You can use ConsoleOne, a directory-enabled framework for running Novell network administration utilities. The ZfS snap-ins to ConsoleOne fully leverage eDirectory to enable role-based administration and higher levels of security. Through eDirectory, users will be able to log in once and have access to the management components as specified by their roles within their specific scope.
The ZfS snap-ins to ConsoleOne allows you to divide the task of network administration amongst administrators. With ConsoleOne, the functions and tasks of ZfS are organized into different, customized "views" based on each administrator's role in your organization.
The following sections discuss role-based administration:
The ZfS management site sets boundaries for accessing object data on the management server through the role-based services. You can create roles and tasks and further define the level of access to network objects and information from the network container space.
When you install ZfS Management and Monitoring Services, a management site, a system administrator role (RBS Admin), and all the site objects are created in eDirectory. A management site defines the scope of objects (networks, segments, routers, bridges, switches, servers, workstations, and so on) discovered on your network. You can create a single site or multiple sites, depending on the size of your network or network management requirements. A management site could include a single local network configuration or could encompass your entire network. The boundaries of a site are defined by the scope of network discovery. By default, network discovery is set to discover all connected networks and network nodes. The site object is created in the same context as the server object.
During installation, the default management site that is created is shown below. A single administration role is established with rights and permissions to all configuration and management tasks in the management system.
Some default roles that monitor network traffic, handle alarms, and manage server systems, are available and allow you to add users. You can also use them as examples for your new role creations.
In the ZfS role-based services (RBS), permissions that are required to access network objects, configurations, and information are associated with roles. eDirectory User objects can be assigned to appropriate roles. The levels of abstractions in a role are described below:
Roles - Created to perform various network management functions in your organization. You can simplify granting of permissions and restrict access to management tools and data by creating appropriate roles.
Tasks - Actions performed to utilize components of the management system based on the specific responsibilities.
Component/module - A software tool that provides a network management function. ZfS includes components for managing servers, monitoring segment traffic, and providing common services such as database management, alarm handling, and report generation.
The users added to a role, however, retain the access rights, permissions, and policies granted through the eDirectory user account. For example, a user may be granted permission to access and configure a server through eDirectory, but may not be granted permission to manage the server through the RBS in ZfS. Therefore the management role that the user is assigned has limited access to the management services or components/modules in the ZfS management system.
General ZfS Roles
ZfS components support role-based services (RBS) and task management through eDirectory. ZfS uses RBS to organize ZfS tasks into roles and to assign scope information to a role, user or a group.
RBS roles specify the tasks that users are authorized to perform. Defining an RBS role includes creating an RBS role object and specifying the tasks that the role can perform.
The tasks that RBS roles can perform are displayed as RBS Task objects in your eDirectory tree. These objects are organized into one or more RBS modules, which are containers that correspond to the different ZfS components. As shown in the figure below, ZfS provides predefined modules and RBS role objects.
IMPORTANT: You cannot create new modules or tasks. You have to select from the pre-defined modules and tasks that are available.
You can create any role using the modules and tasks. Each module can have one or more tasks. For example, RBS defines the task for Monitoring Services as Enable Remote Ping. If this task is assigned to your role, you can use the Monitoring Services facility. For a list of the predefined ZfS modules and ZfS roles along with the associated tasks, see ZfS Role-Based Modules and Roles .
RBS roles specify the tasks that users are authorized to perform in specific administration applications. Defining an RBS role includes the following sections:
Browse the site object to which the scope is associated.
In the Site scope browse to select the computers to the site scope.
In the SQL script specify the scope by selecting the object and the operator from the drop-down list.
Click OK.
IMPORTANT: By default the scope object will have all-site access.
The effective scope will be a union of Site scope and the objects specified in SQL script.
Assigning RBS Role Membership and Scope
To assign an RBS role and scope to a user:
Right-click the user object to which you want to assign the role and scope > click Properties.
Click on Role Based Services Tab > Assigned Roles.
Click Add to add the required role to the user.
Click Scope to add the scope for the user.
Click OK.
IMPORTANT: If a user is assigned two different roles with different scopes, the user has rights to all the tasks (union of tasks in role1 and tasks in role2) irrespective of the scopes.
You cannot assign role and scope to User groups and Organization Unit.