iManager RBS Configuration Tips
Novell Cool Solutions: Feature
Posted: 14 Apr 2005
Note: This summary article on Role-Based Services is adapted from the following BrainShare presentations:
What is Role Based Services?
Role-Based Services (RBS) gives you the ability to assign specific tasks to users. RBS presents the user with only the UI and tools necessary to perform those sets of tasks. This enables users to focus on specified tasks and objects as determined by their roles. When users access Novell iManager, they will see only the roles and tasks that have been assigned to them.
With RBS, you can customize your system to your needs, creating custom tasks, books, pages, roles and categories. RBS reads from plug-in descriptors in the file system or from RBS objects stored in eDirectory. It then grants rights to perform tasks based upon the plug-in descriptor. eDirectory inheritance controls which roles and tasks to display for a given user.
iManager Access Modes
iManager executes under the following three access modes:
- Assigned Access
- Collection Owner
The current mode is displayed in the upper left-hand corner of iManager and on the home page.
This is the default mode before RBS is installed and configured. Role and task information is read from the file system, and all roles and tasks are visible. The authenticated user will still need the necessary eDirectory rights assignments to perform the tasks.
With RBS installed, this mode displays only the roles and tasks assigned to the authenticated user, as well as those for the collection owner (see below). A role may be assigned to a user directly or indirectly through any of the following:
- Organization or organizational unit
- Organizational role
- Dynamic group or any object that has had the dynamic group auxiliary class attached
The authenticated user will have all necessary rights assignments to use the assigned tasks. This mode takes full advantage of the Role Based Services (RBS) technology.
The basic object hierarchy for iManager is shown below:
Figure 1: iManager object hierarchy
Collection Owner Access
This mode displays all the roles and tasks in the collection for which the authenticated user is an owner. The authenticated user will still need the necessary rights assignments to use the tasks. This mode also displays any other roles and tasks assigned to the authenticated user. RBS must be installed and configured in order to use this mode. If the logged-in user is the one who installed RBS, then all roles and tasks are displayed for that user.
The Collection Object is a container for all other RBS objects. You can have multiple collection objects per tree. Users can be assigned as an owner of a collection to allow management of RBS, and multiple owners are allowed per collection. Owners are granted supervisor rights to the collection. A collection can be contained by an Organization, an Organizational Unit, a Country, a Locality or a domain.
The category selector is new in iManager 2.5. It provides groups of roles and tasks specific to a particular function. The 'All Categories' selection displays all available roles and tasks.
There are 14 default categories shipped with iManager 2.5. All Novell-based content is assigned to a particular category outlined by Novell Human Factors. You may create new categories and assign roles and tasks to them as needed.
Figure 2: New RBS categories
Best Practices for RBS and iManager
Remember - one size doesn't fit all. There is not a single best way to implement RBS in a tree. Novell iManager 2.5 doesn't cache information related to RBS - the data is always pulled from the directory.
The three most common tree structures are described below.
1: Geographical Structure
If your tree is using a geographical structure, you should create a collection in every geographical location, using one or more iManager servers per location. The benefits are: a faster login time, less tree walking, and each geographical admin can manage his own collection.
Figure 3: Geographic tree collection
2: Organizational Structure
If your tree is using an organizational structure, create one collection at the same level as the organizations, using one or more iManager servers. The benefit is fewer collections to manage.
Figure 4: Organization tree collection
3: Flat Structure
If your tree is using a flat structure, create one collection below the Organization object, using one or more iManager servers.
Figure 5: Flat tree collection
By default, RBS is not initially configured in the tree. When you first log in to iManager, you are not forced to configure RBS. Until RBS is configured, all users will see "All Roles and Tasks". A user's existing rights in the tree will determine the ability to do any of the operations.
To configure RBS, you will need to run the iManager Configuration Wizard.
- Select the Configure icon.
- Select the Role Based Services role.
- Select the RBS Configuration task.
- Select the Configure iManager link at the top of the page.
There are three necessary steps to configure RBS:
- Install RBS schema extensions. Note that they may have already been installed by the OS or the eDirectory install.
- Create a collection object. To do this, specify a collection name and select a container where it will be created.
- Select and install the necessary modules.
The wizard will take a few moments to create all of the objects and make the necessary associations.
RBS Configuration UI Update
iManager 2.5 has moved from a task-based UI to a category-based UI. The category approach focuses on objects and categories of objects. This enables the user to view and manage the objects in the system, showing the status of each and its relationship to other objects. The user can then perform a variety of actions on single or multiple objects. This new UI consolidates six roles and 28 tasks into one role with three tasks, and it displays only the collections that the logged-in user owns.
RBS Module Status
There are four basic types of module status:
- Available Modules
- Installed Modules
- Out-Of-Date Modules
- Not-Installed Modules
Each of these status types is described below.
RBS Available Modules
The available module list is read from the current iManager server. This list provides status and version information for each module. You can install, uninstall or update a module from this page, and all columns are sortable. The number of available modules may differ on each iManager server - this depends on which NPMs have been installed.
Figure 6: Available module list
RBS Installed Modules
The installed module list shows which available modules are installed for the selected collection. The list provides version information for each module. You can reinstall or uninstall a module from this page, and all columns are sortable. Reinstalling a module creates or updates the objects that have been changed since it was last installed.
Figure 7: Installed module list
RBS Out-Of-Date Modules
The out-of-date module list shows which modules have a newer version available. The list provides version information for each module. You can update or uninstall a module from this page, and all columns are sortable.
Figure 8: Out-of-date module list
RBS Not-Installed Modules
The not-installed module list shows the available modules that have not been installed into the selected collection. The list provides version information for each module. You can install a module from this page, and all columns are sortable.
RBS Role Administration
For each role you will need to create an association for Member and Scope. A member can be a user, a group, a dynamic group, an organization, an organizational unit, an organizational role, or any object that has been extended with the dynamic group auxiliary class.
The scope is a container object in the tree where the role applies for the associated member. You have the option to assign the rights to the member, and you can make the rights inheritable. The rights can be just for the container object or rights to the entire sub-directory.
You can set the iManager search sequence to discover roles at login. Role discovery can be determined by:
- The user object
- Group objects that you are a member of
- Container objects
- Any Organization or Organizational Unit in the path up to the root
- Organizational role objects for which you are a role occupant
- Dynamic group objects
- Dynamic group auxiliary class objects
Role Discovery Settings
The basic settings for role discovery are:
- Container role discovery - Parent container (default), first partition, root of the tree
- Dynamic Group search - Enabled by default; it can be disabled
- Dynamic Group discovery - Parent container (default), first partition, root of the tree
- Dynamic Group search type - Dynamic group objects only (default); or, dynamic group objects and dynamic group auxiliary class objects
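The following is an added example, not code from Novell or from the original article: a small Python model of the member/scope associations and role discovery settings described above, useful for reviewing which roles a user picks up indirectly as the container discovery depth widens. The tree, role names, function names and the "first partition" stopping rule are assumptions made for illustration; dynamic group discovery depth is not modeled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Assignment:
    role: str    # RBS role name (constructed)
    member: str  # object the role is associated with
    scope: str   # container where the role applies

def containers_above(dn, depth, partition_roots=frozenset()):
    """Containers searched for role assignments, nearest first."""
    parts = dn.split(".")
    chain = [".".join(parts[i:]) for i in range(1, len(parts))]
    if depth == "parent":        # default setting
        return chain[:1]
    if depth == "partition":     # assumed: stop at first partition root, inclusive
        for i, container in enumerate(chain):
            if container in partition_roots:
                return chain[:i + 1]
        return chain
    if depth == "root":
        return chain
    raise ValueError(f"unknown discovery depth: {depth}")

def discover_roles(user, assignments, memberships, depth="parent",
                   partition_roots=frozenset(), dynamic_groups=frozenset(),
                   dynamic_search=True):
    """Return sorted (role, scope, via_member) tuples the user would see."""
    identities = {user, *containers_above(user, depth, partition_roots)}
    for obj, members in memberships.items():
        # Groups and organizational roles always count; dynamic groups
        # count only while dynamic group search is enabled.
        if user in members and (dynamic_search or obj not in dynamic_groups):
            identities.add(obj)
    return sorted((a.role, a.scope, a.member)
                  for a in assignments if a.member in identities)

# Constructed sample tree and assignments, for illustration only.
USER = "jsmith.sales.provo.acme"
ASSIGNMENTS = [
    Assignment("Help Desk", "helpdesk.groups.acme", "provo.acme"),
    Assignment("Password Reset", "sales.provo.acme", "sales.provo.acme"),
    Assignment("Tree Admin", "acme", "acme"),
    Assignment("Printer Ops", "dyn-printers.groups.acme", "provo.acme"),
]
MEMBERSHIPS = {"helpdesk.groups.acme": {USER}, "dyn-printers.groups.acme": {USER}}
DYNAMIC = frozenset({"dyn-printers.groups.acme"})

if __name__ == "__main__":
    for depth in ("parent", "partition", "root"):
        print(depth, discover_roles(USER, ASSIGNMENTS, MEMBERSHIPS, depth,
                                    {"provo.acme"}, DYNAMIC))
```

In this constructed tree, the role associated with the top-level organization only reaches the user when container discovery is set to the root of the tree, which is the kind of indirect assignment worth reviewing before widening the setting.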