6.1 Role-Based Services

iManager gives you the ability to assign specific responsibilities to users and to present them with the tools (and their accompanying rights) necessary to perform those sets of responsibilities. This functionality is called Role-Based Services (RBS).

Role-Based Services is a set of extensions to the eDirectory schema. RBS defines several object classes and attributes that provide a mechanism for administrators to grant a user access to management tasks based on the user's role in the organization. This gives users access to only those tasks that the users need to perform. RBS grants only the rights necessary to perform assigned tasks.

NOTE: NetIQ iManager Role-Based Services (RBS) grants rights based upon the Access Control List (ACL) capability of NetIQ eDirectory. An ACL grants a trustee rights to a specific object or its subordinate objects; ACLs are not granted based upon specific object types. Each NetIQ iManager task defines its applicable object types and the ACLs it needs. However, because the ACLs themselves are not type-specific, they also allow the user to perform those operations on other object types through eDirectory APIs or other tools such as Novell ConsoleOne or NWAdmin.

Use RBS to create specific roles within your organization. The roles contain tasks that an assigned user can perform within iManager, such as creating a new user or changing a password. Tasks are preassigned to roles but can be replaced, reassigned, or removed altogether.

Furthermore, users are associated with roles in a specified scope, which is a container in the tree within which the user has the requisite permissions to perform a task. A role assignment is complete only with this threefold association of role, members, and scope.

An RBS Role object creates an association between users and tasks. An administrator grants a user access to a task by making the user a member of the role to which the task is assigned.

A user can be assigned to a role in the following ways:

  • Directly as a user

  • Through group and dynamic group assignments

    If a user is a member of a group or a dynamic group that is assigned to a role, then the user has access to the role.

  • Through organizational role assignments

    If a user is an occupant of an organizational role that is assigned a role, then the user has access to the role.

  • Through container assignment

    A User object has access to all of the roles that its parent container is assigned. This can include any ancestor container, up to the root of the tree.

A user can be associated with a role multiple times, each with a different scope.

6.1.1 RBS Objects in eDirectory

The following table lists the RBS objects; each object name is followed by its description. iManager extends the eDirectory schema to include these objects when you install RBS. For more information, see Installing RBS.

rbsCollection

A container object that holds all RBS Role and Module objects.

rbsCollection objects are the uppermost containers for all RBS objects. A tree can have any number of rbsCollection objects. These objects have owners, which are users who have management rights over the collection.

rbsCollection objects can be created in any of the following containers:

  • Country

  • Domain

  • Locality

  • Organization

  • Organizational Unit

rbsRole

Defining a role includes creating an rbsRole object and specifying the tasks that the role can perform.

rbsRoles are container objects that can be created only in an rbsCollection container.

Role members can be Users, Groups, Organizations, Organizational Roles, or Organizational Units, and role members are associated with a role in a specific scope of the tree. The rbsTask and rbsBook objects are assigned to rbsRole objects.

rbsTask

A leaf object that holds a specific function, such as resetting login passwords.

rbsTask objects are located only in rbsModule containers.

rbsBook (also known as Property Book)

A book is a leaf object that displays a group of pages that allow a user to view or modify the properties of an object or set of objects of the same type. Each page of the book has a tab that you click to view that page.

A book object resides only in rbsModule containers and can be assigned to one or more roles and to one or more object class types.

rbsScope

A leaf object used for ACL assignments, so that an ACL is granted to one rbsScope object instead of to each User object individually. rbsScope objects represent the context in the tree where a role is performed and are associated with rbsRole objects. They inherit from the Group class. User objects are assigned to an rbsScope object, and each rbsScope object holds a reference to the part of the tree (the scope) that it is associated with.

rbsScope objects are created dynamically when needed and deleted automatically when no longer needed. They are located only in rbsRole containers.

WARNING: Never change the configuration of an rbsScope object. Doing so has serious consequences and could possibly break the system.

rbsModule

Represents a container object that holds rbsTask and rbsBook objects. rbsModule objects have a module name attribute that represents the name of the product that defines the tasks or books (for example, eDirectory Maintenance Utilities, NMAS Management, or NetIQ Certificate Server Access).

rbsModule objects can be created only in rbsCollection containers.

rbsCategory

A category groups together roles and tasks that are specific to a particular function. iManager has 14 default categories: Authentication & Passwords, Collaboration, Directory, File Management, Identity Manager, Infrastructure, Install & Upgrade, Network, Novell Audit, Printing, Security, Servers, Software Licenses & Network Usage, and Users & Groups.

The All Categories selection displays all available roles and tasks.

You can also create new categories and assign roles and tasks to them.

RBS objects reside in the eDirectory tree as depicted in the following figure:

Figure 6-1 Role-Based Services in eDirectory
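The following Python script is an added example; it is not part of the iManager documentation or of the product. It models, in a small in-memory tree, the containment rules from the object table above and the four ways a user can be assigned to a role (directly, through a group, through an organizational role, and through a container), then resolves which roles a user effectively holds, in which scope, and whether a given task on a given object falls inside one of those scopes. The `Obj` class with its `kind`, `members` and `tasks` fields, the `ALLOWED_PARENTS` dict, the `(role, member, scope)` assignment triples and the `o=acme` sample tree are all assumptions of the example; they do not correspond to real eDirectory schema attributes or to a real directory.

```python
from dataclasses import dataclass, field

# Containment rules from the RBS object table, encoded as a plain dict for this
# example (the dict is part of the model, not an eDirectory schema attribute).
ALLOWED_PARENTS = {
    "rbsCollection": {"Country", "Domain", "Locality", "Organization", "Organizational Unit"},
    "rbsRole": {"rbsCollection"},
    "rbsModule": {"rbsCollection"},
    "rbsTask": {"rbsModule"},
    "rbsBook": {"rbsModule"},
    "rbsScope": {"rbsRole"},
}

@dataclass
class Obj:                                      # hypothetical stand-in for a directory object
    kind: str                                   # object class name
    members: set = field(default_factory=set)   # Group members or Organizational Role occupants
    tasks: set = field(default_factory=set)     # task names held by an rbsRole

def parent_dn(dn: str) -> str:
    """Parent of a comma-separated DN (constructed DNs here contain no escaped commas)."""
    return dn.split(",", 1)[1] if "," in dn else ""

def is_within(dn: str, container_dn: str) -> bool:
    """True when dn is container_dn itself or lies anywhere beneath it."""
    return dn == container_dn or dn.endswith("," + container_dn)

def check_containment(tree: dict) -> list:
    """Return sorted (dn, reason) pairs for RBS objects whose parent breaks a containment rule."""
    problems = []
    for dn, obj in tree.items():
        allowed = ALLOWED_PARENTS.get(obj.kind)
        if allowed is None:
            continue                                # not an RBS object
        parent = tree.get(parent_dn(dn))
        parent_kind = parent.kind if parent else "(no parent in tree)"
        if parent_kind not in allowed:
            problems.append((dn, f"{obj.kind} under {parent_kind}; allowed: {sorted(allowed)}"))
    return sorted(problems)

def effective_roles(user_dn: str, tree: dict, assignments: list) -> set:
    """Resolve every (role_dn, scope_dn, how) association a user holds.

    assignments are (role_dn, member_dn, scope_dn) triples, the threefold role/member/scope
    association. The four paths are: directly, through a Group or dynamic group, through
    Organizational Role occupancy, and through an ancestor container. One user may hold
    the same role under several scopes, so the result is a set of triples.
    """
    found = set()
    for role_dn, member_dn, scope_dn in assignments:
        member = tree.get(member_dn)
        if member_dn == user_dn:
            found.add((role_dn, scope_dn, "direct"))
        elif member is None:
            continue
        elif member.kind in ("Group", "Dynamic Group") and user_dn in member.members:
            found.add((role_dn, scope_dn, "group"))
        elif member.kind == "Organizational Role" and user_dn in member.members:
            found.add((role_dn, scope_dn, "organizational role"))
        elif member.kind in ("Organization", "Organizational Unit") and is_within(user_dn, member_dn):
            found.add((role_dn, scope_dn, "container"))
    return found

def can_perform(user_dn: str, task: str, target_dn: str, tree: dict, assignments: list) -> bool:
    """A task on target_dn is allowed only through a role that holds the task and
    whose scope contains target_dn; the right stops at the scope boundary."""
    for role_dn, scope_dn, _how in effective_roles(user_dn, tree, assignments):
        role = tree.get(role_dn)
        if role is not None and task in role.tasks and is_within(target_dn, scope_dn):
            return True
    return False

# Constructed sample tree for the demonstration (not a real directory).
ROLE = "cn=Password Management,cn=rbs,o=acme"
TREE = {
    "o=acme": Obj("Organization"),
    "ou=hr,o=acme": Obj("Organizational Unit"),
    "ou=eng,o=acme": Obj("Organizational Unit"),
    "cn=alice,ou=hr,o=acme": Obj("User"),
    "cn=bob,ou=eng,o=acme": Obj("User"),
    "cn=helpdesk,o=acme": Obj("Group", members={"cn=alice,ou=hr,o=acme"}),
    "cn=pwadmins,o=acme": Obj("Organizational Role", members={"cn=bob,ou=eng,o=acme"}),
    "cn=rbs,o=acme": Obj("rbsCollection"),
    ROLE: Obj("rbsRole", tasks={"Set Password"}),
    "cn=Directory Mod,cn=rbs,o=acme": Obj("rbsModule"),
    "cn=Set Password,cn=Directory Mod,cn=rbs,o=acme": Obj("rbsTask"),
    "cn=stray,ou=eng,o=acme": Obj("rbsRole"),       # deliberately misplaced
}
ASSIGNMENTS = [
    (ROLE, "cn=helpdesk,o=acme", "ou=hr,o=acme"),       # alice through a group, scope ou=hr
    (ROLE, "cn=alice,ou=hr,o=acme", "ou=eng,o=acme"),   # alice directly, a second scope
    (ROLE, "cn=pwadmins,o=acme", "o=acme"),             # bob through an organizational role
    (ROLE, "ou=eng,o=acme", "ou=eng,o=acme"),           # everyone under ou=eng, via the container
]

if __name__ == "__main__":
    print(check_containment(TREE))
    for user in ("cn=alice,ou=hr,o=acme", "cn=bob,ou=eng,o=acme"):
        print(user, sorted(effective_roles(user, TREE, ASSIGNMENTS)))
```

Run stand-alone, the script reports the deliberately misplaced rbsRole and prints each user's role/scope associations. The point it illustrates is that a right is granted per role and per scope: alice holds the same role under two scopes (ou=hr through her group, ou=eng directly) and can therefore reset passwords under either, but not for an object in a container outside both, while bob, whose organizational role is scoped at o=acme, can act anywhere in the organization.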

6.1.2 Installing RBS

RBS is installed using the iManager Configuration Wizard.

  1. In the Configure view, select Role Based Services > RBS Configuration.

  2. Select Configure iManager.

  3. Follow the on-screen instructions.

6.1.3 Removing RBS

If Role-Based Services is no longer needed in the tree, the RBS Collection object can be safely deleted through iManager. Deleting the RBS collection automatically cleans up all user role associations and scopes in the tree. Do not delete the RBS collection using other utilities, such as ConsoleOne.

To remove Role-Based Services:

  1. In the Configure view, select Role Based Services > RBS Configuration.

  2. Select the collection to be deleted.

  3. Click Delete.

After the RBS collection is deleted, all users logging in to iManager enter Assigned Access mode, even though there is no longer an RBS collection object in the tree.

To switch back to Unrestricted mode (the default mode):

  1. In the Configure view, select iManager Server > Configure iManager.

  2. Select the RBS tab.

  3. Select the appropriate tree name in the RBS Tree List field, then click the minus button.

  4. Click Save.

NOTE: When using iManager in Unrestricted mode, you typically see the following message on the iManager Home Page: Notice: Some of the roles and tasks are not available. Clicking View Details might display a Not supported by current authenticators message for several of the tasks, even though the tasks work correctly. This message is misleading; iManager stops displaying these messages after you configure RBS.