35.1 Understanding Roles and Access Control

Identity Console provides the ability to assign specific responsibilities to users and present them with the tools and their accompanying rights required to perform these responsibilities.

RAC is an extension of the eDirectory schema. It defines several object classes and attributes that give administrators a mechanism to grant a user access to management tasks based on the user's role in the RAC configuration. As a result, users have access only to the tasks they need to perform.

NOTE: NetIQ Identity Console RAC grants rights based on the Access Control List (ACL) capability of NetIQ eDirectory. An ACL grants a trustee rights to a specific object or its subordinate objects; ACLs are not granted based on specific object types. Each NetIQ Identity Console task defines the object types it applies to and the ACLs it needs. However, because those ACLs are not restricted to object types, a user who holds them can perform the same operations on other object types through the eDirectory APIs or other tools.

The RAC feature also helps you create specific roles within your organization. A role contains tasks that an assigned user can perform within Identity Console, such as creating a new user or changing a password. Tasks are preassigned to roles but can be replaced, reassigned, or removed.

Furthermore, users are associated with roles within a specified scope, which is a container in the tree in which the user has the permissions required to perform a task. A role assignment is complete only with this threefold association of role, members, and scope.

A Role object creates an association between users and tasks. An administrator grants a user access to a task by making the user a member of the Role to which the task is assigned.

A user can be assigned to a Role in the following ways:

  • Directly as a user.

  • Through a group assignment.

    If a user is a member of a group or a dynamic group that is assigned to a role, then the user has access to the role.

  • Through container assignment.

    A User object has access to all the roles that its parent container is assigned. This includes containers such as Organization and Organizational Unit.

A user can be associated with a role multiple times, each with a different scope.
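The threefold association and the three membership paths above, as an added illustration that is not NetIQ code: a small Python model with constructed DNs, group and role names, in which tree containment is approximated by RDN suffix matching, that answers whether a user may run a task on a target object.

```python
from dataclasses import dataclass, field

def parent_chain(dn: str):
    """Yield every ancestor container of a DN, nearest first (constructed DN model)."""
    parts = dn.split(",")
    for i in range(1, len(parts)):
        yield ",".join(parts[i:])

def in_scope(obj_dn: str, scope_dn: str) -> bool:
    """True if obj_dn is the scope container itself or lies anywhere in its subtree."""
    return obj_dn == scope_dn or obj_dn.endswith("," + scope_dn)

@dataclass
class Role:
    tasks: set                                       # tasks assigned to the role
    assignments: list = field(default_factory=list)  # (member DN, scope DN) pairs

@dataclass
class Directory:
    groups: dict   # group DN -> set of member DNs (static or dynamic, already resolved)
    roles: dict    # role name -> Role

    def role_subjects(self, user_dn: str) -> set:
        """DNs through which the user can hold a role: itself, its groups, its ancestor containers."""
        subjects = {user_dn} | set(parent_chain(user_dn))
        subjects |= {g for g, members in self.groups.items() if user_dn in members}
        return subjects

    def can_perform(self, user_dn: str, task: str, target_dn: str) -> bool:
        """The threefold check: a role holds the task, the user is a member, the target is in scope."""
        subjects = self.role_subjects(user_dn)
        return any(
            task in role.tasks and member in subjects and in_scope(target_dn, scope)
            for role in self.roles.values()
            for member, scope in role.assignments
        )

# Constructed sample data: alice holds the role twice with different scopes,
# bob gets it through a group, and everyone under ou=hr gets it through their container.
ALICE, BOB, CAROL = "cn=alice,ou=eng,o=acme", "cn=bob,ou=eng,o=acme", "cn=carol,ou=hr,o=acme"
HELPDESK = "cn=helpdesk,ou=groups,o=acme"
DIR = Directory(
    groups={HELPDESK: {BOB}},
    roles={"Password Admin": Role(
        tasks={"Set Password"},
        assignments=[(ALICE, "ou=eng,o=acme"), (ALICE, "ou=sales,o=acme"),
                     (HELPDESK, "ou=support,o=acme"), ("ou=hr,o=acme", "o=acme")])},
)
```

Note that bob's own container (ou=eng) gives him nothing here: membership alone is not enough, the target must also fall inside a scope attached to one of his assignments.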

35.1.1 Roles and Access Control Objects in eDirectory

The following table lists the RAC objects; each object name is followed by its description. Identity Console extends the eDirectory schema to include these objects when you install RAC.

RAC Configuration

A container object that holds all the Role and Module objects.

RAC Configuration objects are the uppermost containers for all RAC objects. A tree can have any number of RAC Configuration objects. These objects have owners, which are users who have management rights over the Configurations.

RAC Configuration objects can be created in any of the following containers:

  • Domain.

  • Location.

  • Country.

  • Organization.

  • Organizational Unit.

RAC Role

Defining a role includes creating an RAC Role object and specifying the tasks that the role can perform.

RAC Roles are container objects that can be created only in an RAC Configuration container.

Role members can be User, Group, Organization, or Organizational Unit, and role members are associated with a role in a specific scope of the tree. The RAC Task objects are assigned to RAC Role objects.

RAC Task

A leaf object that holds a specific function, such as creating a user or a group.

RAC Task objects are located only in RAC Module containers.

RAC Scope

A leaf object that is used for ACL assignments (instead of making assignments for each User object). RAC Scope objects represent the context in the tree where a role is performed and are associated with RAC Role objects. They inherit from the Group class. User objects are assigned to an RAC Scope object. These objects hold a reference to the scope of the tree that they are associated with.

These objects are created dynamically when needed and deleted automatically when no longer needed. They are located only in RAC Role containers.

RAC Scope can be Organization and Organizational Unit.

WARNING: Never change the configuration of an RAC Scope object. Doing so has serious consequences and could possibly break the system.

RAC Module

Represents a container object that holds RAC Task objects. RAC Module objects have a module name attribute, which represents the name of the product that defines the tasks (for example, Certificate Management, Authentication Management, User Management and so on).

RAC Module objects can be created only in the RAC Configuration containers.