iManager gives you the ability to assign specific responsibilities to users and to present them with the tools (and their accompanying rights) necessary to perform those sets of responsibilities. This functionality is called Role-Based Services (RBS).
Role-Based Services is a set of extensions to the eDirectory schema. RBS defines several object classes and attributes that provide a mechanism for administrators to grant a user access to management tasks based on the user's role in the organization. This gives users access to only those tasks that the users need to perform. RBS grants only the rights necessary to perform assigned tasks.
NOTE: Novell iManager Role-Based Services (RBS) grants rights based upon the Access Control List (ACL) capability of Novell eDirectory. The ACLs allow a trustee to be granted rights to a specific object or its subordinate objects. ACLs are not granted based upon specific object types. Each Novell iManager task defines its applicable object types and necessary ACLs. However, because the ACLs are not restricted by object type, they also allow the user to perform those operations on other object types through eDirectory APIs or other tools such as Novell ConsoleOne or NWAdmin.
Use RBS to create specific roles within your organization; the roles contain tasks that an assigned user can perform within iManager, such as creating a new user or changing a password. Tasks are preassigned to roles but can be replaced, reassigned, or removed altogether.
Furthermore, users are associated with roles in a specified scope, which is a container in the tree in which the user has the requisite permissions to perform a task. A role requires this threefold association of role, members, and scope to be complete.
An RBS Role object creates an association between users and tasks. An administrator grants a user access to a task by making the user a member of the role to which the task is assigned.
A user can be assigned to a role in the following ways:
Directly as a user
Through group and dynamic group assignments
If a user is a member of a group or a dynamic group that is assigned to a role, then the user has access to the role.
Through organizational role assignments
If a user is an occupant of an organizational role that is assigned a role, then the user has access to the role.
Through container assignment
A User object has access to all of the roles that its parent container is assigned. This could also include other containers up to the root of the tree.
A user can be associated with a role multiple times, each with a different scope.
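When reviewing who can actually reach a role, all four assignment paths above have to be resolved together. The following is an added example, not code from iManager or the original page: it uses a constructed in-memory model (the DNs, role names, and data structures are assumptions, not the RBS schema), treats group and dynamic group membership as already resolved, and splits DNs on commas without handling escaped commas.

```python
# Added example: constructed in-memory model, not eDirectory's schema or API.
from collections import defaultdict

# Role assignments as (assignee DN, role, scope container). All values are constructed.
ASSIGNMENTS = [
    ("cn=jsmith,ou=hr,o=acme", "Password Helpdesk", "ou=hr,o=acme"),
    ("cn=hr-admins,ou=hr,o=acme", "User Management", "ou=hr,o=acme"),
    ("cn=site-lead,ou=hr,o=acme", "User Management", "ou=sales,o=acme"),
    ("o=acme", "Password Helpdesk", "o=acme"),
]
# Resolved membership of groups (static or dynamic) and organizational roles.
GROUP_MEMBERS = {"cn=hr-admins,ou=hr,o=acme": {"cn=jsmith,ou=hr,o=acme"}}
ORG_ROLE_OCCUPANTS = {"cn=site-lead,ou=hr,o=acme": {"cn=jsmith,ou=hr,o=acme"}}


def parent_containers(dn):
    """Yield each container above dn, nearest first, up to the top of the tree."""
    parts = dn.split(",")
    for i in range(1, len(parts)):
        yield ",".join(parts[i:])


def effective_roles(user_dn):
    """Return {(role, scope): sorted list of paths that grant it to user_dn}."""
    # Map every identity the user can act through to a description of the path.
    via = {user_dn: "direct"}
    for group, members in GROUP_MEMBERS.items():
        if user_dn in members:
            via[group] = "group " + group
    for org_role, occupants in ORG_ROLE_OCCUPANTS.items():
        if user_dn in occupants:
            via[org_role] = "organizational role " + org_role
    for container in parent_containers(user_dn):
        via[container] = "container " + container
    found = defaultdict(list)
    for assignee, role, scope in ASSIGNMENTS:
        if assignee in via:
            found[(role, scope)].append(via[assignee])
    return {key: sorted(paths) for key, paths in found.items()}


if __name__ == "__main__":
    user = "cn=jsmith,ou=hr,o=acme"
    for (role, scope), paths in sorted(effective_roles(user).items()):
        print(f"{role} @ {scope}: {', '.join(paths)}")
```

In this constructed data the user holds each role twice with different scopes, and the container assignment on `o=acme` gives a wider scope than the direct assignment.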
The following table lists the RBS objects. iManager extends the eDirectory schema to include these objects when you install RBS. For more information, see Installing RBS.
RBS objects reside in the eDirectory tree as depicted in the following figure:
Figure 6-1 Role-Based Services in eDirectory
RBS is installed using the iManager Configuration Wizard.
In the Configure view, select > .
Select .
Follow the on-screen instructions.
If Role-Based Services is no longer needed in the tree, the RBS Collection object can be safely deleted through iManager. Deleting the RBS collection automatically cleans up all user role associations and scopes in the tree. Do not delete the RBS collection using other utilities, such as ConsoleOne.
To remove Role-Based Services:
In the Configure view, select > .
Select the collection to be deleted.
Click .
After the RBS collection is deleted, all users logging in to iManager enter Assigned Access mode even though there is no RBS collection object in the tree.
To switch back to Unrestricted mode (the default mode):
In the Configure view, select > .
Select the tab.
Select the appropriate tree name in the field, then click the minus button.
Click .
NOTE: When using iManager in Unrestricted mode, you typically see the following message on the iManager Home Page: Notice: Some of the roles and tasks are not available. Clicking might display a Not supported by current authenticators message for several of the tasks, even though the tasks work correctly. This message is misleading, and iManager removes these messages after you configure RBS.