6.4 Assigning Permissions for Pages

You can assign permission to other users, groups, and containers to work with specific container pages and shared pages. Two security levels of permission can be assigned.

Table 6-5 Page Permissions

Permission

Description

Can be assigned for

View

Allows a user, group, or container to access the page and see it in a list of available pages

Container pages and shared pages

Ownership

Allows a user, group, or container to modify the content and layout of the page, and to assign View and Ownership permission to other users, groups, and containers

Shared pages

6.4.1 Assigning Page View Permission

When you assign users View permission for a container page or shared page, they can access the page and see it in a list of available pages.

To assign View permission for container pages or shared pages:

  1. Open a page on the Maintain Container Pages panel or the Maintain Shared Pages panel, then click the Assign Permissions page task (at the bottom of the panel).

    The Page Permissions dialog box displays in a new browser window:

    Illustration
  2. Go to the View tab.

  3. Specify values for the following search settings:

    Setting

    What to do

    Search for

    Select one of the following from the drop-down menu:

    • Users

    • Groups

    • Containers

    Starts with

    If you want to:

    • Find all available objects of your specified type (user, group, or container), then make this setting blank.

    • Find a subset of those objects, then enter the starting characters of the CN values you want. (Case is not considered. Wildcards are not supported.)

      For example, searching for groups that start with S would narrow your search results to something like this: cn=Sales,ou=groups,o=MyOrg cn=Service,ou=groups,o=MyOrg cn=Shipping,ou=groups,o=MyOrg

      Searching for groups that start with Se would return: cn=Service,ou=groups,o=MyOrg

  4. Click Go.

    The results of your search appear in the Results list.

  5. Select the users, groups, or containers you want to assign to the page, then click the Add (>) button.

    Hold down the Ctrl key to make multiple selections.

  6. Enable or disable page lock-down as follows:

    If you want to

    Do this

    Lock down the page so only User Application Administrators can view it

    Select View Permission Set to Admin Only

    Allow all assigned users, groups, and containers to view the page

    Deselect View Permission Set to Admin Only

    NOTE:If you deselect this setting but there are no users, groups, or containers explicitly assigned to the page, then everyone has View permission for this page.

  7. Click Save, then click Close.

6.4.2 Assigning Shared Page Owners

Users who own shared pages can modify the content of the pages they own and change the preferences of portlets on those pages.

To assign Ownership permission for shared pages:

  1. Open a page on the Maintain Shared Pages panel, then click the Assign Permissions page task (at the bottom of the panel).

    The Page Permissions dialog box displays in a new browser window as shown in Step 1.

  2. Go to the Ownership tab.

  3. Specify values for the following search settings:

    Setting

    What to do

    Search for

    Select one of the following from the drop-down menu:

    • Users

    • Groups

    • Containers

    Starts with

    If you want to:

    • Find all available objects of your specified type (user, group, or container), then make this setting blank.

    • Find a subset of those objects, then enter the starting characters of the CN values you want. (Case is not considered. Wildcards are not supported.)

      For example, searching for groups that start with S would narrow your search results to something like this: cn=Sales,ou=groups,o=MyOrg cn=Service,ou=groups,o=MyOrg cn=Shipping,ou=groups,o=MyOrg

      Searching for groups that start with Se would return: cn=Service,ou=groups,o=MyOrg

  4. Click Go.

    The results of your search appear in the Results list.

  5. Select the users, groups, or containers you want to assign to the page, then click the Add (>) button.

    Hold down the Ctrl key to make multiple selections.

  6. Enable or disable page lock-down as follows:

    If you want to

    Do this

    Lock down the page so only User Application Administrators can work with it

    Select Ownership Permission Set to Admin Only

    Allow all assigned users, groups, and containers to work with the page

    Deselect Ownership Permission Set to Admin Only

    NOTE:If you deselect this setting but there are no users, groups, or containers explicitly assigned to the page, then everyone has Ownership permission for this page.

  7. Click Save, then click Close.

6.4.3 Enabling User Access to the Create User or Group Page

By default, only User Application Administrators can see and use the Create User or Group page, which is a shared page on the Identity Self-Service tab of the Identity Manager user interface. But, where appropriate, a User Application Administrator can assign permission for one or more end users to access that page. For instance, selected people in administration or management positions might need the ability to create users, groups, or task groups.

To give users access to the Create User or Group page:

  1. On the Maintain Shared Pages panel, open the page named Create User or Group.

  2. Use the Assign Permissions page task to give View permission to the appropriate users, groups, or containers for the Create User or Group shared page.

  3. Switch from Page Admin to Portlet Admin, and open the CreatePortlet portlet registration (which is used on the Create User or Group page).

  4. Use the Security panel to give List and Execute permissions to the appropriate users, groups, or containers for the CreatePortlet portlet registration.

    For more information about assigning permissions for portlets, see Section 7.0, Portlet Administration.

  5. Go to iManager and use an administrator account to log in to the tree for your Identity Vault.

  6. Make sure that the people who will be using Create User or Group have Create rights for the [Entry Rights] property on the containers in which objects (users, groups, or task groups) will be created.

    For example, you can modify trustees for a chosen container and add the appropriate users, groups, or containers as trustees. Then, for each trustee, you can assign the following rights:

    Property name

    Assigned rights

    Inherit

    [All Attributes Rights]

    • Compare

    • Read

    • Write

    Yes (select this check box)

    [Entry Rights]

    • Browse

    • Create

    Yes (select this check box)

    If you don’t assign the necessary rights in the Identity Vault (or if those rights can’t somehow be derived), an end user might get an error message such as this one from Create User or Group:

    
    User 'cn=mmackenzie,ou=users,ou=idmsample,o=novell' does not have permission 
    to create 'cn=MyNewGroup,ou=groups,ou=idmsample,o=novell' or modify related 
    objects.
    

To learn how the Create User or Group page is used (by those with access to it), see the Identity Manager User Application: User Guide.

6.4.4 Enabling User Access to Individual Administration Pages

By default, only User Application Administrators can access the Administration tab of the Identity Manager user interface and the pages contained on that tab (Application Configuration, Page Admin, Portlet Admin, Provisioning, Security). But if necessary, a User Application Administrator can assign permission for one or more end users to see and use specific pages on the Administration tab. For example, a small group of users might need to change themes periodically, even though they are not User Application Administrators.

To give users access to individual Administration pages:

  1. On the Maintain Container Pages panel, open Admin Container Page.

    This is the container page that’s used when you go to the Administration tab of the Identity Manager user interface.

  2. Use the Assign Permissions page task to give View permission to the appropriate users, groups, or containers for Admin Container Page.

  3. On the Maintain Shared Pages panel, open the appropriate Administration page (one of the shared pages under the category Administration).

  4. Use the Assign Permissions page task to give View and Ownership permissions to the appropriate users, groups, or containers for that shared page.

  5. Make sure the specified users, groups, or containers have Execute permission for each portlet used on a specified page (if you have restricted those portlets).

    For more information about assigning permissions for portlets, see Section 7.0, Portlet Administration.