3.3 Configuring Role-Based Services

iManager gives administrators the ability to assign specific responsibilities to users and to present the user with only the tools (and their accompanying rights) necessary to perform those sets of responsibilities. This functionality is called Role-Based Services (RBS).

Role-Based Services lets administrators restrict a user to a specified set of functions, called tasks, and to the objects those tasks act on; tasks are grouped into roles. What a user sees in iManager is determined by that user's role assignments in eDirectory: only the tasks assigned to the user are displayed. The user does not need to browse the tree to find an object to administer; the iManager plug-in for the task presents the tools and interface needed to perform it.

You can assign multiple roles to a single user. You can also assign the same role to multiple users.

Role-Based Services is represented by objects defined in eDirectory; the base eDirectory schema is extended with these classes during the iManager installation. The RBS object types are listed in the following table.

Object

Description

rbsCollection

A container object that holds all RBS Role and Module objects.

rbsCollection objects are the topmost containers for all RBS objects. A tree can have any number of rbsCollection objects. These objects have “owners,” which are users who have management rights over the collection.

rbsCollection objects can be created in any of the following containers:

  • Country

  • Domain

  • Locality

  • Organization

  • Organizational Unit

rbsRole

A container object that specifies the tasks that users (members) are authorized to perform. Defining a role includes creating an rbsRole object and specifying the tasks that the role can perform.

Role members can be Users, Groups, Organizations, or Organizational Units, and they are associated to a role in a specific scope of the tree. The rbsTask and rbsBook objects are assigned to rbsRole objects.

rbsRole objects can be created only in rbsCollection containers.

rbsModule

A container object that holds rbsTask and rbsBook objects. rbsModule objects have a module name attribute that represents the name of the product that defines the tasks or books (for example, eDirectory Maintenance, NMAS, or NetIQ Certificate Access).

rbsModule objects can be created only in rbsCollection containers.

rbsTask

A leaf object that represents a specific function, such as resetting login passwords.

rbsTask objects are located only in rbsModule containers.

rbsBook

A leaf object containing a list of pages assigned to the book. An rbsBook can be assigned to one or more Roles and to one or more object class types.

rbsBook objects are located only in rbsModule containers.

rbsScope

A leaf object used for ACL assignments (instead of making assignments for each User object). rbsScope objects represent the context in the tree where a role will be performed and are associated with rbsRole objects. They inherit from the Group class. User objects are assigned to an rbsScope object. These objects have a reference to the scope of the tree that they are associated with.

rbsScope objects are created dynamically when needed and deleted automatically when no longer needed. They are located only in rbsRole containers.

WARNING: Never change the configuration of an rbsScope object. iManager creates and maintains these objects itself; editing one has serious consequences and could break the system.

The RBS objects reside in the eDirectory tree as depicted in the following figure.

Figure 3-1 RBS Objects in the eDirectory Tree

3.3.1 Defining RBS Roles

RBS roles specify the tasks that users are authorized to perform. Defining an RBS role includes creating an rbsRole object and specifying the tasks that the role can perform and the User, Group, or container objects that can perform those tasks. In some cases, NetIQ iManager plug-ins (product packages) provide predefined RBS roles that you can modify.

The tasks that RBS roles can perform are exposed as rbsTask objects in your eDirectory tree. These objects are added automatically during the installation of product packages. They are organized into one or more rbsModules, which are containers that correspond to the different functional modules of the product.

For information on assigning members to a role, see Assigning RBS Role Membership and Scope.

Creating a Role Object

Use the Create iManager Role Wizard to create a new rbsRole object. We recommend creating the new rbsRole object in the same rbsCollection container where the other rbsRole objects reside (for example, the Role-Based Services Collection container).

  1. In iManager, click the Configure button.

  2. Click Role Based Services > RBS Configuration.

  3. Click the collection in which you want to create a new role.

  4. Click the Role tab.

  5. Click New > iManager Role.

  6. Follow the instructions in the Create iManager Role Wizard.

See Assigning RBS Role Membership and Scope for information on adding members to roles, and Defining Custom RBS Tasks for information on creating the tasks a role can perform.

Modifying the Tasks Associated with a Role

Each RBS role has a set of available tasks associated with it. You can choose which tasks are assigned to a particular role, adding or removing tasks as necessary.

  1. In iManager, click the Configure button.

  2. Click Role Based Services > RBS Configuration.

  3. Click the collection in which you want to modify a role.

  4. Click the Role tab.

  5. Click the role you want to modify.

  6. (Optional) If you want to add tasks to a role, complete the following steps:

    1. Click Add.

    2. Use the arrow buttons to move tasks from the All Tasks list to the Assigned Tasks list, as necessary.

    3. Click OK, then click OK again.

  7. (Optional) If you want to remove tasks from a role, complete the following steps:

    1. Select the tasks you want to remove and click Remove.

    2. Click OK, then click OK again.

  8. When finished, click Close.

Assigning RBS Role Membership and Scope

After you have defined the RBS roles needed in your organization, you can assign members to each role. In doing so, you specify the scope in which each member can exercise the functions of the role. The scope is the location or context in the eDirectory tree where this role can be performed.

A user can be assigned to a role in the following ways:

  • Directly

  • Through group and dynamic group assignments. If a user is a member of a group or a dynamic group that is assigned to a role, then the user has access to the role.

  • Through organizational role assignments. If a user is an occupant of an organizational role that is assigned a role, then the user has access to the role.

  • Through container assignment. A user object has access to every role assigned to its parent container and to any container above it, up to the root of the tree. A role assigned to an Organization or Organizational Unit is therefore inherited by every user beneath it, so assign roles at the narrowest container that covers the intended users.

A user can be associated with the same role multiple times, each with a different scope. You can also assign the same role to multiple members.
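The object model in the table above and the membership rules just listed can be checked offline against an LDIF export of an RBS collection. The following Python script is an added example, not part of the iManager product or its documentation: it parses a constructed LDIF sample, verifies that each RBS object sits in the container the table allows (rbsRole and rbsModule under rbsCollection, rbsTask and rbsBook under rbsModule, rbsScope under rbsRole), and reports who holds which role by reading the rbsScope objects under each role. It assumes that rbsScope, because it inherits from Group, carries its members in the LDAP `member` attribute and is exported with the `groupOfNames` class; the collection, role, scope and member names in the sample are invented. Members that are containers (O, OU and similar) are flagged because every object beneath such a container inherits the role.

```python
from collections import defaultdict

# Constructed sample export (not a real tree). Object classes are the ones
# from the RBS object table; "member"/"groupOfNames" on scopes are assumed.
SAMPLE_LDIF = """\
dn: cn=RBS Collection,o=acme
objectClass: rbsCollection

dn: cn=Help Desk,cn=RBS Collection,o=acme
objectClass: rbsRole

dn: cn=scope-1,cn=Help Desk,cn=RBS Collection,o=acme
objectClass: rbsScope
objectClass: groupOfNames
member: cn=alice,ou=users,o=acme
member: cn=helpdesk-staff,ou=groups,
 o=acme

dn: cn=Tree Admin,cn=RBS Collection,o=acme
objectClass: rbsRole

dn: cn=scope-2,cn=Tree Admin,cn=RBS Collection,o=acme
objectClass: rbsScope
objectClass: groupOfNames
member: cn=admin,o=acme
member: ou=contractors,o=acme
member: cn=alice,ou=users,o=acme

dn: cn=Maintenance,cn=RBS Collection,o=acme
objectClass: rbsModule

dn: cn=Reset Password,cn=Maintenance,cn=RBS Collection,o=acme
objectClass: rbsTask

dn: cn=Rogue Role,o=acme
objectClass: rbsRole
"""

# Allowed parent classes for each RBS class, taken from the object table.
CONTAINMENT = {
    "rbsrole": {"rbscollection"},
    "rbsmodule": {"rbscollection"},
    "rbstask": {"rbsmodule"},
    "rbsbook": {"rbsmodule"},
    "rbsscope": {"rbsrole"},
}
# Naming attributes that identify a container rather than a leaf object.
CONTAINER_RDNS = {"o", "ou", "c", "l", "dc"}


def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines (RFC 2849) and returns
    a list of (dn, {attr: [values]}) with attribute names lower-cased.
    Base64 (::) values and changetype records are not handled."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, dn, attrs = [], None, defaultdict(list)
    for line in unfolded + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, dict(attrs)))
            dn, attrs = None, defaultdict(list)
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            if name.lower() == "dn":
                dn = value.strip()
            else:
                attrs[name.lower()].append(value.strip())
    return entries


def parent_dn(dn):
    """Parent of a DN (assumes no escaped commas, which holds for the sample)."""
    return dn.split(",", 1)[1] if "," in dn else ""


def audit_rbs(ldif_text):
    """Return (role DN -> set of member DNs, list of findings).
    DNs are lower-cased because eDirectory names are case-insensitive."""
    entries = parse_ldif(ldif_text)
    classes = {dn.lower(): {c.lower() for c in a.get("objectclass", [])}
               for dn, a in entries}
    findings, role_members = [], defaultdict(set)
    for dn, attrs in entries:
        ocs, parent = classes[dn.lower()], parent_dn(dn).lower()
        for oc in ocs & set(CONTAINMENT):
            if not classes.get(parent, set()) & CONTAINMENT[oc]:
                allowed = "/".join(sorted(CONTAINMENT[oc]))
                findings.append(f"placement: {oc} {dn} is not directly under a {allowed}")
        if "rbsscope" in ocs:             # the scope's parent is its rbsRole
            for member in attrs.get("member", []):
                member = member.lower()
                role_members[parent].add(member)
                if member.split("=", 1)[0] in CONTAINER_RDNS:
                    findings.append(f"container-wide: {member} holds role {parent}; "
                                    "every object beneath it inherits the role")
    holders = defaultdict(set)
    for role, members in role_members.items():
        for member in members:
            holders[member].add(role)
    for member, roles in holders.items():
        if len(roles) > 1:
            findings.append(f"multi-role: {member} holds {len(roles)} roles, review for privilege creep")
    return dict(role_members), findings


if __name__ == "__main__":
    roles, findings = audit_rbs(SAMPLE_LDIF)
    for role, members in sorted(roles.items()):
        print(role, "->", ", ".join(sorted(members)))
    print(*("! " + f for f in findings), sep="\n")
```

To run it against a real tree, export the subtree of the rbsCollection container with ldapsearch or ICE to a file and pass its contents to `audit_rbs` instead of `SAMPLE_LDIF`. The placement check is the useful integrity test: the warning above says never to edit rbsScope objects, so a scope or role that is not where the table says it belongs is a sign of hand-editing or a broken installation, not a configuration to tolerate.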

To assign role membership and scope:

  1. In iManager, click the Configure button.

  2. Click Role Based Services > RBS Configuration.

  3. Click the collection in which you want to modify a role.

  4. Click the Role tab.

  5. Select the role you want to modify.

  6. Click Actions > Member Associations.

  7. (Optional) If you want to add a member to the role, complete the following steps:

    1. In the Name field, specify the name of the object you want to add (a User, Group, or Container object) and context.

    2. In the Scope field, specify an Organization or Organizational Unit object name and context.

    3. Click Add.

  8. (Optional) If you want to remove a member from the role, complete the following steps:

    1. In the list of current role members, select the member you want to remove.

    2. Click Remove.

  9. When finished, click OK, then click OK again.

  10. Click Close.

Deleting a Role-Based Services Object

  1. In iManager, click the Configure button.

  2. Click Role Based Services > RBS Configuration.

  3. Click the collection in which you want to delete an RBS role.

  4. Click the Role tab.

  5. Select the role you want to delete.

  6. Click Delete.

  7. Click OK.

  8. When finished, click OK.

  9. Click Close.

3.3.2 Defining Custom RBS Tasks

Creating an iManager Task

  1. In iManager, click the Configure button.

  2. Click Role Based Services > RBS Configuration.

  3. Click the collection in which you want to create a new task.

  4. Click the Task tab.

  5. Click New > iManager Task.

  6. Follow the instructions in the Task Builder to create a custom task.

Modifying the Role Assignment of a Task

  1. In iManager, click the Configure button.

  2. Click Role Based Services > RBS Configuration.

  3. Click the collection in which you want to modify a task.

  4. Click the Task tab.

  5. Select the task you want to modify.

  6. Click Actions > Role Assignment.

  7. Move the roles you want from the Available Roles column to the Assigned Roles column.

  8. Click OK, then click OK again.

  9. Click Close.

Deleting a Task

  1. In iManager, click the Configure button.

  2. Click Role Based Services > RBS Configuration.

  3. Click the collection in which you want to delete a task.

  4. Click the Task tab.

  5. Select the task you want to delete.

  6. Click Delete.

  7. Click OK.

  8. When finished, click OK.

  9. Click Close.