Chapter 3 Managing Organizations, Roles, and Users

Portal Server administrators can provide and limit access to content on a portal through the definitions of the identities of specific end users. You can set up portal pages, attributes and access policies so that portal content is available to specific entities. These entities include the following:

• A specific organization

• A specific suborganization

• A role

• An individual end-user

To manage organizations, roles, and end-users, Portal Server administrators must use both the Portal Server management console and the Sun Java^TM System Access Manager console. This chapter explains how Portal Server administrators can do this using the Access Manager. This chapter provides the following topics:

• Understanding How to Use Access Manager With Portal Server

• Creating New Organizations for Portal Server

• Adding Portal Services to Organizations

• Navigating to Specific Nodes

This chapter explains how to use Access Manager that is installed and configured to support Legacy Mode. For information about Legacy Mode and Realm Mode, see the Sun Java System Access Manager Administration Guide

Understanding How to Use Access Manager With Portal Server

Portal Server uses Sun Java System Access Manager services to manage attributes that are specific to Portal Server end users and applications. You must use the Access Manager console to manage tasks related to identity.

To control who has access to a portal site, Portal Server administrators must use the following tools:

• The Portal Server management console is a browser interface that allows administrators to manage the following:

  • Portals and portal instances

  • Search

  • Remote access

  • Single sign-on

  • Display profile documents

  • Containers and channels

• The Sun Java System Access Manager console is a browser interface that allows administrators with different levels of access to do the following:

  • Create and remove realms and organizations

  • Create and delete users to and from those organizations

  • Manage services

  • Set up enforcement policies that protect and limit access to organization resources

Portal Server administrators must use Access Manager to perform the following tasks:

• Manage identity-based objects, including users, roles, and organizations, to administer and assign appropriate access to users according to roles they have within organizations or suborganizations

• Delegate administrative functions to specific end users by authorizing the end users to administer organizations, suborganizations, users, policy, roles, and channels

Access Manager uses the lightweight directory access protocol (LDAP).

For information about Access Manager administration, see the Sun Java System Access Manager 7.1 Administration Guide.

Creating New Organizations for Portal Server

New organizations inherit services that are registered at the top-level Access Manager organization. Typical services that new organizations inherit include the following:

• Access Manager Configuration

  • Authentication Configuration

• Authentication Modules

  • Core

  • LDAP

  • Policy configuration

New organizations use LDAP authentication, and LDAP service settings are inherited from the corresponding global service.

For information about Access Manager administration, see the Sun Java System Access Manager 7.1 Administration Guide.

To Create a New Organization to Use with Portal Server

1. Log in to the Access Manager console.

   For information about Access Manager administration, see the Sun Java System Access Manager Administration Guide.

2. Under Identity Management, select Organizations from the View menu.

3. Click New to create a new organization.

4. Specify the organization attributes.

   For example:

   Name

   TestOrganization

   Organization Aliases

   TestOrganization

5. Click OK.

To Access a New Organization

1. Type this URL in your browser:

   http://host:port/amserver/UI/Login?org=organizationalias

   host

   The name of the system that the console is running on.

   port

   The console's port number assigned during installation.

   organizationalias

   The value assigned to the Organization Alias attribute field.

Adding Portal Services to Organizations

Before the Portal is accessible, you must add several services to an organization. The services that you must add to the organization include the following:

• Portal Server configuration

  • portalID Desktop

  • portalID Subscriptions

  • SSO Adapter

  • portalID WSRP Consumer

• Mobile Application configuration

  • Mobile Address Book

  • Mobile Calendar

  • Mobile Mail

Optional services that you can add include the following:

• Secure Remote Access configuration

  • Access List

  • NetFile

  • Netlet

  • Proxylet

To Add Portal Services to an Organization

Portal requires several services to be added to an organization before the Portal Server is accessible to the organization. After you add Portal services to the organization, use the Portal Server management console to administer Portal Server settings. [When a PortalID Desktop service is added to an organization or a role, it specifies default settings. It do not inherit the PortalID Desktop service settings from an organization or a role above it. You need to use the Portal Service management console to manage these service settings as per your need.]

1. Log in to the Access Manager console.

   For information about Access Manager administration, see the Sun Java System Access Manager 7.1 Administration Guide.

2. Under Identity Management, select Organizations from the View menu.

3. Click your organization.

   For example: TestOrganization

4. In the View menu for the organization, select Services.

5. Click Add.

6. Select the following services, if they are available in your deployment:

   • Mobile Application Configuration

     • Mobile Address Book

     • Mobile Calendar

     • Mobile Mail

   • Portal Server Configuration

     • portalID Desktop

     • portalID Subscriptions

     • SSO Adapter

   • Remote Portlets (WSRP)

     • portalID WSRP Consumer

   • Secure Remote Access Configuration

     • Access List

     • NetFile

     • Netlet

     • Proxylet

7. Click OK.

To Specify Required Portal Services for New Users

After you add all of the Portal services to an organization, you must use the Access Manager console to add the services to newly created end-users so that they can access the Portal Desktop and whatever Portal services they need.

The Access Manager Administration service allows you to specify which services are dynamically added to end-user entries when they are created. If your Portal deployment allows users to be created, such as a "Sign-Me Up" feature, specify the Required Services setting in the Access Manager console for your organization.

Before You Begin

Add Portal services to the organization. See Adding Portal Services to Organizations.

1. Log in to the Access Manager console.

   For information about Access Manager administration, see the Sun Java System Access Manager 7.1 Administration Guide.

2. Add the Administration Service.

   1. Under Identity Management, select Organizations from the View menu.

   2. Click your organization.

      For example: TestOrganization

   3. In the View menu for the organization, select Services.

   4. Click Add.

   5. Select the Administration service and Click OK.

3. Specify the setting for Administration Service Required Services.

   This setting specifies whether to assign all services in the required services list to a new end user.

   1. Select the Administration service setting.

   2. For the Required Services setting, specify the following services:

      • SunPortalportalIDDesktopService

      • SunPortalportalIDSubscriptionsService

      • SunMobileAppABService

      • SunMobileAppCalendarService

      • SunMobileAppMailService

      • SunSSOAdapterService

   3. Click Save.

4. Log out of the Access Manager console.

Navigating to Specific Nodes

Portal Server uses Access Manager services to store application and user-specific attributes. To enable you to administer portal-related functions for an LDAP directory node (DN), the Portal Server management console provides details about the DN in a location bar, a horizontal strip below the row of tabs.

The location bar enables you to do the following:

• Identify the currently selected node

• View up to 10 organization DNs

• Change to another directory name

A directory name can be a organization, role, or user name.

Understanding the Location Bar

The location bar provides the following functions:

• Select DN – Use this drop-down menu to display the following directory node types:

  • Default organizations defined when Portal Server was installed.

  • Nodes that administrators set up using the Add DNs button.

• Selected DN – Identifies which DN is currently chosen.

• Enter DN – Enables you to go to any DN that is already defined by typing in its full name.

To Set a New Directory Node

You can select a new DN without adding it to the location bar.

1. Log in to the Portal Server management console.

2. Select the Add button next to the location bar.

3. Select the name of the DN using one of the following methods:

   • Select a DN listed in the window.

   • Use the Search utility:

     1. Type the search string.

        You can use wildcard characters.

        Search results are displayed by short name and corresponding directory node.

     2. Click the Search button.

4. Click the Set Current DN button.

   The window closes, and the Selected DN field displays the new directory node. The directory node is not added to the location bar selections.

To Add a Directory Node to Location Bar Selections

When you add a directory node to the location bar menu, it is stored as a cookie so that the directory node is available in the same browser across sessions.

1. Log in to the Portal Server management console.

2. Select the name of the DN using one of the following methods:

   • Using the Add button:

     1. Click the Add button next to the Select DN menu.

        The Add to DNs List pop-up window opens and displays a list of available directory nodes.

     2. Select the desired DN.

   • Using the Search utility:

     1. Use the Search menu to select the object type.

     2. Type the Search string.

        You can use wildcard characters.

        Search results are displayed by short name and corresponding DN.

     3. Select the desired DN.

3. Select the name of the directory node.

4. (Optional) Edit the short name field to change the name that the directory node in the drop-down menu displays.

5. Click the Add button.

   The directory node is added to the Select DN menu.

To Remove a Directory Node From Location Bar Selections

You can delete a directory node from the drop-down list displayed in the location bar. The directory node itself is not removed. To remove a directory name from the LDAP database, you must use Access Manager.

You cannot remove default organizations that were defined during installation.

1. Log in to the Portal Server management console.

2. From the Select DN drop-down menu, select the DN that you want to delete.

3. Click the Delete button next to the Select DN drop-down menu button.

   The selected directory node is removed.

To Display Information for a Directory Node

1. Log in to the Portal Server management console.

2. Display information about a directory node using one of the following methods:

   • Type the name of the directory node in the Enter DN text box, and click the Go button.

   • Select the name of the directory node from the Select DN menu.