The Team Configuration page allows you to create teams and define permissions for these teams. A team definition specifies a domain type (Provisioning, Role, or Resource), as well as a set of team members and managers. The Team Configuration page is accessible to the following users:
Table 8-2 User Access to the Team Configuration Page

| User | Capabilities |
|---|---|
| Security Administrator | Can perform all operations on the Team Configuration page. |
| Other Domain Administrators | Can define a team for the domain over which the administrator has authority. |
| Team Manager | Can view a team definition for which he/she is configured to be the manager. When a team manager edits a team, the team definition itself is read-only, because the team manager cannot modify the team configuration. |

The members of a team can be specified individually as a set of users, groups, or containers, or can be defined based on a business relationship, such as the Manager-Employee relationship. Alternatively, the team member list can include all users within the container.
When a team definition includes a container or group in its membership list, the User Application expands the list within the container or group to show the users within the container or group. Therefore, the User Application only allows the team manager to specify a particular user within the container or group as the recipient for a team request; the team manager is not permitted to specify a container or group as the recipient for a team request.
The managers for a team can be one or more users or groups. When you define a team, you can specify whether you want the team managers to also be members of the team.
The permissions for a team define the actions that team members can take on a particular scope of object instances within the domain type selected for a team. For example, if you select the Role domain as the domain type for a team, the team permissions determine what actions the members can take on the set of role instances selected as the scope for the team. These permissions might specify, for the selected scope of roles, that members can perform actions such as assigning roles to users, viewing role assignments, and reporting on role assignments.
To view existing team configurations:
Select on the tab.
The Team Configuration page displays a list of team configurations currently defined.
Click the Display Filter button in the upper right corner of the Resource Catalog display.
Specify a filter string for the team name or description in the Filter dialog, or select a particular domain, and click :
To remove the current filter, click .
Click on the Rows dropdown list and select the number of rows you want to be displayed on each page:
To scroll to another page in the resource list, click on the Next, Previous, First or Last button at the bottom of the list.
To sort the team list:
Click the header for the column you want to sort on.
The pyramid-shaped sort indicator shows you which column is the new sort column. When the sort is ascending, the sort indicator is shown in its normal, upright position.
When the sort is descending, the sort indicator is upside down.
The default sort column is the Resource Name column.
If you override the default sort column, your sort column is added to the list of required columns. Required columns are indicated with an asterisk (*).
When you modify the sort order for the task list, your preference is saved in the Identity Vault along with your other user preferences.
To define a new team:
Click the button at the top of the Team Configuration display.
The dialog displays:
Select one of the following domains:
The domain determines what types of objects the team members can act on. A team can only be associated with a single domain.
NOTE: If a particular user has been designated as a domain administrator, Novell recommends that this user should not also be designated as a manager of a team for the same domain for which the user is a domain administrator.
Provide a name and description for the team.
In the control, select the users and groups that will be managers of the team.
In the control:
Indicate whether the managers will also be members of the team by selecting or deselecting the checkbox.
Define the members of the team by selecting one of the following radio buttons:

| Option | Description |
|---|---|
| | Includes all users in the container. |
| | Includes all users that have a relationship with the users in the list. For example, if you select the Manager-Employee relationship, the members report directly to the users in the list. |
| | Includes the users, groups, and containers you select. |

Click to preserve your team configuration settings.
Once you’ve saved a team, the Permissions section is added to the page, and the Team Permissions Configuration interface is displayed.
The Team Permissions Configuration interface includes buttons for adding new permissions, deleting permissions and refreshing the display. The Permissions section of the page does not include an button because the details associated with each permission are shown in the Permissions list. If a particular team permission is not properly defined, you can simply delete the permission and add a new one in its place.
To define the permissions for the team, click .
This interface shows controls that apply to the domain selected for the team. These controls allow you to specify which objects are within the scope of the team and which permissions team members have with respect to these objects.
Follow these steps to define permissions for a team that uses the Provisioning domain:
To include all provisioning request definitions, click the button.
To select provisioning request definitions individually, choose the radio button, and use the Object Selector to pick one or more provisioning request definitions:
Once you’ve defined the scope for the team, choose the permissions you want to allow for each object by selecting the object and picking the desired permissions in the control.
The provisioning permissions are the same for team configurations as for RBPM administrator assignments. See Step 10.c for details on the provisioning permissions.
To define permissions that apply to the User Application driver as a whole, open the section of the page and select the permissions you want to allow with this assignment.
Click to save the permissions for the selected objects or containers.
To delete a permission, select the permission and click .
To refresh the list of permissions for the team, click .
Follow these steps to define permissions for a team that uses the Role domain:
To include all roles in all levels in the roles hierarchy, choose in the control:
To include all roles at a particular level in the role hierarchy, choose one of the following levels:
To include all roles in a particular sub container under the selected role level, use the Object Selector to select the sub container.
To select roles individually, choose radio button, and use the Object Selector to pick one or more roles:
Once you’ve defined the role scope for the team, choose the permissions you want to allow for each object by selecting the object and picking the desired permissions in the control.
The following role permissions are supported in team configurations:
View Role
Assign Role
Revoke Role
Assign Role to Group and Container
Revoke Role from Group and Container
These role permissions have the same behavior as for RBPM administrator assignments. See Step 11.c for details on these role permissions.
Click to save the permissions for the selected objects or containers.
To delete a permission, select the permission and click .
To refresh the list of permissions for the team, click .
Follow these steps to define permissions for a team that uses the Resource domain:
To include all resources, click the button.
To select resources individually, choose the radio button, and use the Object Selector to pick one or more resources:
Once you’ve defined the resource scope for the team, choose the permissions you want to allow for each object by selecting the object and picking the desired permissions in the control.
The following resource permissions are supported in team configurations:
View Resource
Assign Resource
Revoke Resource
These resource permissions have the same behavior as for RBPM administrator assignments. See Step 12.c for details on these resource permissions.
Click to save the permissions for the team.
To delete a permission, select the permission and click .
To refresh the list of permissions for the team, click .
Click to save the team configuration and team permissions.
To edit an existing team:
Select a previously defined team and click .
When a team manager edits a team, the team definition itself is read-only, because the team manager cannot modify the team configuration.
Make your changes to the team settings and click .
To delete an existing team:
Select a previously defined team and click .
To refresh the list of teams:
Click .
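
The NOTE in the procedure for defining a new team recommends that a domain administrator not also be a manager of a team for the same domain, and because team managers can be groups, that overlap can be indirect. The following added example (not part of the original documentation and not an RBPM API or export format) audits a constructed set of team definitions for the overlap; the DNs, field names and data layout are assumptions.

```python
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample data; DNs and field names are hypothetical, not an RBPM format.
GROUPS: Dict[str, Set[str]] = {  # group DN -> direct members (users or nested groups)
    "cn=RoleOps,ou=groups,o=example": {"cn=alee,ou=users,o=example",
                                        "cn=Leads,ou=groups,o=example"},
    "cn=Leads,ou=groups,o=example": {"cn=bkim,ou=users,o=example"},
}
DOMAIN_ADMINS: Dict[str, Set[str]] = {  # domain type -> administrators, already expanded to users
    "Role": {"cn=bkim,ou=users,o=example"},
    "Resource": {"cn=cdiaz,ou=users,o=example"},
}
TEAMS: List[dict] = [
    {"name": "Role Ops", "domain": "Role", "managers": ["cn=RoleOps,ou=groups,o=example"]},
    {"name": "Badge Team", "domain": "Resource", "managers": ["cn=alee,ou=users,o=example"]},
    {"name": "HR Requests", "domain": "Provisioning", "managers": ["cn=cdiaz,ou=users,o=example"]},
]

def expand_to_users(principals: Iterable[str], groups: Dict[str, Set[str]]) -> Set[str]:
    """Resolve users and (possibly nested) groups to a flat set of user DNs."""
    users: Set[str] = set()
    seen: Set[str] = set()
    stack = list(principals)
    while stack:
        dn = stack.pop()
        if dn in seen:  # guards against cyclic group nesting
            continue
        seen.add(dn)
        if dn in groups:
            stack.extend(groups[dn])  # a group: keep expanding its members
        else:
            users.add(dn)  # anything that is not a known group is treated as a user
    return users

def admin_manager_overlaps(teams, domain_admins, groups) -> List[Tuple[str, str, str]]:
    """Return (team, domain, user) for each manager who also administers the team's own domain."""
    findings = []
    for team in teams:
        admins = domain_admins.get(team["domain"], set())
        managers = expand_to_users(team["managers"], groups)
        for user in sorted(admins & managers):
            findings.append((team["name"], team["domain"], user))
    return findings

if __name__ == "__main__":
    for name, domain, user in admin_manager_overlaps(TEAMS, DOMAIN_ADMINS, GROUPS):
        print(f"{name}: {user} is both {domain} domain administrator and team manager")
```

In the sample data the only finding is a Role domain administrator who becomes a manager of the Role team through a nested group; an administrator of one domain managing a team in a different domain is not reported, since the recommendation concerns the same domain.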