Using the RBS Configuration Wizard to Implement Role-Based Services
Novell Cool Solutions: Feature
By Wendy Busath
Digg This -
Posted: 28 Oct 2003
Update: Wendy Busath is a software engineer at Novell. If you have any questions about this article you may contact her at firstname.lastname@example.org
Using a unique feature known as Role-Based Services (RBS), Novell iManager allows network administrators to assign individual users or groups with specific management tasks and duties, based upon their role within an organization. Delegating simple administrative tasks like resetting passwords or adding network printers, allows the IT staff to focus on strategic projects that more directly affect an organization's bottom line. This article discusses how to quickly implement Role-Based Services using the RBS Configuration Wizard.
What does the RBS Configuration Wizard do?
The RBS Configuration Wizard will install Role-Based Services (RBS) version 2 into the directory tree. This involves extending the schema for RBS, installing iManager plug-in modules, and creating roles and tasks. RBS allows you to give users or groups access to only those tasks that have been explicitly granted to them by an administrator.
Can I use iManager without configuring RBS?
Yes, but certain functionality will not be accessible, namely the eDirectory maintenance utilities (DSBackup, DSMerge, DSRepair, etc), which use RBS as a mechanism to control access to usage of those tasks. For all other tasks, the eDirectory rights assigned to the logged-in user will determine whether a task can be utilized.
If you haven't configured RBS, you will notice that the words "Unrestricted Access" appear at the top left of the iManager window. This is to alert you that the display of roles and tasks is unrestricted, not that the user has unrestricted access to all tasks. The logged-in user will have the ability to peruse all the roles and tasks and attempt to use the tasks, but their ability to complete the tasks is still controlled by his/her eDirectory rights.
If you have configured RBS, then the words "Collection Owner Access" or "Assigned Access" will appear. "Collection Owner Access" displays all roles and tasks in the collection-not just those roles the collection owner has been explicitly assigned-so that the collection owner can view them to make sure they are all present. See the notes below on configuring collection ownership. "Assigned Access" displays only those roles and tasks that have been granted to the logged-in user. You will see this view if RBS is configured but you are not a collection owner.
RBS offers many benefits:
- You can create your own custom roles and assign any tasks you want to belong to those roles.
- You can assign out those roles to help desk employees, server administrators, individual users, containers, groups, or dynamic groups.
- When a user logs in to iManager, he/she is only able to see the roles which he/she has been assigned.
- When you associate a user with a role, and select the "Assign Rights" option, that user is automatically given all the ACLs necessary to complete the tasks in that role but only in the scope defined.
How do I get to the RBS Configuration Wizard?
Log in to iManager and switch to the "Configure" tab by clicking on the desk icon, then expand the "RBS Configuration" role and select the "Configure iManager" task. See Figure 1.
Why can't I see the RBS Configuration role?
If you have logged in to another tree (accessible via the "Login to a different tree" button), other than the one for which you originally configured iManager, you will not have access to the RBS Configuration functionality. Note that is different than iManager 1.5.x, which allowed you to see the Config tab as well as do the RBS Configuration for any tree you were logged in to.
What option should I select?
Figure 2 below shows the options available. Some options might be disabled according to your situation.
What determines if an available option is enabled?
If you are the owner of an iManager 1.5.x collection, the option to "Migrate a previous collection" will be enabled.
If you are the owner of an iManager 2.x collection, the option to "Upgrade collections" will be enabled.
If you are the owner of an iManager 1.5.x collection and an iManager 2.x collection, the option to "Migrate previous role associations" will be enabled.
The option to "Create a new collection" is always enabled, even though you might not have sufficient rights to create a collection.
What does each of the options in the RBS Configuration Wizard do?
This option allows the user to create a new iManager 2.x collection. Note that 2.x collections use RBS version 2 schema, which is different than RBS version 1 schema used in iManager 1.5.x.
When a new collection is created, you first specify the name and context of the collection. If you have already installed iManager 1.5.x into your tree, it is wise to name the collection so that you can easily recognize that it is an iManager 2.x collection, e.g. "Role Based Service 2." Place the collection in a container that is held on a local partition. Place the collection at the top level of the hierarchy that you are administering. Note that the collection cannot be placed at the root of the tree. When the collection is created, the attribute "rbsOwnedCollections2" on your user object will be populated with the DN of the collection object, and the collection object's "Owner" attribute will be populated with your user object's DN.
NOTE: Collection ownership. The user who created the collection is automatically assigned to be the collection owner, but collection ownership is configurable. You can remove the creator as a collection owner and you can add other owners to the collection. Multiple users are allowed to own a single collection. Only owners of collections are allowed to upgrade, migrate, or modify the collection's roles, member associations, and tasks. See the table under Schema differences between RBS v1 and RBS v2.
The collection object will also contain a link to the portal object created when iManager was configured during the nps/servlet/configure operation you should have run immediately after installing iManager.
NOTE: Portal object and collections. iManager locates its associated 2.x collections through the Portal object (object class "bhPortal"). When you create a collection using iManager 2.x, the portal object's multivalued "bhCollectionList" attribute is populated with the DN of the new collection object. This is why a 2.x collection is only usable by iManager installations that have been configured to the same portal object.
At this point the RBS Configuration Wizard locates all the xml files on the file system that contain installation information. These xml files are typically located in the webapps\nps\portal\modules\
You can also choose to grant yourself (whichever user you are logged in as) the roles and tasks associated with those modules by selecting a "Scope." The scope is a container in which members of a role can perform tasks. If you are a super administrator and you want to be able to do anything anywhere in the tree, you should select the root of the tree or type "[root]" into the text box. Selecting "Assign Rights" will give you all the ACLs needed to do each task. Note that the tasks and the rights needed to use each task are contained in the same xml files mentioned above. Selecting "Inheritable" will make those ACLs flow down the tree from the container specified in the "Scope."
Once you press the Start button, the following things will occur: 1) The schema will be extended for RBS version 2 if it has not been already; 2) the collection object will be created, 3) the selected modules will be installed; 4) the list of tasks maintained by the portal will be refreshed; and if specified to do so, 5) any new roles will be associated with your user object and ACLs will be assigned.
A new iManager 2.x collection will be created that is nearly a copy of the iManager 1.5.x collection you had created.
NOTE: iManager 1.5.x versus iManager 2.x collections. It is important to keep in mind that iManager 1.5.x does not read or understand iManager 2.x collections, and iManager 2.x does not read or understand iManager 1.5.x collections. In fact, the schema for iManager 1.5.x is completely different than the schema for iManager 2.x. When you install iManager 2.x, you will need to run a migration if you want to utilize the same role assignments you had granted in your iManager 1.5.x environment.You will have to select the iManager 1.5.x collection you want to migrate to 2.x. You will also be asked the name and context of the new iManager 2.x collection to create. Follow the guidelines and steps in Create a new collection above.
NOTE: Limitations of collection migration. The migration does not do any file copy of modules from the 1.5.x installation to your 2.x installation. You should make sure you have all of the modules you want to use already in place before running the migration. The migration also will not migrate custom tasks or pages created with iManager 1.5.x Task Builder or iManager 1.5.x third-party plugins. A separate utility is provided in order to do these complex migrations.
Migrate previous role associations
This option is nearly the same as Migrate a previous collection except that the iManager 2.x collection you want to migrate into already exists.
Upgrading collections encompasses installing new modules into your iManager 2.x collection as well as upgrading existing installed modules to a newer version. The RBS Configuration Wizard scans the file system to find xml files and the modules defined in them (mentioned in Create a new collection above), and then compares the modules on the file system with the module objects (object class rbsModule2) inside the existing iManager 2.x collection.
Any new modules will populate the "Modules to be installed" box, and you can select the modules necessary to administer your system. Refer to the steps and description for installing new modules in Create a new collection above.
Any modules whose version is newer than the version in the module object inside the existing collection will populate the "Modules to be upgraded" box. You should always select to upgrade an out-of-date module because if the files on your iManager file system do not correspond with the information in the collection, the software for that module might not function correctly.
Schema differences between RBS v1 and RBS v2
|RBS v1 classes||RBS v2 classes|
|RBS v1 attributes||RBS v2 attributes|
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com