage Instant Messaging news channels
    Role:        IM News Administrator
    Service:     sunIM
    Description: End users can manage news channels by creating, deleting, etc.

Ability to manage Instant Messaging conference rooms
    Role:        IM Conference Rooms Administrator
    Service:     sunIM
    Description: End users can manage conference rooms by creating, deleting, etc.

Ability to change own Instant Messaging user settings
    Role:        IM Allow User Settings Role
    Service:     sunIM
    Description: End users can edit settings by modifying values in the Settings dialog box in Instant Messenger.

Ability to send Instant Messaging alerts
    Role:        IM Allow Send Alerts Role
    Service:     sunIM
    Description: End users can send alerts in Instant Messenger.

Ability to watch changes on other Instant Messaging end users
    Role:        IM Allow Watch Changes Role
    Service:     sunIM
    Description: End users can access the presence status of other Instant Messaging end users.

Table 17–7 Default Policy Assignments

Policy columns:
  1  Default access
  2  Can administer Instant Messaging and Presence Service
  3  Can manage news channels
  4  Can manage conference rooms
  5  Can change own end-user settings
  6  Can send alerts
  7  Can watch changes to other users

A dash means the action is not selected in that policy's rule, so the policy does not affect that attribute.

Attribute                      1      2      3      4      5      6      7
sunIMAllowChat                 allow  allow  -      -      -      -      -
sunIMAllowChatInvite           allow  allow  -      -      -      -      -
sunIMAllowForumAccess          allow  allow  -      allow  -      -      -
sunIMAllowForumManage          deny   allow  -      allow  -      -      -
sunIMAllowForumModerate        deny   allow  -      allow  -      -      -
sunIMAllowAlertsAccess         allow  allow  -      -      -      allow  -
sunIMAllowAlertsSend           allow  allow  -      -      -      allow  -
sunIMAllowNewsAccess           allow  allow  allow  -      -      -      -
sunIMAllowNewsManage           deny   allow  allow  -      -      -      -
sunIMAllowFileTransfer         allow  allow  -      -      -      -      -
sunIMAllowContactListManage    allow  allow  -      -      -      -      -
sunIMAllowUserSettings         allow  allow  -      -      allow  -      -
sunIMAllowPollingAccess        allow  allow  -      -      -      -      -
sunIMAllowPollingSend          allow  allow  -      -      -      -      -
sunPresenceAllowManage         allow  allow  -      -      -      -      -
sunPresenceAllowAccess         allow  allow  -      -      -      -      allow
sunPresenceAllowPublish        allow  allow  -      -      -      -      -
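Because an end user can hold several roles, it is worth being able to see, for a given set of roles, which attributes their policies select and where two policies disagree (for example, the default policy denies sunIMAllowForumManage while the conference rooms policy allows it). The following is an added example, not code from Access Manager or the Instant Messaging product: it encodes Table 17–7 as data, using the policy column names of that table and the role names of Table 17–6. How Access Manager itself resolves an allow/deny disagreement between two policies is not stated on this page, so the audit only reports such cases rather than deciding them.

```python
# Added example (not code from the Instant Messaging product): the default
# policy assignments of Table 17-7 as data, plus an audit that reports which
# attributes a set of roles touches and where two policies disagree.  Policy
# names are the column headers of Table 17-7, role names those of Table 17-6.
# How Access Manager resolves an allow/deny disagreement between policies is
# not stated on the page, so this code only reports it.
from typing import Dict, Iterable, List, Set

ALL_ATTRIBUTES = [
    "sunIMAllowChat", "sunIMAllowChatInvite", "sunIMAllowForumAccess",
    "sunIMAllowForumManage", "sunIMAllowForumModerate", "sunIMAllowAlertsAccess",
    "sunIMAllowAlertsSend", "sunIMAllowNewsAccess", "sunIMAllowNewsManage",
    "sunIMAllowFileTransfer", "sunIMAllowContactListManage", "sunIMAllowUserSettings",
    "sunIMAllowPollingAccess", "sunIMAllowPollingSend", "sunPresenceAllowManage",
    "sunPresenceAllowAccess", "sunPresenceAllowPublish",
]

# Attribute -> value for each policy.  An attribute missing from a policy's
# dict is an action not selected in its rule, so the policy does not affect it.
DEFAULT_POLICIES: Dict[str, Dict[str, str]] = {
    "Default access": {
        a: ("deny" if a in ("sunIMAllowForumManage", "sunIMAllowForumModerate",
                            "sunIMAllowNewsManage") else "allow")
        for a in ALL_ATTRIBUTES
    },
    "Can administer Instant Messaging and Presence Service": {a: "allow" for a in ALL_ATTRIBUTES},
    "Can manage news channels": {"sunIMAllowNewsAccess": "allow",
                                 "sunIMAllowNewsManage": "allow"},
    "Can manage conference rooms": {"sunIMAllowForumAccess": "allow",
                                    "sunIMAllowForumManage": "allow",
                                    "sunIMAllowForumModerate": "allow"},
    "Can change own end-user settings": {"sunIMAllowUserSettings": "allow"},
    "Can send alerts": {"sunIMAllowAlertsAccess": "allow", "sunIMAllowAlertsSend": "allow"},
    "Can watch changes to other users": {"sunPresenceAllowAccess": "allow"},
}

# Role -> policy, from Table 17-6.
ROLE_POLICY = {
    "IM Regular User": "Default access",
    "IM Administrator": "Can administer Instant Messaging and Presence Service",
    "IM News Administrator": "Can manage news channels",
    "IM Conference Rooms Administrator": "Can manage conference rooms",
    "IM Allow User Settings Role": "Can change own end-user settings",
    "IM Allow Send Alerts Role": "Can send alerts",
    "IM Allow Watch Changes Role": "Can watch changes to other users",
}


def values_for_roles(roles: Iterable[str]) -> Dict[str, Set[str]]:
    """Every allow/deny value each attribute receives from the policies of the given roles."""
    result: Dict[str, Set[str]] = {}
    for role in roles:
        for attr, value in DEFAULT_POLICIES[ROLE_POLICY[role]].items():
            result.setdefault(attr, set()).add(value)
    return result


def conflicting_attributes(roles: Iterable[str]) -> List[str]:
    """Attributes that receive both allow and deny from the roles' policies."""
    return sorted(a for a, v in values_for_roles(roles).items() if v == {"allow", "deny"})


def unaffected_attributes(policy: str) -> List[str]:
    """Attributes a policy does not select and therefore does not affect."""
    return [a for a in ALL_ATTRIBUTES if a not in DEFAULT_POLICIES[policy]]


if __name__ == "__main__":
    roles = ["IM Regular User", "IM Conference Rooms Administrator"]
    print("conflicts for", roles, "->", conflicting_attributes(roles))
    print("attributes not affected by 'Can send alerts':", unaffected_attributes("Can send alerts"))
```

The audit is most useful before assigning a site-specific policy: run `conflicting_attributes` on the set of roles an end user will hold, and treat any reported attribute as something to verify in the console rather than assume.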

Creating New Instant Messaging Policies

You can create new policies to fit the specific needs of your site.

Procedure: To Create a New Policy

  1. Log in to the Access Manager admin console at http://hostname:port/amconsole.

    For example:

    http://imserver.company22.example.com:80/amconsole

  2. Select the Identity Management tab.

  3. Select Policies in the View drop down list in the navigation pane (the lower-left frame).

  4. Click New.

    The New Policy page appears in the data pane (the lower-right frame).

  5. Select Normal for the Type of Policy.

  6. Enter a policy description in the Name field.

    For example:

    Ability to Perform IM Task.
  7. Click Create.

    Access Manager admin console displays the name of the new policy in the policy list in the navigation pane and brings up the Edit page for your new policy.

  8. On the Edit page, select Rules in the View drop down list.

    The Rule Name Service Resource panel appears inside the Edit page.

  9. Click Add.

    The Add Rule page appears.

  10. Select the Service that applies.

    You can select either Instant Messaging Service or Presence Service.

    Each service enables you to allow or deny end users the ability to perform specific actions. For example, Ability to Chat is an action specific to the Instant Messaging service while Ability to Access other’s Presence is an action specific to the Presence service.

  11. Enter a description for a rule in the Rule Name field.

    For example:

    Rule 1
  12. Enter the appropriate Resource Name.

    Enter either:

    IMResource for Instant Messaging Service

    or

    PresenceResource for Presence Service

  13. Select the Actions that you want to apply.

  14. Select the Value for each action.

    You can select either Allow or Deny.

  15. Click Create.

    The proposed rule is displayed in the list of saved rules for that policy.

  16. Click Save.

    The proposed rule becomes a saved rule.

  17. Repeat steps 9-16 for any additional rules that you want to apply to that policy.

Assigning Policies to a Role, Group, Organization, or User

You can assign policies to a role, group, organization, or user. This includes the default policies or policies that were created after Instant Messaging was installed.

Procedure: To Assign a Policy

  1. Log in to the Access Manager admin console at http://hostname:port/amconsole.

    For example:

    http://imserver.company22.example.com:80/amconsole

  2. Select the Identity Management tab.

  3. Select Policies in the View drop down list in the navigation pane (the lower-left frame).

  4. Click the arrow next to the name of the policy you want to assign.

    The Edit page for that policy appears in the data pane (the lower-right frame).

  5. On the Edit page, select Subjects in the View drop down list.

  6. Click Add.

    The Add Subject page appears, which lists the possible subject types:

    • Access Manager Roles

    • LDAP Groups

    • LDAP Roles

    • LDAP Users

    • Organization

  7. Select the subject type that matches the policy.

    For example, Organization.

  8. Click Next.

  9. In the Name field, enter a description of the subject.

  10. (Optional) Select the Exclusive check box.

    The Exclusive check box is not selected as the default setting, which means that the policy applies to all members of the subject.

    Selecting the Exclusive check box applies the policy to everyone who is not a member of the subject.

  11. In the Available field, search for entries that you want to add to your subject.

    a. Type a search for the entries you want to search for.

      The default search is *, which displays all the subjects for that subject type.

    b. Click Search.

    c. Highlight entries in the Available text box that you want to add to the Selected text box.

    d. Click Add or Add All, whichever applies.

    e. Repeat steps a-d until you have added all the names you want to the Selected text box.

  12. Click Create.

    The proposed subject appears in the list of proposed subjects for that policy.

  13. Click Save.

    The proposed subject becomes a saved subject.

  14. Repeat steps 6-13 for any additional subjects that you want to add to the policy.

Creating New Suborganizations Using Access Manager

The ability to create suborganizations using Sun Java System Access Manager enables organizationally separate populations to be created within the Instant Messaging server. Each suborganization can be mapped to a different DNS domain. End users in one suborganization are completely isolated from those in another. The following procedure describes minimal steps to create a new suborganization for Instant Messaging.

Procedure: To Create a New Suborganization

  1. Log in to the Access Manager admin console at http://hostname:port/amconsole.

    For example:

    http://imserver.company22.example.com:80/amconsole

  2. Select the Identity Management tab.

  3. Create a new organization:

    a. Select Organizations in the View drop down list in the navigation pane (the lower-left frame).

    b. Click New.

      The New Organization page appears in the data pane (the lower-right frame).

    c. Enter a suborganization name.

      For example:

      sub1

    d. Enter a domain name.

      For example:

      sub1.company22.example.com

    e. Click Create.

  4. Register services for the newly created suborganization:

    a. Click the name for the new suborganization in the navigation pane.

      For example, click sub1. Ensure that you click the name, not the property arrow at the right.

    b. Select Services from the View drop down list in the navigation pane.

    c. Click Register.

      The Register Services page appears in the data pane.

    d. Select the following services under the Authentication heading:

      • Core

      • LDAP

    e. Select the following services under the Instant Messaging Configuration heading:

      • Instant Messaging Service

      • Presence Service

    f. Click Register.

      The newly selected services for this suborganization appear in the navigation pane.

  5. Create service templates for the newly selected services:

    a. In the navigation pane, click the property arrow for a service, starting with the Core service.

      The Create Service Template page appears in the data pane.

    b. In the data pane, click Create.

      A page displaying a list of template options for the service you have selected appears.

      You should click Create for each service even when you do not want to modify the template options.

    c. Modify the options for the service template of each service as follows:

      • Core: Generally, no options need to be modified.

      • LDAP: Add the prefix of the new suborganization to the DN to Start User Search field.

        After adding the prefix, the final DN should be in this format:

        o=sub1,dc=company22,dc=example,dc=com

        Enter the LDAP password in the Password for Root User Bind and Password for Root User Bind (confirm) fields.

      • Instant Messaging Service: Generally, no options need to be modified.

    d. Click Save.

    e. Repeat steps a-d until you have created service templates for each service.

Assigning Roles to End Users in New Suborganizations

After new end users have been created in a suborganization they need to be assigned roles. Roles can be inherited from the parent organization.

Procedure: To Assign Roles to End Users in a New Suborganization

  1. Log in to the Access Manager admin console at http://hostname:port/amconsole.

    For example:

    http://imserver.company22.example.com:80/amconsole

  2. Select the Identity Management tab.

  3. Select Roles in the View drop down list in the navigation pane (the lower-left frame).

  4. Click on the property arrow to the right of the role you wish to assign.

    A page for that role appears in the data pane (the lower-right frame).

  5. Select Users from the View drop down list in the data pane.

  6. Click Add.

    The Add Users page appears.

  7. Enter a matching pattern to identify users.

    For example, in the UserId field an asterisk, *, lists all users.

  8. Click Filter.

    The Select User page appears.

  9. On the Select User page, check the Show Parentage Path check box and click Refresh.

    The parentage path is displayed.

  10. Select the users to be assigned to this role.

  11. Click Submit.