Novell is now a part of Micro Focus

iManager RBS Configuration Tips

Novell Cool Solutions: Feature

Digg This - Slashdot This

Posted: 14 Apr 2005

Note: This summary article on Role-Based Services is adapted from the following BrainShare presentations:

  • TUT347
  • DHO246a
  • TUT246

What is Role Based Services?

Role-Based Services (RBS) gives you the ability to assign specific tasks to users. RBS presents the user with only the UI and tools necessary to perform those sets of tasks. This enables users to focus on specified tasks and objects as determined by their roles. When users access Novell iManager, they will see only the roles and tasks that have been assigned to them.

With RBS, you can customize your system to your needs, creating custom tasks, books, pages, roles and categories. RBS reads from plug-in descriptors in the file system or from RBS objects stored in eDirectory. It then grants rights to perform tasks based upon the plug-in descriptor. eDirectory inheritance controls which roles and tasks to display for a given user

iManager Access Modes

iManager executes under the following three access modes:

  • Unrestricted
  • Assigned Access
  • Collection Owner

The current mode is displayed in the upper left-hand corner of iManager and on the home page.

Unrestricted Access

This is the default mode before RBS is installed and configured. Role and task information is read from the file system, and all roles and tasks are visible. The authenticated user will still need the necessary eDirectory rights assignments to perform the tasks.

Assigned Access

With RBS installed, this mode displays only the roles and tasks assigned to the authenticated user, as well as those for the collection owner (see below). A role may be assigned to a user directly or indirectly through any of the following:

  • Organization or organizational unit
  • Group
  • Organizational role
  • Dynamic group or any object that has had the dynamic group auxiliary class attached

The authenticated user will have all necessary rights assignments to use the assigned tasks. This mode takes full advantage of the Role Based Services (RBS) technology.

The basic object hierarchy for iManager is shown below:

Figure 1: iManager object hierarchy

Collection Owner Access

This mode displays all the roles and tasks in the collection for which the authenticated user is an owner. The authenticated user will still need the necessary rights assignments to use the tasks. This mode also displays any other roles and tasks assigned to the authenticated user. RBS must be installed and configured in order to use this mode. If the logged in user is the one who installed RBS, then all roles and tasks are displayed for that user.

Collection Object

The Collection Object is a container for all other RBS objects. You can have multiple collection objects per tree. Users can be assigned as an owner of a collection to allow management of RBS, and multiple owners are allowed per collection. Owners are granted supervisor rights to the collection. A collection can be contained by an Organization, an Organizational Unit, a Country, a Locality or a domain.

Category Selector

The category selector is new in iManager 2.5. It provides groups of roles and tasks specific to a particular function. The 'All Categories' selection displays all available roles and tasks.

There are 14 default categories shipped with iManager 2.5. All Novell-based content is assigned to a particular category outlined by Novell Human Factors. You may create new categories and assign roles and tasks to them as needed.

Figure 2: New RBS categories

Best Practices for RBS and iManager

Remember - one size doesn't fit all. There is not a single best way to implement RBS in a tree. Novell iManager 2.5 doesn't cache information related to RBS - the data is always pulled from the directory.

The three most common tree structures are described below.

1: Geographical Structure

If your tree is using a geographical structure, you should create a collection in every geographical location, using one or more iManager servers per location. The benefits are: a faster login time, less tree walking, and each geographical admin can manage his own collection.

Figure 3: Geographic tree collection

2: Organizational Structure

If your tree is using an organizational structure, create one collection at the same level as the organizations, using one or more iManager servers. The benefit is fewer collections to manage.

Figure 4: Organization tree collection

3: Flat Structure

If your tree is using a flat structure, create one collection below the Organization object, using one or more iManager servers.

Figure 5: Flat tree collection

RBS Configuration

By default, RBS is not initially configured in the tree. When you first log in to iManager, you are not forced to configure RBS. Until RBS is configured, all users will see "All Roles and Tasks". A user's existing rights in the tree will determine the ability to do any of the operations.

To configure RBS, you will need to run the iManager Configuration Wizard.

  1. Select the Configure icon.
  2. Select the Role Based Services role.
  3. Select the RBS Configuration task.
  4. Select the Configure iManager link at the top of the page.

There are three necessary steps to configure RBS:

  1. Install RBS schema extensions. Note that they may have already been installed by the OS or the eDirectory install.
  2. Create a collection object. To do this, specify a collection name and select a container where it will be created.
  3. Select and install the necessary modules.

The wizard will take a few moments to create all of the objects and make the necessary associations.

RBS Configuration UI Update

iManager 2.5 has moved from a task-based UI to a category-based UI. The category approach focuses on objects and categories of objects. This enables the user to view and manage the objects in the system, showing the status of each and its relationship to other objects. The user can then perform a variety of actions on single or multiple objects. This new UI consolidates six roles and 28 tasks into one role with three tasks, and it displays only the collections that the logged-in user owns.

RBS Module Status

There are four basic types of module status:

  • Available Modules
  • Installed Modules
  • Out-Of-Date Modules
  • Not-Installed Modules

Each of these status types is described below.

RBS Available Modules

The available module list is read from the current iManager server. This list provides status and version information for each module. You can install, uninstall or update a module from this page, and all columns are sortable. The number of available modules may differ on each iManager server - this depends on which NPM's have been installed.

Figure 6: Available module list

RBS Installed Modules

The installed module list shows which available modules are installed for the selected collection. The list provides version information for each module. You can reinstall or uninstall a module from this page, and all columns are sortable. Reinstalling a module creates or updates the objects that have been changed since it was last installed.

Figure 7: Installed module list

RBS Out-Of-Date Modules

The out-of-date module list shows which modules have a newer version available. The list provides version information for each module. You can update or uninstall a module from this page, and all columns are sortable.

Figure 8: Out-of-date module list

RBS Not-Installed Modules

The not-installed module list shows the available modules that have not been installed into the selected collection. The list provides version information for each module. You can install a module from this page, and all columns are sortable.

RBS Role Administration

For each role you will need to create an association for Member and Scope. A member can be a user, a group, a dynamic group, an organization, an organizational unit, an organizational role, or any object that has been extended with the dynamic group auxiliary class.

The scope is a container object in the tree where the role applies for the associated member. You have the option to assign the rights to the member, and you can to make the rights inheritable. The rights can be just for the container object or rights to the entire sub-directory.

Role Discovery

You can set the iManager search sequence to discover roles at login. Role discovery can be determined by:

  • The user object
  • Group objects that you are a member of
  • Container objects
  • Any Organization or Organizational Unit in the path up to the root
  • Organizational role objects for which you are a role occupant
  • Dynamic group objects
  • Dynamic group auxiliary class objects

Role Discovery Settings

The basic settings for role discovery are:

  • Container role discovery - Parent container (default), first partition, root of the tree
  • Dynamic Group search - Enabled by default; it can be disabled
  • Dynamic Group discovery - Parent container (default), first partition, root of the tree
  • Dynamic Group search type - Dynamic group objects only (default); or, dynamic group objects and dynamic group auxiliary class objects

Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions.

© Copyright Micro Focus or one of its affiliates