Novell Documentation: ZENworks for Servers 3.0.2

Role-Based Administration

You can use ConsoleOne, a directory-enabled framework for running Novell network administration utilities. The ZfS snap-ins to ConsoleOne fully leverage eDirectory to enable role-based administration and higher levels of security. Through eDirectory, users will be able to log in once and have access to the management components as specified by their roles within their specific scope.

The ZfS snap-ins to ConsoleOne allows you to divide the task of network administration amongst administrators. With ConsoleOne, the functions and tasks of ZfS are organized into different, customized "views" based on each administrator's role in your organization.

The following sections discuss role-based administration:

ZfS Management Site

The ZfS management site sets boundaries for accessing object data on the management server through the role-based services. You can create roles and tasks and further define the level of access to network objects and information from the network container space.

When you install ZfS Management and Monitoring Services, a management site, a system administrator role (RBS Admin), and all the site objects are created in eDirectory. A management site defines the scope of objects (networks, segments, routers, bridges, switches, servers, workstations, and so on) discovered on your network. You can create a single site or multiple sites, depending on the size of your network or network management requirements. A management site could include a single local network configuration or could encompass your entire network. The boundaries of a site are defined by the scope of network discovery. By default, network discovery is set to discover all connected networks and network nodes. The site object is created in the same context as the server object.

During installation, the default management site that is created is shown below. A single administration role is established with rights and permissions to all configuration and management tasks in the management system.

Some default roles that monitor network traffic, handle alarms, and manage server systems, are available and allow you to add users. You can also use them as examples for your new role creations.

In the ZfS role-based services (RBS), permissions that are required to access network objects, configurations, and information are associated with roles. eDirectory User objects can be assigned to appropriate roles. The levels of abstractions in a role are described below:

Roles - Created to perform various network management functions in your organization. You can simplify granting of permissions and restrict access to management tools and data by creating appropriate roles.
Tasks - Actions performed to utilize components of the management system based on the specific responsibilities.
Component/module - A software tool that provides a network management function. ZfS includes components for managing servers, monitoring segment traffic, and providing common services such as database management, alarm handling, and report generation.

The users added to a role, however, retain the access rights, permissions, and policies granted through the eDirectory user account. For example, a user may be granted permission to access and configure a server through eDirectory, but may not be granted permission to manage the server through the RBS in ZfS. Therefore the management role that the user is assigned has limited access to the management services or components/modules in the ZfS management system.

General ZfS Roles

ZfS components support role-based services (RBS) and task management through eDirectory. ZfS uses RBS to organize ZfS tasks into roles and to assign scope information to a role, user or a group.

RBS roles specify the tasks that users are authorized to perform. Defining an RBS role includes creating an RBS role object and specifying the tasks that the role can perform.

The tasks that RBS roles can perform are displayed as RBS Task objects in your eDirectory tree. These objects are organized into one or more RBS modules, which are containers that correspond to the different ZfS components. As shown in the figure below, ZfS provides predefined modules and RBS role objects.

IMPORTANT: You cannot create new modules or tasks. You have to select from the pre-defined modules and tasks that are available.

A list of predefined ZfS modules and RBS role objects

You can create any role using the modules and tasks. Each module can have one or more tasks. For example, RBS defines the task for Monitoring Services as Enable Remote Ping. If this task is assigned to your role, you can use the Monitoring Services facility. For a list of the predefined ZfS modules and ZfS roles along with the associated tasks, see ZfS Role-Based Modules and Roles.

For more information on creating role objects using tasks and modules, see Configuring Role-Based Administration.

ZfS Role-Based Modules and Roles

This section provides the following tables:

ZfS Role-Based Modules and Associated Tasks

ZfS RBS Predefined Roles and Associated Tasks

The following table lists each ZfS RBS module and the tasks that can be performed for the module.

ZfS RBS Module	Associated Tasks
Alarm Manager	Add Alarm Note Assign Alarm Define Alarm Disposition Delete Alarm View Active Alarms View Active Alarm History View Alarm Summary
Database Object Editor	Database Object Editor
DB_Admin_Tool	DB_BACKUP Database Password Change
MIB Browser	Enable MIB Browser
MIB Compiler	Enable MIB Compiler
Node Management	Clearing a Connection Create Health Profiles Create Health Reports Delete Health Profiles Delete Health Reports Downing a Server Loading an NLM Mounting and Dismounting a Volume Read Only All Read Only All Tabular View Read Only Health Profiles Read Only Health Reports Read Only Homepage Read Only HostFileSystemView Read Only InstalledSoftwareView Read Only NetWareLoadableModuleView Read Only NetWareUserView Read Only NetworkPerformanceView Read Only NTDiskListview Read Only NTMemoryUsageView Read Only NTNetworkView Read Only NTPartitionView Read Only NTApadpterView Read Only NTConnectionListView Read Only NWDiskListView Read Only NWMemoryUsageView Read Only NWNetworkMediaView Read Only NWProtocolView Read Only NWFileListView
	Read Only NWPartitionView Read Only NWQueueJobsListView Read Only NWQueueListView Read Only NWVolumeListView Read Only NWVolumeSegmentView Read Only NWVolumeUsageView Read Only NWRunningSoftwareView Read Only Set Parameter Read Only Trend Read Write All Read Write All TabularView Read Write Health Profiles Read Write Health Reports Read Write Set Parameter Read Write Trend Remote Controlling Restarting a Server Unloading an NLM
Remote Ping	Enable Remote Ping
Traffic Management	Adding_Nodes_For_InactivityMonitoring Adding_Protocols_For_ProtocalDirectory Capture_Packets Deleting_Nodes_For_Inactivity Deleting_Protocols_For_ProtocolDirectory Freeing Agent Resources Setting_Segment_Alarms View_Conversations View_LANZ_Agents View_Protocol_Directory View_RMON_Summary
	View_Segment_Alarms View_Segment_Dashboard View_Segment_Monitor_Nodes_For_Inactivity View_Segment_Protocal_Distribution View_Segment_Stations View_Segment_Summary View_Segment_Trends View_Switch_Port_Traffic View_Switch_Summary
Unified View	Unified View for Devices Unified View for Segments
ZfS Maps	Import Layout Print Rebuild Rename Save

The following table lists each predefined ZfS RBS and the specific tasks that can be performed for each of the roles.

Management and Monitoring Services Predefined RBS Role	Management and Monitoring Services RBS Module	Assigned Default Tasks
RBS_Administrator	All Modules	All available tasks
Segment_ Administrator	Alarm Manager	View Alarm Summary View Active Alarms View Alarm History Assign Alarms Add Alarm Note
	DM_Admin_Tool	No available tasks
	MIB Browser	No available tasks
	MIB Compiler	Enable MIB Compiler
	Node Management	Read Only Health Profiles Read Only Health Reports
	Remote Ping	Enable Remote Ping
	Traffic Management	Adding_Nodes_For_InactivityMonitoring Adding_Protocols_For_ProtocolDirectory Capture_Packets Setting_Segment_Alarms View_Conversations View_LANZ_Agents View_Protocol_Directory View_RMON_Summary View_Segment_Alarms View_Segment_Dashboard View_Segment_Monitor_Nodes_For_Inactivity View_Segment_Protocal_Distribution View_Segment_Stations View_Segment_Summary View_Segment_Trends View_Switch_Port_Traffic View_Switch_Summary
	ZfS Maps	Layout Print
	Unified Views	Unified Views for Segments
Segment Manager	Alarm Manager	Assign Alarms Define Alarms Disposition Delete Alarms View Alarm Summary View Active Alarms View Alarm History Add Alarm Note
	DM_Admin_Tool	No available tasks
	Database Object Editor	Database Object Editor
	MIB Browser	Enable MIB Browser
	MIB Compiler	Enable MIB Compiler
	Node Management	Create Health Profiles Create Health Reports Delete Health Profiles Delete Health Reports Read Write Health Profiles Read Only Health Profiles Read Write Health Reports Read Only Health Reports
	Remote Ping	Enable Remote Ping
Segment Manager continued	Traffic Management	Adding_Nodes_For_InactivityMonitoring Adding_Protocols_For_ProtocalDirectory Capture_Packets Deleting_Nodes_For_InactivityMonitoring Deleting_Protocols_For_ProtocolDirectory Freeing Agent Resources Setting_Segment_Alarms View_Conversations View_LANZ_Agents View_Protocol_Directory View_RMON_Summary View_Segment_Alarms View_Segment_Dashboard View_Segment_Monitor_Nodes_For_Inactivity View_Segment_Protocal_Distribution View_Segment_Stations View_Segment_Summary View_Segment_Trends View_Switch_Port_Traffic View_Switch_Summary
Segment Manager continued	ZfS Maps	Import Layout Print Rebuild Rename Save
Segment Monitor	Alarm Manager	View Alarm Summary View Active Alarms View Alarm History
	DM_Admin_Tool	No available tasks
	MIB Compiler	No available tasks
	MIB Browser	No available tasks
	Node Management	Read Only Health Profiles Read Only Health Reports
	Remote Ping	Enable Remote Ping
	Traffic Management	Capture_Packets View_Conversations View_LANZ_Agents View_Protocol_Directory View_RMON_Summary View_Segment_Alarms View_Segment_Dashboard View_Segment_Monitor_Nodes_For_Inactivity View_Segment_Protocal_Distribution View_Segment_Stations View_Segment_Summary View_Segment_Trends View_Switch_Port_Traffic View_Switch_Summary
	ZfS Maps	Layout Print
	Unified Views	Unified View for Segments
Server Administrator	Alarm Manager	Assign Alarm Define Alarm Disposition Delete Alarm View Alarm Summary View Active Alarms View Alarm History Add Alarm Note
	DM_Admin_Tool	No available tasks
	MIB Browser	Enable MIB Browser
	MIB Compiler	No available tasks
	Node Management	Clearing a Connection Loading an NLM Mounting and Dismounting a Server Volume Downing a Server Read Only Health Profiles Read Only Health Reports Read Write All Restarting a Server Unloading an NLM
	Remote Ping	Enable Remote Ping
	Traffic Management	No available tasks
	ZfS Maps	Layout Print
	Unified Views	Unified Views for Devices
Server Manager	Alarm Manager	Assign Alarm Define Alarm Disposition Delete Alarm View Alarm Summary View Active Alarms View Alarm History Add Alarm Note
	DM_Admin_Tool	No available tasks
	MIB Browser	No available tasks
	MIB Compiler	No available tasks
	Node Management	Clearing a Connection Create Health Profiles Create Health Reports Delete Health Profiles Delete Health Reports Downing a Server Loading an NLM Mounting and Dismounting a Server Volume Read Only Health Profiles Read Only Health Reports Read Write All Read Write Health Profiles Read Write Health Reports Restarting a Server Unloading an NLM
	Remote Ping	No available tasks
	Traffic Management	No available tasks
	ZfS Maps	Import Layout Print Rebuild Rename Save
Server Manager continued	Database Object Editor	Database Object Editor
Server Manager continued	Unified Views	Unified View for Devices
Server Monitor	Alarm Manager	View Alarm Summary View Active Alarms View Alarm History
	DM_Admin_Tool	No available tasks
	MIB Browser	No available tasks
	MIB Compiler	No available tasks
	Node Management	Read Only Health Profiles Read Only Health Reports Read Only Homepage Read Only HostFileSystemView Read Only InstalledSoftwareView Read Only NetWareLoadableModulesView Read Only NetWareUserView Read Only NetworkPerformanceView Read Only NTDiskListview Read Only NTMemoryUsageView Read Only NTNetworkView Read Only NWConnectionListView Read Only NWOpenListView Read Only NWDiskListView Read Only NWMemoryUsageView Read Only NWNetworkMediaView Read Only NWFileListView Read Only NWVolumeListView Read Only NWVolumeUsageView Read Only RunningSoftwareView Read Only Trend
	Remote Ping	Enable Remote Ping
	Traffic Management	No available tasks
	ZfS Maps	Layout Print
Site Database Administrator	Alarm Manager	No available tasks
	DM_Admin_Tool	DB_BACKUP Database Password Change
	MIB Browser	No available tasks
	MIB Compiler	No available tasks
	Node Management	No available tasks
	Remote Ping	No available tasks
	Traffic Management	No available tasks
	ZfS Maps	No available tasks

Configuring Role-Based Administration

Defining an RBS role includes creating an RBS role object and specifying the tasks that the role can perform.

The following sections discuss how to configure Role- Based Administration:

Defining RBS Role

RBS roles specify the tasks that users are authorized to perform in specific administration applications. Defining an RBS role includes the following sections:

Creating an RBS Role Object

To create an RBS role object:

Right-click the container that you want to create the RBS role object > click New > click Object.
Under Class, select RBS:Role > click OK.
Enter a name for the new RBS role object.

Ensure to follow proper eDirectory naming conventions. For eDirectory naming conventions see Novell eDirectory Administration Guide.

Example: Password Administrator Role.
Click OK.

Specifying the Tasks that RBS Roles Can Perform

To specify the tasks:

Right-click an RBS role > click Properties.

RBS task objects are located only in RBS module containers
In the Role Based Services tab, make the associations you want.
Select the Role Content page > Add the list of tasks that the role can perform.
Click OK.

Creating an External Scope

To create an external scope:

Right-click the container that you want to create the scope object > click New > click Object.
Under Class, select MW:Scope > click OK.
Enter a name for the new MW:Scope object.

Ensure to follow proper eDirectory naming conventions. For eDirectory naming conventions see Novell eDirectory Administration Guide.

Example: Password Administrator Role.
Click OK.

Configuring a Scope Object

To configure a scope object:

Right-click the scope object > click Properties.
Browse the site object to which the scope is associated.
In the Site scope browse to select the computers to the site scope.
In the SQL script specify the scope by selecting the object and the operator from the drop-down list.
Click OK.

IMPORTANT: By default the scope object will have all-site access.

The effective scope will be a union of Site scope and the objects specified in SQL script.

Assigning RBS Role Membership and Scope

To assign an RBS role and scope to a user:

Right-click the user object to which you want to assign the role and scope > click Properties.
Click on Role Based Services Tab > Assigned Roles.
Click Add to add the required role to the user.
Click Scope to add the scope for the user.
Click OK.

IMPORTANT: If a user is assigned two different roles with different scopes, the user has rights to all the tasks (union of tasks in role1 and tasks in role2) irrespective of the scopes.

You cannot assign role and scope to User groups and Organization Unit.