6.4 Assigning Permissions for Pages

You can assign permission to other users, groups, and containers to work with specific container pages and shared pages. Two security levels of permission can be assigned.

Table 6-5 Page Permissions

| Permission | Description | Can be assigned for |
|---|---|---|
| View | Allows a user, group, or container to access the page and see it in a list of available pages | Container pages and shared pages |
| Ownership | Allows a user, group, or container to modify the content and layout of the page, and to assign View and Ownership permission to other users, groups, and containers | Shared pages |

6.4.1 Assigning Page View Permission

When you assign users View permission for a container page or shared page, they can access the page and see it in a list of available pages.

To assign View permission for container pages or shared pages:

  1. Open a page on the Maintain Container Pages panel or the Maintain Shared Pages panel, then click the Assign Permissions page task (at the bottom of the panel).

    The Page Permissions dialog box displays in a new browser window:

    [Illustration: Page Permissions dialog box]

  2. Go to the View tab.

  3. Specify values for the following search settings:

    | Setting | What to do |
    |---|---|
    | Search for | Select one of the following from the drop-down menu: Users, Groups, or Containers. |
    | Starts with | To find all available objects of your specified type (user, group, or container), leave this setting blank. To find a subset of those objects, enter the starting characters of the CN values you want. (Case is not considered. Wildcards are not supported.) |

    For example, searching for groups that start with S would narrow your search results to something like this:

        cn=Sales,ou=groups,o=MyOrg
        cn=Service,ou=groups,o=MyOrg
        cn=Shipping,ou=groups,o=MyOrg

    Searching for groups that start with Se would return:

        cn=Service,ou=groups,o=MyOrg

  4. Click Go.

    The results of your search appear in the Results list.

  5. Select the users, groups, or containers you want to assign to the page, then click the Add (>) button.

    Hold down the Ctrl key to make multiple selections.

  6. Enable or disable page lock-down as follows:

    | If you want to | Do this |
    |---|---|
    | Lock down the page so only User Application Administrators can view it | Select View Permission Set to Admin Only |
    | Allow all assigned users, groups, and containers to view the page | Deselect View Permission Set to Admin Only |

    NOTE: If you deselect this setting but there are no users, groups, or containers explicitly assigned to the page, then everyone has View permission for this page.

  7. Click Save, then click Close.

6.4.2 Assigning Shared Page Owners

Users who own shared pages can modify the content of the pages they own and change the preferences of portlets on those pages.

To assign Ownership permission for shared pages:

  1. Open a page on the Maintain Shared Pages panel, then click the Assign Permissions page task (at the bottom of the panel).

    The Page Permissions dialog box displays in a new browser window as shown in Step 1.

  2. Go to the Ownership tab.

  3. Specify values for the following search settings:

    | Setting | What to do |
    |---|---|
    | Search for | Select one of the following from the drop-down menu: Users, Groups, or Containers. |
    | Starts with | To find all available objects of your specified type (user, group, or container), leave this setting blank. To find a subset of those objects, enter the starting characters of the CN values you want. (Case is not considered. Wildcards are not supported.) |

    For example, searching for groups that start with S would narrow your search results to something like this:

        cn=Sales,ou=groups,o=MyOrg
        cn=Service,ou=groups,o=MyOrg
        cn=Shipping,ou=groups,o=MyOrg

    Searching for groups that start with Se would return:

        cn=Service,ou=groups,o=MyOrg

  4. Click Go.

    The results of your search appear in the Results list.

  5. Select the users, groups, or containers you want to assign to the page, then click the Add (>) button.

    Hold down the Ctrl key to make multiple selections.

  6. Enable or disable page lock-down as follows:

    | If you want to | Do this |
    |---|---|
    | Lock down the page so only User Application Administrators can work with it | Select Ownership Permission Set to Admin Only |
    | Allow all assigned users, groups, and containers to work with the page | Deselect Ownership Permission Set to Admin Only |

    NOTE: If you deselect this setting but there are no users, groups, or containers explicitly assigned to the page, then everyone has Ownership permission for this page.

  7. Click Save, then click Close.
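
The NOTEs in Sections 6.4.1 and 6.4.2 describe a fail-open state: with the Admin Only setting deselected and nobody assigned, everyone holds the permission. The following Python sketch is an added example, not code from the product; it models that rule over a constructed inventory and also flags the case where revoking the last assignee opens the page. The inventory layout, field names, severity labels, and the "Team News" page are assumptions made for illustration.

```python
# Added example: models the lock-down rule from the NOTEs in 6.4.1 and 6.4.2.
# Inventory layout, field names and severities are constructed, not a product format.

ADMIN_ONLY, ASSIGNED, EVERYONE = "admin-only", "assigned", "everyone"


def effective_audience(admin_only, assignees):
    """Return who holds a permission under the documented rule."""
    if admin_only:
        return ADMIN_ONLY   # "... Permission Set to Admin Only" is selected
    if assignees:
        return ASSIGNED     # only the explicitly assigned principals
    return EVERYONE         # deselected and nothing assigned: everyone


def audit(pages):
    """List (page, permission, severity) for permissions open to everyone."""
    findings = []
    for page in pages:
        for perm in ("View", "Ownership"):
            setting = page.get(perm)
            if setting is None:   # Ownership exists for shared pages only
                continue
            if effective_audience(**setting) == EVERYONE:
                severity = "high" if perm == "Ownership" else "review"
                findings.append((page["name"], perm, severity))
    return findings


def removal_widens(setting, principal):
    """True if revoking this principal empties the list and opens the page."""
    left = [a for a in setting["assignees"] if a.lower() != principal.lower()]
    return (effective_audience(**setting) == ASSIGNED
            and effective_audience(setting["admin_only"], left) == EVERYONE)


PAGES = [  # constructed sample inventory; "Team News" is a hypothetical page
    {"name": "Admin Container Page",
     "View": {"admin_only": True, "assignees": []}},
    {"name": "Create User or Group",
     "View": {"admin_only": False, "assignees": ["cn=HR,ou=groups,o=MyOrg"]},
     "Ownership": {"admin_only": True, "assignees": []}},
    {"name": "Team News",
     "View": {"admin_only": False, "assignees": []},
     "Ownership": {"admin_only": False, "assignees": []}},
]

if __name__ == "__main__":
    print(audit(PAGES))
```

Before removing the last user, group, or container from a page, select the Admin Only setting first so the page does not pass through the everyone state.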

6.4.3 Enabling User Access to the Create User or Group Page

By default, only User Application Administrators can see and use the Create User or Group page, which is a shared page on the Identity Self-Service tab of the Identity Manager user interface. But, where appropriate, a User Application Administrator can assign permission for one or more end users to access that page. For instance, selected people in administration or management positions might need the ability to create users, groups, or task groups.

To give users access to the Create User or Group page:

  1. On the Maintain Shared Pages panel, open the page named Create User or Group.

  2. Use the Assign Permissions page task to give View permission to the appropriate users, groups, or containers for the Create User or Group shared page.

  3. Switch from Page Admin to Portlet Admin, and open the CreatePortlet portlet registration (which is used on the Create User or Group page).

  4. Use the Security panel to give List and Execute permissions to the appropriate users, groups, or containers for the CreatePortlet portlet registration.

    For more information about assigning permissions for portlets, see Section 7.0, Portlet Administration.

  5. Go to iManager and use an administrator account to log in to the tree for your Identity Vault.

  6. Make sure that the people who will be using Create User or Group have Create rights for the [Entry Rights] property on the containers in which objects (users, groups, or task groups) will be created.

    For example, you can modify trustees for a chosen container and add the appropriate users, groups, or containers as trustees. Then, for each trustee, you can assign the following rights:

    | Property name | Assigned rights | Inherit |
    |---|---|---|
    | [All Attributes Rights] | Compare, Read, Write | Yes (select this check box) |
    | [Entry Rights] | Browse, Create | Yes (select this check box) |

    If you don’t assign the necessary rights in the Identity Vault (or if those rights can’t be derived in some other way), an end user might get an error message such as this one from Create User or Group:

    
    User 'cn=mmackenzie,ou=users,ou=idmsample,o=novell' does not have permission 
    to create 'cn=MyNewGroup,ou=groups,ou=idmsample,o=novell' or modify related 
    objects.
    

To learn how the Create User or Group page is used (by those with access to it), see the Identity Manager User Application: User Guide.
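
When a user reports the error shown in Step 6, the container whose trustee list needs checking is the parent of the object the user tried to create. The following Python sketch is an added example, not part of the product; it extracts both DNs from a message of that shape and derives the container. The function names are hypothetical, and the message pattern is taken only from the sample above.

```python
import re

# Message shape copied from the sample error above; wrapping may differ.
DENIED = re.compile(
    r"User '(?P<user>[^']+)' does not have permission to create "
    r"'(?P<target>[^']+)' or modify related objects\.")

SAMPLE = """User 'cn=mmackenzie,ou=users,ou=idmsample,o=novell' does not have permission
to create 'cn=MyNewGroup,ou=groups,ou=idmsample,o=novell' or modify related
objects."""


def split_dn(dn):
    """Split a DN into RDNs, honouring backslash-escaped commas."""
    parts, cur, escaped = [], "", False
    for ch in dn:
        if escaped:
            cur, escaped = cur + ch, False
        elif ch == "\\":
            cur, escaped = cur + ch, True
        elif ch == ",":
            parts.append(cur.strip())
            cur = ""
        else:
            cur += ch
    parts.append(cur.strip())
    return parts


def parent_container(dn):
    """Return the DN of the container that holds the object named by dn."""
    return ",".join(split_dn(dn)[1:])


def triage(message):
    """Map a denial message to the trustee assignment that should be checked."""
    match = DENIED.search(" ".join(message.split()))  # undo line wrapping
    if match is None:
        return None
    return {
        "trustee": match["user"],
        "container": parent_container(match["target"]),
        "property": "[Entry Rights]",
        "rights": ["Browse", "Create"],  # from the rights table in Step 6
    }


if __name__ == "__main__":
    print(triage(SAMPLE))
```

The trustee can be the user, or a group or container that the user belongs to, so check those assignments and the Inherit setting on the reported container as well.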

6.4.4 Enabling User Access to Individual Administration Pages

By default, only User Application Administrators can access the Administration tab of the Identity Manager user interface and the pages it contains (Application Configuration, Page Admin, Portlet Admin, Provisioning, Security). But if necessary, a User Application Administrator can assign permission for one or more end users to see and use specific pages on the Administration tab. For example, a small group of users might need to change themes periodically, even though they are not User Application Administrators.

To give users access to individual Administration pages:

  1. On the Maintain Container Pages panel, open Admin Container Page.

    This is the container page that’s used when you go to the Administration tab of the Identity Manager user interface.

  2. Use the Assign Permissions page task to give View permission to the appropriate users, groups, or containers for Admin Container Page.

  3. On the Maintain Shared Pages panel, open the appropriate Administration page (one of the shared pages under the category Administration).

  4. Use the Assign Permissions page task to give View and Ownership permissions to the appropriate users, groups, or containers for that shared page.

  5. Make sure the specified users, groups, or containers have Execute permission for each portlet used on a specified page (if you have restricted those portlets).

    For more information about assigning permissions for portlets, see Section 7.0, Portlet Administration.