
Setting up an Organizational Role to Administer Group Membership

Novell Cool Solutions: Trench
By David Gersic


Posted: 10 Mar 2003
 

Many thanks to David Gersic who provided us with this updated list of steps necessary to set up an Organizational Role specifically to administer group membership.

  1. Make the User or Organizational Role a trustee of the Group object (or objects) it is to administer, and assign it the following attribute rights (on the group only):

    MEMBER with Compare, Read, Write
    EQUIVALENT TO ME with Compare, Read, Write

    Note: Step 1 on its own lets occupants of the Organizational Role add and remove users from the Member list of any group the role is a trustee of. If you also want them to be able to open a User object and add or remove groups from that user's Group Membership list, you must follow step 2 as well. For both, do both steps.

  2. Make the Organizational Role a trustee of the container that holds the User objects it should administer, and grant it the following attribute rights, marked Inheritable so that they flow down to the User objects:

    GROUP MEMBERSHIP with Compare, Read, Write, and Inheritable
    SECURITY EQUALS with Compare, Read, Write, and Inheritable

Note: For some reason, ConsoleOne doesn't always work when setting up these rights. I, however, have never had a problem using NWAdmin or the JRB Utilities to take care of business.

The reason this works is a schema feature called "Write Managed" rights: for a write-managed attribute, the rights check is made against the object referenced by the value rather than against the object being modified. Group membership is one of the few sets of attributes where this little-understood feature is used.

DS checks only the Group object for rights to decide whether the operation may proceed. If the modifying object has sufficient rights to the Group object to change its MEMBER and EQUIVALENT TO ME attributes, it is also allowed to update the matching GROUP MEMBERSHIP and SECURITY EQUALS attributes of the User object being added. The modifier's own rights to that User object are not consulted, beyond the requirement that it can see (Browse) the object being modified. Treat Write rights on a group's MEMBER and EQUIVALENT TO ME attributes as sensitive for the same reason: whoever holds them can add any browsable user to the group, and membership carries security equivalence to the group.
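The following is an added example, not code from the original article or from eDirectory itself. It models the two-step procedure above and the Write Managed behaviour just described: ACLs are written in eDirectory's LDAP ACL string syntax (`privileges#scope#trustee#attribute`, with the assumed bit values Compare=1, Read=2, Write=4, entry right Browse=1, and scope `subtree` standing for Inheritable), effective rights are collected from the object and from inheritable entries on its ancestor containers, and the add-member check consults the group rather than the user. The tree, the role DN `cn=GroupAdmins,ou=Roles,o=Acme`, and all ACL values are constructed sample data; inherited rights filters, security equivalence and Supervisor rights are deliberately left out of the model.

```python
"""Simplified model of eDirectory group-membership rights evaluation.

Added example; not the article's or eDirectory's own code. ACL strings follow
the LDAP ACL syntax 'privileges#scope#trustee#attribute' (assumed bit values:
Compare=1, Read=2, Write=4, Browse=1 for [Entry Rights]; 'subtree' = Inheritable).
The directory tree below is constructed sample data.
"""

COMPARE, READ, WRITE = 1, 2, 4   # attribute rights (assumed bit values)
BROWSE = 1                       # entry right (assumed bit value)
ENTRY_RIGHTS = "[Entry Rights]"


def acl_value(rights, inheritable, trustee, attr):
    """Build one ACL string as it would be written to an object's ACL attribute."""
    scope = "subtree" if inheritable else "entry"
    return f"{rights}#{scope}#{trustee}#{attr}"


def parse_acl(value):
    """Split 'privileges#scope#trustee#attribute' into its four fields."""
    priv, scope, trustee, attr = value.split("#", 3)
    return int(priv), scope, trustee.lower(), attr.lower()


def parent_dn(dn):
    """Parent container of a DN (sample DNs contain no escaped commas)."""
    parts = dn.split(",", 1)
    return parts[1] if len(parts) == 2 else None


def effective_rights(tree, dn, trustee, attr):
    """Collect the trustee's rights to one attribute of `dn`: entries on the
    object itself plus 'subtree' (Inheritable) entries on every ancestor."""
    rights, cur, own = 0, dn, True
    while cur is not None:
        for priv, scope, t, a in map(parse_acl, tree.get(cur, [])):
            if t == trustee.lower() and a == attr.lower() and (own or scope == "subtree"):
                rights |= priv
        cur, own = parent_dn(cur), False
    return rights


def can_add_member(tree, trustee, group_dn, user_dn):
    """Write Managed check: MEMBER / EQUIVALENT TO ME rights are evaluated on
    the group; the user only has to be visible (Browse) to the trustee."""
    needed = COMPARE | READ | WRITE
    if not effective_rights(tree, user_dn, trustee, ENTRY_RIGHTS) & BROWSE:
        return False
    return all(effective_rights(tree, group_dn, trustee, a) & needed == needed
               for a in ("member", "equivalentToMe"))


def can_edit_user_membership(tree, trustee, user_dn):
    """Step 2: editing the user's own GROUP MEMBERSHIP / SECURITY EQUALS needs
    rights on the User object, normally inherited from its container."""
    needed = COMPARE | READ | WRITE
    return all(effective_rights(tree, user_dn, trustee, a) & needed == needed
               for a in ("groupMembership", "securityEquals"))


# Constructed sample tree: DN -> list of ACL strings on that object.
ROLE = "cn=GroupAdmins,ou=Roles,o=Acme"
RW = COMPARE | READ | WRITE
TREE = {
    # Browse on every object in the tree, so users are visible to the role.
    "o=Acme": [acl_value(BROWSE, True, ROLE, ENTRY_RIGHTS)],
    # Step 1: rights on the group object only.
    "cn=Staff,ou=Groups,o=Acme": [acl_value(RW, False, ROLE, "member"),
                                  acl_value(RW, False, ROLE, "equivalentToMe")],
    "cn=Contractors,ou=Groups,o=Acme": [],          # role is not a trustee here
    # Step 2: inheritable rights on the users' container.
    "ou=Users,o=Acme": [acl_value(RW, True, ROLE, "groupMembership"),
                        acl_value(RW, True, ROLE, "securityEquals")],
    "cn=jdoe,ou=Users,o=Acme": [],
    "cn=svc,ou=Services,o=Acme": [],                # outside the step-2 container
}

if __name__ == "__main__":
    print(can_add_member(TREE, ROLE, "cn=Staff,ou=Groups,o=Acme", "cn=jdoe,ou=Users,o=Acme"))
    print(can_add_member(TREE, ROLE, "cn=Staff,ou=Groups,o=Acme", "cn=svc,ou=Services,o=Acme"))
    print(can_add_member(TREE, ROLE, "cn=Contractors,ou=Groups,o=Acme", "cn=jdoe,ou=Users,o=Acme"))
    print(can_edit_user_membership(TREE, ROLE, "cn=svc,ou=Services,o=Acme"))
```

The second and fourth checks make the point of the article: the role can add `cn=svc` to Staff even though it holds nothing but Browse on that user, because the decision is made on the group's MEMBER and EQUIVALENT TO ME rights, yet it cannot edit that same user's Group Membership list from the user side without the inheritable rights of step 2.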



© 2014 Novell