Home Contact Download

asyd.net

Welcome to Bruno Bonfils's (aka asyd homepage).
Trace:

Differences

This shows you the differences between the selected revision and the current version of the page.

docs:idm:adminroles 2008/12/27 19:01 current
Line 1: Line 1:
 +======Sun IDM: Admin roles======
 +Remember what the IDM documentation say : //Do not confuse roles with admin-roles. Roles are used to manage end-users’ access to external resources, whereas admin-roles are primarily used to manage Identity Manager administrator access to Identity Manager objects.//
 +
 +Admin roles can be assigned dynamically by a rule. However, regarding which capabilities you assin, you probably change the system configuration to enable check at login. Otherwise, if you assign a role with a capability like //View User// and if the user doesn't have admin cap (assigned in a static way) the user won't be able to access to the admin interface.
 +
 +===Enable checkDynamicallyAssignedAdminRolesAtLoginTo===
 +
 +Hit /idm/debug/, select //Configuration// and click //List Objects//. Click on the //edit// button for //System Configuration// and modify the XML to have something like:
 +
 +<code xml>
 +                <Attribute name='authz'>
 +                    <Object>
 +                        <Attribute name='checkDynamicallyAssignedAdminRolesAtLoginTo'>
 +                            <Object>
 +                                <Attribute name='Administrator Interface'>
 +                                    <Boolean>true</Boolean>
 +                                </Attribute>
 +                                <Attribute name='Service Provider User Interface'>
 +                                    <Boolean>false</Boolean>
 +                                </Attribute>
 +                                <Attribute name='User Interface'>
 +                                    <Boolean>true</Boolean>
 +                                </Attribute>
 +</code>
 +
 +and click on the //save// button.
 +
 +===Rule example to assign a role===
 +
 +This is a very simple rule that return true if the user match the string //bbonfils//.
 +
 +<code xml>
 +<?xml version='1.0' encoding='UTF-8'?>
 +<!DOCTYPE Rule PUBLIC 'waveset.dtd' 'waveset.dtd'>
 +<Rule id='#ID#Rule:assignManagerAdminRole' name='assignManagerAdminRole' authType='UserIsAssignedAdminRoleRule'>
 +    <MemberObjectGroups>
 +        <ObjectRef type='ObjectGroup' id='#ID#Top' name='Top'/>
 +    </MemberObjectGroups>
 +    <RuleArgument name='context'>
 +        <Comments>
 +          Identity session context (e.g. Lighthouse context)
 +        </Comments>
 +    </RuleArgument>
 +
 +    <RuleArgument name='runAsUser'>
 +        <Comments>
 +          The User view of the user the rule will run as.
 +        </Comments>
 +    </RuleArgument>
 +
 +    <cond>
 +        <ref>runAsUser</ref>
 +        <cond>
 +            <!-- Remember that CMP returns 0 if string are equals -->
 +            <cmp><ref>runAsUser.waveset.accountId</ref><s>bbonfils</s></cmp>
 +            <s>false</s>
 +            <s>true</s>
 +        </cond>
 +        <s>false</s>
 +    </cond>
 +
 +    <MemberObjectGroups>
 +        <ObjectRef type='ObjectGroup' id='#ID#All' name='All'/>
 +    </MemberObjectGroups>
 +</Rule>
 +
 +</code>