HP-UX Directory Server 8.1 administrator guide
5 Organizing entries with roles, class of service, and views
Entries contained within the directory can be grouped in different ways to simplify the
management of user accounts. HP-UX Directory Server supports a variety of methods for grouping
entries and sharing attributes between entries. To take full advantage of the features offered by
roles and class of service, determine the directory topology when planning the directory
deployment.
Topics include:
• “Using roles”
• “Assigning class of service”
• “Using views”
• “Using groups”
5.1 Using roles
Roles are a grouping mechanism that unifies the static and dynamic groups described in the
previous sections. Roles are designed to be more efficient and easier to use for applications. For
example, an application can get the list of roles of which an entry is a member by querying the
entry itself, rather than selecting a group and browsing the members list of several groups.
This section contains the following topics:
• “About roles”
• “Managing roles using the console”
• “Managing roles using the command line”
• “Using roles securely”
5.1.1 About roles
There are two kinds of groups:
• Static groups have a finite and defined list of members.
• Dynamic groups use filters to recognize which entries are members of the group, so the
group membership is constantly changed as the entries that match the group filter change.
Both kinds of groups are described in “Using groups”.
Roles are a sort of hybrid group, behaving as both a static and dynamic group. With a group,
entries are added to a group entry as members. With a role, the role attribute is added to an
entry, then that attribute is used to identify members in the role entry automatically.
Roles effectively organize users in a number of different ways:
• Explicitly listing role members
Viewing the role will display the complete list of members for that role. The role itself can
be queried to check membership (which is not possible with a dynamic group).
• Showing what roles an entry belongs to
Because role membership is determined by an attribute on an entry, simply viewing an entry
will show all the roles to which it belongs. This is similar to the memberOf attributes for
groups.
• Assigning the appropriate roles
Role membership is assigned through the entry, not through the role, so the roles to which
a user belongs can be easily assigned and removed by editing the entry, in a single step.
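The model described above, where membership is recorded on the member entry rather than on the role entry, as an added example that is not part of the HP guide: Python that reads an LDIF export and answers both questions (who is in a role, and which roles an entry holds), and also reports role DNs that entries reference but the export does not define. It assumes managed roles whose members name the role in an `nsRoleDN` attribute; the sample entries and the function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample export. Assumption: managed roles, where each member
# entry names its roles in nsRoleDN values.
SAMPLE_LDIF = """\
dn: cn=Marketing,ou=People,dc=example,dc=com
objectClass: nsRoleDefinition
objectClass: nsManagedRoleDefinition

dn: uid=bjensen,ou=People,dc=example,dc=com
nsRoleDN: cn=Marketing,ou=People,dc=example,dc=com
nsRoleDN: cn=Audit, ou=People, dc=example,
 dc=com

dn: uid=jdoe,ou=People,dc=example,dc=com
nsRoleDN: CN=Marketing,OU=People,DC=example,DC=com
"""

def norm_dn(dn):
    # DNs compare case-insensitively; escaped commas are not handled here.
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_ldif(text):
    entries, cur = [], None
    for line in text.replace("\n ", "").splitlines():  # undo LDIF line folding
        if not line.strip():
            cur = None  # a blank line ends the record
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            cur = {"dn": norm_dn(value), "attrs": defaultdict(list)}
            entries.append(cur)
        elif cur is not None and not line.startswith("#"):
            cur["attrs"][attr].append(value)
    return entries

def role_index(entries):
    """Return (role -> members, entry -> roles, undefined role -> referrers)."""
    defined = {e["dn"] for e in entries if any(
        oc.lower() == "nsroledefinition" for oc in e["attrs"]["objectclass"])}
    members, roles_of, undefined = defaultdict(set), {}, defaultdict(set)
    for e in entries:
        roles = {norm_dn(v) for v in e["attrs"]["nsroledn"]}
        if roles:
            roles_of[e["dn"]] = roles
        for role in roles:
            (members if role in defined else undefined)[role].add(e["dn"])
    return members, roles_of, undefined
```

Base64-encoded values (`attr:: value`) are not decoded, so an export containing them needs decoding before the values are compared.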