Role Based Services (RBS) is a set of extensions to the eDirectory schema. RBS defines several object classes and attributes that provide a mechanism for administrators to grant a user access to management tasks based on the user's role in the organization. This gives users access to only those tasks that the users need to perform. RBS grants only the rights necessary to perform assigned tasks.
Furthermore, users are associated with roles in a specified scope: a container in the tree in which the user has the requisite permissions to perform a task. A role requires this ternary association of role, members, and scope to be complete. The following figure illustrates the relationship of roles, members, and scopes.
Figure 2-3 The relationship of roles, members, and scope.
An RBS role object creates an association between users and tasks. An administrator grants a user access to a task by making the user a member of the role to which the task is assigned.
A user can be assigned to a role in the following ways:
Directly
Through group and dynamic group assignments. If a user is a member of a group or a dynamic group that is assigned to a role, then the user has access to the role.
Through organizational role assignments. If a user is an occupant of an organizational role that is assigned a role, then the user has access to the role.
Through container assignment. A user object has access to all of the roles that its parent container is assigned. This can also include assignments made to the containers above it, up to the root of the tree.
A user can be associated with a role multiple times, each with a different scope.
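The following is an added illustration, not code from eDirectory or iManager, of how the four assignment paths and the role/member/scope association described above resolve to the roles a user can actually exercise. The DNs, role names and group memberships are constructed sample data; the attribute names eDirectory uses for these links are not modelled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RoleAssignment:
    role: str    # DN of the role object (constructed name)
    member: str  # DN of the user, group, organizational role or container assigned to it
    scope: str   # container DN in which the role's rights apply

def parent_containers(dn: str) -> list[str]:
    """All ancestor containers of a DN, nearest first, up to the root of the tree."""
    parts = dn.split(",")
    return [",".join(parts[i:]) for i in range(1, len(parts))]

def effective_roles(user_dn, assignments, groups, org_roles):
    """Return the set of (role, scope) pairs the user can exercise.

    groups:    mapping group DN -> member DNs (static and dynamic groups alike)
    org_roles: mapping organizational role DN -> occupant DNs
    """
    identities = {user_dn}                                                   # direct
    identities |= {g for g, members in groups.items() if user_dn in members} # group / dynamic group
    identities |= {r for r, occ in org_roles.items() if user_dn in occ}      # organizational role
    identities |= set(parent_containers(user_dn))                            # parent container and above
    return {(a.role, a.scope) for a in assignments if a.member in identities}

# Constructed sample tree: two users, one group, one organizational role.
ALICE = "cn=alice,ou=sales,o=acme"
BOB = "cn=bob,ou=it,o=acme"
GROUPS = {"cn=salesadmins,ou=sales,o=acme": {ALICE}}
ORG_ROLES = {"cn=helpdesk,o=acme": {BOB}}
ASSIGNMENTS = [
    RoleAssignment("cn=userCreation,cn=rbs,o=acme", ALICE, "ou=sales,o=acme"),                      # direct
    RoleAssignment("cn=userCreation,cn=rbs,o=acme", ALICE, "ou=marketing,o=acme"),                  # same role, second scope
    RoleAssignment("cn=passwordMgmt,cn=rbs,o=acme", "cn=salesadmins,ou=sales,o=acme", "ou=sales,o=acme"),  # via group
    RoleAssignment("cn=helpdeskTasks,cn=rbs,o=acme", "cn=helpdesk,o=acme", "o=acme"),               # via organizational role
    RoleAssignment("cn=auditView,cn=rbs,o=acme", "o=acme", "o=acme"),                               # via container above the user
]

def resolve_all():
    return {u: effective_roles(u, ASSIGNMENTS, GROUPS, ORG_ROLES) for u in (ALICE, BOB)}

if __name__ == "__main__":
    for user, roles in resolve_all().items():
        print(user, sorted(roles))
```

Alice ends up with the user-creation role twice, once per scope, and with the audit role inherited from the o=acme container, but not with the helpdesk role, since she occupies no organizational role.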
For information about RBS directory objects, see Section 12.3, Role-Based Services Directory Objects.