10.3 Required Rights for the Middle Tier Proxy User Account and the NSAdmin Utility

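Because you might create an administrator account for the Middle Tier Server installation and login at the same time as the account used to administer the Middle Tier Server after it is installed (using the NSAdmin utility), this section covers both sets of rights: Proxy User Rights Required for Middle Tier Installation and Login (Section 10.3.1) and Required Rights for NSAdmin Access (Section 10.3.2).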

NOTE: For the purpose of this example, we have already created a proxy user, zenpxyuser, in the CN=zenpxyuser.OU=zen.OU=Users.O=Company context, with test as its password.

10.3.1 Proxy User Rights Required for Middle Tier Installation and Login

Because it already has all of the required access rights, you can use an administrator account as the Middle Tier Proxy User Account, but this poses significant security risks. Alternatively, you can create a user account in ConsoleOne and assign it only the rights required for a ZENworks Middle Tier proxy user.

Use the following steps to assign rights to the proxy user:

  1. Make zenpxyuser a Trustee of OU=Users.O=Company.

    1. Select the OU, then click Properties.

    2. Select the NDS Rights tab.

    3. Click Add Trustee, then add the proxy user as a trustee of the OU.

    4. (Conditional) If the Rights Assigned dialog box is not displayed, click Assigned Rights.

    5. Click Add Property, select Show All Properties, then select all of the properties listed in Table 10-1 and assign the appropriate rights (also shown in the same table).

After these rights are assigned, you can enter this proxy user's context and password during the ZENworks Middle Tier Server installation. Using the preceding example, you would enter zenpxyuser.zen.users.company as the proxy user and test as the proxy user password.

Table 10-1 Summary of Proxy User Rights

| Trustees of Which Object | Add Trustee | Add Property | Rights | Inheritable? |
|---|---|---|---|---|
| User's or User Container | zenpxyuser | Entry Rights | B[rowse] C[reate] | Yes |
| User's or User Container | zenpxyuser | All Attributes | C[ompare] R[ead] | Yes |
| User's or User Container | zenpxyuser | CN | C[ompare] R[ead] | Yes |
| User's or User Container | zenpxyuser | zendmWSNetworkAddress | C[ompare] R[ead] W[rite] | Yes |

10.3.2 Required Rights for NSAdmin Access

To administer the ZENworks Middle Tier Server using the NSAdmin utility, the administrator account you use needs to be equivalent to the proxy user account. The administrative user also needs the Write right to the Equivalent to Me attribute on the proxy user account.

By default, a newly created user does not have the Write right to the Equivalent to Me attribute on its own account. Therefore, as you create an arbitrary user for the proxy account, you need to grant this account the Write right to its own Equivalent to Me attribute. Doing so will let you use NSAdmin to manage the Middle Tier Server.

For more information about NSAdmin, see Configuring the ZENworks Middle Tier Server with NSAdmin in the Novell ZENworks 7 Desktop Management Administration Guide.

Use the following steps to assign rights to the proxy user:

  1. Make zenpxyuser a Trustee of CN=zenpxyuser.OU=zen.OU=Users.O=Company with the following rights:

    1. Select the zenpxyuser User object, then click Properties.

    2. Select the NDS Rights tab.

    3. Click Add Trustee, then add the User object that needs rights to log in to NSAdmin as a trustee of the zenpxyuser User object.

    4. (Conditional) If the Rights Assigned dialog box is not displayed, click Assigned Rights.

    5. Click Add Property, select Show All Properties, then select the Equivalent to Me property.

    6. Assign the [C]ompare, [R]ead, and [W]rite rights to this property. See Table 10-2, Summary of Proxy User Rights for NSAdmin for more information.

After these rights are assigned, you can enter this proxy user's name and password during the login to NSAdmin. Using the preceding example, you would enter zenpxyuser as the proxy user and test as the password.

Table 10-2 Summary of Proxy User Rights for NSAdmin

| Trustees of Which Object | Add Trustee | Add Property | Rights | Inheritable? |
|---|---|---|---|---|
| zenpxyuser | Users who want to log in to NSAdmin (including zenpxyuser) | Equivalent to Me | C[ompare] R[ead] W[rite] | No |
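
The following Python check is an added example, not part of the Novell documentation or product: it compares a trustee's ACL entries against the rights in Table 10-1 and Table 10-2 and reports anything granted beyond them (for example, Supervisor) or missing. It assumes the ACL values were exported in eDirectory's LDAP form (privileges#scope#trustee#attribute); the LDAP attribute names used for the ConsoleOne properties and the sample values are constructed for illustration.

```python
# Added example, not Novell code. Assumes ACL values in eDirectory's LDAP form:
#   privileges#scope#trustee#protected-attribute
ENTRY_BITS = {1: "Browse", 2: "Create", 4: "Delete", 8: "Rename", 16: "Supervisor"}
ATTR_BITS = {1: "Compare", 2: "Read", 4: "Write", 8: "Self", 32: "Supervisor"}
PROXY = "cn=zenpxyuser,ou=zen,ou=users,o=company"
# Rights from Table 10-1 (user container) and Table 10-2 (proxy user object).
# "subtree" = inheritable, "entry" = not inheritable. LDAP names are assumed.
EXPECTED = {
    "ou=users,o=company": {
        "[Entry Rights]": (3, "subtree"),            # Browse, Create
        "[All Attributes Rights]": (3, "subtree"),   # Compare, Read
        "cn": (3, "subtree"),                        # Compare, Read
        "zendmWSNetworkAddress": (7, "subtree"),     # Compare, Read, Write
    },
    PROXY: {"equivalentToMe": (7, "entry")},         # Compare, Read, Write
}

def names(mask, target):
    bits = ENTRY_BITS if target.lower() == "[entry rights]" else ATTR_BITS
    return [n for b, n in sorted(bits.items()) if mask & b]

def audit(obj_dn, acl_values, trustee=PROXY):
    """Compare the trustee's ACL entries on obj_dn with the documented rights."""
    want = {k.lower(): (k, m, s) for k, (m, s) in EXPECTED[obj_dn.lower()].items()}
    findings = []
    for value in acl_values:
        priv, scope, subject, target = value.split("#", 3)
        if subject.lower() != trustee.lower():
            continue  # entry belongs to a different trustee
        _, mask, want_scope = want.pop(target.lower(), (target, 0, scope))
        extra, missing = int(priv) & ~mask, mask & ~int(priv)
        if extra:
            findings.append(f"EXCESS {target}: {names(extra, target)}")
        if missing:
            findings.append(f"MISSING {target}: {names(missing, target)}")
        if scope != want_scope:
            findings.append(f"SCOPE {target}: {scope}, documented {want_scope}")
    for name, mask, _ in want.values():  # documented grants never seen
        findings.append(f"MISSING {name}: {names(mask, name)}")
    return findings

# Constructed sample export: Supervisor on all attributes, one grant absent.
SAMPLE_CONTAINER_ACL = [
    f"3#subtree#{PROXY}#[Entry Rights]",
    f"35#subtree#{PROXY}#[All Attributes Rights]",
    f"3#subtree#{PROXY}#CN",
    "3#subtree#cn=admin,o=company#[Entry Rights]",
]
print(*audit("ou=users,o=company", SAMPLE_CONTAINER_ACL), sep="\n")
```

For the NSAdmin rights in Table 10-2, pass the proxy user object's DN as obj_dn and the administrative user's DN as trustee.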