Role-Based Administration
You can use ConsoleOne, a directory-enabled framework for running Novell network administration utilities. The ZfS snap-ins to ConsoleOne fully leverage eDirectory to enable role-based administration and higher levels of security. Through eDirectory, users will be able to log in once and have access to the management components as specified by their roles within their specific scope.
The ZfS snap-ins to ConsoleOne allows you to divide the task of network administration amongst administrators. With ConsoleOne, the functions and tasks of ZfS are organized into different, customized "views" based on each administrator's role in your organization.
The following sections discuss role-based administration:
ZfS Management Site
The ZfS management site sets boundaries for accessing object data on the management server through the role-based services. You can create roles and tasks and further define the level of access to network objects and information from the network container space.
When you install ZfS Management and Monitoring Services, a management site, a system administrator role (RBS Admin), and all the site objects are created in eDirectory. A management site defines the scope of objects (networks, segments, routers, bridges, switches, servers, workstations, and so on) discovered on your network. You can create a single site or multiple sites, depending on the size of your network or network management requirements. A management site could include a single local network configuration or could encompass your entire network. The boundaries of a site are defined by the scope of network discovery. By default, network discovery is set to discover all connected networks and network nodes. The site object is created in the same context as the server object.
During installation, the default management site that is created is shown below. A single administration role is established with rights and permissions to all configuration and management tasks in the management system.
Some default roles that monitor network traffic, handle alarms, and manage server systems, are available and allow you to add users. You can also use them as examples for your new role creations.
In the ZfS role-based services (RBS), permissions that are required to access network objects, configurations, and information are associated with roles. eDirectory User objects can be assigned to appropriate roles. The levels of abstractions in a role are described below:
- Roles - Created to perform various network management functions in your organization. You can simplify granting of permissions and restrict access to management tools and data by creating appropriate roles.
- Tasks - Actions performed to utilize components of the management system based on the specific responsibilities.
- Component/module - A software tool that provides a network management function. ZfS includes components for managing servers, monitoring segment traffic, and providing common services such as database management, alarm handling, and report generation.
The users added to a role, however, retain the access rights, permissions, and policies granted through the eDirectory user account. For example, a user may be granted permission to access and configure a server through eDirectory, but may not be granted permission to manage the server through the RBS in ZfS. Therefore the management role that the user is assigned has limited access to the management services or components/modules in the ZfS management system.
General ZfS Roles
ZfS components support role-based services (RBS) and task management through eDirectory. ZfS uses RBS to organize ZfS tasks into roles and to assign scope information to a role, user or a group.
RBS roles specify the tasks that users are authorized to perform. Defining an RBS role includes creating an RBS role object and specifying the tasks that the role can perform.
The tasks that RBS roles can perform are displayed as RBS Task objects in your eDirectory tree. These objects are organized into one or more RBS modules, which are containers that correspond to the different ZfS components. As shown in the figure below, ZfS provides predefined modules and RBS role objects.
IMPORTANT: You cannot create new modules or tasks. You have to select from the pre-defined modules and tasks that are available.
You can create any role using the modules and tasks. Each module can have one or more tasks. For example, RBS defines the task for Monitoring Services as Enable Remote Ping. If this task is assigned to your role, you can use the Monitoring Services facility. For a list of the predefined ZfS modules and ZfS roles along with the associated tasks, see ZfS Role-Based Modules and Roles.
For more information on creating role objects using tasks and modules, see Configuring Role-Based Administration.
ZfS Role-Based Modules and Roles
This section provides the following tables:
- ZfS Role-Based Modules and Associated Tasks
- ZfS RBS Predefined Roles and Associated Tasks
The following table lists each ZfS RBS module and the tasks that can be performed for the module.
Alarm Manager |
- Add Alarm Note
- Assign Alarm
- Define Alarm Disposition
- Delete Alarm
- View Active Alarms
- View Active Alarm History
- View Alarm Summary
|
Database Object Editor |
Database Object Editor |
DB_Admin_Tool |
- DB_BACKUP
- Database Password Change
|
MIB Browser |
Enable MIB Browser |
MIB Compiler |
Enable MIB Compiler |
Node Management |
- Clearing a Connection
- Create Health Profiles
- Create Health Reports
- Delete Health Profiles
- Delete Health Reports
- Downing a Server
- Loading an NLM
- Mounting and Dismounting a Volume
- Read Only All
- Read Only All Tabular View
- Read Only Health Profiles
- Read Only Health Reports
- Read Only Homepage
- Read Only HostFileSystemView
- Read Only InstalledSoftwareView
- Read Only NetWareLoadableModuleView
- Read Only NetWareUserView
- Read Only NetworkPerformanceView
- Read Only NTDiskListview
- Read Only NTMemoryUsageView
- Read Only NTNetworkView
- Read Only NTPartitionView
- Read Only NTApadpterView
- Read Only NTConnectionListView
- Read Only NWDiskListView
- Read Only NWMemoryUsageView
- Read Only NWNetworkMediaView
- Read Only NWProtocolView
- Read Only NWFileListView
|
|
- Read Only NWPartitionView
- Read Only NWQueueJobsListView
- Read Only NWQueueListView
- Read Only NWVolumeListView
- Read Only NWVolumeSegmentView
- Read Only NWVolumeUsageView
- Read Only NWRunningSoftwareView
- Read Only Set Parameter
- Read Only Trend
- Read Write All
- Read Write All TabularView
- Read Write Health Profiles
- Read Write Health Reports
- Read Write Set Parameter
- Read Write Trend
- Remote Controlling
- Restarting a Server
- Unloading an NLM
|
Remote Ping |
Enable Remote Ping |
Traffic Management |
- Adding_Nodes_For_InactivityMonitoring
- Adding_Protocols_For_ProtocalDirectory
- Capture_Packets
- Deleting_Nodes_For_Inactivity
- Deleting_Protocols_For_ProtocolDirectory
- Freeing Agent Resources
- Setting_Segment_Alarms
- View_Conversations
- View_LANZ_Agents
- View_Protocol_Directory
- View_RMON_Summary
|
|
- View_Segment_Alarms
- View_Segment_Dashboard
- View_Segment_Monitor_Nodes_For_Inactivity
- View_Segment_Protocal_Distribution
- View_Segment_Stations
- View_Segment_Summary
- View_Segment_Trends
- View_Switch_Port_Traffic
- View_Switch_Summary
|
Unified View |
- Unified View for Devices
- Unified View for Segments
|
ZfS Maps |
- Import
- Layout
- Print
- Rebuild
- Rename
- Save
|
The following table lists each predefined ZfS RBS and the specific tasks that can be performed for each of the roles.
RBS_Administrator |
All Modules |
All available tasks |
Segment_ Administrator |
Alarm Manager |
- View Alarm Summary
- View Active Alarms
- View Alarm History
- Assign Alarms
- Add Alarm Note
|
DM_Admin_Tool |
No available tasks |
MIB Browser |
No available tasks |
MIB Compiler |
Enable MIB Compiler |
Node Management |
- Read Only Health Profiles
- Read Only Health Reports
|
Remote Ping |
Enable Remote Ping |
Traffic Management |
- Adding_Nodes_For_InactivityMonitoring
- Adding_Protocols_For_ProtocolDirectory
- Capture_Packets
- Setting_Segment_Alarms
- View_Conversations
- View_LANZ_Agents
- View_Protocol_Directory
- View_RMON_Summary
- View_Segment_Alarms
- View_Segment_Dashboard
- View_Segment_Monitor_Nodes_For_Inactivity
- View_Segment_Protocal_Distribution
- View_Segment_Stations
- View_Segment_Summary
- View_Segment_Trends
- View_Switch_Port_Traffic
- View_Switch_Summary
|
ZfS Maps |
|
Unified Views |
Unified Views for Segments |
Segment Manager |
Alarm Manager |
- Assign Alarms
- Define Alarms Disposition
- Delete Alarms
- View Alarm Summary
- View Active Alarms
- View Alarm History
- Add Alarm Note
|
DM_Admin_Tool |
No available tasks |
Database Object Editor |
Database Object Editor |
MIB Browser |
Enable MIB Browser |
MIB Compiler |
Enable MIB Compiler |
Node Management |
- Create Health Profiles
- Create Health Reports
- Delete Health Profiles
- Delete Health Reports
- Read Write Health Profiles
- Read Only Health Profiles
- Read Write Health Reports
- Read Only Health Reports
|
Remote Ping |
Enable Remote Ping |
Segment Manager continued |
Traffic Management |
- Adding_Nodes_For_InactivityMonitoring
- Adding_Protocols_For_ProtocalDirectory
- Capture_Packets
- Deleting_Nodes_For_InactivityMonitoring
- Deleting_Protocols_For_ProtocolDirectory
- Freeing Agent Resources
- Setting_Segment_Alarms
- View_Conversations
- View_LANZ_Agents
- View_Protocol_Directory
- View_RMON_Summary
- View_Segment_Alarms
- View_Segment_Dashboard
- View_Segment_Monitor_Nodes_For_Inactivity
- View_Segment_Protocal_Distribution
- View_Segment_Stations
- View_Segment_Summary
- View_Segment_Trends
- View_Switch_Port_Traffic
- View_Switch_Summary
|
ZfS Maps |
- Import
- Layout
- Print
- Rebuild
- Rename
- Save
|
Segment Monitor |
Alarm Manager |
- View Alarm Summary
- View Active Alarms
- View Alarm History
|
DM_Admin_Tool |
No available tasks |
MIB Compiler |
No available tasks |
MIB Browser |
No available tasks |
Node Management |
- Read Only Health Profiles
- Read Only Health Reports
|
Remote Ping |
Enable Remote Ping |
Traffic Management |
- Capture_Packets
- View_Conversations
- View_LANZ_Agents
- View_Protocol_Directory
- View_RMON_Summary
- View_Segment_Alarms
- View_Segment_Dashboard
- View_Segment_Monitor_Nodes_For_Inactivity
- View_Segment_Protocal_Distribution
- View_Segment_Stations
- View_Segment_Summary
- View_Segment_Trends
- View_Switch_Port_Traffic
- View_Switch_Summary
|
ZfS Maps |
|
Unified Views |
Unified View for Segments |
Server Administrator |
Alarm Manager |
- Assign Alarm
- Define Alarm Disposition
- Delete Alarm
- View Alarm Summary
- View Active Alarms
- View Alarm History
- Add Alarm Note
|
DM_Admin_Tool |
No available tasks |
MIB Browser |
Enable MIB Browser |
MIB Compiler |
No available tasks |
Node Management |
- Clearing a Connection
- Loading an NLM
- Mounting and Dismounting a Server Volume
- Downing a Server
- Read Only Health Profiles
- Read Only Health Reports
- Read Write All
- Restarting a Server
- Unloading an NLM
|
Remote Ping |
Enable Remote Ping |
Traffic Management |
No available tasks |
ZfS Maps |
|
Unified Views |
Unified Views for Devices |
Server Manager |
Alarm Manager |
- Assign Alarm
- Define Alarm Disposition
- Delete Alarm
- View Alarm Summary
- View Active Alarms
- View Alarm History
- Add Alarm Note
|
DM_Admin_Tool |
No available tasks |
MIB Browser |
No available tasks |
MIB Compiler |
No available tasks |
Node Management |
- Clearing a Connection
- Create Health Profiles
- Create Health Reports
- Delete Health Profiles
- Delete Health Reports
- Downing a Server
- Loading an NLM
- Mounting and Dismounting a Server Volume
- Read Only Health Profiles
- Read Only Health Reports
- Read Write All
- Read Write Health Profiles
- Read Write Health Reports
- Restarting a Server
- Unloading an NLM
|
Remote Ping |
No available tasks |
Traffic Management |
No available tasks |
ZfS Maps |
- Import
- Layout
- Print
- Rebuild
- Rename
- Save
|
Server Manager continued |
Database Object Editor |
Database Object Editor |
Unified Views |
Unified View for Devices |
Server Monitor |
Alarm Manager |
- View Alarm Summary
- View Active Alarms
- View Alarm History
|
DM_Admin_Tool |
No available tasks |
MIB Browser |
No available tasks |
MIB Compiler |
No available tasks |
Node Management |
- Read Only Health Profiles
- Read Only Health Reports
- Read Only Homepage
- Read Only HostFileSystemView
- Read Only InstalledSoftwareView
- Read Only NetWareLoadableModulesView
- Read Only NetWareUserView
- Read Only NetworkPerformanceView
- Read Only NTDiskListview
- Read Only NTMemoryUsageView
- Read Only NTNetworkView
- Read Only NWConnectionListView
- Read Only NWOpenListView
- Read Only NWDiskListView
- Read Only NWMemoryUsageView
- Read Only NWNetworkMediaView
- Read Only NWFileListView
- Read Only NWVolumeListView
- Read Only NWVolumeUsageView
- Read Only RunningSoftwareView
- Read Only Trend
|
Remote Ping |
Enable Remote Ping |
Traffic Management |
No available tasks |
ZfS Maps |
|
Site Database Administrator |
Alarm Manager |
No available tasks |
DM_Admin_Tool |
- DB_BACKUP
- Database Password Change
|
MIB Browser |
No available tasks |
MIB Compiler |
No available tasks |
Node Management |
No available tasks |
Remote Ping |
No available tasks |
Traffic Management |
No available tasks |
ZfS Maps |
No available tasks |
Configuring Role-Based Administration
Defining an RBS role includes creating an RBS role object and specifying the tasks that the role can perform.
The following sections discuss how to configure Role- Based Administration:
Defining RBS Role
RBS roles specify the tasks that users are authorized to perform in specific administration applications. Defining an RBS role includes the following sections:
Creating an RBS Role Object
To create an RBS role object:
-
Right-click the container that you want to create the RBS role object > click New > click Object.
-
Under Class, select RBS:Role > click OK.
-
Enter a name for the new RBS role object.
Ensure to follow proper eDirectory naming conventions. For eDirectory naming conventions see Novell eDirectory Administration Guide.
Example: Password Administrator Role.
-
Click OK.
Specifying the Tasks that RBS Roles Can Perform
To specify the tasks:
-
Right-click an RBS role > click Properties.
RBS task objects are located only in RBS module containers
-
In the Role Based Services tab, make the associations you want.
-
Select the Role Content page > Add the list of tasks that the role can perform.
-
Click OK.
Creating an External Scope
To create an external scope:
-
Right-click the container that you want to create the scope object > click New > click Object.
-
Under Class, select MW:Scope > click OK.
-
Enter a name for the new MW:Scope object.
Ensure to follow proper eDirectory naming conventions. For eDirectory naming conventions see Novell eDirectory Administration Guide.
Example: Password Administrator Role.
-
Click OK.
Configuring a Scope Object
To configure a scope object:
-
Right-click the scope object > click Properties.
-
Browse the site object to which the scope is associated.
-
In the Site scope browse to select the computers to the site scope.
-
In the SQL script specify the scope by selecting the object and the operator from the drop-down list.
-
Click OK.
IMPORTANT: By default the scope object will have all-site access.
The effective scope will be a union of Site scope and the objects specified in SQL script.
Assigning RBS Role Membership and Scope
To assign an RBS role and scope to a user:
-
Right-click the user object to which you want to assign the role and scope > click Properties.
-
Click on Role Based Services Tab > Assigned Roles.
-
Click Add to add the required role to the user.
-
Click Scope to add the scope for the user.
-
Click OK.
IMPORTANT: If a user is assigned two different roles with different scopes, the user has rights to all the tasks (union of tasks in role1 and tasks in role2) irrespective of the scopes.
You cannot assign role and scope to User groups and Organization Unit.