iManager gives you the ability to assign specific responsibilities to users and to present them with the tools (and their accompanying rights) necessary to perform only those sets of responsibilities. This functionality is called Role-Based Services (RBS).
Role-Based Services (RBS) is a set of extensions to the eDirectory schema. RBS defines several object classes and attributes that provide a mechanism for administrators to grant a user access to management tasks based on the user's role in the organization. This gives users access to only those tasks that the users need to perform. RBS grants only the rights necessary to perform assigned tasks.
Use RBS to create specific roles within your organization; the roles contain tasks that a user performs. You can assign a role to a user who then performs the tasks within iManager, such as creating a new user or changing a password. Tasks are preassigned to roles, but can be replaced, reassigned, or removed altogether.
Furthermore, users are associated with roles in a specified scope, which is a container in the tree in which the user has the requisite permissions to perform a task. A role requires this threefold association of role, members, and scope to be complete.
An RBS Role object creates an association between users and tasks. An administrator grants a user access to a task by making the user a member of the role to which the task is assigned.
A user can be assigned to a role in the following ways:
If a user is a member of a group or a dynamic group that is assigned to a role, then the user has access to the role.
If a user is an occupant of an organizational role that is assigned a role, then the user has access to the role.
A User object has access to all roles assigned to its parent container, and to roles assigned to any container above it, up to the root of the tree.
A user can be associated with a role multiple times, each with a different scope.
The following table lists the RBS objects. iManager extends the eDirectory schema to include these objects when you install RBS. For more information, see Section 6.1.2, Installing RBS.
RBS objects reside in the eDirectory tree as depicted in the following figure:
Figure 6-1 Role-Based Services in eDirectory
RBS is installed using the iManager Configuration wizard.
In iManager, click the
icon. Select
> Select the
link in the Notice. Follow the onscreen instructions.
The RBS Configuration task provides complete control over RBS objects. It is a central place for managing and configuring RBS objects. This task enables you to list and modify RBS objects by type. This gives you useful information about the RBS system, such as the number of modules in a collection, how many are installed, how many are not installed, and how many are outdated. For some operations you can operate on multiple objects at the same time. For example, you can associate or disassociate multiple members from a role at the same time.
Select Configure > Role-Based Services > RBS Configuration; the RBS Configuration window appears. If RBS has not yet been configured on iManager, click the link in the window and follow the onscreen instructions.
Two tabs appear on the RBS Configuration screen:
You only see the collections you own.
From the RBS Configuration page you can create roles.
To create a new iManager or eGuide role:
Select a collection by clicking it.
Click the
tab. A list displays the roles belonging to the collection.
Click
> The Create iManager Role wizard appears.
Complete the steps in the wizard.
You can also delete roles. Under
you can set a member association, define its scope, and set rights (Inherited) from that scope down through that subtree. If this option is not selected, rights are limited to the container itself.
If Role-Based Services is no longer needed in the tree, the RBS Collection object can be safely deleted through iManager. Deleting the RBS collection also cleans up all user role associations and scopes in the tree automatically. Do not delete the RBS collection using other utilities, such as ConsoleOne®.
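As an added illustration of the membership rules listed earlier (direct, group, organizational role, and parent container up to the root) together with the Inherited scope option, the following Python model resolves which roles a user may exercise on a given object. It is written for this page and is not iManager's own code; the tree, group, organizational role, role names and assignments are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Assignment:
    role: str        # name of the RBS Role
    member: str      # DN of a user, group, organizational role, or container
    scope: str       # container DN in which the role's tasks may be performed
    inherited: bool  # True: scope covers the whole subtree; False: that container only

def parent_dn(dn):
    # eDirectory DNs are leaf-first ("cn=alice,ou=eng,o=acme"); the constructed
    # sample names contain no escaped commas, so a plain split is enough here.
    return dn.split(",", 1)[1] if "," in dn else ""

def ancestors(dn):
    """Every container above dn, up to the root of the tree."""
    result = []
    while "," in dn:
        dn = parent_dn(dn)
        result.append(dn)
    return result

def principals_for(user_dn, groups, org_roles):
    """DNs through which a user acquires roles: itself, groups it belongs to,
    organizational roles it occupies, and every parent container up to the root."""
    found = {user_dn} | set(ancestors(user_dn))
    found |= {g for g, members in groups.items() if user_dn in members}
    found |= {r for r, occupants in org_roles.items() if user_dn in occupants}
    return found

def in_scope(a, target_dn):
    """Inherited scope reaches the whole subtree; otherwise only objects directly in it."""
    if a.inherited:
        return target_dn == a.scope or a.scope in ancestors(target_dn)
    return parent_dn(target_dn) == a.scope

def effective_roles(user_dn, target_dn, assignments, groups, org_roles):
    """Roles the user may exercise on target_dn. A member may hold the same role
    several times with different scopes, so every assignment is checked."""
    principals = principals_for(user_dn, groups, org_roles)
    return {a.role for a in assignments if a.member in principals and in_scope(a, target_dn)}

# Constructed sample tree (not taken from the product documentation).
GROUPS = {"cn=helpdesk,ou=groups,o=acme": {"cn=alice,ou=eng,o=acme"}}
ORG_ROLES = {"cn=ops-lead,ou=roles,o=acme": {"cn=bob,ou=ops,o=acme"}}
ASSIGNMENTS = [
    Assignment("Password Management", "cn=helpdesk,ou=groups,o=acme", "ou=users,o=acme", True),
    Assignment("User Creation", "ou=eng,o=acme", "ou=eng,o=acme", False),
    Assignment("Server Management", "cn=ops-lead,ou=roles,o=acme", "ou=servers,o=acme", True),
]
```

Running `effective_roles` for a user against objects in different containers shows the difference between an inherited scope (reaches sub-containers) and a non-inherited one (stops at the container).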
Remove RBS by using the RBS Configuration task.
In iManager, select the
view. Select
> Select the check box next to the collection to be deleted.
Click
After the RBS collection is deleted, all users logging in to iManager enter Assigned Access mode, even though there is no longer an RBS Collection object in the tree.
To switch back to Unrestricted mode (the default mode):
In
, select > . Select the
tab. Remove the tree name in the
field by selecting the minus button to the right of the field. Click
Log out of iManager and log in again.
Plug-In Studio offers a quick and easy way to streamline the tasks that you perform several times a day. Use Plug-In Studio to dynamically create tasks for your most frequently used operations. You can also edit and delete tasks here. For example, to modify a user, instead of selecting Modify Object you can create a dynamic UI that edits only the attributes you have selected, such as first name or title. Data is stored in the $TOMCAT_HOME/webapps/nps/portal/modules/custom directory (the path differs if you use a different Web server).
NOTE: The language in which a task is rendered is determined by the language in use by the Web browser. A task can be displayed in any language supported by iManager, because the text strings used to create tasks in Plug-In Studio have already been translated into all of iManager's supported languages. The Web browser automatically displays the task's text strings for its currently selected language.
To create a new task:
In Configure, select
> Click
The Task Builder appears to help you build custom tasks and property pages.
Choose an object type and platform by populating the following fields:
In the Plug-in Fields screen, select or populate the following and click Install.
Select an attribute from the list of available attributes for the selected object class.
Click the attribute to list all available controls for the selected attribute. Double-click to accept the default control and move it into the plug-in field.
There are three icons beside a selected control:
Click it to add available values, then click OK, and the icon stops flashing.
This is the same control that displayed when you clicked the attribute. Change it to any available control for the selected attribute.
This box lists your attribute selection.
Below Plug-in Properties, in the left area of the page, give the plug-in an ID and assign the task to an RBS collection. Open the Object Selector to find the RBS collection. Assign the task to a role. The role you assign determines where it appears in the Roles and Tasks screen.
For example, if you choose User Management, click
and a new browser window opens. Preview the task to verify your design choices. Close the preview. Click , and iManager dynamically builds the .xml file, the .jsp file, and the Java* files that execute the task, and installs it into the system.
In Configure, select
> Select the task and click
Modify the settings described in the create procedure and click
A confirmation message appears: “The plug-in was successfully created and installed.”
In Configure, select
> Select the task and click
A message appears: “Are you sure you want to delete this plug-in?”
Click
A confirmation message appears: “The plug-in has been successfully deleted.”
There are two ways to associate members with roles: either go to a member and assign it to a role within a scope, or go to the role, and assign members and scope to it. The Edit Member Association feature assigns a role to a selected member.
In Roles and Tasks, select
> s > Specify a member and click
A list appears displaying the roles this member is assigned to.
Specify a role.
When specifying the role to use in the Member Association, you can type the full name of the RBS Role object. However, it is much easier to use the Object Selector (the magnifying glass button), from which you can either browse to the desired role or search for it among the roles available in the current eDirectory tree.
Specify the scope and click
This data is saved to eDirectory. After the member next logs in, the newly assigned role appears in the left-hand column of iManager for that member.
Use this feature to allow administration of RBS objects by assigned owners.
Specify a collection owner and click
Add or remove collections this person can own, and click
Step through the wizard to build custom tasks to access a server’s services. Before you do this, verify that the service is available on the server.