6.1 Role-Based Services

iManager gives you the ability to assign specific responsibilities to users and to present them with the tools (and their accompanying rights) necessary to perform only those sets of responsibilities. This functionality is called Role-Based Services (RBS).

Role-Based Services (RBS) is a set of extensions to the eDirectory schema. RBS defines several object classes and attributes that provide a mechanism for administrators to grant a user access to management tasks based on the user's role in the organization. This gives users access to only those tasks that the users need to perform. RBS grants only the rights necessary to perform assigned tasks.

Use RBS to create specific roles within your organization; the roles contain tasks that a user performs. You can assign a role to a user who then performs the tasks within iManager, such as creating a new user or changing a password. Tasks are preassigned to roles, but can be replaced, reassigned, or removed altogether.

Furthermore, users are associated with roles in a specified scope, which is a container in the tree in which the user has the requisite permissions to perform a task. A role requires this threefold association of role, members, and scope to be complete.

An RBS Role object creates an association between users and tasks. An administrator grants a user access to a task by making the user a member of the role to which the task is assigned.

A user can be assigned to a role in the following ways:

A user can be associated with a role multiple times, each with a different scope.

6.1.1 RBS Objects in eDirectory

The following table lists the RBS objects. iManager extends the eDirectory schema to include these objects when you install RBS. For more information, see Section 6.1.2, Installing RBS.

Object

Description

rbsCollection

A container object that holds all RBS Role and Module objects.

rbsCollection objects are the uppermost containers for all RBS objects. A tree can have any number of rbsCollection objects. These objects have owners, which are users who have management rights over the collection.

rbsCollection objects can be created in any of the following containers:

  • Country
  • Domain
  • Locality
  • Organization
  • Organizational Unit

rbsRole

Tasks that users (members) are authorized to perform. Defining a role includes creating an rbsRole object and specifying the tasks that the role can perform.

rbsRoles are container objects that can be created only in an rbsCollection container.

Role members can be Users, Groups, Organizations, or Organizational Units, and they are associated to a role in a specific scope of the tree. The rbsTask and rbsBook objects are assigned to rbsRole objects.

rbsTask

A leaf object that holds a specific function, such as resetting login passwords.

rbsTask objects are located only in rbsModule containers.

rbsBook

A leaf object that contains a list of pages assigned to the book. An rbsBook can be assigned to one or more Roles and to one or more Object class types.

rbsBook objects are located only in rbsModule containers.

rbsScope

A leaf object used for ACL assignments (instead of making assignments for each User object). rbsScope objects represent the context in the tree where a role is performed and are associated with rbsRole objects. They inherit from the Group class. User objects are assigned to an rbsScope object. These objects have a reference to the scope of the tree that they are associated with.

The objects are dynamically created when needed, then automatically deleted when no longer needed. They are located only in rbsRole containers.

WARNING: Never change the configuration of an rbsScope object. Doing so has serious consequences and could possibly break the system.

rbsModule

Represents a container object that holds rbsTask and rbsBook objects. rbsModule objects have a module name attribute that represents the name of the product that defines the tasks or books (for example, eDirectory Maintenance Utilities, NMAS™ Management, or Novell Certificate Server™ Access).

rbsModule objects can be created only in rbsCollection containers.

rbsCategory

A category groups together roles and tasks that are specific to a particular function. iManager has 14 default categories: Authentication & Passwords, Collaboration, Directory, File Management, Identity Manager, Infrastructure, Install & Upgrade, Network, Nsure Audit, Printing, Security, Servers, Software Licenses & Network Usage, and Users & Groups.

The ’All Categories’ selection displays all available roles and tasks.

You can also create new categories and assign roles and tasks to them.

RBS objects reside in the eDirectory tree as depicted in the following figure:

Figure 6-1 Role-Based Services in eDirectory

6.1.2 Installing RBS

RBS is installed using the iManager Configuration wizard.

  1. In iManager, click the Configure icon.

  2. Select Role Based Services > RBS Configuration.

  3. Select the Configure iManager link in the Notice.

  4. Follow the onscreen instructions.

6.1.3 RBS Configuration

The RBS Configuration task provides complete control over RBS objects. It is a central place for managing and configuring RBS objects. This task enables you to list and modify RBS objects by type. This gives you useful information about the RBS system, such as the number of modules in a collection, how many are installed, how many are not installed, and how many are outdated. For some operations you can operate on multiple objects at the same time. For example, you can associate or disassociate multiple members from a role at the same time.

Select Configure > Role-Based Services > RBS Configuration to open the RBS Configuration window. If RBS has not yet been configured on this iManager server, click the link in the window and follow the onscreen instructions.

Two tabs appear on the RBS Configuration screen:

  • 2.x Collection - The current collection of RBS objects
  • 1.x Collection - The older collection of RBS objects, which you can either Delete or Migrate to 2.x. If you select Migrate, a wizard steps you through the migration process.

You only see the collections you own.

  • Module indicates the number of modules on the Web server that you are logged into.
  • Installed lists the modules that are currently installed. Outdated modules are listed, as well as modules that are available but not installed.

From the RBS Configuration page you can create roles.

Creating a Role

To create a new iManager or eGuide role:

  1. Select a collection by clicking it.

  2. Click the Role tab.

    A list displays the roles belonging to the collection.

  3. Click New > iManager Role.

    The Create iManager Role wizard appears.

  4. Complete the steps in the wizard.

You can also delete roles. Under Actions, you can set a member association and define its scope; selecting Inherited grants the role's rights from that scope container down through its entire subtree. If Inherited is not selected, the rights are limited to the scope container itself.
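The object table above fixes where each RBS object class may be created, and the member association ties a role, a member, and a scope together, with Inherited deciding whether rights reach the whole subtree or only the scope container. The following Python model is an added example, not iManager's or eDirectory's own code: it checks a constructed directory export against the containment rules from the table and evaluates whether a member may perform a task on a given object. The attribute names (role_dn, member_dn, scope_dn, inherited), the sample DNs, and the reading of "limited to the container" as "objects located directly in that container" are this example's assumptions; the page does not name the real RBS schema attributes.

```python
"""Added example (not iManager's code): RBS containment rules and
scope-based authorization modelled over a constructed sample tree."""
from dataclasses import dataclass

# Containers in which each RBS object class may be created (from the object table).
ALLOWED_PARENTS = {
    "rbsCollection": {"Country", "Domain", "Locality",
                      "Organization", "Organizational Unit"},
    "rbsRole":   {"rbsCollection"},
    "rbsModule": {"rbsCollection"},
    "rbsTask":   {"rbsModule"},
    "rbsBook":   {"rbsModule"},
    "rbsScope":  {"rbsRole"},
}


def parent_dn(dn):
    """DN of the container holding dn (constructed DNs have no escaped commas)."""
    return dn.split(",", 1)[1] if "," in dn else ""


def validate_containment(tree):
    """tree maps DN -> object class. Return the DNs of RBS objects that sit in a
    container the RBS rules do not allow; an auditor would expect an empty list."""
    violations = []
    for dn, cls in tree.items():
        if cls not in ALLOWED_PARENTS:
            continue                      # not an RBS object, nothing to check
        if tree.get(parent_dn(dn)) not in ALLOWED_PARENTS[cls]:
            violations.append(dn)
    return sorted(violations)


@dataclass(frozen=True)
class Assignment:
    """The threefold association of role, member and scope (constructed field names)."""
    role_dn: str
    member_dn: str
    scope_dn: str
    inherited: bool   # True: rights flow down the subtree; False: scope container only


def in_scope(target_dn, scope_dn, inherited):
    """Inherited scope covers the scope container and everything beneath it.
    Non-inherited scope covers only objects located directly in that container
    (this example's reading of 'rights are limited to the container')."""
    if inherited:
        return target_dn == scope_dn or target_dn.endswith("," + scope_dn)
    return parent_dn(target_dn) == scope_dn


def can_perform(member_dn, task, target_dn, assignments, role_tasks, groups=None):
    """True if member_dn (directly, or via a group listed in groups[member_dn])
    holds a role that contains task and whose scope covers target_dn."""
    principals = {member_dn} | set((groups or {}).get(member_dn, ()))
    for a in assignments:
        if (a.member_dn in principals
                and task in role_tasks.get(a.role_dn, ())
                and in_scope(target_dn, a.scope_dn, a.inherited)):
            return True
    return False


# Constructed sample tree (DN -> object class); not a real export.
SAMPLE_TREE = {
    "o=acme": "Organization",
    "ou=Sales,o=acme": "Organizational Unit",
    "ou=West,ou=Sales,o=acme": "Organizational Unit",
    "ou=Eng,o=acme": "Organizational Unit",
    "cn=RBS,o=acme": "rbsCollection",
    "cn=Help Desk,cn=RBS,o=acme": "rbsRole",
    "cn=Base,cn=RBS,o=acme": "rbsModule",
    "cn=Set Password,cn=Base,cn=RBS,o=acme": "rbsTask",
    "cn=Orphan Task,cn=RBS,o=acme": "rbsTask",   # wrong parent: tasks belong in an rbsModule
}
HELP_DESK = "cn=Help Desk,cn=RBS,o=acme"
ALICE = "cn=alice,ou=Eng,o=acme"
ROLE_TASKS = {HELP_DESK: {"Set Password"}}
# The same user associated with one role twice, each time with a different scope.
ASSIGNMENTS = [
    Assignment(HELP_DESK, ALICE, "ou=Sales,o=acme", inherited=True),
    Assignment(HELP_DESK, ALICE, "ou=Eng,o=acme", inherited=False),
]

if __name__ == "__main__":
    print("containment violations:", validate_containment(SAMPLE_TREE))
    for target in ("cn=bob,ou=West,ou=Sales,o=acme",
                   "cn=carol,ou=Eng,o=acme",
                   "cn=dave,ou=Lab,ou=Eng,o=acme"):
        print(target, "->", can_perform(ALICE, "Set Password", target,
                                         ASSIGNMENTS, ROLE_TASKS))
```

Run stand-alone, the script reports the misplaced task object and shows that alice can reset passwords anywhere under ou=Sales (inherited scope) and directly in ou=Eng, but not in ou=Lab beneath ou=Eng, because that second scope is not inherited. Against a real tree the same two checks would be fed from an LDAP export rather than the constructed dictionary.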

6.1.4 Removing RBS

If Role-Based Services is no longer needed in the tree, the RBS Collection object can be safely deleted through iManager. Deleting the RBS collection also cleans up all user role associations and scopes in the tree automatically. Do not delete the RBS collection using other utilities, such as ConsoleOne®.

Remove RBS by using the RBS Configuration task.

  1. In iManager, select the Configure view.

  2. Select Role Based Services > RBS Configuration.

  3. Select the check box next to the collection to be deleted.

  4. Click Delete.

After the RBS collection is deleted, all users logging into iManager still enter Assigned Access mode, even though there is no longer an RBS collection object in the tree.

Changing to Unrestricted Mode

To switch back to Unrestricted mode (the default mode):

  1. In Configure, select iManager Server > Configure iManager.

  2. Select the RBS tab.

  3. Remove the tree name in the RBS Tree List field by selecting the minus button to the right of the field.

  4. Click Save.

  5. Log out of iManager and log in again.

6.1.5 Plug-In Studio

Plug-In Studio offers a quick and easy way to streamline the tasks that you do several times a day. Use Plug-in Studio to dynamically create tasks for your most frequently used operations. You can also edit and delete tasks here. For example, to modify a user, instead of selecting Modify Object, you can create a dynamic UI that edits only the attributes you have selected, such as first name or title. Data is stored in the $TOMCAT_HOME/webapps/nps/portal/modules/custom directory. (The path may differ if you use a different Web server program.)

NOTE: The language in which a task is rendered is determined by the language in use by the Web browser. A task can be displayed in any language supported by iManager, because the text strings used to create tasks in Plug-In Studio have already been translated into all of iManager's supported languages. The Web browser automatically displays the task's text strings in its currently selected language.

Creating a New Task

To create a new task:

  1. In Configure, select Role-Based Services > Plug-in Studio.

  2. Click New.

    The Task Builder appears to help you build custom tasks and property pages.

  3. Choose an object type and platform by populating the following fields:

    • Available classes: (any class in eDirectory)
    • Target Device: Default (supported browsers), Browser (IE)
    • Plug-in Type: Task for Modify, Property Book Page, Task for Create, Task for Delete
    • Add Auxiliary Classes: (eDirectory)
  4. In the Plug-in Fields screen, select or populate the following and click Install.

    • Attributes

      Select an attribute from the list of available attributes for the selected object class.

      Click the attribute to list all available controls for the selected attribute. Double-click to accept the default control and move it into the plug-in field.

      There are three icons beside a selected control:

      • The flashing red icon indicates a required field.

        Click it to add available values, then click OK, and the icon stops flashing.

      • The down arrow allows you to change a control.

        This is the same control that displayed when you clicked the attribute. Change it to any available control for the selected attribute.

      • The third icon deletes the attribute.
    • Controls

      This box lists your attribute selection.

    • Plug-in Properties

      Below Plug-in Properties, in the left area of the page, give the plug-in an ID and assign the task to an RBS collection. Open the Object Selector to find the RBS collection. Assign the task to a role. The role you assign determines where it appears in the Roles and Tasks screen.

      For example, if you choose User Management, the task appears under that role. Click Preview to open the task in a new browser window and verify your design choices, then close the preview. Click Install, and iManager dynamically builds the .xml file, the .jsp file, and the Java* files that execute the task, and installs it into the system.

Editing a Task

  1. In Configure, select Role-Based Services > Plug-in Studio.

  2. Select the task and click Edit.

  3. Modify the settings described in the create procedure and click Install.

    A confirmation message appears: “The plug-in was successfully created and installed.”

Deleting a task

  1. In Configure, select Role-Based Services > Plug-in Studio.

  2. Select the task and click Delete.

    A message appears: “Are you sure you want to delete this plug-in?”

  3. Click OK.

    A confirmation message appears: “The plug-in has been successfully deleted.”

6.1.6 Edit Member Association

There are two ways to associate members with roles: either go to a member and assign it to a role within a scope, or go to the role, and assign members and scope to it. The Edit Member Association feature assigns a role to a selected member.

  1. In Roles and Tasks, select Configure > Role Based Services > Edit Member Association.

  2. Specify a member and click OK.

    A list appears displaying the roles this member is assigned to.

  3. Specify a role.

    When specifying the role to use in the Member Association, you can type in the full name of the RBS Role object. However, it is much easier to use the Object Selector (the magnifying glass button), from which you can either Browse to the desired Role, or Search for the desired Role from those available in the current eDirectory tree.

  4. Specify the scope and click OK.

    This data is saved to eDirectory. The next time that member logs in, the newly assigned role appears in the left-hand column of iManager.

6.1.7 Edit Owner Collections

Use this feature to allow administration of RBS objects by assigned owners.

  1. Specify a collection owner and click OK.

  2. Add or remove collections this person can own, and click OK.

6.1.8 Create Server Administration Task

Step through the wizard to build custom tasks to access a server’s services. Before you do this, verify that the service is available on the server.