Configuring Role-Based Services

Novell iManager gives administrators the ability to assign specific responsibilities to users and to present the user with only the tools (and their accompanying rights) necessary to perform those sets of responsibilities. This functionality is called Role-Based Services (RBS).

Role-Based Services allows administrators to focus the user on a specified set of functions, called tasks, and objects as determined by the grouping of tasks called roles. What users see when they access iManager is based on their role assignments in eDirectory. Only the tasks assigned to that user are displayed. The user does not need to browse the tree to find an object to administer; the iManager plug-in for that task presents the necessary tools and interface to perform the task.

You can assign multiple roles to a single user. You can also assign the same role to multiple users.

Role-Based Services is represented by objects defined in eDirectory. The base eDirectory schema gets extended during the iManager installation. The RBS object types are listed in the following table.

Object Description

rbsCollection icon rbsCollection

A container object that holds all RBS Role and Module objects.

rbsCollection objects are the topmost containers for all RBS objects. A tree can have any number of rbsCollection objects. These objects have "owners," which are users who have management rights over the collection.

rbsCollection objects can be created in any of the following containers:

  • Country
  • Domain
  • Locality
  • Organization
  • Organizational Unit

rbsRole icon rbsRole

A container object that specifies the tasks that users (members) are authorized to perform. Defining a role includes creating an rbsRole object and specifying the tasks that the role can perform.

Role members can be Users, Groups, Organizations, or Organizational Units, and they are associated to a role in a specific scope of the tree. The rbsTask and rbsBook objects are assigned to rbsRole objects.

rbsRole objects can be created only in rbsCollection containers.

rbsModule icon rbsModule

A container object that holds rbsTask and rbsBook objects. rbsModule objects have a module name attribute that represents the name of the product that defines the tasks or books (for example, eDirectory Maintenance Utilities, NMAS Management, or Novell Certificate Server Access).

rbsModule objects can be created only in rbsCollection containers.

rbsTask icon rbsTask

A leaf object that represents a specific function, such as resetting login passwords.

rbsTask objects are located only in rbsModule containers.

rbsBook icon rbsBook

A leaf object that containing a list of pages assigned to the book. An rbsBook can be assigned to one or more Roles and to one or more Object class types.

rbsBook objects are located only in rbsModule containers.

Scope object rbsScope

A leaf object used for ACL assignments (instead of making assignments for each User object). rbsScope objects represent the context in the tree where a role will be performed and are associated with rbsRole objects. They inherit from the Group class. User objects are assigned to an rbsScope object. These objects have a reference to the scope of the tree that they are associated with.

This object is dynamically created when needed, then automatically deleted when no longer needed. They are located only in rbsRole containers.

WARNING:  Never change the configuration of a Scope object. Doing so will have serious consequences and could possibly break the system.

The RBS objects reside in the eDirectory tree as depicted in the following figure.

Figure 22
RBS Objects in the eDirectory Tree


Defining RBS Roles

RBS roles specify the tasks that users are authorized to perform. Defining an RBS role includes creating an rbsRole object and specifying the tasks that the role can perform and the User, Group, or container objects that can perform those tasks. In some cases, Novell iManager plug-ins (product packages) provide predefined RBS roles that you can modify.

The tasks that RBS roles can perform are exposed as rbsTask objects in your eDirectory tree. These objects are added automatically during the installation of product packages. They are organized into one or more rbsModules, which are containers that correspond to the different functional modules of the product.

For information on assigning members to a role, see Assigning RBS Role Membership and Scope.


Creating a Role Object

Use the Create iManager Role Wizard to create a new rbsRole object. We recommend creating the new rbsRole object in the same rbsCollection container where the other rbsRole objects reside (for example, the Role-Based Services Collection container).

  1. In Novell iManager, click the Configure button Configure button.

  2. Click Role Configuration > Create iManager Role.

  3. Follow the instructions in the Create iManager Role Wizard.

See Defining Custom RBS Tasks for information on adding members to roles.


Modifying the Tasks Associated with a Role

Each RBS role has a set of available tasks associated with it. You can choose which tasks are assigned to a particular role, adding or removing tasks as necessary.

  1. In Novell iManager, click the Configure button Configure button.

  2. Click Role Configuration > Modify iManager Roles.

  3. To add or remove tasks from a role, click the Modify Tasks button Modify Tasks button to the left of the role you want to modify.

  4. Add or remove tasks from the Assigned Task list.

  5. Click OK.


Assigning RBS Role Membership and Scope

After you have defined the RBS roles needed in your organization, you can assign members to each role. In doing so, you specify the scope in which each member can exercise the functions of the role. The scope is the location or context in the eDirectory tree where this role can be performed.

A user can be assigned to a role in the following ways:

  • Directly
  • Through group and dynamic group assignments. If a user is a member of a group or a dynamic group that is assigned to a role, then the user has access to the role.
  • Through organizational role assignments. If a user is an occupant of a organizational role that is assigned a role, then the user has access to the role.
  • Through container assignment. A user object has access to all of the roles that its parent container is assigned. This could also include other containers up to the root of the tree.

A user can be associated with a role multiple times, each with a different scope. You can also assign the same task to multiple members.

To assign role membership and scope:

  1. In Novell iManager, click the Configure button Configure button.

  2. Click Role Configuration > Modify iManager Roles.

  3. To add or remove members from a role, click the Modify Members button Modify Members button to the left of the role you want to modify.

  4. In the Name field, specify an object name (a User, Group, or Container object) and context.

  5. In the Scope field, specify an Organization or Organizational Unit object name and context.

  6. Click Add, then click OK.


Deleting a Role-Based Services Object

  1. In Novell iManager, click the Configure button Configure button.

  2. Click Role Configuration > Delete Role.

  3. Specify the name and context of the RBS role you want to delete.

  4. Click OK.


Defining Custom RBS Tasks


Creating an iManager Task

  1. In Novell iManager, click the Configure button Configure button.

  2. Click Task Configuration > Create iManager Task.

  3. Follow the instructions in the Task Builder to create a custom task.


Creating a Server Administration Task

Use the Create Server Administration Task Wizard to build custom tasks to access a server's services. The system administrator should verify that the service is available on the server.

  1. In Novell iManager, click the Configure button Configure button.

  2. Click Task Configuration > Create Server Administration Task.

  3. Follow the instructions in the Create Server Administration Task Wizard.


Modify Role Assignment

  1. In Novell iManager, click the Configure button Configure button.

  2. Click Task Configuration > Modify Role Assignment.

  3. Specify the name and context of the task you want to modify, then click Next.

  4. Move the roles you want from the Available Roles column to the Assigned Roles column.

  5. Click OK.


Deleting a Task

  1. In Novell iManager, click the Configure button Configure button.

  2. Click Task Configuration > Delete Task.

  3. Specify the name and context of the task you want to delete, then click OK.