21.3 Role-Based Administration

You can use Novell ConsoleOne, a directory-enabled framework for running Novell network administration utilities. The Novell ZENworks Server Management snap-ins to Novell ConsoleOne fully leverage Novell eDirectory to enable role-based administration and higher levels of security. Through Novell eDirectory, users will be able to log in once and have access to the management components as specified by their roles within their specific scope.

The Server Management snap-ins to Novell ConsoleOne allow you to divide the task of network administration among administrators. With Novell ConsoleOne, the functions and tasks of Server Management are organized into different, customized “views” based on each administrator's role in your organization.

The following sections discuss role-based administration:

21.3.1 Novell ZENworks Management Site

The Novell ZENworks management site sets boundaries for accessing object data on the management server through the role-based services. You can create roles and tasks and further define the level of access to network objects and information from the network container space.

When you install Management and Monitoring Services, a management site, a system administrator role (Role-based Services Admin), and all the site objects are created in Novell eDirectory. A management site defines the scope of objects (networks, segments, routers, bridges, switches, servers, workstations, and so on) discovered on your network. You can create a single site or multiple sites, depending on the size of your network or network management requirements.

A management site could include a single local network configuration or could encompass your entire network. The boundaries of a site are defined by the scope of network discovery. By default, network discovery is set to discover all connected networks and network nodes. The site object is created in the same context as the server object.

During installation, the default management site that is created is shown in Figure 21-3. A single administration role is established with rights and permissions to all configuration and management tasks in the management system.

Figure 21-3 ZENworks Server Management site

Some default roles are available for monitoring network traffic, handling alarms, and managing server systems. You can add users to these roles, and you can also use them as examples when you create new roles.

In the Server Management role-based services (Role-based Services), permissions that are required to access network objects, configurations, and information are associated with roles. Novell eDirectory User objects can be assigned to appropriate roles. The levels of abstraction in a role are described below:

  • Roles - Created to perform various network management functions in your organization. You can simplify granting of permissions and restrict access to management tools and data by creating appropriate roles.

  • Tasks - Actions performed to utilize components of the management system based on the specific responsibilities.

  • Component/module - A software tool that provides a network management function. Server Management includes components for managing servers, monitoring segment traffic, and providing common services such as database management, alarm handling, and report generation.

The users added to a role, however, retain the access rights, permissions, and policies granted through the Novell eDirectory user account. For example, a user may be granted permission to access and configure a server through Novell eDirectory, but may not be granted permission to manage the server through the Role-based Services in Server Management. Therefore the management role that the user is assigned has limited access to the management services or components/modules in the Novell ZENworks Server Management system.

21.3.2 General Novell ZENworks Server Management Roles

Novell ZENworks Server Management components support role-based services (Role-based Services) and task management through Novell eDirectory. Server Management uses Role-based Services to organize Novell ZENworks Server Management tasks into roles and to assign scope information to a role, user or a group.

Role-based Services roles specify the tasks that users are authorized to perform. Defining a Role-based Services role includes creating a Role-based Services role object and specifying the tasks that the role can perform.

The tasks that Role-based Services roles can perform are displayed as Role-based Services Task objects in your Novell eDirectory tree. These objects are organized into one or more Role-based Services modules, which are containers that correspond to the different Server Management components. As shown in Figure 21-4, Novell ZENworks Server Management provides predefined modules and Role-based Services role objects.

IMPORTANT: You cannot create new modules or tasks. You have to select from the predefined modules and tasks that are available.

Figure 21-4 Predefined ZENworks Server Management modules and Role-based Services role objects

You can create any role using the modules and tasks. Each module can have one or more tasks. For example, Role-based Services defines the task for Monitoring Services as Enable Remote Ping. If this task is assigned to your role, you can use the Monitoring Services facility. For a list of the predefined Novell ZENworks Server Management modules and roles along with the associated tasks, see Novell ZENworks Server Management Role-Based Modules and Roles.

For more information on creating role objects using tasks and modules, see Configuring Role-Based Administration.

21.3.3 Novell ZENworks Server Management Role-Based Modules and Roles

This section provides the following tables:

The following table lists each Novell ZENworks Server Management Role-based Services module and the tasks that can be performed for the module.

Table 21-1 ZENworks Server Management Role-based Services module and its associated tasks

Novell ZENworks Server Management Role-based Services Module | Associated Tasks

Alarm Manager

  • Add Alarm Note

  • Assign Alarm

  • Define Alarm Disposition

  • Delete Alarm

  • View Active Alarms

  • View Active Alarm History

  • View Alarm Summary

Database Object Editor

Database Object Editor

DB_Admin_Tool

  • DB_BACKUP

  • Database Password Change

MIB Browser

Enable MIB Browser

MIB Compiler

Enable MIB Compiler

Node Management

  • Clearing a Connection

  • Create Health Profiles

  • Create Health Reports

  • Delete Health Profiles

  • Delete Health Reports

  • Downing a Server

  • Loading an NLM

  • Mounting and Dismounting a Volume

  • Read Only All

  • Read Only All Tabular View

  • Read Only Health Profiles

  • Read Only Health Reports

  • Read Only Homepage

  • Read Only HostFileSystemView

  • Read Only InstalledSoftwareView

  • Read Only Novell NetWareLoadableModuleView

  • Read Only Novell NetWareUserView

  • Read Only NetworkPerformanceView

  • Read Only NTDiskListview

  • Read Only NTMemoryUsageView

  • Read Only NTNetworkView

  • Read Only NTPartitionView

  • Read Only NTApadpterView

  • Read Only NTConnectionListView

  • Read Only NWDiskListView

  • Read Only NWMemoryUsageView

  • Read Only NWNetworkMediaView

  • Read Only NWProtocolView

  • Read Only NWFileListView

  • Read Only NWPartitionView

  • Read Only NWQueueJobsListView

  • Read Only NWQueueListView

  • Read Only NWVolumeListView

  • Read Only NWVolumeSegmentView

  • Read Only NWVolumeUsageView

  • Read Only NWRunningSoftwareView

  • Read Only Set Parameter

  • Read Only Trend

  • Read Write All

  • Read Write All TabularView

  • Read Write Health Profiles

  • Read Write Health Reports

  • Read Write Set Parameter

  • Read Write Trend

  • Remote Controlling

  • Restarting a Server

  • Unloading an NLM

Remote Ping

Enable Remote Ping

Traffic Management

  • Adding_Nodes_For_InactivityMonitoring

  • Adding_Protocols_For_ProtocalDirectory

  • Capture_Packets

  • Deleting_Nodes_For_Inactivity

  • Deleting_Protocols_For_ProtocolDirectory

  • Freeing Agent Resources

  • Setting_Segment_Alarms

  • View_Conversations

  • View_LANZ_Agents

  • View_Protocol_Directory

  • View_RMON_Summary

  • View_Segment_Alarms

  • View_Segment_Dashboard

  • View_Segment_Monitor_Nodes_For_Inactivity

  • View_Segment_Protocal_Distribution

  • View_Segment_Stations

  • View_Segment_Summary

  • View_Segment_Trends

  • View_Switch_Port_Traffic

  • View_Switch_Summary

Unified View

  • Unified View for Devices

  • Unified View for Segments

Novell ZENworks Server Management Maps

  • Import

  • Layout

  • Print

  • Rebuild

  • Rename

  • Save

The following table lists each predefined Novell ZENworks Server Management Role-based Services role and the specific tasks that can be performed for each role:

Table 21-2 Predefined ZENworks Server Management Role-based Services and Modules

Management and Monitoring Services Predefined Role-based Services Role | Management and Monitoring Services Role-based Services Module | Assigned Default Tasks

Role-based Services_Administrator

All Modules

All available tasks

Segment_ Administrator

Alarm Manager

  • View Alarm Summary

  • View Active Alarms

  • View Alarm History

  • Assign Alarms

  • Add Alarm Note

DM_Admin_Tool

No available tasks

MIB Browser

No available tasks

MIB Compiler

Enable MIB Compiler

Node Management

  • Read Only Health Profiles

  • Read Only Health Reports

Remote Ping

Enable Remote Ping

Traffic Management

  • Adding_Nodes_For_InactivityMonitoring

  • Adding_Protocols_For_ProtocolDirectory

  • Capture_Packets

  • Setting_Segment_Alarms

  • View_Conversations

  • View_LANZ_Agents

  • View_Protocol_Directory

  • View_RMON_Summary

  • View_Segment_Alarms

  • View_Segment_Dashboard

  • View_Segment_Monitor_Nodes_For_Inactivity

  • View_Segment_Protocal_Distribution

  • View_Segment_Stations

  • View_Segment_Summary

  • View_Segment_Trends

  • View_Switch_Port_Traffic

  • View_Switch_Summary

Novell ZENworks Server Management Maps

  • Layout

  • Print

Unified Views

Unified Views for Segments

Segment Manager

Alarm Manager

  • Assign Alarms

  • Define Alarms Disposition

  • Delete Alarms

  • View Alarm Summary

  • View Active Alarms

  • View Alarm History

  • Add Alarm Note

DM_Admin_Tool

No available tasks

Database Object Editor

Database Object Editor

MIB Browser

Enable MIB Browser

MIB Compiler

Enable MIB Compiler

Node Management

  • Create Health Profiles

  • Create Health Reports

  • Delete Health Profiles

  • Delete Health Reports

  • Read Write Health Profiles

  • Read Only Health Profiles

  • Read Write Health Reports

  • Read Only Health Reports

Remote Ping

Enable Remote Ping

Traffic Management

  • Adding_Nodes_For_InactivityMonitoring

  • Adding_Protocols_For_ProtocalDirectory

  • Capture_Packets

  • Deleting_Nodes_For_InactivityMonitoring

  • Deleting_Protocols_For_ProtocolDirectory

  • Freeing Agent Resources

  • Setting_Segment_Alarms

  • View_Conversations

  • View_LANZ_Agents

  • View_Protocol_Directory

  • View_RMON_Summary

  • View_Segment_Alarms

  • View_Segment_Dashboard

  • View_Segment_Monitor_Nodes_For_Inactivity

  • View_Segment_Protocal_Distribution

  • View_Segment_Stations

  • View_Segment_Summary

  • View_Segment_Trends

  • View_Switch_Port_Traffic

  • View_Switch_Summary

Novell ZENworks Server Management Maps

  • Import

  • Layout

  • Print

  • Rebuild

  • Rename

  • Save

Segment Monitor

Alarm Manager

  • View Alarm Summary

  • View Active Alarms

  • View Alarm History

DM_Admin_Tool

No available tasks

MIB Compiler

No available tasks

MIB Browser

No available tasks

Node Management

  • Read Only Health Profiles

  • Read Only Health Reports

Remote Ping

Enable Remote Ping

Traffic Management

  • Capture_Packets

  • View_Conversations

  • View_LANZ_Agents

  • View_Protocol_Directory

  • View_RMON_Summary

  • View_Segment_Alarms

  • View_Segment_Dashboard

  • View_Segment_Monitor_Nodes_For_Inactivity

  • View_Segment_Protocal_Distribution

  • View_Segment_Stations

  • View_Segment_Summary

  • View_Segment_Trends

  • View_Switch_Port_Traffic

  • View_Switch_Summary

Novell ZENworks Server Management Maps

  • Layout

  • Print

Unified Views

Unified View for Segments

Server Administrator

Alarm Manager

  • Assign Alarm

  • Define Alarm Disposition

  • Delete Alarm

  • View Alarm Summary

  • View Active Alarms

  • View Alarm History

  • Add Alarm Note

DM_Admin_Tool

No available tasks

MIB Browser

Enable MIB Browser

MIB Compiler

No available tasks

Node Management

  • Clearing a Connection

  • Loading an NLM

  • Mounting and Dismounting a Server Volume

  • Downing a Server

  • Read Only Health Profiles

  • Read Only Health Reports

  • Read Write All

  • Restarting a Server

  • Unloading an NLM

Remote Ping

Enable Remote Ping

Traffic Management

No available tasks

Novell ZENworks Server Management Maps

  • Layout

  • Print

Unified Views

Unified Views for Devices

Server Manager

Alarm Manager

  • Assign Alarm

  • Define Alarm Disposition

  • Delete Alarm

  • View Alarm Summary

  • View Active Alarms

  • View Alarm History

  • Add Alarm Note

DM_Admin_Tool

No available tasks

MIB Browser

No available tasks

MIB Compiler

No available tasks

Node Management

  • Clearing a Connection

  • Create Health Profiles

  • Create Health Reports

  • Delete Health Profiles

  • Delete Health Reports

  • Downing a Server

  • Loading an NLM

  • Mounting and Dismounting a Server Volume

  • Read Only Health Profiles

  • Read Only Health Reports

  • Read Write All

  • Read Write Health Profiles

  • Read Write Health Reports

  • Restarting a Server

  • Unloading an NLM

Remote Ping

No available tasks

Traffic Management

No available tasks

Novell ZENworks Server Management Maps

  • Import

  • Layout

  • Print

  • Rebuild

  • Rename

  • Save

Database Object Editor

Database Object Editor

Unified Views

Unified View for Devices

Server Monitor

Alarm Manager

  • View Alarm Summary

  • View Active Alarms

  • View Alarm History

DM_Admin_Tool

No available tasks

MIB Browser

No available tasks

MIB Compiler

No available tasks

Node Management

  • Read Only Health Profiles

  • Read Only Health Reports

  • Read Only Homepage

  • Read Only HostFileSystemView

  • Read Only InstalledSoftwareView

  • Read Only Novell NetWareLoadableModulesView

  • Read Only Novell NetWareUserView

  • Read Only NetworkPerformanceView

  • Read Only NTDiskListview

  • Read Only NTMemoryUsageView

  • Read Only NTNetworkView

  • Read Only NWConnectionListView

  • Read Only NWOpenListView

  • Read Only NWDiskListView

  • Read Only NWMemoryUsageView

  • Read Only NWNetworkMediaView

  • Read Only NWFileListView

  • Read Only NWVolumeListView

  • Read Only NWVolumeUsageView

  • Read Only RunningSoftwareView

  • Read Only Trend

Remote Ping

Enable Remote Ping

Traffic Management

No available tasks

Novell ZENworks Server Management Maps

  • Layout

  • Print

Site Database Administrator

Alarm Manager

No available tasks

DM_Admin_Tool

  • DB_BACKUP

  • Database Password Change

MIB Browser

No available tasks

MIB Compiler

No available tasks

Node Management

No available tasks

Remote Ping

No available tasks

Traffic Management

No available tasks

Novell ZENworks Server Management Maps

No available tasks

21.3.4 Configuring Role-Based Administration

Defining a Role-based Services role includes creating a Role-based Services role object and specifying the tasks that the role can perform.

The following sections discuss how to configure Role-Based Administration:

Defining Role-based Services Role

Role-based Services roles specify the tasks that users are authorized to perform in specific administration applications. Defining a Role-based Services role includes the following sections:

Creating a Role-based Services Role Object

To create a Role-based Services role object:

  1. In Novell ConsoleOne, right-click the container in which you want to create the Role-based Services role object, then click New > Object.

  2. In Class, select Role-based Services:Role, then click OK.

  3. Enter a name for the new Role-based Services role object.

    Be sure to follow proper Novell eDirectory naming conventions. For Novell eDirectory naming conventions, see the Novell eDirectory Administration Guide.

    Example: Password Administrator Role.

  4. Click OK.

Specifying the Tasks that Role-based Services Roles Can Perform

To specify the tasks:

  1. In Novell ConsoleOne, right-click a Role-based Services role, then click Properties.

    Role-based Services task objects are located only in Role-based Services module containers.

  2. In the Role Based Services tab, make the associations you want.

  3. Select the Role Content page, then add the list of tasks that the role can perform.

  4. Click OK.

Creating an External Scope

To create an external scope:

  1. In Novell ConsoleOne, right-click the container in which you want to create the scope object, then click New > Object.

  2. In Class, select MW:Scope, then click OK.

  3. Enter a name for the new MW:Scope object.

    Be sure to follow proper Novell eDirectory naming conventions. For Novell eDirectory naming conventions, see the Novell eDirectory Administration Guide.

    Example: Password Administrator Role.

  4. Click OK.

Configuring a Scope Object

To configure a scope object:

  1. In Novell ConsoleOne, right-click the scope object, then click Properties.

  2. Browse to the site object with which the scope is associated.

  3. In the Site scope, browse to and select the computers to add to the site scope.

  4. In the SQL script, specify the scope by selecting the object and the operator from the drop-down list.

  5. Click OK.

IMPORTANT: By default, the scope object will have all-site access.

The effective scope will be a union of Site scope and the objects specified in SQL script.

Assigning Role-based Services Role Membership and Scope

To assign a Role-based Services role and scope to a user:

  1. In Novell ConsoleOne, right-click the user object to which you want to assign the role and scope, then click Properties.

  2. Click the Role Based Services tab, then click Assigned Roles.

  3. Click Add to add the required role to the user.

  4. Click Scope to add the scope for the user.

  5. Click OK.

IMPORTANT: If a user is assigned two different roles with different scopes, the user has rights to all the tasks (union of tasks in role1 and tasks in role2) irrespective of the scopes.

You cannot assign a role and scope to User groups or Organizational Units.
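The two union rules above (the effective scope of a scope object, and tasks across roles irrespective of scope) can be modelled to review a planned assignment before it is made. The following Python is an added example, not part of the Novell documentation or product: the task lists are a subset of Table 21-2, the scope and object names and the HIGH_IMPACT set are constructed, and it assumes the IMPORTANT note means every task of the user applies across all of the user's scopes.

```python
from dataclasses import dataclass

# Subset of the default tasks listed in Table 21-2 for two predefined roles.
ROLE_TASKS = {
    "Segment Monitor": {"Capture_Packets", "View_Segment_Summary", "View Active Alarms"},
    "Server Administrator": {"Downing a Server", "Restarting a Server",
                             "Loading an NLM", "View Active Alarms"},
}

# Assumption: tasks the reviewer treats as high impact (not defined by the page).
HIGH_IMPACT = {"Downing a Server", "Restarting a Server", "Loading an NLM", "Capture_Packets"}


@dataclass(frozen=True)
class Scope:
    """Model of an MW:Scope object: Site scope selection plus objects chosen by the SQL script."""
    name: str
    site_scope: frozenset
    sql_script_objects: frozenset

    def effective(self):
        # The page states that the effective scope is the union of both parts.
        return self.site_scope | self.sql_script_objects


def intended_grants(assignments):
    """(task, object) pairs an administrator expects: each role limited to its own scope."""
    return {(task, obj)
            for role, scope in assignments
            for task in ROLE_TASKS[role]
            for obj in scope.effective()}


def effective_grants(assignments):
    """(task, object) pairs under the documented rule: union of tasks, irrespective of scopes."""
    tasks = set().union(*(ROLE_TASKS[role] for role, _ in assignments))
    objects = set().union(*(scope.effective() for _, scope in assignments))
    return {(task, obj) for task in tasks for obj in objects}


def excess_high_impact(assignments):
    """High-impact grants that exist only because tasks are not bound to a scope."""
    extra = effective_grants(assignments) - intended_grants(assignments)
    return sorted(pair for pair in extra if pair[0] in HIGH_IMPACT)


# Constructed sample: one user with two role/scope assignments (hypothetical names).
LAB = Scope("Lab-Segment", frozenset({"lab-sw1"}), frozenset({"lab-srv1"}))
PROD = Scope("Prod-Servers", frozenset({"prod-srv1"}), frozenset())
ASSIGNMENTS = [("Segment Monitor", LAB), ("Server Administrator", PROD)]

if __name__ == "__main__":
    for task, obj in excess_high_impact(ASSIGNMENTS):
        print(f"unintended: {task!r} on {obj}")
```

A non-empty result is a reason to split the duties across separate user objects rather than stacking roles on one account.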