2.3 Managing Administrators

You can create administrators with different access controls and manage them in the Administration Console.

The Administration Console notifies you when another administrator makes changes to a policy container or to an Access Manager device such as an Access Gateway. The person who is currently editing the configuration is listed at the top of the page, with that person's distinguished name and IP address and an option to unlock. If you select to unlock, you discard all changes the other administrator has made.

WARNING: Locking has not been implemented on the pages for modifying the Identity Server. If you have multiple administrators, they need to coordinate with each other so that only one administrator is modifying an Identity Server cluster at any given time.

Multiple Sessions: Do not start multiple sessions of the Administration Console in the same browser on a workstation. Browser sessions share settings that can result in problems when you apply changes to configuration settings. However, if you are using two different brands of browsers simultaneously, such as Internet Explorer and Firefox, it is possible to avoid the session conflicts.

Multiple Administration Consoles: As long as the primary console is running, all configuration changes must be made at the primary console. If you make changes at both a primary console and a secondary console, browser caching can cause you to create an invalid configuration.

The following sections explain how to create additional administrator accounts, how to delegate rights to administrators, and how to manage policy view administrators.

2.3.1 Creating Multiple Admin Accounts

The Administration Console is installed with one admin user account. If you have multiple administrators, you might want to create a user account for each one so that log files reflect the modifications made by each administrator. The easiest way to do this is to create a new user as a trustee of the tree root with [Entry Rights] for Supervisor and an inheritable rights assignment. This also ensures that you have more than one user who has full access to the Administration Console. If you have only one administrator user and that user forgets the password, you cannot access the Administration Console.

To create a new user as a trustee of the tree root:

  1. In the Administration Console Dashboard, click the icon at the top right of the page and then click the Roles and Tasks view in the iManager header.

  2. Click Users > Create User.

    Specify all the required details to create a valid user.

    NOTE: Select the same Context that the existing administrator has.

  3. Click Rights > Modify Trustees, then select the tree root user.

  4. Add the newly created user as a trustee of the tree root user.

  5. Click Assigned Rights and specify [Entry Rights] for supervisor and inheritable rights assignment.

  6. Click Done.

You can also create delegated administrators and configure them to have rights to specific components of Access Manager. For configuration information for this type of user, see Managing Delegated Administrators.

2.3.2 Managing Policy View Administrators

The super administrators can create policy view administrators. Policy view administrators can log in to Access Manager with their credentials and they can only view the policy containers assigned to them.

Policy view administrators are created in the same way as other users. For more information on creating users, see Creating Users. In step 5b, select the “ou=policyviewusers, o=novell” option in the Context field from the Contents list.

After creating the user, assign rights to the newly created user. For more information, see Policy Container Administrators.

2.3.3 Managing Delegated Administrators

As an Access Manager administrator, you can create delegated administrators to manage the following Access Manager components.

  • Individual Access Gateways or an Access Gateway cluster

  • Identity Server clusters

  • Policy containers

IMPORTANT: You need to trust the users you assign as delegated administrators. They are granted sufficient rights that they can compromise the security of the system. For example, if you create delegated administrators with View/Modify rights to policy containers, they have sufficient rights to implement a cross-site scripting attack by using the Deny Message in an Access Gateway Authorization policy.

Delegated administrators are also granted rights to the LDAP server. They can access the configuration datastore with an LDAP browser. Any modifications made with the LDAP browser are not logged by Access Manager. To log LDAP events, you need to turn on eDirectory auditing. For configuration information, see Activating eDirectory Auditing for LDAP Events.

By default, all users except the administrator are assigned no rights to the policy containers and the devices. The administrator has all rights and cannot be configured to have less than all rights. The administrator is the only user who has the rights to delegate rights to other users, and the only user who can modify keystores, create certificates, and import certificates.

The configuration pages for delegated administrators control access to the Access Manager pages. They do not control access to the tasks available for the Roles and Tasks view in iManager. If you want your delegated administrators to have rights to any of these tasks such as Directory Administration or Groups, you must use eDirectory methods to grant the user rights to these tasks or enable and configure Role-Based Services in iManager.

To create a delegated administrator, you must first create user accounts, then assign them rights to the Access Manager components.

  1. In the Administration Console Dashboard, click the icon at the top right of the page and then click the Roles and Tasks view.

  2. (Optional) If you want to create a container for your delegated administrators, click Directory Administration > Create Object, then create a container for the administrators.

  3. To create the users, click Users > Create User and create user accounts for your delegated administrators. You can create the users in the delegatedusers or policyviewusers context. For more information, see Creating Users.

  4. Return to the Access Manager view. In the Administration Console Dashboard, click Administrators.

  5. Select the component you want to assign a user to manage.

    For more information about the types of rights you might want to assign for each component, see Access Gateway Administrators, Policy Container Administrators, and Delegated Administrators of the Identity Servers below.

  6. To assign all delegated administrators the same rights to a component, configure the All Users option by using the drop-down menu and selecting None, View Only, or View/Modify.

    By default, All Users is configured for None. All Users is a quick way to assign everyone View Only rights to a component when you want your delegated administrators to have the rights to view the configuration but not change it.

  7. To select one or more users to assign rights, click Add, then specify the following details:

    Name filter: Specify a string that you want the user’s cn attribute to match. The default value is an asterisk, which matches all cn values.

    Search from context: Specify the context you want used for the search. Click the down-arrow to select from a list of available contexts.

    Include subcontainers: Specifies whether subcontainers must be searched for users.

  8. Click Query. The User section is populated with the users that match the query.

  9. In the User section, select one or more users to whom you want to grant the same rights.

  10. For the Access option, click the down-arrow and select one of the following values:

    View/Modify: Grants full configuration rights to the device. View/Modify rights do not grant the rights to manage keystores, to create certificates, or to import certificates from other servers or certificate authorities. View/Modify rights allow the delegated administrator to perform actions such as stop, start, and update the device.

    If the assignment is to a policy container, this option grants the rights to create policies of any type and to modify any existing policies in the container.

    View Only: Grants the rights to view all the configuration options of the device or all rules and conditions of the policies in a container.

    None: Prevents the user from seeing the device or the policy container.

  11. In the Device or Policy Containers section, select the devices, the clusters, or policy containers that you want to assign for delegated administration.

  12. Click Apply.

    The rights are immediately assigned to the selected users. If the user already had a rights assignment to the device or policy container, this new assignment overwrites any previous assignments.

  13. After assigning a user rights, check the user’s effective rights.

    A user’s effective rights and assigned rights do not always match, because the All Users setting applies on top of individual assignments. For example, if Kim is granted View Only rights but All Users have been granted View/Modify rights, Kim’s effective rights are View/Modify.
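The following is an added, constructed model of how the rights described in this procedure combine; it is not Access Manager code. It encodes only what the text states: None < View Only < View/Modify, the All Users setting applies to everyone, a per-user assignment overwrites the previous assignment for that device or container, effective rights are the higher of the explicit and All Users grants, and (as described under Access Gateway Administrators below) a View/Modify assignment on an Access Gateway cluster implies View Only on the master policy container. The component names, user names and the container label "master" are assumptions for the illustration.

```python
# Constructed model of delegated-administrator rights (added illustration,
# not Access Manager's own code). Assumed names: "ag-cluster-1", "master",
# "hr-policies", "kim", "lee".
from enum import IntEnum


class Access(IntEnum):
    NONE = 0          # device or policy container is hidden from the user
    VIEW_ONLY = 1     # can view configuration or policies, not change them
    VIEW_MODIFY = 2   # full configuration rights (no keystore/certificate rights)


MASTER_POLICY_CONTAINER = "master"  # label assumed for this model


class DelegationTable:
    def __init__(self):
        self.all_users = {}   # component -> Access granted to All Users
        self.assigned = {}    # (user, component) -> explicitly assigned Access
        self.gateways = set() # components that are Access Gateways or clusters

    def register_gateway(self, component):
        self.gateways.add(component)
        self.all_users.setdefault(component, Access.NONE)  # default is None

    def register_container(self, component):
        self.all_users.setdefault(component, Access.NONE)

    def set_all_users(self, component, access):
        self.all_users[component] = Access(access)

    def assign(self, user, component, access):
        """Apply an assignment; it overwrites any earlier one for the same pair."""
        self.assigned[(user, component)] = Access(access)
        # View/Modify on a gateway/cluster implies View Only on the master
        # policy container, unless the user already holds something higher.
        if component in self.gateways and Access(access) == Access.VIEW_MODIFY:
            key = (user, MASTER_POLICY_CONTAINER)
            if self.assigned.get(key, Access.NONE) < Access.VIEW_ONLY:
                self.assigned[key] = Access.VIEW_ONLY

    def effective(self, user, component):
        """Effective rights: the higher of the explicit and All Users grants."""
        explicit = self.assigned.get((user, component), Access.NONE)
        everyone = self.all_users.get(component, Access.NONE)
        return max(explicit, everyone)

    def mismatches(self):
        """Assignments whose effective rights exceed what was explicitly granted.

        This is the check step 13 asks for: review it after every change to
        an All Users setting."""
        out = []
        for (user, component), granted in self.assigned.items():
            eff = self.effective(user, component)
            if eff > granted:
                out.append((user, component, granted.name, eff.name))
        return out


def demo():
    t = DelegationTable()
    t.register_gateway("ag-cluster-1")
    t.register_container(MASTER_POLICY_CONTAINER)
    t.register_container("hr-policies")
    # Kim is meant to be read-only on the cluster ...
    t.assign("kim", "ag-cluster-1", Access.VIEW_ONLY)
    # ... but All Users on that cluster is later raised to View/Modify.
    t.set_all_users("ag-cluster-1", Access.VIEW_MODIFY)
    # Lee gets View/Modify on the cluster, which implies View Only on master.
    t.assign("lee", "ag-cluster-1", Access.VIEW_MODIFY)
    return t


if __name__ == "__main__":
    table = demo()
    for entry in table.mismatches():
        print("effective rights exceed assignment:", entry)
```

Running the demo reports Kim's mismatch (assigned View Only, effective View/Modify), which is exactly the situation step 13 tells you to look for; Lee's implied View Only on the master container does not appear as a mismatch because it is recorded as an explicit grant.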

Access Gateway Administrators

You can assign a user to be a delegated administrator of an Access Gateway cluster or a single Access Gateway that does not belong to a cluster. You cannot assign a user to manage a single member of a cluster.

When a delegated administrator of an Access Gateway cluster is granted View/Modify rights, the administrator has sufficient rights to change the cluster configuration, to stop and start (or reboot and shut down), and to update the Access Gateways in the cluster. However, to configure the Access Gateway to use SSL, you need to be the admin user, rather than a delegated administrator.

When the user is assigned View/Modify rights to manage a cluster or an Access Gateway, the user is automatically granted View Only rights to the master policy container. If you have created other policy containers, these containers are hidden until you grant the delegated administrator rights to them. View Only rights allows the delegated administrator to view the policies and assign them to protected resources. It does not allow them to modify the policies. If you want the delegated administrator to modify or create policies, you need to grant View/Modify rights to a policy container.

View/Modify rights to an Access Gateway or a cluster allows the delegated administrator to modify which Identity Server cluster the Access Gateway uses for authentication. It does not allow delegated administrators to update the Identity Server configuration, which is required whenever the Access Gateway is configured to trust an Identity Server. To update the Identity Server, the delegated administrator needs View/Modify rights to the Identity Server configuration.

Policy Container Administrators

The policy container administrators are of two types:

  • Delegated Administrators

  • Policy View Administrators

Delegated Administrators

All delegated administrators with View/Modify rights to a device have read rights to the master policy container. To create or modify policies, a delegated administrator needs View/Modify rights to a policy container. When a delegated administrator has View/Modify rights to any policy container, the delegated administrator is also granted enough rights to allow the administrator to select shared secret values, attributes, LDAP groups, and LDAP OUs to policies.

If you want your delegated administrators to have full control over a device and its policies, you might want to create a separate policy container for each delegated administrator or for each device that is managed by a group of delegated administrators.

Policy View Administrators

A policy view administrator has rights only to view policy containers. The super administrators can create this special type of delegated administrator. Policy view administrators can log in to Access Manager with their credentials and are allowed to view only the policy containers assigned to them.

Using the Policy Containers option, the super administrators can add and remove delegated and policy view administrators.

  • Adding Administrators

  • Removing Administrators

Adding Policy Container Administrators

The administrator can assign rights to delegated administrators and policy view administrators on a per-policy-container basis.

  1. In the Administration Console Dashboard, click the icon at the top right of the page and then click Administrators > Policy Containers > Add Administrators.

  2. (Optional) Specify the filter.

  3. Select the Access Rights from the list for the type of administrator, for example View/Modify, View Only, or None. Policy view administrators have only View Only rights.

  4. Select the search from context in the list, for example “ou=delegated users, o=novell” or “ou=policyviewusers, o=novell”. Based on the user selected, delegated or policy view administrators are created.

  5. (Optional) Select Include Subcontainers if you also want subcontainers of the selected context to be searched.

  6. Click Query. The users and the policy containers are displayed for the selected query.

  7. Select the User and the Policy Container. The users and policy containers listed are those that match the query.

  8. Click Apply > Close.

Removing Policy Container Administrators

To remove the administrators from the policy containers list, do the following:

  1. In the Administration Console Dashboard, click the icon at the top right of the page and then click Administrators > Policy Containers > Remove Administrators.

  2. Select the check box of the user whose administrator assignment you want to remove, then click Remove.

  3. Click Close.

Delegated Administrators of the Identity Servers

You cannot assign a delegated administrator to an individual Identity Server. You can only assign a delegated administrator to a cluster configuration, which gives the delegated administrator rights to all the cluster members.

When a delegated administrator of an Identity Server cluster is granted the View/Modify rights, the administrator has sufficient rights to change the cluster configuration and to stop, start, and update the Identity Servers in that cluster. The administrator is granted view rights to the keystores for each Identity Server in the cluster. To change any of the certificates, the administrator needs to be the admin user rather than a delegated administrator.

The delegated administrator of an Identity Server cluster is granted View Only rights to the master policy container. If you want the delegated administrator with View/Modify rights to have sufficient rights to manage policies, grant the following rights:

  • To have sufficient rights to create Role policies, grant View/Modify rights to a policy container.

  • To have sufficient rights to enable Role policies, grant View Only rights to the policy containers with Role policies.

Activating eDirectory Auditing for LDAP Events

If you are concerned that your delegated administrators might use an LDAP browser to access the configuration datastore, you can configure eDirectory to audit events that come from LDAP connections to the LDAP server.

  1. In the Administration Console Dashboard, click Auditing.

  2. Ensure that you have configured the IP address and port to use for your Secure Logging Server.

    The server can be a Novell Audit server, a Sentinel server, or a Sentinel Log Manager. For more information about this process, see Enabling Auditing.

    WARNING: Whenever you change the port or address of the Secure Logging Server, all Access Gateways must be updated. Then every Access Manager device (Identity Server, Administration Console, and Access Gateways) must be rebooted (not just the module stopped and started) before the configuration change takes effect.

  3. From the iManager view bar, select the Roles and Tasks view.

  4. Click Directory Administration > Modify Object.

  5. Click the Object Selector icon, expand the novell container, then select the eDirectory server.

    The eDirectory server uses the tree name, without the _TREE suffix, for its name. The tree name is displayed in the iManager view bar.

  6. Click OK > Novell Audit > eDirectory.

  7. From the Meta, Objects, and Attributes sections, select the events that you want to monitor for potential security problems.

    • In the Meta section, you probably want to monitor changes made to groups and ACLs.

    • In the Objects section, you probably want to monitor who is logging in and out and if objects are being created or deleted.

    • In the Attributes section, you probably want to monitor when attribute values are added or deleted.

  8. Click Apply.

  9. (Linux) Restart eDirectory and the Audit Server. Enter the following commands:

    /etc/init.d/ndsd restart

    /etc/init.d/novell-naudit restart

    or, equivalently for the audit server:

    rcnovell-naudit restart

  10. (Windows) Restart eDirectory and the Audit Server:

    1. Click Control Panel > Administrative Tools > Services.

    2. Right click NDS Server, then select Stop.

    3. Answer Yes to the prompt to stop the Novell Audit Log Server.

    4. Right click NDS Server, then select Start.

    5. Right click Novell Audit Log Server, then select Start.

Creating Users

After creating users, you can assign the role of a delegated administrator or policy view administrator.

  1. Log in to Access Manager.

  2. Click Roles and Tasks > Users > Create User.

  3. User Name: Specify the user name. This is a mandatory field.

  4. (Optional) First Name: Specify the first name of the user.

  5. Last Name: Specify the last name of the user. This is a mandatory field.

  6. (Optional) Full Name: Specify the full name of the user.

  7. Context: Specify the context as delegated administrators. This is a mandatory field.

    1. Click the object selector icon. The object selector browser displays the Browse and Search tabs.

    2. Click the Browse tab, then select the delegated users or policy view users option from the Contents list. Depending on the selection, delegatedusers.novell or policyviewusers.novell is displayed in the Context field.

  8. Password: Specify the password and retype the password to confirm it.

    NOTE: If you do not enter a password, the user is able to log in without a password.

  9. (Optional) Simple Password: Select this check box to set the simple password.

    NOTE: Simple Password is required for native file access on Windows and Macintosh using the CIFS and AFP protocols. Simple Password is not required for normal eDirectory access. The Universal Password feature supersedes Simple Password. When the Universal Password feature is enabled, setting the Simple Password is not required. For more information on the Universal Password feature, refer to the NetWare 6.5 documentation.

  10. (Optional) Copy from Template or User Object: Copies the attributes from a user template that you've created.

  11. (Optional) Create Home Directory: You can create a home directory for this new User object if you have sufficient eDirectory rights. To do this, specify the path where you want to create the user's home directory.

    1. Volume: Applies only to NCP-enabled volumes.

    2. Path: You must specify a valid, existing directory path. The last directory typed in the path is the one that is created; all other directories in the path must already exist. For example, if you specify the path corp/home/sclark, the directories corp and home must already exist. The directory sclark is the only directory created.

  12. (Optional) Enter or select the title, location, department, telephone number, fax number, and email address of the user.

  13. (Optional) Enter a description for the user, if any. You can add, remove, and edit this information as required.

  14. Click OK.

After creating a user, assign rights to the newly created user. For more information, see Policy Container Administrators.

2.3.4 Changing Administrator’s Password

You can change the password of the Administration Console administrator and the password of a user store’s administrator.

Changing the Password of the Administration Console Administrator

  1. In the Roles and Tasks view, click Users > Modify User.

  2. Click the Object Selector icon.

  3. Browse to the novell container and select the name of the admin user, then click OK.

  4. Click Restrictions > Set Password.

  5. Specify a password in New password and confirm the password in Retype new password.

  6. Click OK > OK.

Changing the Administration Password of the User Store Administrator

Perform the following steps to change the admin password of a user store configured for the Identity Server:

  1. In the Administration Console, click Devices > Identity Servers > IDP-Cluster.

  2. Go to the Local tab and click the name of the existing user store in the user stores list.

  3. Enter a password that matches the User Store password in the Admin password text box.

  4. Confirm the password in the Confirm password text box.

  5. Click Apply.